All JDKs now come equipped with all Oracle-blessed CA certs:

work/jdk8u-jdk8u342-b07.1/jdk/make/data/cacerts
work/jdk11u-jdk-11.0.16-8-1/make/data/cacerts
work/jdk17u-jdk-17.0.4-8-1/make/data/cacerts
work/jdk18u-jdk-18.0.2-9-1/make/data/cacerts

These directories contain one CA cert per file, which are assembled into the cacerts truststore at build time. Attached is a patch which removes the outdated cacerts files.
Created attachment 236969
Patch against /usr/ports (main)

Please evaluate this Git-formatted patch.
This change looks good to me
(In reply to Greg Lewis from comment #2) Are you willing to apply the patch then? I want to work on Bug 229329, which is basically trivial to do, as a complement for certctl until OpenSSL 3.0.x can handle PKCS 12 trust stores with oracleJdkTruststoreUsage as a bag attribute.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=60e0223972d80e21ef7a82b512728154e917ca73

commit 60e0223972d80e21ef7a82b512728154e917ca73
Author:     Greg Lewis <glewis@FreeBSD.org>
AuthorDate: 2022-11-04 05:50:24 +0000
Commit:     Greg Lewis <glewis@FreeBSD.org>
CommitDate: 2022-11-04 05:52:56 +0000

    java/openjdk8: Use the distributed cacerts

    PR:          266723
    Reported by: Michael Osipov <michael.osipov@siemens.com>

 java/openjdk8/Makefile            |   2 +-
 java/openjdk8/files/cacerts (gone) | Bin 100515 -> 0 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=34c45542f75c54c35a44be1c80f0ac3076da8bee

commit 34c45542f75c54c35a44be1c80f0ac3076da8bee
Author:     Greg Lewis <glewis@FreeBSD.org>
AuthorDate: 2022-11-04 06:12:10 +0000
Commit:     Greg Lewis <glewis@FreeBSD.org>
CommitDate: 2022-11-04 06:13:16 +0000

    java/openjdk11: Use the distributed cacerts

    PR:          266723
    Reported by: Michael Osipov <michael.osipov@siemens.com>

 java/openjdk11/Makefile            |   2 +-
 java/openjdk11/files/cacerts (gone) | Bin 98310 -> 0 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=381f9126c0345124633cc3379a7898829746e060

commit 381f9126c0345124633cc3379a7898829746e060
Author:     Greg Lewis <glewis@FreeBSD.org>
AuthorDate: 2022-11-04 06:30:13 +0000
Commit:     Greg Lewis <glewis@FreeBSD.org>
CommitDate: 2022-11-04 06:30:13 +0000

    java/openjdk17: Use the distributed cacerts

    PR:          266723
    Reported by: Michael Osipov <michael.osipov@siemens.com>

 java/openjdk17/Makefile            |   2 +-
 java/openjdk17/files/cacerts (gone) | Bin 104100 -> 0 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=add6dd031a6aa7eb7d7f51e2c278f8c27ba27426

commit add6dd031a6aa7eb7d7f51e2c278f8c27ba27426
Author:     Greg Lewis <glewis@FreeBSD.org>
AuthorDate: 2022-11-04 06:43:18 +0000
Commit:     Greg Lewis <glewis@FreeBSD.org>
CommitDate: 2022-11-04 06:43:18 +0000

    java/openjdk18: Use the distributed cacerts

    PR:          266723
    Reported by: Michael Osipov <michael.osipov@siemens.com>

 java/openjdk18/Makefile            |   2 +-
 java/openjdk18/files/cacerts (gone) | Bin 109961 -> 0 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)
Changes committed. I'm not convinced this is ideal for openjdk18, but perhaps we can find another method of keeping its cacerts up to date now that it is EoL, since it will be around until openjdk21.
(In reply to Greg Lewis from comment #8) Can you rephrase?! I do not really understand what you are referring to by EoL. EoL of what? Java 8? Java 11? They will live on for years to come. My current workaround is to apply:

(cd /usr/local/openjdk8/jre/lib/security; rm cacerts; ln -sf /usr/local/etc/ssl/cacerts; pkg check -r openjdk8)

cacerts contains the same combination certctl produces.
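After either change discussed in this thread (the port's static cacerts replaced by the JDK's own build-time assembly from one-cert-per-file sources in comment 1, or the certctl symlink workaround above), the check a practitioner wants is whether a JDK trust store actually matches the PEM bundle it is meant to mirror. The script below does that without keytool: it parses the JKS container format directly, verifies the store's integrity digest, and diffs the SHA-256 fingerprints of its trusted-certificate entries against those of a PEM bundle. This is an added example, not code from the FreeBSD ports tree, certctl or the JDK; the file paths in the usage comment and the placeholder "certificates" in demo() are assumptions. Only the JKS layout (the format of the openjdk8/11/17 cacerts) is handled; a cacerts that is not JKS, such as the password-less PKCS12 store newer JDKs ship, fails the magic check and should be listed with keytool -list -cacerts instead.

```python
"""Compare a JDK cacerts (JKS) trust store against a PEM bundle by SHA-256 fingerprint.
Added example, not code from the FreeBSD ports tree, certctl or the JDK.  It reads the
JKS container format itself (no keytool) and ignores X.509 contents; password-less
PKCS12 stores are not handled."""
import base64, hashlib, re, struct, sys
from typing import Dict, List, Tuple

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
PRIVATE_KEY_TAG, TRUSTED_CERT_TAG = 1, 2
JKS_SALT = b"Mighty Aphrodite"  # fixed string the JDK mixes into the integrity digest
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_utf(buf: bytes, pos: int) -> Tuple[str, int]:
    """Java DataOutput string: 2-byte big-endian length, then UTF-8 bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _read_blob(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """4-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def read_jks_trusted_certs(data: bytes, password: str = "changeit") -> Dict[str, str]:
    """{alias: sha256-hex of DER cert} for each trusted-cert entry; verifies the
    trailing SHA-1 integrity digest with `password` ('changeit' is the JDK default)."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS version 2 store")
    pos, entries = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _read_utf(data, pos + 4)
        pos += 8  # creation timestamp (ms since epoch), not needed here
        if tag == TRUSTED_CERT_TAG:
            _type, pos = _read_utf(data, pos)  # certificate type, "X.509"
            der, pos = _read_blob(data, pos)
            entries[alias] = hashlib.sha256(der).hexdigest()
        elif tag == PRIVATE_KEY_TAG:
            # A trust store should carry no keys; step over the entry without using it.
            _key, pos = _read_blob(data, pos)
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):
                _type, pos = _read_utf(data, pos)
                _der, pos = _read_blob(data, pos)
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    expected = hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + data[:pos]).digest()
    if data[pos:pos + 20] != expected:
        raise ValueError("JKS integrity digest mismatch: wrong password or corrupt store")
    return entries


def pem_fingerprints(pem: bytes) -> List[str]:
    """SHA-256 fingerprints of every certificate in a PEM bundle."""
    return [hashlib.sha256(base64.b64decode(b"".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem)]


def compare_stores(jks: Dict[str, str], pem_fps: List[str]) -> Tuple[List[str], List[str]]:
    """(aliases only in the JKS, fingerprints only in the PEM); ([], []) means in sync."""
    pem_set = set(pem_fps)
    return (sorted(a for a, fp in jks.items() if fp not in pem_set),
            sorted(pem_set - set(jks.values())))


def build_jks(certs: Dict[str, bytes], password: str = "changeit") -> bytes:
    """Write a JKS of trusted-cert entries only (the layout keytool -importcert produces)."""
    out = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(certs))
    for alias, der in certs.items():
        a = alias.encode("utf-8")
        out += struct.pack(">IH", TRUSTED_CERT_TAG, len(a)) + a + struct.pack(">QH", 0, 5)
        out += b"X.509" + struct.pack(">I", len(der)) + der
    return out + hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + out).digest()


def demo() -> Tuple[List[str], List[str]]:
    """Constructed input: opaque placeholder DER blobs standing in for real certificates."""
    ca_a, ca_b, ca_c = b"\x30\x03\x02\x01\x0a", b"\x30\x03\x02\x01\x0b", b"\x30\x03\x02\x01\x0c"
    stale_jks = build_jks({"rootca-a": ca_a, "rootca-b-old": ca_b})
    current_pem = b"".join(b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(d)
                           + b"-----END CERTIFICATE-----\n" for d in (ca_a, ca_c))
    return compare_stores(read_jks_trusted_certs(stale_jks), pem_fingerprints(current_pem))


if __name__ == "__main__":  # assumed usage: cacerts_sync.py <cacerts> <bundle.pem>
    if len(sys.argv) == 3:
        jks_data, pem_data = (open(p, "rb").read() for p in sys.argv[1:])
        result = compare_stores(read_jks_trusted_certs(jks_data), pem_fingerprints(pem_data))
    else:
        result = demo()
    print("only in JKS:", result[0], "\nonly in PEM:", result[1])
```

Run with no arguments it diffs a constructed stale store against a constructed current bundle and reports one alias that only the JKS still trusts and one fingerprint that only the bundle carries; with two arguments it diffs real files, for example a port's jre/lib/security/cacerts against the PEM bundle certctl maintains. Any non-empty result means the two stores have drifted, which is exactly the situation the thread's patch and symlink workaround are meant to prevent. The integrity digest is checked so that a truncated or tampered store is reported rather than silently diffed, and the comparison is by fingerprint rather than alias, since aliases differ between the ports' and the JDK's cacerts files.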
Java 18 is already end of life. So it is now stuck with whatever certificates it had. I'm thinking I should back out the change to it and instead update the cacerts file so that it is in sync with the other versions of Java.
(In reply to Greg Lewis from comment #10) OK, I see now what you are saying. I would rather say that Java 18 is frozen and no need to change it. If someone really requires another cacerts, one can take my oneliner for this. It just works in our post-installation (PI) process. Just keep it consistent with Java 17+ and move on. Java 19 doesn't have it anyway.