RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12
Magnus Ihse Bursie
ihse at openjdk.java.net
Mon Oct 18 09:36:49 UTC 2021
On Fri, 15 Oct 2021 14:56:23 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> If that means the build will become non-reproducible, then *I* certainly have thoughts about it! ;-)
>
> The certificate stored in a PKCS12 file has no date associated. Whenever you load a keystore, the creation time is set to the load time.
>
> In fact, the `VerifyCACerts.java` maintains a SHA-256 hash of the keystore and it will not change unless the certs themselves are changed.
>
> Here are the actual bytes for one certificate entry inside:
>
> 0000:1AD48 [] SEQUENCE
> 0005:0659 [0] SEQUENCE
> 0009:000D [00] OID 1.2.840.113549.1.12.10.1.3 (CertBag)
> 0016:05DB [01] cont [0]
> 001A:05D7 [010] SEQUENCE
> 001E:000C [0100] OID 1.2.840.113549.1.9.22.1 (CertTypeX509)
> 002A:05C7 [0101] cont [0]
> 002E:05C3 [01010] OCTET STRING (1729119956)
> 0000: 30 82 05 BB 30 82 03 A3 A0 03 02 01 02 02 08 57 0...0..........W
> 0010: 0A 11 97 42 C4 E3 CC 30 0D 06 09 2A 86 48 86 F7 ...B...0...*.H..
> 0020: 0D 01 01 0B 05 00 30 6B 31 0B 30 09 06 03 55 04 ......0k1.0...U. (1471 bytes)
> 05F1:006D [02] SET
> 05F3:0053 [020] SEQUENCE
> 05F5:000B [0200] OID 1.2.840.113549.1.9.20 (FriendlyName)
> 0600:0046 [0201] SET
> 0602:0044 [02010] STRING "actalisauthenticationrootca [jdk]"
> 0646:0018 [021] SEQUENCE
> 0648:000E [0210] OID 2.16.840.1.113894.746875.1.1 (ORACLE_TrustedKeyUsage)
> 0656:0008 [0211] SET
> 0658:0006 [02110] OID 2.5.29.37.0 (anyExtendedKeyUsage)
As long as the file content is not date dependent, I'm happy :)
-------------
PR: https://git.openjdk.java.net/jdk/pull/5948
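To illustrate the two points made above (the trust store's file hash stays stable while each entry's creation date is simply the load time), here is an added example that is not part of the thread or of the JDK sources. It assumes the password-less PKCS12 cacerts sits at the default `<java.home>/lib/security/cacerts` and uses the alias from the dump quoted above.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.Date;
import java.util.HexFormat;

public class CacertsCheck {
    // Assumed location of the password-less PKCS12 trust store in a JDK image.
    static final Path CACERTS =
            Path.of(System.getProperty("java.home"), "lib", "security", "cacerts");

    // SHA-256 over the raw file bytes. Because a PKCS12 certificate entry carries
    // no timestamp, this value only changes when the certificates themselves change.
    static String fileDigest(Path p) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(p));
        return HexFormat.of().withUpperCase().formatHex(digest);
    }

    // Load the keystore with a null password (no MAC to verify on a password-less
    // PKCS12) and report the creation date the KeyStore API attaches to one entry.
    static Date loadAndGetCreationDate(Path p, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(p)) {
            ks.load(in, null);
        }
        return ks.getCreationDate(alias); // null if the alias is not present
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "actalisauthenticationrootca [jdk]";
        System.out.println("SHA-256(cacerts) = " + fileDigest(CACERTS));

        Date first = loadAndGetCreationDate(CACERTS, alias);
        if (first == null) {
            System.out.println("alias not found: " + alias);
            return;
        }
        Thread.sleep(1500);
        Date second = loadAndGetCreationDate(CACERTS, alias);
        System.out.println("creation date on 1st load: " + first);
        System.out.println("creation date on 2nd load: " + second);
        // The dates differ because each one is the moment of its own load, while the
        // digest printed above is identical for both loads: the file is date independent.
        System.out.println("creation dates differ: " + !first.equals(second));
    }
}
```

Run it twice on the same JDK image (or on two reproducibly built images) and compare the printed digest; `keytool -list -cacerts -v` shows the same load-time "Creation date" behaviour.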