[security-dev 01727]: Re: Please review new regression test for java.net.* API

Andrew John Hughes ahughes at redhat.com
Mon Mar 22 09:01:38 PDT 2010


On 22 March 2010 15:41, Sean Mullan <Sean.Mullan at sun.com> wrote:
> Andrew John Hughes wrote:
>>
>> On 18 March 2010 21:12, Christopher Hegarty -Sun Microsystems Ireland
>> <Christopher.Hegarty at sun.com> wrote:
>>>
>>> Andrew John Hughes wrote:
>>>>
>>>> On 18 March 2010 20:56, Christopher Hegarty -Sun Microsystems Ireland
>>>> <Christopher.Hegarty at sun.com> wrote:
>>>>>
>>>>> Brad, Pavel, Andrew,
>>>>>
>>>>> I'm also not comfortable with this test, but what bothers me more
>>>>> than the reliance on an external server is the reliance on cacerts.
>>>>> While cacerts (or equivalent) is not part of OpenJDK I don't think
>>>>> it makes sense adding a test to OpenJDK that has a reliance on it.
>>>>>
>>>>> For now I think it makes more sense to add a test like this to
>>>>> wherever in the build process cacerts (or equivalent) is added.
>>>>>
>>>> The problem is nothing does in the OpenJDK build process.  So SSL is
>>>> always broken for OpenJDK builds.  Is this something we really want?
>>>
>>> This is certainly not ideal, but is a separate issue to the test,
>>> right? It seems Sean or someone in the security team should comment
>>> on the possibility of adding root CA's to OpenJDK, until then I don't
>>> see any requirement for a test.
>
> I don't have an answer right now - this will take some more investigation
> first.
>
>> My thoughts too.  We have a solution for GNU/Linux where cacerts is
>> populated from the crt files found on the system (installed by Mozilla
>> and the like).  I don't know what the equivalent would be for Windows
>> and Solaris though.  A quick look on my OpenSolaris box didn't find
>> any crt files but I only looked in installed packages.  I presume
>> firefox may bring some in if it's available.
>
> On Windows you can use the "Windows-ROOT" KeyStore type, ex:
>
> keytool -list -keystore NONE -storetype Windows-ROOT
>

Ok, so that presumably makes some Windows system call, right?

> I haven't tried it, but you could probably use the keytool -importkeystore
> option to import all of these certs into the cacerts file.
>
> On Solaris, you could use the /usr/java/jre/lib/security/cacerts file.
>

Isn't that exactly what's being installed?
Though maybe there's a general solution there of importing from the
bootstrap JDK.

>
> --Sean
>



-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
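
The import discussed in this message (system roots such as the "Windows-ROOT" store copied into a cacerts file), done through the java.security.KeyStore API instead of keytool, as an added example that is not part of the original thread. The class name, the output file name and password defaults, the fingerprint-based aliases and the skipping of expired roots are assumptions of this sketch, not something the thread specifies.

```java
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): copy trusted roots from a
// system-backed keystore into a fresh JKS file usable as cacerts.
public class ImportRoots {
    public static void main(String[] args) throws Exception {
        // Assumed defaults: Windows-ROOT only exists on Windows JDKs.
        String srcType = args.length > 0 ? args[0] : "Windows-ROOT";
        String outPath = args.length > 1 ? args[1] : "cacerts";
        char[] outPass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore src = KeyStore.getInstance(srcType);
        src.load(null, null);   // system store: no backing file, no password
        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null);   // start from an empty keystore

        int skipped = 0;
        for (String alias : Collections.list(src.aliases())) {
            Certificate c = src.getCertificate(alias);
            if (!src.isCertificateEntry(alias) || !(c instanceof X509Certificate)) {
                skipped++;      // only plain trusted-certificate entries are copied
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            try {
                x.checkValidity();   // skip expired or not-yet-valid roots
            } catch (CertificateException e) {
                skipped++;
                continue;
            }
            // Alias by SHA-256 fingerprint so two roots that share a
            // friendly name in the source store cannot overwrite each other.
            byte[] fp = MessageDigest.getInstance("SHA-256").digest(x.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : fp) hex.append(String.format("%02x", b));
            dst.setCertificateEntry(hex.toString(), x);
        }
        try (OutputStream out = new FileOutputStream(outPath)) {
            dst.store(out, outPass);
        }
        System.out.printf("stored=%d skipped=%d -> %s%n", dst.size(), skipped, outPath);
    }
}
```

The resulting file can be inspected with `keytool -list -keystore cacerts` before it is put in place, so the set of roots a build will trust is reviewed rather than assumed.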


