java: add certificates from openjdk 11 (latest release)
adamdecaf opened this issue
#12 mentioned this project uses Oracle's Java 8. Their newer releases require licensing for commercial use, but OpenJDK is free for projects to use.
cc @stefanb
Apparently Oracle hasn't yet publicly released a Java 11 JRE, only the JDK. This is why the build is currently failing: the Java fetcher picked up an older Java 8 JRE whose certificate store differs slightly. In #12 I adjusted the fetcher to work with that old JRE, but that is not a proper solution.
The OpenJDK store should be added, not replace Oracle's. See also #1.
The CA root certificates in the openjdk repository seem to be bundled in:
http://hg.openjdk.java.net/jdk/jdk/file/tip/src/java.base/share/lib/security/cacerts
The initial JEP, for version 10, was https://bugs.openjdk.java.net/browse/JDK-8191486
Or even better: also check what is actually being distributed to the general public in the downloadable files/installers available at
https://openjdk.java.net/install/
So there would be several versions of the openjdk certificate store:
- 10 from https://jdk.java.net/10/
- 11 from https://jdk.java.net/11/ - latest release currently, most relevant
- 12 (early access) from https://jdk.java.net/12/
- Upcoming (tip in hg repository) - simplest
Earlier releases contained no CA certificates.
But this should be done similarly to the other stores - there are no different versions for other CA stores. Also, all stores are either downloaded from source code repositories or from some online collection, not from the actual distribution, except for closed-source Oracle Java (most likely that was the only source available).
I would say the most appropriate would be to use the latest from the HG source repository:
http://hg.openjdk.java.net/jdk/jdk/file/tip/src/java.base/share/lib/security/cacerts
@nabla-c0d3, please confirm.
Implemented fetching of the OpenJDK KeyStore (latest from the Mercurial repository) in PR #14
As expected, OpenJDK and Oracle java trust stores are identical at the moment:
$ diff openjdk.yaml oracle_java.yaml
1c1
< platform: OPENJDK
---
> platform: ORACLE_JAVA
3,4c3,4
< url: https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz
< date_fetched: 2018-10-29
---
> url: http://download.oracle.com/otn-pub/java/jdk/11.0.1+13/90cf5d8f270a4347a95050320eef3fb7/jdk-11.0.1_linux-x64_bin.tar.gz
> date_fetched: 2018-10-28
It will be interesting to see how they will diverge.
OpenJDK has already removed 1 trusted certificate in the source repository:
5b02a40#diff-6028046a808fe35873392372c02de44fR85:
- subject_name: GTE CyberTrust Global Root
  fingerprint: a53125188d2110aa964b02c7b7c6da3203170894e5fb71fffb6667d5e6810a36
...because it expired :)
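The thread compares the OpenJDK and Oracle store snapshots with a plain `diff` and then reports a single removed root by subject name and SHA-256 fingerprint. The script below is an added example (not part of the issue thread or the project's own code) of doing that comparison by fingerprint rather than by line or by subject name, so that a re-issued root with the same subject but a new key shows up as "reissued" instead of as an unrelated add/remove pair. It assumes the store layout visible in the thread (`- subject_name:` / `fingerprint:` entries, the fingerprint being SHA-256 over the DER certificate in lowercase hex) and parses only that subset so it runs without PyYAML. The two sample stores are constructed for illustration; the only real value in them is the GTE CyberTrust fingerprint quoted above.

```python
"""Diff two trust-store snapshots by certificate fingerprint.

Added example, not the project's own code. Assumes entries of the form
    - subject_name: <name>
      fingerprint: <64 lowercase hex chars, SHA-256 of the DER certificate>
as shown in the issue thread. Only that subset of YAML is parsed here.
"""
import hashlib
import re
from typing import Dict, List

HEX64 = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample stores (not real snapshots). OLD and NEW share Root CA 1,
# disagree on the fingerprint of Root CA 2 (a re-issued root), NEW drops the
# expired GTE root and gains Root CA 4.
STORE_OLD = """\
platform: OPENJDK
version: sample
trusted_certificates:
- subject_name: Example Root CA 1
  fingerprint: 1111111111111111111111111111111111111111111111111111111111111111
- subject_name: Example Root CA 2
  fingerprint: 2222222222222222222222222222222222222222222222222222222222222222
- subject_name: GTE CyberTrust Global Root
  fingerprint: a53125188d2110aa964b02c7b7c6da3203170894e5fb71fffb6667d5e6810a36
"""

STORE_NEW = """\
platform: OPENJDK
version: sample
trusted_certificates:
- subject_name: Example Root CA 1
  fingerprint: 1111111111111111111111111111111111111111111111111111111111111111
- subject_name: Example Root CA 2
  fingerprint: 3333333333333333333333333333333333333333333333333333333333333333
- subject_name: Example Root CA 4
  fingerprint: 4444444444444444444444444444444444444444444444444444444444444444
"""


def sha256_fingerprint(der_bytes: bytes) -> str:
    """Fingerprint in the form the stores use: SHA-256 over the DER encoding, lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_store(text: str) -> Dict[str, str]:
    """Return {fingerprint: subject_name} for the entries in a store snapshot.

    Keyed by fingerprint, not subject name: a re-issued root keeps its name but
    changes its key. A malformed fingerprint raises instead of being skipped, so a
    broken snapshot cannot make the diff look cleaner than it is.
    """
    certs: Dict[str, str] = {}
    subject = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- subject_name:"):
            subject = line.split(":", 1)[1].strip()
        elif line.startswith("fingerprint:"):
            fp = line.split(":", 1)[1].strip().lower()
            if subject is None or not HEX64.match(fp):
                raise ValueError(f"malformed entry: {raw!r}")
            certs[fp] = subject
            subject = None
    return certs


def diff_stores(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify roots as removed, added, or re-issued (same subject, new fingerprint)."""
    removed = {fp: old[fp] for fp in old.keys() - new.keys()}
    added = {fp: new[fp] for fp in new.keys() - old.keys()}
    reissued = sorted(set(removed.values()) & set(added.values()))
    return {
        "removed": sorted(f"{name} {fp}" for fp, name in removed.items() if name not in reissued),
        "added": sorted(f"{name} {fp}" for fp, name in added.items() if name not in reissued),
        "reissued": reissued,
    }


if __name__ == "__main__":
    for kind, entries in diff_stores(parse_store(STORE_OLD), parse_store(STORE_NEW)).items():
        for entry in entries:
            print(f"{kind}: {entry}")
```

Running it on the two constructed stores reports the GTE root as removed, Root CA 4 as added and Root CA 2 as re-issued; a subject-name diff would have shown no change for Root CA 2 at all, which is the case worth catching when tracking how the OpenJDK and Oracle stores drift apart.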