webrev.01 of 8011402: Move blacklisting certificate logic from hard code to data

Weijun Wang weijun.wang at oracle.com
Wed Sep 11 07:57:03 UTC 2013


Hi Sean and Erik

An updated webrev is at

   http://cr.openjdk.java.net/~weijun/8011402/webrev.01/

Changes since the last webrev:

- Some makefile changes
   * wildcard on closed file
   * make sure the file's first line is always "Algorithm="
- Move fingerprint cache for cert from X509CertImpl to UntrustedCertificates
- Cache hash for Certificate
- Log blacklist parsing error in UntrustedCertificates
- A new test

Thanks
Max

On 9/6/13 9:30 PM, Weijun Wang wrote:
> Hi Sean
>
> Please review the code changes at
>
>    8011402: Move blacklisting certificate logic from hard code to data
>
>    http://cr.openjdk.java.net/~weijun/8011402/webrev.00/

>
> Hard coded blacklisted certificates are moved out of the class file and
> now inside a data file. Furthermore, only their fingerprints are
> released in the JRE. The makefile covers blacklist files in both open
> and closed repo.
>
> No regression test, cleanup.
>
> *build-dev*, I am not an expert of Makefile, and I have some questions:
>
> 1. I create a new macro (or function?) called cat-files. Its only
> difference from install-file is that it needs to deal with two inputs.
> Do we already have a similar macro somewhere?
>
> 2. cat-files is defined inside CopyFiles.gmk right beside its usage. Do
> you think it's better to define it in a common file?
>
> 3. Most important: it only works if both $(BLACKLISTED_CERTS_SRC_OPEN)
> and $(BLACKLISTED_CERTS_SRC_CLOSED) already exist. Currently there is
> no closed blacklist, but I still have to create an empty file there.
> Otherwise, there will be
>
> make[2]: *** No rule to make target
> `/space/repos/jdk8/tl/jdk/src/closed/share/lib/security/blacklisted.certs',
> needed by
> `/space/repos/jdk8/tl/build/macosx-x86_64-normal-server-release/jdk/lib/security/blacklisted.certs'.
>   Stop.
>
> Is there a way to make it work without adding that empty file?
>
> Thanks
> Max
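As an added illustration of the two build-side points in this thread (the cat-files step that merges the open and closed blacklist sources, the "wildcard on closed file" change that avoids the empty placeholder file from question 3, and the rule that the merged file's first line is always "Algorithm="), here is a shell stand-in for that make step. It is not the webrev's CopyFiles.gmk; the merge rules (drop blank lines, collapse duplicates, require exactly one Algorithm= line and write it first) and all file names and fingerprint values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the webrev's CopyFiles.gmk. merge_blacklists plays the
# role of cat-files: every source that exists is concatenated (a missing
# closed file is skipped, like $(wildcard), so no empty placeholder is needed),
# blank lines are dropped, duplicates collapsed, and the result is rejected
# unless the sources carry exactly one "Algorithm=" line, which goes first.

# Constructed placeholders standing in for SHA-256 certificate fingerprints.
FP_A=1111111111111111111111111111111111111111111111111111111111111111
FP_B=2222222222222222222222222222222222222222222222222222222222222222
FP_C=3333333333333333333333333333333333333333333333333333333333333333

# merge_blacklists OUT SRC... : write the merged list to OUT.
# Returns 0 on success, 1 if no source exists or the Algorithm= header is
# missing or conflicting (OUT is not written in that case).
merge_blacklists() {
    out=$1; shift
    tmp=$out.tmp
    existing=""
    for f in "$@"; do
        # Mirror $(wildcard ...): a source that does not exist is omitted.
        if [ -f "$f" ]; then existing="$existing $f"; fi
    done
    if [ -z "$existing" ]; then
        echo "no blacklist source exists" >&2; return 1
    fi
    # Word splitting on $existing is intended (it is a list of paths).
    cat $existing | sed '/^[[:space:]]*$/d' | sort | uniq > "$tmp"
    headers=$(grep -c '^Algorithm=' "$tmp" || true)
    if [ "$headers" -ne 1 ]; then
        echo "expected exactly one Algorithm= line, found $headers" >&2
        rm -f "$tmp"; return 1
    fi
    # Header first, then the fingerprints; an empty fingerprint list is fine.
    { grep '^Algorithm=' "$tmp"; grep -v '^Algorithm=' "$tmp" || true; } > "$out"
    rm -f "$tmp"
}

# write_samples DIR: constructed open list (header, blank line, two
# fingerprints) and closed list (fingerprints only, one duplicated).
write_samples() {
    printf 'Algorithm=SHA-256\n\n%s\n%s\n' "$FP_A" "$FP_B" > "$1/open.certs"
    printf '%s\n%s\n' "$FP_B" "$FP_C" > "$1/closed.certs"
}

# Demo: merge both lists plus a closed file that does not exist.
demo=$(mktemp -d)
write_samples "$demo"
merge_blacklists "$demo/blacklisted.certs" "$demo/open.certs" "$demo/closed.certs" "$demo/no-such.certs"
cat "$demo/blacklisted.certs"; rm -rf "$demo"
```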
