From: Emmanuel Bourg
Newsgroups: linux.debian.maint.java
Subject: Re: ca-certificate-java/openjdk installation issues
Date: Tue, 21 Feb 2023 21:30:02 +0100
Cc: debian-java@lists.debian.org
List-Archive: https://lists.debian.org/msgid-search/c2ec8737fb5a03f1039a2e90ab925594@apache.org
Organization: linux.* mail to news gateway

Hi Vladimir,

Thank you for tackling this annoying issue.

You said that JKS was required to support OpenJDK 8, but there is no such requirement, at the Debian level at least. What about generating a PKCS#12 certstore with OpenSSL instead, would that work? The python script could still be used for OpenJDK 8 (with a dedicated ca-certificate-java8 package maybe). This way installing openjdk-17 would not drag in python dependencies.

Emmanuel Bourg

On 2023-02-07 20:12, Vladimir Petko wrote:
> Dear Maintainers,
>
> Would it be possible to consider a proposal to break the dependency of
> ca-certificates-java on the installed JVM?
>
> Abstract
>
> The ca-certificates-java package contains a circular dependency with Java that
> causes issues during openjdk installation.
> I am proposing switching the ca-certificate-java certificate import tool to
> Python to break the dependency cycle.
>
> Rationale
>
> The certificate import tool in ca-certificate-java is written in Java.
> This is a constant source of bugs [1] and requires updates (including stable
> release updates [2]) whenever a new JDK version comes out. Switching
> certificate import to Python will remove the maintenance load and break
> a cyclic dependency.
>
> Existing Functionality
>
> ca-certificates-java synchronizes the content of the Java keystore
> /etc/ssl/certs/java/cacerts with the trusted certificates in PEM format located
> in /etc/ssl/certs, using the jks-keystore hook registered with the ca-certificates
> package.
>
> During hook invocation or post installation the following actions are performed:
> - ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts and
>   attempts to convert it into the legacy Java Key Store (JKS) format due to the
>   requirement to support OpenJDK 8.
>   OpenJDK 11 and up support both legacy and PKCS11 formats.
> - ca-certificate-java lists all available certificates in the keystore using
>   Java keytool, filters certificate aliases and compares the list with the
>   system certificates.
>   An input file containing '+debian:<certificate-file-name>' for addition and
>   '-debian:<certificate-file-name>' for removal is generated and passed to the import utility.
>   The import utility updates /etc/ssl/certs/java/cacerts and sets the updated
>   certificate alias to 'debian:<certificate-file-name>'.
>   Note: the import utility only updates certificates with a
>   'debian:<certificate-file-name>' alias.
>
> Requirements
>
> In order to remove the dependency on Java, the certificate import tool must:
> - List certificate aliases
> - Add or update certificates in the Java Key Store
> - Convert a PKCS12 store to JKS format
> - Load certificates in PEM format
> - Retain any user's certificates in the Java Key Store
>
> Implementation
>
> This functionality can be implemented using the following Python packages:
> - python3-pyjks: Java Key Store format support [4]. It supports loading,
>   manipulation and serialization of JKS files.
>   It is needed for requirements 1 and 2.
> - python3-oscrypto: PKCS12 and X509 support [3]. The package depends on
>   OpenSSL 3.0. The package supports loading a PKCS12 certificate store and
>   extracting certificates along with SafeBag aliases.
>   It is needed for requirements 3 and 4.
>
> ca-certificates-java will install the /usr/sbin/ca-certificates-java tool.
>
> It will accept the following options:
> - sync <password> <input-file> - synchronize the keystore
> - list <password> - list certificate aliases in the keystore
> - convert <password> <oldstore> <newstore> - convert the keystore into
>   JKS format.
>
> Best Regards,
> Vladimir.
>
> [1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java
> [2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065
> [3] https://launchpad.net/ubuntu/+source/oscrypto
> [4] https://launchpad.net/ubuntu/+source/pyjks
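The "Existing Functionality" section of the quoted proposal describes how the sync step decides what to feed the import utility: list the keystore aliases, keep only the ones under the `debian:` prefix, compare that set with the PEM file names in `/etc/ssl/certs`, and emit `+debian:<name>` / `-debian:<name>` lines. The following is an added example, not code from ca-certificates-java or from Vladimir's proposal, that implements just that planning step on plain sets of names so it runs without pyjks or a real keystore. It assumes that the alias used for a system certificate is `debian:` followed by its file name (as the proposal states) and that aliases are compared case-insensitively, because the JKS implementation in OpenJDK stores aliases lower-cased; the sample aliases and file names are constructed.

```python
"""Plan a ca-certificates-java style sync between a Java keystore and /etc/ssl/certs.

Added example; not the package's own code. Works on alias/file-name sets only,
so it runs offline: no keystore is read or written.
"""
from __future__ import annotations

from typing import Iterable

# Prefix that marks a keystore entry as managed by the sync tool (from the proposal).
DEBIAN_PREFIX = "debian:"


def _norm(name: str) -> str:
    # Assumption: JKS lower-cases aliases on storage, so compare names case-insensitively.
    return name.lower()


def managed_names(keystore_aliases: Iterable[str]) -> set[str]:
    """Certificate file names currently tracked under the 'debian:' prefix."""
    return {
        _norm(alias[len(DEBIAN_PREFIX):])
        for alias in keystore_aliases
        if alias.startswith(DEBIAN_PREFIX)
    }


def user_aliases(keystore_aliases: Iterable[str]) -> set[str]:
    """Entries without the prefix: user-installed certificates that must be retained."""
    return {alias for alias in keystore_aliases if not alias.startswith(DEBIAN_PREFIX)}


def plan_sync(keystore_aliases: Iterable[str], system_cert_files: Iterable[str]) -> list[str]:
    """Return the import-utility input lines: '+debian:<name>' for PEM files not yet in
    the keystore, '-debian:<name>' for managed entries whose PEM file is gone.
    User aliases never appear in the plan, which is what keeps them untouched."""
    managed = managed_names(keystore_aliases)
    wanted = {_norm(f) for f in system_cert_files}
    additions = [f"+{DEBIAN_PREFIX}{n}" for n in sorted(wanted - managed)]
    removals = [f"-{DEBIAN_PREFIX}{n}" for n in sorted(managed - wanted)]
    return additions + removals


def apply_plan(keystore_aliases: Iterable[str], plan: Iterable[str]) -> set[str]:
    """Simulate the import utility on the alias set (state only, no key material).
    Refuses any instruction that would touch an alias outside the managed prefix."""
    aliases = set(keystore_aliases)
    for line in plan:
        op, alias = line[:1], line[1:]
        if not alias.startswith(DEBIAN_PREFIX):
            raise ValueError(f"refusing to modify non-managed alias {alias!r}")
        if op == "+":
            aliases.add(alias)
        elif op == "-":
            aliases.discard(alias)
        else:
            raise ValueError(f"bad instruction {line!r}")
    return aliases


# Constructed sample state: two managed entries (one whose PEM file has since been
# removed from the system) plus one certificate a local admin imported by hand.
SAMPLE_KEYSTORE_ALIASES = [
    "debian:accvraiz1.pem",
    "debian:old_expired_ca.pem",
    "mycorp-internal-ca",
]
# Constructed sample directory listing of /etc/ssl/certs (mixed case on purpose).
SAMPLE_SYSTEM_CERTS = ["ACCVRAIZ1.pem", "GlobalSign_Root_CA.pem"]


if __name__ == "__main__":
    plan = plan_sync(SAMPLE_KEYSTORE_ALIASES, SAMPLE_SYSTEM_CERTS)
    for line in plan:
        print(line)
    print(sorted(apply_plan(SAMPLE_KEYSTORE_ALIASES, plan)))
```

Run on the constructed sample, the plan is one addition (`GlobalSign_Root_CA.pem`) and one removal (`old_expired_ca.pem`), and `mycorp-internal-ca` survives the simulated import because no instruction can name it. One limit worth noting: a plan built from names alone does not notice a renewed certificate that keeps its old file name; if "update" in the requirements is meant to cover that case, the comparison needs the certificate content (a fingerprint) as well as the alias.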