JDK-8243559 : Remove root certificates with 1024-bit keys
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7,8,11,15,16
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2020-04-24
  • Updated: 2021-05-11
  • Resolved: 2020-11-24
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 7 JDK 8 Other
11.0.12Fixed 7u311Fixed 8u301Fixed openjdk8u302Fixed
Related Reports
CSR :  
Relates :  
Relates :  
Relates :  
Relates :  
Sub Tasks
JDK-8256902 :  
Description
There are 5 roots with 1024-bit keys in the JDK cacerts keystore. Their keystore aliases and Distinguished Names are as follows:

1. thawtepremiumserverca

EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

2. verisignclass2g2ca

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

3. verisignclass3ca

OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

4. verisignclass3g2ca

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

5. verisigntsaca

CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
Comments
Fix Request (OpenJDK 8u): Please approve backporting this to OpenJDK 8u (8u302). The JDK 11 patch applies clean after path shuffeling. VerifyCACerts test passes. This keeps JDKs in sync in terms of provided root certificates. CSR (approved; includes 8u): https://bugs.openjdk.java.net/browse/JDK-8262079
18-03-2021

Fix Request (11u) Should get backported for parity with 11.0.12-oracle. Doesn't apply cleanly. Review thread: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-March/005319.html webrev: http://cr.openjdk.java.net/~mdoerr/8243559_root_ca_11u/webrev.00/ Shared CSR: JDK-8262079
16-03-2021

Fix request (15u) the change applies to 15u very well. CSR is approved. The relevant tests run also as expected.
25-02-2021

Fix request (13u): I'd like to port this fix to 13u, too. Applied almost clean: no merging was necessary, and exception list in the test was not changed (soon-to-be-expired and now removed certificates never have been added there); all relevant tests run as expected.
20-02-2021

Changeset: dbfeb90d Author: Sean Mullan <mullan@openjdk.org> Date: 2020-11-24 18:14:05 +0000 URL: https://github.com/openjdk/jdk/commit/dbfeb90d
24-11-2020