Re: RFR 8189131: Open-source the Oracle JDK Root Certificates


Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Magnus Ihse Bursie

On 2017-12-05 18:33, Sean Mullan wrote:

> On 12/5/17 12:01 PM, Volker Simonis wrote:
>> Hi Rajan,
>>
>> 'cacerts' is a binary file and I thought we have at least the
>> convention in the OpenJDK project that we don't want to check in
>> binary artefacts if possible.
>>
>> One problem with 'cacerts' being a binary file is that we can not add
>> a license and copyright to it. Another one is that it is hard to look
>> inside the file to see what it provides. The biggest problem from my
>> point of view is however that updates to the file will be opaque.
>>
>> Wouldn't it make more sense to add the root certificates in plain text
>> format (e.g. like the Mozilla cacert data [1]) and create the binary
>> cacert file at build time? This would also make it easy to merge the
>> OpenJDK built-in root certificates with user/distributor provided
>> ones. But that's really just a nice side effect. The main reason for
>> my request is that I'm somehow feeling uncomfortable to maintain a
>> security-relevant part of the OpenJDK in an opaque, binary blob.
>>
>> What do others think?
>
> When all is said and done, the certs themselves are binary; we cannot
> change that. But I agree having some sort of build mechanism that
> imports each cert from a textual representation (which can be
> annotated with comments/copyright) to create the binary cacerts
> keystore would be nice -- however, I think implementing something like
> what Mozilla/NSS is doing is not a trivial project and would put this
> JEP in jeopardy for making JDK 10.
>
> I suggest filing an RFE for now.
I agree. It would be nice to compile the binary keystore during the
build. (Even though that, if we're talking serious security issues here,
opens up a new attack vector if the compilation tool used is
compromised.) And I agree that it is not trivial or at all doable for
JDK 10.

There's no explicit prohibition on binary files, it's just as Volker
says, something we try to avoid.

/Magnus

>
> --Sean
>
>>
>> Regards,
>> Volker
>>
>> [1]
>> https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
>>
>> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade
>> <[hidden email]> wrote:
>>> May I request your review of this fix to open source the root
>>> certificates in Oracle's Java SE Root CA program. The fix is to
>>> populate the cacerts keystore with root certificates and add
>>> corresponding tests for it as per the test plan outlined at
>>> JDK-8191711. Interoperability tests are added against CAs with
>>> available test certificates.
>>>
>>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>>>
>>> Thanks,
>>> Rajan
>>>


Re: RFR 8189131: Open-source the Oracle JDK Root Certificates

Weijun Wang


> On Dec 8, 2017, at 10:45 PM, Volker Simonis <[hidden email]> wrote:
>
> OK, I've opened the RFR "JDK-8193255: Root Certificates should be
> stored in text format and assembled at build time" for this issue.

In fact, I would recommend we directly release cacerts as a text file containing PEM certificates, for these reasons:

- We are navigating away from JKS because it's not standard

- Certificates in PKCS12 require a password to read

- I see no necessity for protecting cacerts, either for integrity or confidentiality, with a password

- A publicly known password is worse than no password

- Arbitrary comments (outside the -----BEGIN/END CERTIFICATE----- blocks) can be added as attributes

Thanks
Max
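A small parser for the text-format trust store proposed in this thread (PEM certificate blocks with attribute comments outside them, assembled by a build step), added here as an example that is not part of the thread or of OpenJDK. The "# alias:" comment convention, the manifest format and the sample certificate body are assumptions; the body is a constructed minimal DER value, not a real CA certificate.

```python
"""Parse a text-format cacerts bundle (PEM blocks plus '# key: value'
comments) and emit a diff-friendly manifest, so a build can fail loudly on
a truncated, duplicated or non-DER entry instead of silently shipping it."""
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample: the body decodes to a minimal DER SEQUENCE, not a cert.
SAMPLE_BUNDLE = """\
# alias: exampleca [jdk]
# notes: placeholder root
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def parse_bundle(text):
    """Return a list of {alias, attrs, der, sha256} dicts, one per block."""
    entries, seen, attrs, body = [], set(), {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if body is None:                      # outside a PEM block
            if line == BEGIN:
                body = []
            elif line.startswith("#"):        # attribute comment, e.g. "# alias: x"
                m = re.match(r"#\s*(\w+)\s*:\s*(.*)$", line)
                if m:
                    attrs[m.group(1).lower()] = m.group(2).strip()
            elif line:
                raise ValueError(f"line {lineno}: text outside a PEM block")
        elif line == END:                     # close the block and validate it
            der = base64.b64decode("".join(body), validate=True)
            if not der.startswith(b"\x30"):   # X.509 certificates are DER SEQUENCEs
                raise ValueError(f"line {lineno}: body is not DER")
            alias = attrs.get("alias")
            if not alias or alias in seen:
                raise ValueError(f"line {lineno}: missing or duplicate alias")
            seen.add(alias)
            entries.append({"alias": alias, "attrs": attrs, "der": der,
                            "sha256": hashlib.sha256(der).hexdigest()})
            attrs, body = {}, None
        else:
            body.append(line)
    if body is not None:
        raise ValueError("unterminated certificate block")
    return entries


def manifest(entries):
    """One 'alias sha256' line per certificate: reviewable in a plain diff."""
    return "\n".join(f"{e['alias']} {e['sha256']}" for e in entries)
```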