RFR 8189131: Open-source the Oracle JDK Root Certificates
Sean Mullan
sean.mullan at oracle.com
Tue Dec 5 17:33:36 UTC 2017
On 12/5/17 12:01 PM, Volker Simonis wrote:
> Hi Rajan,
>
> 'cacerts' is a binary file and I thought we have at least the
> convention in the OpenJDK project that we don't want to check in
> binary artefact's if possible.
>
> One problem with 'cacerts' being a binary file is that we can not add
> a license and copyright to it. Another one is that it is hard to look
> inside the file to see what it provides. The biggest problem from my
> point of view is however that updates to the file will be opaque.
>
> Wouldn't it make more sense to add the root certificates in plain text
> format (e.g. like the Mozilla cacert data [1]) and create the binary
> cacert file at build time? This would also make it easy to merge the
> OpenJDK built-in root certificates with user/distributor provided
> ones. But that's really just a nice side effect. The main reason for
> my request is that I'm somehow feeling uncomfortable to maintain a
> security-relevant part of the OpenJDK in an opaque, binary blob.
>
> What do others think?
When all is said and done, the certs themselves are binary; we cannot
change that. But I agree having some sort of build mechanism that
imports each cert from a textual representation (which can be annotated
with comments/copyright) to create the binary cacerts keystore would be
nice -- however, I think implementing something like what Mozilla/NSS is
doing is not a trivial project and would put this JEP in jeopardy for
making JDK 10.
I suggest filing an RFE for now.
--Sean
>
> Regards,
> Volker
>
> [1] https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
>
> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <rajan.halade at oracle.com> wrote:
>> May I request for your review of this fix to open source the root
>> certificates in Oracle's Java SE Root CA program. The fix is to populate
>> cacerts keystore with root certificates and add corresponding tests for it
>> as per the test plan outlined at JDK-8191711. interoperability tests are
>> added against CAs with available test certificates.
>>
>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>>
>> Thanks,
>> Rajan
>>
More information about the security-dev
mailing list