Add support for the Java root store
nabla-c0d3 opened this issue
This would require:
- Downloading the latest JRE at http://www.oracle.com/technetwork/java/javase/downloads/index.html
- Parsing the cacerts file in it
An alternative to downloading the full JRE/JDK distribution is parsing the file in the OpenJDK Mercurial repository: http://hg.openjdk.java.net/jdk/jdk/file/tip/src/java.base/share/lib/security/cacerts
This information is derived from:
- JDK enhancement proposal (JEP): http://openjdk.java.net/jeps/319 and
- Jira ticket: https://bugs.openjdk.java.net/browse/JDK-8191486
Please note that OpenJDK and Oracle JDK are two different implementations of the same Java specification. They should be identical. To play it safe, it might make sense to treat Oracle JDK and OpenJDK as having two different CA stores and eventually add support for both of them.
Thanks for the details and I agree that they should be treated separately; the JEP says that
> each CA must sign the Oracle Contributor Agreement (OCA), or an equivalent agreement, to grant Oracle the right to open-source their certificates. [...]. Those that do not sign an agreement will not be included at this time,
Hence the content of the stores will be different for sure.
Implemented in #7
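
The "parsing the cacerts file" step discussed in this thread, sketched as an added example (not code from this project or from #7): it reads the trusted-certificate entries of a JKS keystore and verifies the store's trailing integrity digest before trusting any entry. It assumes the file is in the JKS format with the default `changeit` password; the function names and the sample store are constructed for illustration.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
TRUSTED_CERT_TAG = 2  # tag 1 is a private-key entry, which cacerts should not contain

def keyed_digest(password: str, body: bytes) -> bytes:
    # JKS integrity value: SHA-1(UTF-16BE password || "Mighty Aphrodite" || body)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def parse_jks_trusted_certs(data: bytes, password: str = "changeit") -> dict:
    """Return {alias: SHA-256 hex fingerprint} for each trusted-certificate entry."""
    body, digest = data[:-20], data[-20:]
    if len(data) < 32 or keyed_digest(password, body) != digest:
        raise ValueError("truncated store or integrity digest mismatch")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    pos = 12

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("entry runs past end of store")
        pos += n
        return body[pos - n:pos]

    def take_utf() -> str:  # 2-byte length prefix; aliases are ASCII in practice
        return take(struct.unpack(">H", take(2))[0]).decode("utf-8")

    fingerprints = {}
    for _ in range(count):
        tag = struct.unpack(">I", take(4))[0]
        alias = take_utf()
        take(8)  # creation time, milliseconds since the epoch
        if tag != TRUSTED_CERT_TAG:
            raise ValueError(f"unexpected entry tag {tag} for alias {alias!r}")
        if version == 2 and take_utf() != "X.509":
            raise ValueError(f"unsupported certificate type for alias {alias!r}")
        der = take(struct.unpack(">I", take(4))[0])
        fingerprints[alias] = hashlib.sha256(der).hexdigest()
    return fingerprints

def build_sample_store(entries: dict, password: str = "changeit") -> bytes:
    # Constructed input for the demo: the "certificates" are placeholder bytes, not real DER.
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, der in entries.items():
        name = alias.encode()
        body += struct.pack(">IH", TRUSTED_CERT_TAG, len(name)) + name + struct.pack(">Q", 0)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return body + keyed_digest(password, body)
```

Comparing the resulting fingerprint sets from an Oracle JRE and an OpenJDK build is one way to see where the two stores diverge.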