Package: ca-certificates-java
Version: 20180413
Severity: important

Dear Maintainer,

The fix for bug #894979, which updated ca-certificates-java to generate JKS keystores by default instead of OpenJDK 9+'s default of PKCS12, only fixes new installs. Any user already affected by that issue won't benefit from the fix, as the file /etc/ssl/certs/java/cacerts is at most updated by the jks-keystore hook. The only way to actually change it from the PKCS12 to the JKS format is to remove the cacerts file and then call 'update-ca-certificates -f', which is also accomplished by removing and then reinstalling the ca-certificates-java package.

The attached patch fixes this behavior by:

1) Detecting if a PKCS12 cacert exists
2) Converting it to JKS and saving it to cacerts.dpkg-new

Finally, if, and only if, 'cacerts_updates' is set to 'yes':

3) Moving the old PKCS12 cacerts to cacerts.dpkg-old and the dpkg-new into /etc/ssl/certs/java/cacerts.

Additionally, a few other fixes are also addressed in the debdiff:

1) Only set JAVA_HOME if a jvm is found. Previously, if none of the jvms in the list were found, the last jvm was used; although that didn't cause any unexpected errors, it was wrong.
2) Avoid generating a jvm.cfg, as openjdk has its own logic for providing a well-defined default jvm.cfg in such scenarios.
3) On Ubuntu it should depend on openjdk-11-jre-headless instead of openjdk-8.

Please review and consider applying the provided debdiff.

Regards,
Tiago Daitx

-- System Information:
Debian Release: buster/sid
  APT prefers cosmic
  APT policy: (500, 'cosmic'), (400, 'cosmic-proposed')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.0-20-lowlatency (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
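A portable way to classify the cacerts keystore before deciding on the PKCS12 to JKS conversion described above, as an added example that is not part of the report or the attached debdiff. It reads the leading bytes with od rather than echo -e, distinguishes a DER-encoded PKCS12 store from an empty or corrupt file instead of treating everything that is not JKS as PKCS12, and the sample files it creates are constructed stand-ins, not real keystores.

```sh
#!/bin/sh
# Classify a Java keystore file by its leading bytes.
#   JKS    starts with the magic 0xFEEDFEED
#   PKCS12 is DER: a SEQUENCE tag (0x30) followed by a length
# Prints one of: jks, pkcs12, empty, unknown
keystore_format() {
    ks="$1"
    if [ ! -s "$ks" ]; then
        echo empty
        return 0
    fi
    # od emits the first four bytes as hex; works on dash, bash, busybox
    magic=$(od -An -tx1 -N4 "$ks" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo jks ;;
        30*)      echo pkcs12 ;;   # DER SEQUENCE; keytool still validates
        *)        echo unknown ;;
    esac
}

# Succeeds only for a store that really looks like PKCS12, so an empty or
# corrupt cacerts is left alone instead of being fed to keytool and
# failing the package configuration.
needs_jks_conversion() {
    [ "$(keystore_format "$1")" = pkcs12 ]
}

# Constructed sample files (not real keystores) covering each case.
demo_dir=$(mktemp -d)
printf '\376\355\376\355\000\000\000\002' > "$demo_dir/jks"
printf '\060\202\020\000\002\001\003' > "$demo_dir/p12"
: > "$demo_dir/empty"
printf 'garbage' > "$demo_dir/bad"
for f in jks p12 empty bad; do
    echo "$f: $(keystore_format "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```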
diff -Nru ca-certificates-java-20180413/debian/changelog ca-certificates-java-20180413.1/debian/changelog --- ca-certificates-java-20180413/debian/changelog 2018-04-13 09:15:39.000000000 -0300 +++ ca-certificates-java-20180413.1/debian/changelog 2018-05-14 23:16:43.000000000 -0300 @@ -1,3 +1,18 @@ +ca-certificates-java (20180413.1) unstable; urgency=medium + + [ Tiago Stürmer Daitx ] + * debian/jks-keystore.hook.in: Don't create a jvm-*.cfg file, a default file + with the right configuration is already supplied by the openjdk packages. + * debian/jks-keystore.hook.in, debian/postinst.in: Only export JAVA_HOME + and update PATH if a known jvm was found. + * debian/postinst.in: Detect PKCS12 cacert keystore generated by + previous ca-certificates-java and convert them to JKS. + + [ Matthias Klose ] + * Explicitly depend on openjdk-11-jre-headless, needed to configure. + + -- Tiago Stürmer Daitx <tiago.da...@ubuntu.com> Tue, 15 May 2018 02:16:43 +0000 + ca-certificates-java (20180413) unstable; urgency=medium * Team upload. diff -Nru ca-certificates-java-20180413/debian/jks-keystore.hook.in ca-certificates-java-20180413.1/debian/jks-keystore.hook.in --- ca-certificates-java-20180413/debian/jks-keystore.hook.in 2018-04-13 09:02:14.000000000 -0300 +++ ca-certificates-java-20180413.1/debian/jks-keystore.hook.in 2018-05-14 23:16:43.000000000 -0300 
@@ -45,20 +45,12 @@ oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \ java-11-openjdk-$arch java-11-openjdk \ oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do -if [ -x /usr/lib/jvm/$jvm/bin/java ]; then + if [ -x /usr/lib/jvm/$jvm/bin/java ]; then + export JAVA_HOME=/usr/lib/jvm/$jvm + PATH=$JAVA_HOME/bin:$PATH break -fi + fi done -export JAVA_HOME=/usr/lib/jvm/$jvm -PATH=$JAVA_HOME/bin:$PATH - -temp_jvm_cfg= -if [ ! -f /etc/${jvm%-$arch}/jvm-$arch.cfg ]; then - # the jre is not yet configured, but jvm.cfg is needed to run it - temp_jvm_cfg=/etc/${jvm%-$arch}/jvm-$arch.cfg - mkdir -p /etc/${jvm%-$arch} - printf -- "-server KNOWN\n" > $temp_jvm_cfg -fi if dpkg-query --version >/dev/null; then nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1) diff -Nru ca-certificates-java-20180413/debian/postinst.in ca-certificates-java-20180413.1/debian/postinst.in --- ca-certificates-java-20180413/debian/postinst.in 2018-04-13 09:03:15.000000000 -0300 +++ ca-certificates-java-20180413.1/debian/postinst.in 2018-05-14 23:16:43.000000000 -0300 
@@ -35,12 +35,50 @@ oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \ java-11-openjdk-$arch java-11-openjdk \ oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do - if [ -x /usr/lib/jvm/$jvm/bin/java ]; then - break + if [ -x /usr/lib/jvm/$jvm/bin/java ]; then + export JAVA_HOME=/usr/lib/jvm/$jvm + PATH=$JAVA_HOME/bin:$PATH + break fi done - export JAVA_HOME=/usr/lib/jvm/$jvm - PATH=$JAVA_HOME/bin:$PATH +} + +check_proc() +{ + if ! mountpoint -q /proc; then + echo >&2 "the keytool command requires a mounted proc fs (/proc)." + exit 1 + fi +} + +convert_pkcs12_keystore_to_jks() +{ + if ! keytool -importkeystore \ + -srckeystore /etc/ssl/certs/java/cacerts \ + -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \ + -srcstoretype PKCS12 \ + -deststoretype JKS \ + -srcstorepass "$storepass" \ + -deststorepass "$storepass" \ + -noprompt; then + echo "failed to convert PKCS12 keystore to JKS" >&2 + exit 1 + fi + + # only update if /etc/default/cacerts allows + if [ "$cacerts_updates" = "yes" ]; then + mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old + mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts + fi +} + +do_cleanup() +{ + [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg + if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ] + then + rm -f $nssjdk/libnss3.so + fi } first_install() @@ -74,15 +112,6 @@ echo "done." } -do_cleanup() -{ - [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg - if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ] - then - rm -f $nssjdk/libnss3.so - fi -} - case "$1" in configure) if dpkg --compare-versions "$2" lt "20110912ubuntu6"; then 
@@ -91,14 +120,18 @@ cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old fi fi - if [ -z "$2" -o -n "$FIXOLD" ]; then - setup_path - if ! mountpoint -q /proc; then - echo >&2 "the keytool command requires a mounted proc fs (/proc)." - exit 1 - fi + setup_path + if dpkg --compare-versions "$2" lt "20180413"; then + if [ -e /etc/ssl/certs/java/cacerts \ + -a "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then + check_proc + convert_pkcs12_keystore_to_jks + fi + fi + if [ -z "$2" -o -n "$FIXOLD" ]; then + check_proc trap do_cleanup EXIT first_install fi diff -Nru ca-certificates-java-20180413/debian/rules ca-certificates-java-20180413.1/debian/rules --- ca-certificates-java-20180413/debian/rules 2018-04-13 08:54:35.000000000 -0300 +++ ca-certificates-java-20180413.1/debian/rules 2018-05-14 23:16:23.000000000 -0300 @@ -6,7 +6,7 @@ ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes) SUBSTVARS = -Vnss:Depends="libnss3 (>= 3.12.9+ckbi-1.82-0ubuntu3~)" \ - -Vjre:Depends="openjdk-8-jre-headless" + -Vjre:Depends="openjdk-11-jre-headless" nss_lib = libnss3 else SUBSTVARS = -Vnss:Depends="libnss3 (>= 3.12.10-2~)" \
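Review bot: in the jks-keystore.hook.in hunk (@@ -45,20 +45,12 @@), moving the export into the loop means nothing after `done` handles the case where none of the listed jvms exists; JAVA_HOME stays unset and PATH unchanged, so the hook continues silently with whatever java is first in PATH. Add an explicit check after the loop, e.g. `[ -n "$JAVA_HOME" ] || { echo >&2 "no supported jvm found"; exit 0; }`. Since this hunk also drops the temp_jvm_cfg block, the `[ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg` line kept in postinst.in's relocated do_cleanup is now dead and should go too.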
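Review bot: in the postinst.in hunk (@@ -35,12 +35,50 @@), convert_pkcs12_keystore_to_jks leaves /etc/ssl/certs/java/cacerts.dpkg-new behind, unmentioned, whenever cacerts_updates is not "yes"; either remove it in that branch or print where the converted store was left so the admin can act on it. The function also relies on $storepass, which is not set anywhere in this hunk; say where it is expected to come from (the comment points at /etc/default/cacerts) or refuse to run when it is empty, since keytool would otherwise be invoked with empty source and destination passwords. A failed conversion currently hard-fails configure with `exit 1`; consider whether leaving the old store in place with a warning is the better outcome for an upgrade.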
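Review bot: in the second postinst.in hunk (@@ -91,14 +120,18 @@), the test `"$(head -c4 ...)" != "$(echo -en '\xfe\xed\xfe\xed')"` treats any non-JKS file as PKCS12, so an empty or corrupt cacerts is handed to keytool as PKCS12, the conversion fails and the whole configure exits 1; check for a DER SEQUENCE first byte (0x30) or fall back to regenerating the store via first_install instead. `echo -en` with hex escapes is also not portable to dash, which the reporter's own system links as /bin/sh, so use `printf '\376\355\376\355'` (or od) for the magic, and prefer `[ -e f ] && [ ... ]` over the obsolescent `-a`. Note that `dpkg --compare-versions "$2" lt "20180413"` is also true on a fresh install (empty "$2" compares as older), which is harmless here only because of the `-e` guard.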