openjdk team mailing list archive, Message #12966
[Bug 1770553] [NEW] [SRU] backport ca-certificates-java from cosmic (20180413ubuntu1)
Public bug reported:
[Impact]
Any user doing a new install - or upgrading, if openjdk was not installed - can be affected as soon as they install any openjdk-11 package.
[Cause]
The ca-certificates-java version 20170930 (or earlier) used the default keystore to create /etc/ssl/certs/java/cacerts - if the file already existed its contents were just updated.
From openjdk-9 upwards the default keystore type changed from 'jks' to 'pkcs12' [1] by means of JEP 229 [2]. A JKS keystore can be read without supplying a password (or by supplying an empty one) while a PKCS12 keystore requires a password to be set.
Thus a /etc/ssl/certs/java/cacerts created in the pkcs12 format will fail to be loaded as, by default, the truststore password is empty - in order to avoid that the user must set -Djavax.net.ssl.trustStorePassword=<passwd> or define it in /etc/java-XX-openjdk/management/management.properties. A JKS keystore will work normally, as the certificates in it can be read when the truststore password is empty.
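The JKS-versus-PKCS12 difference described above can be checked on disk without a password. The following Python is an added example, not part of this bug report: it classifies a keystore file from its leading bytes, walks the trusted-certificate entries of a JKS file (which are stored in plaintext) and recomputes the keyed SHA-1 digest that is the only password-dependent part of JKS. The layout constants and the "Mighty Aphrodite" digest string are those of the JKS file format; the sample keystore is constructed inline with placeholder certificate bytes.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED      # first four bytes of every JKS file
TRUSTED_CERT_TAG = 2        # JKS entry tag for a trusted certificate
JKS_SALT = b"Mighty Aphrodite"   # fixed string mixed into the JKS integrity digest

def keystore_format(data: bytes) -> str:
    """Classify a keystore file by its leading bytes; no password is needed for this."""
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] == JKS_MAGIC:
        return "JKS"
    if data[:1] == b"\x30":   # DER SEQUENCE: the outer PFX structure of a PKCS12 file
        return "PKCS12"
    return "unknown"

def _read_utf(data: bytes, pos: int):
    n = struct.unpack(">H", data[pos:pos + 2])[0]
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def jks_trusted_cert_aliases(data: bytes) -> list:
    """Walk the plaintext JKS entries; only the trailing digest depends on the password."""
    magic, version, count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    pos, aliases = 12, []
    for _ in range(count):
        tag = struct.unpack(">I", data[pos:pos + 4])[0]
        alias, pos = _read_utf(data, pos + 4)
        pos += 8                                # creation timestamp, ms since the epoch
        if tag != TRUSTED_CERT_TAG:
            raise ValueError("private-key entries are out of scope here")
        if version == 2:
            _, pos = _read_utf(data, pos)       # certificate type, e.g. "X.509"
        pos += 4 + struct.unpack(">I", data[pos:pos + 4])[0]   # skip the DER blob
        aliases.append(alias)
    return aliases

def jks_integrity_ok(data: bytes, password: str) -> bool:
    """Recompute the keyed SHA-1 that keytool verifies only when a password is given."""
    body, stored = data[:-20], data[-20:]
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest() == stored

def build_sample_jks(password: str, aliases=("ca-one", "ca-two")) -> bytes:
    """Constructed test input: a JKS v2 whose 'certificates' are placeholder bytes."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(aliases))
    for alias in aliases:
        name = alias.encode("utf-8")
        body += struct.pack(">IH", TRUSTED_CERT_TAG, len(name)) + name
        body += struct.pack(">QH", 0, 5) + b"X.509" + struct.pack(">I", 4) + b"FAKE"
    return body + hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()
```

Run keystore_format over the bytes of /etc/ssl/certs/java/cacerts to see which format a given install produced; a PKCS12 result is the case this bug describes.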
[Test Case with cacerts 20170930ubuntu1 or earlier]
Start on a new bionic install/chroot without openjdk
1. Install openjdk-11
$ sudo apt-get install openjdk-11-jdk
2. Test the keystore with an empty password (optional) and make sure it is a PKCS12
$ keytool -list -cacerts
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 0 entries
3. Test with the "changeit" password
$ keytool -list -cacerts
Enter keystore password: changeit
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 133 entries
<snipped various certs>
4. Create the java test file
$ cat <<EOF >HttpsTester.java
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public class HttpsTester {
    public static void main(String[] args) throws java.io.IOException {
        // Opens a TLS connection; this fails when the truststore cannot be loaded
        HttpsURLConnection connection = (HttpsURLConnection) new URL("https://www.ubuntu.com").openConnection();
        System.out.println("Response code: " + connection.getResponseCode());
        System.out.println("It worked!");
    }
}
EOF
5. Compile it
$ javac HttpsTester.java
6. Call it
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/java HttpsTester
7. Call it again, this time set the store password
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/java \
-Djavax.net.ssl.trustStorePassword=changeit HttpsTester
Response code: 200
It worked!
[Test Case with cacerts 20180413 or later]
Start on a new bionic install/chroot without openjdk
1. Install openjdk-11
$ sudo apt-get install openjdk-11-jdk
2. Test the keystore with an empty password (optional) and make sure it is a JKS
$ keytool -list -cacerts
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 133 entries
<snipped various certs>
3. Test with the "changeit" password
$ keytool -list -cacerts
Enter keystore password: changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 133 entries
<snipped various certs>
4. Create the java test file
$ cat <<EOF >HttpsTester.java
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public class HttpsTester {
    public static void main(String[] args) throws java.io.IOException {
        // Opens a TLS connection; succeeds once the truststore loads correctly
        HttpsURLConnection connection = (HttpsURLConnection) new URL("https://www.ubuntu.com").openConnection();
        System.out.println("Response code: " + connection.getResponseCode());
        System.out.println("It worked!");
    }
}
EOF
5. Compile it
$ javac HttpsTester.java
6. Call it
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/java HttpsTester
Response code: 200
It worked!
7. Call it again, this time set the store password
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/java \
-Djavax.net.ssl.trustStorePassword=changeit HttpsTester
Response code: 200
It worked!
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result
of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[References]
[1] The default keystore is defined by the keystore.type in the
/etc/java-XX-openjdk/security/java.security file.
http://hg.openjdk.java.net/jdk-updates/jdk9u/jdk/annotate/46bd35a597eb/src/java.base/share/conf/security/java.security#l186
[2] JEP 229: Create PKCS12 Keystores by Default
http://openjdk.java.net/jeps/229
** Affects: ca-certificates-java (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/1770553
Follow ups:
- [Bug 1770553] Update Released (From: Łukasz Zemczak, 2018-07-30)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Launchpad Bug Tracker, 2018-07-30)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Stefan Huehner, 2018-07-18)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Cliff Ingham, 2018-07-18)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Fab Trillaud, 2018-07-18)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Fab Trillaud, 2018-07-18)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Łukasz Zemczak, 2018-07-18)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Julian Andres Klode, 2018-07-17)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Tiago Stürmer Daitx, 2018-07-13)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Tiago Stürmer Daitx, 2018-07-13)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Tiago Stürmer Daitx, 2018-07-13)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: F. H., 2018-07-12)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Michael Aaron Murphy, 2018-07-06)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Kay Drangmeister, 2018-06-30)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Aditya Bhargava, 2018-06-30)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Tiago Stürmer Daitx, 2018-05-17)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Tiago Stürmer Daitx, 2018-05-17)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Tiago Stürmer Daitx, 2018-05-17)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) (From: Tiago Stürmer Daitx, 2018-05-17)
- [Bug 1770553] Re: [SRU] backport ca-certificates-java from cosmic (20180413ubuntu1) (From: Launchpad Bug Tracker, 2018-05-11)