From: Vladimir Petko
Newsgroups: linux.debian.maint.java
Subject: Re: ca-certificate-java/openjdk installation issues
Date: Tue, 21 Feb 2023 22:10:01 +0100
List-Archive: https://lists.debian.org/msgid-search/CALFf3kdPbsbF-TJkPTF6VaQXphy-xCKiJ9WRLFk6KRD-OsufWg@mail.gmail.com

Hi,

Just a small clarification: openssl itself allows importing a single
certificate and its chain and overwrites the store in the process, so we
need something like p11-kit.

Another grey area is the ORACLE_TrustedKeyUsage attribute - at the moment
the store implementation sets it on save, but it does not seem to be
checked anywhere. If we use p11-kit, then it will not be present and
something might break in the future. In this case we will have to replace
p11-kit with our own tool.

Best Regards,
Vladimir.

On Wed, Feb 22, 2023 at 9:22 AM Emmanuel Bourg wrote:
>
> Hi Vladimir,
>
> Thank you for tackling this annoying issue.
>
> You said that JKS was required to support OpenJDK 8, but there is no such
> requirement, at the Debian level at least. What about generating a PKCS#12
> certstore with OpenSSL instead, would that work? The python script could
> still be used for OpenJDK 8 (with a dedicated ca-certificate-java8 package
> maybe). This way installing openjdk-17 would not drag in python dependencies.
>
> Emmanuel Bourg
>
>
> On 2023-02-07 20:12, Vladimir Petko wrote:
> > Dear Maintainers,
> >
> > Would it be possible to consider a proposal to break the dependency of
> > ca-certificates-java on the installed JVM?
> >
> > Abstract
> >
> > The ca-certificates-java package contains a circular dependency with Java
> > that causes issues during openjdk installation.
> > I am proposing switching the ca-certificate-java certificate import tool
> > to Python to break the dependency cycle.
> >
> > Rationale
> >
> > The certificate import tool in ca-certificate-java is written in Java.
> > This is a constant source of bugs [1] and requires updates (including
> > stable release updates [2]) whenever a new JDK version comes out.
> > Switching certificate import to Python will remove the maintenance load
> > and break a cyclic dependency.
> >
> > Existing Functionality
> >
> > ca-certificates-java synchronizes the content of the Java keystore
> > /etc/ssl/certs/java/cacerts with the trusted certificates in PEM format
> > located in /etc/ssl/certs, using the jks-keystore hook registered with
> > the ca-certificates package.
> >
> > During hook invocation or post installation the following actions are
> > performed:
> > - ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts
> >   and attempts to convert it into the legacy Java Key Store (JKS) format
> >   due to the requirement to support OpenJDK 8.
> >   OpenJDK 11 and up support both legacy and PKCS11 formats.
> > - ca-certificate-java lists all available certificates in the keystore
> >   using Java keytool, filters certificate aliases and compares the list
> >   with the system certificates.
> >   An input file containing '+debian:' for addition and '-debian:' is
> >   generated and passed to the import utility.
> >   The import utility updates /etc/ssl/certs/java/cacerts and sets the
> >   updated certificate alias to 'debian:'
> >   Note: the import utility only updates certificates with the 'debian:'
> >   alias
> >
> > Requirements
> >
> > In order to remove the dependency on Java, the certificate import tool
> > must:
> > - List certificate aliases
> > - Add or update a certificate in the Java Key Store
> > - Convert a PKCS12 store to JKS format
> > - Load a certificate in PEM format
> > - Retain any user's certificates in the Java Key Store
> >
> > Implementation
> >
> > This functionality can be implemented using the following Python
> > packages:
> > - python3-pyjks: Java Key Store format support [4]. It supports loading,
> >   manipulation and serialization of the JKS files.
> >   It is needed for requirements 1 and 2.
> > - python3-oscrypto: PKCS12 and X509 support [3]. The package depends on
> >   OpenSSL 3.0. The package supports loading a PKCS12 certificate store
> >   and extracting certificates along with SafeBag aliases.
> >   It is needed for requirements 3 and 4.
> >
> > ca-certificates-java will install the /usr/sbin/ca-certificates-java
> > tool.
> >
> > It will accept the following options:
> > - sync - synchronize the keystore
> > - list - list certificate aliases in the keystore
> > - convert - convert the keystore into JKS format.
> >
> > Best Regards,
> > Vladimir.
> >
> > [1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java
> > [2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065
> > [3] https://launchpad.net/ubuntu/+source/oscrypto
> > [4] https://launchpad.net/ubuntu/+source/pyjks
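The alias-comparison step of the jks-keystore hook that the quoted proposal describes, as an added Python example (not the package's or the thread's own code): it builds the '+debian:' / '-debian:' input for the import utility from the keystore alias list and the .pem files in /etc/ssl/certs, and never touches aliases without the 'debian:' prefix, so user-added entries are retained. It assumes the managed alias is 'debian:' plus the .pem file basename, and the keystore and certificate lists are constructed inline rather than read from a real JKS file.

```python
"""Alias diff for the ca-certificates-java sync step.

Assumption: a managed entry's alias is 'debian:' + basename of the
PEM file in /etc/ssl/certs. Real code would read aliases from the
keystore (keytool / pyjks); here both inputs are constructed lists.
"""
import os
from typing import Iterable, List

PREFIX = "debian:"


def system_aliases(pem_files: Iterable[str]) -> set:
    """Map each *.pem under /etc/ssl/certs to its managed keystore alias."""
    return {PREFIX + os.path.basename(p) for p in pem_files if p.endswith(".pem")}


def plan_changes(keystore_aliases: Iterable[str], pem_files: Iterable[str]) -> List[str]:
    """Return the import-utility input lines: '+' for system certs missing
    from the keystore, '-' for stale 'debian:' entries. Non-'debian:'
    aliases (user certificates) are ignored, so they are never removed."""
    wanted = system_aliases(pem_files)
    managed = {a for a in keystore_aliases if a.startswith(PREFIX)}
    to_add = sorted("+" + a for a in wanted - managed)
    to_remove = sorted("-" + a for a in managed - wanted)
    return to_add + to_remove


def apply_plan(keystore_aliases: Iterable[str], lines: Iterable[str]) -> List[str]:
    """Apply the plan to an alias list the way the import utility would.
    Refuses any line that names an alias outside the 'debian:' namespace."""
    aliases = set(keystore_aliases)
    for line in lines:
        op, alias = line[:1], line[1:]
        if not alias.startswith(PREFIX):
            raise ValueError("refusing to touch non-managed alias: " + alias)
        if op == "+":
            aliases.add(alias)
        elif op == "-":
            aliases.discard(alias)
        else:
            raise ValueError("bad operation in line: " + line)
    return sorted(aliases)


# Constructed sample: one new system cert, one stale debian: entry, one
# user-added entry, and a bundle file that is not a single .pem cert.
SYSTEM_PEMS = ["/etc/ssl/certs/Example_Root_CA_1.pem",
               "/etc/ssl/certs/Example_Root_CA_2.pem",
               "/etc/ssl/certs/ca-certificates.crt"]
KEYSTORE = ["debian:Example_Root_CA_1.pem", "debian:Old_Root.pem", "corp-internal-ca"]

if __name__ == "__main__":
    plan = plan_changes(KEYSTORE, SYSTEM_PEMS)
    print("\n".join(plan))
    print(apply_plan(KEYSTORE, plan))
```

Comparing aliases alone, as the hook does, cannot notice a certificate whose file name is unchanged but whose content was replaced; the real tool covers that case by re-importing entries it already manages.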