JDK-8262079

Remove root certificates with 1024-bit keys


    Details

    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      The vast majority of certificates issued by these CAs are now expired, and very few, if any, certificates are still being issued from these roots. It is possible that some signed and timestamped JARs may still be in use (timestamping allows them to be used beyond the code signing certificate's expiration date), but this should not be a risk even for JDK 13, as these are primarily for use cases which are deprecated or not supported in JDK 13, specifically applets and WebStart applications.
    • Interface Kind:
      Other
    • Scope:
      JDK

      Description

      Summary

      Remove root certificates with 1024-bit RSA public keys from the cacerts keystore.

      Problem

      There are 5 root certificates with 1024-bit RSA public keys in the system-wide cacerts keystore. These roots should be removed as the key size is weak.

      Solution

      Remove the following root certificates (keystore alias and Distinguished Name shown below) from the cacerts keystore:

      thawtepremiumserverca [jdk]
      
      EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
      
      verisignclass2g2ca [jdk]
      
      OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
      
      verisignclass3ca [jdk]
      
      OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      
      verisignclass3g2ca [jdk]
      
      OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
      
      verisigntsaca [jdk]
      
      CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

      Specification

      The keystore aliases listed in the Solution section will be removed from the {java.home}/lib/security/cacerts file. Since this file is binary, it is not possible to show a diff. The following files containing the certificates will be deleted from the JDK source code:

      make/data/cacerts/thawtepremiumserverca
      make/data/cacerts/verisignclass2g2ca
      make/data/cacerts/verisignclass3ca
      make/data/cacerts/verisignclass3g2ca
      make/data/cacerts/verisigntsaca
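Because cacerts is binary, the practical way to confirm that a given JDK no longer trusts any root with a short RSA key is to audit the keystore listing. The following shell function is an added example, not part of this CSR or the JDK; it parses the output of `keytool -list -v` (the "Alias name:" and "Subject Public Key Algorithm: N-bit RSA key" lines printed by JDK 9 and later) and reports every entry whose RSA key is below a chosen minimum, so it also finds weak roots other than the five named above. The sample listing embedded below is constructed for the dry run, not captured from a real keystore.

```shell
# Report cacerts entries whose RSA public key is shorter than $1 bits.
# Input: `keytool -list -v` output on stdin. Output: "<alias> <bits>" per weak entry.
weak_rsa_roots() {
  awk -v min="$1" '
    # Remember the alias of the entry currently being described.
    /^Alias name:/ { alias = substr($0, index($0, ":") + 2) }
    # The key line carries the size; awk converts the numeric prefix of "1024-bit ...".
    /^Subject Public Key Algorithm:/ && match($0, /[0-9]+-bit RSA key/) {
      bits = substr($0, RSTART, RLENGTH) + 0
      if (bits < min) print alias, bits
    }'
}

# Constructed, abridged sample of keytool output (not from a real JDK).
sample_listing() {
  cat <<'EOF'
Alias name: verisignclass3ca [jdk]
Entry type: trustedCertEntry

Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 1

*******************************************

Alias name: exampleroot2048 [jdk]
Entry type: trustedCertEntry

Owner: CN=Example Root 2048 (constructed), O=Example, C=US
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

*******************************************

Alias name: exampleecroot [jdk]
Entry type: trustedCertEntry

Owner: CN=Example EC Root (constructed), O=Example, C=US
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC key
Version: 3
EOF
}

# Dry run on the sample; flags only the 1024-bit VeriSign root.
sample_listing | weak_rsa_roots 2048
```

To audit an installed JDK, pipe the real listing in instead: `keytool -list -v -keystore "$JAVA_HOME/lib/security/cacerts" | weak_rsa_roots 2048`.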

              People

              Assignee:
              yan Yuri Nesterenko
              Reporter:
              mullan Sean Mullan
              Reviewed By:
              Christoph Langer