Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 [v2]

2021-10-19 Thread Weijun Wang
On Tue, 19 Oct 2021 18:49:11 GMT, Sean Mullan  wrote:

>> Weijun Wang has updated the pull request incrementally with one additional 
>> commit since the last revision:
>> 
>>   use a standard name
>
> make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 54:
> 
>> 52: public static void store(String dir, OutputStream stream) throws 
>> Exception {
>> 53: 
>> 54: CertificateFactory cf = CertificateFactory.getInstance("X509");
> 
> Nit: better to use the standard name here: "X.509".

OK.

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 [v2]

2021-10-19 Thread Sean Mullan
On Tue, 19 Oct 2021 19:48:23 GMT, Weijun Wang  wrote:

>> The cacerts file is now a password-less PKCS12 file. This makes sure old code 
>> that uses a JKS KeyStore object can continuously load it using a null 
>> password (in fact, any password) and see all certificates inside.
>
> Weijun Wang has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   use a standard name

Marked as reviewed by mullan (Reviewer).

make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 54:

> 52: public static void store(String dir, OutputStream stream) throws 
> Exception {
> 53: 
> 54: CertificateFactory cf = CertificateFactory.getInstance("X509");

Nit: better to use the standard name here: "X.509".

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 [v2]

2021-10-19 Thread Weijun Wang
> The cacerts file is now a password-less PKCS12 file. This makes sure old code 
> that uses a JKS KeyStore object can continuously load it using a null 
> password (in fact, any password) and see all certificates inside.

Weijun Wang has updated the pull request incrementally with one additional 
commit since the last revision:

  use a standard name

-

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/5948/files
  - new: https://git.openjdk.java.net/jdk/pull/5948/files/0ee2c53c..285ed1b3

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk=5948=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk=5948=00-01

  Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk/pull/5948.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/5948/head:pull/5948

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-18 Thread Magnus Ihse Bursie
On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang  wrote:

> The cacerts file is now a password-less PKCS12 file. This makes sure old code 
> that uses a JKS KeyStore object can continuously load it using a null 
> password (in fact, any password) and see all certificates inside.

Marked as reviewed by ihse (Reviewer).

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-18 Thread Magnus Ihse Bursie
On Fri, 15 Oct 2021 14:56:23 GMT, Weijun Wang  wrote:

>> If that means the build will become non-reproducible, then *I* certainly 
>> have thoughts about it! ;-)
>
> The certificate stored in a PKCS12 file has no date associated. Whenever you 
> load a keystore, the creation time is set to the load time.
> 
> In fact, the `VerifyCACerts.java` maintains a SHA-256 hash of the keystore 
> and it will not change unless the certs themselves are changed.
> 
> Here are the actual bytes for one certificate entry inside:
> 
> :1AD48  [] SEQUENCE
> 0005:0659  [0] SEQUENCE
> 0009:000D  [00] OID 1.2.840.113549.1.12.10.1.3 (CertBag)
> 0016:05DB  [01] cont [0]
> 001A:05D7  [010] SEQUENCE
> 001E:000C  [0100] OID 1.2.840.113549.1.9.22.1 (CertTypeX509)
> 002A:05C7  [0101] cont [0]
> 002E:05C3  [01010] OCTET STRING  (1729119956)
>   : 30 82 05 BB 30 82 03 A3   A0 03 02 01 02 02 08 57  0...0..W
>   0010: 0A 11 97 42 C4 E3 CC 30   0D 06 09 2A 86 48 86 F7  ...B...0...*.H..
>   0020: 0D 01 01 0B 05 00 30 6B   31 0B 30 09 06 03 55 04  ..0k1.0...U. (1471 bytes)
> 05F1:006D  [02] SET
> 05F3:0053  [020] SEQUENCE
> 05F5:000B  [0200] OID 1.2.840.113549.1.9.20 (FriendlyName)
> 0600:0046  [0201] SET
> 0602:0044  [02010] STRING "actalisauthenticationrootca [jdk]"
> 0646:0018  [021] SEQUENCE
> 0648:000E  [0210] OID 2.16.840.1.113894.746875.1.1 (ORACLE_TrustedKeyUsage)
> 0656:0008  [0211] SET
> 0658:0006  [02110] OID 2.5.29.37.0 (anyExtendedKeyUsage)

As long as the file content is not date dependent, I'm happy :)

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-15 Thread Weijun Wang
On Fri, 15 Oct 2021 14:12:55 GMT, Magnus Ihse Bursie  wrote:

>> make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 
>> 74:
>> 
>>> 72: cert = (X509Certificate) cf.generateCertificate(fis);
>>> 73: }
>>> 74: ks.setCertificateEntry(alias, cert);
>> 
>> In the previous code, we always used a fixed date (cert's notBefore) for the 
>> creation date. Now, it seems it will be always different and based on when 
>> it was created. I'm not really sure if this is an issue in practice, but I 
>> think it is worth thinking about a bit more - do you have any thoughts on 
>> this?
>
> If that means the build will become non-reproducible, then *I* certainly have 
> thoughts about it! ;-)

The certificate stored in a PKCS12 file has no date associated. Whenever you 
load a keystore, the creation time is set to the load time.

In fact, the `VerifyCACerts.java` maintains a SHA-256 hash of the keystore and 
it will not change unless the certs themselves are changed.

Here are the actual bytes for one certificate entry inside:

:1AD48  [] SEQUENCE
0005:0659  [0] SEQUENCE
0009:000D  [00] OID 1.2.840.113549.1.12.10.1.3 (CertBag)
0016:05DB  [01] cont [0]
001A:05D7  [010] SEQUENCE
001E:000C  [0100] OID 1.2.840.113549.1.9.22.1 (CertTypeX509)
002A:05C7  [0101] cont [0]
002E:05C3  [01010] OCTET STRING  (1729119956)
  : 30 82 05 BB 30 82 03 A3   A0 03 02 01 02 02 08 57  0...0..W
  0010: 0A 11 97 42 C4 E3 CC 30   0D 06 09 2A 86 48 86 F7  ...B...0...*.H..
  0020: 0D 01 01 0B 05 00 30 6B   31 0B 30 09 06 03 55 04  ..0k1.0...U. (1471 bytes)
05F1:006D  [02] SET
05F3:0053  [020] SEQUENCE
05F5:000B  [0200] OID 1.2.840.113549.1.9.20 (FriendlyName)
0600:0046  [0201] SET
0602:0044  [02010] STRING "actalisauthenticationrootca [jdk]"
0646:0018  [021] SEQUENCE
0648:000E  [0210] OID 2.16.840.1.113894.746875.1.1 (ORACLE_TrustedKeyUsage)
0656:0008  [0211] SET
0658:0006  [02110] OID 2.5.29.37.0 (anyExtendedKeyUsage)

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-15 Thread Magnus Ihse Bursie
On Fri, 15 Oct 2021 14:02:15 GMT, Sean Mullan  wrote:

>> The cacerts file is now a password-less PKCS12 file. This makes sure old code 
>> that uses a JKS KeyStore object can continuously load it using a null 
>> password (in fact, any password) and see all certificates inside.
>
> make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 74:
> 
>> 72: cert = (X509Certificate) cf.generateCertificate(fis);
>> 73: }
>> 74: ks.setCertificateEntry(alias, cert);
> 
> In the previous code, we always used a fixed date (cert's notBefore) for the 
> creation date. Now, it seems it will be always different and based on when it 
> was created. I'm not really sure if this is an issue in practice, but I think 
> it is worth thinking about a bit more - do you have any thoughts on this?

If that means the build will become non-reproducible, then *I* certainly have 
thoughts about it! ;-)

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-15 Thread Sean Mullan
On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang  wrote:

> The cacerts file is now a password-less PKCS12 file. This makes sure old code 
> that uses a JKS KeyStore object can continuously load it using a null 
> password (in fact, any password) and see all certificates inside.

make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 74:

> 72: cert = (X509Certificate) cf.generateCertificate(fis);
> 73: }
> 74: ks.setCertificateEntry(alias, cert);

In the previous code, we always used a fixed date (cert's notBefore) for the 
creation date. Now, it seems it will be always different and based on when it 
was created. I'm not really sure if this is an issue in practice, but I think 
it is worth thinking about a bit more - do you have any thoughts on this?

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-14 Thread Weijun Wang
On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang  wrote:

> The cacerts file is now a password-less PKCS12 file. This makes sure old code 
> that uses a JKS KeyStore object can continuously load it using a null 
> password (in fact, any password) and see all certificates inside.

For password-less pkcs12, JDK-8231107 is more relevant. JDK-8274913 still has 
MacData, which is quite useless for cacerts, and leaving a well-known password 
there is awkward.

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-14 Thread Michael Osipov
On Thu, 14 Oct 2021 20:02:32 GMT, Weijun Wang  wrote:

> 
> 
> For password-less pkcs12, JDK-8231107 is more relevant. JDK-8274913 still has 
> MacData, which is quite useless for cacerts, and leaving a well-known 
> password there is awkward.

Agree, makes sense.

BTW: https://github.com/ctron/pem-keystore#reading-a-ca-bundle

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-14 Thread Michael Osipov
On Thu, 14 Oct 2021 19:50:33 GMT, Weijun Wang  wrote:

> 
> 
> No, this PR is totally independent. Once a password-less pkcs12 file is 
> generated, it can be read by any JDK since JDK 7u with a null password and 
> the certs are visible. The other 2 tickets are all about storing, storing 
> with a null password, storing with a default algorithm.
> 
> I've made JDK-8274913 public. It's just an idea and not proposed to any 
> release.

OK, now I see. This makes sense now. Storing is a different and as I see in 
your code somewhere `NONE` needs to be provided and it is not obvious 
apparently. Storing will remain a pain in all JDK versions unless JDK-8274913 
is implemented which will solve JDK-8231107.

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-14 Thread Weijun Wang
On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang  wrote:

> The cacerts file is now a password-less PKCS12 file. This makes sure old code 
> that uses a JKS KeyStore object can continuously load it using a null 
> password (in fact, any password) and see all certificates inside.

No, this PR is totally independent. Once a password-less pkcs12 file is 
generated, it can be read by any JDK since JDK 7u with a null password and the 
certs are visible. The other 2 tickets are all about storing, storing with a 
null password, storing with a default algorithm.

I've made JDK-8274913 public. It's just an idea and not proposed to any release.

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-14 Thread Michael Osipov
On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang  wrote:

> The cacerts file is now a password-less PKCS12 file. This makes sure old code 
> that uses a JKS KeyStore object can continuously load it using a null 
> password (in fact, any password) and see all certificates inside.

Let me summarize/rephrase your last message: The trick in the Makefile and the 
changed Java code (same way as I do in my code) produce a password-less 
truststore. Now since JDK-8231107 depicts that loading with a null password 
does not work the same way as with JKS this means that JDK-8231107 must also be 
applied to all supported JDK versions to make the output of this PR usable. 
Doesn't it? Note: JDK-8274913 is not publicly available and I don't have a 
JBS account also I do report issues with Apache projects to Rory O'Donnell 
sometimes.

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-14 Thread Weijun Wang
On Thu, 14 Oct 2021 19:07:55 GMT, Michael Osipov  wrote:

> Generating this trust store with Java code like I do?

What do you mean "like you do"? If you accept the proposed format in this PR, 
then just follow what `GenerateCACerts.java` is doing and how it's called. If 
you are thinking about reading the openssl trust store, that's not what this PR 
is for. This PR intends to find a modern format that is 100% interoperable with 
older JDK releases.

As for the other two tickets, they are related. If JDK-8231107 is resolved, 
then there's no need to set the 2 system properties. JDK-8194702 is not fixable 
because the certificates are already encrypted. Instead, 
https://bugs.openjdk.java.net/browse/JDK-8274913 was proposed, but only newly 
generated keystores after it will get the benefit.

Still, this PR does not depend on the other two tickets. This PR is about one 
single keystore -- cacerts -- which can be treated special.

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-14 Thread Michael Osipov
On Thu, 14 Oct 2021 17:31:26 GMT, Weijun Wang  wrote:

> 
> 
> If you look into the code change for `make/ToolsJdk.gmk`, you can see 2 
> system properties used while generating the new cacerts file. With them, the 
> new file becomes password-less.

This I have seen, but what about:
* Generating this trust store with Java code like I do?
* Will this solve the two mentioned tickets?

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-14 Thread Weijun Wang
On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang  wrote:

> The cacerts file is now a password-less PKCS12 file. This makes sure old code 
> that uses a JKS KeyStore object can continuously load it using a null 
> password (in fact, any password) and see all certificates inside.

If you look into the code change for `make/ToolsJdk.gmk`, you can see 2 system 
properties used while generating the new cacerts file. With them, the new file 
becomes password-less.

-

PR: https://git.openjdk.java.net/jdk/pull/5948
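
Added example (not code from the PR or from any participant in this thread): it generates a password-less PKCS12 trust store using two system properties, reloads it with a null and with an arbitrary password, and builds it twice to show the bytes are not date dependent. Assumptions: JDK 12 or later; the property names `keystore.pkcs12.certProtectionAlgorithm` and `keystore.pkcs12.macAlgorithm` come from the JDK's `java.security` file, not from this thread; the sample certificates are read from the running JDK's own cacerts with the conventional default password; the class name is hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.*;

public class PasswordlessPkcs12Demo {
    // Store the certificates as PKCS12. With both algorithms set to NONE the
    // output has no encrypted cert bags and no MacData.
    static byte[] build(Map<String, Certificate> certs) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        for (Map.Entry<String, Certificate> e : certs.entrySet()) {
            ks.setCertificateEntry(e.getKey(), e.getValue());
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, new char[0]); // password unused: nothing to encrypt or MAC
        return out.toByteArray();
    }

    // Reload the bytes and report how many entries are visible with this password.
    static int visibleEntries(byte[] p12, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(p12), password);
        return ks.size();
    }

    static String sha256(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        return String.format("%064x", new BigInteger(1, digest));
    }

    public static void main(String[] args) throws Exception {
        // Assumed property names (from the JDK's java.security file, not this thread).
        System.setProperty("keystore.pkcs12.certProtectionAlgorithm", "NONE");
        System.setProperty("keystore.pkcs12.macAlgorithm", "NONE");
        // Sample input: three certificates from the running JDK's own cacerts.
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore src = KeyStore.getInstance(cacerts, "changeit".toCharArray());
        Map<String, Certificate> certs = new TreeMap<>();
        for (String alias : new TreeSet<>(Collections.list(src.aliases()))) {
            if (certs.size() < 3) certs.put(alias, src.getCertificate(alias));
        }
        byte[] first = build(certs), second = build(certs);
        System.out.println("entries, null password:      " + visibleEntries(first, null));
        System.out.println("entries, arbitrary password: " + visibleEntries(first, "anything".toCharArray()));
        System.out.println("SHA-256 first:  " + sha256(first));
        System.out.println("SHA-256 second: " + sha256(second));
    }
}
```

Removing either `System.setProperty` line and rerunning shows the difference: the certificate bags are then encrypted or a MacData is written, and the null-password load no longer behaves the same way.
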


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-14 Thread Michael Osipov
On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang  wrote:

> The cacerts file is now a password-less PKCS12 file. This makes sure old code 
> that uses a JKS KeyStore object can continuously load it using a null 
> password (in fact, any password) and see all certificates inside.

I don't understand how this can work at all. I wrote a custom `CertDownloader` 
for our company use where I wanted to migrate to PKCS#12. Suddenly all of my 
applications started to fail on OpenJDK8u until I have figured out that PKCS#12 
was not designed to be passwordless and due to the missing encryption the 
trusted CA aren't visible. This bug is known as:
* https://bugs.openjdk.java.net/browse/JDK-8231107
* https://bugs.openjdk.java.net/browse/JDK-8194702

I had to revert to JKS for now. Unless those drizzle down to 8u, 11u, 17u this 
is going to be hard.

I still would love to see a trust store (not key store) which either reads 
OpenSSL's [`CAfile` or 
`CApath`](https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_load_verify_locations.html).
 This would greatly improve compat between Java and the OS default store on many 
OS, e.g., Debian, FreeBSD, RHEL, etc.

-

PR: https://git.openjdk.java.net/jdk/pull/5948


Re: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12

2021-10-14 Thread Erik Joelsson
On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang  wrote:

> The cacerts file is now a password-less PKCS12 file. This makes sure old code 
> that uses a JKS KeyStore object can continuously load it using a null 
> password (in fact, any password) and see all certificates inside.

Build change looks good.

-

Marked as reviewed by erikj (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/5948