webrev.01 of 8011402: Move blacklisting certificate logic from hard code to data
Sean Mullan
sean.mullan at oracle.com
Wed Sep 18 13:20:30 UTC 2013

On 09/17/2013 07:07 AM, Weijun Wang wrote:
> Webrev updated to version 02 at
>
> http://cr.openjdk.java.net/~weijun/8011402/webrev.02/
>
> Changes since webrev.01:
>
> 1. Makefiles:
> - new build logic outside "ifndef OPENJDK"
> - Add a sed check to make sure open and close list use same algorithm
>
> 2. Fingerprint calculation moved into X509CertImpl using a
> ConcurrentHashMap, although we only use one algorithm now.

Can you set the default size to 1 or 2?

I think it may be worth adding (maybe not for JDK 8 but JDK 9) a new
method to the Certificate class called getFingerPrint(String alg) ...
This way the fingerprint would not have to be calculated every time when
using 3rd party providers for CertificateFactory.

Also, you still have the fingerprints HashMap in
UntrustedCertificates.java though it is no longer used.

> 3. Certificate::hashCode is now 0 if it's not a X509Cert

Ok.
>
> 4. Cleanup comments in blacklisted.certs.pem, only subject/issuer/serial
> remain

Ok.

>
> 5. Test moved to lib/security and checks more.
>
> I didn't change Certificate's private hash field to volatile.

Ok.

--Sean
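
The per-algorithm fingerprint cache and blacklist lookup discussed in this thread, as an added example that is not code from the webrev or the JDK. The names CachedCert, isUntrusted and digestCalls are hypothetical, the byte strings are constructed stand-ins for certificate encodings, and HexFormat assumes Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; not the JDK's X509CertImpl or UntrustedCertificates code.
public class FingerprintCacheDemo {
    // Hypothetical stand-in for a certificate: holds the encoding, caches digests.
    static final class CachedCert {
        private final byte[] encoded;
        // Small initial capacity: one or two algorithms expected per certificate.
        private final ConcurrentHashMap<String, String> fingerprints = new ConcurrentHashMap<>(2);
        int digestCalls; // demo counter only, not thread-safe

        CachedCert(byte[] encoded) { this.encoded = encoded.clone(); }

        // Digest is computed on first request per algorithm, then served from the map.
        String getFingerprint(String alg) {
            return fingerprints.computeIfAbsent(alg, a -> {
                try {
                    digestCalls++;
                    byte[] d = MessageDigest.getInstance(a).digest(encoded);
                    return HexFormat.of().withUpperCase().formatHex(d); // Java 17+
                } catch (NoSuchAlgorithmException e) {
                    throw new IllegalArgumentException("unsupported digest: " + a, e);
                }
            });
        }
    }

    // Blacklist lookup by fingerprint; the set holds uppercase hex digests.
    static boolean isUntrusted(CachedCert cert, String alg, Set<String> blacklist) {
        return blacklist.contains(cert.getFingerprint(alg));
    }

    public static void main(String[] args) {
        // Constructed sample bytes standing in for DER certificate encodings.
        byte[] badDer = "constructed-bad-cert".getBytes(StandardCharsets.UTF_8);
        CachedCert bad = new CachedCert(badDer);
        CachedCert good = new CachedCert("constructed-good-cert".getBytes(StandardCharsets.UTF_8));
        Set<String> blacklist = Set.of(new CachedCert(badDer).getFingerprint("SHA-256"));
        for (int i = 0; i < 3; i++) isUntrusted(bad, "SHA-256", blacklist);
        System.out.println("bad untrusted:  " + isUntrusted(bad, "SHA-256", blacklist));
        System.out.println("good untrusted: " + isUntrusted(good, "SHA-256", blacklist));
        System.out.println("digest calls for bad: " + bad.digestCalls);
    }
}
```

The cache key is the algorithm string exactly as passed, so callers that mix spellings such as "SHA-256" and "sha-256" would get separate entries; a blacklist file and its lookup code need to agree on one algorithm name and one hex case.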