Bug#898678: ca-certificates-java: convert PKCS12 cacerts keystore to JKS
Tiago Stürmer Daitx
tiago.daitx at canonical.com
Tue May 15 03:25:12 BST 2018
Package: ca-certificates-java
Version: 20180413
Severity: important
Dear Maintainer,
The fix for bug #894979, which updated ca-certificates-java to generate
JKS keystores by default - instead of OpenJDK 9+'s default of PKCS12 - only
fixes new installs.
Any user already affected by that issue won't benefit from the fix, as
the file /etc/ssl/certs/java/cacerts is at most updated in place by the
jks-keystore hook. The only way to actually change it from the PKCS12
to the JKS format is to remove the cacerts file and then call
'update-ca-certificates -f' - which is also what removing and then
reinstalling the ca-certificates-java package accomplishes.
The attached patch fixes this behavior by:
1) Detecting whether the existing cacerts file is not a JKS keystore
(i.e. a PKCS12 one left behind by an earlier version)
2) Converting it to JKS and saving the result as cacerts.dpkg-new
Finally, if, and only if, 'cacerts_updates' is set to 'yes':
3) Moving the old PKCS12 cacerts to a cacerts.dpkg-old and the dpkg-new
into /etc/ssl/certs/java/cacerts.
Additionally, a few other fixes are also addressed in the debdiff:
1) Only set JAVA_HOME if a jvm is found. Previously, if none of the
jvms in the list were found, the last one in the list was used - although
that didn't cause any unexpected errors, it was wrong.
2) Avoid generating a jvm.cfg, as openjdk has its own logic for
providing a well defined default jvm.cfg in such scenarios.
3) On Ubuntu it should depend on openjdk-11-jre-headless instead
of openjdk-8.
Please review and consider applying the provided debdiff.
Regards,
Tiago Daitx
-- System Information:
Debian Release: buster/sid
APT prefers cosmic
APT policy: (500, 'cosmic'), (400, 'cosmic-proposed')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.0-20-lowlatency (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
diff -Nru ca-certificates-java-20180413/debian/changelog ca-certificates-java-20180413.1/debian/changelog
--- ca-certificates-java-20180413/debian/changelog 2018-04-13 09:15:39.000000000 -0300
+++ ca-certificates-java-20180413.1/debian/changelog 2018-05-14 23:16:43.000000000 -0300
@@ -1,3 +1,18 @@
+ca-certificates-java (20180413.1) unstable; urgency=medium
+
+ [ Tiago Stürmer Daitx ]
+ * debian/jks-keystore.hook.in: Don't create a jvm-*.cfg file, a default file
+ with the right configuration is already supplied by the openjdk packages.
+ * debian/jks-keystore.hook.in, debian/postinst.in: Only export JAVA_HOME
+ and update PATH if a known jvm was found.
+ * debian/postinst.in: Detect PKCS12 cacert keystore generated by
+ previous ca-certificates-java and convert them to JKS.
+
+ [ Matthias Klose ]
+ * Explicitly depend on openjdk-11-jre-headless, needed to configure.
+
+ -- Tiago Stürmer Daitx <tiago.daitx at ubuntu.com> Tue, 15 May 2018 02:16:43 +0000
+
ca-certificates-java (20180413) unstable; urgency=medium
* Team upload.
diff -Nru ca-certificates-java-20180413/debian/jks-keystore.hook.in ca-certificates-java-20180413.1/debian/jks-keystore.hook.in
--- ca-certificates-java-20180413/debian/jks-keystore.hook.in 2018-04-13 09:02:14.000000000 -0300
+++ ca-certificates-java-20180413.1/debian/jks-keystore.hook.in 2018-05-14 23:16:43.000000000 -0300
@@ -45,20 +45,12 @@
oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
java-11-openjdk-$arch java-11-openjdk \
oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do
-if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+ if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+ export JAVA_HOME=/usr/lib/jvm/$jvm
+ PATH=$JAVA_HOME/bin:$PATH
break
-fi
+ fi
done
-export JAVA_HOME=/usr/lib/jvm/$jvm
-PATH=$JAVA_HOME/bin:$PATH
-
-temp_jvm_cfg=
-if [ ! -f /etc/${jvm%-$arch}/jvm-$arch.cfg ]; then
- # the jre is not yet configured, but jvm.cfg is needed to run it
- temp_jvm_cfg=/etc/${jvm%-$arch}/jvm-$arch.cfg
- mkdir -p /etc/${jvm%-$arch}
- printf -- "-server KNOWN\n" > $temp_jvm_cfg
-fi
if dpkg-query --version >/dev/null; then
nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
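Review bot: After the rewritten loop on L75-L81 nothing handles the case where none of the listed JVMs is installed: JAVA_HOME is now left as whatever the environment had and PATH is unchanged, so the hook continues into the dpkg-query/nss section and will presumably fail later with an opaque `keytool: not found` (or worse, silently use a stale inherited JAVA_HOME) instead of a clear diagnostic. The `for jvm in ...` statement this loop belongs to starts before the hunk. Consider adding, right after `done`, `if [ -z "$JAVA_HOME" ] || [ ! -x "$JAVA_HOME/bin/keytool" ]; then echo >&2 "jks-keystore hook: no supported JVM found under /usr/lib/jvm"; exit 1; fi`, and initialise `JAVA_HOME=` before the loop so an inherited value cannot satisfy the check. I cannot tell from this hunk whether a non-zero exit is the failure mode update-ca-certificates expects from a hook, so the exit status should be checked against the hook's existing error handling.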
diff -Nru ca-certificates-java-20180413/debian/postinst.in ca-certificates-java-20180413.1/debian/postinst.in
--- ca-certificates-java-20180413/debian/postinst.in 2018-04-13 09:03:15.000000000 -0300
+++ ca-certificates-java-20180413.1/debian/postinst.in 2018-05-14 23:16:43.000000000 -0300
@@ -35,12 +35,50 @@
oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
java-11-openjdk-$arch java-11-openjdk \
oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do
- if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
- break
+ if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+ export JAVA_HOME=/usr/lib/jvm/$jvm
+ PATH=$JAVA_HOME/bin:$PATH
+ break
fi
done
- export JAVA_HOME=/usr/lib/jvm/$jvm
- PATH=$JAVA_HOME/bin:$PATH
+}
+
+check_proc()
+{
+ if ! mountpoint -q /proc; then
+ echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+ exit 1
+ fi
+}
+
+convert_pkcs12_keystore_to_jks()
+{
+ if ! keytool -importkeystore \
+ -srckeystore /etc/ssl/certs/java/cacerts \
+ -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
+ -srcstoretype PKCS12 \
+ -deststoretype JKS \
+ -srcstorepass "$storepass" \
+ -deststorepass "$storepass" \
+ -noprompt; then
+ echo "failed to convert PKCS12 keystore to JKS" >&2
+ exit 1
+ fi
+
+ # only update if /etc/default/cacerts allows
+ if [ "$cacerts_updates" = "yes" ]; then
+ mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
+ mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts
+ fi
+}
+
+do_cleanup()
+{
+ [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
+ if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
+ then
+ rm -f $nssjdk/libnss3.so
+ fi
}
first_install()
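Review bot: `convert_pkcs12_keystore_to_jks` passes the keystore password on the keytool command line via `-srcstorepass "$storepass"` and `-deststorepass "$storepass"` (L128-L129), so it is readable by any local user through `ps` or `/proc/<pid>/cmdline` while the conversion runs. The default password is the well-known `changeit`, but `$storepass` appears to be configurable from /etc/default/cacerts (the file the L135 comment refers to), in which case a site-specific secret is exposed; keytool accepts the `:env` modifier on its password options, so `CACERTS_STOREPASS="$storepass" keytool -importkeystore ... -srcstorepass:env CACERTS_STOREPASS -deststorepass:env CACERTS_STOREPASS ...` avoids the leak. Separately, when `cacerts_updates` is not `yes` the function still leaves the converted `cacerts.dpkg-new` next to the live keystore and never removes it; either return before calling keytool in that case or add `else rm -f /etc/ssl/certs/java/cacerts.dpkg-new` to the L136 test. `setup_path`'s loop (whose function header is above the hunk) also no longer guarantees JAVA_HOME/PATH are set when no listed JVM exists, so the `keytool` invocation here may fail with an unhelpful "not found" rather than a message naming the missing JVM.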
@@ -74,15 +112,6 @@
echo "done."
}
-do_cleanup()
-{
- [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
- if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
- then
- rm -f $nssjdk/libnss3.so
- fi
-}
-
case "$1" in
configure)
if dpkg --compare-versions "$2" lt "20110912ubuntu6"; then
@@ -91,14 +120,18 @@
cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
fi
fi
- if [ -z "$2" -o -n "$FIXOLD" ]; then
- setup_path
- if ! mountpoint -q /proc; then
- echo >&2 "the keytool command requires a mounted proc fs (/proc)."
- exit 1
- fi
+ setup_path
+ if dpkg --compare-versions "$2" lt "20180413"; then
+ if [ -e /etc/ssl/certs/java/cacerts \
+ -a "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then
+ check_proc
+ convert_pkcs12_keystore_to_jks
+ fi
+ fi
+ if [ -z "$2" -o -n "$FIXOLD" ]; then
+ check_proc
trap do_cleanup EXIT
first_install
fi
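Review bot: The magic-number test on L179 compares against `$(echo -en '\xfe\xed\xfe\xed')`, but `echo -e` and `\x` hex escapes are not POSIX and are not honoured by dash, which is /bin/sh on Debian and Ubuntu (the report itself lists `/bin/sh linked to /bin/dash`); if postinst.in runs under `#!/bin/sh` the substitution yields a literal string, the inequality is always true, and every upgrade from a pre-20180413 version feeds an already-JKS cacerts to keytool as PKCS12, which exits 1 and leaves the package unconfigured. Use the POSIX octal form and drop the deprecated `-a`: `if [ -e /etc/ssl/certs/java/cacerts ] && [ "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(printf '\376\355\376\355')" ]; then`. Note also that this heuristic classifies any non-JKS file, including an empty or corrupt cacerts, as PKCS12 and then hard-fails configure on conversion; the failure message in `convert_pkcs12_keystore_to_jks` should at least tell the admin how to recover (remove the file and run `update-ca-certificates -f`). The `configure)` arm containing this code starts before the hunk and continues after it.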
diff -Nru ca-certificates-java-20180413/debian/rules ca-certificates-java-20180413.1/debian/rules
--- ca-certificates-java-20180413/debian/rules 2018-04-13 08:54:35.000000000 -0300
+++ ca-certificates-java-20180413.1/debian/rules 2018-05-14 23:16:23.000000000 -0300
@@ -6,7 +6,7 @@
ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)
SUBSTVARS = -Vnss:Depends="libnss3 (>= 3.12.9+ckbi-1.82-0ubuntu3~)" \
- -Vjre:Depends="openjdk-8-jre-headless"
+ -Vjre:Depends="openjdk-11-jre-headless"
nss_lib = libnss3
else
SUBSTVARS = -Vnss:Depends="libnss3 (>= 3.12.10-2~)" \