Re: ca-certificate-java/openjdk installation issues

From Emmanuel Bourg <ebourg@apache.org>
Newsgroups linux.debian.maint.java
Subject Re: ca-certificate-java/openjdk installation issues
Date 2023-02-21 21:30 +0100
Message-ID <G1HqW-7xt9-5@gated-at.bofh.it> (permalink)
References <FWBFv-4dUm-5@gated-at.bofh.it>
Organization linux.* mail to news gateway

Hi Vladimir,

Thank you for tackling this annoying issue.

You said that JKS was required to support OpenJDK 8, but there is no 
such requirement, at the Debian level at least. What about generating a 
PKCS#12 certstore with OpenSSL instead, would that work? The python 
script could still be used for OpenJDK 8 (with a dedicated 
ca-certificate-java8 package maybe). This way installing openjdk-17 
would not drag in python dependencies.

Emmanuel Bourg

Le 2023-02-07 20:12, Vladimir Petko a écrit :

> Dear Maintainers,
> 
> Would it be possible to consider a proposal to break dependency of ca-certificates-java on the installed JVM?
> 
> Abstract
> 
> ca-certificates-java package contains a circular dependency with Java that causes issues during openjdk installation.
> I am proposing switching the ca-certificate-java certificate import tool to Python to break the dependency cycle.
> 
> Rationale
> 
> The certificate import tool in ca-certificate-java is written in Java.
> This is a constant source of bugs [1] and requires updates (including stable release updates [2]) whenever a new JDK version comes out. Switching certificate import to Python will remove the maintenance load and break a cyclic dependency.
> 
> Existing Functionality
> 
> ca-certificates-java synchronizes content of Java keystore /etc/ssl/certs/java/cacerts with trusted certificates in PEM format located in /etc/ssl/certs using jks-keystore hook registered with ca-certificates package.
> 
> During hook invocation or post installation following actions are performed:
> - ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts and attempts to convert it into legacy Java Key Store (JKS) format due to the requirement to support OpenJDK 8.
>   OpenJDK 11 and up support both legacy and PKCS11 formats.
> - ca-certificate-java lists all available certificates in the keystore using Java keytool, filters certificate aliases and compares the list with the system certificates.
>   An input file containing '+debian:<certificate-file-name>' for addition and '-debian:<certificate-file-name>' is generated and passed to import utility.
>   Import utility updates /etc/ssl/certs/java/cacerts and sets updated certificate alias to 'debian:<certificate-file-name>'
>   Note: Import utility only updates certificates with 'debian:<certificate-file-name>' alias
> 
> Requirements
> 
> In order to remove dependency on Java, the certificate import tool must:
> - List certificate aliases
> - Add or update certificate in Java Key Store
> - Convert PKCS12 store to JKS format
> - Load certificate in PEM format
> - Retain any user's certificates in Java Key Store
> 
> Implementation
> 
> This functionality can be implemented using the following Python packages:
> - python3-pyjks: Java Key Store format support [4]. It supports loading, manipulation and serialization of the JKS files.
>   It is needed for requirements 1 and 2.
> - python3-oscrypto: PKCS12 and X509 support [3]. The package depends on OpenSSL 3.0. The package supports loading PKCS12 certificate store and extracting certificates along with SafeBag aliases.
>   It is needed for requirements 3 and 4.
> 
> ca-certificates-java will install the /usr/sbin/ca-certificates-java tool.
> 
> It will accept following options:
> - sync <password> <input-file> - synchronize the keystore
> - list <password> - list certificate aliases in the keystore
> - convert <password> <oldstore> <newstore> - convert the keystore into JKS format.
> 
> Best Regards,
> Vladimir.
> 
> [1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java
> [2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065
> [3] https://launchpad.net/ubuntu/+source/oscrypto
> [4] https://launchpad.net/ubuntu/+source/pyjks
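The alias comparison and sync step described in the quoted proposal (the '+debian:<file>' / '-debian:<file>' input and the rule that only 'debian:' aliases are touched, so user entries survive), as an added example that is not the package's code nor either author's. It models the keystore as a plain dict of alias to DER bytes and uses only the standard library, so neither pyjks nor oscrypto is needed to follow the logic; the file names and PEM contents are constructed placeholders.

```python
import base64
import ssl

DEBIAN_PREFIX = "debian:"   # alias prefix marking entries owned by the package


def plan_changes(keystore_aliases, system_cert_files):
    """Compare the 'debian:' aliases in the keystore with the PEM file names
    under /etc/ssl/certs and emit the '+debian:<file>' / '-debian:<file>'
    lines the import tool consumes. Aliases without the prefix are user
    entries and never appear in the removal list."""
    managed = {a[len(DEBIAN_PREFIX):] for a in keystore_aliases
               if a.startswith(DEBIAN_PREFIX)}
    wanted = set(system_cert_files)
    lines = ["+" + DEBIAN_PREFIX + f for f in sorted(wanted - managed)]
    lines += ["-" + DEBIAN_PREFIX + f for f in sorted(managed - wanted)]
    return lines


def sync_keystore(keystore, change_lines, read_pem):
    """Apply change lines to keystore (dict alias -> DER bytes). Only 'debian:'
    aliases are added, updated or removed; a line naming any other alias is
    rejected so user certificates survive the sync."""
    for line in change_lines:
        line = line.strip()
        if not line:
            continue
        op, alias = line[0], line[1:]
        if op not in "+-" or not alias.startswith(DEBIAN_PREFIX):
            raise ValueError(f"refusing to touch unmanaged entry: {line!r}")
        if op == "+":
            pem = read_pem(alias[len(DEBIAN_PREFIX):])
            keystore[alias] = ssl.PEM_cert_to_DER_cert(pem)  # stdlib PEM -> DER
        else:
            keystore.pop(alias, None)
    return keystore


def fake_pem(file_name):
    """Constructed placeholder PEM (not a real certificate) so the demo runs offline."""
    body = base64.b64encode(f"DER-placeholder-for-{file_name}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def demo():
    """Constructed scenario: one stale package-managed entry, one user entry,
    two system certificates to import. Returns the plan and the synced store."""
    keystore = {"debian:stale_ca.pem": b"old", "mycorp-internal-ca": b"user"}
    system_certs = ["example_root_a.pem", "example_root_b.pem"]
    plan = plan_changes(keystore, system_certs)
    sync_keystore(keystore, plan, fake_pem)
    return plan, keystore
```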
