← Back to team overview

openjdk team mailing list archive

[Bug 1999103] Re: Unable to install ca-certificates-java (20220719) on machine with PKCS12 keystore

 

Probable root cause:
 - package attempts to run keytool before jdk is configured and thus jdk is missing configuration

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/1999103

Title:
  Unable to install ca-certificates-java (20220719) on machine with
  PKCS12 keystore

Status in ca-certificates-java package in Ubuntu:
  New

Bug description:
  
  $ lsb_release -rd
  Description:	Ubuntu 22.10
  Release:	22.10

  $apt-cache policy ca-certificates-java
  ca-certificates-java:
    Installed: 20220719
    Candidate: 20220719

  Steps to reproduce:
  ` sudo apt install openjdk-19-jre`

  Expected: install succeeds
  Actual result:
  `
  sudo apt install openjdk-19-jre
  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  The following additional packages will be installed:
    ca-certificates-java fonts-dejavu-extra java-common libatk-wrapper-java
    libatk-wrapper-java-jni openjdk-19-jre-headless
  Suggested packages:
    default-jre fonts-ipafont-gothic fonts-ipafont-mincho fonts-wqy-microhei
    | fonts-wqy-zenhei
  The following NEW packages will be installed:
    ca-certificates-java fonts-dejavu-extra java-common libatk-wrapper-java
    libatk-wrapper-java-jni openjdk-19-jre openjdk-19-jre-headless
  0 upgraded, 7 newly installed, 0 to remove and 49 not upgraded.
  Need to get 52.4 MB of archives.
  After this operation, 212 MB of additional disk space will be used.
  Do you want to continue? [Y/n] Y
  Get:1 http://nz.archive.ubuntu.com/ubuntu kinetic/main amd64 ca-certificates-java all 20220719 [12.4 kB]
  Get:2 http://nz.archive.ubuntu.com/ubuntu kinetic/main amd64 fonts-dejavu-extra all 2.37-2build1 [2,041 kB]
  Get:3 http://nz.archive.ubuntu.com/ubuntu kinetic/main amd64 java-common all 0.72build2 [6,782 B]
  Get:4 http://nz.archive.ubuntu.com/ubuntu kinetic/main amd64 libatk-wrapper-java all 0.40.0-2 [53.1 kB]
  Get:5 http://nz.archive.ubuntu.com/ubuntu kinetic/main amd64 libatk-wrapper-java-jni amd64 0.40.0-2 [48.6 kB]
  Get:6 http://nz.archive.ubuntu.com/ubuntu kinetic-updates/universe amd64 openjdk-19-jre-headless amd64 19.0.1+10-1 [50.1 MB]
  Get:7 http://nz.archive.ubuntu.com/ubuntu kinetic-updates/universe amd64 openjdk-19-jre amd64 19.0.1+10-1 [180 kB]
  Fetched 52.4 MB in 1s (36.9 MB/s)   
  Selecting previously unselected package ca-certificates-java.
  (Reading database ... 196473 files and directories currently installed.)
  Preparing to unpack .../0-ca-certificates-java_20220719_all.deb ...
  Unpacking ca-certificates-java (20220719) ...
  Selecting previously unselected package fonts-dejavu-extra.
  Preparing to unpack .../1-fonts-dejavu-extra_2.37-2build1_all.deb ...
  Unpacking fonts-dejavu-extra (2.37-2build1) ...
  Selecting previously unselected package java-common.
  Preparing to unpack .../2-java-common_0.72build2_all.deb ...
  Unpacking java-common (0.72build2) ...
  Selecting previously unselected package libatk-wrapper-java.
  Preparing to unpack .../3-libatk-wrapper-java_0.40.0-2_all.deb ...
  Unpacking libatk-wrapper-java (0.40.0-2) ...
  Selecting previously unselected package libatk-wrapper-java-jni:amd64.
  Preparing to unpack .../4-libatk-wrapper-java-jni_0.40.0-2_amd64.deb ...
  Unpacking libatk-wrapper-java-jni:amd64 (0.40.0-2) ...
  Selecting previously unselected package openjdk-19-jre-headless:amd64.
  Preparing to unpack .../5-openjdk-19-jre-headless_19.0.1+10-1_amd64.deb ...
  Unpacking openjdk-19-jre-headless:amd64 (19.0.1+10-1) ...
  Selecting previously unselected package openjdk-19-jre:amd64.
  Preparing to unpack .../6-openjdk-19-jre_19.0.1+10-1_amd64.deb ...
  Unpacking openjdk-19-jre:amd64 (19.0.1+10-1) ...
  Setting up java-common (0.72build2) ...
  Setting up fonts-dejavu-extra (2.37-2build1) ...
  Setting up libatk-wrapper-java (0.40.0-2) ...
  Setting up ca-certificates-java (20220719) ...
  Exception in thread "main" java.lang.ExceptionInInitializerError
  	at java.base/javax.crypto.Cipher.getInstance(Cipher.java:548)
  	at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineLoad$1(PKCS
  12KeyStore.java:2136)
  	at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12
  KeyStore.java:257)
  	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStor
  e.java:2134)
  	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDele
  gator.java:226)
  	at java.base/java.security.KeyStore.load(KeyStore.java:1502)
  	at java.base/java.security.KeyStore.getInstance(KeyStore.java:1828)
  	at java.base/java.security.KeyStore.getInstance(KeyStore.java:1710)
  	at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:944)
  	at java.base/sun.security.tools.keytool.Main.run(Main.java:420)
  	at java.base/sun.security.tools.keytool.Main.main(Main.java:413)
  Caused by: java.lang.SecurityException: Can not initialize cryptographic mechani
  sm
  	at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:119)
  	... 11 more
  Caused by: java.lang.SecurityException: Couldn't parse jurisdiction policy files
   in: unlimited
  	at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecur
  ity.java:364)
  	at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:110)
  	at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:107)
  	at java.base/java.security.AccessController.doPrivileged(AccessControlle
  r.java:569)
  	at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:106)
  	... 11 more
  org.debian.security.InvalidKeystorePasswordException: Cannot open Java keystore.
   Is the password correct?
  	at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:68)
  	at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:52)
  	at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java
  :65)
  	at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:5
  1)
  Caused by: java.io.IOException: Invalid keystore format
  	at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.
  java:688)
  	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDele
  gator.java:226)
  	at java.base/java.security.KeyStore.load(KeyStore.java:1502)
  	at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:66)
  	... 3 more
  dpkg: error processing package ca-certificates-java (--configure):
   installed ca-certificates-java package post-installation script subprocess retu
  rned error exit status 1
  dpkg: dependency problems prevent configuration of openjdk-19-jre-headless:amd64
  :
   openjdk-19-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); h
  owever:
    Package ca-certificates-java is not configured yet.

  dpkg: error processing package openjdk-19-jre-headless:amd64 (--configure):
   dependency problems - leaving unconfigured
  Setting up libatk-wrapper-java-jni:amd64 (0.40.0-2) ...
  No apport report written because the error message indicates its a followup erro
  r from a previous failure.
                            dpkg: dependency problems prevent configuration of ope
  njdk-19-jre:amd64:
   openjdk-19-jre:amd64 depends on openjdk-19-jre-headless (= 19.0.1+10-1); howeve
  r:
    Package openjdk-19-jre-headless:amd64 is not configured yet.

  dpkg: error processing package openjdk-19-jre:amd64 (--configure):
   dependency problems - leaving unconfigured
  Processing triggers for fontconfig (2.13.1-4.4ubuntu1) ...
  No apport report written because the error message indicates its a followup erro
  r from a previous failure.
                            Processing triggers for desktop-file-utils (0.26-1ubun
  tu4) ...
  Processing triggers for hicolor-icon-theme (0.17-2) ...
  Processing triggers for gnome-menus (3.36.0-1ubuntu3) ...
  Processing triggers for man-db (2.10.2-2) ...
  Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
  Errors were encountered while processing:
   ca-certificates-java
   openjdk-19-jre-headless:amd64
   openjdk-19-jre:amd64
  E: Sub-process /usr/bin/dpkg returned an error code (1)
  `

  Same applies for openjdk-11:

  `
   sudo apt install openjdk-11-jre
  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  The following additional packages will be installed:
    openjdk-11-jre-headless
  Suggested packages:
    fonts-ipafont-gothic fonts-ipafont-mincho fonts-wqy-microhei
    | fonts-wqy-zenhei
  The following NEW packages will be installed:
    openjdk-11-jre openjdk-11-jre-headless
  0 upgraded, 2 newly installed, 0 to remove and 49 not upgraded.
  3 not fully installed or removed.
  Need to get 41.5 MB of archives.
  After this operation, 172 MB of additional disk space will be used.
  Do you want to continue? [Y/n] Y
  Get:1 http://nz.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 openjdk-11-jre-headless amd64 11.0.17+8-1ubuntu2 [41.3 MB]
  Get:2 http://nz.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 openjdk-11-jre amd64 11.0.17+8-1ubuntu2 [189 kB]
  Fetched 41.5 MB in 6s (6,627 kB/s)                                             
  Selecting previously unselected package openjdk-11-jre-headless:amd64.
  (Reading database ... 196855 files and directories currently installed.)
  Preparing to unpack .../openjdk-11-jre-headless_11.0.17+8-1ubuntu2_amd64.deb ...
  Unpacking openjdk-11-jre-headless:amd64 (11.0.17+8-1ubuntu2) ...
  Selecting previously unselected package openjdk-11-jre:amd64.
  Preparing to unpack .../openjdk-11-jre_11.0.17+8-1ubuntu2_amd64.deb ...
  Unpacking openjdk-11-jre:amd64 (11.0.17+8-1ubuntu2) ...
  Setting up ca-certificates-java (20220719) ...
  Exception in thread "main" java.lang.ExceptionInInitializerError
  	at java.base/javax.crypto.SecretKeyFactory.nextSpi(SecretKeyFactory.java
  :303)
  	at java.base/javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:
  121)
  	at java.base/javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.
  java:168)
  	at java.base/sun.security.pkcs12.PKCS12KeyStore.getPBEKey(PKCS12KeyStore
  .java:853)
  	at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineLoad$1(PKCS
  12KeyStore.java:2108)
  	at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12
  KeyStore.java:276)
  	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStor
  e.java:2106)
  	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDele
  gator.java:222)
  	at java.base/java.security.KeyStore.load(KeyStore.java:1479)
  	at java.base/java.security.KeyStore.getInstance(KeyStore.java:1807)
  	at java.base/java.security.KeyStore.getInstance(KeyStore.java:1687)
  	at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:928)
  	at java.base/sun.security.tools.keytool.Main.run(Main.java:412)
  	at java.base/sun.security.tools.keytool.Main.main(Main.java:405)
  Caused by: java.lang.SecurityException: Can not initialize cryptographic mechani
  sm
  	at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:120)
  	... 14 more
  Caused by: java.lang.SecurityException: Couldn't parse jurisdiction policy files
   in: unlimited
  	at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecur
  ity.java:357)
  	at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:111)
  	at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:108)
  	at java.base/java.security.AccessController.doPrivileged(Native Method)
  	at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:107)
  	... 14 more
  org.debian.security.InvalidKeystorePasswordException: Cannot open Java keystore.
   Is the password correct?
  	at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:68)
  	at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:52)
  	at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java
  :65)
  	at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:5
  1)
  Caused by: java.io.IOException: Invalid keystore format
  	at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.
  java:670)
  	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDele
  gator.java:222)
  	at java.base/java.security.KeyStore.load(KeyStore.java:1479)
  	at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:66)
  	... 3 more
  dpkg: error processing package ca-certificates-java (--configure):
   installed ca-certificates-java package post-installation script subprocess retu
  rned error exit status 1
  dpkg: dependency problems prevent configuration of openjdk-19-jre-headless:amd64
  :
   openjdk-19-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); h
  owever:
    Package ca-certificates-java is not configured yet.

  dpkg: error processing package openjdk-19-jre-headless:amd64 (--configure):
   dependency problems - leaving unconfigured
  No apport report written because the error message indicates its a followup erro
  r from a previous failure.
                            dpkg: dependency problems prevent configuration of ope
  njdk-11-jre-headless:amd64:
   openjdk-11-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); h
  owever:
    Package ca-certificates-java is not configured yet.

  dpkg: error processing package openjdk-11-jre-headless:amd64 (--configure):
   dependency problems - leaving unconfigured
  No apport report written because the error message indicates its a followup erro
  r from a previous failure.
                            dpkg: dependency problems prevent configuration of ope
  njdk-11-jre:amd64:
   openjdk-11-jre:amd64 depends on openjdk-11-jre-headless (= 11.0.17+8-1ubuntu2);
   however:
    Package openjdk-11-jre-headless:amd64 is not configured yet.

  dpkg: error processing package openjdk-11-jre:amd64 (--configure):
   dependency problems - leaving unconfigured
  No apport report written because MaxReports is reached already
                                                                dpkg: dependency p
  roblems prevent configuration of openjdk-19-jre:amd64:
   openjdk-19-jre:amd64 depends on openjdk-19-jre-headless (= 19.0.1+10-1); howeve
  r:
    Package openjdk-19-jre-headless:amd64 is not configured yet.

  dpkg: error processing package openjdk-19-jre:amd64 (--configure):
   dependency problems - leaving unconfigured
  No apport report written because MaxReports is reached already
                                                                Processing trigger
  s for desktop-file-utils (0.26-1ubuntu4) ...
  Processing triggers for hicolor-icon-theme (0.17-2) ...
  Processing triggers for gnome-menus (3.36.0-1ubuntu3) ...
  Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
  Errors were encountered while processing:
   ca-certificates-java
   openjdk-19-jre-headless:amd64
   openjdk-11-jre-headless:amd64
   openjdk-11-jre:amd64
   openjdk-19-jre:amd64
  E: Sub-process /usr/bin/dpkg returned an error code (1)
  `

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1999103/+subscriptions



References