RFR 8189131: Open-source the Oracle JDK Root Certificates

Volker Simonis volker.simonis at gmail.com
Fri Dec 8 14:45:26 UTC 2017

On Tue, Dec 5, 2017 at 7:55 PM, Magnus Ihse Bursie
<magnus.ihse.bursie at oracle.com> wrote:
> On 2017-12-05 18:33, Sean Mullan wrote:
>> On 12/5/17 12:01 PM, Volker Simonis wrote:
>>> Hi Rajan,
>>> 'cacerts' is a binary file and I thought we have at least the
>>> convention in the OpenJDK project that we don't want to check in
>>> binary artefact's if possible.
>>> One problem with 'cacerts' being a binary file is that we can not add
>>> a license and copyright to it. Another one is that it is hard to look
>>> inside the file to see what it provides. The biggest problem from my
>>> point of view is however that updates to the file will be opaque.
>>> Wouldn't it make more sense to add the root certificates in plain text
>>> format (e.g. like the Mozilla cacert data [1]) and create the binary
>>> cacert file at build time? This would also make it easy to merge the
>>> OpenJDK built-in root certificates with user/distributor provided
>>> ones. But that's really just a nice side effect. The main reason for
>>> my request is that I'm somehow feeling uncomfortable to maintain a
>>> security-relevant part of the OpenJDK in an opaque, binary blob.
>>> What do others think?
>> When all is said and done, the certs themselves are binary; we cannot
>> change that. But I agree having some sort of build mechanism that imports
>> each cert from a textual representation (which can be annotated with
>> comments/copyright) to create the binary cacerts keystore would be nice --
>> however, I think implementing something like what Mozilla/NSS is doing is
>> not a trivial project and would put this JEP in jeopardy for making JDK 10.
>> I suggest filing an RFE for now.
> I agree. It would be nice compiling the binary keystore during the build.
> (Even though that, if we're talking serious security issues here, opens up a
> new attack vector if the compilation tool used is compromised.) And I agree
> that it is not trivial or at all doable for JDK 10.

OK, I've opened the RFR "JDK-8193255: Root Certificates should be
stored in text format and assembled at build time" for this issue.
I've also put some information about how the AdoptOpenJDK builds their
cacerts JKS file from the Mozilla certdata.txt data into the JBS
issue. I think we should do something similar in the OpenJDK at build

By the way, how did you create the JKS file which will be contributed
to the OpenJDK. I suppose Oracle gets all the contained certificates
in a text format and assembles them internally into the binary cacerts
file. So you must already have some tooling for doing this (although I
understand that it may be not suitable for direct inclusion into the
OpenJDK because of copyright/licensing issues).


[1] https://bugs.openjdk.java.net/browse/JDK-8193255

> There's no explicit prohibition on binary files, it's just as Volker says,
> something we try to avoid.
> /Magnus
>> --Sean
>>> Regards,
>>> Volker
>>> [1]
>>> https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
>>> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <rajan.halade at oracle.com>
>>> wrote:
>>>> May I request for your review of this fix to open source the root
>>>> certificates in Oracle's Java SE Root CA program. The fix is to populate
>>>> cacerts keystore with root certificates and add corresponding tests for
>>>> it
>>>> as per the test plan outlined at JDK-8191711. interoperability tests are
>>>> added against CAs with available test certificates.
>>>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>>>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>>>> Thanks,
>>>> Rajan

More information about the build-dev mailing list