← Back to team overview

openjdk team mailing list archive

Bug#602636: ca-certificates-java does not install in pbuilder

 

More information ...

On Sat, Nov 06, 2010 at 02:54:22PM -0500, Steve M. Robbins wrote:

> > failed (VM used: java-6-openjdk).
> > dpkg: error processing ca-certificates-java (--configure):
> >  subprocess installed post-installation script returned error exit status 1
> > configured to not write apport reports

I did a little digging into the post-install script.  It
is failing on the "keytool" invocation, as follows:

		if ! grep -q "^${alias}$" $pregenerated; then
		  if LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
			-noprompt -storepass "$storepass" \
			-alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
		  then
		      echo "  added certificate $pem"
		  elif LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
		        -providerClass sun.security.pkcs11.SunPKCS11 \
		        -providerArg '${java.home}/lib/security/nss.cfg' \
			-noprompt -storepass "$storepass" \
			-alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
		  then
		      echo "  added certificate $pem (using NSS provider)"
		  elif grep -q 'Signature not available' $log; then
		      echo "  ignored import, signature not available: ${line#+*}"
		      sed -e 's/^/   -> /' $log
		  else
		      echo >&2 "  error adding ${line#+*}"
		      errors=$(expr $errors + 1)
		  fi
		fi


Note that there are two attempts at "keytool", the difference is only
that the second attempt adds "-providerClass" and "-providerArg"
options.

Keytool is obviously failing both times since I see the "error adding
..."  output.  By adding a "-v" option to keytool and "type $log" at
the appropriate places, I captured the following output from keytool.

	First keytool attempt
	---------------------

keytool error: java.security.ProviderException: Could not initialize NSS
java.security.ProviderException: Could not initialize NSS
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
        at sun.security.jca.ProviderList.getService(ProviderList.java:330)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
        at java.security.Security.getImpl(Security.java:696)
        at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
        at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
        at sun.security.x509.X509Key.parse(X509Key.java:168)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322)
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1201)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:647)
        at sun.security.tools.KeyTool.run(KeyTool.java:194)
        at sun.security.tools.KeyTool.main(KeyTool.java:188)
Caused by: java.io.IOException: NSS initialization failed
        at sun.security.pkcs11.Secmod.initialize(Secmod.java:216)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:197)
        ... 32 more


	Second keytool attempt
	----------------------

keytool error: java.lang.reflect.InvocationTargetException
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:538)
        at sun.security.tools.KeyTool.run(KeyTool.java:194)
        at sun.security.tools.KeyTool.main(KeyTool.java:188)
Caused by: java.security.ProviderException: Could not initialize NSS
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
        ... 7 more
Caused by: java.io.IOException: NSS initialization failed
        at sun.security.pkcs11.Secmod.initialize(Secmod.java:216)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:197)
        ... 8 more


I still have no root cause, but am hoping this information may trigger
a memory in you, dear reader.

Thanks,
-Steve

Attachment: signature.asc
Description: Digital signature