webrev.01 of 8011402: Move blacklisting certificate logic from hard code to data
Erik Joelsson
erik.joelsson at oracle.com
Wed Sep 11 13:45:24 UTC 2013
On 2013-09-11 15:32, Weijun Wang wrote:
> Slightly updated at the same location.
>
> Added different algorithm check in the 2 makefiles.
>
I should have noticed this earlier, but in CopyFiles.gmk, the whole
thing is enclosed in ifndef OPENJDK. I would expect lines 403 to 415 to
be moved outside of that conditional. At least if I interpret the
intention correctly.
/Erik
> Thanks
> Max
>
>
> On 9/11/13 3:57 PM, Weijun Wang wrote:
>> Hi Sean and Erik
>>
>> An updated webrev is at
>>
>> http://cr.openjdk.java.net/~weijun/8011402/webrev.01/
>>
>> Changes since the last webrev:
>>
>> - Some makefile changes
>> * wildcard on closed file
>> * make sure the file's first line is always "Algorithm="
>> - Move fingerprint cache for cert from X509CertImpl to
>> UntrustedCertificates
>> - Cache hash for Certificate
>> - log blacklist parsing error in UntrustedCertificates
>> - A new test
>>
>> Thanks
>> Max
>>
>> On 9/6/13 9:30 PM, Weijun Wang wrote:
>>> Hi Sean
>>>
>>> Please review the code changes at
>>>
>>> 8011402: Move blacklisting certificate logic from hard code to data
>>
>> http://cr.openjdk.java.net/~weijun/8011402/webrev.00/
>>
>>>
>>> Hard coded blacklisted certificates are moved out of the class file and
>>> now inside a data file. Furthermore, only their fingerprints are
>>> released in the JRE. The makefile covers blacklist files in both open
>>> and closed repo.
>>>
>>> No regression test, cleanup.
>>>
>>> *build-dev*, I am not an export of Makefile, and I have some questions:
>>>
>>> 1. I create a new macro (or function?) called cat-files. Its only
>>> difference from install-file is that it needs to deal with two inputs.
>>> Do we already have a similar macro somewhere?
>>>
>>> 2. cat-files is defined inside CopyFiles.gmk right beside its usage. Do
>>> you think it's better to define it in a common file?
>>>
>>> 3. Most important: it only works if both $(BLACKLISTED_CERTS_SRC_OPEN)
>>> and $(BLACKLISTED_CERTS_SRC_CLOSED) already exists. Currently there is
>>> no closed blacklist, but I still have to create an empty file there.
>>> Otherwise, there will be
>>>
>>> make[2]: *** No rule to make target
>>> `/space/repos/jdk8/tl/jdk/src/closed/share/lib/security/blacklisted.certs',
>>>
>>>
>>> needed by
>>> `/space/repos/jdk8/tl/build/macosx-x86_64-normal-server-release/jdk/lib/security/blacklisted.certs'.
>>>
>>>
>>> Stop.
>>>
>>> Is there a way to make it work without adding that empty file?
>>>
>>> Thanks
>>> Max
More information about the security-dev
mailing list