跳到主要内容

JEP 319:根证书

QWen Max 中英对照 JEP 319 Root Certificates

概述

在 JDK 中提供一组默认的根证书颁发机构 (CA) 证书。

目标

开源 Oracle Java SE Root CA 计划中的根证书,以使 OpenJDK 构建版本对开发者更具吸引力,并减少这些构建版本与 Oracle JDK 构建版本之间的差异。

动机

cacerts 密钥库是 JDK 的一部分,旨在包含一组根证书,这些根证书可用于在各种安全协议中使用的证书链建立信任。然而,JDK 源代码中的 cacerts 密钥库当前为空。因此,在 OpenJDK 构建中,默认情况下关键的安全组件(例如 TLS)无法正常工作。为了解决此问题,用户必须根据文档配置并填充 cacerts 密钥库的一组根证书,例如在 JDK 9 发行说明 中记录的内容。

描述

cacerts 密钥库将填充由 Oracle 的 Java SE Root CA 计划中的证书颁发机构(CA)签发的一组根证书。作为先决条件,每个 CA 必须签署 Oracle 贡献者协议 (OCA) 或同等协议,以授予 Oracle 开源其证书的权利。以下列出了已签署所需协议的 CA,并且针对每个 CA 列出了将包含的根证书(通过专有名称标识)。此列表包括了当前大多数属于 Oracle Java SE Root CA 计划成员的 CA。尚未签署协议的 CA 将暂时不被包含在内,而那些处理时间较长的 CA 将被包含在下一个版本中。

Actalis S.p.A.

  1. CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=米兰,C=IT

Buypass AS

  1. CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
  2. CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO

Camerfirma

  1. CN=商会根证书,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
  2. CN=商会根证书 - 2008,O=AC Camerfirma S.A.,序列号=A82743287,L=马德里(当前地址见 www.camerfirma.com/address),C=EU
  3. CN=全球商会根证书 - 2008,O=AC Camerfirma S.A.,序列号=A82743287,L=马德里(当前地址见 www.camerfirma.com/address),C=EU

Certum

  1. CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
  2. CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

中华电信股份有限公司

  1. OU=ePKI 根证书认证机构,O="中华电信股份有限公司",C=TW

Comodo CA Ltd.

  1. CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
  2. CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
  3. CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
  4. CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
  5. CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  6. CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  7. CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
  8. CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
  9. CN=UTN - USERFirst - Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
  10. CN=UTN - USERFirst - Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
  11. CN=UTN - USERFirst - Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Digicert Inc.

  1. CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
  2. CN=Baltimore CyberTrust Code Signing Root,OU=CyberTrust,O=Baltimore,C=IE
  3. CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
  4. CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
  5. CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
  6. CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
  7. CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
  8. CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
  9. CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
  10. CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
  11. OU=Equifax Secure Certificate Authority,O=Equifax,C=US
  12. CN=Equifax Secure eBusiness CA - 1,O=Equifax Secure Inc.,C=US
  13. CN=Equifax Secure Global eBusiness CA - 1,O=Equifax Secure Inc.,C=US
  14. CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
  15. CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
  16. CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
  17. CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
  18. CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
  19. CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
  20. CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
  21. CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
  22. CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
  23. EMAILADDRESS=premium - server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
  24. CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA
  25. OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
  26. OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 1 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
  27. CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
  28. OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
  29. CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
  30. OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
  31. OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
  32. CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
  33. CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
  34. CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
  35. CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US

DocuSign

  1. CN=Class 2 Primary CA,O=Certplus,C=FR
  2. CN=Class 3P Primary CA,O=Certplus,C=FR
  3. CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR

D-TRUST 有限公司

  1. CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
  2. CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE

IdenTrust

  1. CN=DST Root CA X3,O=Digital Signature Trust Co.
  2. CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
  3. CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US

Let's Encrypt

  1. CN=ISRG Root X1,O=Internet Security Research Group,C=US

LuxTrust

  1. CN=LuxTrust Global Root,O=LuxTrust s.a.,C=LU

QuoVadis 有限公司

  1. CN=QuoVadis 根证书认证机构,OU=根证书认证机构,O=QuoVadis 有限公司,C=BM
  2. CN=QuoVadis 根 CA 1 G3,O=QuoVadis 有限公司,C=BM
  3. CN=QuoVadis 根 CA 2,O=QuoVadis 有限公司,C=BM
  4. CN=QuoVadis 根 CA 2 G3,O=QuoVadis 有限公司,C=BM
  5. CN=QuoVadis 根 CA 3,O=QuoVadis 有限公司,C=BM
  6. CN=QuoVadis 根 CA 3 G3,O=QuoVadis 有限公司,C=BM

Secom 信任系统

  1. OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
  2. OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
  3. OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP

SwissSign AG

  1. CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
  2. CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
  3. CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH

Telia

  1. CN=Sonera Class2 CA,O=Sonera,C=FI

Trustwave

  1. CN=SecureTrust CA,O=SecureTrust Corporation,C=US
  2. CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US

测试

将创建测试来通过验证每个根证书的 SHA-256 指纹以确认 cacerts 密钥库的完整性。如果可行,还将编写测试来验证由这些 CA 签发的、能够追溯到所包含根证书的测试证书。将添加额外的测试以确保依赖于根证书的安全组件在 OpenJDK 构建版本中开箱即用,无需任何额外配置。