[8u] RFR: 8233223: Add Amazon Root CA certificates

Langer, Christoph christoph.langer at sap.com
Thu Dec 19 17:05:14 UTC 2019


Hi Severin,

same here, looks good - when VerifyCACerts passes, everything is correct.

Cheers
Christoph

> -----Original Message-----
> From: security-dev <security-dev-bounces at openjdk.java.net> On Behalf Of Severin Gehwolf
> Sent: Thursday, 19 December 2019 11:10
> To: Volker Simonis <volker.simonis at gmail.com>
> Cc: jdk8u-dev <jdk8u-dev at openjdk.java.net>; security-dev <security-dev at openjdk.java.net>
> Subject: Re: [8u] RFR: 8233223: Add Amazon Root CA certificates
> 
> Hi Volker,
> 
> On Wed, 2019-12-18 at 22:27 +0100, Volker Simonis wrote:
> > Hi Severin,
> >
> > not strictly an 8u "Reviewer" yet, but I've looked at your changes
> > (this one and 8232019) nevertheless :)
> 
> Thanks for the review!
> 
> > They both look good, except that I can not verify the new "cacert"
> > file because it is not in the patch (because it is binary). Not sure
> > if it is necessary to upload the whole file to cr.openjdk.java.net as
> > well? If you say that sun/security/lib/cacerts/VerifyCACerts.java and
> > security/infra/java/security/cert/CertPathValidator/certification both
> > pass, then everything seems to be fine.
> 
> FWIW the raw download of the webrev's cacerts file should have the
> binary blob:
> http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8233223/jdk8/01/webrev/raw_files/new/src/share/lib/security/cacerts
> 
> And for 8232019:
> http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8232019/jdk8/01/webrev/raw_files/new/src/share/lib/security/cacerts
> 
> Thanks,
> Severin
> 
> > So thumbs up from me (for both, this one and 8232019).
> >
> > Best regards,
> > Volker
> >
> > On Tue, Dec 17, 2019 at 8:39 PM Severin Gehwolf <sgehwolf at redhat.com> wrote:
> > > Hi,
> > >
> > > Could I please get a review of this OpenJDK 8u backport of 8233223
> > > which depends on 8u backport of 8232019[1]. The JDK 11u patch did not
> > > apply cleanly for a couple of reasons:
> > >
> > >    1. 8u still has the binary blob for cacerts (JDK-8193255
> > >       not backported, yet). Instead, I've updated to the revision in
> > >       jdk11u, performed a build and copied the cacerts binary to 8u.
> > >    2. JDK-8225392 not present in 8u, which added the checksum to
> > >       VerifyCACerts.java. Thus, the 8u backport does not include
> > >       this hunk.
> > >    3. JDK-8234245 not present in 8u.
> > >    4. Due to 2) and 3) above @bug annotation modified manually for these
> > >       reasons.
> > >
> > > Everything else is the same.
> > >
> > > Bug: https://bugs.openjdk.java.net/browse/JDK-8233223
> > > webrev: http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8233223/jdk8/01/webrev/
> > >
> > > Testing: sun/security/lib/cacerts/VerifyCACerts.java and
> > >          security/infra/java/security/cert/CertPathValidator/certification
> > >          Pass, except for ActalisCA.java which is problem-listed and still
> > >          broken in HEAD (JDK-8224768)
> > >
> > > Thoughts?
> > >
> > > Once reviewed, I'll try to get this into 8u242 via the critical fix
> > > request label workflow.
> > >
> > > Thanks,
> > > Severin
> > >
> > > [1] http://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-December/010813.html
> > >


