RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
Andrew Leonard
aleonard at openjdk.java.net
Thu Dec 2 10:59:20 UTC 2021
On Thu, 2 Dec 2021 00:09:31 GMT, Sergey Bylokhov <serb at openjdk.org> wrote:
> I have a question related to the custom cacerts which can be added to the OpenJDK bundle. How do you pass the tests like test/jdk/sun/security/lib/cacerts/VerifyCACerts.java using that custom jdk bundle? Probably we can add an additional configuration to that test so it will check the custom cacerts passed to the build as well?
@mrserb
So VerifyCACerts is specific to the make/data/cacerts certificates; the README specifically states there that when those are updated, VerifyCACerts needs updating. It checks things like fingerprints, etc.
If a developer or other provider decides to provide their own cacerts file, then it is up to them to have verified and trust those certificates. They won't run the VerifyCACerts which is specific to the OpenJDK certs.
This is the case at Adoptium for example, which uses the Mozilla trusted CA certs.
-------------
PR: https://git.openjdk.java.net/jdk/pull/6647