JDK-8233223 : Add Amazon Root CA certificates
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-10-30
  • Updated: 2021-04-13
  • Resolved: 2019-11-28
Backports (release in which the fix is available):
  • JDK 11: 11.0.6 (Fixed)
  • JDK 7: 7u251 (Fixed)
  • JDK 8: 8u241 (Fixed)
  • Other: openjdk8u242 (Fixed)
Sub Tasks: JDK-8234774
Request to include the following 4 Amazon root CAs in the existing root program.

Certificate #1 Details
Certificate Name: Amazon Root CA 1
Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA1.cer
Version: X.509 v3
SHA1 Fingerprint: 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
Public key length (for RSA, modulus length) in bits: 2048
Valid From: 2015-05-26
Valid To: 2038-01-17
CRL HTTP URL: http://crl.rootca1.amazontrust.com/rootca1.crl
OCSP URL: http://ocsp.rootca1.amazontrust.com/

Certificate #2 Details
Certificate Name: Amazon Root CA 2
Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA2.cer
Version: X.509 v3
SHA1 Fingerprint: 5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A
Public key length (for RSA, modulus length) in bits: 4096
Valid From: 2015-05-26
Valid To: 2040-05-26
CRL HTTP URL: http://crl.rootca2.amazontrust.com/rootca2.crl
OCSP URL: http://ocsp.rootca2.amazontrust.com/

Certificate #3 Details
Certificate Name: Amazon Root CA 3
Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA3.cer
Version: X.509 v3
SHA1 Fingerprint: 0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E
Public key length (for RSA, modulus length) in bits: 256
Valid From: 2015-05-26
Valid To: 2040-05-26
CRL HTTP URL: http://crl.rootca3.amazontrust.com/rootca3.crl
OCSP URL: http://ocsp.rootca3.amazontrust.com/

Certificate #4 Details
Certificate Name: Amazon Root CA 4
Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA4.cer
Version: X.509 v3
SHA1 Fingerprint: F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE
Public key length (for RSA, modulus length) in bits: 384
Valid From: 2015-05-26
Valid To: 2040-05-26
CRL HTTP URL: http://crl.rootca4.amazontrust.com/rootca4.crl
OCSP URL: http://ocsp.rootca4.amazontrust.com/

Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
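A practical way to confirm that a given JDK build actually ships these four roots is to load the runtime's default trust store and compare the SHA-1 fingerprint of every trust anchor against the values listed above. The following program is an added example written for this page; it is not part of the JDK-8233223 change, nor the JDK's own sun/security/lib/cacerts/VerifyCACerts.java test. The class name AmazonRootCheck is an assumption; the fingerprints are the four listed in the issue. It matches on the DER-encoded certificate hash rather than on the subject name, so a differently keyed certificate with the same name is not mistaken for the expected root.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringJoiner;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (hypothetical class name): verifies that the JDK's default
 * trust store contains the four Amazon roots added by JDK-8233223, identified
 * by the SHA-1 fingerprints listed in the issue.
 */
public class AmazonRootCheck {

    // SHA-1 fingerprints of the DER-encoded certificates, as listed in JDK-8233223.
    static final Map<String, String> EXPECTED = new LinkedHashMap<>();
    static {
        EXPECTED.put("Amazon Root CA 1", "8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16");
        EXPECTED.put("Amazon Root CA 2", "5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A");
        EXPECTED.put("Amazon Root CA 3", "0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E");
        EXPECTED.put("Amazon Root CA 4", "F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE");
    }

    /** Colon-separated, upper-case SHA-1 fingerprint of the certificate's DER encoding. */
    static String sha1Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringJoiner joiner = new StringJoiner(":");
        for (byte b : digest) {
            joiner.add(String.format("%02X", b));
        }
        return joiner.toString();
    }

    /**
     * Trust anchors of the JDK default trust store. Initialising the factory with a
     * null KeyStore makes JSSE load javax.net.ssl.trustStore if set, otherwise
     * jssecacerts/cacerts under lib/security (jre/lib/security on JDK 8).
     */
    static X509Certificate[] defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    /** Names of expected roots that are absent, or present with a different fingerprint. */
    static List<String> missingRoots(X509Certificate[] anchors) throws Exception {
        Set<String> present = new HashSet<>();
        for (X509Certificate anchor : anchors) {
            present.add(sha1Fingerprint(anchor));
        }
        List<String> missing = new ArrayList<>();
        for (Map.Entry<String, String> entry : EXPECTED.entrySet()) {
            if (!present.contains(entry.getValue())) {
                missing.add(entry.getKey());
            }
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        List<String> missing = missingRoots(defaultTrustAnchors());
        if (missing.isEmpty()) {
            System.out.println("All four Amazon roots are present in the default trust store.");
        } else {
            System.out.println("Amazon roots missing from the default trust store: " + missing);
            System.exit(1);
        }
    }
}
```

Run it with the JDK under test (`java AmazonRootCheck`); a non-zero exit means at least one of the four roots is not in that runtime's trust store, which is what you would expect on an 8u build earlier than 8u241 or an 11u build earlier than 11.0.6. Because the factory is initialised with a null KeyStore, a deployment that overrides the trust store with -Djavax.net.ssl.trustStore is checked against that override rather than against the bundled cacerts, which is usually what you want to know.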
Fix Request (8u): Needed for merge with 8u242. Patch applies cleanly now that JDK-8193255 & JDK-8225392 are in place.

Approving binary blob backport for 8u242. Source backport should go to 8u252 following integration of JDK-8193255.

Fix Request (OpenJDK 8u): Please approve backporting this to OpenJDK 8u. Specifically for 8u242, as the backport adds new root certificates for Amazon. 8u242 since it's in Oracle JDK 8u241. Note that the patch depends on the backport of JDK-8232019. I'll be sure to include relevant bits of this in the backport of JDK-8193255 for 8u252. The patch has been reviewed by Volker Simonis, Christoph Langer and Martin Balao. It didn't apply cleanly - mostly because of missing JDK-8193255 - so it needed a review.
HG export patch (as this includes the binary blob cacerts): https://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8233223/jdk8/JDK-8233223.jdk8.export.patch
Review thread: http://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-December/010814.html
Testing (ActalisCA.java is problem-listed and tracked with JDK-8224768):
  • Passed: sun/security/lib/cacerts/VerifyCACerts.java
  • FAILED: security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
  • Passed: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java
  • Passed: security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java
  • Passed: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java
  • Passed: security/infra/java/security/cert/CertPathValidator/certification/DTrustCA.java
  • Passed: security/infra/java/security/cert/CertPathValidator/certification/EntrustCA.java
  • Passed: security/infra/java/security/cert/CertPathValidator/certification/GlobalSignR6CA.java
  • Passed: security/infra/java/security/cert/CertPathValidator/certification/GoDaddyCA.java
  • Passed: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java
  • Passed: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java
  • Passed: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java
  • Passed: security/infra/java/security/cert/CertPathValidator/certification/TeliaSoneraCA.java
Test results: passed: 12; failed: 1

Fix request (11u, 13u): I request to backport the addition of this important set of root certificates to 11u and 13u. For 11u, I requested jdk11u-critical to get it into 11.0.6. For 13u, I can see that it is already resolved in 13u-cpu. Maybe we can also push it to the open jdk13u repository. Patch applies cleanly and tests pass.

URL: https://hg.openjdk.java.net/jdk/jdk/rev/f29e5cd27300
User: rhalade
Date: 2019-11-28 18:44:10 +0000