- CSR
- Resolution: Approved
- P3
- None
- binary
- low
- A PKCS12 file can be loaded as a JKS keystore, and a password-less PKCS12 keystore can be loaded with any password. Together this means that any code that can load the JKS cacerts will still be able to load the new cacerts file.
- File or wire format
- Implementation
Summary
Change the keystore type of the $JDK_HOME/lib/security/cacerts file from JKS to password-less PKCS12. Password-less here means that the certificates are not encrypted and the file contains no MacData for an integrity check.
Problem
The current cacerts file is in JKS format, which has several problems:
- The JKS format is obsolete and we have been advising users to migrate to PKCS12 for years.
- The keystore is protected by a password "changeit", which is weak and well-known. It also provides no real protection since anyone can modify the file and re-protect it with the same password. Also, the cacerts keystore is part of the JDK binary, which should ideally be installed in a location that cannot be modified by unauthorized users.
Solution
Change the keystore type of the lib/security/cacerts file from JKS to password-less PKCS12. The build process will be updated to create the new file. One can also migrate the current file with the following command:
keytool -J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE \
-J-Dkeystore.pkcs12.macAlgorithm=NONE \
-importkeystore -srckeystore cacerts -srcstorepass changeit \
-deststoretype pkcs12 -destkeystore cacerts
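The compatibility claim and the absence of an integrity check can both be observed on a given cacerts file. The program below is an added example, not code from the JDK or from this CSR; the class name CacertsCheck and the second password are constructed for illustration, and it assumes Java 9 or later for KeyStore.getInstance(File, char[]).

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.List;

public class CacertsCheck {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Default to the running JDK's trust store; a path may be passed instead.
        File cacerts = new File(args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts");

        // Probe the on-disk format. A null password skips any integrity check.
        KeyStore probed = KeyStore.getInstance(cacerts, (char[]) null);
        System.out.println("on-disk type: " + probed.getType());

        // Legacy callers ask for "JKS". Try the old password, then a wrong one
        // (constructed value): a password-less PKCS12 file accepts both, while
        // an old JKS file rejects the second.
        for (String pw : new String[] {"changeit", "not-the-password"}) {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(cacerts)) {
                ks.load(in, pw.toCharArray());
                System.out.println("JKS load with '" + pw + "': " + ks.size() + " entries");
            } catch (IOException e) {
                System.out.println("JKS load with '" + pw + "' rejected: " + e.getMessage());
            }
        }

        // With no MacData, nothing in the file detects tampering. Print one
        // SHA-256 fingerprint per trusted certificate, sorted by alias, so the
        // output can be diffed against a known-good baseline.
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        List<String> aliases = Collections.list(probed.aliases());
        Collections.sort(aliases);
        for (String alias : aliases) {
            Certificate cert = probed.getCertificate(alias);
            if (cert == null) continue;  // entry holds no certificate
            byte[] digest = sha256.digest(cert.getEncoded());
            System.out.println(String.format("%064x", new BigInteger(1, digest)) + "  " + alias);
        }
    }
}
```

On Java 11 or later it can be run directly as `java CacertsCheck.java [path-to-cacerts]`.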
Specification
The format of cacerts is an implementation detail.
- csr of JDK-8275252 Migrate cacerts from JKS to password-less PKCS12 (Resolved)