JDK-8193255: Root Certificates should be stored in text format and assembled at build time

Details

  • Introduced In Version: 10
  • Resolved In Build: b24

        Description

"JEP 319: Root Certificates" open-sourced the Oracle JDK Root Certificates and contributed them to the OpenJDK code base. But the certificates have been contributed in a binary format (Java Key Store, JKS) which is not particularly suitable for being maintained in a version control system like Mercurial, for several reasons:

 - we cannot add a license and copyright to it
 - it is hard to look inside the file to see what it provides
 - updates to the file will be opaque (we can only see that the file has been changed)
 - it's strange to maintain a security-relevant part of the OpenJDK in an opaque, binary blob

I'd therefore propose to store the certificates in text format (maybe PEM format (https://raw.githubusercontent.com/curl/curl/master/lib/mk-ca-bundle.pl), or the NSS format used by the Mozilla certdata.txt file (https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt)) and assemble the "cacerts" file at build time from the text representation. The AdoptOpenJDK project has some instructions (https://github.com/AdoptOpenJDK/openjdk-build/tree/master/security) on how they assemble their "cacerts" file from the Mozilla certificates, which are stored in text format.

Storing the OpenJDK certificates in text format would also make it simple to merge them with additional user certificates provided at configuration/build time (i.e. with a configuration option like '--with-additional-certificates').

        This whole topic has been discussed in the following mail thread:

        http://mail.openjdk.java.net/pipermail/security-dev/2017-December/thread.html#16590
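The build-time assembly step proposed above, as an added example that is not part of the issue and not the JDK's own build tooling: a standard-library-only Python script that parses a PEM bundle in the layout produced by curl's mk-ca-bundle.pl, merges any number of such bundles (the JDK set plus, say, a vendor's extra certificates), and writes a JKS trust store with keytool's default password. The alias scheme (lower-cased CA name plus " [jdk]"), the "changeit" password and the sample bundle are assumptions made for the example; the sample's certificate blocks are tiny placeholder DER SEQUENCEs, not real certificates. The JKS byte layout and the SHA-1 integrity digest are those written by sun.security.provider.JavaKeyStore.

```python
"""Assemble a JKS "cacerts" trust store from PEM text, stdlib only.
Added example, not JDK build tooling. Assumptions: mk-ca-bundle.pl input
layout (CA name line, '=' underline, BEGIN/END CERTIFICATE block);
aliases are the lower-cased name + " [jdk]"; password is "changeit"."""

import base64
import hashlib
import struct
import sys
import time

MAGIC = 0xFEEDFEED
VERSION = 2
TRUSTED_CERT_TAG = 2


def parse_pem_bundle(text):
    """Return [(name, der_bytes), ...] for each certificate block in text.
    The nearest preceding line that is not blank, a '#' comment or an
    '=' underline is taken as the CA name of the next block."""
    certs, name, b64 = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            b64 = []
        elif line == "-----END CERTIFICATE-----":
            if b64 is None:
                raise ValueError("END CERTIFICATE without BEGIN")
            der = base64.b64decode("".join(b64), validate=True)
            if not der or der[0] != 0x30:  # X.509 is an outer ASN.1 SEQUENCE
                raise ValueError("block %r is not DER" % name)
            certs.append((name or "cert-%d" % (len(certs) + 1), der))
            name, b64 = None, None
        elif b64 is not None:
            b64.append(line)
        elif line and not line.startswith("#") and set(line) != {"="}:
            name = line
    if b64 is not None:
        raise ValueError("unterminated certificate block")
    return certs


def _utf(s):
    """DataOutputStream.writeUTF: 2-byte length + (modified) UTF-8."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _keyed_sha1(password, body):
    """JKS digest: SHA-1(password as UTF-16BE || 'Mighty Aphrodite' || body)."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(b"Mighty Aphrodite")
    md.update(body)
    return md.digest()


def build_jks(certs, password="changeit", timestamp_ms=None):
    """Serialize (name, der) pairs as JKS trusted-certificate entries.
    A fixed timestamp_ms makes the output reproducible across builds."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    seen = set()
    body = struct.pack(">III", MAGIC, VERSION, len(certs))
    for name, der in certs:
        alias = name.lower() + " [jdk]"
        if alias in seen:  # merged bundles must not silently clobber entries
            raise ValueError("duplicate alias: " + alias)
        seen.add(alias)
        body += struct.pack(">I", TRUSTED_CERT_TAG) + _utf(alias)
        body += struct.pack(">q", timestamp_ms) + _utf("X.509")
        body += struct.pack(">I", len(der)) + der
    return body + _keyed_sha1(password, body)


def read_jks_aliases(blob, password="changeit"):
    """Verify the integrity digest and list aliases of a store built above."""
    body, digest = blob[:-20], blob[-20:]
    if _keyed_sha1(password, body) != digest:
        raise ValueError("keystore was tampered with, or password is wrong")
    magic, version, count = struct.unpack(">III", body[:12])
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a JKS v2 store")
    aliases, off = [], 12
    for _ in range(count):
        tag, = struct.unpack(">I", body[off:off + 4]); off += 4
        if tag != TRUSTED_CERT_TAG:
            raise ValueError("only trusted-certificate entries are supported")
        n, = struct.unpack(">H", body[off:off + 2]); off += 2
        aliases.append(body[off:off + n].decode("utf-8")); off += n + 8  # alias, timestamp
        n, = struct.unpack(">H", body[off:off + 2]); off += 2 + n         # cert type
        n, = struct.unpack(">I", body[off:off + 4]); off += 4 + n         # DER bytes
    return aliases


def assemble(bundle_texts, **kw):
    """Merge several PEM bundles into one JKS blob (fails on alias clashes)."""
    return build_jks([c for t in bundle_texts for c in parse_pem_bundle(t)], **kw)


# Constructed sample in mk-ca-bundle.pl layout; the blocks are placeholder
# SEQUENCE{INTEGER} blobs, not real certificates (keytool would reject them).
SAMPLE_BUNDLE = """\
##
## Constructed sample bundle (placeholder data, not real CA certificates)
##

Example Root CA 1
=================
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----

Example Root CA 2
=================
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # usage: python assemble_cacerts.py out.jks bundle1.pem [bundle2.pem ...]
    if len(sys.argv) < 3:
        print(read_jks_aliases(assemble([SAMPLE_BUNDLE], timestamp_ms=0)))
    else:
        blob = assemble([open(p).read() for p in sys.argv[2:]], timestamp_ms=0)
        with open(sys.argv[1], "wb") as f:
            f.write(blob)
        print("wrote %s: %s" % (sys.argv[1], read_jks_aliases(blob)))
```

Two design points worth noting: the fixed timestamp keeps the generated cacerts byte-identical across rebuilds, so a changed store always corresponds to a changed text source in version control; and duplicate aliases are an error rather than a last-writer-wins merge, so a '--with-additional-certificates' bundle cannot quietly replace one of the JDK's own roots.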


People

  • Assignee: weijun Weijun Wang
  • Reporter: simonis Volker Simonis
  • Votes: 0
  • Watchers: 6