RFR 8189131: Open-source the Oracle JDK Root Certificates
Magnus Ihse Bursie
magnus.ihse.bursie at oracle.com
Tue Dec 5 18:55:53 UTC 2017
On 2017-12-05 18:33, Sean Mullan wrote:
> On 12/5/17 12:01 PM, Volker Simonis wrote:
>> Hi Rajan,
>> 'cacerts' is a binary file and I thought we have at least the
>> convention in the OpenJDK project that we don't want to check in
>> binary artefact's if possible.
>> One problem with 'cacerts' being a binary file is that we can not add
>> a license and copyright to it. Another one is that it is hard to look
>> inside the file to see what it provides. The biggest problem from my
>> point of view is however that updates to the file will be opaque.
>> Wouldn't it make more sense to add the root certificates in plain text
>> format (e.g. like the Mozilla cacert data ) and create the binary
>> cacert file at build time? This would also make it easy to merge the
>> OpenJDK built-in root certificates with user/distributor provided
>> ones. But that's really just a nice side effect. The main reason for
>> my request is that I'm somehow feeling uncomfortable to maintain a
>> security-relevant part of the OpenJDK in an opaque, binary blob.
>> What do others think?
> When all is said and done, the certs themselves are binary; we cannot
> change that. But I agree having some sort of build mechanism that
> imports each cert from a textual representation (which can be
> annotated with comments/copyright) to create the binary cacerts
> keystore would be nice -- however, I think implementing something like
> what Mozilla/NSS is doing is not a trivial project and would put this
> JEP in jeopardy for making JDK 10.
> I suggest filing an RFE for now.
I agree. It would be nice compiling the binary keystore during the
build. (Even though that, if we're talking serious security issues here,
opens up a new attack vector if the compilation tool used is
compromised.) And I agree that it is not trivial or at all doable for
There's no explicit prohibition on binary files, it's just as Volker
says, something we try to avoid.
>> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade
>> <rajan.halade at oracle.com> wrote:
>>> May I request for your review of this fix to open source the root
>>> certificates in Oracle's Java SE Root CA program. The fix is to
>>> cacerts keystore with root certificates and add corresponding tests
>>> for it
>>> as per the test plan outlined at JDK-8191711. interoperability tests
>>> added against CAs with available test certificates.
>>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
More information about the build-dev