Bug#935082: openjdk-7: Missed sun.security.ec package
Package: openjdk-7-jre-headless
Version: 7u231-2.6.19-1~deb8u1
Followup-For: Bug #935082
Dear Maintainer,

I'm also seeing this issue and it prevents e.g. ActiveMQ from starting when
using EC certificates and keys in the key store. I'm attaching a small sample
program which shows the same issue when run against a key store that was
generated with a command like

    keytool -genkeypair -dname CN=Test -keyalg EC -keysize 256 -keystore keystore.jks

Please note that the above command must be run on e.g. Stretch or Buster (with a
newer version of OpenJDK); on Jessie, this fails with a

    java.lang.RuntimeException: Cannot load SunEC provider

exception on 7u231-2.6.19-1~deb8u1 and a

    java.security.NoSuchProviderException: no such provider: SunEC

exception on the older 7u221-2.6.18-1~deb8u1 version of openjdk-7-jre-headless.
This is likely a closely related issue that was probably already reported in
Debian bug #909671 [1]. Running the sample program on the older
7u221-2.6.18-1~deb8u1 version against the generated key store, this should
output something like "mykey: X.509, EC"; when run with 7u231-2.6.19-1~deb8u1,
this gives the

    java.lang.ClassNotFoundException: sun.security.ec.ECParameters

exception.

I don't know if the (new) lack of EC support is just a packaging issue or an
upstream bug, but the upstream NEWS file [2] contains an entry

> - S7194075: Various classes of sunec.jar are duplicated in rt.jar

in the "Import of OpenJDK 7 u231 build 1" section, so there clearly was an
upstream change in this area. And when comparing the rt.jar files from the two
versions of the package, the older version still contained some
EC-related classes (in /sun/security/ec), which are not present anymore in the
newer version - sunec.jar doesn't seem to be present in any version of the
openjdk-7 packages. I quickly tried to build the openjdk-7 packages from the
sources retrieved with apt-get source to see if I notice something during the
build or can find a sunec.jar file in the build artifacts, but the build failed
early on for a non-obvious reason, which is where I stopped debugging.

Kind regards
Manfred

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909671
[2] /usr/share/doc/openjdk-7-jre-headless/NEWS.IcedTea.gz
-- System Information:
Debian Release: 8.11
APT prefers oldoldstable
APT policy: (500, 'oldoldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages openjdk-7-jre-headless depends on:
ii ca-certificates-java 20140324
ii initscripts 2.88dsf-59
ii java-common 0.52
ii libc6 2.19-18+deb8u10
ii libcups2 1.7.5-11+deb8u4
ii libfontconfig1 2.11.0-6.3+deb8u1
ii libfreetype6 2.5.2-3+deb8u3
ii libgcc1 1:4.9.2-10+deb8u2
ii libglib2.0-0 2.42.1-1+deb8u3
ii libjpeg62-turbo 1:1.3.1-12+deb8u2
ii libkrb5-3 1.12.1+dfsg-19+deb8u5
ii liblcms2-2 2.6-3+deb8u2
ii libnss3 2:3.26-1+debu8u5
ii libpcsclite1 1.8.13-1+deb8u1
ii libpulse0 5.0-13
ii libsctp1 1.0.16+dfsg-2
ii libstdc++6 4.9.2-10+deb8u2
ii tzdata-java 2019a-0+deb8u1
ii zlib1g 1:1.2.8.dfsg-2+b1
openjdk-7-jre-headless recommends no packages.
Versions of packages openjdk-7-jre-headless suggests:
ii fonts-dejavu-extra 2.34-1
pn fonts-indic <none>
pn fonts-ipafont-gothic <none>
ii fonts-ipafont-mincho 00303-12
pn fonts-wqy-microhei <none>
pn fonts-wqy-zenhei <none>
ii icedtea-7-jre-jamvm 7u231-2.6.19-1~deb8u1
pn libnss-mdns <none>
pn sun-java6-fonts <none>
-- no debconf information

import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Enumeration;

public class KeystoreViewer {

    public static void main(String[] args) {
        if (args.length < 2) {
            System.err
                    .println("Usage: KeystoreViewer <keystore password> <keystore file>");
            System.exit(1);
        }

        // Create a key store object of the JRE's default type.
        KeyStore ks = null;
        try {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
        } catch (KeyStoreException e) {
            System.err.println("Failed to load keystore: " + e);
            // Without a KeyStore instance every later call would fail with
            // a NullPointerException, so stop here.
            System.exit(1);
        }

        // Load the key store file given on the command line.
        char[] password = args[0].toCharArray();
        FileInputStream fis = null;
        try {
            fis = new FileInputStream(args[1]);
            ks.load(fis, password);
        } catch (IOException e) {
            System.err.println("Failed to open keystore file: " + e);
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            System.err.println("Missing algorithm: " + e);
            e.printStackTrace();
        } catch (CertificateException e) {
            System.err.println("Problem with certificate: " + e);
            e.printStackTrace();
        } finally {
            if (fis != null) {
                try {
                    fis.close();
                } catch (IOException e) {
                    System.err.println("Failed to close stream: " + e);
                    e.printStackTrace();
                }
            }
        }

        // Print "<alias>: <certificate type>, <public key algorithm>" for
        // each entry, e.g. "mykey: X.509, EC".
        try {
            Enumeration<String> aliases = ks.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Certificate certificate = ks.getCertificate(alias);
                System.out.println(alias + ": " + certificate.getType() + ", "
                        + certificate.getPublicKey().getAlgorithm());
            }
        } catch (KeyStoreException e) {
            System.err.println("Failed to get aliases: " + e);
            e.printStackTrace();
        }
    }
}