Hi Martin, thanks for your review.
Regarding the failing tests: They are not executed in any tier. You'd either have to execute all tests below jdk/test or the test group "jdk_security_infra". But anyway, I'll follow up on these tests as we see the issues in our test system and have to exclude them locally.

/Christoph

> -----Original Message-----
> From: Doerr, Martin
> Sent: Tuesday, 14 May 2019 10:22
> To: Langer, Christoph <christoph.lan...@sap.com>; 'jdk8u-d...@openjdk.java.net' <jdk8u-...@openjdk.java.net>; security-dev <security-dev@openjdk.java.net>
> Subject: RE: [8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates (Integration for JEP 319: Root Certificates)
>
> Hi Christoph,
>
> this looks good to me.
> I don't know if anybody has issues with the failing tests. Should they get added to a problem list?
>
> Best regards,
> Martin
>
>
> -----Original Message-----
> From: jdk8u-dev <jdk8u-dev-boun...@openjdk.java.net> On Behalf Of Langer, Christoph
> Sent: Tuesday, 7 May 2019 16:15
> To: 'jdk8u-...@openjdk.java.net' <jdk8u-...@openjdk.java.net>; security-dev <security-dev@openjdk.java.net>
> Subject: [CAUTION] RE: [8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates (Integration for JEP 319: Root Certificates)
>
> Ping: can I please have a review for this?
>
> From: Langer, Christoph
> Sent: Thursday, 2 May 2019 14:55
> To: 'jdk8u-...@openjdk.java.net' <jdk8u-...@openjdk.java.net>; security-dev <security-dev@openjdk.java.net>
> Subject: [8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates (Integration for JEP 319: Root Certificates)
>
> Hi,
>
> as was already discussed and requested on the mailing lists ([0], [1]), I hereby propose a change to add the root certificates of upstream OpenJDK to OpenJDK 8 updates.
>
> The main bug that (initially) brought the Oracle certificates to OpenJDK is 8189131: Open-source the Oracle JDK Root Certificates [2].
> My proposed change will also backport all updates to the contents of cacerts since then:
>
> 8191844: Remove SECOM root (secomevrootca1)
> 8189949: Remove Baltimore Cybertrust Code Signing CA
> 8191031: Remove several Symantec Root CAs
> 8196141: Add GoDaddy root certificates
> 8204923: Restore Symantec root verisignclass2g2ca
> 8195774: Add Entrust root certificates
> 8199779: Add T-Systems, GlobalSign and Starfield services root certificates
> 8209506: Add Google Trust Services GlobalSign root certificates
> 8210432: Add additional TeliaSonera root certificate
> 8195793: Remove GTE CyberTrust Global Root
> 8216577: Add GlobalSign's R6 Root certificate
> 8222137: Remove T-Systems root CA certificate
>
> Please find the webrev here:
> http://cr.openjdk.java.net/~clanger/webrevs/8189131.8u/
>
> I took the current state of cacerts from the jdk/jdk repo along with the provided testcases and brought them down to the jdk8 repository layout.
>
> To make the test run in JDK8, I had to
> a) modify test/sun/security/lib/cacerts/VerifyCACerts.java:
>
>  240     private static final HashSet<String> EXPIRY_EXC_ENTRIES = new HashSet<String>() {
>
> I needed to add the String type to the constructor of the HashSet, since the JDK8 java compiler will not accept <> in that place.
>
> b) modify test/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithParams.java
>
>   60     private static final String CACERTS_STORE = System.getProperty("test.jdk")
>   61             + FS + "jre" + FS + "lib" + FS + "security" + FS + "cacerts";
>
> I needed to adapt the path to cacerts in a JDK8 JDK/JRE as it is located in subdirectory jre there.
>
> Out of the tests in test/security/infra/java/security/cert/CertPathValidator/certification, there are 2 failing:
> FAILED: security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
> FAILED: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java
> However, for jdk/jdk it is the same. JBS Issues for these tests exist and are yet unresolved: JDK-8202651 and JDK-8215546.
>
> Since the tests don't seem to be part of any tier, I propose to include them in this backport and later on also backport possible fixes to them.
>
> Thanks
> Christoph
>
> [0] https://mail.openjdk.java.net/pipermail/security-dev/2019-March/019557.html
> [1] https://mail.openjdk.java.net/pipermail/security-dev/2019-April/019733.html
> [2] https://bugs.openjdk.java.net/browse/JDK-8189131
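
The cacerts location difference described in the thread (under jre/lib/security in a JDK 8 image, directly under lib/security otherwise), as an added example that is not part of the webrev or of the OpenJDK test suite: a Java 8 compatible listing of the trust store that flags expired and soon-to-expire roots. The class name ListCacerts, the 90-day warning window and the use of the conventional default store password "changeit" are assumptions of this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.concurrent.TimeUnit;

public class ListCacerts {
    // Assumption: window used by this example to flag soon-to-expire roots.
    private static final long WARN_DAYS = 90;

    // A JDK 8 image keeps the trust store under <jdk>/jre/lib/security;
    // other layouts (newer JDKs, a bare JRE 8) use <home>/lib/security.
    static Path locateCacerts(String home) {
        Path jdk8 = Paths.get(home, "jre", "lib", "security", "cacerts");
        if (Files.isRegularFile(jdk8)) {
            return jdk8;
        }
        return Paths.get(home, "lib", "security", "cacerts");
    }

    public static void main(String[] args) throws Exception {
        // Assumption: JDK root given as first argument, else java.home.
        String home = args.length > 0 ? args[0] : System.getProperty("java.home");
        Path store = locateCacerts(home);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(store)) {
            // Assumption: the store still uses the default password.
            ks.load(in, "changeit".toCharArray());
        }

        Date now = new Date();
        Date warn = new Date(now.getTime() + TimeUnit.DAYS.toMillis(WARN_DAYS));
        System.out.println(store + ": " + ks.size() + " entries");
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            Date notAfter = ((X509Certificate) c).getNotAfter();
            String state = notAfter.before(now) ? "EXPIRED"
                         : notAfter.before(warn) ? "EXPIRES SOON" : "ok";
            System.out.printf("%-12s %tF  %s%n", state, notAfter, alias);
        }
    }
}
```

Running it against a build before and after the backport gives two alias lists that can be diffed against the add and remove entries named in the review request.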