Followup-For: Bug #1039472
X-Debbugs-Cc: t...@security.debian.org
Control: found -1 20190909
Control: tag -1 patch

This affects bullseye as well:

bullseye# apt-get install openjdk-17-jre-headless=17.0.7+7-1~deb11u1

fails with

...
  Setting up ca-certificates-java (20190909) ...
  head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or 
directory
  Exception in thread "main" java.lang.InternalError: Error loading 
java.security file
        at java.base/java.security.Security.initialize(Security.java:106)
        at java.base/java.security.Security$1.run(Security.java:84)
        at java.base/java.security.Security$1.run(Security.java:82)
        at 
java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
        at java.base/java.security.Security.<clinit>(Security.java:82)
        at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178)
        at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
        at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
        at 
java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
        at 
java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
        at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55)
        at 
java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
        at 
java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
        at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
        at 
org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
        at 
org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
  dpkg: error processing package ca-certificates-java (--configure):
   installed ca-certificates-java package post-installation script subprocess 
returned error exit status 1
  dpkg: dependency problems prevent configuration of 
openjdk-17-jre-headless:amd64:
   openjdk-17-jre-headless:amd64 depends on ca-certificates-java (>= 
20190405~); however:
    Package ca-certificates-java is not configured yet.

  dpkg: error processing package openjdk-17-jre-headless:amd64 (--configure):
   dependency problems - leaving unconfigured
  Processing triggers for libc-bin (2.31-13+deb11u6) ...
  Processing triggers for ca-certificates (20210119) ...
  Updating certificates in /etc/ssl/certs...
  0 added, 0 removed; done.
  Running hooks in /etc/ca-certificates/update.d...

  /etc/ca-certificates/update.d/jks-keystore: 82: java: not found
  E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
  done.
  Errors were encountered while processing:
   ca-certificates-java
   openjdk-17-jre-headless:amd64


And for the reference, 

bookworm# apt-get install openjdk-17-jre=17.0.7+7-1~deb12u1

fails with 

...
  Setting up ca-certificates-java (20230103) ...
  Exception in thread "main" java.lang.InternalError: Error loading 
java.security file
        at java.base/java.security.Security.initialize(Security.java:106)
        at java.base/java.security.Security$1.run(Security.java:84)
        at java.base/java.security.Security$1.run(Security.java:82)
        at 
java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
        at java.base/java.security.Security.<clinit>(Security.java:82)
        at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178)
        at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
        at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
        at 
java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
        at 
java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
        at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55)
        at 
java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
        at 
java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
        at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
        at 
org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
        at 
org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
  dpkg: error processing package ca-certificates-java (--configure):
   installed ca-certificates-java package post-installation script subprocess 
returned error exit status 1
  dpkg: dependency problems prevent configuration of 
openjdk-17-jre-headless:amd64:
   openjdk-17-jre-headless:amd64 depends on ca-certificates-java (>= 
20190405~); however:
    Package ca-certificates-java is not configured yet.
  
  dpkg: error processing package openjdk-17-jre-headless:amd64 (--configure):
   dependency problems - leaving unconfigured
  dpkg: dependency problems prevent configuration of openjdk-17-jre:amd64:
   openjdk-17-jre:amd64 depends on openjdk-17-jre-headless (= 
17.0.7+7-1~deb12u1); however:
    Package openjdk-17-jre-headless:amd64 is not configured yet.
  
  dpkg: error processing package openjdk-17-jre:amd64 (--configure):
   dependency problems - leaving unconfigured
  Processing triggers for libc-bin (2.36-9) ...
  Processing triggers for ca-certificates (20230311) ...
  Updating certificates in /etc/ssl/certs...
  0 added, 0 removed; done.
  Running hooks in /etc/ca-certificates/update.d...
  done.
  Errors were encountered while processing:
   ca-certificates-java
   openjdk-17-jre-headless:amd64
   openjdk-17-jre:amd64


I'm attaching two patches with the backported changes from sid that seem
to fix this issue. More installation and upgrade tests are running.


Andreas

Attachment: openjdk-17-jre-headless_17.0.7+7-1~deb11u1.log.gz
Description: application/gzip

Attachment: openjdk-17-jre_17.0.7+7-1~deb12u1.log.gz
Description: application/gzip

>From f020db198e9e96dbc9ddaf4b3dbe3d9247b85ae5 Mon Sep 17 00:00:00 2001
From: Matthias Klose <d...@ubuntu.com>
Date: Tue, 20 Jun 2023 06:13:02 +0200
Subject: [PATCH]   [ Vladimir Petko ]   * d/ca-certificates-java.postinst:
 Work-around not yet configured jre.

(cherry picked from commit 561054ed46afe59b5996974e168418362c872d20)
---
 debian/changelog | 8 ++++++++
 debian/postinst  | 7 +++++++
 2 files changed, 15 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e35274e..a49805a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ca-certificates-java (20190909+deb11u1) bullseye; urgency=medium
+
+  [ Vladimir Petko ]
+  * d/ca-certificates-java.postinst: Work-around not yet configured jre.
+    (Closes: #1039472)
+
+ -- Andreas Beckmann <a...@debian.org>  Tue, 27 Jun 2023 01:12:19 +0200
+
 ca-certificates-java (20190909) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/postinst b/debian/postinst
index 555f87b..7d68036 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -50,6 +50,13 @@ setup_path()
         if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
             export JAVA_HOME=/usr/lib/jvm/$jvm
             PATH=$JAVA_HOME/bin:$PATH
+           # copy java.security to allow import to function
+           security_conf=/etc/${jvm%-${arch}}/security
+           if [ -f ${security_conf}/java.security.dpkg-new ] \
+               && [ ! -f ${security_conf}/java.security ]; then
+                       cp -v ${security_conf}/java.security.dpkg-new \
+                               ${security_conf}/java.security
+           fi
             break
         fi
     done
-- 
2.20.1

>From 5e28251b06c164dff5e25f7429157285caac8d0d Mon Sep 17 00:00:00 2001
From: Matthias Klose <d...@ubuntu.com>
Date: Tue, 20 Jun 2023 06:13:02 +0200
Subject: [PATCH]   [ Vladimir Petko ]   * d/ca-certificates-java.postinst:
 Work-around not yet configured jre.

(cherry picked from commit 561054ed46afe59b5996974e168418362c872d20)
---
 debian/ca-certificates-java.postinst | 7 +++++++
 debian/changelog                     | 8 ++++++++
 2 files changed, 15 insertions(+)

diff --git a/debian/ca-certificates-java.postinst 
b/debian/ca-certificates-java.postinst
index 94c6c03..2c37582 100644
--- a/debian/ca-certificates-java.postinst
+++ b/debian/ca-certificates-java.postinst
@@ -31,6 +31,13 @@ setup_path()
                        if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
                                export JAVA_HOME=/usr/lib/jvm/$jvm
                                PATH=$JAVA_HOME/bin:$PATH
+                               # copy java.security to allow import to function
+                               security_conf=/etc/${jvm%-${arch}}/security
+                               if [ -f ${security_conf}/java.security.dpkg-new 
] \
+                                       && [ ! -f 
${security_conf}/java.security ]; then
+                                               cp -v 
${security_conf}/java.security.dpkg-new \
+                                                       
${security_conf}/java.security
+                               fi
                                break 2
                        fi
                done
diff --git a/debian/changelog b/debian/changelog
index c316775..6e242fe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ca-certificates-java (20230103+deb12u1) bookworm; urgency=medium
+
+  [ Vladimir Petko ]
+  * d/ca-certificates-java.postinst: Work-around not yet configured jre.
+    (Closes: #1039472)
+
+ -- Andreas Beckmann <a...@debian.org>  Tue, 27 Jun 2023 01:57:21 +0200
+
 ca-certificates-java (20230103) unstable; urgency=medium
 
   * Promote again the JRE recommendation to a dependency. Otherwise
-- 
2.20.1

Reply via email to