RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation [v2]

[Sean Mullan]

On Thu, 2 Dec 2021 12:13:03 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

>> Addition of a configure option --with-cacerts-src='user cacerts folder' to allow developers to specify their own cacerts PEM folder for generation of the cacerts store using the deterministic openjdk GenerateCacerts tool.
>> 
>> Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>
> Andrew Leonard has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:
> 
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>  - Merge branch 'master' of https://github.com/openjdk/jdk into cacertssrc
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>

I don’t have any major concerns with this change, as long as the default cacerts are still the ones that are in the JDK. As an aside, using Mozilla's root certificates might be fine for TLS certificates, but if you need to support code signing certificates you may run into issues with missing CAs as Mozilla's Root program does not support that use case. Also, by overriding the roots included in the JDK, you are taking on the responsibility (which is significant, in my opinion) of ensuring that those roots are trusted and have not been compromised, revoked, have weak keys, etc.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647