Followup-For: Bug #922981
Control: found -1 20110425
Control: severity -1 serious
Control: retitle -1 ca-certificates-java: /etc/ca-certificates/update.d/jks-keystore doesn't update /etc/ssl/certs/java/cacerts
Control: tag -1 security patch
Control: block 929685 with -1
The jks-keystore hook script has never worked, at least since UpdateCertificates.java was added in 20110425. UpdateCertificates expects certificates (files or aliases) prefixed with '+' or '-' on stdin as add/remove actions, but the hook script does not supply anything (while the postinst does). Even running the hook after /etc/ssl/certs/java/cacerts got deleted will only create an empty keystore. Only on initial installation (not upgrades), the postinst will populate the keystore with the certificates in /etc/ssl/certs at that point in time.

The attached patch fixes this by adding new certificates and removing gone certificates. It does not cover the case where a certificate needs to be refreshed since its content but not its name has changed. Or is this only a theoretical possibility?

Andreas

installing ca-certificates/sid on bullseye with patched ca-certificates-java:

Preconfiguring packages ...
(Reading database ... 15445 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20210119_all.deb ...
Unpacking ca-certificates (20210119) over (20200601) ...
Setting up ca-certificates (20210119) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.)
debconf: falling back to frontend: Readline
Updating certificates in /etc/ssl/certs...
8 added, 7 removed; done.
Processing triggers for ca-certificates (20210119) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Removing debian:ee_certification_centre_root_ca.pem
Removing debian:geotrust_universal_ca_2.pem
Removing debian:luxtrust_global_root_2.pem
Removing debian:oiste_wisekey_global_root_ga_ca.pem
Removing debian:staat_der_nederlanden_root_ca_-_g2.pem
Removing debian:taiwan_grca.pem
Removing debian:verisign_class_3_public_primary_certification_authority_-_g3.pem
Adding debian:certSIGN_Root_CA_G2.pem
Adding debian:e-Szigno_Root_CA_2017.pem
Adding debian:Microsoft_ECC_Root_Certificate_Authority_2017.pem
Adding debian:Microsoft_RSA_Root_Certificate_Authority_2017.pem
Adding debian:NAVER_Global_Root_Certification_Authority.pem
Adding debian:Trustwave_Global_Certification_Authority.pem
Adding debian:Trustwave_Global_ECC_P256_Certification_Authority.pem
Adding debian:Trustwave_Global_ECC_P384_Certification_Authority.pem
done.
done.
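As an added example (not the hook script or any code from the ca-certificates-java package), the reconciliation the hook has to perform, written in Python so it runs offline on constructed input: it derives the same lowercased `debian:` aliases, hashes each PEM file's DER body the way keytool reports SHA256 fingerprints, and goes one step beyond the patch by also handling the open question above, a certificate whose content changed but whose file name did not, by emitting a remove followed by an add. It assumes that `keytool -list -v` prints `Alias name:` and `SHA256:` lines as in the constructed sample and that UpdateCertificates applies the stdin lines in order.

```python
import base64
import hashlib
import re
from posixpath import basename
def pem_fingerprint(pem_text):
    """SHA-256 of the DER bytes of the first certificate in pem_text, formatted
    like keytool's colon-separated 'SHA256:' fingerprint."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    digest = hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def debian_alias(path):
    """Alias scheme used by the hook: 'debian:' plus the lowercased basename."""
    return "debian:" + basename(path).lower()
def parse_keytool_list(output):
    """alias -> SHA256 fingerprint from 'keytool -list -v' output (layout assumed, see sample)."""
    entries, alias = {}, None
    for line in (raw.strip() for raw in output.splitlines()):
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("SHA256:") and alias:
            entries[alias] = line.split(":", 1)[1].strip()
    return entries

def plan_actions(in_keystore, pem_files):
    """in_keystore: alias -> fingerprint; pem_files: path -> PEM text.  Stale or changed
    aliases get '-alias', new or changed files get '+path' (changed = remove, then re-add)."""
    wanted = {debian_alias(p): (p, pem_fingerprint(t)) for p, t in pem_files.items()}
    actions = ["-" + a for a, fp in sorted(in_keystore.items())
               if wanted.get(a, (None, None))[1] != fp]
    actions += ["+" + p for a, (p, fp) in sorted(wanted.items()) if in_keystore.get(a) != fp]
    return actions

def _pem(payload):
    """Constructed stand-in certificate: any base64 body is enough to exercise the hashing."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(payload).decode()
CERT_A_OLD, CERT_A_NEW, CERT_B = _pem(b"sample A v1"), _pem(b"sample A v2"), _pem(b"sample B")
# Constructed 'keytool -list -v' excerpt: a.pem with its old content, plus an entry whose file is gone.
KEYTOOL_OUTPUT = ("Alias name: debian:a.pem\nCertificate fingerprints:\n\t SHA256: %s\n\n"
                  "Alias name: debian:stale.pem\nCertificate fingerprints:\n\t SHA256: %s\n"
                  % (pem_fingerprint(CERT_A_OLD), pem_fingerprint(_pem(b"stale"))))

def example_actions():
    """a.pem changed content, B.pem is new, stale.pem disappeared from /etc/ssl/certs."""
    files = {"/etc/ssl/certs/a.pem": CERT_A_NEW, "/etc/ssl/certs/B.pem": CERT_B}
    return plan_actions(parse_keytool_list(KEYTOOL_OUTPUT), files)
```

Writing the returned list to the jar's stdin is what the hook is missing; an unchanged certificate produces no action at all.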
>From ad180a53e2b32c8a6303ca05adcb32e0bc0a44cc Mon Sep 17 00:00:00 2001 From: Andreas Beckmann <[email protected]> Date: Wed, 20 Jan 2021 00:32:27 +0100 Subject: [PATCH] fix the hook script to actually update /etc/ssl/certs/java/cacerts --- debian/changelog | 8 +++++++ debian/jks-keystore.hook | 50 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 56 insertions(+), 2 deletions(-) mode change 100644 => 100755 debian/jks-keystore.hook diff --git a/debian/changelog b/debian/changelog index e35274e..2b5cf18 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +ca-certificates-java (20210119) UNRELEASED; urgency=medium + + * Actually update /etc/ssl/certs/java/cacerts by having the jks-keystore + hook script supply add/remove actions to ca-certificates-java.jar on + stdin. (Closes: #922981) + + -- Andreas Beckmann <[email protected]> Tue, 19 Jan 2021 23:57:51 +0100 + ca-certificates-java (20190909) unstable; urgency=medium * Team upload. diff --git a/debian/jks-keystore.hook b/debian/jks-keystore.hook old mode 100644 new mode 100755 index e0c3445..94e03a1 --- a/debian/jks-keystore.hook +++ b/debian/jks-keystore.hook @@ -48,7 +48,7 @@ for jvm in java-7-openjdk-$arch java-7-openjdk \ if [ -x /usr/lib/jvm/$jvm/bin/java ]; then export JAVA_HOME=/usr/lib/jvm/$jvm PATH=$JAVA_HOME/bin:$PATH - break + break fi done @@ -65,8 +65,11 @@ if dpkg-query --version >/dev/null; then fi fi +actions=$(mktemp) + do_cleanup() { + rm -f "$actions" [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ] then 
@@ -79,7 +82,50 @@ do_cleanup() fi } -if java -Xmx64m -jar $JAR -storepass "$storepass"; then +# these are currently activated in /etc/ssl/certs/java/cacerts +if [ -f /etc/ssl/certs/java/cacerts ]; then + isactivated=$(keytool -cacerts -storepass changeit -list -rfc | sed -n 's/^Alias name: *//ip' | tr '\n' ' ') +else + isactivated= +fi + +# these are currently activated in /etc/ssl/certs +shouldactivate=$(find /etc/ssl/certs -name \*.pem | while read filename; do echo -n "debian:$(basename "$filename" | tr A-Z a-z) "; done) + +# remove certificates from /etc/ssl/certs/java/cacerts that are no longer in +# /etc/ssl/certs +for alias in $isactivated ; do + case " ${shouldactivate} " in + (*" ${alias} "*) + : # keep activated + ;; + (*) + # deactivate + echo "-${alias}" >> "$actions" + ;; + esac +done + +# add certificates to /etc/ssl/certs/java/cacerts that newly appeared in +# /etc/ssl/certs +find /etc/ssl/certs -name \*.pem | sort -f | \ +while read filename; do + alias="debian:$(basename "$filename" | tr A-Z a-z)" + case " ${isactivated} " in + (*" ${alias} "*) + : # already activated + ;; + (*) + # activate + echo "+$(unknown)" >> "$actions" + ;; + esac +done + +# FIXME: this does not cover the case where a certificate has changed content +# (but not name) in /etc/ssl/certs and therefore needs to be refreshed + +if java -Xmx64m -jar $JAR -storepass "$storepass" < "$actions"; then do_cleanup else do_cleanup -- 2.20.1
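Review bot: the jks-keystore.hook hunk at @@ -48,7 +48,7 changes only the indentation of `break` and is unrelated to the fix; dropping it keeps a patch tagged security minimal and easier to cherry-pick into stable.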
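Review bot: in the hunk at @@ -65,8 +65,11 `actions=$(mktemp)` has neither a failure check nor a trap: if mktemp fails, `$actions` is empty and every later `>> "$actions"` errors out, and if the script exits before the final java call the temp file is left behind. Suggest `actions=$(mktemp) || exit 1` and a `trap do_cleanup EXIT` right after do_cleanup is defined (its `rm -f` is safe to run twice).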
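Review bot: in the hunk at @@ -79,7 +82,50 the listing `keytool -cacerts -storepass changeit -list -rfc` reads the JVM's own default cacerts with a hard-coded password, while the rest of the script addresses /etc/ssl/certs/java/cacerts with `$storepass`; when the two differ, or the keytool in use predates the `-cacerts` option (the loop at line 48 still probes java-7 and java-8 JVMs), the command fails, `isactivated` stays empty and every certificate is queued for re-adding. Suggest `keytool -keystore /etc/ssl/certs/java/cacerts -storepass "$storepass" -list` (the alias names do not need `-rfc`) and aborting on a non-zero exit. In the same hunk, the add branch `echo "+$(unknown)" >> "$actions"` runs a command named `unknown` and appends a bare `+`; per the description of UpdateCertificates' stdin format the add action has to carry the certificate, i.e. the path read into `$filename`, mirroring the `-${alias}` form of the remove branch. Both `while read filename` loops should also use `read -r`.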
>From 0845cc4b752eb5225d0e24c95791faebd3fb8b78 Mon Sep 17 00:00:00 2001 From: Andreas Beckmann <[email protected]> Date: Wed, 20 Jan 2021 00:52:14 +0100 Subject: [PATCH 2/2] sync setup_path between jks-keystore.hook and postinst --- debian/jks-keystore.hook | 50 ++++++++++++++++++++++++---------------- debian/postinst | 42 ++++++++++++--------------------- 2 files changed, 45 insertions(+), 47 deletions(-) diff --git a/debian/jks-keystore.hook b/debian/jks-keystore.hook index 94e03a1..7bf84fe 100755 --- a/debian/jks-keystore.hook +++ b/debian/jks-keystore.hook 
@@ -24,33 +24,43 @@ nsslib_name() fi } +setup_path() +{ + # keep in sync with debian/postinst + for version in 7 8 9 10 11 12 13 14 15 16 17 ; do + for jvm in \ + java-${version}-openjdk-${arch} \ + java-${version}-openjdk \ + oracle-java${version}-jre-${arch} \ + oracle-java${version}-server-jre-${arch} \ + oracle-java${version}-jdk-${arch} + do + if [ -x /usr/lib/jvm/$jvm/bin/java ]; then + export JAVA_HOME=/usr/lib/jvm/$jvm + PATH=$JAVA_HOME/bin:$PATH + break 2 + fi + done + done +} + +check_proc() +{ + if ! mountpoint -q /proc; then + echo >&2 "the keytool command requires a mounted proc fs (/proc)." + exit 1 + fi +} + echo "" if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ] || [ ! -e $JAR ]; then echo "updates of cacerts keystore disabled." exit 0 fi -if ! mountpoint -q /proc; then - echo >&2 "the keytool command requires a mounted proc fs (/proc)." - exit 1 -fi +check_proc -for jvm in java-7-openjdk-$arch java-7-openjdk \ - oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \ - java-8-openjdk-$arch java-8-openjdk \ - oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \ - java-9-openjdk-$arch java-9-openjdk \ - oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \ - java-10-openjdk-$arch java-10-openjdk \ - oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \ - java-11-openjdk-$arch java-11-openjdk \ - oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do - if [ -x /usr/lib/jvm/$jvm/bin/java ]; then - export JAVA_HOME=/usr/lib/jvm/$jvm - PATH=$JAVA_HOME/bin:$PATH - break - fi -done +setup_path if dpkg-query --version >/dev/null; then nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1) diff --git a/debian/postinst b/debian/postinst index 555f87b..737be4c 100644 --- a/debian/postinst +++ b/debian/postinst 
@@ -25,33 +25,21 @@ nsslib_name() setup_path() { - for jvm in java-7-openjdk-$arch java-7-openjdk \ - oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \ - java-8-openjdk-$arch java-8-openjdk \ - oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \ - java-9-openjdk-$arch java-9-openjdk \ - oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \ - java-10-openjdk-$arch java-10-openjdk \ - oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \ - java-11-openjdk-$arch java-11-openjdk \ - oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch \ - java-12-openjdk-$arch java-12-openjdk \ - oracle-java12-jre-$arch oracle-java12-server-jre-$arch oracle-java12-jdk-$arch \ - java-13-openjdk-$arch java-13-openjdk \ - oracle-java13-jre-$arch oracle-java13-server-jre-$arch oracle-java13-jdk-$arch \ - java-14-openjdk-$arch java-14-openjdk \ - oracle-java14-jre-$arch oracle-java14-server-jre-$arch oracle-java14-jdk-$arch \ - java-15-openjdk-$arch java-15-openjdk \ - oracle-java15-jre-$arch oracle-java15-server-jre-$arch oracle-java15-jdk-$arch \ - java-16-openjdk-$arch java-16-openjdk \ - oracle-java16-jre-$arch oracle-java16-server-jre-$arch oracle-java16-jdk-$arch \ - java-17-openjdk-$arch java-17-openjdk \ - oracle-java17-jre-$arch oracle-java17-server-jre-$arch oracle-java17-jdk-$arch; do - if [ -x /usr/lib/jvm/$jvm/bin/java ]; then - export JAVA_HOME=/usr/lib/jvm/$jvm - PATH=$JAVA_HOME/bin:$PATH - break - fi + # keep in sync with debian/jks-keystore.hook + for version in 7 8 9 10 11 12 13 14 15 16 17 ; do + for jvm in \ + java-${version}-openjdk-${arch} \ + java-${version}-openjdk \ + oracle-java${version}-jre-${arch} \ + oracle-java${version}-server-jre-${arch} \ + oracle-java${version}-jdk-${arch} + do + if [ -x /usr/lib/jvm/$jvm/bin/java ]; then + export JAVA_HOME=/usr/lib/jvm/$jvm + PATH=$JAVA_HOME/bin:$PATH + break 2 + fi + done done } -- 2.20.1
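Review bot: in the jks-keystore.hook hunk at @@ -24,33 +24,43 nothing checks whether `setup_path` actually found a JVM: when no /usr/lib/jvm/*/bin/java matches, JAVA_HOME stays unset and the later keytool and java invocations fail with an unrelated error. Suggest testing `[ -n "$JAVA_HOME" ]` after `setup_path` and exiting with a clear message, as `check_proc` already does for /proc. The `# keep in sync with debian/postinst` comment is a manual invariant across two copies; shipping the function once in a file both scripts source would remove the drift this patch is cleaning up.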
__ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
