RFR 8189131: Open-source the Oracle JDK Root Certificates

Sean Mullan sean.mullan at oracle.com
Fri Dec 1 19:50:22 UTC 2017


On 12/1/17 2:25 PM, Rajan Halade wrote:
> On 12/1/17 10:09 AM, Sean Mullan wrote:
>> So only the VerifyCACerts test would potentially fail by default (it
>> is part of tier2). If this becomes a big issue, we can follow up later
>> and investigate more with some sort of fix, but I don't think this
>> should hold up the current fix.
> Would it be acceptable if I change the blocks at lines 227-231 and 234-239
> to soft-failures? Essentially then this test will only validate a cert if
> it is present in the keystore. This test is designed to check the integrity
> of the cacerts keystore, but if we are to allow the test to pass with a
> different cacerts specified using --with-cacerts-file then it may be
> acceptable.

I don't think we should do that. This could more easily allow a 
non-approved cert to accidentally make its way into the real cacerts 
keystore without detection.

We can handle the alternate cacerts keystore issue with a better 
solution later, if necessary.

--Sean


