nabla-c0d3 / trust_stores_observatory

Continuously monitor and record the content of the major platforms' root certificate stores.


java: add certificates from openjdk 11 (latest release)

adamdecaf opened this issue · comments

#12 mentioned this project uses Oracle's Java 8. Their newer releases require licensing for commercial use, but OpenJDK is free for projects to use.

Apparently Oracle hasn't yet publicly released the Java 11 JRE, only the JDK. This is why the build is currently failing: the Java fetcher picked up an older JRE from Java 8 that differs slightly (in regards to the certificate store). In #12 I adjusted the fetcher to work with that old JRE, but that is not a proper solution.

The OpenJDK store should be added, not replace Oracle's. See also #1.

The CA root certificates in the openjdk repository seem to be bundled in:
http://hg.openjdk.java.net/jdk/jdk/file/tip/src/java.base/share/lib/security/cacerts

The initial JEP, for version 10, was https://bugs.openjdk.java.net/browse/JDK-8191486

Or even better: also check what is actually being distributed to the general public in the downloadable files/installers available at
https://openjdk.java.net/install/

So there would be several versions of the openjdk certificate store:

Earlier releases contained no CA certificates.

But this should be done similarly to the other stores - there are no different versions for the other CA stores. Also, all stores are either downloaded from source code repositories or some online collection, not the actual distribution, except for closed-source Oracle Java (most likely that was the only source available).

I would say the most appropriate would be to use the latest from the HG source repository:
http://hg.openjdk.java.net/jdk/jdk/file/tip/src/java.base/share/lib/security/cacerts

@nabla-c0d3, please confirm.

Implemented fetching of the OpenJDK KeyStore (latest from the Mercurial repository) in PR #14

As expected, the OpenJDK and Oracle Java trust stores are identical at the moment:

$ diff openjdk.yaml oracle_java.yaml
1c1
< platform: OPENJDK
---
> platform: ORACLE_JAVA
3,4c3,4
< url: https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz
< date_fetched: 2018-10-29
---
> url: http://download.oracle.com/otn-pub/java/jdk/11.0.1+13/90cf5d8f270a4347a95050320eef3fb7/jdk-11.0.1_linux-x64_bin.tar.gz
> date_fetched: 2018-10-28

It will be interesting to see how they will diverge.

OpenJDK has already removed 1 trusted certificate in the source repository:
5b02a40#diff-6028046a808fe35873392372c02de44fR85:

- subject_name: GTE CyberTrust Global Root
  fingerprint: a53125188d2110aa964b02c7b7c6da3203170894e5fb71fffb6667d5e6810a36

...because it expired :)
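A line-based `diff` of two store records, as above, also reports the `url` and `date_fetched` lines, so the actual trust change (a root added or removed) can get lost in metadata noise. The following is an added example, not code from the project or from any commenter: it parses the thread's `subject_name` / `fingerprint` YAML layout into a fingerprint-keyed map and reports only removed and added roots; the two store texts are constructed samples, and the `1111…` / `2222…` fingerprints are placeholders, while the GTE CyberTrust entry is the one quoted in the thread.

```python
from typing import Dict, List, Tuple

# Constructed sample records in the thread's YAML layout (metadata header
# followed by a list of subject_name/fingerprint entries). Only the GTE
# CyberTrust fingerprint is real; the others are placeholders.
OLD_STORE = """\
platform: OPENJDK
url: https://example.invalid/old-cacerts
date_fetched: 2018-10-29
certificates:
- subject_name: GTE CyberTrust Global Root
  fingerprint: a53125188d2110aa964b02c7b7c6da3203170894e5fb71fffb6667d5e6810a36
- subject_name: Example Root CA (constructed)
  fingerprint: 1111111111111111111111111111111111111111111111111111111111111111
"""

NEW_STORE = """\
platform: OPENJDK
url: https://example.invalid/new-cacerts
date_fetched: 2018-11-15
certificates:
- subject_name: Example Root CA (constructed)
  fingerprint: 1111111111111111111111111111111111111111111111111111111111111111
- subject_name: Another Example Root (constructed)
  fingerprint: 2222222222222222222222222222222222222222222222222222222222222222
"""


def parse_store(text: str) -> Dict[str, str]:
    """Return {sha256_fingerprint: subject_name} for the entries in a record.

    Handles only the simple '- subject_name:' / 'fingerprint:' layout shown in
    the thread; header lines (platform, url, date_fetched) are skipped so they
    never count as a difference. A malformed fingerprint is rejected rather
    than silently producing a bogus "added"/"removed" entry.
    """
    entries: Dict[str, str] = {}
    subject = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- subject_name:"):
            subject = line.split(":", 1)[1].strip()
        elif line.startswith("fingerprint:") and subject is not None:
            fp = line.split(":", 1)[1].strip().lower()
            if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
                raise ValueError(f"malformed SHA-256 fingerprint: {fp!r}")
            entries[fp] = subject
            subject = None
    return entries


def diff_stores(old: Dict[str, str], new: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (removed, added) subject names, keyed on fingerprint, not on text."""
    removed = sorted(old[fp] for fp in old.keys() - new.keys())
    added = sorted(new[fp] for fp in new.keys() - old.keys())
    return removed, added
```

Run against the two samples it reports the GTE CyberTrust root as removed and the constructed second root as added, with the changed `url` and `date_fetched` lines ignored.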