Re: ca-certificate-java/openjdk installation issues
Hi,
That's a great idea. I was thinking of using p11-kit [1] to generate
Java 11 + certificates [2]. I have abandoned it because
ca-certificates-java attempts to synchronize the store, keeping the user's
certificates that were added for Java only.
I wonder if we can drop this requirement and declare that Java trust
roots are always in sync with the machine? Then we can make a very
simple ca-certificates-java package in line with Alpine, and a more
complex and ugly one for legacy Java support.
This will require some changes to the packaging of Java 8 (or all
other JDKs), as at the moment all JDKs share the same cacerts files.
[1] https://tracker.debian.org/pkg/p11-kit
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929685#42
On Wed, Feb 22, 2023 at 9:22 AM Emmanuel Bourg <ebourg@apache.org> wrote:
>
> Hi Vladimir,
>
> Thank you for tackling this annoying issue.
>
> You said that JKS was required to support OpenJDK 8, but there is no such requirement, at the Debian level at least. What about generating a PKCS#12 certstore with OpenSSL instead, would that work? The python script could still be used for OpenJDK 8 (with a dedicated ca-certificate-java8 package maybe). This way installing openjdk-17 would not drag in python dependencies.
>
> Emmanuel Bourg
>
>
> Le 2023-02-07 20:12, Vladimir Petko a écrit :
>
> Dear Maintainers,
>
> Would it be possible to consider a proposal to break the dependency of ca-certificates-java on the installed JVM?
>
> Abstract
>
> The ca-certificates-java package has a circular dependency with Java that
> causes issues during openjdk installation.
> I am proposing switching the ca-certificate-java certificate import tool to
> Python to break the dependency cycle.
>
> Rationale
>
> The certificate import tool in ca-certificate-java is written in Java.
> This is a constant source of bugs [1] and requires updates (including stable
> release updates [2]) whenever a new JDK version comes out. Switching
> certificate import to Python will remove the maintenance load and break
> a cyclic dependency.
>
> Existing Functionality
>
> ca-certificates-java synchronizes the content of the Java keystore
> /etc/ssl/certs/java/cacerts with the trusted certificates in PEM format located
> in /etc/ssl/certs, using the jks-keystore hook registered with the ca-certificates
> package.
>
> During hook invocation or post-installation, the following actions are performed:
> - ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts and
> attempts to convert it into the legacy Java Key Store (JKS) format due to the
> requirement to support OpenJDK 8.
> OpenJDK 11 and up support both legacy and PKCS11 formats.
> - ca-certificate-java lists all available certificates in the keystore using
> the Java keytool, filters the certificate aliases and compares the list with the
> system certificates.
> An input file containing '+debian:<certificate-file-name>' for addition and
> '-debian:<certificate-file-name>' is generated and passed to the import utility.
> The import utility updates /etc/ssl/certs/java/cacerts and sets the updated
> certificate's alias to 'debian:<certificate-file-name>'.
> Note: the import utility only updates certificates with the
> 'debian:<certificate-file-name>' alias.
>
> Requirements
>
> In order to remove the dependency on Java, the certificate import tool must:
> - List certificate aliases
> - Add or update a certificate in the Java Key Store
> - Convert a PKCS12 store to JKS format
> - Load a certificate in PEM format
> - Retain any of the user's certificates in the Java Key Store
>
> Implementation
>
> This functionality can be implemented using the following Python packages:
> - python3-pyjks: Java Key Store format support [4]. It supports loading,
> manipulation and serialization of the JKS files.
> It is needed for requirements 1 and 2.
> - python3-oscrypto: PKCS12 and X509 support [3]. The package depends on
> OpenSSL 3.0. The package supports loading PKCS12 certificate store and
> extracting certificates along with SafeBag aliases.
> It is needed for requirements 3 and 4.
>
> ca-certificates-java will install the /usr/sbin/ca-certificates-java tool.
>
> It will accept the following options:
> - sync <password> <input-file> - synchronize the keystore
> - list <password> - list certificate aliases in the keystore
> - convert <password> <oldstore> <newstore> - convert the keystore into
> JKS format.
>
> Best Regards,
> Vladimir.
>
> [1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java
> [2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065
> [3] https://launchpad.net/ubuntu/+source/oscrypto
> [4] https://launchpad.net/ubuntu/+source/pyjks
>
>
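The quoted proposal describes what the jks-keystore hook does (list aliases, diff against /etc/ssl/certs, feed '+debian:<file>' / '-debian:<file>' lines to an import utility that only ever touches 'debian:' aliases) and lists what a Java-free import tool must do. The block below is an added example, not code from ca-certificates-java, pyjks, or either poster: it implements the JKS trusted-certificate file layout and its keyed SHA-1 integrity digest (as written by OpenJDK's sun.security.provider.JavaKeyStore, magic 0xFEEDFEED, version 2) with the Python standard library alone, then applies the alias rule so that user entries are retained byte-for-byte. The function names (load_jks, dump_jks, sync_entries), the file names and the five-byte DER blobs in demo() are constructed placeholders, not real certificates; a JKS store treats the DER as opaque bytes, so the format and sync logic are exercised without a CA at hand.

```python
# Added example (not ca-certificates-java code): pure-Python JKS trusted-cert I/O + the debian:<file> sync rule.
import base64
import hashlib
import io
import re
import struct
import time

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
TRUSTED_CERT_TAG = 2                      # tag 1 is PrivateKeyEntry; cacerts holds only trusted certs
DEBIAN_PREFIX = "debian:"                 # alias prefix the jks-keystore hook manages
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _digest(password, body):
    """JKS integrity check: SHA-1 over password (UTF-16BE) + fixed salt + the store bytes."""
    return hashlib.sha1(password.encode("utf-16be") + b"Mighty Aphrodite" + body).digest()

def _utf(s):
    """DataOutput.writeUTF: 2-byte length + modified UTF-8 (same as UTF-8 for ASCII aliases)."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _read_utf(f):
    return f.read(struct.unpack(">H", f.read(2))[0]).decode("utf-8")

def trusted_cert_entry(alias, der, ts_ms=None):
    """Serialize one TrustedCertificateEntry as sun.security.provider.JavaKeyStore does."""
    ts = int(time.time() * 1000) if ts_ms is None else ts_ms
    return (struct.pack(">I", TRUSTED_CERT_TAG) + _utf(alias) + struct.pack(">Q", ts)
            + _utf("X.509") + struct.pack(">I", len(der)) + der)

def load_jks(data, password):
    """Return {alias: (raw_entry_bytes, der)}; rejects a wrong password or a tampered file."""
    body, digest = data[:-20], data[-20:]
    if _digest(password, body) != digest:
        raise ValueError("JKS integrity check failed (wrong password or modified store)")
    f = io.BytesIO(body)
    magic, version, count = struct.unpack(">III", f.read(12))
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 store (a PKCS#12 cacerts must be converted first)")
    entries = {}
    for _ in range(count):
        start = f.tell()
        (tag,) = struct.unpack(">I", f.read(4))
        if tag != TRUSTED_CERT_TAG:
            raise ValueError(f"unsupported JKS entry tag {tag}")
        alias = _read_utf(f)
        f.read(8)                                  # creation timestamp (ms)
        _read_utf(f)                               # certificate type, "X.509"
        der = f.read(struct.unpack(">I", f.read(4))[0])
        entries[alias] = (body[start:f.tell()], der)   # raw bytes let untouched entries round-trip exactly
    return entries

def dump_jks(entries, password):
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries)) + b"".join(raw for raw, _ in entries.values())
    return body + _digest(password, body)

def pem_to_der(pem_text):
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))

def sync_entries(entries, system_certs):
    """Hook rule: only debian:<file> aliases are managed; every other alias is kept untouched.
    system_certs maps file name under /etc/ssl/certs -> PEM text. Returns (new_entries, plan)."""
    # keytool lower-cases aliases on storage; do the same so the file round-trips through it
    wanted = {DEBIAN_PREFIX + name.lower(): pem_to_der(pem) for name, pem in system_certs.items()}
    new_entries, plan = {}, []
    for alias, (raw, der) in entries.items():
        if not alias.startswith(DEBIAN_PREFIX) or (alias in wanted and der == wanted[alias]):
            new_entries[alias] = (raw, der)        # user's own entry, or already in sync: retained
        elif alias not in wanted:
            plan.append("-" + alias)               # file removed from /etc/ssl/certs
        # else: managed alias whose certificate changed; re-added below
    for alias, der in wanted.items():
        if alias not in new_entries:
            plan.append("+" + alias)               # new or changed certificate
            new_entries[alias] = (trusted_cert_entry(alias, der), der)
    return new_entries, sorted(plan)

def demo():
    """Constructed round trip; the DER blobs are placeholders, not real certificates."""
    pw = "changeit"                                # the well-known default cacerts password
    der = {n: b"\x30\x03\x02\x01" + bytes([n]) for n in (1, 2, 7, 8, 9)}  # DER SEQUENCE{INTEGER n}
    def pem(n):
        return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der[n]).decode()
    # /etc/ssl/certs now (constructed): one new file and one whose content changed
    system_certs = {"ISRG_Root_X1.pem": pem(1), "Example_CA.pem": pem(2)}
    # cacerts as last synced (constructed): a stale managed alias, an outdated one, a user's own cert
    old = {a: (trusted_cert_entry(a, der[n], 0), der[n]) for a, n in
           [("debian:old_ca.pem", 9), ("debian:example_ca.pem", 8), ("mycorp-internal", 7)]}
    entries = load_jks(dump_jks(old, pw), pw)     # serialize, then parse back
    new_entries, plan = sync_entries(entries, system_certs)
    reloaded = load_jks(dump_jks(new_entries, pw), pw)
    return plan, sorted(reloaded), reloaded["mycorp-internal"][1]
```

Two caveats a practitioner should keep in mind. The trailing digest is keyed with the store password, and for cacerts that password is the publicly known "changeit", so the check only catches accidental corruption; what actually protects the trust roots is ownership and permissions on /etc/ssl/certs/java/cacerts, and a tool like this must keep writing it as root with a temp-file-and-rename so a half-written store never becomes the system trust store. The magic check also matters in practice: an OpenJDK 11+ cacerts is PKCS#12 by default and would otherwise be misparsed, which is exactly why the proposal lists PKCS12-to-JKS conversion as a separate requirement.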