RFR 8189131: Open-source the Oracle JDK Root Certificates

Sean Mullan sean.mullan at oracle.com
Tue Dec 5 17:33:36 UTC 2017

On 12/5/17 12:01 PM, Volker Simonis wrote:
> Hi Rajan,
> 'cacerts' is a binary file and I thought we have at least the
> convention in the OpenJDK project that we don't want to check in
> binary artefact's if possible.
> One problem with 'cacerts' being a binary file is that we can not add
> a license and copyright to it. Another one is that it is hard to look
> inside the file to see what it provides. The biggest problem from my
> point of view is however that updates to the file will be opaque.
> Wouldn't it make more sense to add the root certificates in plain text
> format (e.g. like the Mozilla cacert data [1]) and create the binary
> cacert file at build time? This would also make it easy to merge the
> OpenJDK built-in root certificates with user/distributor provided
> ones. But that's really just a nice side effect. The main reason for
> my request is that I'm somehow feeling uncomfortable to maintain a
> security-relevant part of the OpenJDK in an opaque, binary blob.
> What do others think?

When all is said and done, the certs themselves are binary; we cannot 
change that. But I agree having some sort of build mechanism that 
imports each cert from a textual representation (which can be annotated 
with comments/copyright) to create the binary cacerts keystore would be 
nice -- however, I think implementing something like what Mozilla/NSS is 
doing is not a trivial project and would put this JEP in jeopardy for 
making JDK 10.

I suggest filing an RFE for now.


> Regards,
> Volker
> [1] https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <rajan.halade at oracle.com> wrote:
>> May I request for your review of this fix to open source the root
>> certificates in Oracle's Java SE Root CA program. The fix is to populate
>> cacerts keystore with root certificates and add corresponding tests for it
>> as per the test plan outlined at JDK-8191711. interoperability tests are
>> added against CAs with available test certificates.
>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>> Thanks,
>> Rajan

More information about the build-dev mailing list