RFR: [8u] JDK-8193255: Root Certificates should be stored in text format and assembled at build time
Andrew John Hughes
gnu.andrew at redhat.com
Wed Jan 29 07:42:04 UTC 2020
Bug: https://bugs.openjdk.java.net/browse/JDK-8193255
Webrevs:
Root: https://cr.openjdk.java.net/~andrew/openjdk8/8193255/root/
JDK: https://cr.openjdk.java.net/~andrew/openjdk8/8193255/jdk/
This change gets rid of the binary cacerts file held in the repository
and instead generates it from individual text certificates at build time.
For 8u, it's as much a rewrite as a backport, due to changes in the
build system and the different requirements for build tools (they need
to work with 10 & 11 in OpenJDK 11, but 7 & 8 in OpenJDK 8).
The original JDK-8193255 also contains a number of changes to makefiles
which are really worthy of a separate bug and don't relate to this
change. These are changes to make/gendata/GendataBlacklistedCerts.gmk,
make/gendata/GendataBreakIterator.gmk and
make/gendata/GendataPublicSuffixList.gmk which replace BUILD_TOOLS with
BUILD_TOOLS_JDK. This is apparently a change that should have been made
when the repositories were unified [0], and it has little relation to
the cacerts change, other than the issue was discovered while it was
being developed. These changes aren't included in the backport,
especially as two of these makefiles don't even exist in 8u. Backporting
JDK-8047765 to generate blacklisted.certs may be worthwhile at some
point, though.
The makefile changes that are retained have been adapted to the style
used in 8u, but are in essence the same, though occasionally in
different locations. The default value for CACERTS_FILE is set by
configure in 8u, so that is removed in the top-level repository (the
empty value being used to trigger generation).
The build tool, GenerateCacerts.java, has been modified to avoid the use
of lambdas and the functional API from 8u, so it can be built using a
Java 7 JDK. I actually think this makes the code more readable, avoiding
some duplication and the need to wrap an exception in a RuntimeException.
JDK-8235142: "JDK-8193255 backport broke bootstrap with JDK 10" is
effectively included here as removing the use of Path.of() is essential
when the bootstrap JDKs are either 7 or 8.
Building with this patch produces a cacerts file containing the same
certificates as from a build of 8u242, with the exception of the Amazon
& LuxTrust certificates yet to be backported:
$ keytool -list -keystore /home/andrew/builder/8u/jdk/lib/security/cacerts > 8u.list
$ keytool -list -keystore /home/andrew/builder/8u-dev/jdk/lib/security/cacerts > 8u-dev.list
$ grep 'trustedCertEntry' 8u-dev.list | cut -d ' ' -f 1|sort > 8u-dev.sort
$ grep 'trustedCertEntry' 8u.list | cut -d ' ' -f 1|sort > 8u.sort
$ diff -u 8u.sort 8u-dev.sort
--- 8u.sort 2020-01-29 06:24:17.108785705 +0000
+++ 8u-dev.sort 2020-01-29 06:24:11.636869008 +0000
@@ -6,10 +6,6 @@
affirmtrustnetworkingca
affirmtrustpremiumca
affirmtrustpremiumeccca
-amazonrootca1
-amazonrootca2
-amazonrootca3
-amazonrootca4
baltimorecybertrustca
buypassclass2ca
buypassclass3ca
@@ -54,7 +50,6 @@
identrustpublicca
keynectisrootca
letsencryptisrgx1
-luxtrustglobalroot2ca
luxtrustglobalrootca
quovadisrootca
Once this is reviewed & approved, we'll follow this up with JDK-8225392
and as-is text based backports of the Amazon & LuxTrust certificates
that were added as binaries in 8u242 only.
[0] https://mail.openjdk.java.net/pipermail/security-dev/2019-May/020044.html
--
Andrew :)
Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew
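
The check in the message above compares alias names only (the first field of each trustedCertEntry line). As an added example, not part of the original post or of OpenJDK, the script below goes one step further and also compares the fingerprint line that keytool -list prints under each entry, so a generated cacerts whose alias matches but whose certificate differs is reported too. The function names are hypothetical, the listing layout is an assumption stated in the comments, and the sample listings and fingerprints are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the post): compare two saved `keytool -list`
# outputs by alias and certificate fingerprint. Function names are hypothetical.
export LC_ALL=C   # same collation for sort and join

# Print sorted "alias fingerprint" pairs. Assumed layout: an "alias, date,
# trustedCertEntry," line followed by "Certificate fingerprint (...): AA:BB:...".
alias_fingerprints() {
  awk -F', ' '
    /trustedCertEntry/ { name = $1; next }
    /^Certificate fingerprint/ && name != "" {
      sub(/^[^:]*: */, ""); print name, $0; name = ""
    }' "$1" | sort -k1,1
}

# Report aliases missing from either list and aliases whose fingerprints differ.
compare_lists() {
  local a b
  a=$(mktemp) && b=$(mktemp) || return 1
  alias_fingerprints "$1" > "$a"
  alias_fingerprints "$2" > "$b"
  join -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$a" "$b" | awk '
    $3 == "MISSING" { print "only-in-first " $1; next }
    $2 == "MISSING" { print "only-in-second " $1; next }
    $2 != $3        { print "fingerprint-differs " $1 }'
  rm -f "$a" "$b"
}

# Constructed sample listings; the fingerprints are made-up placeholders.
entry() {
  printf '%s, Jan 29, 2020, trustedCertEntry, \nCertificate fingerprint (SHA1): %s\n' "$1" "$2"
}
sample_old() {
  entry amazonrootca1 AA:00:00:01
  entry letsencryptisrgx1 BB:00:00:02
  entry quovadisrootca CC:00:00:03
}
sample_new() {
  entry letsencryptisrgx1 BB:00:00:02
  entry quovadisrootca CC:00:00:FF
}

demo() {
  local d; d=$(mktemp -d)
  sample_old > "$d/old.list"; sample_new > "$d/new.list"
  compare_lists "$d/old.list" "$d/new.list"
  rm -rf "$d"
}
demo
```

With real keystores, pass the saved 8u.list and 8u-dev.list files to compare_lists; empty output means the alias sets and fingerprints agree.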