<div dir="ltr">I'm not a security engineer, but:<div>- consider creating static finals for e.g. <span style="color:green">"Mighty Aphrodite" </span>just to give it a symbolic name.</div><div>- <span style="color:red">VerifyCACerts </span>probably fails when the jdk is configured with a different cacerts file (but the JDK doesn't preserve configuration information - how could one fix it?)</div><div>Many downstream organizations will configure a different cacerts.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 12, 2019 at 8:42 AM Weijun Wang <<a href="mailto:weijun.wang@oracle.com">weijun.wang@oracle.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">This is my version of the fix:<br>
<br>
<a href="http://cr.openjdk.java.net/~weijun/8225392/webrev.00/" rel="noreferrer" target="_blank">http://cr.openjdk.java.net/~weijun/8225392/webrev.00/</a><br>
<br>
Now you can still compare cacerts bit by bit.<br>
<br>
Thanks,<br>
Max<br>
<br>
> On Jun 12, 2019, at 10:50 PM, Weijun Wang <<a href="mailto:weijun.wang@oracle.com" target="_blank">weijun.wang@oracle.com</a>> wrote:<br>
> <br>
> Hi Erik,<br>
> <br>
> Are you going to fix this bug soon?<br>
> <br>
> I am inspired by Martin's words and would like to update GenerateCacerts.java so that as long as the certs and their aliases are unchanged, the output cacerts will always be the same. I can send out a code review today.<br>
> <br>
> Thanks,<br>
> Max<br>
> <br>
>> On Jun 12, 2019, at 10:59 AM, Weijun Wang <<a href="mailto:weijun.wang@oracle.com" target="_blank">weijun.wang@oracle.com</a>> wrote:<br>
>> <br>
>> Good idea about the creation time.<br>
>> <br>
>> --Max<br>
>> <br>
>>> On Jun 12, 2019, at 10:53 AM, Martin Buchholz <<a href="mailto:martinrb@google.com" target="_blank">martinrb@google.com</a>> wrote:<br>
>>> <br>
>>> Google culture really likes build output determinism, and we recently built our own cacerts generator.<br>
>>> <br>
>>> To get determinism, we are using cert digest as alias (must have a unique alias, but value doesn't seem to matter much), and using cert notBefore instead of current (build) timestamp.<br>
>>> <br>
>>> On Mon, Jun 10, 2019 at 12:40 PM Erik Joelsson <<a href="mailto:erik.joelsson@oracle.com" target="_blank">erik.joelsson@oracle.com</a>> wrote:<br>
>>> Since JDK-8193255, when we started generating the cacerts file in the <br>
>>> build, the build compare baseline builds have started failing. It seems <br>
>>> the cacerts binary file has some non determinism built in so it doesn't <br>
>>> get generated exactly the same given the same input. This patch adds <br>
>>> special handling when comparing that file by comparing the output of <br>
>>> "keytool -list" on the files instead.<br>
>>> <br>
>>> Bug: <a href="https://bugs.openjdk.java.net/browse/JDK-8225392" rel="noreferrer" target="_blank">https://bugs.openjdk.java.net/browse/JDK-8225392</a><br>
>>> <br>
>>> Webrev: <a href="http://cr.openjdk.java.net/~erikj/8225392/webrev.01/" rel="noreferrer" target="_blank">http://cr.openjdk.java.net/~erikj/8225392/webrev.01/</a><br>
>>> <br>
>>> /Erik<br>
>>> <br>
>> <br>
> <br>
<br>
</blockquote></div>