openjdk team mailing list archive
Message #05728
Bug#623672: Chokes on certificates with accented characters (LANG=C LC_ALL=C is wrong)
Package: ca-certificates-java
Version: 20100412
Severity: grave
Tags: patch
The pattern for errors is non-us-ascii characters in CA cert names.
creating /etc/ssl/certs/java/cacerts...
added certificate mozilla/ACEDICOM_Root.crt
error adding mozilla/AC_Raíz_Certicámara_S.A..crt
added certificate mozilla/ApplicationCA_-_Japanese_Government.crt
added certificate mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
added certificate mozilla/Buypass_Class_2_CA_1.crt
added certificate mozilla/Buypass_Class_3_CA_1.crt
added certificate mozilla/CA_Disig.crt
added certificate mozilla/CNNIC_ROOT.crt
added certificate mozilla/Certigna.crt
added certificate mozilla/Chambers_of_Commerce_Root_-_2008.crt
added certificate mozilla/ComSign_CA.crt
added certificate mozilla/ComSign_Secured_CA.crt
added certificate mozilla/Cybertrust_Global_Root.crt
added certificate mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt
error adding mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
added certificate mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
added certificate mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
added certificate mozilla/GlobalSign_Root_CA_-_R3.crt
added certificate mozilla/Global_Chambersign_Root_-_2008.crt
added certificate mozilla/Hongkong_Post_Root_CA_1.crt
added certificate mozilla/IGC_A.crt
added certificate mozilla/Izenpe.com.crt
added certificate mozilla/Juur-SK.crt
added certificate mozilla/Microsec_e-Szigno_Root_CA.crt
added certificate mozilla/Microsec_e-Szigno_Root_CA_2009.crt
error adding mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
added certificate mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
added certificate mozilla/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt
added certificate mozilla/SecureSign_RootCA11.crt
added certificate mozilla/Security_Communication_EV_RootCA1.crt
added certificate mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
added certificate mozilla/TC_TrustCenter_Class_2_CA_II.crt
added certificate mozilla/TC_TrustCenter_Class_3_CA_II.crt
added certificate mozilla/TC_TrustCenter_Universal_CA_I.crt
added certificate mozilla/TC_TrustCenter_Universal_CA_III.crt
error adding mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt
added certificate mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
added certificate mozilla/VeriSign_Universal_Root_Certification_Authority.crt
added certificate mozilla/certSIGN_ROOT_CA.crt
added certificate mozilla/ePKI_Root_Certification_Authority.crt
added certificate mozilla/thawte_Primary_Root_CA_-_G2.crt
added certificate mozilla/thawte_Primary_Root_CA_-_G3.crt
I tried hacking the scripts and the problem is LANG=C LC_ALL=C which
breaks Unicode characters.
I am attaching a patch which fixes this breakage.
O.
-- System Information:
Debian Release: 6.0.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ca-certificates-java depends on:
ii ca-certificates 20090814+nmu2 Common CA certificates
ii default-jre-headle 1:1.6-40 Standard Java or Java compatible R
ii openjdk-6-jre-head 6b18-1.8.3-2+squeeze1 OpenJDK Java runtime, using Hotspo
Versions of packages ca-certificates-java recommends:
ii libnss3-1d 3.12.8-1+squeeze1 Network Security Service libraries
ca-certificates-java suggests no packages.
-- Configuration Files:
/etc/default/cacerts [Errno 13] Permission denied: u'/etc/default/cacerts'
-- no debconf information
diff -urNap ca-certificates-java-20100412~/debian/control ca-certificates-java-20100412/debian/control
--- ca-certificates-java-20100412~/debian/control 2010-04-11 19:11:52.000000000 +0000
+++ ca-certificates-java-20100412/debian/control 2011-04-22 06:56:13.918886021 +0000
@@ -3,12 +3,12 @@ Section: java
Priority: optional
Maintainer: OpenJDK Team <openjdk@xxxxxxxxxxxxxxxxxxx>
Uploaders: Matthias Klose <doko@xxxxxxxxxx>
-Build-Depends: debhelper (>= 6), ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2)
+Build-Depends: debhelper (>= 6), locales-all, ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2)
Standards-Version: 3.8.4
Package: ca-certificates-java
Architecture: all
-Depends: ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2) | java6-runtime-headless, ${misc:Depends}
+Depends: locales-all, ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2) | java6-runtime-headless, ${misc:Depends}
Recommends: libnss3-1d
Description: Common CA certificates (JKS keystore)
This package uses the hooks of the ca-certificates package to update the
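Review bot: Adding locales-all to the Depends line makes every installation of ca-certificates-java pull in the full set of compiled locales only so that en_US.UTF-8 is guaranteed to exist when the maintainer scripts run. That is a heavy hard dependency for a package that headless JRE installs depend on, and the same applies to the Build-Depends line for build chroots. Prefer a fix that does not need a specific locale at runtime, for example by not passing the non-ASCII file name to keytool at all, and then drop both locales-all additions.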
diff -urNap ca-certificates-java-20100412~/debian/jks-keystore.hook ca-certificates-java-20100412/debian/jks-keystore.hook
--- ca-certificates-java-20100412~/debian/jks-keystore.hook 2010-04-11 18:47:48.000000000 +0000
+++ ca-certificates-java-20100412/debian/jks-keystore.hook 2011-04-22 06:57:09.442884938 +0000
@@ -46,7 +46,7 @@ while read line; do
pem=${line#[+-]*}
alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _)
alias=${alias%*_}
- LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE \
+ LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -list -keystore $KEYSTORE \
-storepass "$storepass" -alias "$alias" >/dev/null 2>&1 \
&& exists=yes || exists=no
case "$line" in
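Review bot: The locale change on this keytool -list call looks unnecessary. The only variable argument is "$alias", which the context lines above reduce to a-z0-9 and underscore with tr -cs a-z0-9 _, and the output goes to /dev/null, so no non-ASCII data reaches keytool here. The same holds for the alias-only -delete calls later in this file and in postinst. Leaving those at LANG=C LC_ALL=C keeps the patch limited to the -importcert calls that actually take the certificate path.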
@@ -54,12 +54,12 @@ while read line; do
if [ "$exists" = yes ]; then
echo " already exists: ${line#+*}"
else
- if LANG=C LC_ALL=C keytool -importcert -trustcacerts \
+ if LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -importcert -trustcacerts \
-keystore $KEYSTORE -noprompt -storepass "$storepass" \
-alias "$alias" -file "$pem" > $log 2>&1
then
echo " added: ${line#+*}"
- elif LANG=C LC_ALL=C keytool -importcert -trustcacerts \
+ elif LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -importcert -trustcacerts \
-keystore $KEYSTORE -noprompt -storepass "$storepass" \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg '${java.home}/lib/security/nss.cfg' \
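Review bot: The -file "$pem" argument in both -importcert branches is the one place where the accented file name is handed to keytool, and the fix relies on a hard-coded en_US.UTF-8 being present on the host. If that locale is missing, the import fails the same way as before and the CA is silently left out of the Java trust store. keytool reads the certificate from standard input when -file is omitted, so redirecting the file from the shell (< "$pem") instead of using -file would keep the JVM away from the file name and make the locale irrelevant. If the locale approach is kept, the script should at least check that the import succeeded for every listed certificate and fail loudly otherwise.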
@@ -77,12 +77,12 @@ while read line; do
;;
-*)
if [ "$exists" = yes ]; then
- if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+ if LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -delete -keystore $KEYSTORE \
-noprompt -storepass "$storepass" \
-alias "$alias"
then
echo " removed ${line#-*}"
- elif LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+ elif LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -delete -keystore $KEYSTORE \
-noprompt -storepass "$storepass" \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg '${java.home}/lib/security/nss.cfg' \
diff -urNap ca-certificates-java-20100412~/debian/postinst ca-certificates-java-20100412/debian/postinst
--- ca-certificates-java-20100412~/debian/postinst 2010-04-11 18:44:23.000000000 +0000
+++ ca-certificates-java-20100412/debian/postinst 2011-04-22 06:56:43.045376122 +0000
@@ -27,7 +27,7 @@ first_install()
# aliases of pregenerated files
pregenerated=$(tempfile)
- LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE -storepass "$storepass" \
+ LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -list -keystore $KEYSTORE -storepass "$storepass" \
| awk -F, '/^Certificate fingerprint/ { print s } { s=$1 } ' \
| sort > $pregenerated
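Review bot: The output of this keytool -list call is parsed by awk with the pattern /^Certificate fingerprint/, so it depends on keytool printing English messages. LANG=C LC_ALL=C pinned that; en_US.UTF-8 still yields English, but nothing in the script records the constraint, and a later change to another UTF-8 locale would leave $pregenerated empty without any error. Since no file name is passed on this line, keep it at the C locale, or add a comment stating that the awk pattern requires English output.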
@@ -40,7 +40,7 @@ first_install()
case "$line" in
!*)
# remove untrusted certificate
- if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+ if LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -delete -keystore $KEYSTORE \
-storepass "$storepass" -alias "$alias" >/dev/null
then
echo " removed untrusted certificate $pem"
@@ -56,12 +56,12 @@ first_install()
continue
fi
if ! grep -q "^${alias}$" $pregenerated; then
- if LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
+ if LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -importcert -trustcacerts -keystore $KEYSTORE \
-noprompt -storepass "$storepass" \
-alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
then
echo " added certificate $pem"
- elif LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
+ elif LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -importcert -trustcacerts -keystore $KEYSTORE \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg '${java.home}/lib/security/nss.cfg' \
-noprompt -storepass "$storepass" \
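Review bot: The literal LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 prefix is now repeated on every keytool line in postinst and jks-keystore.hook, which makes it easy for one call to drift from the others. LC_ALL already overrides LANG, so setting both is redundant. Define the locale once near the top of each script in a variable and use that in front of the -importcert calls with -file "$cacertdir/$pem", so a later change (or a fallback when the locale is unavailable) is made in one place.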
diff -urNap ca-certificates-java-20100412~/debian/rules ca-certificates-java-20100412/debian/rules
--- ca-certificates-java-20100412~/debian/rules 2010-04-11 18:41:56.000000000 +0000
+++ ca-certificates-java-20100412/debian/rules 2011-04-22 06:59:31.726384953 +0000
@@ -17,12 +17,12 @@ build-stamp:
alias=$$(basename $$crt .crt | tr A-Z a-z | tr -cs a-z0-9 _); \
alias=$${alias%*_}; \
echo "IMPORT: $$crt, alias=$$alias"; \
- if keytool -importcert -trustcacerts -keystore build/cacerts \
+ if LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -importcert -trustcacerts -keystore build/cacerts \
-storepass 'changeit' \
-alias "$$alias" -file "/usr/share/ca-certificates/$$crt" > keytool.log 2>&1; \
then \
cat keytool.log; \
- elif keytool -importcert -trustcacerts -keystore build/cacerts \
+ elif LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -importcert -trustcacerts -keystore build/cacerts \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg '$${java.home}/lib/security/nss.cfg' \
-storepass 'changeit' \
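Review bot: In debian/rules the removed lines had no locale prefix at all, so the build previously inherited whatever environment the builder provided, and this hunk changes the build to require en_US.UTF-8 inside the build chroot. Rather than prefixing each keytool call in the recipe, set the locale once with an export at the top of debian/rules, and note in the changelog that the pregenerated build/cacerts previously may have been missing the certificates with accented names, so users know the shipped keystore contents change.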