RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12
Michael Osipov
duke at openjdk.java.net
Thu Oct 14 15:45:50 UTC 2021
On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> The cacerts file is now a password-less PKCS12 file. This makes sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside.
I don't understand how this can work at all. I wrote a custom `CertDownloader` for our company use where I wanted to migrate to PKCS#12. Suddenly all of my applications started to fail on OpenJDK8u until I figured out that PKCS#12 was not designed to be passwordless and, due to the missing encryption, the trusted CAs aren't visible. This bug is known as:
* https://bugs.openjdk.java.net/browse/JDK-8231107
* https://bugs.openjdk.java.net/browse/JDK-8194702
I had to revert to JKS for now. Unless those drizzle down to 8u, 11u, 17u this is going to be hard.
I would still love to see a trust store (not key store) which either reads OpenSSL's [`CAfile` or `CApath`](https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_load_verify_locations.html). This would greatly improve compat between Java and the OS default store on many OSes, e.g., Debian, FreeBSD, RHEL, etc.
-------------
PR: https://git.openjdk.java.net/jdk/pull/5948
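The check a practitioner would want before switching a deployment to a password-less PKCS12 trust store is the one the thread is arguing about: load the file the way existing code does (default KeyStore type, null password) and count how many trusted certificate entries are actually visible. The program below is an added illustration, not code from the PR or from the `CertDownloader` mentioned above; it assumes the path passed on the command line (or, by default, the running JDK's own `lib/security/cacerts`) is the store to inspect, and it loads it once with a null password and once with an arbitrary password, mirroring the claim in the quoted text that either should work. A count of 0 on the null-password load is the symptom the post describes for releases that lack the two fixes linked above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;

public class TrustStoreCheck {

    // Load the store with the default type (what legacy "JKS" code effectively does on
    // JDKs with dual-format keystore support) and count trusted certificate entries.
    // Assumption: the file is a password-less PKCS12 or a JKS cacerts-style trust store.
    static int countTrustedEntries(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store.toFile())) {
            ks.load(in, password);
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                trusted++;
            }
        }
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        // Default to the running JDK's own cacerts; pass another path to inspect it instead.
        Path store = args.length > 0
                ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");

        System.out.println("store: " + store);
        System.out.println("java.version: " + System.getProperty("java.version"));

        // Null password: the load path old code relies on.
        int withNull = countTrustedEntries(store, null);
        System.out.println("trusted entries with null password: " + withNull);

        // Arbitrary password: the quoted text says any password should also work
        // for a password-less PKCS12 store.
        int withAny = countTrustedEntries(store, "not-the-real-password".toCharArray());
        System.out.println("trusted entries with arbitrary password: " + withAny);

        if (withNull == 0) {
            System.out.println("WARNING: no trusted entries visible with a null password; "
                    + "this JDK may not support password-less PKCS12 trust stores.");
        }
    }
}
```

Run it against a JKS cacerts and against the PKCS12 one produced by the change under review on each JDK line you ship (8u, 11u, 17u) and compare the two counts; a mismatch between the formats on the same JDK is exactly the compatibility gap the reply is worried about.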