On 2017-12-05 18:33, Sean Mullan wrote:
On 12/5/17 12:01 PM, Volker Simonis wrote:
Hi Rajan,
'cacerts' is a binary file and I thought we have at least the
convention in the OpenJDK project that we don't want to check in
binary artefacts if possible.
One problem with 'cacerts' being a binary file is that we can not add
a license and copyright to it. Another one is that it is hard to look
inside the file to see what it provides. The biggest problem from my
point of view is however that updates to the file will be opaque.
Wouldn't it make more sense to add the root certificates in plain text
format (e.g. like the Mozilla cacert data [1]) and create the binary
cacert file at build time? This would also make it easy to merge the
OpenJDK built-in root certificates with user/distributor provided
ones. But that's really just a nice side effect. The main reason for
my request is that I'm somehow feeling uncomfortable to maintain a
security-relevant part of the OpenJDK in an opaque, binary blob.
What do others think?
When all is said and done, the certs themselves are binary; we cannot
change that. But I agree having some sort of build mechanism that
imports each cert from a textual representation (which can be
annotated with comments/copyright) to create the binary cacerts
keystore would be nice -- however, I think implementing something like
what Mozilla/NSS is doing is not a trivial project and would put this
JEP in jeopardy for making JDK 10.
I suggest filing an RFE for now.
I agree. It would be nice compiling the binary keystore during the
build. (Even though that, if we're talking serious security issues here,
opens up a new attack vector if the compilation tool used is
compromised.) And I agree that it is not trivial or at all doable for
JDK 10.
There's no explicit prohibition on binary files, it's just as Volker
says, something we try to avoid.
/Magnus
--Sean
Regards,
Volker
[1] https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade
<rajan.hal...@oracle.com> wrote:
May I request your review of this fix to open source the root
certificates in Oracle's Java SE Root CA program. The fix is to populate
cacerts keystore with root certificates and add corresponding tests for it
as per the test plan outlined at JDK-8191711. Interoperability tests are
added against CAs with available test certificates.
Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
Thanks,
Rajan
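
The build step proposed in this thread (root certificates kept as annotated text and compiled into the binary cacerts keystore), sketched as an added example that is not code from the thread or from the OpenJDK build. The class name, the one-certificate-per-`.pem`-file layout, the `#` comment convention and the command-line arguments are assumptions made for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;
import java.util.stream.*;

// Hypothetical usage: java BuildCacerts <dir-of-.pem-files> <output-keystore>
public class BuildCacerts {
    public static void main(String[] args) throws Exception {
        Path srcDir = Paths.get(args[0]);
        Path out = Paths.get(args[1]);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                         // start from an empty keystore

        List<Path> pems;
        try (Stream<Path> s = Files.list(srcDir)) {  // sorted so the manifest order is stable
            pems = s.filter(p -> p.toString().endsWith(".pem"))
                    .sorted().collect(Collectors.toList());
        }
        Set<String> seen = new HashSet<>();
        for (Path pem : pems) {
            // Assumed file layout: '#' comment lines (license, copyright,
            // provenance) followed by exactly one PEM certificate block.
            String b64 = Files.readAllLines(pem, StandardCharsets.US_ASCII).stream()
                    .filter(l -> !l.startsWith("#") && !l.startsWith("-----"))
                    .collect(Collectors.joining());
            byte[] der = Base64.getMimeDecoder().decode(b64);
            X509Certificate cert = (X509Certificate)
                    cf.generateCertificate(new ByteArrayInputStream(der));
            String fp = hex(MessageDigest.getInstance("SHA-256").digest(der));
            if (!seen.add(fp))                       // same cert under two file names
                throw new CertificateException(pem + ": duplicate certificate");
            String alias = pem.getFileName().toString().replaceFirst("\\.pem$", "");
            ks.setCertificateEntry(alias, cert);
            System.out.println(fp + "  " + alias);   // text manifest a reviewer can diff
        }
        try (OutputStream os = Files.newOutputStream(out)) {
            ks.store(os, "changeit".toCharArray());  // conventional cacerts password
        }
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

The printed fingerprint manifest can be compared with `keytool -list -keystore <output-keystore>` output to confirm that the generated keystore contains exactly the certificates present in the text sources.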