RFR 8189131: Open-source the Oracle JDK Root Certificates

Volker Simonis volker.simonis at gmail.com
Fri Dec 1 18:05:31 UTC 2017

On Fri, Dec 1, 2017 at 6:22 PM, Alan Bateman <Alan.Bateman at oracle.com> wrote:
> On 01/12/2017 17:16, Volker Simonis wrote:
>> Hi Rajan,
>> great to see this finally happen!
>> I have just a quick question related to the tests. As far as I can
>> see, the tests will only succeed if the OpenJDK will be built with the
>> new open sourced, Oracle root certificates. But what if somebody is
>> building the OpenJDK with his own set of root certificates (by using
>> the --with-cacerts-file option)? Do you see any possibility of
>> restricting these tests only to builds which used the original,
>> checked in cacerts file?
> If needed, you could add a keyword (@key tag) on these tests, or any tests
> that depend on the OpenJDK cacerts file, so you can control if the tests are
> run or not.

Yes, but as far as I know @key tags are implemented by querying VM
properties. In this case however there's no VM property which
indicates how the VM has been configured. --with-cacerts-file is just
changing the copy rule which copies the cacerts file into the final
image. If we would like to query this information at runtime, we must
save the --with-cacerts-file configuration option in a property. I'm
not sure if that is worth it.

Maybe everybody will use the new Oracle JDK Root Certificates once
they are available? Or maybe we should just make the tests manual
tests which are not automatically executed? I just think if you build
your own version of OpenJDK with --with-cacerts-file and run the JTreg
tests afterwards, it will be confusing to get test errors because of
your trust store.

> -Alan
