webrev.01 of 8011402: Move blacklisting certificate logic from hard code to data
Weijun Wang
weijun.wang at oracle.com
Wed Sep 11 13:32:47 UTC 2013
Slightly updated at the same location.
Added different algorithm check in the 2 makefiles.
Thanks
Max
On 9/11/13 3:57 PM, Weijun Wang wrote:
> Hi Sean and Erik
>
> An updated webrev is at
>
> http://cr.openjdk.java.net/~weijun/8011402/webrev.01/
>
> Changes since the last webrev:
>
> - Some makefile changes
> * wildcard on closed file
> * make sure the file's first line is always "Algorithm="
> - Move fingerprint cache for cert from X509CertImpl to
> UntrustedCertificates
> - Cache hash for Certificate
> - log blacklist parsing error in UntrustedCertificates
> - A new test
>
> Thanks
> Max
>
> On 9/6/13 9:30 PM, Weijun Wang wrote:
>> Hi Sean
>>
>> Please review the code changes at
>>
>> 8011402: Move blacklisting certificate logic from hard code to data
>
> http://cr.openjdk.java.net/~weijun/8011402/webrev.00/
>
>>
>> Hard coded blacklisted certificates are moved out of the class file and
>> now inside a data file. Furthermore, only their fingerprints are
>> released in the JRE. The makefile covers blacklist files in both open
>> and closed repo.
>>
>> No regression test, cleanup.
>>
>> *build-dev*, I am not an export of Makefile, and I have some questions:
>>
>> 1. I create a new macro (or function?) called cat-files. Its only
>> difference from install-file is that it needs to deal with two inputs.
>> Do we already have a similar macro somewhere?
>>
>> 2. cat-files is defined inside CopyFiles.gmk right beside its usage. Do
>> you think it's better to define it in a common file?
>>
>> 3. Most important: it only works if both $(BLACKLISTED_CERTS_SRC_OPEN)
>> and $(BLACKLISTED_CERTS_SRC_CLOSED) already exists. Currently there is
>> no closed blacklist, but I still have to create an empty file there.
>> Otherwise, there will be
>>
>> make[2]: *** No rule to make target
>> `/space/repos/jdk8/tl/jdk/src/closed/share/lib/security/blacklisted.certs',
>>
>> needed by
>> `/space/repos/jdk8/tl/build/macosx-x86_64-normal-server-release/jdk/lib/security/blacklisted.certs'.
>>
>> Stop.
>>
>> Is there a way to make it work without adding that empty file?
>>
>> Thanks
>> Max
More information about the security-dev
mailing list