** Description changed:

+ [Impact]
+ Any user already affected by the issue described in bug 1739631 won't benefit
+ from the fix, as that fix only prevents the issue from happening in new installs.
+ 
+ [Cause]
+ Same as described in bug 1739631 and copied here.
+ 
+ The ca-certificates-java version 20170930 (or earlier) used the default
+ keystore type to create /etc/ssl/certs/java/cacerts - if the file already
+ existed, its contents were just updated without changing the keystore type.
+ 
+ From openjdk-9 upwards the default keystore type changed from 'jks' to
+ 'pkcs12' [1] by means of JEP 229 [2]. A JKS keystore can be read without
+ supplying a password (or by supplying an empty one) while a PKCS12
+ keystore requires a password to be set.
+ 
+ Thus a /etc/ssl/certs/java/cacerts created in the PKCS12 format will
+ fail to be loaded, as by default the truststore password is empty - to
+ avoid that the user must set -Djavax.net.ssl.trustStorePassword=<passwd>
+ or define it in /etc/java-XX-openjdk/management/management.properties.
+ A JKS keystore works normally, as the certificates in it can be read
+ when the truststore password is empty.
+ 
+ Ubuntu does *not* set javax.net.ssl.trustStorePassword by default,
+ thus any user that got a cacerts generated as PKCS12 won't be able
+ to make any secure connections from Java.
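An added example (not part of this bug report, nor of the ca-certificates-java package) that lets an administrator tell whether an existing /etc/ssl/certs/java/cacerts is the affected PKCS12 kind without running keytool and without knowing any password: it reads the file's magic bytes (JKS files begin with 0xFEEDFEED, JCEKS with 0xCECECECE, and a PKCS12 file is a DER SEQUENCE, so it begins with 0x30) and flags a PKCS12 store as one that Java will treat as empty unless -Djavax.net.ssl.trustStorePassword is set. The function names and the default path argument are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the bug report or ca-certificates-java: classify a
# Java keystore by its on-disk magic. No keytool and no password needed.
#   JKS    -> first four bytes 0xFEEDFEED
#   JCEKS  -> first four bytes 0xCECECECE
#   PKCS12 -> DER SEQUENCE, so the first byte is 0x30
keystore_type() {
    # First four bytes as contiguous lowercase hex, e.g. "feedfeed".
    # An unreadable or missing file yields an empty string -> UNKNOWN.
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

# Returns 0 when Java can enumerate the trusted certificates with the default
# (empty) truststore password, i.e. for JKS and JCEKS. A PKCS12 truststore
# needs -Djavax.net.ssl.trustStorePassword=... ("changeit" for Ubuntu's cacerts).
readable_without_password() {
    case "$(keystore_type "$1")" in
        JKS|JCEKS) return 0 ;;
        *)         return 1 ;;
    esac
}

# Report on one keystore path, flagging the situation this bug describes.
report() {
    ks=$1
    type=$(keystore_type "$ks")
    printf '%s: %s\n' "$ks" "$type"
    if [ "$type" = PKCS12 ]; then
        echo "  affected: Java sees this truststore as empty unless" \
             "-Djavax.net.ssl.trustStorePassword is set (bug 1739631)"
    fi
}

# Stand-alone use: check the system cacerts, or a path given as first argument.
ks=${1:-/etc/ssl/certs/java/cacerts}
if [ -r "$ks" ]; then
    report "$ks"
else
    echo "$ks: not found or not readable; pass a keystore path as argument" >&2
fi
```

On a machine hit by this bug the script prints "/etc/ssl/certs/java/cacerts: PKCS12" plus the warning line; after ca-certificates-java 20180516 has migrated the file it prints "JKS", and running it against /etc/ssl/certs/java/cacerts.dpkg-old still shows "PKCS12".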
+ 
+ 
+ [Test Case]
+ Start on a new bionic install/chroot without openjdk
+ 
+ 1. Install openjdk-11
+ $ sudo apt-get install openjdk-11-jdk
+ 
+ 2. Test the keystore with an empty password (optional) and make sure it is a
+ PKCS12
+ $ keytool -list -cacerts
+ Enter keystore password: <leave empty>
+ ***************** WARNING WARNING WARNING *****************
+ * The integrity of the information stored in your keystore *
+ * has NOT been verified! In order to verify its integrity, *
+ * you must provide your keystore password. *
+ ***************** WARNING WARNING WARNING *****************
+ Keystore type: PKCS12
+ Keystore provider: SUN
+ Your keystore contains 0 entries
+ 
+ 3. Test with the "changeit" password
+ $ keytool -list -cacerts
+ Enter keystore password: changeit
+ Keystore type: PKCS12
+ Keystore provider: SUN
+ Your keystore contains 133 entries
+ <snipped various certs>
+ 
+ 4. Create the Java test file
+ $ cat <<EOF >HttpsTester.java
+ import java.net.URL;
+ import javax.net.ssl.HttpsURLConnection;
+ 
+ public class HttpsTester {
+     public static void main(String[] args) throws java.io.IOException {
+         // Opens a TLS connection validated against the default truststore
+         // (/etc/ssl/certs/java/cacerts on Ubuntu).
+         HttpsURLConnection connection =
+             (HttpsURLConnection) new URL("https://www.ubuntu.com").openConnection();
+         System.out.println("Response code: " + connection.getResponseCode());
+         System.out.println("It worked!");
+     }
+ }
+ EOF
+ 
+ 5. Compile it
+ $ javac HttpsTester.java
+ 
+ 6. Run it without a truststore password; with the PKCS12 cacerts this fails,
+ as the truststore is read as empty
+ $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java HttpsTester
+ 
+ 7. Run it again, this time setting the truststore password
+ $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java \
+   -Djavax.net.ssl.trustStorePassword=changeit HttpsTester
+ Response code: 200
+ It worked!
+ 
+ 8. Install the newer ca-certificates-java 20180516; it should
+ migrate cacerts from PKCS12 to JKS. Check that by running step #2
+ again
+ $ keytool -list -cacerts
+ Enter keystore password: <leave empty>
+ ***************** WARNING WARNING WARNING *****************
+ * The integrity of the information stored in your keystore *
+ * has NOT been verified! In order to verify its integrity, *
+ * you must provide your keystore password. *
+ ***************** WARNING WARNING WARNING *****************
+ Keystore type: JKS
+ Keystore provider: SUN
+ Your keystore contains 133 entries
+ <snipped various certs>
+ 
+ 9. The old keystore should be saved as
+ /etc/ssl/certs/java/cacerts.dpkg-old; test that it exists:
+ $ keytool -list -keystore /etc/ssl/certs/java/cacerts.dpkg-old
+ Enter keystore password: <leave empty>
+ ***************** WARNING WARNING WARNING *****************
+ * The integrity of the information stored in your keystore *
+ * has NOT been verified! In order to verify its integrity, *
+ * you must provide your keystore password. *
+ ***************** WARNING WARNING WARNING *****************
+ Keystore type: PKCS12
+ Keystore provider: SUN
+ Your keystore contains 0 entries
+ 
+ 
+ [Regression Potential]
+ * If a user has manually set up their own PKCS12 cacerts and didn't update
+ /etc/default/cacerts to set "cacerts_updates=no" (from the default of
+ "cacerts_updates=yes"), then their custom cacerts will be converted and
+ overwritten. Still, a copy of the previous cacerts is kept at
+ /etc/ssl/certs/java/cacerts.dpkg-old.
+ 
+ [Other Info]
+ The cacerts keystore fix is related to 2 bugs:
+ 1) bug #1739631, fixed by ca-certificates-java 20180413, which changed the
+ default keystore type generated by ca-certificates-java to JKS
+ 
+ [References]
+ [1] The default keystore type is defined by keystore.type in the
+ /etc/java-XX-openjdk/security/java.security file.
+ http://hg.openjdk.java.net/jdk-updates/jdk9u/jdk/annotate/46bd35a597eb/src/java.base/share/conf/security/java.security#l186
+ 
+ [2] JEP 229: Create PKCS12 Keystores by Default
+ http://openjdk.java.net/jeps/229
+ 
+ [Original bug description]
  The fix for Debian #894979 and Ubuntu bug #1739631, which updated
  ca-certificates-java to generate JKS keystores by default - instead of
  OpenJDK 9+'s default of PKCS12 - only fixes new installs.
  
  Any user already affected by that issue won't benefit from the fix, as the
  file /etc/ssl/certs/java/cacerts is at most updated by the jks-keystore hook.
  The only way to actually change it from the PKCS12 to the JKS format is to
  remove the cacerts file and then run 'update-ca-certificates -f' - which is
  also accomplished by removing and then reinstalling the ca-certificates-java
  package.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1771363

Title:
  ca-certificates-java: convert PKCS12 cacerts keystore to JKS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1771363/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
