Re: ca-certificate-java/openjdk installation issues

Path csiph.com!fu-berlin.de!bofh.it!news.nic.it!robomod
From Vladimir Petko <vladimir.petko@canonical.com>
Newsgroups linux.debian.maint.java
Subject Re: ca-certificate-java/openjdk installation issues
Date Tue, 21 Feb 2023 22:10:01 +0100
Message-ID <G1I3D-7xWb-13@gated-at.bofh.it> (permalink)
References <FWBFv-4dUm-5@gated-at.bofh.it> <G1HqW-7xt9-5@gated-at.bofh.it>
List-URL <https://lists.debian.org/debian-java/>
X-Original-Date Wed, 22 Feb 2023 10:05:14 +1300
X-Original-Message-ID <CALFf3kdPbsbF-TJkPTF6VaQXphy-xCKiJ9WRLFk6KRD-OsufWg@mail.gmail.com>


Hi,

Just a small clarification, openssl itself allows importing a single
certificate and its chain and overwrites the store in the process, so
we need something like p11-kit.
Another grey area is the ORACLE_TrustedKeyUsage attribute - at the moment
the store implementation sets it on save, but it does not seem to be
checked anywhere. If we use p11-kit, then it will not be present and
something might break in the future. In this case we will have to
replace p11-kit with our own tool.

Best Regards,
 Vladimir.

On Wed, Feb 22, 2023 at 9:22 AM Emmanuel Bourg <ebourg@apache.org> wrote:
>
> Hi Vladimir,
>
> Thank you for tackling this annoying issue.
>
> You said that JKS was required to support OpenJDK 8, but there is no such requirement, at the Debian level at least. What about generating a PKCS#12 certstore with OpenSSL instead, would that work? The python script could still be used for OpenJDK 8 (with a dedicated ca-certificate-java8 package maybe). This way installing openjdk-17 would not drag in python dependencies.
>
> Emmanuel Bourg
>
>
> Le 2023-02-07 20:12, Vladimir Petko a écrit :
>
> Dear Maintainers,
>
> Would it be possible to consider a proposal to break dependency of ca-certificates-java on the installed JVM?
>
> Abstract
>
> The ca-certificates-java package contains a circular dependency with Java that
> causes issues during openjdk installation.
> I am proposing switching the ca-certificates-java certificate import tool to
> Python to break the dependency cycle.
>
> Rationale
>
> The certificate import tool in ca-certificates-java is written in Java.
> This is a constant source of bugs [1] and requires updates (including stable
> release updates [2]) whenever a new JDK version comes out. Switching
> certificate import to Python will remove the maintenance load and break
> a cyclic dependency.
>
> Existing Functionality
>
> ca-certificates-java synchronizes the content of the Java keystore
> /etc/ssl/certs/java/cacerts with the trusted certificates in PEM format located
> in /etc/ssl/certs, using the jks-keystore hook registered with the ca-certificates
> package.
>
> During hook invocation or post-installation, the following actions are performed:
> - ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts and
>   attempts to convert it into the legacy Java Key Store (JKS) format due to the
>   requirement to support OpenJDK 8.
>   OpenJDK 11 and up support both the legacy and PKCS12 formats.
> - ca-certificates-java lists all available certificates in the keystore using
>   the Java keytool, filters certificate aliases and compares the list with the
>   system certificates.
>   An input file containing '+debian:<certificate-file-name>' for addition and
>   '-debian:<certificate-file-name>' for removal is generated and passed to the import utility.
>   The import utility updates /etc/ssl/certs/java/cacerts and sets the updated
>   certificate alias to 'debian:<certificate-file-name>'.
>   Note: the import utility only updates certificates with a
>   'debian:<certificate-file-name>' alias.
>
> Requirements
>
> In order to remove the dependency on Java, the certificate import tool must:
> - List certificate aliases
> - Add or update a certificate in the Java Key Store
> - Convert a PKCS12 store to JKS format
> - Load a certificate in PEM format
> - Retain any user certificates in the Java Key Store
>
> Implementation
>
> This functionality can be implemented using the following Python packages:
> - python3-pyjks: Java Key Store format support [4]. It supports loading,
>   manipulation and serialization of the JKS files.
>   It is needed for requirements 1 and 2.
> - python3-oscrypto: PKCS12 and X509 support [3]. The package depends on
>   OpenSSL 3.0. The package supports loading PKCS12 certificate store and
>   extracting certificates along with SafeBag aliases.
>   It is needed for requirements 3 and 4.
>
> ca-certificates-java will install the /usr/sbin/ca-certificates-java tool.
>
> It will accept the following options:
> - sync <password> <input-file> - synchronize the keystore
> - list <password> – list certificate aliases in the keystore
> - convert <password> <oldstore> <newstore> – convert the keystore into
>   JKS format.
>
> Best Regards,
>   Vladimir.
>
> [1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java
> [2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065
> [3] https://launchpad.net/ubuntu/+source/oscrypto
> [4] https://launchpad.net/ubuntu/+source/pyjks
>
>

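The quoted proposal above describes two things in prose: the existing synchronisation step (an input file of '+debian:<file>' / '-debian:<file>' lines applied to /etc/ssl/certs/java/cacerts, touching only 'debian:' aliases so that user certificates survive) and the requirements for a Python replacement (list aliases, add or update entries, load PEM). The block below is an added, self-contained illustration written for this page; it is not the proposed ca-certificates-java tool, which would use python3-pyjks and python3-oscrypto. To stay dependency-free it writes and reads the trusted-certificate subset of the JKS container directly from the public format (magic 0xFEEDFEED, version 2, tag-2 entries, trailing keyed SHA-1), so private-key entries and PKCS12 are out of scope. The alias names, the sample input lines and the "certificate" bytes are constructed; they are tiny DER sequences, not real certificates, and keytool would reject them.

```python
import base64
import hashlib
import hmac
import struct
import time

# Illustrative code for this page, not the ca-certificates-java tool:
# a trusted-cert-only JKS writer/reader plus the '+debian:'/'-debian:' sync step.

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TRUSTED_CERT_TAG = 2
_INTEGRITY_SALT = b"Mighty Aphrodite"   # constant the JDK mixes into the keyed SHA-1
DEBIAN_PREFIX = "debian:"               # the only aliases the sync step may touch
DIGEST_LEN = 20


def _keyed_sha1(password):
    # The JKS "password" is only an integrity key: SHA-1(UTF-16BE(pw) || salt || data).
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(_INTEGRITY_SALT)
    return h


def _write_utf(s):
    # DataOutputStream.writeUTF: 2-byte big-endian length + (modified) UTF-8; ASCII here
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def jks_dumps(certs, password, timestamp_ms=0):
    """Serialise {alias: DER bytes} as a JKS v2 store holding only trusted-cert entries."""
    ts = timestamp_ms or int(time.time() * 1000)
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(certs))
    for alias, der in sorted(certs.items()):
        body += struct.pack(">I", TRUSTED_CERT_TAG) + _write_utf(alias) + struct.pack(">Q", ts)
        body += _write_utf("X.509") + struct.pack(">I", len(der)) + der
    h = _keyed_sha1(password)
    h.update(body)
    return body + h.digest()


def jks_loads(data, password):
    """Parse a trusted-cert-only JKS store into {alias: DER bytes}, checking the digest first."""
    if len(data) < 12 + DIGEST_LEN:
        raise ValueError("truncated keystore")
    body, digest = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    h = _keyed_sha1(password)
    h.update(body)
    if not hmac.compare_digest(h.digest(), digest):
        raise ValueError("integrity check failed: wrong password or tampered store")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 store")
    pos, certs = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, pos)
        pos += 4
        if tag != TRUSTED_CERT_TAG:
            raise ValueError("private-key entries are not handled by this minimal reader")
        alias, pos = _read_utf(body, pos)
        pos += 8                                   # creation timestamp, not needed here
        _cert_type, pos = _read_utf(body, pos)
        (n,) = struct.unpack_from(">I", body, pos)
        pos += 4
        certs[alias] = body[pos:pos + n]
        pos += n
    return certs


def pem_to_der(pem):
    """Base64-decode the first CERTIFICATE block of a PEM file (requirement 4)."""
    lines = pem.strip().splitlines()
    try:
        start = lines.index("-----BEGIN CERTIFICATE-----") + 1
        end = lines.index("-----END CERTIFICATE-----", start)
    except ValueError:
        raise ValueError("no CERTIFICATE block found") from None
    return base64.b64decode("".join(lines[start:end]), validate=True)


def sync(certs, ops, pem_files):
    """Apply '+debian:<file>' / '-debian:<file>' lines; refuse to touch any other alias."""
    for raw in ops:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        op, alias = line[0], line[1:]
        if op not in "+-" or not alias.startswith(DEBIAN_PREFIX):
            raise ValueError(f"refusing to modify unmanaged entry: {line!r}")
        if op == "+":
            certs[alias] = pem_to_der(pem_files[alias[len(DEBIAN_PREFIX):]])
        else:
            certs.pop(alias, None)
    return certs


# Constructed demo data: tiny DER SEQUENCEs standing in for certificates.
def _fake_pem(tag):
    der = b"\x30\x05\x04\x03" + tag
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


SYSTEM_CERTS = {"Example_Root.pem": _fake_pem(b"AAA"), "Other_Root.pem": _fake_pem(b"BBB")}


def demo(password="changeit"):
    """Round-trip a store through sync: user entry kept, one debian: entry added, one removed."""
    existing = {"mycorp-internal": b"\x30\x05\x04\x03USR", "debian:Old_Root.pem": b"\x30\x05\x04\x03OLD"}
    store = jks_loads(jks_dumps(existing, password, timestamp_ms=1), password)
    ops = ["+debian:Example_Root.pem", "-debian:Old_Root.pem", "# comment line"]
    updated = jks_loads(jks_dumps(sync(store, ops, SYSTEM_CERTS), password, timestamp_ms=1), password)
    return sorted(updated)
```

Two points worth noticing when running it: the store password protects nothing but a keyed SHA-1 over the file, so a wrong password and a flipped byte fail the same way, and the sync step raises on any line naming a non-'debian:' alias rather than silently skipping it, which is what keeps a user's own entries (here 'mycorp-internal') intact.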
Thread

ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-07 20:20 +0100
  Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-07 20:40 +0100
    Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-07 20:40 +0100
    Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-07 21:10 +0100
  Re: ca-certificate-java/openjdk installation issues Emmanuel Bourg <ebourg@apache.org> - 2023-02-21 21:30 +0100
    Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-21 21:40 +0100
    Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-21 22:10 +0100
      Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-21 22:40 +0100
        Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-21 23:00 +0100
          Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-21 23:00 +0100
            Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-21 23:40 +0100
              Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-22 00:00 +0100
              Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-22 00:00 +0100
                Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-23 04:00 +0100
                Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-23 20:50 +0100
                Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-23 21:00 +0100
                Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-23 21:00 +0100
                Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-24 05:20 +0100
                Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-24 06:30 +0100
                Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-27 08:20 +0100
