Bug#1023748: ca-certificates-java: postinst script fails with OpenJDK 20: Error loading java.security file
Vladimir Petko
vladimir.petko at canonical.com
Fri Dec 9 09:28:11 GMT 2022
Dear Maintainer,
This bug is also present in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998697
This particular issue is caused by
https://github.com/openjdk/jdk/commit/1f9ff413126fb68e07b8fc1f36dd3cb17093a484
There is a change in behaviour: previously accessing java.security.Security
did not require the java.security properties file to be present, now JDK 20
requires it.
See https://bugs.openjdk.org/browse/JDK-8292297
Same behaviour applies to keytool - see exception below:
Exception in thread "main" java.lang.ExceptionInInitializerError
at java.base/javax.crypto.Cipher.getInstance(Cipher.java:548)
at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineLoad$1(PKCS
12KeyStore.java:2136)
at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12
KeyStore.java:257)
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStor
e.java:2134)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDele
gator.java:226)
at java.base/java.security.KeyStore.load(KeyStore.java:1502)
at java.base/java.security.KeyStore.getInstance(KeyStore.java:1828)
at java.base/java.security.KeyStore.getInstance(KeyStore.java:1710)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:944)
at java.base/sun.security.tools.keytool.Main.run(Main.java:420)
at java.base/sun.security.tools.keytool.Main.main(Main.java:413)
Caused by: java.lang.SecurityException: Can not initialize cryptographic
mechani
sm
at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:119)
... 11 more
Caused by: java.lang.SecurityException: Couldn't parse jurisdiction policy
files
in: unlimited
at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecur
ity.java:364)
at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:110)
at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:107)
at java.base/java.security.AccessController.doPrivileged(AccessControlle
r.java:569)
at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:106)
... 11 more
Both problems are caused by an attempt to run java before the package is
configured.
Would it be possible to discuss whether it is possible to break dependency
of ca-certificates-java on java? For example, the java application in the
package could be replaced by C++ or Python utility capable of working with
JKS.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20221209/a18220b1/attachment-0001.htm>
More information about the pkg-java-maintainers
mailing list