2018-05-15 14:07:24 |
Tiago Stürmer Daitx |
bug |
|
|
added bug |
2018-05-15 14:11:46 |
Tiago Stürmer Daitx |
attachment added |
|
ca-certificates-java_20180413ubuntu1_debdiff_20180413ubuntu2.patch https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1771363/+attachment/5139841/+files/ca-certificates-java_20180413ubuntu1_debdiff_20180413ubuntu2.patch |
|
2018-05-15 14:12:13 |
Tiago Stürmer Daitx |
tags |
|
bionic cosmic patch |
|
2018-05-15 14:13:16 |
Tiago Stürmer Daitx |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898678 |
|
2018-05-15 14:13:16 |
Tiago Stürmer Daitx |
bug task added |
|
ca-certificates-java (Debian) |
|
2018-05-15 14:18:53 |
Tiago Stürmer Daitx |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2018-05-15 14:43:18 |
Bug Watch Updater |
ca-certificates-java (Debian): status |
Unknown |
New |
|
2018-05-16 01:23:29 |
Launchpad Janitor |
ca-certificates-java (Ubuntu): status |
New |
Confirmed |
|
2018-05-17 13:33:57 |
Julian Andres Klode |
ca-certificates-java (Ubuntu): importance |
Undecided |
High |
|
2018-05-17 13:34:34 |
Julian Andres Klode |
nominated for series |
|
Ubuntu Bionic |
|
2018-05-17 13:34:34 |
Julian Andres Klode |
bug task added |
|
ca-certificates-java (Ubuntu Bionic) |
|
2018-05-17 13:34:43 |
Julian Andres Klode |
ca-certificates-java (Ubuntu Bionic): importance |
Undecided |
High |
|
2018-05-17 13:35:22 |
Julian Andres Klode |
ca-certificates-java (Ubuntu Bionic): status |
New |
Triaged |
|
2018-05-17 13:35:24 |
Julian Andres Klode |
ca-certificates-java (Ubuntu): status |
Confirmed |
Triaged |
|
2018-05-17 13:41:40 |
Julian Andres Klode |
ca-certificates-java (Ubuntu): status |
Triaged |
In Progress |
|
2018-05-17 13:41:42 |
Julian Andres Klode |
ca-certificates-java (Ubuntu): status |
In Progress |
Fix Committed |
|
2018-05-17 13:45:04 |
Tiago Stürmer Daitx |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2018-05-17 16:03:29 |
Bug Watch Updater |
ca-certificates-java (Debian): status |
New |
Fix Released |
|
2018-05-17 17:04:14 |
Launchpad Janitor |
ca-certificates-java (Ubuntu): status |
Fix Committed |
Fix Released |
|
2018-05-25 19:44:50 |
Don-vip |
bug |
|
|
added subscriber Don-vip |
2018-07-17 17:02:58 |
Tiago Stürmer Daitx |
description |
The fix for Debian #894979 and Ubuntu bug #1739631, which updated ca-certificates-java to generate
JKS keystores by default - instead of OpenJDK 9+'s default of PKCS12 - only fixes new installs.
Any user already affected by that issue won't benefit from the fix, as the file /etc/ssl/certs/java/cacerts is at most updated by the jks-keystore hook. The only way to actually change it from the PKCS12 to the JKS format is to remove the cacerts file and then call
'update-ca-certificates -f' - which is also accomplished by removing and then reinstalling the ca-certificates-java package. |
[Impact]
Any user already affected by the issue described in bug 1739631 won't benefit from the fix as that fix only prevents the issue from happening in new installs.
[Cause]
Same as described in bug 1739631 and copied here.
The ca-certificates-java version 20170930 (or earlier) used the default keystore to create /etc/ssl/certs/java/cacerts - if the file already existed its contents were just updated without changing the keystore type.
From openjdk-9 upwards the default keystore type changed from 'jks' to 'pkcs12' [1] by means of JEP 229 [2]. A JKS keystore can be read without supplying a password (or by supplying an empty one) while a PKCS12 keystore requires a password to be set.
Thus a /etc/ssl/certs/java/cacerts created in the pkcs12 format will fail to be loaded as, by default, the truststore password is empty - in order to avoid that the user must set -Djavax.net.ssl.trustStorePassword=<passwd> or define it in /etc/java-XX-openjdk/management/management.properties. A JKS keystore will work normally, as the certificates in it can be read when the truststore password is empty.
Ubuntu does *not* set the javax.net.ssl.trustStorePassword by default, thus any user that got a cacerts generated in PKCS12 won't be able to use any secure connections from java.
[Test Case]
Start on a new bionic install/chroot without openjdk
1. Install openjdk-11
$ sudo apt-get install openjdk-11-jdk
2. Test the keystore with an empty password (optional) and make sure it is a PKCS12
$ keytool -list -cacerts
Enter keystore password: <leave empty>
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 0 entries
3. Test with the "changeit" password
$ keytool -list -cacerts
Enter keystore password: changeit
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 133 entries
<snipped various certs>
4. Create the java test file
$ cat <<EOF >HttpsTester.java
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public class HttpsTester {
    public static void main(String[] args) throws java.io.IOException {
        HttpsURLConnection connection = (HttpsURLConnection) new URL("https://www.ubuntu.com").openConnection();
        System.out.println("Response code: " + connection.getResponseCode());
        System.out.println("It worked!");
    }
}
EOF
5. Compile it
$ javac HttpsTester.java
6. Call it
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/java HttpsTester
7. Call it again, this time set the store password
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/java \
-Djavax.net.ssl.trustStorePassword=changeit HttpsTester
Response code: 200
It worked!
8. Install the newer ca-certificates-java 20180516; it should migrate cacerts from PKCS12 to JKS. Check that by running step #2 again
$ keytool -list -cacerts
Enter keystore password: <leave empty>
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 133 entries
<snipped various certs>
9. The old keystore should be saved in /etc/ssl/certs/java/cacerts.dpkg-old, test that it exists:
$ keytool -list -keystore /etc/ssl/certs/java/cacerts.dpkg-old
Enter keystore password: <leave empty>
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 0 entries
[Regression Potential]
* If a user has manually set his own PKCS12 cacerts and didn't update /etc/default/cacerts to set "cacerts_updates=no" (from the default of "cacerts_updates=yes") then his custom cacerts will be converted and overwritten. Still, a copy of the previous cacerts is kept at /etc/ssl/certs/java/cacerts.dpkg-old.
[Other Info]
The cacerts keystore fix is related to 2 bugs:
1) bug #1739631, fixed by ca-certificates-java-20180413, which changed the default keystore type generated by ca-certificates-java to JKS
[References]
[1] The default keystore is defined by the keystore.type in the
/etc/java-XX-openjdk/security/java.security file.
http://hg.openjdk.java.net/jdk-updates/jdk9u/jdk/annotate/46bd35a597eb/src/java.base/share/conf/security/java.security#l186
[2] JEP 229: Create PKCS12 Keystores by Default
http://openjdk.java.net/jeps/229
[Original bug description]
The fix for Debian #894979 and Ubuntu bug #1739631, which updated ca-certificates-java to generate
JKS keystores by default - instead of OpenJDK 9+'s default of PKCS12 - only fixes new installs.
Any user already affected by that issue won't benefit from the fix, as the file /etc/ssl/certs/java/cacerts is at most updated by the jks-keystore hook. The only way to actually change it from the PKCS12 to the JKS format is to remove the cacerts file and then call
'update-ca-certificates -f' - which is also accomplished by removing and then reinstalling the ca-certificates-java package. |
|
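As an added example, not part of the bug report or of the ca-certificates-java package, the following Python script performs the checks from the test case above without keytool: it classifies a cacerts file as JKS or PKCS12 by its leading bytes, lists a JKS store's trusted-certificate aliases with no password at all (the property the [Cause] section relies on), and, when given a password, verifies the JKS integrity digest that keytool reports as unverified when the prompt is left empty. The JKS layout and digest construction follow OpenJDK's sun.security.provider.JavaKeyStore; the sample keystore is constructed inside the script with placeholder certificate bytes, and the "debian:" aliases are assumed names.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # constant keyed into the digest by sun.security.provider.JavaKeyStore

def keystore_format(data):
    """Classify a cacerts file by its first bytes: JKS has a magic number, PKCS12 is DER (a SEQUENCE)."""
    if data[:4] == struct.pack(">I", JKS_MAGIC):
        return "JKS"
    if data[:1] == b"\x30":
        return "PKCS12"
    return "unknown"

def _jks_digest(password, body):
    # JKS integrity digest = SHA-1(password as UTF-16BE || "Mighty Aphrodite" || everything before the digest)
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()

def parse_jks(data, password=None):
    """List trusted-cert aliases (no password needed to read them); with a password, also check the digest."""
    magic, version, count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS keystore")
    pos, aliases = 12, []
    for _ in range(count):
        tag, alen = struct.unpack(">IH", data[pos:pos + 6]); pos += 6
        aliases.append(data[pos:pos + alen].decode("utf-8")); pos += alen + 8  # alias, then 8-byte creation time
        if tag != 2:  # 1 = private-key entry; cacerts only holds trusted-certificate entries (tag 2)
            raise ValueError("private-key entries are not handled by this example")
        tlen = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2 + tlen  # certificate type string, e.g. "X.509"
        clen = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4 + clen  # DER certificate bytes
    integrity = None if password is None else _jks_digest(password, data[:pos]) == data[pos:pos + 20]
    return {"aliases": aliases, "integrity": integrity}

def build_jks(certs, password):
    """Writer for the same layout, used here only to construct sample input (keytool does this on a real host)."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(certs))
    for alias, der in certs.items():
        a = alias.encode("utf-8")
        body += struct.pack(">IH", 2, len(a)) + a + struct.pack(">q", 0) + struct.pack(">H", 5) + b"X.509"
        body += struct.pack(">I", len(der)) + der
    return body + _jks_digest(password, body)

# Constructed sample input: two placeholder "certificates" (not real DER certs) stored with the
# ca-certificates-java default password "changeit", plus the opening bytes of a PKCS12 file.
SAMPLE_JKS = build_jks({"debian:example_root": b"\x30\x03\x02\x01\x01", "debian:other": b"\x30\x00"}, "changeit")
SAMPLE_P12_HEADER = b"\x30\x82\x0f\x00\x02\x01\x03"

if __name__ == "__main__":
    print(keystore_format(SAMPLE_JKS), parse_jks(SAMPLE_JKS), parse_jks(SAMPLE_JKS, "changeit"))
```

To check a real host, call parse_jks(open("/etc/ssl/certs/java/cacerts", "rb").read(), "changeit") after keystore_format() has reported "JKS"; a "PKCS12" result means the file this bug describes is still in place.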
2018-07-18 06:52:41 |
Łukasz Zemczak |
ca-certificates-java (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2018-07-18 06:52:42 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2018-07-18 06:52:45 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2018-07-18 06:52:48 |
Łukasz Zemczak |
tags |
bionic cosmic patch |
bionic cosmic patch verification-needed verification-needed-bionic |
|
2018-07-25 14:14:15 |
Tiago Stürmer Daitx |
tags |
bionic cosmic patch verification-needed verification-needed-bionic |
bionic cosmic patch verification-done-bionic |
|
2018-07-30 16:14:36 |
Launchpad Janitor |
ca-certificates-java (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2018-07-30 16:14:54 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2019-09-17 15:51:07 |
Vlad |
bug |
|
|
added subscriber Vlad |