8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation #6647
…minsitic cacerts generation Signed-off-by: Andrew Leonard <anleonar@redhat.com>
…minsitic cacerts generation Signed-off-by: Andrew Leonard <anleonar@redhat.com>
I have a question related to the custom cacerts which can be added to the OpenJDK bundle. How do you pass the tests like test/jdk/sun/security/lib/cacerts/VerifyCACerts.java using that custom jdk bundle? Probably we can add an additional configuration to that test so it will check the custom cacerts passed to the build as well?
/label add security
@coffeys
@mrserb If a developer or other provider decides to provide their own cacerts file, then it is up to them to have verified and trust those certificates. They won't run the VerifyCACerts which is specific to the openjdk certs.
…ministic cacerts generation Signed-off-by: Andrew Leonard <anleonar@redhat.com>
Looks good!
@andrew-m-leonard This change now passes all automated pre-integration checks.
I don’t have any major concerns with this change, as long as the default cacerts are still the ones that are in the JDK. As an aside, using Mozilla's root certificates might be fine for TLS certificates, but if you need to support code signing certificates you may run into issues with missing CAs as Mozilla's Root program does not support that use case. Also, by overriding the roots included in the JDK, you are taking on the responsibility (which is significant, in my opinion) of ensuring that those roots are trusted and have not been compromised, revoked, have weak keys, etc.
@seanjmullan Thanks Sean, I'll pass your comment on, cheers Andrew
/integrate
Going to push as commit dc2abc9.
Your commit was automatically rebased without conflicts.
@andrew-m-leonard Pushed as commit dc2abc9. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.
@@ -71,6 +71,9 @@ $(GENDATA_CACERTS): $(BUILD_TOOLS_JDK) $(wildcard $(GENDATA_CACERTS_SRC)/*) | |||
ifeq ($(CACERTS_FILE), ) | |||
TARGETS += $(GENDATA_CACERTS) | |||
endif | |||
ifneq ($(CACERTS_SRC), ) | |||
GENDATA_CACERTS_SRC := $(CACERTS_SRC) | |||
endif |
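Review bot: The `GENDATA_CACERTS_SRC := $(CACERTS_SRC)` override is placed below the `$(GENDATA_CACERTS)` rule shown in the hunk header, whose prerequisite list `$(wildcard $(GENDATA_CACERTS_SRC)/*)` is expanded at the moment the rule is read. The dependencies therefore still come from the earlier value of the variable, so edits to the certificates in the `--with-cacerts-src` folder will not mark the cacerts store as out of date in an incremental build. Move the conditional above the rule so that the prerequisites and the recipe both see the overridden folder.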
Does this even work?! You are reassigning the variable after it has been used. The := assignment means that it is not a macro.
I would have expected to see something like:
ifneq ($(CACERTS_SRC), )
GENDATA_CACERTS_SRC := $(CACERTS_SRC)
else
GENDATA_CACERTS_SRC := $(TOPDIR)/make/data/cacerts/
endif
at line 63.
You make a valid point, but I've tested this numerous times, but let me check again
My assumption was the recipe gets resolved later
This was my understanding: https://www.gnu.org/software/make/manual/html_node/Variables-in-Recipes.html
This occurs after make has finished reading all the makefiles and the target is determined to be out of date; so, the recipes for targets which are not rebuilt are never expanded.
But I'm going to double check I was checking the resultant cacerts correctly in my tests
Oh, I didn't expand the diff far enough to actually see the context correctly when I reviewed this as I would never have imagined the conditional to be placed after the rule. While this will work in so far as using the correct files, incremental builds will not be correct, because the rules are defined in the first pass.
I very much agree with Magnus that this conditional belongs around line 63.
Yes, thanks, feeling rather stupid here! I'll raise an issue to fix
@andrew-m-leonard Don't be. Make is a horrible programming language, both syntactically and semantically. It's taken me years to be somewhat comfortable with it, and often I just manage to get it right only by sticking to a few, well-proven and battle-hardened patterns. :)
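The ordering problem discussed in this review thread, as an added example that is not part of the PR or of OpenJDK's makefiles: a constructed two-folder layout where `SRC` stands in for `GENDATA_CACERTS_SRC` and `OVERRIDE` for `CACERTS_SRC` (both names, the `store` target and the file names are assumptions). It builds a store, edits the custom certificate, rebuilds, and shows that with the override placed after the rule the store keeps the old certificate content, which for a trust store means a changed or withdrawn root can survive an incremental build.

```shell
#!/bin/sh
# Added example with a constructed layout (not OpenJDK's makefile).
# SRC stands in for GENDATA_CACERTS_SRC, OVERRIDE for CACERTS_SRC.

# build_twice late|early: build the store, edit the custom cert, build again,
# then print what the store contains after the second build.
build_twice() {
  dir=$(mktemp -d) || return 1
  mkdir "$dir/default" "$dir/custom"
  echo default-root > "$dir/default/a.pem"   # constructed sample "certs"
  echo custom-root > "$dir/custom/b.pem"
  override='ifneq ($(OVERRIDE),)
SRC := $(OVERRIDE)
endif'
  # "rule ; recipe" keeps the recipe on the rule line, so no tab is needed.
  # The prerequisite list is expanded when the rule is read; the recipe text
  # is expanded only when the target is actually rebuilt.
  rule='store: $(wildcard $(SRC)/*) ; @cat $(SRC)/* > $@'
  {
    echo 'SRC := default'
    if [ "$1" = early ]; then
      printf '%s\n' "$override" "$rule"   # corrected order: override, then rule
    else
      printf '%s\n' "$rule" "$override"   # order in the hunk: rule, then override
    fi
  } > "$dir/Makefile"
  make -s -C "$dir" OVERRIDE=custom store > /dev/null || return 1
  sleep 1                                  # make the edit strictly newer than the store
  echo custom-root-v2 > "$dir/custom/b.pem"
  make -s -C "$dir" OVERRIDE=custom store > /dev/null || return 1
  cat "$dir/store"
  rm -rf "$dir"
}

echo "override after rule:  $(build_twice late)"
echo "override before rule: $(build_twice early)"
```

In the `late` case the first build already reads the custom folder, which is why testing a clean build did not reveal the problem; only the second build differs.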
But they didn't think skipping this test was too strong a step? For example validation of the certs expiration is quite useful. I tried to update the test to take into account additional certs, but it caused a merge conflict each time the certs in OpenJDK are updated. Probably we can add a config file that can inject/override some info in the test (at least skip the checksum validation)? By default this config file will be empty and will not be modified in the OpenJDK, but the vendors will be able to modify it. @wangweij @rhalade what do you think?
The purpose of this test is to ensure integrity of the cacerts file along with basic validation of included roots. Having a config file with this information sounds like a good idea for now to be able to handle multiple files.
Addition of a configure option --with-cacerts-src='user cacerts folder' to allow developers to specify their own cacerts PEM folder for generation of the cacerts store using the deterministic openjdk GenerateCacerts tool.
Signed-off-by: Andrew Leonard anleonar@redhat.com
Reviewing
Using git
Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/6647/head:pull/6647
$ git checkout pull/6647
Update a local copy of the PR:
$ git checkout pull/6647
$ git pull https://git.openjdk.java.net/jdk pull/6647/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 6647
View PR using the GUI difftool:
$ git pr show -t 6647
Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/6647.diff