JDK 10 新特性-JEP 319：根证书

JEP 319：根证书

QWen Max

中英对照

JEP 319 Root Certificates

概述​

在 JDK 中提供一组默认的根证书颁发机构 (CA) 证书。

目标​

开源 Oracle Java SE Root CA 计划中的根证书，以使 OpenJDK 构建版本对开发者更具吸引力，并减少这些构建版本与 Oracle JDK 构建版本之间的差异。

动机​

cacerts 密钥库是 JDK 的一部分，旨在包含一组根证书，这些根证书可用于在各种安全协议中使用的证书链建立信任。然而，JDK 源代码中的 cacerts 密钥库当前为空。因此，在 OpenJDK 构建中，默认情况下关键的安全组件（例如 TLS）无法正常工作。为了解决此问题，用户必须根据文档配置并填充 cacerts 密钥库的一组根证书，例如在 JDK 9 发行说明 中记录的内容。

描述​

cacerts 密钥库将填充由 Oracle 的 Java SE Root CA 计划中的证书颁发机构（CA）签发的一组根证书。作为先决条件，每个 CA 必须签署 Oracle 贡献者协议 (OCA) 或同等协议，以授予 Oracle 开源其证书的权利。以下列出了已签署所需协议的 CA，并且针对每个 CA 列出了将包含的根证书（通过专有名称标识）。此列表包括了当前大多数属于 Oracle Java SE Root CA 计划成员的 CA。尚未签署协议的 CA 将暂时不被包含在内，而那些处理时间较长的 CA 将被包含在下一个版本中。

Actalis S.p.A.​

CN=Actalis Authentication Root CA，O=Actalis S.p.A./03358520967，L=米兰，C=IT

Buypass AS​

CN=Buypass Class 2 Root CA，O=Buypass AS-983163327，C=NO

CN=Buypass Class 3 Root CA，O=Buypass AS-983163327，C=NO

Camerfirma​

CN=商会根证书，OU=http://www.chambersign.org，O=AC Camerfirma SA CIF A82743287，C=EU

CN=商会根证书 - 2008，O=AC Camerfirma S.A.，序列号=A82743287，L=马德里（当前地址见 www.camerfirma.com/address），C=EU

CN=全球商会根证书 - 2008，O=AC Camerfirma S.A.，序列号=A82743287，L=马德里（当前地址见 www.camerfirma.com/address），C=EU

Certum​

CN=Certum CA，O=Unizeto Sp. z o.o.，C=PL

CN=Certum Trusted Network CA，OU=Certum Certification Authority，O=Unizeto Technologies S.A.，C=PL

中华电信股份有限公司​

OU=ePKI 根证书认证机构，O="中华电信股份有限公司"，C=TW

Comodo CA Ltd.​

CN=AddTrust Class 1 CA Root，OU=AddTrust TTP Network，O=AddTrust AB，C=SE

CN=AddTrust External CA Root，OU=AddTrust External TTP Network，O=AddTrust AB，C=SE

CN=AddTrust Qualified CA Root，OU=AddTrust TTP Network，O=AddTrust AB，C=SE

CN=AAA Certificate Services，O=Comodo CA Limited，L=Salford，ST=Greater Manchester，C=GB

CN=COMODO ECC Certification Authority，O=COMODO CA Limited，L=Salford，ST=Greater Manchester，C=GB

CN=COMODO RSA Certification Authority，O=COMODO CA Limited，L=Salford，ST=Greater Manchester，C=GB

CN=USERTrust ECC Certification Authority，O=The USERTRUST Network，L=Jersey City，ST=New Jersey，C=US

CN=USERTrust RSA Certification Authority，O=The USERTRUST Network，L=Jersey City，ST=New Jersey，C=US

CN=UTN - USERFirst - Client Authentication and Email，OU=http://www.usertrust.com，O=The USERTRUST Network，L=Salt Lake City，ST=UT，C=US

CN=UTN - USERFirst - Hardware，OU=http://www.usertrust.com，O=The USERTRUST Network，L=Salt Lake City，ST=UT，C=US

CN=UTN - USERFirst - Object，OU=http://www.usertrust.com，O=The USERTRUST Network，L=Salt Lake City，ST=UT，C=US

Digicert Inc.​

CN=Baltimore CyberTrust Root，OU=CyberTrust，O=Baltimore，C=IE

CN=Baltimore CyberTrust Code Signing Root，OU=CyberTrust，O=Baltimore，C=IE

CN=DigiCert Global Root CA，OU=www.digicert.com，O=DigiCert Inc，C=US

CN=DigiCert Global Root G2，OU=www.digicert.com，O=DigiCert Inc，C=US

CN=DigiCert Global Root G3，OU=www.digicert.com，O=DigiCert Inc，C=US

CN=DigiCert Trusted Root G4，OU=www.digicert.com，O=DigiCert Inc，C=US

CN=DigiCert Assured ID Root CA，OU=www.digicert.com，O=DigiCert Inc，C=US

CN=DigiCert Assured ID Root G2，OU=www.digicert.com，O=DigiCert Inc，C=US

CN=DigiCert Assured ID Root G3，OU=www.digicert.com，O=DigiCert Inc，C=US

CN=DigiCert High Assurance EV Root CA，OU=www.digicert.com，O=DigiCert Inc，C=US

OU=Equifax Secure Certificate Authority，O=Equifax，C=US

CN=Equifax Secure eBusiness CA - 1，O=Equifax Secure Inc.，C=US

CN=Equifax Secure Global eBusiness CA - 1，O=Equifax Secure Inc.，C=US

CN=GeoTrust Global CA，O=GeoTrust Inc.，C=US

CN=GeoTrust Primary Certification Authority，O=GeoTrust Inc.，C=US

CN=GeoTrust Primary Certification Authority - G2，OU=(c) 2007 GeoTrust Inc. - For authorized use only，O=GeoTrust Inc.，C=US

CN=GeoTrust Primary Certification Authority - G3，OU=(c) 2008 GeoTrust Inc. - For authorized use only，O=GeoTrust Inc.，C=US

CN=GeoTrust Universal CA，O=GeoTrust Inc.，C=US

CN=GTE CyberTrust Global Root，OU="GTE CyberTrust Solutions, Inc."，O=GTE Corporation，C=US

CN=thawte Primary Root CA，OU="(c) 2006 thawte, Inc. - For authorized use only"，OU=Certification Services Division，O="thawte, Inc."，C=US

CN=thawte Primary Root CA - G2，OU="(c) 2007 thawte, Inc. - For authorized use only"，O="thawte, Inc."，C=US

CN=thawte Primary Root CA - G3，OU="(c) 2008 thawte, Inc. - For authorized use only"，OU=Certification Services Division，O="thawte, Inc."，C=US

EMAILADDRESS=premium - server@thawte.com，CN=Thawte Premium Server CA，OU=Certification Services Division，O=Thawte Consulting cc，L=Cape Town，ST=Western Cape，C=ZA

CN=Thawte Timestamping CA，OU=Thawte Certification，O=Thawte，L=Durbanville，ST=Western Cape，C=ZA

OU=Class 1 Public Primary Certification Authority，O="VeriSign, Inc."，C=US

OU=VeriSign Trust Network，OU="(c) 1998 VeriSign, Inc. - For authorized use only"，OU=Class 1 Public Primary Certification Authority - G2，O="VeriSign, Inc."，C=US

CN=VeriSign Class 1 Public Primary Certification Authority - G3，OU="(c) 1999 VeriSign, Inc. - For authorized use only"，OU=VeriSign Trust Network，O="VeriSign, Inc."，C=US

OU=VeriSign Trust Network，OU="(c) 1998 VeriSign, Inc. - For authorized use only"，OU=Class 2 Public Primary Certification Authority - G2，O="VeriSign, Inc."，C=US

CN=VeriSign Class 2 Public Primary Certification Authority - G3，OU="(c) 1999 VeriSign, Inc. - For authorized use only"，OU=VeriSign Trust Network，O="VeriSign, Inc."，C=US

OU=Class 3 Public Primary Certification Authority，O="VeriSign, Inc."，C=US

OU=VeriSign Trust Network，OU="(c) 1998 VeriSign, Inc. - For authorized use only"，OU=Class 3 Public Primary Certification Authority - G2，O="VeriSign, Inc."，C=US

CN=VeriSign Class 3 Public Primary Certification Authority - G3，OU="(c) 1999 VeriSign, Inc. - For authorized use only"，OU=VeriSign Trust Network，O="VeriSign, Inc."，C=US

CN=VeriSign Class 3 Public Primary Certification Authority - G4，OU="(c) 2007 VeriSign, Inc. - For authorized use only"，OU=VeriSign Trust Network，O="VeriSign, Inc."，C=US

CN=VeriSign Class 3 Public Primary Certification Authority - G5，OU="(c) 2006 VeriSign, Inc. - For authorized use only"，OU=VeriSign Trust Network，O="VeriSign, Inc."，C=US

CN=VeriSign Universal Root Certification Authority，OU="(c) 2008 VeriSign, Inc. - For authorized use only"，OU=VeriSign Trust Network，O="VeriSign, Inc."，C=US

DocuSign​

CN=Class 2 Primary CA，O=Certplus，C=FR

CN=Class 3P Primary CA，O=Certplus，C=FR

CN=KEYNECTIS ROOT CA，OU=ROOT，O=KEYNECTIS，C=FR

D-TRUST 有限公司​

CN=D-TRUST Root Class 3 CA 2 2009，O=D-Trust GmbH，C=DE

CN=D-TRUST Root Class 3 CA 2 EV 2009，O=D-Trust GmbH，C=DE

IdenTrust​

CN=DST Root CA X3，O=Digital Signature Trust Co.

CN=IdenTrust Public Sector Root CA 1，O=IdenTrust，C=US

CN=IdenTrust Commercial Root CA 1，O=IdenTrust，C=US

Let's Encrypt​

CN=ISRG Root X1，O=Internet Security Research Group，C=US

LuxTrust​

CN=LuxTrust Global Root，O=LuxTrust s.a.，C=LU

QuoVadis 有限公司​

CN=QuoVadis 根证书认证机构，OU=根证书认证机构，O=QuoVadis 有限公司，C=BM

CN=QuoVadis 根 CA 1 G3，O=QuoVadis 有限公司，C=BM

CN=QuoVadis 根 CA 2，O=QuoVadis 有限公司，C=BM

CN=QuoVadis 根 CA 2 G3，O=QuoVadis 有限公司，C=BM

CN=QuoVadis 根 CA 3，O=QuoVadis 有限公司，C=BM

CN=QuoVadis 根 CA 3 G3，O=QuoVadis 有限公司，C=BM

Secom 信任系统​

OU=Security Communication RootCA1，O=SECOM Trust.net，C=JP

OU=Security Communication RootCA2，O="SECOM Trust Systems CO.,LTD."，C=JP

OU=Security Communication EV RootCA1，O="SECOM Trust Systems CO.,LTD."，C=JP

SwissSign AG​

CN=SwissSign Gold CA - G2，O=SwissSign AG，C=CH

CN=SwissSign Platinum CA - G2，O=SwissSign AG，C=CH

CN=SwissSign Silver CA - G2，O=SwissSign AG，C=CH

Telia​

CN=Sonera Class2 CA，O=Sonera，C=FI

Trustwave​

CN=SecureTrust CA，O=SecureTrust Corporation，C=US

CN=XRamp Global Certification Authority，O=XRamp Security Services Inc，OU=www.xrampsecurity.com，C=US

测试​

将创建测试来通过验证每个根证书的 SHA-256 指纹以确认 cacerts 密钥库的完整性。如果可行，还将编写测试来验证由这些 CA 签发的、能够追溯到所包含根证书的测试证书。将添加额外的测试以确保依赖于根证书的安全组件在 OpenJDK 构建版本中开箱即用，无需任何额外配置。