openjdk team mailing list archive
Message #12977
[Bug 1771363] Re: ca-certificates-java: convert PKCS12 cacerts keystore to JKS
The attached patch fixes this behavior by:
1) Detecting if a PKCS12 cacert exists
2) Converting it to JKS and saving it to cacerts.dpkg-new
Finally, if, and only if, 'cacerts_updates' is set to 'yes':
3) Moving the old PKCS12 cacerts to a cacerts.dpkg-old and the dpkg-new into /etc/ssl/certs/java/cacerts.
Additionally, the proposed debdiff also takes care of only setting
JAVA_HOME if a jvm is found. Previously, if none of the jvms in the
list were found, the last jvm was used - although that didn't cause
any unexpected errors, it was wrong.
** Patch added: "ca-certificates-java_20180413ubuntu1_debdiff_20180413ubuntu2.patch"
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1771363/+attachment/5139841/+files/ca-certificates-java_20180413ubuntu1_debdiff_20180413ubuntu2.patch
** Tags added: bionic cosmic patch
** Bug watch added: Debian Bug tracker #898678
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898678
** Also affects: ca-certificates-java (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898678
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/1771363
Title:
ca-certificates-java: convert PKCS12 cacerts keystore to JKS
Status in ca-certificates-java package in Ubuntu:
New
Status in ca-certificates-java package in Debian:
Unknown
Bug description:
The fix for Debian #894979 and Ubuntu bug #1739631, which updated ca-certificates-java to generate
JKS keystores by default - instead of OpenJDK 9+'s default of PKCS12 - only fixes new installs.
Any user already affected by that issue won't benefit from the fix, as the file /etc/ssl/certs/java/cacerts is at most updated by the jks-keystore hook. The only way to actually change it from the PKCS12 to the JKS format is to remove the cacerts file and then call 'update-ca-certificates -f' - which is also accomplished by removing and then reinstalling the ca-certificates-java package.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1771363/+subscriptions
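The three steps described in the message above (detect a PKCS12 cacerts, convert it to JKS as cacerts.dpkg-new, swap it in only when told to), as an added shell sketch that is not the attached patch or the package's own code. The function names, the magic-byte detection, the STOREPASS variable and the "changeit" store password are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the attached patch. Assumed names: keystore_type,
# convert_if_pkcs12, STOREPASS; "changeit" is an assumed store password.

# Print "jks", "pkcs12" or "unknown" for the file given as $1.
keystore_type() {
    [ -r "$1" ] || { echo unknown; return 0; }
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo jks ;;      # JKS files start with 0xFEEDFEED
        30*)      echo pkcs12 ;;   # heuristic: PKCS12 is DER, outer SEQUENCE tag 0x30
        *)        echo unknown ;;  # empty, truncated or unrelated file
    esac
}

# Convert $1 to JKS as $1.dpkg-new; replace $1 only when $2 is "yes".
convert_if_pkcs12() {
    ks=$1; apply=${2:-no}; pass=${STOREPASS:-changeit}
    # Nothing to do for a keystore that is already JKS (or not a keystore).
    [ "$(keystore_type "$ks")" = pkcs12 ] || return 0
    rm -f "$ks.dpkg-new"
    keytool -importkeystore -noprompt \
        -srckeystore "$ks" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$ks.dpkg-new" -deststoretype JKS -deststorepass "$pass" \
        || return 1
    # Refuse to install a result that is not actually JKS.
    [ "$(keystore_type "$ks.dpkg-new")" = jks ] || return 1
    if [ "$apply" = yes ]; then
        # Keep the old trust store so the change can be reviewed or reverted.
        mv "$ks" "$ks.dpkg-old" && mv "$ks.dpkg-new" "$ks"
    fi
}

# Run only when a path is given, e.g.: sh convert.sh /etc/ssl/certs/java/cacerts yes
[ "$#" -eq 0 ] || convert_if_pkcs12 "$@"
```

Any DER-encoded file begins with 0x30, so the PKCS12 branch is a format hint rather than proof; the keytool import is what actually validates the store.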