Summary
-------
Change the keystore type of the `$JDK_HOME/lib/security/cacerts` file from JKS to password-less PKCS12. Password-less here means that the certificates are not encrypted and the file contains no MacData for an integrity check.

Problem
-------
The current cacerts file is in JKS format, which has several problems:
1. The JKS format is obsolete and we have been advising users to migrate to PKCS12 for years.
2. The keystore is protected by the password "changeit", which is weak and well known. The password provides no real protection, since anyone can modify the file and re-protect it with the same password. In addition, the cacerts keystore is part of the JDK binary, which should ideally be installed in a location that cannot be modified by unauthorized users.

Solution
--------
Change the keystore type of `lib/security/cacerts` file from JKS to password-less PKCS12. The build process will be updated to create the new file. One can also migrate the current file with the following command:

    keytool -J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE \
        -J-Dkeystore.pkcs12.macAlgorithm=NONE \
        -importkeystore -srckeystore cacerts -srcstorepass changeit \
        -deststoretype pkcs12 -destkeystore cacerts
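
The following check is an added example, not part of the original proposal or the JDK build: it reports whether a keystore file is still JKS or is PKCS12 with or without a MacData element, which is one way to confirm the result of the migration command above. It assumes DER encoding with definite lengths and looks only at MacData presence, not at whether certificate bags are encrypted; `classify_keystore`, `read_tlv`, `der` and the sample bytes are constructed for illustration.

```python
import sys

JKS_MAGIC = bytes.fromhex("feedfeed")  # first four bytes of every JKS file

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of file")
    return tag, pos, pos + length

def classify_keystore(data):
    """Classify keystore bytes as JKS, or PKCS12 with/without MacData."""
    if data[:4] == JKS_MAGIC:
        return "JKS"
    tag, start, end = read_tlv(data, 0)            # PFX ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, vstart, vend = read_tlv(data, start)      # version INTEGER, must be 3
    if tag != 0x02 or data[vstart:vend] != b"\x03":
        raise ValueError("not a PKCS12 v3 PFX")
    tag, _, auth_end = read_tlv(data, vend)        # authSafe ContentInfo
    if tag != 0x30:
        raise ValueError("authSafe is not a SEQUENCE")
    # macData is the only optional field; any bytes left mean it is present.
    return "PKCS12 with MacData" if auth_end < end else "PKCS12 without MacData"

def der(tag, content=b""):
    """Build a short-form DER element for the constructed samples below."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

# Constructed samples (not real keystores): an empty AuthenticatedSafe,
# with and without a dummy MacData (SHA-256 AlgorithmIdentifier, zero digest).
AUTH_SAFE = der(0x30, bytes.fromhex("06092a864886f70d010701") + der(0xA0, der(0x04, der(0x30))))
MAC_DATA = der(0x30, der(0x30, der(0x30, bytes.fromhex("0609608648016503040201") + der(0x05))
                         + der(0x04, bytes(32))) + der(0x04, bytes(8)) + der(0x02, b"\x27\x10"))
PFX_NO_MAC = der(0x30, der(0x02, b"\x03") + AUTH_SAFE)
PFX_WITH_MAC = der(0x30, der(0x02, b"\x03") + AUTH_SAFE + MAC_DATA)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    print(classify_keystore(open(path, "rb").read()) if path else classify_keystore(PFX_NO_MAC))
```

Run it with the path to a `cacerts` file as the only argument; with no argument it classifies the constructed password-less sample.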

Specification
-------------
The format of cacerts is an implementation detail.