Unable to install ca-certificates-java (20220719) on machine with PKCS12 keystore

Bug #1999103 reported by Vladimir Petko
This bug affects 2 people
Affects: ca-certificates-java (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10

$ apt-cache policy ca-certificates-java
ca-certificates-java:
  Installed: 20220719
  Candidate: 20220719

Steps to reproduce:
`sudo apt install openjdk-19-jre`

Expected: install succeeds
Actual result:
`
sudo apt install openjdk-19-jre
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  ca-certificates-java fonts-dejavu-extra java-common libatk-wrapper-java
  libatk-wrapper-java-jni openjdk-19-jre-headless
Suggested packages:
  default-jre fonts-ipafont-gothic fonts-ipafont-mincho fonts-wqy-microhei
  | fonts-wqy-zenhei
The following NEW packages will be installed:
  ca-certificates-java fonts-dejavu-extra java-common libatk-wrapper-java
  libatk-wrapper-java-jni openjdk-19-jre openjdk-19-jre-headless
0 upgraded, 7 newly installed, 0 to remove and 49 not upgraded.
Need to get 52.4 MB of archives.
After this operation, 212 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://nz.archive.ubuntu.com/ubuntu kinetic/main amd64 ca-certificates-java all 20220719 [12.4 kB]
Get:2 http://nz.archive.ubuntu.com/ubuntu kinetic/main amd64 fonts-dejavu-extra all 2.37-2build1 [2,041 kB]
Get:3 http://nz.archive.ubuntu.com/ubuntu kinetic/main amd64 java-common all 0.72build2 [6,782 B]
Get:4 http://nz.archive.ubuntu.com/ubuntu kinetic/main amd64 libatk-wrapper-java all 0.40.0-2 [53.1 kB]
Get:5 http://nz.archive.ubuntu.com/ubuntu kinetic/main amd64 libatk-wrapper-java-jni amd64 0.40.0-2 [48.6 kB]
Get:6 http://nz.archive.ubuntu.com/ubuntu kinetic-updates/universe amd64 openjdk-19-jre-headless amd64 19.0.1+10-1 [50.1 MB]
Get:7 http://nz.archive.ubuntu.com/ubuntu kinetic-updates/universe amd64 openjdk-19-jre amd64 19.0.1+10-1 [180 kB]
Fetched 52.4 MB in 1s (36.9 MB/s)
Selecting previously unselected package ca-certificates-java.
(Reading database ... 196473 files and directories currently installed.)
Preparing to unpack .../0-ca-certificates-java_20220719_all.deb ...
Unpacking ca-certificates-java (20220719) ...
Selecting previously unselected package fonts-dejavu-extra.
Preparing to unpack .../1-fonts-dejavu-extra_2.37-2build1_all.deb ...
Unpacking fonts-dejavu-extra (2.37-2build1) ...
Selecting previously unselected package java-common.
Preparing to unpack .../2-java-common_0.72build2_all.deb ...
Unpacking java-common (0.72build2) ...
Selecting previously unselected package libatk-wrapper-java.
Preparing to unpack .../3-libatk-wrapper-java_0.40.0-2_all.deb ...
Unpacking libatk-wrapper-java (0.40.0-2) ...
Selecting previously unselected package libatk-wrapper-java-jni:amd64.
Preparing to unpack .../4-libatk-wrapper-java-jni_0.40.0-2_amd64.deb ...
Unpacking libatk-wrapper-java-jni:amd64 (0.40.0-2) ...
Selecting previously unselected package openjdk-19-jre-headless:amd64.
Preparing to unpack .../5-openjdk-19-jre-headless_19.0.1+10-1_amd64.deb ...
Unpacking openjdk-19-jre-headless:amd64 (19.0.1+10-1) ...
Selecting previously unselected package openjdk-19-jre:amd64.
Preparing to unpack .../6-openjdk-19-jre_19.0.1+10-1_amd64.deb ...
Unpacking openjdk-19-jre:amd64 (19.0.1+10-1) ...
Setting up java-common (0.72build2) ...
Setting up fonts-dejavu-extra (2.37-2build1) ...
Setting up libatk-wrapper-java (0.40.0-2) ...
Setting up ca-certificates-java (20220719) ...
Exception in thread "main" java.lang.ExceptionInInitializerError
 at java.base/javax.crypto.Cipher.getInstance(Cipher.java:548)
 at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineLoad$1(PKCS12KeyStore.java:2136)
 at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
 at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2134)
 at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
 at java.base/java.security.KeyStore.load(KeyStore.java:1502)
 at java.base/java.security.KeyStore.getInstance(KeyStore.java:1828)
 at java.base/java.security.KeyStore.getInstance(KeyStore.java:1710)
 at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:944)
 at java.base/sun.security.tools.keytool.Main.run(Main.java:420)
 at java.base/sun.security.tools.keytool.Main.main(Main.java:413)
Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism
 at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:119)
 ... 11 more
Caused by: java.lang.SecurityException: Couldn't parse jurisdiction policy files in: unlimited
 at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:364)
 at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:110)
 at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:107)
 at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
 at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:106)
 ... 11 more
org.debian.security.InvalidKeystorePasswordException: Cannot open Java keystore. Is the password correct?
 at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:68)
 at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:52)
 at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
 at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
Caused by: java.io.IOException: Invalid keystore format
 at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:688)
 at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
 at java.base/java.security.KeyStore.load(KeyStore.java:1502)
 at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:66)
 ... 3 more
dpkg: error processing package ca-certificates-java (--configure):
 installed ca-certificates-java package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of openjdk-19-jre-headless:amd64:
 openjdk-19-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); however:
  Package ca-certificates-java is not configured yet.

dpkg: error processing package openjdk-19-jre-headless:amd64 (--configure):
 dependency problems - leaving unconfigured
Setting up libatk-wrapper-java-jni:amd64 (0.40.0-2) ...
No apport report written because the error message indicates its a followup error from a previous failure.
dpkg: dependency problems prevent configuration of openjdk-19-jre:amd64:
 openjdk-19-jre:amd64 depends on openjdk-19-jre-headless (= 19.0.1+10-1); however:
  Package openjdk-19-jre-headless:amd64 is not configured yet.

dpkg: error processing package openjdk-19-jre:amd64 (--configure):
 dependency problems - leaving unconfigured
Processing triggers for fontconfig (2.13.1-4.4ubuntu1) ...
No apport report written because the error message indicates its a followup error from a previous failure.
Processing triggers for desktop-file-utils (0.26-1ubuntu4) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1ubuntu3) ...
Processing triggers for man-db (2.10.2-2) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Errors were encountered while processing:
 ca-certificates-java
 openjdk-19-jre-headless:amd64
 openjdk-19-jre:amd64
E: Sub-process /usr/bin/dpkg returned an error code (1)
`

Same applies for openjdk-11:

`
 sudo apt install openjdk-11-jre
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  openjdk-11-jre-headless
Suggested packages:
  fonts-ipafont-gothic fonts-ipafont-mincho fonts-wqy-microhei
  | fonts-wqy-zenhei
The following NEW packages will be installed:
  openjdk-11-jre openjdk-11-jre-headless
0 upgraded, 2 newly installed, 0 to remove and 49 not upgraded.
3 not fully installed or removed.
Need to get 41.5 MB of archives.
After this operation, 172 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://nz.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 openjdk-11-jre-headless amd64 11.0.17+8-1ubuntu2 [41.3 MB]
Get:2 http://nz.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 openjdk-11-jre amd64 11.0.17+8-1ubuntu2 [189 kB]
Fetched 41.5 MB in 6s (6,627 kB/s)
Selecting previously unselected package openjdk-11-jre-headless:amd64.
(Reading database ... 196855 files and directories currently installed.)
Preparing to unpack .../openjdk-11-jre-headless_11.0.17+8-1ubuntu2_amd64.deb ...
Unpacking openjdk-11-jre-headless:amd64 (11.0.17+8-1ubuntu2) ...
Selecting previously unselected package openjdk-11-jre:amd64.
Preparing to unpack .../openjdk-11-jre_11.0.17+8-1ubuntu2_amd64.deb ...
Unpacking openjdk-11-jre:amd64 (11.0.17+8-1ubuntu2) ...
Setting up ca-certificates-java (20220719) ...
Exception in thread "main" java.lang.ExceptionInInitializerError
 at java.base/javax.crypto.SecretKeyFactory.nextSpi(SecretKeyFactory.java:303)
 at java.base/javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:121)
 at java.base/javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:168)
 at java.base/sun.security.pkcs12.PKCS12KeyStore.getPBEKey(PKCS12KeyStore.java:853)
 at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineLoad$1(PKCS12KeyStore.java:2108)
 at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:276)
 at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2106)
 at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
 at java.base/java.security.KeyStore.load(KeyStore.java:1479)
 at java.base/java.security.KeyStore.getInstance(KeyStore.java:1807)
 at java.base/java.security.KeyStore.getInstance(KeyStore.java:1687)
 at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:928)
 at java.base/sun.security.tools.keytool.Main.run(Main.java:412)
 at java.base/sun.security.tools.keytool.Main.main(Main.java:405)
Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism
 at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:120)
 ... 14 more
Caused by: java.lang.SecurityException: Couldn't parse jurisdiction policy files in: unlimited
 at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:357)
 at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:111)
 at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:108)
 at java.base/java.security.AccessController.doPrivileged(Native Method)
 at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:107)
 ... 14 more
org.debian.security.InvalidKeystorePasswordException: Cannot open Java keystore. Is the password correct?
 at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:68)
 at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:52)
 at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
 at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
Caused by: java.io.IOException: Invalid keystore format
 at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:670)
 at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
 at java.base/java.security.KeyStore.load(KeyStore.java:1479)
 at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:66)
 ... 3 more
dpkg: error processing package ca-certificates-java (--configure):
 installed ca-certificates-java package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of openjdk-19-jre-headless:amd64:
 openjdk-19-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); however:
  Package ca-certificates-java is not configured yet.

dpkg: error processing package openjdk-19-jre-headless:amd64 (--configure):
 dependency problems - leaving unconfigured
No apport report written because the error message indicates its a followup error from a previous failure.
dpkg: dependency problems prevent configuration of openjdk-11-jre-headless:amd64:
 openjdk-11-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); however:
  Package ca-certificates-java is not configured yet.

dpkg: error processing package openjdk-11-jre-headless:amd64 (--configure):
 dependency problems - leaving unconfigured
No apport report written because the error message indicates its a followup error from a previous failure.
dpkg: dependency problems prevent configuration of openjdk-11-jre:amd64:
 openjdk-11-jre:amd64 depends on openjdk-11-jre-headless (= 11.0.17+8-1ubuntu2); however:
  Package openjdk-11-jre-headless:amd64 is not configured yet.

dpkg: error processing package openjdk-11-jre:amd64 (--configure):
 dependency problems - leaving unconfigured
No apport report written because MaxReports is reached already
dpkg: dependency problems prevent configuration of openjdk-19-jre:amd64:
 openjdk-19-jre:amd64 depends on openjdk-19-jre-headless (= 19.0.1+10-1); however:
  Package openjdk-19-jre-headless:amd64 is not configured yet.

dpkg: error processing package openjdk-19-jre:amd64 (--configure):
 dependency problems - leaving unconfigured
No apport report written because MaxReports is reached already
Processing triggers for desktop-file-utils (0.26-1ubuntu4) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1ubuntu3) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Errors were encountered while processing:
 ca-certificates-java
 openjdk-19-jre-headless:amd64
 openjdk-11-jre-headless:amd64
 openjdk-11-jre:amd64
 openjdk-19-jre:amd64
E: Sub-process /usr/bin/dpkg returned an error code (1)
`

Vladimir Petko (vpa1977) wrote :

Probable root cause:
 - package attempts to run keytool before jdk is configured and thus jdk is missing configuration
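
A read-only check for the condition described in the comment above, as an added example that is not part of the original report or of the package's scripts: it identifies the keystore format from its leading bytes and shows whether dpkg has configured the JRE packages yet. The cacerts path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: inspect the state the report describes.
# Keystore magic numbers: JKS 0xFEEDFEED, JCEKS 0xCECECECE. A PKCS12 file is
# DER-encoded, so it starts with the SEQUENCE tag 0x30 (a heuristic only:
# any DER structure starts that way).

# Assumption: standard Debian/Ubuntu location of the Java trust store.
CACERTS=${CACERTS:-/etc/ssl/certs/java/cacerts}

keystore_format() {   # $1: path; prints jks|jceks|pkcs12|empty|unknown|missing
    [ -e "$1" ] || { echo missing; return 0; }
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo jks ;;
        cececece) echo jceks ;;
        30*)      echo pkcs12 ;;
        "")       echo empty ;;
        *)        echo unknown ;;
    esac
}

pkg_status() {        # $1: package name; prints dpkg's ${Status} field
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null
}

is_configured() {     # $1: a ${Status} string; true only once postinst has run
    [ "$1" = "install ok installed" ]
}

check_host() {        # $@: JRE packages to check alongside ca-certificates-java
    printf '%s: %s\n' "$CACERTS" "$(keystore_format "$CACERTS")"
    for pkg in ca-certificates-java "$@"; do
        st=$(pkg_status "$pkg") || st="not installed"
        if is_configured "$st"; then note="configured"; else note="NOT configured"; fi
        printf '%s: %s (%s)\n' "$pkg" "$st" "$note"
    done
}

# Run the check only when asked, e.g.: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host openjdk-19-jre-headless openjdk-11-jre-headless
fi
```

The JKS loader raises "Invalid keystore format" when a file does not begin with the JKS magic number, which is the final cause shown in both traces.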

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates-java (Ubuntu):
status: New → Confirmed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates-java - 20230103ubuntu1

---------------
ca-certificates-java (20230103ubuntu1) lunar; urgency=medium

  * Resolve circular JRE dependency (LP: #2003750, LP: #1999103, LP: #2004061)
    - debian/ca-certificates-java.postinst: remove setup_path from "configure"
      stage.
    - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
      not found. Certificates are refreshed only in response to the trigger
      activated by OpenJDK packages.
    - debian/ca-certificates-java.postinst: fix cacert enumeration command for
      Java 8.
    - debian/control: remove JRE dependency.
    - debian/control: add Breaks condition.
    - debian/tests: add smoke tests.
    - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
      explicitly declare triggers as -await.

 -- Vladimir Petko <email address hidden> Wed, 01 Mar 2023 13:31:58 +1300

Changed in ca-certificates-java (Ubuntu):
status: Confirmed → Fix Released

tom (tmassimi) wrote :

Is it possible to have a backport to 22.10?

https://packages.ubuntu.com/search?keywords=ca-certificates-java

kinetic (22.10) (misc): Common CA certificates (JKS keystore)
20220719: all
lunar (misc): Common CA certificates (JKS keystore)
20230103ubuntu1: all

Vladimir Petko (vpa1977) wrote :

I will try to do an SRU for the ca-certificates-java changes after the Java security release, as all OpenJDK packages need to be updated before backporting the ca-certificates-java changes.
