Hi Christoph, this looks good to me. I don't know if anybody has issues with the failing tests. Should they get added to a problem list?
Best regards, Martin -----Original Message----- From: jdk8u-dev <jdk8u-dev-boun...@openjdk.java.net> On Behalf Of Langer, Christoph Sent: Dienstag, 7. Mai 2019 16:15 To: 'jdk8u-...@openjdk.java.net' <jdk8u-...@openjdk.java.net>; security-dev <security-dev@openjdk.java.net> Subject: [CAUTION] RE: [8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates (Integration for JEP 319: Root Certificates) Ping: can I please have a review for this? From: Langer, Christoph Sent: Donnerstag, 2. Mai 2019 14:55 To: 'jdk8u-...@openjdk.java.net' <jdk8u-...@openjdk.java.net>; security-dev <security-dev@openjdk.java.net> Subject: [8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates (Integration for JEP 319: Root Certificates) Hi, as was already discussed and requested on the mailing lists ([0], [1]), I hereby propose a change to add the root certificates of upstream OpenJDK to OpenJDK 8 updates. The main bug that (initially) brought the Oracle certificates to OpenJDK is 8189131: Open-source the Oracle JDK Root Certificates [2]. My proposed change will also backport all updates to the contents of cacerts since then: 8191844: Remove SECOM root (secomevrootca1) 8189949: Remove Baltimore Cybertrust Code Signing CA 8191031: Remove several Symantec Root CAs 8196141: Add GoDaddy root certificates 8204923: Restore Symantec root verisignclass2g2ca 8195774: Add Entrust root certificates 8199779: Add T-Systems, GlobalSign and Starfield services root certificates 8209506: Add Google Trust Services GlobalSign root certificates 8210432: Add additional TeliaSonera root certificate 8195793: Remove GTE CyberTrust Global Root 8216577: Add GlobalSign's R6 Root certificate 8222137: Remove T-Systems root CA certificate Please find the webrev here: http://cr.openjdk.java.net/~clanger/webrevs/8189131.8u/ I took the current state of cacerts from the jdk/jdk repo along with the provided testcases and brought them down to the jdk8 repository layout. To make the test run in JDK8, I had to a) modify test/sun/security/lib/cacerts/VerifyCACerts.java: 240 private static final HashSet<String> EXPIRY_EXC_ENTRIES = new HashSet<String>() { I needed to add the String type to the constructor of the HashSet, since the JDK8 java compiler will not accept <> in that place. b) modify test/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithParams.java 60 private static final String CACERTS_STORE = System.getProperty("test.jdk") 61 + FS + "jre" + FS + "lib" + FS + "security" + FS + "cacerts"; I needed to adapt the path to cacerts in a JDK8 JDK/JRE as it is located in subdirectory jre there. Out of the tests in test/security/infra/java/security/cert/CertPathValidator/certification, there are 2 failing: FAILED: security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java FAILED: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java However, for jdk/jdk it is the same. JBS Issues for these tests exist and are yet unresolved: JDK-8202651 and JDK-8215546. Since the tests don't seem to be part of any tier, I propose to include them in this backport and later on also backport possible fixes to them. Thanks Christoph [0] https://mail.openjdk.java.net/pipermail/security-dev/2019-March/019557.html [1] https://mail.openjdk.java.net/pipermail/security-dev/2019-April/019733.html [2] https://bugs.openjdk.java.net/browse/JDK-8189131
