openjdk team mailing list archive

[Bug 1743139] Re: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

 

I'm not sure that changing the trust store password, or setting
javax.net.ssl.trustStorePassword by default, is the right way to fix
this. Oracle's JRE contains a keystore with the same password
("changeit") but doesn't require this property to be set.

I noticed that /etc/ssl/certs/java/cacerts in 18.04 is a PKCS12
keystore, whereas the keystore bundled with Oracle's JRE (as well as the
cacerts in 17.10) is a JKS keystore:

sam@sam-desktop:~$ keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: PKCS12
sam@sam-desktop:~$ keytool -list -keystore jre-10.0.1/lib/security/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: JKS

If I convert my cacerts file, then things start to work again:

sam@sam-desktop:~$ sudo mv /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.old
...
sam@sam-desktop:~$ sudo keytool -importkeystore -destkeystore /etc/ssl/certs/java/cacerts -deststoretype jks -deststorepass changeit -srckeystore /etc/ssl/certs/java/cacerts.old -srcstoretype pkcs12 -srcstorepass changeit
...
sam@sam-desktop:~$ java HttpsTester
Response code: 200
It worked!

Not sure why a PKCS12 keystore needs a password but a JKS one doesn't,
but maybe whatever is generating /etc/ssl/certs/java/cacerts just needs
to be changed to generate JKS keystores again?

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-9 in Ubuntu.
https://bugs.launchpad.net/bugs/1743139

Title:
  java.security.InvalidAlgorithmParameterException: the trustAnchors
  parameter must be non-empty

Status in openjdk-9 package in Ubuntu:
  Confirmed

Bug description:
  When trying to access anything using Java + HTTPS, the process is
  terminated with a java.security.InvalidAlgorithmParameterException.
  Adding -Djavax.net.ssl.trustStorePassword=changeit to the command line
  flags of java fixes this problem.

  Either the trust store's password should be changed, or this flag
  should be added by default.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-9/+bug/1743139/+subscriptions
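
A way to compare what a trust store yields when it is loaded without a password and with one, written as an added example that is not part of the original message or of the Ubuntu/OpenJDK packaging. The class name TrustStoreProbe is hypothetical; the default path and the "changeit" password are the ones quoted in the message above.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;

public class TrustStoreProbe {
    // Load the store with the given password (null = none supplied) and
    // report what PKIX validation would receive as trust anchors.
    static String probe(String path, char[] password) throws Exception {
        // The default type loads both JKS and PKCS12 files when the JDK's
        // keystore.type.compat security property is enabled (its default).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        try {
            int anchors = new PKIXParameters(ks).getTrustAnchors().size();
            return ks.size() + " entries, " + anchors + " trust anchors";
        } catch (InvalidAlgorithmParameterException e) {
            // Thrown when the loaded store holds no trusted certificate entry;
            // this is the exception named in the bug title.
            return ks.size() + " entries, rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Default path taken from the message; pass other stores as arguments.
        String[] paths = args.length > 0
                ? args
                : new String[] {"/etc/ssl/certs/java/cacerts"};
        for (String path : paths) {
            System.out.println(path);
            System.out.println("  no password:       " + probe(path, null));
            System.out.println("  password changeit: "
                    + probe(path, "changeit".toCharArray()));
        }
    }
}
```

Running it against both the converted cacerts and cacerts.old shows side by side whether each format exposes its certificate entries without a password.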

