[8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates (Integration for JEP 319: Root Certificates)
Doerr, Martin
martin.doerr at sap.com
Tue May 14 08:22:26 UTC 2019
Hi Christoph,
this looks good to me.
I don't know if anybody has issues with the failing tests. Should they get added to a problem list?
Best regards,
Martin
-----Original Message-----
From: jdk8u-dev <jdk8u-dev-bounces at openjdk.java.net> On Behalf Of Langer, Christoph
Sent: Dienstag, 7. Mai 2019 16:15
To: 'jdk8u-dev at openjdk.java.net' <jdk8u-dev at openjdk.java.net>; security-dev <security-dev at openjdk.java.net>
Subject: [CAUTION] RE: [8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates (Integration for JEP 319: Root Certificates)
Ping: can I please have a review for this?
From: Langer, Christoph
Sent: Donnerstag, 2. Mai 2019 14:55
To: 'jdk8u-dev at openjdk.java.net' <jdk8u-dev at openjdk.java.net>; security-dev <security-dev at openjdk.java.net>
Subject: [8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates (Integration for JEP 319: Root Certificates)
Hi,
as was already discussed and requested on the mailing lists ([0], [1]), I hereby propose a change to add the root certificates of upstream OpenJDK to OpenJDK 8 updates.
The main bug that (initially) brought the Oracle certificates to OpenJDK is 8189131: Open-source the Oracle JDK Root Certificates [2]. My proposed change will also backport all updates to the contents of cacerts since then:
8191844: Remove SECOM root (secomevrootca1)
8189949: Remove Baltimore Cybertrust Code Signing CA
8191031: Remove several Symantec Root CAs
8196141: Add GoDaddy root certificates
8204923: Restore Symantec root verisignclass2g2ca
8195774: Add Entrust root certificates
8199779: Add T-Systems, GlobalSign and Starfield services root certificates
8209506: Add Google Trust Services GlobalSign root certificates
8210432: Add additional TeliaSonera root certificate
8195793: Remove GTE CyberTrust Global Root
8216577: Add GlobalSign's R6 Root certificate
8222137: Remove T-Systems root CA certificate
Please find the webrev here: http://cr.openjdk.java.net/~clanger/webrevs/8189131.8u/
I took the current state of cacerts from the jdk/jdk repo along with the provided testcases and brought them down to the jdk8 repository layout.
To make the test run in JDK8, I had to
a) modify test/sun/security/lib/cacerts/VerifyCACerts.java:
240 private static final HashSet<String> EXPIRY_EXC_ENTRIES = new HashSet<String>() {
I needed to add the String type to the constructor of the HashSet, since the JDK8 java compiler will not accept <> in that place.
b) modify test/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithParams.java
60 private static final String CACERTS_STORE = System.getProperty("test.jdk")
61 + FS + "jre" + FS + "lib" + FS + "security" + FS + "cacerts";
I needed to adapt the path to cacerts in a JDK8 JDK/JRE as it is located in subdirectory jre there.
Out of the tests in test/security/infra/java/security/cert/CertPathValidator/certification, there are 2 failing:
FAILED: security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
FAILED: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java
However, for jdk/jdk it is the same. JBS Issues for these tests exist and are yet unresolved: JDK-8202651 and JDK-8215546.
Since the tests don't seem to be part of any tier, I propose to include them in this backport and later on also backport possible fixes to them.
Thanks
Christoph
[0] https://mail.openjdk.java.net/pipermail/security-dev/2019-March/019557.html
[1] https://mail.openjdk.java.net/pipermail/security-dev/2019-April/019733.html
[2] https://bugs.openjdk.java.net/browse/JDK-8189131
More information about the security-dev
mailing list