RFR 8189131: Open-source the Oracle JDK Root Certificates
Sean Mullan
sean.mullan at oracle.com
Fri Dec 1 19:50:22 UTC 2017
On 12/1/17 2:25 PM, Rajan Halade wrote:
> On 12/1/17 10:09 AM, Sean Mullan wrote:
>> So only the VerifyCACerts test would potentially fail by default (it
>> is part of tier2). If this becomes a big issue, we can follow-up later
>> and investigate more with some sort of fix, but I don't think this
>> should hold up the current fix.
> Would it be acceptable if I change the blocks at lines 227-231 and 234-239
> to soft-failures? Essentially then this test will only validate a cert if
> it is present in the keystore. This test is designed to check the integrity
> of the cacerts keystore but if we are to allow the test to pass with different
> cacerts specified using --with-cacerts-file then it may be acceptable.
I don't think we should do that. This could more easily allow a
non-approved cert to accidentally make its way into the real cacerts
keystore without detection.
We can handle the alternate cacerts keystore issue with a better
solution later, if necessary.
--Sean
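
The trade-off discussed above, as an added example that is not part of the original message and is not the VerifyCACerts code: a strict check requires the keystore to match the approved list exactly, while a soft check validates only approved entries that happen to be present. The aliases, certificate bytes and function names are constructed for illustration, and the soft policy is one reading of the proposal.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's encoded bytes."""
    return hashlib.sha256(der).hexdigest()

def verify_strict(keystore: dict, expected: dict) -> list:
    """Hard-fail policy: the keystore must match the approved list exactly."""
    errors = []
    for alias in sorted(expected.keys() - keystore.keys()):
        errors.append(f"missing approved entry: {alias}")
    for alias in sorted(keystore.keys() - expected.keys()):
        errors.append(f"unapproved entry: {alias}")
    for alias in sorted(expected.keys() & keystore.keys()):
        if fingerprint(keystore[alias]) != expected[alias]:
            errors.append(f"fingerprint mismatch: {alias}")
    return errors

def verify_soft(keystore: dict, expected: dict) -> list:
    """Soft-fail policy (assumed): check only approved aliases that are present."""
    return [f"fingerprint mismatch: {alias}"
            for alias in sorted(expected.keys() & keystore.keys())
            if fingerprint(keystore[alias]) != expected[alias]]

# Constructed stand-ins for encoded certificates; not real roots.
APPROVED = {"rootca-a": b"constructed cert A", "rootca-b": b"constructed cert B"}
EXPECTED = {alias: fingerprint(der) for alias, der in APPROVED.items()}

# Keystore that lost one approved root and gained an unapproved one.
ALTERED = {"rootca-a": b"constructed cert A", "extraca": b"constructed cert X"}

# Keystore where an approved alias carries different certificate bytes.
TAMPERED = {"rootca-a": b"constructed cert A", "rootca-b": b"swapped bytes"}

if __name__ == "__main__":
    for name, ks in (("approved", APPROVED), ("altered", ALTERED),
                     ("tampered", TAMPERED)):
        print(name, "strict:", verify_strict(ks, EXPECTED))
        print(name, "soft:  ", verify_soft(ks, EXPECTED))
```

Both policies catch the swapped certificate, but only the strict one reports the added and missing entries in the altered keystore.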