[8u] RFR: 8233223: Add Amazon Root CA certificates

Severin Gehwolf sgehwolf at redhat.com
Thu Dec 19 10:09:46 UTC 2019 

Hi Volker,

On Wed, 2019-12-18 at 22:27 +0100, Volker Simonis wrote:
> Hi Severin,
> 
> not strictly a 8u "Reviewer" yet, but I've looked at your changes
> (this one and 8232019) nevertheless :)

Thanks for the review!

> They both look good, except that I can not verify the new "cacert"
> file because it is not in the patch (because it is binary). Not sure
> if it is necessary to upload the whole file to cr.openjdk.java.net as
> well? If you say that sun/security/lib/cacerts/VerifyCACerts.java and
> security/infra/java/security/cert/CertPathValidator/certification both
> pass, then everything seems to be fine.

FWIW the raw download of the webrev's cacerts file should have the
binary blob:
http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8233223/jdk8/01/webrev/raw_files/new/src/share/lib/security/cacerts

And for 8232019:
http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8232019/jdk8/01/webrev/raw_files/new/src/share/lib/security/cacerts

Thanks,
Severin

> So thumbs up from me (for both, this one and 8232019).
> 
> Best regards,
> Volker
> 
> On Tue, Dec 17, 2019 at 8:39 PM Severin Gehwolf <sgehwolf at redhat.com> wrote:
> > Hi,
> > 
> > Could I please get a review of this OpenJDK 8u backport of 8233223
> > which depends on 8u backport of 8232019[1]. The JDK 11u patch did not
> > apply cleanly for a couple of reasons:
> > 
> >    1. 8u still has the binary blob for cacerts (JDK-8193255
> >       not backported, yet). Instead, I've updated to the revision in
> >       jdk11u, performed a build and copied the cacerts binary to 8u.
> >    2. JDK-8225392 not present in 8u, which added the checksum to
> >       VerifyCACerts.java. Thus, the 8u backport does not include
> >       this hunk.
> >    3. JDK-8234245 not present in 8u.
> >    4. Due to 2) and 3) above @bug annotation modified manually for these
> >       reasons.
> > 
> > Everything else is the same.
> > 
> > Bug: https://bugs.openjdk.java.net/browse/JDK-8233223
> > webrev: http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8233223/jdk8/01/webrev/
> > 
> > Testing: sun/security/lib/cacerts/VerifyCACerts.java and
> >          security/infra/java/security/cert/CertPathValidator/certification
> >          Pass, except for ActalisCA.java which is problem-listed and still
> >          broken in HEAD (JDK-8224768)
> > 
> > Thoughts?
> > 
> > Once reviewed, I'll try to get this into 8u242 via the critical fix
> > request label workflow.
> > 
> > Thanks,
> > Severin
> > 
> > [1] http://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-December/010813.html
> >

More information about the security-dev mailing list