RFR 8193255: Root Certificates should be stored in text format and assembled at build time

Sean Mullan sean.mullan at oracle.com
Fri May 31 15:15:07 UTC 2019 

On 5/30/19 8:49 PM, Weijun Wang wrote:
> Sure. How many info do you want to see?
> 
> I can prepend `keytool -printcert` but that's too much. At least I think the extensions part is not needed. Also, I don't wish people reading the fingerprint inside as genuine and does not calculate it from the cert itself.
> 
> So, I'm thinking of
> 
> Owner: CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US
> Issuer: CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US
> Serial number: 50946cec18ead59c4dd597ef758fa0ad
> Valid from: 1 Nov 2004 17:14:04 GMT until: 1 Jan 2035 05:37:19 GMT
> Signature algorithm name: SHA1withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 3
> 
> Is that OK?

This is good. Did you use keytool to emit those fields? It might make 
sense to add a brief README in this directory with instructions or a 
code snippet so that the next time we add a cert we know what to include 
at the top for consistency.

Thanks,
Sean

> 
> Thanks,
> Max
> 
> p.s. `keytool -printcert` shows validity in local timezone. Does not look good to me.
> 
>> On May 31, 2019, at 6:51 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> One suggestion is to put a printable form of the contents of the certificate at the top of each of the PEM files. It would be nice as a quick-look to see what is in the certificate. Of course, you can also use keytool -printcert to do that, but if I am just perusing the source code via a browser or something like that, it would be nice to not have to do that.
>>
>> --Sean
>>
>> On 5/30/19 9:01 AM, Weijun Wang wrote:
>>> Please take a review at
>>>     http://cr.openjdk.java.net/~weijun/8193255/webrev.00/
>>> Please pay attention to the 1st 3 and the last 2 files. Others are PEM files for all certs inside the original cacerts.
>>> There is one thing I cannot get correct. If I update the GenerateCacerts.java file and rerun make, the cacerts file is unchanged. I thought the following line
>>>     $(GENDATA_CACERTS): $(BUILD_TOOLS) $(GENDATA_CACERTS_SRC)
>>> means when when the tool is changed, GENDATA_CACERTS will be called.
>>> Thanks,
>>> Max
>

More information about the build-dev mailing list