On Fri, 15 Oct 2021 14:12:55 GMT, Magnus Ihse Bursie <i...@openjdk.org> wrote:
>> make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 74:
>>
>>> 72: cert = (X509Certificate) cf.generateCertificate(fis);
>>> 73: }
>>> 74: ks.setCertificateEntry(alias, cert);
>>
>> In the previous code, we always used a fixed date (cert's notBefore) for the creation date. Now, it seems it will be always different and based on when it was created. I'm not really sure if this is an issue in practice, but I think it is worth thinking about a bit more - do you have any thoughts on this?
>
> If that means the build will become non-reproducible, then *I* certainly have thoughts about it! ;-)

The certificate stored in a PKCS12 file has no date associated. Whenever you load a keystore, the creation time is set to the load time. In fact, the `VerifyCACerts.java` maintains a SHA-256 hash of the keystore and it will not change unless the certs themselves are changed.

Here are the actual bytes for one certificate entry inside:

    0000:1AD48 [] SEQUENCE
    0005:0659 [0] SEQUENCE
    0009:000D [00] OID 1.2.840.113549.1.12.10.1.3 (CertBag)
    0016:05DB [01] cont [0]
    001A:05D7 [010] SEQUENCE
    001E:000C [0100] OID 1.2.840.113549.1.9.22.1 (CertTypeX509)
    002A:05C7 [0101] cont [0]
    002E:05C3 [01010] OCTET STRING (1729119956)
    0000: 30 82 05 BB 30 82 03 A3 A0 03 02 01 02 02 08 57 0...0..........W
    0010: 0A 11 97 42 C4 E3 CC 30 0D 06 09 2A 86 48 86 F7 ...B...0...*.H..
    0020: 0D 01 01 0B 05 00 30 6B 31 0B 30 09 06 03 55 04 ......0k1.0...U.
    (1471 bytes)
    05F1:006D [02] SET
    05F3:0053 [020] SEQUENCE
    05F5:000B [0200] OID 1.2.840.113549.1.9.20 (FriendlyName)
    0600:0046 [0201] SET
    0602:0044 [02010] STRING "actalisauthenticationrootca [jdk]"
    0646:0018 [021] SEQUENCE
    0648:000E [0210] OID 2.16.840.1.113894.746875.1.1 (ORACLE_TrustedKeyUsage)
    0656:0008 [0211] SET
    0658:0006 [02110] OID 2.5.29.37.0 (anyExtendedKeyUsage)

-------------

PR: https://git.openjdk.java.net/jdk/pull/5948
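An added illustration of the point made in the reply above (this is not code from the thread or from the JDK): the Python below builds a PKCS12 SafeBag with the same shape as the dump (CertBag, CertTypeX509, FriendlyName, ORACLE_TrustedKeyUsage), walks its DER tags to show that no UTCTime/GeneralizedTime field exists in the entry, and shows the bytes depend only on the alias and the certificate. The certificate bytes (FAKE_CERT) are a constructed stand-in for the 1471-byte certificate.

```python
# Added example (not JDK code): build a PKCS12 CertBag SafeBag shaped like
# the dump above and walk its DER tags to show the entry carries no date.
SEQ, SET, OCTETS, BMP, CTX0 = 0x30, 0x31, 0x04, 0x1E, 0xA0

def der_len(n):  # short form below 0x80, long form otherwise
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def oid(dotted):  # DER OBJECT IDENTIFIER from dotted form
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

# Constructed stand-in for the 1471-byte certificate; real cert DER goes here.
FAKE_CERT = tlv(SEQ, tlv(0x02, b"\x02"))

def cert_safebag(alias, cert_der):
    """SafeBag { CertBag { CertTypeX509, [0] OCTET STRING cert }, attributes SET }."""
    cert_bag = tlv(SEQ, oid("1.2.840.113549.1.9.22.1") + tlv(CTX0, tlv(OCTETS, cert_der)))
    friendly = tlv(SEQ, oid("1.2.840.113549.1.9.20") + tlv(SET, tlv(BMP, alias.encode("utf-16-be"))))
    trusted = tlv(SEQ, oid("2.16.840.1.113894.746875.1.1") + tlv(SET, oid("2.5.29.37.0")))
    return tlv(SEQ, oid("1.2.840.113549.1.12.10.1.3") + tlv(CTX0, cert_bag) + tlv(SET, friendly + trusted))

def walk(der):
    """Yield every DER tag, descending into constructed values only (the cert's own notBefore/notAfter stay inside the primitive OCTET STRING)."""
    pos = 0
    while pos < len(der):
        tag, n, pos = der[pos], der[pos + 1], pos + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(der[pos:pos + k], "big"), pos + k
        yield tag
        if tag & 0x20:  # constructed: recurse into the contents
            yield from walk(der[pos:pos + n])
        pos += n

def has_date_field(der):
    return any(t in (0x17, 0x18) for t in walk(der))  # UTCTime, GeneralizedTime
```

Calling cert_safebag twice with the same alias and certificate yields identical bytes, which is why the SHA-256 in VerifyCACerts.java stays stable across builds.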