ca-certificates post-install hook crashes when password is not the default one

Bug #1717256 reported by G.M. on 2017-09-14
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ca-certificates (Ubuntu)
Undecided
Unassigned

Bug Description

As a security measure, we changed the default password of java's keystore.

When updating "ca-certificates" package, this results in:

Running hooks in /etc/ca-certificates/update.d....
org.debian.security.InvalidKeystorePasswordException: Cannot open Java keystore. Is the password correct?
        at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:68)
        at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:52)
        at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
        at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1214)
        at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:66)
        ... 3 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
        ... 6 more
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.

Expected behaviour is that hook asks for password (either always or after checking that the default one is not working).

information type: Private Security → Public
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers