ca-certificates-java: convert PKCS12 cacerts keystore to JKS
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ca-certificates-java (Debian) |
Fix Released
|
Unknown
|
|||
ca-certificates-java (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Bionic |
Fix Released
|
High
|
Unassigned |
Bug Description
[Impact]
Any user already affected by the issue described in bug 1739631 won't benefit from the fix as that fix only prevents the issue from happening in new installs.
[Cause]
Same as described in bug 1739631 and copied here.
The ca-certificate-java version 20170930 (or earlier) used the default keystore to create /etc/ssl/
type.
From openjdk-9 upwards the default keystore type changed from 'jks' to 'pkcs12' [1] by means of JEP 229 [2]. A JKS keystore can be read without supplying a password (or by supplying an empty one) while a PKCS12 keystore requires a password to be set.
Thus a /etc/ssl/
Ubuntu does *not* set the javax.net.
thus any user that got a cacerts generated in JKCS12 won't be able
to use any secure connections from java.
[Test Case]
Start on a new bionic install/chroot without openjdk
1. Install openjdk-11
$ sudo apt-get install openjdk-11-jdk
2. Test the keystore with an empty password (optional) and make sure it is a PKCS12
$ keytool -list -cacerts
Enter keystore password: <leave empty>
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 0 entries
3. Test with the "changeit" password
$ keytool -list -cacerts
Enter keystore password: changeit
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 133 entries
<snipped various certs>
4. Create the java test file
$ cat <<EOF >HttpsTester.java
import java.net.URL;
import javax.net.
public class HttpsTester {
public static void main(String[] args) throws java.io.IOException {
HttpsURLConnection connection = (HttpsURLConnec
System.
System.
}
}
EOF
5. Compile it
$ javac HttpsTester.java
6. Call it
$ /usr/lib/
7. Call it again, this time set the store password
$ /usr/lib/
-Djavax.
Response code: 200
It worked!
8. Install the newer ca-certificates
migrate cacerts from PKCS12 to JKS. Check that by running step #2
again
$ keytool -list -cacerts
Enter keystore password: <leave empty>
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 133 entries
<snipped various certs>
9. The old keystore should be saved in
/etc/ssl/
$ keytool -list -keystore /etc/ssl/
Enter keystore password: <leave empty>
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 0 entries
[Regression Potential]
* If a user has manually set his own JKCS12 cacerts and didn't update
/etc/default/
of "cacerts_
/etc/ssl/
[Other Info]
The cacerts keystore fix is related to 2 bugs:
1) bug #1739631, fixed by ca-certificates
[References]
[1] The default keystore is defined by the keystore.type in the
/etc/java-
http://
[2] JEP 229: Create PKCS12 Keystores by Default
http://
[Original bug description]
The fix for Debian #894979 and Ubuntu bug #1739631 which updated ca-certificates
JKS keystores by default - instead OpenJDK's 9+ default of PKCS12 - only fixes new installs.
Any user already affected by that issue won't benefit from the fix, as the file /etc/ssl/
'update-
Changed in ca-certificates-java (Debian): | |
status: | Unknown → New |
Changed in ca-certificates-java (Ubuntu): | |
importance: | Undecided → High |
Changed in ca-certificates-java (Ubuntu Bionic): | |
importance: | Undecided → High |
status: | New → Triaged |
Changed in ca-certificates-java (Ubuntu): | |
status: | Confirmed → Triaged |
Changed in ca-certificates-java (Ubuntu): | |
status: | Triaged → In Progress |
status: | In Progress → Fix Committed |
Changed in ca-certificates-java (Debian): | |
status: | New → Fix Released |
description: | updated |
tags: |
added: verification-done-bionic removed: verification-needed verification-needed-bionic |
The attached patch fixes this behavior by:
1) Detecting if a PKCS12 cacert exists
2) Converting it to JKS and saving it to cacerts.dpkg-new
Finally, if, and only if, 'cacerts_updates' is set to 'yes': certs/java/ cacerts.
3) Moving the old PKCS12 cacerts to a cacerts.dpkg-old and the dpkg-new into /etc/ssl/
Additionally, this the proposed debdiff also takes care of only setting JAVA_HOME if a jvm is found. Previously if none of the the jvms in the list were found the last one jvm was used - although that didn't cause any unexpected errors, it was wrong.