Bug#922981: ca-certificates-java: "update-ca-certificates -f" doesn't update "/etc/ssl/certs/java/cacerts"
Andreas Beckmann
anbe at debian.org
Wed Jan 20 00:20:18 GMT 2021
Followup-For: Bug #922981
Control: found -1 20110425
Control: severity -1 serious
Control: retitle -1 ca-certificates-java: /etc/ca-certificates/update.d/jks-keystore doesn't update /etc/ssl/certs/java/cacerts
Control: tag -1 security patch
Control: block 929685 with -1
The jks-keystore hook script has never worked, at least since
UpdateCertificates.java was added in 20110425. UpdateCertificates expects
certificates (files or aliases) prefixed with '+' or '-' on stdin as
add/remove actions, but the hook script does not supply anything (while
the postinst does).
Even running the hook after /etc/ssl/certs/java/cacerts got deleted will
only create an empty keystore.
Only on initial installation (not upgrades), the postinst will populate
the keystore with the certificates in /etc/ssl/certs at that point in time.
The attached patch fixes this by adding new certificates and removing gone
certificates. It does not cover the case where a certificate needs to be
refreshed since its content but not its name has changed. Or is this only
a theoretical possibility?
Andreas
installing ca-certificates/sid on bullseye with patched ca-certificates-java:
Preconfiguring packages ...
(Reading database ... 15445 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20210119_all.deb ...
Unpacking ca-certificates (20210119) over (20200601) ...
Setting up ca-certificates (20210119) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.)
debconf: falling back to frontend: Readline
Updating certificates in /etc/ssl/certs...
8 added, 7 removed; done.
Processing triggers for ca-certificates (20210119) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Removing debian:ee_certification_centre_root_ca.pem
Removing debian:geotrust_universal_ca_2.pem
Removing debian:luxtrust_global_root_2.pem
Removing debian:oiste_wisekey_global_root_ga_ca.pem
Removing debian:staat_der_nederlanden_root_ca_-_g2.pem
Removing debian:taiwan_grca.pem
Removing debian:verisign_class_3_public_primary_certification_authority_-_g3.pem
Adding debian:certSIGN_Root_CA_G2.pem
Adding debian:e-Szigno_Root_CA_2017.pem
Adding debian:Microsoft_ECC_Root_Certificate_Authority_2017.pem
Adding debian:Microsoft_RSA_Root_Certificate_Authority_2017.pem
Adding debian:NAVER_Global_Root_Certification_Authority.pem
Adding debian:Trustwave_Global_Certification_Authority.pem
Adding debian:Trustwave_Global_ECC_P256_Certification_Authority.pem
Adding debian:Trustwave_Global_ECC_P384_Certification_Authority.pem
done.
done.
-------------- next part --------------
From ad180a53e2b32c8a6303ca05adcb32e0bc0a44cc Mon Sep 17 00:00:00 2001
From: Andreas Beckmann <anbe at debian.org>
Date: Wed, 20 Jan 2021 00:32:27 +0100
Subject: [PATCH] fix the hook script to actually update
/etc/ssl/certs/java/cacerts
---
debian/changelog | 8 +++++++
debian/jks-keystore.hook | 50 ++++++++++++++++++++++++++++++++++++++--
2 files changed, 56 insertions(+), 2 deletions(-)
mode change 100644 => 100755 debian/jks-keystore.hook
diff --git a/debian/changelog b/debian/changelog
index e35274e..2b5cf18 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ca-certificates-java (20210119) UNRELEASED; urgency=medium
+
+ * Actually update /etc/ssl/certs/java/cacerts by having the jks-keystore
+ hook script supply add/remove actions to ca-certificates-java.jar on
+ stdin. (Closes: #922981)
+
+ -- Andreas Beckmann <anbe at debian.org> Tue, 19 Jan 2021 23:57:51 +0100
+
ca-certificates-java (20190909) unstable; urgency=medium
* Team upload.
diff --git a/debian/jks-keystore.hook b/debian/jks-keystore.hook
old mode 100644
new mode 100755
index e0c3445..94e03a1
--- a/debian/jks-keystore.hook
+++ b/debian/jks-keystore.hook
@@ -48,7 +48,7 @@ for jvm in java-7-openjdk-$arch java-7-openjdk \
if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
export JAVA_HOME=/usr/lib/jvm/$jvm
PATH=$JAVA_HOME/bin:$PATH
- break
+ break
fi
done
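Review bot: the only change in this hunk, `- break` / `+ break`, is a whitespace (indentation) fix with no functional effect; it would be easier to review folded into the mode change or a separate cleanup commit rather than mixed into the functional fix.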
@@ -65,8 +65,11 @@ if dpkg-query --version >/dev/null; then
fi
fi
+actions=$(mktemp)
+
do_cleanup()
{
+ rm -f "$actions"
[ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
then
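Review bot: `actions=$(mktemp)` is neither checked nor protected by a trap: if mktemp fails `$actions` is empty and the later `< "$actions"` redirection aborts the script, and any early exit between this line and do_cleanup leaks the temp file. Suggest `actions=$(mktemp) || exit 1` followed by `trap do_cleanup EXIT`; the `rm -f "$actions"` added to do_cleanup then covers every exit path.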
@@ -79,7 +82,50 @@ do_cleanup()
fi
}
-if java -Xmx64m -jar $JAR -storepass "$storepass"; then
+# these are currently activated in /etc/ssl/certs/java/cacerts
+if [ -f /etc/ssl/certs/java/cacerts ]; then
+ isactivated=$(keytool -cacerts -storepass changeit -list -rfc | sed -n 's/^Alias name: *//ip' | tr '\n' ' ')
+else
+ isactivated=
+fi
+
+# these are currently activated in /etc/ssl/certs
+shouldactivate=$(find /etc/ssl/certs -name \*.pem | while read filename; do echo -n "debian:$(basename "$filename" | tr A-Z a-z) "; done)
+
+# remove certificates from /etc/ssl/certs/java/cacerts that are no longer in
+# /etc/ssl/certs
+for alias in $isactivated ; do
+ case " ${shouldactivate} " in
+ (*" ${alias} "*)
+ : # keep activated
+ ;;
+ (*)
+ # deactivate
+ echo "-${alias}" >> "$actions"
+ ;;
+ esac
+done
+
+# add certificates to /etc/ssl/certs/java/cacerts that newly appeared in
+# /etc/ssl/certs
+find /etc/ssl/certs -name \*.pem | sort -f | \
+while read filename; do
+ alias="debian:$(basename "$filename" | tr A-Z a-z)"
+ case " ${isactivated} " in
+ (*" ${alias} "*)
+ : # already activated
+ ;;
+ (*)
+ # activate
+ echo "+$(unknown)" >> "$actions"
+ ;;
+ esac
+done
+
+# FIXME: this does not cover the case where a certificate has changed content
+# (but not name) in /etc/ssl/certs and therefore needs to be refreshed
+
+if java -Xmx64m -jar $JAR -storepass "$storepass" < "$actions"; then
do_cleanup
else
do_cleanup
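Review bot: the add branch `echo "+$(unknown)" >> "$actions"` runs a command named `unknown` that does not exist, so every add action becomes a bare `+` line (plus an error on stderr) and nothing new ever gets imported; the action should carry the certificate file, e.g. `echo "+${filename}" >> "$actions"`, mirroring the remove branch's `-${alias}`. Second, `keytool -cacerts -storepass changeit -list -rfc` hardcodes `changeit` while the java invocation below uses `"$storepass"`; with a non-default password keytool fails, its status is swallowed by the `sed | tr` pipeline, `isactivated` comes out empty and every certificate is submitted as an add, so pass `-keystore /etc/ssl/certs/java/cacerts -storepass "$storepass"` and abort when keytool fails. Third, `-cacerts` is only understood by keytool from Java 9 on, while setup_path probes java-7 and java-8 first, and it selects the JDK's own default store rather than the path this script maintains; naming the keystore explicitly removes both problems. The FIXME could be closed by comparing the fingerprint keytool prints for each alias with `openssl x509 -fingerprint -noout -in "$filename"` and emitting a `-`/`+` pair on mismatch.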
--
2.20.1
-------------- next part --------------
From 0845cc4b752eb5225d0e24c95791faebd3fb8b78 Mon Sep 17 00:00:00 2001
From: Andreas Beckmann <anbe at debian.org>
Date: Wed, 20 Jan 2021 00:52:14 +0100
Subject: [PATCH 2/2] sync setup_path between jks-keystore.hook and postinst
---
debian/jks-keystore.hook | 50 ++++++++++++++++++++++++----------------
debian/postinst | 42 ++++++++++++---------------------
2 files changed, 45 insertions(+), 47 deletions(-)
diff --git a/debian/jks-keystore.hook b/debian/jks-keystore.hook
index 94e03a1..7bf84fe 100755
--- a/debian/jks-keystore.hook
+++ b/debian/jks-keystore.hook
@@ -24,33 +24,43 @@ nsslib_name()
fi
}
+setup_path()
+{
+ # keep in sync with debian/postinst
+ for version in 7 8 9 10 11 12 13 14 15 16 17 ; do
+ for jvm in \
+ java-${version}-openjdk-${arch} \
+ java-${version}-openjdk \
+ oracle-java${version}-jre-${arch} \
+ oracle-java${version}-server-jre-${arch} \
+ oracle-java${version}-jdk-${arch}
+ do
+ if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+ export JAVA_HOME=/usr/lib/jvm/$jvm
+ PATH=$JAVA_HOME/bin:$PATH
+ break 2
+ fi
+ done
+ done
+}
+
+check_proc()
+{
+ if ! mountpoint -q /proc; then
+ echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+ exit 1
+ fi
+}
+
echo ""
if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ] || [ ! -e $JAR ]; then
echo "updates of cacerts keystore disabled."
exit 0
fi
-if ! mountpoint -q /proc; then
- echo >&2 "the keytool command requires a mounted proc fs (/proc)."
- exit 1
-fi
+check_proc
-for jvm in java-7-openjdk-$arch java-7-openjdk \
- oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
- java-8-openjdk-$arch java-8-openjdk \
- oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
- java-9-openjdk-$arch java-9-openjdk \
- oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
- java-10-openjdk-$arch java-10-openjdk \
- oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
- java-11-openjdk-$arch java-11-openjdk \
- oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do
- if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
- export JAVA_HOME=/usr/lib/jvm/$jvm
- PATH=$JAVA_HOME/bin:$PATH
- break
- fi
-done
+setup_path
if dpkg-query --version >/dev/null; then
nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
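Review bot: setup_path takes the first executable found in ascending version order (7 first), so on a host with several JDKs the oldest one supplies the `java` and `keytool` that maintain the keystore; if that is intended a comment saying so would help, otherwise reversing the version list picks the newest. PATH is modified but only JAVA_HOME is exported; this works because the shell already exports PATH, but an explicit `export PATH` next to `export JAVA_HOME` would make the intent clear. Moving the /proc test into check_proc and the `break 2` out of the nested loop preserve the previous behaviour and search order.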
diff --git a/debian/postinst b/debian/postinst
index 555f87b..737be4c 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -25,33 +25,21 @@ nsslib_name()
setup_path()
{
- for jvm in java-7-openjdk-$arch java-7-openjdk \
- oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
- java-8-openjdk-$arch java-8-openjdk \
- oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
- java-9-openjdk-$arch java-9-openjdk \
- oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
- java-10-openjdk-$arch java-10-openjdk \
- oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
- java-11-openjdk-$arch java-11-openjdk \
- oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch \
- java-12-openjdk-$arch java-12-openjdk \
- oracle-java12-jre-$arch oracle-java12-server-jre-$arch oracle-java12-jdk-$arch \
- java-13-openjdk-$arch java-13-openjdk \
- oracle-java13-jre-$arch oracle-java13-server-jre-$arch oracle-java13-jdk-$arch \
- java-14-openjdk-$arch java-14-openjdk \
- oracle-java14-jre-$arch oracle-java14-server-jre-$arch oracle-java14-jdk-$arch \
- java-15-openjdk-$arch java-15-openjdk \
- oracle-java15-jre-$arch oracle-java15-server-jre-$arch oracle-java15-jdk-$arch \
- java-16-openjdk-$arch java-16-openjdk \
- oracle-java16-jre-$arch oracle-java16-server-jre-$arch oracle-java16-jdk-$arch \
- java-17-openjdk-$arch java-17-openjdk \
- oracle-java17-jre-$arch oracle-java17-server-jre-$arch oracle-java17-jdk-$arch; do
- if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
- export JAVA_HOME=/usr/lib/jvm/$jvm
- PATH=$JAVA_HOME/bin:$PATH
- break
- fi
+ # keep in sync with debian/jks-keystore.hook
+ for version in 7 8 9 10 11 12 13 14 15 16 17 ; do
+ for jvm in \
+ java-${version}-openjdk-${arch} \
+ java-${version}-openjdk \
+ oracle-java${version}-jre-${arch} \
+ oracle-java${version}-server-jre-${arch} \
+ oracle-java${version}-jdk-${arch}
+ do
+ if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+ export JAVA_HOME=/usr/lib/jvm/$jvm
+ PATH=$JAVA_HOME/bin:$PATH
+ break 2
+ fi
+ done
done
}
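Review bot: the loop body is now identical to the one in the hook and is held together only by the two `# keep in sync` comments; a shared snippet installed under /usr/share/ca-certificates-java/ and sourced by both postinst and the hook would remove the duplication and the risk of the lists drifting again. Otherwise the rewrite preserves the previous candidate list (7 through 17) and search order, and `break 2` leaves both loops as the old single `break` left the one loop.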
--
2.20.1
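As a defender's check to go with the report above, here is an added script (not from the bug report or the ca-certificates-java package) that reports the drift a non-working hook leaves behind: aliases still in /etc/ssl/certs/java/cacerts whose PEM is gone from /etc/ssl/certs, and PEMs that were never added. It assumes the `debian:<lowercased file name>` alias convention used in the patch and a keytool whose `-list -rfc` output carries `Alias name:` lines; the function names are mine.

```shell
#!/bin/sh
# Added drift check (not from the bug report or ca-certificates-java): compares
# the aliases held in a Java cacerts keystore with the *.pem files in a
# ca-certificates directory. Only drift_report touches keytool; parsing and
# comparison live in separate functions so they can be exercised offline.
# Assumed alias convention, taken from the hook patch: "debian:" + file name,
# lowercased (JKS aliases are case-insensitive).

# Extract one alias per line from `keytool -list -rfc` output on stdin.
aliases_from_keytool_output() {
    sed -n 's/^Alias name: *//p' | tr 'A-Z' 'a-z' | sort -u
}

# Aliases that a ca-certificates directory should map to, one per line.
aliases_from_certdir() {
    find "$1" -name '*.pem' -exec basename {} \; \
        | tr 'A-Z' 'a-z' | sed 's/^/debian:/' | sort -u
}

# compute_drift STORED EXPECTED: both are newline-separated alias lists.
# Prints "-alias" for stale keystore entries and "+alias" for missing ones,
# i.e. the +/- action format UpdateCertificates reads; nothing if in sync.
compute_drift() {
    stored_sp=$(printf '%s' "$1" | tr '\n' ' ')
    expected_sp=$(printf '%s' "$2" | tr '\n' ' ')
    for a in $1; do
        case " $expected_sp " in
            *" $a "*) ;;          # still wanted
            *) echo "-$a" ;;      # in keystore, no longer in cert dir
        esac
    done
    for a in $2; do
        case " $stored_sp " in
            *" $a "*) ;;          # already present
            *) echo "+$a" ;;      # in cert dir, missing from keystore
        esac
    done
}

# drift_report KEYSTORE CERTDIR [STOREPASS]: live check on a host, e.g.
#   drift_report /etc/ssl/certs/java/cacerts /etc/ssl/certs
# Returns 0 when in sync, 1 when drift was printed, 2 if keytool failed.
drift_report() {
    # capture keytool on its own so its exit status is not hidden by a pipe
    out=$(keytool -keystore "$1" -storepass "${3:-changeit}" -list -rfc) || return 2
    drift=$(compute_drift "$(printf '%s\n' "$out" | aliases_from_keytool_output)" \
                          "$(aliases_from_certdir "$2")")
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}
```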