RFR 8189131: Open-source the Oracle JDK Root Certificates

Volker Simonis volker.simonis at gmail.com
Tue Dec 5 17:01:31 UTC 2017

Hi Rajan,

'cacerts' is a binary file and I thought we have at least the
convention in the OpenJDK project that we don't want to check in
binary artefact's if possible.

One problem with 'cacerts' being a binary file is that we can not add
a license and copyright to it. Another one is that it is hard to look
inside the file to see what it provides. The biggest problem from my
point of view is however that updates to the file will be opaque.

Wouldn't it make more sense to add the root certificates in plain text
format (e.g. like the Mozilla cacert data [1]) and create the binary
cacert file at build time? This would also make it easy to merge the
OpenJDK built-in root certificates with user/distributor provided
ones. But that's really just a nice side effect. The main reason for
my request is that I'm somehow feeling uncomfortable to maintain a
security-relevant part of the OpenJDK in an opaque, binary blob.

What do others think?


[1] https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <rajan.halade at oracle.com> wrote:
> May I request for your review of this fix to open source the root
> certificates in Oracle's Java SE Root CA program. The fix is to populate
> cacerts keystore with root certificates and add corresponding tests for it
> as per the test plan outlined at JDK-8191711. interoperability tests are
> added against CAs with available test certificates.
> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
> Thanks,
> Rajan

More information about the security-dev mailing list