RFR 8189131: Open-source the Oracle JDK Root Certificates

Magnus Ihse Bursie magnus.ihse.bursie at oracle.com
Tue Dec 5 18:55:53 UTC 2017

On 2017-12-05 18:33, Sean Mullan wrote:
> On 12/5/17 12:01 PM, Volker Simonis wrote:
>> Hi Rajan,
>> 'cacerts' is a binary file and I thought we have at least the
>> convention in the OpenJDK project that we don't want to check in
>> binary artefact's if possible.
>> One problem with 'cacerts' being a binary file is that we can not add
>> a license and copyright to it. Another one is that it is hard to look
>> inside the file to see what it provides. The biggest problem from my
>> point of view is however that updates to the file will be opaque.
>> Wouldn't it make more sense to add the root certificates in plain text
>> format (e.g. like the Mozilla cacert data [1]) and create the binary
>> cacert file at build time? This would also make it easy to merge the
>> OpenJDK built-in root certificates with user/distributor provided
>> ones. But that's really just a nice side effect. The main reason for
>> my request is that I'm somehow feeling uncomfortable to maintain a
>> security-relevant part of the OpenJDK in an opaque, binary blob.
>> What do others think?
> When all is said and done, the certs themselves are binary; we cannot 
> change that. But I agree having some sort of build mechanism that 
> imports each cert from a textual representation (which can be 
> annotated with comments/copyright) to create the binary cacerts 
> keystore would be nice -- however, I think implementing something like 
> what Mozilla/NSS is doing is not a trivial project and would put this 
> JEP in jeopardy for making JDK 10.
> I suggest filing an RFE for now.
I agree. It would be nice compiling the binary keystore during the 
build. (Even though that, if we're talking serious security issues here, 
opens up a new attack vector if the compilation tool used is 
compromised.) And I agree that it is not trivial or at all doable for 
JDK 10.

There's no explicit prohibition on binary files, it's just as Volker 
says, something we try to avoid.


> --Sean
>> Regards,
>> Volker
>> [1] 
>> https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
>> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade 
>> <rajan.halade at oracle.com> wrote:
>>> May I request for your review of this fix to open source the root
>>> certificates in Oracle's Java SE Root CA program. The fix is to 
>>> populate
>>> cacerts keystore with root certificates and add corresponding tests 
>>> for it
>>> as per the test plan outlined at JDK-8191711. interoperability tests 
>>> are
>>> added against CAs with available test certificates.
>>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>>> Thanks,
>>> Rajan

More information about the build-dev mailing list