webrev.01 of 8011402: Move blacklisting certificate logic from hard code to data

Weijun Wang weijun.wang at oracle.com
Wed Sep 11 14:09:20 UTC 2013


Yes, you're right. I need to try running it again with OPENJDK set.

Thanks
Max

On 9/11/13 9:45 PM, Erik Joelsson wrote:
>
> On 2013-09-11 15:32, Weijun Wang wrote:
>> Slightly updated at the same location.
>>
>> Added different algorithm check in the 2 makefiles.
>>
> I should have noticed this earlier, but in CopyFiles.gmk, the whole
> thing is enclosed in ifndef OPENJDK. I would expect lines 403 to 415 to
> be moved outside of that conditional. At least if I interpret the
> intention correctly.
>
> /Erik
>> Thanks
>> Max
>>
>>
>> On 9/11/13 3:57 PM, Weijun Wang wrote:
>>> Hi Sean and Erik
>>>
>>> An updated webrev is at
>>>
>>>    http://cr.openjdk.java.net/~weijun/8011402/webrev.01/
>>>
>>> Changes since the last webrev:
>>>
>>> - Some makefile changes
>>>    * wildcard on closed file
>>>    * make sure the file's first line is always "Algorithm="
>>> - Move fingerprint cache for cert from X509CertImpl to
>>> UntrustedCertificates
>>> - Cache hash for Certificate
>>> - log blacklist parsing error in UntrustedCertificates
>>> - A new test
>>>
>>> Thanks
>>> Max
>>>
>>> On 9/6/13 9:30 PM, Weijun Wang wrote:
>>>> Hi Sean
>>>>
>>>> Please review the code changes at
>>>>
>>>>    8011402: Move blacklisting certificate logic from hard code to data
>>>>
>>>>    http://cr.openjdk.java.net/~weijun/8011402/webrev.00/
>>>>
>>>>
>>>> Hard coded blacklisted certificates are moved out of the class file and
>>>> now inside a data file. Furthermore, only their fingerprints are
>>>> released in the JRE. The makefile covers blacklist files in both open
>>>> and closed repo.
>>>>
>>>> No regression test, cleanup.
>>>>
>>>> *build-dev*, I am not an expert on Makefiles, and I have some questions:
>>>>
>>>> 1. I create a new macro (or function?) called cat-files. Its only
>>>> difference from install-file is that it needs to deal with two inputs.
>>>> Do we already have a similar macro somewhere?
>>>>
>>>> 2. cat-files is defined inside CopyFiles.gmk right beside its usage. Do
>>>> you think it's better to define it in a common file?
>>>>
>>>> 3. Most important: it only works if both $(BLACKLISTED_CERTS_SRC_OPEN)
>>>> and $(BLACKLISTED_CERTS_SRC_CLOSED) already exist. Currently there is
>>>> no closed blacklist, but I still have to create an empty file there.
>>>> Otherwise, there will be
>>>>
>>>> make[2]: *** No rule to make target
>>>> `/space/repos/jdk8/tl/jdk/src/closed/share/lib/security/blacklisted.certs',
>>>> needed by
>>>> `/space/repos/jdk8/tl/build/macosx-x86_64-normal-server-release/jdk/lib/security/blacklisted.certs'.
>>>>   Stop.
>>>>
>>>> Is there a way to make it work without adding that empty file?
>>>>
>>>> Thanks
>>>> Max
>
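
The thread describes shipping only certificate fingerprints in a data file whose first line is always "Algorithm=". The following is an added sketch of such a lookup, not code from the webrev or the JDK: the class name `FingerprintBlacklist`, the one-hex-fingerprint-per-line layout after the header, and the sample bytes are assumptions made for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class FingerprintBlacklist {          // hypothetical name
    private final String algorithm;
    private final Set<String> fingerprints = new HashSet<>();

    // Assumed layout: "Algorithm=<digest name>" first, then one hex fingerprint per line.
    FingerprintBlacklist(BufferedReader in) throws IOException {
        String first = in.readLine();
        if (first == null || !first.startsWith("Algorithm=")) {
            // Fail closed on a malformed file so the caller can log the parsing error.
            throw new IOException("blacklist must start with Algorithm=");
        }
        algorithm = first.substring("Algorithm=".length()).trim();
        for (String line; (line = in.readLine()) != null; ) {
            line = line.trim();
            if (!line.isEmpty()) fingerprints.add(line.toUpperCase(Locale.ROOT));
        }
    }

    // Digest of the encoded certificate, as upper-case hex.
    static String fingerprint(String algorithm, byte[] encodedCert) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance(algorithm).digest(encodedCert)) {
            hex.append(String.format("%02X", b));
        }
        return hex.toString();
    }

    boolean isUntrusted(byte[] encodedCert) throws Exception {
        return fingerprints.contains(fingerprint(algorithm, encodedCert));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the bytes Certificate.getEncoded() would return.
        byte[] listed = "constructed-cert-A".getBytes(StandardCharsets.UTF_8);
        byte[] other = "constructed-cert-B".getBytes(StandardCharsets.UTF_8);
        String data = "Algorithm=SHA-256\n" + fingerprint("SHA-256", listed) + "\n";
        FingerprintBlacklist bl = new FingerprintBlacklist(new BufferedReader(new StringReader(data)));
        System.out.println(bl.isUntrusted(listed) + " " + bl.isUntrusted(other));
        try {   // a file without the header is rejected rather than silently treated as empty
            new FingerprintBlacklist(new BufferedReader(new StringReader("ABCD\n")));
        } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```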



More information about the security-dev mailing list