RFR 8189131: Open-source the Oracle JDK Root Certificates


RFR 8189131: Open-source the Oracle JDK Root Certificates

Rajan Halade
May I request for your review of this fix to open source the root certificates in Oracle's Java SE Root CA program. The fix is to populate cacerts keystore with root certificates and add corresponding tests for it as per the test plan outlined at JDK-8191711. Interoperability tests are added against CAs with available test certificates.

Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
JEP: https://bugs.openjdk.java.net/browse/JDK-8191486

Thanks,
Rajan


Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Volker Simonis
Hi Rajan,

great to see this finally happen!

I have just a quick question related to the tests. As far as I can
see, the tests will only succeed if the OpenJDK will be built with the
new open sourced, Oracle root certificates. But what if somebody is
building the OpenJDK with his own set of root certificates (by using
the --with-cacerts-file option)? Do you see any possibility of
restricting these tests only to builds which used the original,
checked in cacerts file?

Regards,
Volker


On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <[hidden email]> wrote:

> May I request for your review of this fix to open source the root
> certificates in Oracle's Java SE Root CA program. The fix is to populate
> cacerts keystore with root certificates and add corresponding tests for it
> as per the test plan outlined at JDK-8191711. Interoperability tests are
> added against CAs with available test certificates.
>
> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>
> Thanks,
> Rajan
>

Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Alan Bateman


On 01/12/2017 17:16, Volker Simonis wrote:

> Hi Rajan,
>
> great to see this finally happen!
>
> I have just a quick question related to the tests. As far as I can
> see, the tests will only succeed if the OpenJDK will be built with the
> new open sourced, Oracle root certificates. But what if somebody is
> building the OpenJDK with his own set of root certificates (by using
> the --with-cacerts-file option)? Do you see any possibility of
> restricting these tests only to builds which used the original,
> checked in cacerts file?
If needed, you could add a keyword (@key tag) on these tests, or any
tests that depend on the OpenJDK cacerts file, so you can control if the
tests are run or not.

-Alan


Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Volker Simonis
On Fri, Dec 1, 2017 at 6:22 PM, Alan Bateman <[hidden email]> wrote:

>
>
> On 01/12/2017 17:16, Volker Simonis wrote:
>>
>> Hi Rajan,
>>
>> great to see this finally happen!
>>
>> I have just a quick question related to the tests. As far as I can
>> see, the tests will only succeed if the OpenJDK will be built with the
>> new open sourced, Oracle root certificates. But what if somebody is
>> building the OpenJDK with his own set of root certificates (by using
>> the --with-cacerts-file option)? Do you see any possibility of
>> restricting these tests only to builds which used the original,
>> checked in cacerts file?
>
> If needed, you could add a keyword (@key tag) on these tests, or any tests
> that depend on the OpenJDK cacerts file, so you can control if the tests are
> run or not.
>

Yes, but as far as I know @key tags are implemented by querying VM
properties. In this case however there's no VM property which
indicates how the VM has been configured. --with-cacerts-file is just
changing the copy rule which copies the cacerts file into the final
image. If we would like to query this information at runtime, we must
save the --with-cacerts-file configuration option in a property. I'm
not sure if that is worth it.

Maybe everybody will use the new Oracle JDK Root Certificates once
they are available? Or maybe we should just make the tests manual
tests which are not automatically executed? I just think if you build
your own version of OpenJDK with --with-cacerts-file and run the JTreg
tests afterwards, it will be confusing to get test errors because of
your trust store.

> -Alan
>

Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Sean Mullan
In reply to this post by Alan Bateman
On 12/1/17 12:22 PM, Alan Bateman wrote:

>
>
> On 01/12/2017 17:16, Volker Simonis wrote:
>> Hi Rajan,
>>
>> great to see this finally happen!
>>
>> I have just a quick question related to the tests. As far as I can
>> see, the tests will only succeed if the OpenJDK will be built with the
>> new open sourced, Oracle root certificates. But what if somebody is
>> building the OpenJDK with his own set of root certificates (by using
>> the --with-cacerts-file option)? Do you see any possibility of
>> restricting these tests only to builds which used the original,
>> checked in cacerts file?
> If needed, you could add a keyword (@key tag) on these tests, or any
> tests that depend on the OpenJDK cacerts file, so you can control if the
> tests are run or not.

Also, the interop tests are not part of any of the 3 tiers, so they
won't be run unless you specifically include the jdk_security_infra group.

So only the VerifyCACerts test would potentially fail by default (it is
part of tier2). If this becomes a big issue, we can follow-up later and
investigate more with some sort of fix, but I don't think this should
hold up the current fix.

Thanks,
Sean


Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Volker Simonis
On Fri, Dec 1, 2017 at 7:09 PM, Sean Mullan <[hidden email]> wrote:

> On 12/1/17 12:22 PM, Alan Bateman wrote:
>>
>>
>>
>> On 01/12/2017 17:16, Volker Simonis wrote:
>>>
>>> Hi Rajan,
>>>
>>> great to see this finally happen!
>>>
>>> I have just a quick question related to the tests. As far as I can
>>> see, the tests will only succeed if the OpenJDK will be built with the
>>> new open sourced, Oracle root certificates. But what if somebody is
>>> building the OpenJDK with his own set of root certificates (by using
>>> the --with-cacerts-file option)? Do you see any possibility of
>>> restricting these tests only to builds which used the original,
>>> checked in cacerts file?
>>
>> If needed, you could add a keyword (@key tag) on these tests, or any tests
>> that depend on the OpenJDK cacerts file, so you can control if the tests are
>> run or not.
>
>
> Also, the interop tests are not part of any of the 3 tiers, so they won't be
> run unless you specifically include the jdk_security_infra group.
>
> So only the VerifyCACerts test would potentially fail by default (it is part
> of tier2). If this becomes a big issue, we can follow-up later and
> investigate more with some sort of fix, but I don't think this should hold
> up the current fix.
>

No, I didn't want to hold up this fix - I'm quite happy to finally see
it in the OpenJDK. I just wanted to point out potential issues but I
agree that we can handle them later, when they become real.

Regards,
Volker

> Thanks,
> Sean
>

Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Alan Bateman
In reply to this post by Volker Simonis


On 01/12/2017 18:05, Volker Simonis wrote:
> :
> Yes, but as far as I know @key tags are implemented by querying VM
> properties. In this case however there's no VM property which
> indicates how the VM has been configured.
jtreg -k allows keyword expressions to be specified. It's one way of
selecting tests to execute.

-Alan

Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Sean Mullan
In reply to this post by Rajan Halade
This fix looks good to me.

Thanks,
Sean

On 12/1/17 11:54 AM, Rajan Halade wrote:

> May I request for your review of this fix to open source the root
> certificates in Oracle's Java SE Root CA program. The fix is to populate
> cacerts keystore with root certificates and add corresponding tests for
> it as per the test plan outlined at JDK-8191711. Interoperability tests
> are added against CAs with available test certificates.
>
> *Webrev*: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
> *JEP*: https://bugs.openjdk.java.net/browse/JDK-8191486
>
> Thanks,
> Rajan
>

Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Rajan Halade
In reply to this post by Volker Simonis
Thanks for your reviews. I have updated webrev -

http://cr.openjdk.java.net/~rhalade/8189131/webrev.01/

I realized an error in my script which missed 7 new root certs listed in
JEP, these are added now.  Update also includes some code enhancements
in VerifyCACerts.java to get rid of unnecessary code as per Jamil's
suggestions.

Thanks,
Rajan

On 12/1/17 10:17 AM, Volker Simonis wrote:

> On Fri, Dec 1, 2017 at 7:09 PM, Sean Mullan <[hidden email]> wrote:
>> On 12/1/17 12:22 PM, Alan Bateman wrote:
>>>
>>>
>>> On 01/12/2017 17:16, Volker Simonis wrote:
>>>> Hi Rajan,
>>>>
>>>> great to see this finally happen!
>>>>
>>>> I have just a quick question related to the tests. As far as I can
>>>> see, the tests will only succeed if the OpenJDK will be built with the
>>>> new open sourced, Oracle root certificates. But what if somebody is
>>>> building the OpenJDK with his own set of root certificates (by using
>>>> the --with-cacerts-file option)? Do you see any possibility of
>>>> restricting these tests only to builds which used the original,
>>>> checked in cacerts file?
>>> If needed, you could add a keyword (@key tag) on these tests, or any tests
>>> that depend on the OpenJDK cacerts file, so you can control if the tests are
>>> run or not.
>>
>> Also, the interop tests are not part of any of the 3 tiers, so they won't be
>> run unless you specifically include the jdk_security_infra group.
>>
>> So only the VerifyCACerts test would potentially fail by default (it is part
>> of tier2). If this becomes a big issue, we can follow-up later and
>> investigate more with some sort of fix, but I don't think this should hold
>> up the current fix.
>>
> No, I didn't want to hold up this fix - I'm quite happy to finally see
> it in the OpenJDK. I just wanted to point out potential issues but I
> agree that we can handle them later, when they become real.
>
> Regards,
> Volker
>
>> Thanks,
>> Sean
>>


Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Rajan Halade
In reply to this post by Sean Mullan
On 12/1/17 10:09 AM, Sean Mullan wrote:
> So only the VerifyCACerts test would potentially fail by default (it
> is part of tier2). If this becomes a big issue, we can follow-up later
> and investigate more with some sort of fix, but I don't think this
> should hold up the current fix.
Would it be acceptable if I change blocks at line 227-231 and 234-239 to
soft-failures? Essentially then this test will only validate a cert if
it is present in keystore. This test is designed to check integrity of
cacerts keystore but if we are to allow test to pass with different
cacerts specified using --with-cacerts-file then it may be acceptable.

Thanks,
Rajan

Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Sean Mullan
On 12/1/17 2:25 PM, Rajan Halade wrote:

> On 12/1/17 10:09 AM, Sean Mullan wrote:
>> So only the VerifyCACerts test would potentially fail by default (it
>> is part of tier2). If this becomes a big issue, we can follow-up later
>> and investigate more with some sort of fix, but I don't think this
>> should hold up the current fix.
> Would it be acceptable if I change blocks at line 227-231 and 234-239 to
> soft-failures? Essentially then this test will only validate a cert if
> it is present in keystore. This test is designed to check integrity of
> cacerts keystore but if we are to allow test to pass with different
> cacerts specified using --with-cacerts-file then it may be acceptable.

I don't think we should do that. This could more easily allow a
non-approved cert to accidentally make its way into the real cacerts
keystore without detection.

We can handle the alternate cacerts keystore issue with a better
solution later, if necessary.

--Sean
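
The trade-off discussed in the two messages above, as an added example that is not part of the thread and is not the JDK's VerifyCACerts test: a trust store is compared against an approved alias-to-fingerprint baseline, once leniently (entries are validated only if present) and once strictly. It assumes JDK 9 or later and the default store at `$JAVA_HOME/lib/security/cacerts`; the class name, the `strict` flag and the constructed baseline are hypothetical.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/** Hypothetical baseline check for a trust store; not the JDK's VerifyCACerts test. */
public class CacertsBaselineCheck {

    /** SHA-256 over the certificate's DER encoding, as upper-case hex. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02X", b));
        }
        return hex.toString();
    }

    /** Maps alias -> fingerprint for every trusted-certificate entry in the store. */
    static TreeMap<String, String> snapshot(KeyStore ks) throws Exception {
        TreeMap<String, String> entries = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                entries.put(alias, fingerprint(ks.getCertificate(alias)));
            }
        }
        return entries;
    }

    /**
     * Lenient mode checks an approved entry only when it is present in the store.
     * Strict mode also reports approved entries that are absent and store entries
     * that are not in the approved baseline.
     */
    static List<String> compare(Map<String, String> approved,
                                Map<String, String> actual, boolean strict) {
        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, String> want : approved.entrySet()) {
            String got = actual.get(want.getKey());
            if (got == null) {
                if (strict) findings.add("MISSING    " + want.getKey());
            } else if (!got.equals(want.getValue())) {
                findings.add("MISMATCH   " + want.getKey());
            }
        }
        if (strict) {
            for (String alias : actual.keySet()) {
                if (!approved.containsKey(alias)) findings.add("UNAPPROVED " + alias);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Default path is an assumption (JDK 9+ layout); pass another store as args[0].
        File store = new File(args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts");
        // A null password loads the entries without the keystore's own integrity
        // check; the per-entry fingerprints are what gets compared here.
        KeyStore ks = KeyStore.getInstance(store, (char[]) null);
        TreeMap<String, String> actual = snapshot(ks);
        if (actual.size() < 2) {
            throw new IllegalStateException("need at least two certificate entries");
        }

        // Constructed baseline, derived from the store itself so the demo runs offline:
        // one alias is dropped (the store then holds an entry nobody approved), one
        // fingerprint is altered, and one approved alias does not exist in the store.
        TreeMap<String, String> approved = new TreeMap<>(actual);
        String unapproved = approved.firstKey();
        approved.remove(unapproved);
        String tampered = approved.lastKey();
        approved.put(tampered, "CONSTRUCTED-FINGERPRINT");
        approved.put("constructed-absent-root", "CONSTRUCTED-FINGERPRINT");

        System.out.println("lenient: " + compare(approved, actual, false));
        System.out.println("strict:  " + compare(approved, actual, true));
    }
}
```

Lenient mode reports only the altered fingerprint, while strict mode also reports the entry missing from the baseline and the approved alias that is absent from the store.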

Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Sean Mullan
In reply to this post by Rajan Halade
On 12/1/17 2:12 PM, Rajan Halade wrote:
> Thanks for your reviews. I have updated webrev -
>
> http://cr.openjdk.java.net/~rhalade/8189131/webrev.01/
>
> I realized an error in my script which missed 7 new root certs listed in
> JEP, these are added now.  Update also includes some code enhancements
> in VerifyCACerts.java to get rid of unnecessary code as per Jamil's
> suggestions.

The updated webrev looks good.

--Sean

Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Magnus Ihse Bursie
In reply to this post by Volker Simonis
On 2017-12-01 18:16, Volker Simonis wrote:

> Hi Rajan,
>
> great to see this finally happen!
>
> I have just a quick question related to the tests. As far as I can
> see, the tests will only succeed if the OpenJDK will be built with the
> new open sourced, Oracle root certificates. But what if somebody is
> building the OpenJDK with his own set of root certificates (by using
> the --with-cacerts-file option)? Do you see any possibility of
> restricting these tests only to builds which used the original,
> checked in cacerts file?

My question is if the --with-cacerts-file option is still relevant after
this? I see a good chance of simplifying some build logic here. :-)

/Magnus

>
> Regards,
> Volker
>
>
> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <[hidden email]> wrote:
>> May I request for your review of this fix to open source the root
>> certificates in Oracle's Java SE Root CA program. The fix is to populate
>> cacerts keystore with root certificates and add corresponding tests for it
>> as per the test plan outlined at JDK-8191711. Interoperability tests are
>> added against CAs with available test certificates.
>>
>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>>
>> Thanks,
>> Rajan
>>


Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Volker Simonis
On Tue, Dec 5, 2017 at 9:19 AM, Magnus Ihse Bursie
<[hidden email]> wrote:

> On 2017-12-01 18:16, Volker Simonis wrote:
>>
>> Hi Rajan,
>>
>> great to see this finally happen!
>>
>> I have just a quick question related to the tests. As far as I can
>> see, the tests will only succeed if the OpenJDK will be built with the
>> new open sourced, Oracle root certificates. But what if somebody is
>> building the OpenJDK with his own set of root certificates (by using
>> the --with-cacerts-file option)? Do you see any possibility of
>> restricting these tests only to builds which used the original,
>> checked in cacerts file?
>
>
> My question is if the --with-cacerts-file option is still relevant after
> this? I see a good chance of simplifying some build logic here. :-)
>

I think the folks from the AdoptOpenJDK project are using this option
(CC-ed adoption-discuss). I'm not sure if they want to drop their root
certificates in favor of the new ones.

In general I think it would be useful to have something like
"--add-cacerts-file" which will merge in additional certificates
although this will most certainly complicate the build logic :)

Regards,
Volker

> /Magnus
>
>
>>
>> Regards,
>> Volker
>>
>>
>> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <[hidden email]>
>> wrote:
>>>
>>> May I request for your review of this fix to open source the root
>>> certificates in Oracle's Java SE Root CA program. The fix is to populate
>>> cacerts keystore with root certificates and add corresponding tests for
>>> it
>>> as per the test plan outlined at JDK-8191711. Interoperability tests are
>>> added against CAs with available test certificates.
>>>
>>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>>>
>>> Thanks,
>>> Rajan
>>>
>

Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Magnus Ihse Bursie
On 2017-12-05 09:44, Volker Simonis wrote:

> On Tue, Dec 5, 2017 at 9:19 AM, Magnus Ihse Bursie
> <[hidden email]> wrote:
>> On 2017-12-01 18:16, Volker Simonis wrote:
>>> Hi Rajan,
>>>
>>> great to see this finally happen!
>>>
>>> I have just a quick question related to the tests. As far as I can
>>> see, the tests will only succeed if the OpenJDK will be built with the
>>> new open sourced, Oracle root certificates. But what if somebody is
>>> building the OpenJDK with his own set of root certificates (by using
>>> the --with-cacerts-file option)? Do you see any possibility of
>>> restricting these tests only to builds which used the original,
>>> checked in cacerts file?
>>
>> My question is if the --with-cacerts-file option is still relevant after
>> this? I see a good chance of simplifying some build logic here. :-)
>>
> I think the folks from the AdoptOpenJDK project are using this option
> (CC-ed adoption-discuss). I'm not sure if they want to drop their root
> certificates in favor of the new ones.
Maybe they can upstream their root certs as well, if it seems prudent?
> In general I think it would be useful to have something like
> "--add-cacerts-file" which will merge in additional certificates
> although this will most certainly complicate the build logic :)
I see your point, but if the idea is that distributors should be able to
supply their own set of root certs (which kind of makes sense, after
all) we should probably keep the current functionality. Otherwise
there's no way to remove a root cert, which is also something you might
want to do (if a CA goes rogue, or whatever).

But then again, I think this borders just on the line where it's
reasonable for configure to provide an option to replace the file. If a
distributor is not satisfied with the contents of a file in OpenJDK,
they are always free to replace it. The normal way to do this is to use
patches that are applied on top of the OpenJDK source distribution. If
you want to have your own ca root store, you would just need a patch
with your own file. Voilà! The only reason this was made an option is
that the OpenJDK distribution didn't include a root store at all by
default, so *all* users needed to provide one for it to be usable. Now
that this changes, the need to have build support to replace it
diminishes greatly.

/Magnus

>
> Regards,
> Volker
>
>> /Magnus
>>
>>
>>> Regards,
>>> Volker
>>>
>>>
>>> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <[hidden email]>
>>> wrote:
>>>> May I request for your review of this fix to open source the root
>>>> certificates in Oracle's Java SE Root CA program. The fix is to populate
>>>> cacerts keystore with root certificates and add corresponding tests for
>>>> it
>>>> as per the test plan outlined at JDK-8191711. Interoperability tests are
>>>> added against CAs with available test certificates.
>>>>
>>>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>>>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>>>>
>>>> Thanks,
>>>> Rajan
>>>>


Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Volker Simonis
On Tue, Dec 5, 2017 at 10:08 AM, Magnus Ihse Bursie
<[hidden email]> wrote:

> On 2017-12-05 09:44, Volker Simonis wrote:
>>
>> On Tue, Dec 5, 2017 at 9:19 AM, Magnus Ihse Bursie
>> <[hidden email]> wrote:
>>>
>>> On 2017-12-01 18:16, Volker Simonis wrote:
>>>>
>>>> Hi Rajan,
>>>>
>>>> great to see this finally happen!
>>>>
>>>> I have just a quick question related to the tests. As far as I can
>>>> see, the tests will only succeed if the OpenJDK will be built with the
>>>> new open sourced, Oracle root certificates. But what if somebody is
>>>> building the OpenJDK with his own set of root certificates (by using
>>>> the --with-cacerts-file option)? Do you see any possibility of
>>>> restricting these tests only to builds which used the original,
>>>> checked in cacerts file?
>>>
>>>
>>> My question is if the --with-cacerts-file option is still relevant after
>>> this? I see a good chance of simplifying some build logic here. :-)
>>>
>> I think the folks from the AdoptOpenJDK project are using this option
>> (CC-ed adoption-discuss). I'm not sure if they want to drop their root
>> certificates in favor of the new ones.
>
> Maybe they can upstream their root certs as well, if it seems prudent?
>>
>> In general I think it would be useful to have something like
>> "--add-cacerts-file" which will merge in additional certificates
>> although this will most certainly complicate the build logic :)
>
> I see your point, but if the idea is that distributors should be able to
> supply their own set of root certs (which kind of makes sense, after all) we
> should probably keep the current functionality. Otherwise there's no way to
> remove a root cert, which is also something you might want to do (if a CA
> goes rogue, or whatever).
>
> But then again, I think this borders just on the line where it's reasonable
> for configure to provide an option to replace the file. If a distributor is
> not satisfied with the contents of a file in OpenJDK, they are always free
> to replace it. The normal way to do this is to use patches that are applied
> on top of the OpenJDK source distribution. If you want to have your own ca
> root store, you would just need a patch with your own file. Voilà! The only

I think the most common case would be that distributors want to add
their certificates to the existing ones? And that's not easily
achievable with a patch because the cacerts file is a binary file. So
you need to call keytool for importing additional certificates. It
would be of course convenient if this could happen as part of the
build process.

> reason this was made an option is that the OpenJDK distribution didn't
> include a root store at all by default, so *all* users needed to provide one
> for it to be usable. Now that this changes, the need to have build support
> to replace it diminishes greatly.
>
> /Magnus
>
>
>>
>> Regards,
>> Volker
>>
>>> /Magnus
>>>
>>>
>>>> Regards,
>>>> Volker
>>>>
>>>>
>>>> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <[hidden email]>
>>>> wrote:
>>>>>
>>>>> May I request for your review of this fix to open source the root
>>>>> certificates in Oracle's Java SE Root CA program. The fix is to
>>>>> populate
>>>>> cacerts keystore with root certificates and add corresponding tests for
>>>>> it
>>>>> as per the test plan outlined at JDK-8191711. Interoperability tests
>>>>> are
>>>>> added against CAs with available test certificates.
>>>>>
>>>>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>>>>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>>>>>
>>>>> Thanks,
>>>>> Rajan
>>>>>
>

Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Magnus Ihse Bursie
On 2017-12-05 10:25, Volker Simonis wrote:

> On Tue, Dec 5, 2017 at 10:08 AM, Magnus Ihse Bursie
> <[hidden email]> wrote:
>> On 2017-12-05 09:44, Volker Simonis wrote:
>>> On Tue, Dec 5, 2017 at 9:19 AM, Magnus Ihse Bursie
>>> <[hidden email]> wrote:
>>>> On 2017-12-01 18:16, Volker Simonis wrote:
>>>>> Hi Rajan,
>>>>>
>>>>> great to see this finally happen!
>>>>>
>>>>> I have just a quick question related to the tests. As far as I can
>>>>> see, the tests will only succeed if the OpenJDK will be built with the
>>>>> new open sourced, Oracle root certificates. But what if somebody is
>>>>> building the OpenJDK with his own set of root certificates (by using
>>>>> the --with-cacerts-file option)? Do you see any possibility of
>>>>> restricting these tests only to builds which used the original,
>>>>> checked in cacerts file?
>>>>
>>>> My question is if the --with-cacerts-file option is still relevant after
>>>> this? I see a good chance of simplifying some build logic here. :-)
>>>>
>>> I think the folks from the AdoptOpenJDK project are using this option
>>> (CC-ed adoption-discuss). I'm not sure if they want to drop their root
>>> certificates in favor of the new ones.
>> Maybe they can upstream their root certs as well, if it seems prudent?
>>> In general I think it would be useful to have something like
>>> "--add-cacerts-file" which will merge in additional certificates
>>> although this will most certainly complicate the build logic :)
>> I see your point, but if the idea is that distributors should be able to
>> supply their own set of root certs (which kind of makes sense, after all) we
>> should probably keep the current functionality. Otherwise there's no way to
>> remove a root cert, which is also something you might want to do (if a CA
>> goes rogue, or whatever).
>>
>> But then again, I think this borders just on the line where it's reasonable
>> for configure to provide an option to replace the file. If a distributor is
>> not satisfied with the contents of a file in OpenJDK, they are always free
>> to replace it. The normal way to do this is to use patches that are applied
>> on top of the OpenJDK source distribution. If you want to have your own ca
>> root store, you would just need a patch with your own file. Voilà! The only
> I think the most common case would be that distributors want to add
> their certificates to the existing ones? And that's not easily
> achievable with a patch because the cacerts file is a binary file. So
> you need to call keytool for importing additional certificates. It
> would be of course convenient if this could happen as part of the
> build process.
If you say.

Let's see if that *really* becomes an issue. In the meantime, I'm always
open for patches from distributors. :)

/Magnus

>
>> reason this was made an option is that the OpenJDK distribution didn't
>> include a root store at all by default, so *all* users needed to provide one
>> for it to be usable. Now that this changes, the need to have build support
>> to replace it diminishes greatly.
>>
>> /Magnus
>>
>>
>>> Regards,
>>> Volker
>>>
>>>> /Magnus
>>>>
>>>>
>>>>> Regards,
>>>>> Volker
>>>>>
>>>>>
>>>>> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <[hidden email]>
>>>>> wrote:
>>>>>> May I request for your review of this fix to open source the root
>>>>>> certificates in Oracle's Java SE Root CA program. The fix is to
>>>>>> populate
>>>>>> cacerts keystore with root certificates and add corresponding tests for
>>>>>> it
>>>>>> as per the test plan outlined at JDK-8191711. Interoperability tests
>>>>>> are
>>>>>> added against CAs with available test certificates.
>>>>>>
>>>>>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>>>>>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>>>>>>
>>>>>> Thanks,
>>>>>> Rajan
>>>>>>


Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

dalibor topic-2
In reply to this post by Magnus Ihse Bursie


On 05.12.2017 10:08, Magnus Ihse Bursie wrote:
>> I think the folks from the AdoptOpenJDK project are using this option
>> (CC-ed adoption-discuss). I'm not sure if they want to drop their root
>> certificates in favor of the new ones.
> Maybe they can upstream their root certs as well, if it seems prudent?

Afaik, pretty much all downstream builds use the Mozilla PKI
certificates. It already has a very active upstream at Mozilla, so
upstreaming it into OpenJDK doesn't make a lot of sense. ;)

> The only reason this was made an option is
> that the OpenJDK distribution didn't include a root store at all by
> default, so *all* users needed to provide one for it to be usable. Now
> that this changes, the need to have build support to replace it
> diminishes greatly.

Fwiw, it can still be easily replaced on installation of a package by a
symbolic link to (or a copy of) the Mozilla root certificates, for
example. So I don't think that it's necessary for the build support to
remain, once this change goes in.

cheers,
dalibor topic


Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Volker Simonis
In reply to this post by Rajan Halade
Hi Rajan,

'cacerts' is a binary file and I thought we have at least the
convention in the OpenJDK project that we don't want to check in
binary artefacts if possible.

One problem with 'cacerts' being a binary file is that we can not add
a license and copyright to it. Another one is that it is hard to look
inside the file to see what it provides. The biggest problem from my
point of view is however that updates to the file will be opaque.

Wouldn't it make more sense to add the root certificates in plain text
format (e.g. like the Mozilla cacert data [1]) and create the binary
cacert file at build time? This would also make it easy to merge the
OpenJDK built-in root certificates with user/distributor provided
ones. But that's really just a nice side effect. The main reason for
my request is that I'm somehow feeling uncomfortable to maintain a
security-relevant part of the OpenJDK in an opaque, binary blob.

What do others think?

Regards,
Volker

[1] https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <[hidden email]> wrote:

> May I request for your review of this fix to open source the root
> certificates in Oracle's Java SE Root CA program. The fix is to populate
> cacerts keystore with root certificates and add corresponding tests for it
> as per the test plan outlined at JDK-8191711. Interoperability tests are
> added against CAs with available test certificates.
>
> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>
> Thanks,
> Rajan
>

Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Sean Mullan
On 12/5/17 12:01 PM, Volker Simonis wrote:

> Hi Rajan,
>
> 'cacerts' is a binary file and I thought we have at least the
> convention in the OpenJDK project that we don't want to check in
> binary artefacts if possible.
>
> One problem with 'cacerts' being a binary file is that we can not add
> a license and copyright to it. Another one is that it is hard to look
> inside the file to see what it provides. The biggest problem from my
> point of view is however that updates to the file will be opaque.
>
> Wouldn't it make more sense to add the root certificates in plain text
> format (e.g. like the Mozilla cacert data [1]) and create the binary
> cacert file at build time? This would also make it easy to merge the
> OpenJDK built-in root certificates with user/distributor provided
> ones. But that's really just a nice side effect. The main reason for
> my request is that I'm somehow feeling uncomfortable to maintain a
> security-relevant part of the OpenJDK in an opaque, binary blob.
>
> What do others think?

When all is said and done, the certs themselves are binary; we cannot
change that. But I agree having some sort of build mechanism that
imports each cert from a textual representation (which can be annotated
with comments/copyright) to create the binary cacerts keystore would be
nice -- however, I think implementing something like what Mozilla/NSS is
doing is not a trivial project and would put this JEP in jeopardy for
making JDK 10.

I suggest filing an RFE for now.

--Sean

>
> Regards,
> Volker
>
> [1] https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
>
> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <[hidden email]> wrote:
>> May I request for your review of this fix to open source the root
>> certificates in Oracle's Java SE Root CA program. The fix is to populate
>> cacerts keystore with root certificates and add corresponding tests for it
>> as per the test plan outlined at JDK-8191711. Interoperability tests are
>> added against CAs with available test certificates.
>>
>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>>
>> Thanks,
>> Rajan
>>