I'm not a security engineer, but: - consider creating static finals for e.g. "Mighty Aphrodite" just to give it a symbolic name. - VerifyCACerts probably fails when the jdk is configured with a different cacerts file (but the JDK doesn't preserve configuration information - how could one fix it?) Many downstream organizations will configure a different cacerts.
On Wed, Jun 12, 2019 at 8:42 AM Weijun Wang <weijun.w...@oracle.com> wrote: > This is my version of the fix: > > http://cr.openjdk.java.net/~weijun/8225392/webrev.00/ > > Now you can still compare cacerts bit by bit. > > Thanks, > Max > > > On Jun 12, 2019, at 10:50 PM, Weijun Wang <weijun.w...@oracle.com> > wrote: > > > > Hi Erik, > > > > Are you going to fix this bug soon? > > > > I am inspired by Martin's words and would like to update > GenerateCacerts.java so that as long as the certs and their aliases are > unchanged, the output cacerts will always be the same. I can send out a > code review today. > > > > Thanks, > > Max > > > >> On Jun 12, 2019, at 10:59 AM, Weijun Wang <weijun.w...@oracle.com> > wrote: > >> > >> Good idea about the creation time. > >> > >> --Max > >> > >>> On Jun 12, 2019, at 10:53 AM, Martin Buchholz <marti...@google.com> > wrote: > >>> > >>> Google culture really likes build output determinism, and we recently > built our own cacerts generator. > >>> > >>> To get determinism, we are using cert digest as alias (must have a > unique alias, but value doesn't seem to matter much), and using cert > notBefore instead of current (build) timestamp. > >>> > >>> On Mon, Jun 10, 2019 at 12:40 PM Erik Joelsson < > erik.joels...@oracle.com> wrote: > >>> Since JDK-8193255, when we started generating the cacerts file in the > >>> build, the build compare baseline builds have started failing. It > seems > >>> the cacerts binary file has some non determinism built in so it > doesn't > >>> get generated exactly the same given the same input. This patch adds > >>> special handling when comparing that file by comparing the output of > >>> "keytool -list" on the files instead. > >>> > >>> Bug: https://bugs.openjdk.java.net/browse/JDK-8225392 > >>> > >>> Webrev: http://cr.openjdk.java.net/~erikj/8225392/webrev.01/ > >>> > >>> /Erik > >>> > >> > > > >