On Fri, 15 Oct 2021 14:56:23 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> If that means the build will become non-reproducible, then *I* certainly
>> have thoughts about it! ;-)
>
> The certificate stored in a PKCS12 file has no date associated. Whenever you
> load a keystore, the creation time is set to the load time.
>
> In fact, the `VerifyCACerts.java` maintains a SHA-256 hash of the keystore
> and it will not change unless the certs themselves are changed.
>
> Here are the actual bytes for one certificate entry inside:
>
> 0000:1AD48 [] SEQUENCE
> 0005:0659 [0] SEQUENCE
> 0009:000D [00] OID 1.2.840.113549.1.12.10.1.3 (CertBag)
> 0016:05DB [01] cont [0]
> 001A:05D7 [010] SEQUENCE
> 001E:000C [0100] OID 1.2.840.113549.1.9.22.1 (CertTypeX509)
> 002A:05C7 [0101] cont [0]
> 002E:05C3 [01010] OCTET STRING (1729119956)
>     0000: 30 82 05 BB 30 82 03 A3 A0 03 02 01 02 02 08 57 0...0..........W
>     0010: 0A 11 97 42 C4 E3 CC 30 0D 06 09 2A 86 48 86 F7 ...B...0...*.H..
>     0020: 0D 01 01 0B 05 00 30 6B 31 0B 30 09 06 03 55 04 ......0k1.0...U. (1471 bytes)
> 05F1:006D [02] SET
> 05F3:0053 [020] SEQUENCE
> 05F5:000B [0200] OID 1.2.840.113549.1.9.20 (FriendlyName)
> 0600:0046 [0201] SET
> 0602:0044 [02010] STRING "actalisauthenticationrootca [jdk]"
> 0646:0018 [021] SEQUENCE
> 0648:000E [0210] OID 2.16.840.1.113894.746875.1.1 (ORACLE_TrustedKeyUsage)
> 0656:0008 [0211] SET
> 0658:0006 [02110] OID 2.5.29.37.0 (anyExtendedKeyUsage)

As long as the file content is not date dependent, I'm happy :)

-------------

PR: https://git.openjdk.java.net/jdk/pull/5948
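
The quoted dump can be checked mechanically. The following is an added example, not part of the original message or of the JDK sources: it rebuilds a certificate bag with the layout shown in the dump and walks its DER looking for UTCTime or GeneralizedTime fields outside the certificate bytes. The helper names and the 16-byte stand-in certificate are assumptions made for illustration.

```python
TIME_TAGS = {0x17: "UTCTime", 0x18: "GeneralizedTime"}  # DER universal time types

def tlv(tag, body):
    """Encode one definite-length DER TLV."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def oid(dotted):
    """Encode an OBJECT IDENTIFIER (first two arcs fit one byte, true for all OIDs here)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        septets = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            septets.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(septets))
    return tlv(0x06, bytes(out))

def walk(der, depth=0):
    """Yield (depth, tag, value) per TLV; descend only into constructed types."""
    i = 0
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        yield depth, tag, der[i:i + n]
        if tag & 0x20:
            yield from walk(der[i:i + n], depth + 1)
        i += n

def build_cert_bag(cert_der, alias):
    """Bag laid out as in the dump: CertBag plus FriendlyName and TrustedKeyUsage."""
    cert = tlv(0x30, oid("1.2.840.113549.1.9.22.1") + tlv(0xA0, tlv(0x04, cert_der)))
    name = tlv(0x30, oid("1.2.840.113549.1.9.20") + tlv(0x31, tlv(0x1E, alias.encode("utf-16-be"))))
    usage = tlv(0x30, oid("2.16.840.1.113894.746875.1.1") + tlv(0x31, oid("2.5.29.37.0")))
    return tlv(0x30, oid("1.2.840.113549.1.12.10.1.3") + tlv(0xA0, cert) + tlv(0x31, name + usage))

def time_fields(bag):
    """Time-typed fields in the bag wrapper; the OCTET STRING certificate stays opaque."""
    return [TIME_TAGS[tag] for _, tag, _ in walk(bag) if tag in TIME_TAGS]

# Constructed input: the first 16 certificate bytes from the dump stand in for the full cert.
SAMPLE_CERT = bytes.fromhex("308205bb308203a3a003020102020857")
BAG = build_cert_bag(SAMPLE_CERT, "actalisauthenticationrootca [jdk]")
print(time_fields(BAG))
```

The encoded OIDs and the attribute SET come out at the same lengths the dump lists (000D, 000B, 000E, 006D), and building the bag twice yields identical bytes, which is why a hash over such content stays stable between builds.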