On 18 March 2010 14:57, Christopher Hegarty -Sun Microsystems Ireland
<christopher.hega...@sun.com> wrote:
> Pavel Tisnovsky wrote:
>>
>> Christopher Hegarty -Sun Microsystems Ireland wrote:
>>>
>>> Alan Bateman wrote:
>>>>
>>>> Pavel Tisnovsky wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> please review new regression test for java.net.* API. This test checks
>>>>> if the cacerts keytool database is configured properly and SSL is really
>>>>> working. The test should not fail if SSL is working (in other case it
>>>>> simply throws IOException). Webrev is available at
>>>>> http://cr.openjdk.java.net/~ptisnovs/TestHttps/
>>>>>
>>>>> Thanks in advance
>>>>> Pavel Tisnovsky
>>>>
>>>> I suspect the dependency on verisign.com will be problematic. Isn't SSL
>>>> already covered by the javax.net and https tests?
>>>
>>> I'm not sure what the prime motivation of the test is. Pavel, can you
>>> please elaborate?
>>>
>>> Reading between the lines I guess the test is verifying that the correct
>>> root Certification Authority is installed in cacerts, i.e. the cert from
>>> www.verisign.com can be validated.
>>
>> Hi Chris, you guessed correctly :-) And we can use other URL if
>> verisign.com is problematic.
>
> OK, so the test is trying to validate cacerts.
>
> Does it make sense to validate this certificate store in a general purpose
> regression test? The test will of course pass with Sun's priority build and
> probably RedHats too, since they contain the root certificate for verisign,
> but an OpenJDK build will not contain it, right? So the test will fail.
>
> Security folk:
> Do we currently have any tests with a dependency on cacerts?
>
> -Chris.
>
>>> Alan is correct there are already tests for SSL/Https in javax.net, but I
>>> believe these use self signed certs, no dependency on cacerts.
>>>
>>> -Chris.
>>>
>>>>
>>>> -Alan.

Yes, it will fail. From an OpenJDK build:

$ /mnt/builder/jdk7/j2sdk-image/bin/java TestHttps
Exception in thread "main" javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

This has been posted about before; OpenJDK currently can't bootstrap
itself because it doesn't have a working cacerts store (the JAXP URL
uses https).

I don't know how to solve this; we can certainly have the cacerts file
populated on GNU/Linux systems, but I don't have a clue how you'd do
it on Solaris or Windows. How do Sun populate it? Can that be shared?

-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
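
Added example, not part of the thread or of the TestHttps webrev: an offline check for the condition behind the exception above, counting the trust anchors the JDK's default trust store provides without contacting verisign.com or any other host. The class name CheckDefaultTrustAnchors is hypothetical.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class name; reports how many CA certificates the JDK's
// default trust store (normally lib/security/cacerts) actually provides.
public class CheckDefaultTrustAnchors {

    // Returns the number of trusted issuers exposed by the default
    // TrustManagerFactory, i.e. what an HTTPS connection would validate against.
    static int countDefaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore selects the default store: javax.net.ssl.trustStore
        // if set, otherwise jssecacerts, otherwise cacerts.
        tmf.init((KeyStore) null);
        int count = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] issuers =
                        ((X509TrustManager) tm).getAcceptedIssuers();
                count += issuers.length;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home = " + System.getProperty("java.home"));
        String override = System.getProperty("javax.net.ssl.trustStore");
        System.out.println("javax.net.ssl.trustStore = "
                + (override == null ? "(not set, using JDK default)" : override));
        int anchors = countDefaultTrustAnchors();
        System.out.println("trust anchors available: " + anchors);
        if (anchors == 0) {
            // With no anchors, PKIX validation cannot start, which is the
            // "trustAnchors parameter must be non-empty" failure in the thread.
            System.err.println("Default trust store is empty; HTTPS to any "
                    + "CA-signed host will fail regardless of the host chosen.");
            System.exit(1);
        }
    }
}
```

A zero count separates "this build ships an empty cacerts" from "the remote host or network is unavailable", which a test that connects to an external HTTPS site cannot tell apart.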