[8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates (Integration for JEP 319: Root Certificates)

Langer, Christoph christoph.langer at sap.com
Tue May 14 09:29:14 UTC 2019 

Hi Martin,

thanks for your review.

Regarding the failing tests: They are not executed in any tier. You'd either have to execute all tests below jdk/test or the test group "jdk_security_infra". But anyway, I'll follow up on these tests as we see the issues in our test system and have to exclude them locally.

/Christoph

> -----Original Message-----
> From: Doerr, Martin
> Sent: Dienstag, 14. Mai 2019 10:22
> To: Langer, Christoph <christoph.langer at sap.com>; 'jdk8u-
> dev at openjdk.java.net' <jdk8u-dev at openjdk.java.net>; security-dev
> <security-dev at openjdk.java.net>
> Subject: RE: [8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates
> (Integration for JEP 319: Root Certificates)
> 
> Hi Christoph,
> 
> this looks good to me.
> I don't know if anybody has issues with the failing tests. Should they get
> added to a problem list?
> 
> Best regards,
> Martin
> 
> 
> -----Original Message-----
> From: jdk8u-dev <jdk8u-dev-bounces at openjdk.java.net> On Behalf Of
> Langer, Christoph
> Sent: Dienstag, 7. Mai 2019 16:15
> To: 'jdk8u-dev at openjdk.java.net' <jdk8u-dev at openjdk.java.net>; security-
> dev <security-dev at openjdk.java.net>
> Subject: [CAUTION] RE: [8u] RFR: 8189131: Open-source the Oracle JDK Root
> Certificates (Integration for JEP 319: Root Certificates)
> 
> Ping: can I please have a review for this?
> 
> From: Langer, Christoph
> Sent: Donnerstag, 2. Mai 2019 14:55
> To: 'jdk8u-dev at openjdk.java.net' <jdk8u-dev at openjdk.java.net>; security-
> dev <security-dev at openjdk.java.net>
> Subject: [8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates
> (Integration for JEP 319: Root Certificates)
> 
> Hi,
> 
> as was already discussed and requested on the mailing lists ([0], [1]), I hereby
> propose a change to add the root certificates of upstream OpenJDK to
> OpenJDK 8 updates.
> 
> The main bug that (initially) brought the Oracle certificates to OpenJDK is
> 8189131: Open-source the Oracle JDK Root Certificates [2]. My proposed
> change will also backport all updates to the contents of cacerts since then:
> 
> 8191844: Remove SECOM root (secomevrootca1)
> 8189949: Remove Baltimore Cybertrust Code Signing CA
> 8191031: Remove several Symantec Root CAs
> 8196141: Add GoDaddy root certificates
> 8204923: Restore Symantec root verisignclass2g2ca
> 8195774: Add Entrust root certificates
> 8199779: Add T-Systems, GlobalSign and Starfield services root certificates
> 8209506: Add Google Trust Services GlobalSign root certificates
> 8210432: Add additional TeliaSonera root certificate
> 8195793: Remove GTE CyberTrust Global Root
> 8216577: Add GlobalSign's R6 Root certificate
> 8222137: Remove T-Systems root CA certificate
> 
> Please find the webrev here:
> http://cr.openjdk.java.net/~clanger/webrevs/8189131.8u/
> 
> I took the current state of cacerts from the jdk/jdk repo along with the
> provided testcases and brought them down to the jdk8 repository layout.
> 
> To make the test run in JDK8, I had to
> a) modify test/sun/security/lib/cacerts/VerifyCACerts.java:
>   240     private static final HashSet<String> EXPIRY_EXC_ENTRIES = new
> HashSet<String>() {
> I needed to add the String type to the constructor of the HashSet, since the
> JDK8 java compiler will not accept <> in that place.
> 
> b) modify
> test/security/infra/java/security/cert/CertPathValidator/certification/Validat
> ePathWithParams.java
> 
>   60     private static final String CACERTS_STORE =
> System.getProperty("test.jdk")
> 
>   61             + FS + "jre" + FS + "lib" + FS + "security" + FS + "cacerts";
> I needed to adapt the path to cacerts in a JDK8 JDK/JRE as it is located in
> subdirectory jre there.
> 
> Out of the tests in
> test/security/infra/java/security/cert/CertPathValidator/certification, there
> are 2 failing:
> FAILED:
> security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.ja
> va
> FAILED:
> security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.
> java
> However, for jdk/jdk it is the same. JBS Issues for these tests exist and are
> yet unresolved: JDK-8202651 and JDK-8215546.
> 
> Since the tests don't seem to be part of any tier, I propose to include them in
> this backport and later on also backport possible fixes to them.
> 
> Thanks
> Christoph
> 
> [0] https://mail.openjdk.java.net/pipermail/security-dev/2019-
> March/019557.html
> [1] https://mail.openjdk.java.net/pipermail/security-dev/2019-
> April/019733.html
> [2] https://bugs.openjdk.java.net/browse/JDK-8189131

More information about the security-dev mailing list