Sunday, July 7. 2013
OCSP Java Bug (Part III)
After the previous post about the OCSP bug I exchanged a few words via email with Andrew Hughes (the guy in charge of IcedTea), and he recommended that I try openjdk-8, because bugs are usually fixed in the next version and then backported to the current one. If the bug was still present there, he asked me to send a patch against that version. Besides, looking at my first post about this issue, he stated that the custody of openjdk-6 has passed over to Red Hat, something I did not know.
So here is a new entry about the same issue, but now using openjdk-8. The first thing to do was to compile the current openjdk-8 tree. I followed the steps explained in the OpenJDK build instructions:
First, cloning the repository and getting all the sources is necessary:
$ hg clone http://hg.openjdk.java.net/jdk8/jdk8 jdk8
$ cd jdk8
$ bash ./get_source.sh
Then the needed development packages are checked (they have to be installed on the box):
$ bash ./configure
In my case (Debian testing) the following packages had to be added:
# apt-get install libX11-dev libxext-dev libxrender-dev libxtst-dev libcups2-dev libasound2-dev ccache
Finally, everything is compiled (this step took about half an hour for me):
$ make all
And that is all. A beautiful JVM version 8 is deployed inside the build directory:
$ cd build/linux-x86_64-normal-server-release/images/j2sdk-image/bin
$ ./java -version
openjdk version "1.8.0-internal"
OpenJDK Runtime Environment (build 1.8.0-internal-ricky_2013_05_21_20_13-b00)
OpenJDK 64-Bit Server VM (build 25.0-b32, mixed mode)
Then I tried to test the new JVM. The jtreg application is needed, and the current version in Debian does not support the TestNG tests, so in the end I compiled it myself (I do not explain the steps because there are a lot of different things involved; basically I followed the build instructions using the ant version, but I had to do a lot of minor and weird extra things to make it work). After the compilation jtreg is located in the <JT_CLONE_DIR>/dist/jtreg directory, and the new JVM can be tested like this:
$ make JT_HOME=/home/ricky/jdk8/jtreg/dist/jtreg test
Only three tests fail (there are almost 3,500), and the complete process took about an hour and a half on my laptop.
Once I had the current openjdk-8 compiled, I tested my problem. It was still reproducible and, looking at the sources, the code is different from the previous versions 7 and 6, but much more similar to openjdk-6's. Here there is no list, and either the responderCert (the certificate configured via Java properties, for example ocsp.responderCertSubjectName) or the issuerCert (the certificate which issued the one being checked) is passed as the only valid certificate to sign the OCSP response. But now the OCSPChecker class has disappeared and a new RevocationChecker has arrived. I wrote another patch, which is more similar to the one provided for version 6 than to the one for 7. I tested all the situations again using the openssl OCSP engine (exactly as in the first entry of this series) and I repeated the jtreg automated tests (the same three tests failed).
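The kind of openssl-based test setup mentioned above, as an added example that is not part of the original post or of the OpenJDK patch: a throw-away PKI is built with openssl, the same OCSP request is answered three times (signed by the issuing CA itself, by a responder certificate the CA delegated with the OCSPSigning extended key usage, and by an unrelated certificate that merely carries the same extended key usage), and each response is checked with "openssl ocsp". Every file name, subject, serial number and date below is made up for the example, and a reasonably recent openssl binary on the PATH is assumed; nothing here is taken from the JDK code, the example only shows which signers the openssl verifier accepts, whereas the post's point is that the JDK checker of that time accepted only the issuer certificate or an explicitly configured responder certificate.

```shell
#!/bin/sh
# Added example (not from the original post): throw-away PKI plus the three
# signer configurations of an OCSP response, checked with "openssl ocsp".
# All names, subjects, serials and dates are made up here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the three certificate roles (assumed for the example).
cat > ext.cnf <<'EOF'
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
[ ocsp ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
subjectKeyIdentifier = hash
[ leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF

# new_csr NAME SUBJECT: fresh RSA key plus a CSR for it.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
}

new_csr ca    /CN=Test-CA
new_csr ocsp  /CN=Delegated-Responder
new_csr leaf  /CN=leaf.example
new_csr rogue /CN=Rogue-Responder

# Self-signed CA; the leaf and the delegated responder are issued by it.
openssl x509 -req -in ca.csr -signkey ca.key -days 1 -set_serial 1 \
  -extfile ext.cnf -extensions ca -out ca.pem 2>/dev/null
openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -days 1 -set_serial 2 \
  -extfile ext.cnf -extensions ocsp -out ocsp.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -days 1 -set_serial 4096 \
  -extfile ext.cnf -extensions leaf -out leaf.pem 2>/dev/null
# A responder certificate with the OCSPSigning EKU but NOT issued by the CA.
openssl x509 -req -in rogue.csr -signkey rogue.key -days 1 -set_serial 1 \
  -extfile ext.cnf -extensions ocsp -out rogue.pem 2>/dev/null

# Responder database in "openssl ca" index format: status, expiry, revocation
# date (empty), serial in hex (4096 = 0x1000), file name, subject.
printf 'V\t301231235959Z\t\t1000\tunknown\t/CN=leaf.example\n' > index.txt

# The request a client would send for leaf.pem (-no_nonce keeps the later
# offline verification from expecting a nonce). Only req.der matters here.
openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1 || :
[ -s req.der ]

# sign_response OUT SIGNER_CERT SIGNER_KEY: answer req.der offline from the
# index, signed with the given certificate, and write the DER response to OUT.
sign_response() {
  openssl ocsp -index index.txt -CA ca.pem -rsigner "$2" -rkey "$3" -rmd sha256 \
    -reqin req.der -respout "$1" -noverify >/dev/null 2>&1
}

# verify_response RESP: "ok" if openssl accepts the response signer for the
# issuer of leaf.pem, "fail" otherwise (the exit status carries the verdict).
verify_response() {
  if openssl ocsp -respin "$1" -issuer ca.pem -cert leaf.pem -CAfile ca.pem \
       -no_nonce >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

sign_response by-issuer.der    ca.pem    ca.key
sign_response by-delegated.der ocsp.pem  ocsp.key
sign_response by-rogue.der     rogue.pem rogue.key

echo "signed by the issuing CA:           $(verify_response by-issuer.der)"     # ok
echo "signed by a delegated responder:    $(verify_response by-delegated.der)"  # ok
echo "signed by an unrelated certificate: $(verify_response by-rogue.der)"      # fail
```

The verifier in openssl accepts the first two responses and rejects the third: a delegated responder is trusted only when its certificate was issued by the same CA that issued the checked certificate and carries the OCSPSigning extended key usage, which is exactly the distinction a revocation checker that accepts a single hard-wired signer cannot make.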
Finally I sent an email to the security-dev mailing list describing the issue, with the patch attached (just as Andrew told me). It seems that things are moving on now. So far a bug has been opened about the issue, and I was asked to sign the OCA agreement (which I did some weeks ago) so that my patch could be accepted. The OCA has just been processed and my name can be seen in the contributors list. (In Spain everyone has a given name and two surnames. The first one comes from the father and the second from the mother. Now there are laws that let the parents invert the order, swapping the surnames. When I work with English-speaking people they always remove my father's surname. My mother is very pleased with that.)
On the road again!