This functionality can be implemented using the following Python packages: […]
On Wed, 8 Feb 2023, Vladimir Petko wrote:
This functionality can be implemented using the following Python packages: […]
Make that an “or” dependency then, so that people who already
have the JVM installed don’t need to pull tons of Python3
packages.
bye,
//mirabilos
--
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
****************************************************
/⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against Mit dem tarent-Newsletter nichts mehr verpassen:
╳ HTML eMail! Also, https://www.tarent.de/newsletter
╱ ╲ header encryption!
****************************************************
On Wed, 8 Feb 2023, Vladimir Petko wrote:
This functionality can be implemented using the following Python packages: […]
Make that an “or” dependency then, so that people who already
have the JVM installed don’t need to pull tons of Python3
packages.
bye,
//mirabilos
--
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
****************************************************
/⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against Mit dem tarent-Newsletter nichts mehr verpassen:
╳ HTML eMail! Also, https://www.tarent.de/newsletter
╱ ╲ header encryption!
****************************************************
[2] <a href="https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065">https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065</a><br>[3] <a href="https://launchpad.net/ubuntu/+source/oscrypto">https://launchpad.net/ubuntu/+source/oscrypto</a><br>[4] <a href="https://launchpad.net/ubuntu/+source/pyjks">https://launchpad.net/ubuntu/+source/pyjks</a><br></div></div>
Hi Vladimir,with a dedicated ca-certificate-java8 package maybe). This way installing openjdk-17 would not drag in python dependencies.
Thank you for tackling this annoying issue.
You said that JKS was required to support OpenJDK 8, but there is no such requirement, at the Debian level at least. What about generating a PKCS#12 certstore with OpenSSL instead, would that work? The python script could still be used for OpenJDK 8 (
Emmanuel Bourg
Le 2023-02-07 20:12, Vladimir Petko a écrit :
Dear Maintainers,
Would it be possible to consider a proposal to break dependency of ca-certificates-java on the installed JVM?
Abstract
ca-certificates-java package contains a circular dependency with Java that causes issues during openjdk installation.
I am proposing switching the ca-certificate-java certificate import tool to Python to break the dependency cycle.
Rationale
The certificate import tool in ca-certificate-java is written in Java.
This is a constant source of bugs [1] and requires updates (including stable release updates [2]) whenever a new JDK version comes out. Switching certificate import to Python will remove the maintenance load and break
a cyclic dependency.
Existing Functionality
ca-certificates-java synchronizes content of Java keystore /etc/ssl/certs/java/cacerts with trusted certificates in PEM format located in /etc/ssl/certs using jks-keystore hook registered with ca-certificates package.
During hook invocation or post installation following actions are performed: - ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts and
attempts to convert it into legacy Java Key Store(JKS) format due to the
requirement to support OpenJDK 8.
OpenJDK 11 and up support both legacy and PKCS11 formats.
- ca-certificate-java lists all available certificates in the keystore using
Java keytool, filters certificate aliases and compares the list with the
system certificates.
An input file containing '+debian:<certificate-file-name>' for addition and
'-debian:<certificate-file-name>' is generated and passed to import utility.
Import utility updates /etc/ssl/certs/java/cacerts and sets updated
certificate alias to 'debian:<certificate-file-name>'
Note: Import utility only updates certificates with
'debian:<certificate-file-name>' alias
Requirements
In order to remove dependency on Java, the certificate import tool must:
- List certificate aliases
- Add or update certificate in Java Key Store
- Convert PKCS12 store to JKS format
- Load certificate in PEM format
- Retain any user's certificates in Java Key Store
Implementation
This functionality can be implemented using the following Python packages:
- python3-pyjks: Java Key Store format support [4]. It supports loading,
manipulation and serialization of the JKS files.
It is needed for requirements 1 and 2.
- python3-oscrypto: PKCS12 and X509 support [3]. The package depends on
OpenSSL 3.0. The package supports loading PKCS12 certificate store and
extracting certificates along with SafeBag aliases.
It is needed for requirements 3 and 4.
ca-certificates-java will install the /usr/sbin/ca-certificates-java tool.
It will accept following options:
- sync <password> <input-file> - synchronize the keystore
- list <password> – list certificate aliases in the keystore
- convert <password> <oldstore> <newstore> – convert the keystore into
JKS format.
Best Regards,
Vladimir.
[1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java
[2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065
[3] https://launchpad.net/ubuntu/+source/oscrypto
[4] https://launchpad.net/ubuntu/+source/pyjks
Hi Vladimir,with a dedicated ca-certificate-java8 package maybe). This way installing openjdk-17 would not drag in python dependencies.
Thank you for tackling this annoying issue.
You said that JKS was required to support OpenJDK 8, but there is no such requirement, at the Debian level at least. What about generating a PKCS#12 certstore with OpenSSL instead, would that work? The python script could still be used for OpenJDK 8 (
Emmanuel Bourg
Le 2023-02-07 20:12, Vladimir Petko a écrit :
Dear Maintainers,
Would it be possible to consider a proposal to break dependency of ca-certificates-java on the installed JVM?
Abstract
ca-certificates-java package contains a circular dependency with Java that causes issues during openjdk installation.
I am proposing switching the ca-certificate-java certificate import tool to Python to break the dependency cycle.
Rationale
The certificate import tool in ca-certificate-java is written in Java.
This is a constant source of bugs [1] and requires updates (including stable release updates [2]) whenever a new JDK version comes out. Switching certificate import to Python will remove the maintenance load and break
a cyclic dependency.
Existing Functionality
ca-certificates-java synchronizes content of Java keystore /etc/ssl/certs/java/cacerts with trusted certificates in PEM format located in /etc/ssl/certs using jks-keystore hook registered with ca-certificates package.
During hook invocation or post installation following actions are performed: - ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts and
attempts to convert it into legacy Java Key Store(JKS) format due to the
requirement to support OpenJDK 8.
OpenJDK 11 and up support both legacy and PKCS11 formats.
- ca-certificate-java lists all available certificates in the keystore using
Java keytool, filters certificate aliases and compares the list with the
system certificates.
An input file containing '+debian:<certificate-file-name>' for addition and
'-debian:<certificate-file-name>' is generated and passed to import utility.
Import utility updates /etc/ssl/certs/java/cacerts and sets updated
certificate alias to 'debian:<certificate-file-name>'
Note: Import utility only updates certificates with
'debian:<certificate-file-name>' alias
Requirements
In order to remove dependency on Java, the certificate import tool must:
- List certificate aliases
- Add or update certificate in Java Key Store
- Convert PKCS12 store to JKS format
- Load certificate in PEM format
- Retain any user's certificates in Java Key Store
Implementation
This functionality can be implemented using the following Python packages:
- python3-pyjks: Java Key Store format support [4]. It supports loading,
manipulation and serialization of the JKS files.
It is needed for requirements 1 and 2.
- python3-oscrypto: PKCS12 and X509 support [3]. The package depends on
OpenSSL 3.0. The package supports loading PKCS12 certificate store and
extracting certificates along with SafeBag aliases.
It is needed for requirements 3 and 4.
ca-certificates-java will install the /usr/sbin/ca-certificates-java tool.
It will accept following options:
- sync <password> <input-file> - synchronize the keystore
- list <password> – list certificate aliases in the keystore
- convert <password> <oldstore> <newstore> – convert the keystore into
JKS format.
Best Regards,
Vladimir.
[1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java
[2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065
[3] https://launchpad.net/ubuntu/+source/oscrypto
[4] https://launchpad.net/ubuntu/+source/pyjks
Dear Maintainers,<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt'>
Would it be possible to consider a proposal to break dependency of ca-certificates-java on the installed JVM?
Abstract
ca-certificates-java package contains a circular dependency with Java
that
causes issues during openjdk installation.
I am proposing switching the ca-certificate-java certificate import
tool to
Python to break the dependency cycle.
Rationale
The certificate import tool in ca-certificate-java is written in Java.
This is a constant source of bugs [1] and requires updates (including
stable
release updates [2]) whenever a new JDK version comes out. Switching certificate import to Python will remove the maintenance load and break
a cyclic dependency.
Existing Functionality
ca-certificates-java synchronizes content of Java keystore /etc/ssl/certs/java/cacerts with trusted certificates in PEM format
located
in /etc/ssl/certs using jks-keystore hook registered with
ca-certificates
package.
During hook invocation or post installation following actions are
performed:
- ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts
and
attempts to convert it into legacy Java Key Store(JKS) format due to
the
requirement to support OpenJDK 8.
OpenJDK 11 and up support both legacy and PKCS11 formats.
- ca-certificate-java lists all available certificates in the keystore
using
Java keytool, filters certificate aliases and compares the list with
the
system certificates.
An input file containing '+debian:<certificate-file-name>' for addition
and
'-debian:<certificate-file-name>' is generated and passed to import
utility.
Import utility updates /etc/ssl/certs/java/cacerts and sets updated certificate alias to 'debian:<certificate-file-name>'
Note: Import utility only updates certificates with 'debian:<certificate-file-name>' alias
Requirements
In order to remove dependency on Java, the certificate import tool
must:
- List certificate aliases
- Add or update certificate in Java Key Store
- Convert PKCS12 store to JKS format
- Load certificate in PEM format
- Retain any user's certificates in Java Key Store
Implementation
This functionality can be implemented using the following Python
packages:
- python3-pyjks: Java Key Store format support [4]. It supports
loading,
manipulation and serialization of the JKS files.
It is needed for requirements 1 and 2.
- python3-oscrypto: PKCS12 and X509 support [3]. The package depends on OpenSSL 3.0. The package supports loading PKCS12 certificate store and extracting certificates along with SafeBag aliases.
It is needed for requirements 3 and 4.
ca-certificates-java will install the /usr/sbin/ca-certificates-java
tool.
It will accept following options:
- sync <password> <input-file> - synchronize the keystore
- list <password> - list certificate aliases in the keystore
- convert <password> <oldstore> <newstore> - convert the keystore into
JKS format.
Best Regards,
Vladimir.
[1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java
[2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065 [3] https://launchpad.net/ubuntu/+source/oscrypto
[4] https://launchpad.net/ubuntu/+source/pyjks
in sync. A possible scenario is CA being revoked, which results in an
On Wed, 22 Feb 2023, Vladimir Petko wrote:
Just a small clarification, openssl itself allows importing a single >certificate and its chain and overwrites the store in the process, so
we need something like p11-kit.
Another grey area is ORACLE_TrustedKeyUsage attribute - at the moment
Ugh.
How about doing it the “low-tech” way:
– ship a minimal JKS keystore with bin:ca-certificates-java,
generated at build time, that contains a manually vetted
list of roots, perhaps just what’s relevant for Debian
– use a Recommends to get at a JRE
– with trigger, generate a full keystore, once a JRE is there
(The shipped one would need to be in /usr/share/!(doc) and
copied so overwriting it with the generated one works and
we’ll probably need to track hashes of shipped ones so we
can honour admin choices to override the keystore if needed.)
bye,
//mirabilos
--
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
**************************************************** /⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against Mit dem tarent-Newsletter nichts mehr verpassen:
╳ HTML eMail! Also, https://www.tarent.de/newsletter
╱ ╲ header encryption!
****************************************************
Just a small clarification, openssl itself allows importing a single >certificate and its chain and overwrites the store in the process, so
we need something like p11-kit.
Another grey area is ORACLE_TrustedKeyUsage attribute - at the moment
Alternative is to go with two packages: one for Java 11 and onwards
that does not use Java-based import, and the other - classic >ca-certificates-java with the trigger updated to watch Java 8?
On Wed, 22 Feb 2023, Vladimir Petko wrote:
in sync. A possible scenario is CA being revoked, which results in an
That’s why I was suggesting to keep it down to manually vetted
relevant ones.
But if that’s unpalatable (do talk to the security people!),
ship an empty JKS keystore by default. The JKS keystore will
have no nōn-Java users, and soon as the JRE is there it’ll
be regenerated.
This all won’t make bookworm any more either, so no need to
be hasty.
bye,
//mirabilos
--
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
**************************************************** /⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against Mit dem tarent-Newsletter nichts mehr verpassen:
╳ HTML eMail! Also, https://www.tarent.de/newsletter
╱ ╲ header encryption!
****************************************************
On Wed, 22 Feb 2023, Vladimir Petko wrote:
The existing trigger "interest /usr/lib/jvm" causes the import to run
Unsure, I only used triggers once, a decade ago or so myself,
but isn’t this what the interest-await trigger method is for?
bye,
//mirabilos
--
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
**************************************************** /⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against Mit dem tarent-Newsletter nichts mehr verpassen:
╳ HTML eMail! Also, https://www.tarent.de/newsletter
╱ ╲ header encryption!
****************************************************
Notice that ca-certificates-java attempts to process triggers before >default-jre is set up. This is exactly the condition we are trying to
avoid.
On Thu, 23 Feb 2023, Vladimir Petko wrote:
Notice that ca-certificates-java attempts to process triggers before >default-jre is set up. This is exactly the condition we are trying to >avoid.
It should run them again, and there’s got to be a way, but I’m
not a triggers expert and currently ill, please get some input
from people who know better about dpkg triggers.
bye,
//mirabilos
--
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
**************************************************** /⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against Mit dem tarent-Newsletter nichts mehr verpassen:
╳ HTML eMail! Also, https://www.tarent.de/newsletter
╱ ╲ header encryption!
****************************************************
This is possible to do if we update openjdk packaging and make it
trigger certificates-ca-java, so that it always runs after the openjdk
Please get well!!!!!
On Fri, 24 Feb 2023, Vladimir Petko wrote:
This is possible to do if we update openjdk packaging and make it
trigger certificates-ca-java, so that it always runs after the openjdk
We can do that easily. I maintain 8 and doko the rest (I hope).
If that’s needed, i.e. if there’s no other way, that is. (And
this should not break with older ca-certificates-java, like in jessie/stretch-ELTS.)
Please get well!!!!!
Thank you.
bye,
//mirabilos
--
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
**************************************************** /⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against Mit dem tarent-Newsletter nichts mehr verpassen:
╳ HTML eMail! Also, https://www.tarent.de/newsletter
╱ ╲ header encryption!
****************************************************
The issue is the migration procedure - those packages have to be
published together to avoid any nasty surprises.
- call update-certificates-java trigger after update-alternatives in
every jre-headless postinstall script
Potential problem:
- update-certificates-java trigger logs appearing multiple times when >different openjdk versions are installed at the same time
Is this REALLY necessary? AIUI triggers it shouldn’t, with
the correct invocations. Please do talk to people who know
about triggers well.
On Fri, 24 Feb 2023, Vladimir Petko wrote:
The issue is the migration procedure - those packages have to be
published together to avoid any nasty surprises.
Yeah, we’ll have to pick a time to do that, which is after
the bookworm release anyway (it’s not okay to upload things
to unstable right now that are not targetting the release,
and only small targetted fixes, not big changes).
- call update-certificates-java trigger after update-alternatives in
every jre-headless postinstall script
Is this REALLY necessary? AIUI triggers it shouldn’t, with
the correct invocations. Please do talk to people who know
about triggers well.
Potential problem:
- update-certificates-java trigger logs appearing multiple times when >different openjdk versions are installed at the same time
dpkg should merge them, but even if not, triggers must be
omnipotent anyway, so that’s not a problem.
bye,
//mirabilos
--
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
**************************************************** /⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against Mit dem tarent-Newsletter nichts mehr verpassen:
╳ HTML eMail! Also, https://www.tarent.de/newsletter
╱ ╲ header encryption!
****************************************************
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 300 |
Nodes: | 16 (3 / 13) |
Uptime: | 16:35:53 |
Calls: | 6,707 |
Calls today: | 1 |
Files: | 12,239 |
Messages: | 5,351,254 |