RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

Magnus Ihse Bursie ihse at openjdk.java.net
Fri Oct 15 14:15:52 UTC 2021


On Fri, 15 Oct 2021 14:02:15 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside.
>
> make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 74:
> 
>> 72:                 cert = (X509Certificate) cf.generateCertificate(fis);
>> 73:             }
>> 74:             ks.setCertificateEntry(alias, cert);
> 
> In the previous code, we always used a fixed date (cert's notBefore) for the creation date. Now, it seems it will be always different and based on when it was created. I'm not really sure if this is an issue in practice, but I think it is worth thinking about a bit more - do you have any thoughts on this?

If that means the build will become non-reproducible, then *I* certainly have thoughts about it! ;-)

-------------

PR: https://git.openjdk.java.net/jdk/pull/5948


More information about the security-dev mailing list