RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12
Weijun Wang
weijun at openjdk.java.net
Fri Oct 15 15:00:50 UTC 2021
On Fri, 15 Oct 2021 14:12:55 GMT, Magnus Ihse Bursie <ihse at openjdk.org> wrote:
>> make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 74:
>>
>>> 72: cert = (X509Certificate) cf.generateCertificate(fis);
>>> 73: }
>>> 74: ks.setCertificateEntry(alias, cert);
>>
>> In the previous code, we always used a fixed date (cert's notBefore) for the creation date. Now, it seems it will be always different and based on when it was created. I'm not really sure if this is an issue in practice, but I think it is worth thinking about a bit more - do you have any thoughts on this?
>
> If that means the build will become non-reproducible, then *I* certainly have thoughts about it! ;-)
The certificate stored in a PKCS12 file has no date associated. Whenever you load a keystore, the creation time is set to the load time.
In fact, `VerifyCACerts.java` maintains a SHA-256 hash of the keystore and it will not change unless the certs themselves are changed.
Here are the actual bytes for one certificate entry inside:
0000:1AD48 [] SEQUENCE
0005:0659 [0] SEQUENCE
0009:000D [00] OID 1.2.840.113549.1.12.10.1.3 (CertBag)
0016:05DB [01] cont [0]
001A:05D7 [010] SEQUENCE
001E:000C [0100] OID 1.2.840.113549.1.9.22.1 (CertTypeX509)
002A:05C7 [0101] cont [0]
002E:05C3 [01010] OCTET STRING (1729119956)
0000: 30 82 05 BB 30 82 03 A3 A0 03 02 01 02 02 08 57 0...0..........W
0010: 0A 11 97 42 C4 E3 CC 30 0D 06 09 2A 86 48 86 F7 ...B...0...*.H..
0020: 0D 01 01 0B 05 00 30 6B 31 0B 30 09 06 03 55 04 ......0k1.0...U. (1471 bytes)
05F1:006D [02] SET
05F3:0053 [020] SEQUENCE
05F5:000B [0200] OID 1.2.840.113549.1.9.20 (FriendlyName)
0600:0046 [0201] SET
0602:0044 [02010] STRING "actalisauthenticationrootca [jdk]"
0646:0018 [021] SEQUENCE
0648:000E [0210] OID 2.16.840.1.113894.746875.1.1 (ORACLE_TrustedKeyUsage)
0656:0008 [0211] SET
0658:0006 [02110] OID 2.5.29.37.0 (anyExtendedKeyUsage)
-------------
PR: https://git.openjdk.java.net/jdk/pull/5948
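The reproducibility argument above, as an added example that is not part of the PR or the mailing list thread: it builds a password-less PKCS12 trust store twice from the same directory of certificate files (the alias convention "<file name> [jdk]" is assumed from the dump above; the two `keystore.pkcs12.*` security properties are the documented JDK settings that make a null store password legal), hashes both outputs, and then shows that the creation date of an entry is simply the load time.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;

public class CacertsReproCheck {
    // Build a password-less PKCS12 trust store from the X.509 cert files in certDir.
    // Both security properties must be NONE so that store(..., null) writes
    // unencrypted cert bags and no MAC; otherwise a null password is rejected.
    static byte[] build(Path certDir) throws Exception {
        Security.setProperty("keystore.pkcs12.certProtectionAlgorithm", "NONE");
        Security.setProperty("keystore.pkcs12.macAlgorithm", "NONE");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Path> files = new ArrayList<>();
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(certDir)) {
            ds.forEach(files::add);
        }
        Collections.sort(files); // fixed order: entry order must not depend on the filesystem
        for (Path p : files) {
            X509Certificate cert;
            try (InputStream in = Files.newInputStream(p)) {
                cert = (X509Certificate) cf.generateCertificate(in);
            }
            // alias convention assumed: file name plus " [jdk]", as in the dump above
            ks.setCertificateEntry(p.getFileName() + " [jdk]", cert);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, null); // null password: legal only with both properties set to NONE
        return out.toByteArray();
    }

    static String sha256(byte[] data) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return HexFormat.of().withUpperCase().formatHex(md.digest(data));
    }

    public static void main(String[] args) throws Exception {
        Path dir = Path.of(args[0]);
        byte[] first = build(dir);
        Thread.sleep(1100); // cross a second boundary so a baked-in creation date would show
        byte[] second = build(dir);
        System.out.println("SHA-256 #1: " + sha256(first));
        System.out.println("SHA-256 #2: " + sha256(second));
        System.out.println("byte-identical: " + Arrays.equals(first, second));
        // No date is stored with a PKCS12 cert entry; the creation date is the load time.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(first), null);
        String alias = ks.aliases().nextElement();
        System.out.println(alias + " creation date: " + ks.getCreationDate(alias));
    }
}
```

Run it as `java CacertsReproCheck <dir-with-cert-files>`; the two hashes match regardless of when the builds ran, and reloading the same bytes later yields a different creation date.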