[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#935082: openjdk-7: Missed sun.security.ec package

Package: openjdk-7-jre-headless
Version: 7u231-2.6.19-1~deb8u1
Followup-For: Bug #935082

Dear Maintainer,

I'm also seeing this issue and it prevents eg. ActiveMQ from starting when
using EC certificates and keys in the key store. I'm attaching a small sample
program which shows the same issue when run against a key store that was
generated with a command like

    keytool -genkeypair -dname CN=Test -keyalg EC -keysize 256 -keystore keystore.jks

Please note that the above command must be run on eg. Stretch or Buster (with a
newer version of OpenJDK), on Jessie, this fails with a
    java.lang.RuntimeException: Cannot load SunEC provider
exception on 7u231-2.6.19-1~deb8u1 and a 
    java.security.NoSuchProviderException: no such provider: SunEC
exception on the older 7u221-2.6.18-1~deb8u1 version of openjdk-7-jre-headless.
This is likely a closely related issue that was probably already reported in
Debian bug #909671 [1]. Running the sample program on the older
7u221-2.6.18-1~deb8u1 version against the generated key store, this should
output something like "mykey: X.509, EC", when run with 7u231-2.6.19-1~deb8u1,
this gives the
    java.lang.ClassNotFoundException: sun.security.ec.ECParameters

I don't know if the (new) lack of EC support is just a packaging issue or an
upstream bug, but the upstream NEWS file [2] contains an entry
>   - S7194075: Various classes of sunec.jar are duplicated in rt.jar
in the "Import of OpenJDK 7 u231 build 1" section, so there clearly was an
upstream change in this area. And when comparing the rt.jar files from the two
versions of the package, then the older version still contained some
EC-related classes (in /sun/security/ec), which are not present anymore in the
newer version - sunec.jar doesn't seem to be present in any version of the
openjdk-7 packages. I quickly tried to build the openjdk-7 packages from the
sources retrieved with apt-get source to see if I notice something during the
build or can find a sunec.jar file in the build artifacts, but the build failed
early on a for a non-obvious reason, which is where I stopped debugging.

Kind regards

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909671
[2] /usr/share/doc/openjdk-7-jre-headless/NEWS.IcedTea.gz

-- System Information:
Debian Release: 8.11
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages openjdk-7-jre-headless depends on:
ii  ca-certificates-java  20140324
ii  initscripts           2.88dsf-59
ii  java-common           0.52
ii  libc6                 2.19-18+deb8u10
ii  libcups2              1.7.5-11+deb8u4
ii  libfontconfig1        2.11.0-6.3+deb8u1
ii  libfreetype6          2.5.2-3+deb8u3
ii  libgcc1               1:4.9.2-10+deb8u2
ii  libglib2.0-0          2.42.1-1+deb8u3
ii  libjpeg62-turbo       1:1.3.1-12+deb8u2
ii  libkrb5-3             1.12.1+dfsg-19+deb8u5
ii  liblcms2-2            2.6-3+deb8u2
ii  libnss3               2:3.26-1+debu8u5
ii  libpcsclite1          1.8.13-1+deb8u1
ii  libpulse0             5.0-13
ii  libsctp1              1.0.16+dfsg-2
ii  libstdc++6            4.9.2-10+deb8u2
ii  tzdata-java           2019a-0+deb8u1
ii  zlib1g                1:1.2.8.dfsg-2+b1

openjdk-7-jre-headless recommends no packages.

Versions of packages openjdk-7-jre-headless suggests:
ii  fonts-dejavu-extra    2.34-1
pn  fonts-indic           <none>
pn  fonts-ipafont-gothic  <none>
ii  fonts-ipafont-mincho  00303-12
pn  fonts-wqy-microhei    <none>
pn  fonts-wqy-zenhei      <none>
ii  icedtea-7-jre-jamvm   7u231-2.6.19-1~deb8u1
pn  libnss-mdns           <none>
pn  sun-java6-fonts       <none>

-- no debconf information
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Enumeration;

public class KeystoreViewer {
	public static void main(String[] args) {
		if (args.length < 2) {
					.println("Usage: KeystoreViewer <keystore password> <keystore file");
		KeyStore ks = null;
		try {
			ks = KeyStore.getInstance(KeyStore.getDefaultType());
		} catch (KeyStoreException e) {
			System.err.println("Failed to load keystore: " + e);

		char[] password = args[0].toCharArray();
		FileInputStream fis = null;
		try {
			fis = new FileInputStream(args[1]);
			ks.load(fis, password);
		} catch (IOException e) {
			System.err.println("Failed to open keystore file: " + e);
		} catch (NoSuchAlgorithmException e) {
			System.err.println("Missing algorithm: " + e);
		} catch (CertificateException e) {
			System.err.println("Problem with certificate: " + e);
		} finally {
			if (fis != null) {
				try {
				} catch (IOException e) {
					System.err.println("Failed to close stream: " + e);

		try {
			Enumeration<String> aliases = ks.aliases();
			while (aliases.hasMoreElements()) {
				String alias = aliases.nextElement();
				Certificate certificate = ks.getCertificate(alias);
				System.out.println(alias + ": " + certificate.getType() + ", "
						+ certificate.getPublicKey().getAlgorithm());

		} catch (KeyStoreException e) {
			System.err.println("Failed to get aliases: " + e);

Reply to: