RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12
Sean Mullan
mullan at openjdk.java.net
Fri Oct 15 14:04:48 UTC 2021
On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> The cacerts file is now a password-less PKCS12 file. This makes sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside.
make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 74:
> 72: cert = (X509Certificate) cf.generateCertificate(fis);
> 73: }
> 74: ks.setCertificateEntry(alias, cert);
In the previous code, we always used a fixed date (cert's notBefore) for the creation date. Now, it seems it will always be different and based on when it was created. I'm not really sure if this is an issue in practice, but I think it is worth thinking about a bit more - do you have any thoughts on this?
-------------
PR: https://git.openjdk.java.net/jdk/pull/5948