From: Vladimir Petko
Newsgroups: linux.debian.maint.java
Subject: ca-certificate-java/openjdk installation issues
Date: Tue, 07 Feb 2023 20:20:01 +0100
List-Archive: https://lists.debian.org/msgid-search/CALFf3kckwyx6X93=1JNjcnBdyctJe9AtfXYQsOoJf5qeUUjNEw@mail.gmail.com

Dear Maintainers,
Would it be possible to consider a proposal to break the dependency of ca-certificates-java on the installed JVM?

Abstract

The ca-certificates-java package contains a circular dependency with Java that causes issues during openjdk installation. I am proposing switching the ca-certificates-java certificate import tool to Python to break the dependency cycle.

Rationale

The certificate import tool in ca-certificates-java is written in Java. This is a constant source of bugs [1] and requires updates (including stable release updates [2]) whenever a new JDK version comes out. Switching certificate import to Python will remove the maintenance load and break a cyclic dependency.

Existing Functionality

ca-certificates-java synchronizes the content of the Java keystore /etc/ssl/certs/java/cacerts with the trusted certificates in PEM format located in /etc/ssl/certs, using the jks-keystore hook registered with the ca-certificates package.

During hook invocation or post-installation, the following actions are performed:
- ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts and attempts to convert it into the legacy Java Key Store (JKS) format due to the requirement to support OpenJDK 8. OpenJDK 11 and up support both legacy and PKCS11 formats.
- ca-certificates-java lists all available certificates in the keystore using Java keytool, filters certificate aliases and compares the list with the system certificates. An input file containing '+debian:<certificate-file-name>' for addition and '-debian:<certificate-file-name>' is generated and passed to the import utility. The import utility updates /etc/ssl/certs/java/cacerts and sets the updated certificate alias to 'debian:<certificate-file-name>'.
  Note: the import utility only updates certificates with a 'debian:<certificate-file-name>' alias.

Requirements

In order to remove the dependency on Java, the certificate import tool must:
1. List certificate aliases
2. Add or update a certificate in the Java Key Store
3. Convert a PKCS12 store to JKS format
4. Load a certificate in PEM format
5. Retain any user certificates in the Java Key Store

Implementation

This functionality can be implemented using the following Python packages:
- python3-pyjks: Java Key Store format support [4]. It supports loading, manipulation and serialization of JKS files. It is needed for requirements 1 and 2.
- python3-oscrypto: PKCS12 and X509 support [3]. The package depends on OpenSSL 3.0. It supports loading a PKCS12 certificate store and extracting certificates along with SafeBag aliases. It is needed for requirements 3 and 4.

ca-certificates-java will install the /usr/sbin/ca-certificates-java tool.

It will accept the following options:
- sync <password> <input-file> - synchronize the keystore
- list <password> – list certificate aliases in the keystore
- convert <password> <oldstore> <newstore> – convert the keystore into JKS format.

Best Regards,
  Vladimir.

[1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java
[2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065
[3] https://launchpad.net/ubuntu/+source/oscrypto
[4] https://launchpad.net/ubuntu/+source/pyjks
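The JKS container handling that the proposal delegates to python3-pyjks (requirements 1, 2 and 5: list aliases, add or update a 'debian:' entry, keep everything else), written out in pure Python as an added illustration; this is not the project's code and not pyjks. It assumes ASCII aliases, a version-2 store holding only trusted-certificate entries, and a constructed placeholder DER blob in place of a real certificate.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
TRUSTED_CERT = 2  # entry tag: 2 = trusted certificate, 1 = private key


def _integrity_digest(password, data):
    # JKS trailer: SHA-1 over the password (UTF-16BE) + "Mighty Aphrodite" + the stream
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + data).digest()


def write_jks(entries, password, ts_ms=0):
    """Serialise {alias: DER bytes} as a version-2 JKS store of trusted-cert entries."""
    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, der in entries.items():
        a = alias.encode("utf-8")  # aliases assumed ASCII (JKS uses modified UTF-8)
        out += struct.pack(">IH", TRUSTED_CERT, len(a)) + a + struct.pack(">Q", ts_ms)
        out += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return out + _integrity_digest(password, out)


def read_jks(blob, password):
    """Parse a v2 JKS store, verify its digest, return {alias: DER bytes} (requirement 1)."""
    body, digest = blob[:-20], blob[-20:]
    if _integrity_digest(password, body) != digest:
        raise ValueError("keystore integrity check failed: wrong password or tampered store")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS keystore")
    pos, entries = 12, {}
    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", body, pos)
        if tag != TRUSTED_CERT:
            raise ValueError("private-key entries are outside this example")
        alias = body[pos + 6:pos + 6 + alen].decode("utf-8")
        pos += 6 + alen + 8  # past tag, alias and the 8-byte creation timestamp
        pos += 2 + struct.unpack_from(">H", body, pos)[0]  # skip the "X.509" type string
        clen = struct.unpack_from(">I", body, pos)[0]
        entries[alias] = body[pos + 4:pos + 4 + clen]
        pos += 4 + clen
    return entries


def import_debian_cert(blob, password, cert_file, der):
    """Add or replace 'debian:<cert_file>', keeping every other alias (requirements 2, 5)."""
    entries = read_jks(blob, password)
    entries["debian:" + cert_file] = der
    return write_jks(entries, password)
```

The digest check is what makes a wrong password or a truncated store fail loudly instead of silently yielding an empty trust list.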