JDK-8209506 : Add Google Trust Services GlobalSign root certificates
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 11
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2018-08-14
  • Updated: 2019-05-14
  • Resolved: 2018-08-14
Fix versions:
  • JDK 11: 11 b27 (Fixed)
  • JDK 12: 12 (Fixed)
  • Other: openjdk8u222 (Fixed)
Sub Tasks
JDK-8209512
Description
OpenJDK should contain the same root certificates as commonly available on Linux distros, e.g. on Ubuntu in /etc/ssl/certs/java/cacerts

 $ keytool -v -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit | perl -ne 'print if /^Alias.*globalsign.*r[24]/ ... /^\*/'
Alias name: debian:globalsign_root_ca_-_r2.pem
Creation date: Apr 19, 2015
Entry type: trustedCertEntry

Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
Serial number: 400000000010f8626e60d
Valid from: Fri Dec 15 00:00:00 PST 2006 until: Wed Dec 15 00:00:00 PST 2021
Certificate fingerprints:
	 MD5:  94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30
	 SHA1: 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
	 SHA256: CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E
	 Signature algorithm name: SHA1withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9B E2 07 57 67 1C 1E C0   6A 06 DE 59 B4 9A 2D DF  ...Wg...j..Y..-.
0010: DC 19 86 2E                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.globalsign.net/root-r2.crl]
]]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9B E2 07 57 67 1C 1E C0   6A 06 DE 59 B4 9A 2D DF  ...Wg...j..Y..-.
0010: DC 19 86 2E                                        ....
]
]



*******************************************
Alias name: debian:globalsign_ecc_root_ca_-_r4.pem
Creation date: Feb 24, 2016
Entry type: trustedCertEntry

Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
Serial number: 2a38a41c960a04de42b228a50be8349802
Valid from: Mon Nov 12 16:00:00 PST 2012 until: Mon Jan 18 19:14:07 PST 2038
Certificate fingerprints:
	 MD5:  20:F0:27:68:D1:7E:A0:9D:0E:E6:2A:CA:DF:5C:89:8E
	 SHA1: 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
	 SHA256: BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
	 Signature algorithm name: SHA256withECDSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 54 B0 7B AD 45 B8 E2 40   7F FB 0A 6E FB BE 33 C9  T...E..@...n..3.
0010: 3C A3 84 D5                                        <...
]
]



*******************************************
Comments
Fix Request: Backport to OpenJDK 8 will be resolved with push for JDK-8189131.
02-05-2019

Thanks - I can confirm that Rajan's commit to jdk11 allows java programs to access Google web sites, as demonstrated by:

import java.io.*;
import java.net.*;
import javax.net.ssl.*;

public class GoogleUrlConnect {
    public static void main(String[] args) {
        String[] urls = {
            "https://www.google.com",
            "https://gcr.io",
            "https://us.gcr.io",
            "https://www.googleapis.com",
            "https://ga-dev-tools.appspot.com",
        };
        for (String url : urls) {
            try {
                new URL(url).openStream().close();
                System.out.println("OK: " + url);
            } catch (SSLHandshakeException ex) {
                // This is bad
                System.err.println("ERROR: " + url + ": " + ex.toString());
            } catch (IOException ex) {
                System.out.println("Warning: " + url + ": " + ex.toString());
            }
        }
    }
}
14-08-2018

Late enhancement approved by Project Lead.
This is very late, but it is also very low risk.
14-08-2018

Late Enhancement Request:
Justification: This fix is required to add two Google issued root CAs to OpenJDK cacerts file. The risk is minimal as earlier Oracle JDK shipped with these roots.
Estimate: 15th August 2018
Webrev: http://cr.openjdk.java.net/~rhalade/8209506/webrev.00/
14-08-2018

Rajan, thank you very much for taking this. Google designates including these two certificates in cacerts as being a Contribution under the OCA agreement.
14-08-2018

The Release Note at https://bugs.openjdk.java.net/browse/JDK-8207255 should also be updated after this is fixed.
14-08-2018

Two new root entries will be added to cacerts as part of this fix -
+ globalsigneccrootcar4
  DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
+ globalsignr2ca
  DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
14-08-2018
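
A way to confirm that a given JDK's default trust store contains the two roots named above, without making any network connection. This is an added example, not code from the issue or from OpenJDK; the class name CheckGlobalSignRoots is an assumption, and the SHA-256 fingerprints are the ones shown in the keytool output in the Description.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class name; added example, not part of the original report.
public class CheckGlobalSignRoots {
    public static void main(String[] args) throws Exception {
        // SHA-256 fingerprints from the keytool output in the Description, colons removed.
        Map<String, String> expected = new HashMap<>();
        expected.put("CA42DD41745FD0B81EB902362CF9D8BF719DA1BD1B1EFC946F5B4C99F42C1B9E",
                     "GlobalSign Root CA - R2");
        expected.put("BEC94911C2955676DB6C0A550986D76E3BA005667C442C9762B4FBB773DE228C",
                     "GlobalSign ECC Root CA - R4");

        // A null KeyStore makes the factory load the JDK default trust store
        // (normally lib/security/cacerts unless javax.net.ssl.trustStore is set).
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                // Fingerprint = SHA-256 over the DER encoding of the certificate.
                StringBuilder hex = new StringBuilder();
                for (byte b : sha256.digest(ca.getEncoded())) {
                    hex.append(String.format("%02X", b));
                }
                String name = expected.remove(hex.toString());
                if (name != null) {
                    System.out.println("present: " + name + " (expires " + ca.getNotAfter() + ")");
                }
            }
        }
        // Anything still in the map was not found in the trust store.
        for (String name : expected.values()) {
            System.out.println("MISSING: " + name);
        }
        System.exit(expected.isEmpty() ? 0 : 1);
    }
}
```

Matching on the certificate fingerprint rather than on the alias keeps the check valid across stores that name entries differently, such as the debian:... aliases in the Description versus globalsignr2ca here. The R2 validity shown above ends on Dec 15, 2021, so a trust store maintained after that date may report it as MISSING.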

Per your contributor agreement and as the owner of the certificates we'll work to make these available in OpenJDK under the OpenJDK license (GPLv2+CE). This will then be consistent with Oracle JDK builds whereby we distributed these certs under a commercial agreement.
14-08-2018