[8u] RFR: 8232019: Add LuxTrust certificate updates to the existing root program

Andrew John Hughes gnu.andrew at redhat.com
Thu Dec 19 19:29:45 UTC 2019



On 17/12/2019 19:30, Severin Gehwolf wrote:
> Hi,
> 
> Could I please get a review of this OpenJDK 8u backport of 8232019. The
> JDK 11 patch did not apply cleanly for a couple of reasons:
> 
>    1. 8u still has the binary blob for cacerts (JDK-8193255 not
>       backported, yet). Instead, I've updated to the revision in jdk11u,
>       performed a build and copied the cacerts binary to 8u.
>    2. JDK-8225392 not present in 8u, which added the checksum to
>       VerifyCACerts.java. Thus, the 8u backport does not include this
>       hunk. @bug annotation modified manually for the same reason.
> 
> Everything else is the same.
> 
> Bug: https://bugs.openjdk.java.net/browse/JDK-8232019
> webrev: http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8232019/jdk8/01/webrev/
> 
> Testing: sun/security/lib/cacerts/VerifyCACerts.java and
>          security/infra/java/security/cert/CertPathValidator/certification
>          Pass, except for ActalisCA.java which is problem-listed and still
>          broken in HEAD (JDK-8224768)
> 
> Thoughts?
> 
> If reviewed, I'll try to get this in 8u242 via the critical fix request
> label workflow.
> 
> Thanks,
> Severin
> 

Going on this & the similar Amazon fix, I'd say we should backport
JDK-8193255 & JDK-8225392 first. The previous updates which alter a
binary file have been pretty much unreviewable and, if there's a better
solution to that, I'd rather we had it sooner rather than later.

Likewise, judging by the comment on JDK-8234245, I'd say that needs to
be applied between the LuxTrust & Amazon ones:

"This fixes an issue after JDK-8232019, so it needs to be included.
Patch applies cleanly."

Thanks,
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew
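
An added example, not part of the original message or of OpenJDK: one way a reviewer could turn a binary cacerts update into a reviewable list of added, removed and changed aliases. It assumes the blob is in JKS format; the function names and the sample stores (placeholder aliases and certificate bytes) are constructed for illustration, and the trailing integrity digest is not verified.

```python
import hashlib
import struct
JKS_MAGIC = 0xFEEDFEED
TRUSTED_CERT = 2  # entry tag for a trusted certificate (1 = private key)

def _utf(buf, pos):
    """Read a writeUTF-style string: 2-byte length, then the bytes (ASCII aliases assumed)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def trusted_certs(blob):
    """Map alias -> SHA-256 of the encoded certificate for each trusted entry."""
    magic, version, count = struct.unpack_from(">III", blob, 0)
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    pos, out = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", blob, pos)
        if tag != TRUSTED_CERT:
            raise ValueError("unexpected non-certificate entry in a trust store")
        alias, pos = _utf(blob, pos + 4)
        pos += 8  # creation timestamp, irrelevant to the trust decision
        if version == 2:
            _cert_type, pos = _utf(blob, pos)  # normally "X.509"
        (n,) = struct.unpack_from(">I", blob, pos)
        out[alias] = hashlib.sha256(blob[pos + 4:pos + 4 + n]).hexdigest()
        pos += 4 + n
    return out

def diff_stores(old_blob, new_blob):
    """Return (added, removed, changed) alias lists between two keystores."""
    old, new = trusted_certs(old_blob), trusted_certs(new_blob)
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = sorted(a for a in old.keys() & new.keys() if old[a] != new[a])
    return added, removed, changed

def make_store(entries):
    """Build a constructed JKS blob (placeholder cert bytes, zeroed digest)."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, der in entries.items():
        a = alias.encode()
        body += struct.pack(">IH", TRUSTED_CERT, len(a)) + a + struct.pack(">Q", 0)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return body + bytes(20)  # the integrity digest is not checked by this sketch

# Constructed sample data: aliases and certificate bytes are placeholders.
OLD = make_store({"ca-a": b"der-a", "ca-b": b"der-b-old", "ca-c": b"der-c"})
NEW = make_store({"ca-a": b"der-a", "ca-b": b"der-b-new", "ca-d": b"der-d"})
```

Calling `diff_stores(OLD, NEW)` on the two constructed stores reports `ca-d` as added, `ca-c` as removed and `ca-b` as changed, which is the summary a reviewer would compare against the certificates the change claims to touch.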
