| From | Vladimir Petko <vladimir.petko@canonical.com> |
|---|---|
| Newsgroups | linux.debian.maint.java |
| Subject | ca-certificate-java/openjdk installation issues |
| Date | 2023-02-07 20:20 +0100 |
| Message-ID | <FWBFv-4dUm-5@gated-at.bofh.it> (permalink) |
| Organization | linux.* mail to news gateway |
Dear Maintainers,

Would it be possible to consider a proposal to break the dependency of ca-certificates-java on the installed JVM?

Abstract

The ca-certificates-java package contains a circular dependency with Java that causes issues during openjdk installation. I am proposing switching the ca-certificates-java certificate import tool to Python to break the dependency cycle.

Rationale

The certificate import tool in ca-certificates-java is written in Java. This is a constant source of bugs [1] and requires updates (including stable release updates [2]) whenever a new JDK version comes out. Switching certificate import to Python will remove the maintenance load and break a cyclic dependency.

Existing Functionality

ca-certificates-java synchronizes the content of the Java keystore /etc/ssl/certs/java/cacerts with the trusted certificates in PEM format located in /etc/ssl/certs, using the jks-keystore hook registered with the ca-certificates package. During hook invocation or post-installation, the following actions are performed:

- ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts and attempts to convert it into the legacy Java Key Store (JKS) format due to the requirement to support OpenJDK 8. OpenJDK 11 and up support both legacy and PKCS11 formats.
- ca-certificates-java lists all available certificates in the keystore using Java keytool, filters the certificate aliases and compares the list with the system certificates. An input file containing '+debian:<certificate-file-name>' for addition and '-debian:<certificate-file-name>' is generated and passed to the import utility. The import utility updates /etc/ssl/certs/java/cacerts and sets the updated certificate alias to 'debian:<certificate-file-name>'.

Note: the import utility only updates certificates with the 'debian:<certificate-file-name>' alias.

Requirements

In order to remove the dependency on Java, the certificate import tool must:

1. List certificate aliases
2. Add or update a certificate in the Java Key Store
3. Convert a PKCS12 store to JKS format
4. Load a certificate in PEM format
5. Retain any user's certificates in the Java Key Store

Implementation

This functionality can be implemented using the following Python packages:

- python3-pyjks: Java Key Store format support [4]. It supports loading, manipulation and serialization of JKS files. It is needed for requirements 1 and 2.
- python3-oscrypto: PKCS12 and X509 support [3]. The package depends on OpenSSL 3.0. It supports loading a PKCS12 certificate store and extracting certificates along with SafeBag aliases. It is needed for requirements 3 and 4.

ca-certificates-java will install the /usr/sbin/ca-certificates-java tool. It will accept the following options:

- sync <password> <input-file> - synchronize the keystore
- list <password> - list certificate aliases in the keystore
- convert <password> <oldstore> <newstore> - convert the keystore into JKS format

Best Regards,
Vladimir.

[1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java
[2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065
[3] https://launchpad.net/ubuntu/+source/oscrypto
[4] https://launchpad.net/ubuntu/+source/pyjks
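The synchronization step the proposal describes (compare the 'debian:' aliases already in the keystore with the PEM files in /etc/ssl/certs, emit '+debian:<file>' / '-debian:<file>' lines, apply them, and leave any user-imported alias untouched) is illustrated below. This is an added example, not code from the proposal or from ca-certificates-java; it assumes a keystore modelled as a plain dict of alias to DER bytes instead of a real JKS file (the real tool would go through pyjks), the function names `plan_sync`, `apply_plan` and `fingerprint` are hypothetical, and the PEM blobs are constructed test data rather than certificates.

```python
"""Keystore synchronization as described in the ca-certificates-java proposal,
reduced to the alias bookkeeping. Example code; keystore modelled as a dict."""
import base64
import hashlib
import ssl
from typing import Dict, Iterable, List

ALIAS_PREFIX = "debian:"  # only aliases with this prefix are managed by the tool


def plan_sync(keystore_aliases: Iterable[str], system_cert_files: Iterable[str],
              prefix: str = ALIAS_PREFIX) -> List[str]:
    """Return '+<prefix><file>' / '-<prefix><file>' lines that bring the managed
    aliases in line with the system certificate files.

    Aliases without the prefix (a user's own imports) are never considered, so
    the plan cannot add or remove them."""
    managed = {a[len(prefix):] for a in keystore_aliases if a.startswith(prefix)}
    wanted = set(system_cert_files)
    plan = [f"+{prefix}{name}" for name in sorted(wanted - managed)]
    plan += [f"-{prefix}{name}" for name in sorted(managed - wanted)]
    return plan


def apply_plan(keystore: Dict[str, bytes], plan: Iterable[str],
               pem_by_file: Dict[str, str],
               prefix: str = ALIAS_PREFIX) -> Dict[str, bytes]:
    """Apply plan lines to a copy of the keystore.

    Every line must name a prefixed alias; anything else is rejected, which is
    the guarantee behind the note that only 'debian:' aliases are updated."""
    updated = dict(keystore)
    for line in plan:
        op, alias = line[:1], line[1:]
        if op not in ("+", "-") or not alias.startswith(prefix):
            raise ValueError(f"refusing to touch unmanaged alias in {line!r}")
        if op == "+":
            pem = pem_by_file[alias[len(prefix):]]
            # ssl.PEM_cert_to_DER_cert only strips the PEM armour and
            # base64-decodes; it does not parse or validate the certificate.
            updated[alias] = ssl.PEM_cert_to_DER_cert(pem)
        else:
            updated.pop(alias, None)
    return updated


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER blob, to confirm that a keystore entry
    matches the PEM file it was imported from."""
    return hashlib.sha256(der).hexdigest()


def constructed_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour (constructed test data, not a cert)."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample data: two system CA files, and a keystore that still holds
# an alias for a CA that has since been removed plus a user's own entry.
SYSTEM_CERTS = {
    "keep_ca.pem": constructed_pem(b"constructed DER for keep_ca"),
    "new_ca.pem": constructed_pem(b"constructed DER for new_ca"),
}
KEYSTORE = {
    "debian:keep_ca.pem": b"constructed DER for keep_ca",
    "debian:old_ca.pem": b"constructed DER for old_ca",
    "mycorp-internal-ca": b"user-imported entry that must survive",
}


def run_example() -> Dict[str, bytes]:
    """Plan and apply a sync against the constructed sample data."""
    plan = plan_sync(KEYSTORE, SYSTEM_CERTS)
    return apply_plan(KEYSTORE, plan, SYSTEM_CERTS)


if __name__ == "__main__":
    for line in plan_sync(KEYSTORE, SYSTEM_CERTS):
        print(line)
    for alias, der in sorted(run_example().items()):
        print(f"{alias}: sha256={fingerprint(der)[:16]}...")
```

The refusal in `apply_plan` is the part worth keeping whatever library ends up doing the file I/O: requirement 5 (retain user certificates) is only as strong as the check that no plan line can ever name an alias outside the managed prefix.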