JEP 319: Root Certificates

Summary

Provide a default set of root Certification Authority (CA) certificates in the JDK.

Goals

Open-source the root certificates in Oracle's Java SE Root CA Program in order to make OpenJDK builds more attractive to developers, and to reduce the differences between those builds and Oracle JDK builds.

Motivation

The cacerts keystore, which is part of the JDK, is intended to contain a set of root certificates that can be used to establish trust in the certificate chains used by various security protocols. However, the cacerts keystore in the JDK source code is currently empty. As a result, critical security components such as TLS do not work by default in OpenJDK builds. To work around this, users must configure and populate the cacerts keystore as described in the documentation (for example, the JDK 9 release notes).

Description

The cacerts keystore will be populated with root certificates issued by the CAs in Oracle's Java SE Root CA Program. As a prerequisite, each CA must sign the Oracle Contributor Agreement (OCA) or an equivalent agreement granting Oracle the right to open-source its certificates. Below is the list of CAs that have signed the required agreement, together with the root certificates (identified by their Distinguished Name) that will be included for each. The list covers most of the current members of the Oracle Java SE Root CA Program. CAs that have not signed the agreement are not included at this time; CAs whose processing takes longer will be added in a subsequent release.

Actalis S.p.A.

  1. CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT

Buypass AS

  1. CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
  2. CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO

Camerfirma

  1. CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
  2. CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  3. CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU

Certum

  1. CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
  2. CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Chunghwa Telecom Co., Ltd.

  1. OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW

Comodo CA Ltd.

  1. CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  2. CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
  3. CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  4. CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
  5. CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
  6. CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
  7. CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
  8. CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
  9. CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  10. CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  11. CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

Digicert Inc.

  1. CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  2. CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
  3. CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  4. CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  5. CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
  6. CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
  7. CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  8. CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  9. CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
  10. CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  11. OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  12. CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  13. CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  14. CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  15. CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  16. CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  17. CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  18. CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
  19. CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  20. CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  21. CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
  22. CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  23. EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  24. CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
  25. OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  26. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  27. CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  28. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  29. CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  30. OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  31. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  32. CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  33. CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  34. CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  35. CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

DocuSign

  1. CN=Class 2 Primary CA, O=Certplus, C=FR
  2. CN=Class 3P Primary CA, O=Certplus, C=FR
  3. CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR

D-TRUST GmbH

  1. CN=D-TRUST Root Class 3 CA 2 2009, O=D-Trust GmbH, C=DE
  2. CN=D-TRUST Root Class 3 CA 2 EV 2009, O=D-Trust GmbH, C=DE

IdenTrust

  1. CN=DST Root CA X3, O=Digital Signature Trust Co.
  2. CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
  3. CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US

Let's Encrypt

  1. CN=ISRG Root X1, O=Internet Security Research Group, C=US

LuxTrust

  1. CN=LuxTrust Global Root, O=LuxTrust s.a., C=LU

QuoVadis Ltd.

  1. CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
  2. CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
  3. CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
  4. CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
  5. CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
  6. CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM

Secom Trust Systems

  1. OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
  2. OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
  3. OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP

SwissSign AG

  1. CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
  2. CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  3. CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH

Telia

  1. CN=Sonera Class2 CA, O=Sonera, C=FI

Trustwave

  1. CN=SecureTrust CA, O=SecureTrust Corporation, C=US
  2. CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US

Testing

Tests will be created to verify the integrity of the cacerts keystore by checking the SHA-256 fingerprint of each root certificate. Where possible, tests will also be written to validate test certificates issued by the CAs that chain back to the included roots. In addition, further tests will be added to ensure that security components which depend on root certificates work out of the box in OpenJDK builds, without any additional configuration.
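The two checks described in the Motivation and Testing sections (a non-empty cacerts, and a per-root SHA-256 fingerprint match) can be expressed as a small Java program. The example below is added here and is not the JEP's own test code: the aliases in the EXPECTED map and their fingerprint values are placeholders that a build would replace with the fingerprints recorded for the roots listed above, and it assumes the conventional default cacerts password "changeit".

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class CacertsIntegrityCheck {

    // Expected SHA-256 fingerprints keyed by keystore alias.
    // ASSUMED: alias names and fingerprint values are placeholders, not real data;
    // fill them from the fingerprints recorded for the roots the JEP lists.
    static final Map<String, String> EXPECTED = new HashMap<>();
    static {
        EXPECTED.put("actalisauthenticationrootca", "<PLACEHOLDER-SHA256-FINGERPRINT>");
        EXPECTED.put("buypassclass2ca", "<PLACEHOLDER-SHA256-FINGERPRINT>");
    }

    // Colon-separated, upper-case hex SHA-256 over the DER encoding, the same
    // form keytool prints as "SHA256:".
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    static KeyStore loadCacerts(Path path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, "changeit".toCharArray()); // ASSUMED: default cacerts password
        }
        return ks;
    }

    // Returns a list of findings; an empty list means the keystore passed every check.
    static List<String> verify(KeyStore ks) throws Exception {
        List<String> problems = new ArrayList<>();
        if (ks.size() == 0) {
            // The failure mode the Motivation section describes: TLS has no trust anchors.
            problems.add("cacerts is empty: TLS will not work by default");
            return problems;
        }
        // 1. Every expected root is present and its fingerprint matches.
        for (Map.Entry<String, String> e : EXPECTED.entrySet()) {
            String alias = e.getKey();
            if (!ks.containsAlias(alias)) {
                problems.add("missing expected root: " + alias);
                continue;
            }
            String fp = sha256Fingerprint(ks.getCertificate(alias));
            if (!fp.equalsIgnoreCase(e.getValue())) {
                problems.add("fingerprint mismatch for " + alias + ": " + fp);
            }
        }
        // 2. Nothing beyond the expected set has been added (tampering check),
        //    and every entry is a currently valid, self-signed root.
        for (String alias : Collections.list(ks.aliases())) {
            if (!EXPECTED.containsKey(alias)) {
                problems.add("unexpected entry: " + alias);
            }
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                try {
                    x.checkValidity();
                } catch (Exception ex) {
                    problems.add("expired or not yet valid: " + alias);
                }
                if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) {
                    problems.add("not self-signed: " + alias);
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        Path cacerts = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        List<String> problems = verify(loadCacerts(cacerts));
        if (problems.isEmpty()) {
            System.out.println("cacerts OK: " + cacerts);
        } else {
            problems.forEach(System.out::println);
        }
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Run it against the running JDK's keystore with `java CacertsIntegrityCheck`, or pass an explicit path to check a freshly built image. The "unexpected entry" finding is what turns a fingerprint list into a tamper check: a keystore that still contains every expected root but has gained an extra trust anchor would otherwise pass.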

These tests ensure that the set of certificates in the cacerts keystore is correct and has not been tampered with, and that the security components which depend on it work properly. Running them automatically on every JDK update or build keeps the root certificate set valid and reliable, which strengthens the security of the Java platform and gives the Java community confidence that applications running on OpenJDK builds have the same trust roots as Oracle JDK builds.