Dear Maintainers,
Would it be possible to consider a proposal to break dependency of ca-certificates-java on the installed JVM?
Abstract
ca-certificates-java package contains a circular dependency with Java that
causes issues during openjdk installation.
I am proposing switching the ca-certificate-java certificate import tool to
Python to break the dependency cycle.
Rationale
The certificate import tool in ca-certificate-java is written in Java.
This is a constant source of bugs [1] and requires updates (including stable
release updates [2]) whenever a new JDK version comes out. Switching
certificate import to Python will remove the maintenance load and break
a cyclic dependency.
Existing Functionality
ca-certificates-java synchronizes content of Java keystore
/etc/ssl/certs/java/cacerts with trusted certificates in PEM format located
in /etc/ssl/certs using jks-keystore hook registered with ca-certificates
package.
During hook invocation or post installation following actions are performed:
- ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts and
attempts to convert it into legacy Java Key Store(JKS) format due to the
requirement to support OpenJDK 8.
OpenJDK 11 and up support both legacy and PKCS11 formats.
- ca-certificate-java lists all available certificates in the keystore using
Java keytool, filters certificate aliases and compares the list with the
system certificates.
An input file containing '+debian:<certificate-file-name>' for addition and
'-debian:<certificate-file-name>' is generated and passed to import utility.
Import utility updates /etc/ssl/certs/java/cacerts and sets updated
certificate alias to 'debian:<certificate-file-name>'
Note: Import utility only updates certificates with
'debian:<certificate-file-name>' alias
Requirements
In order to remove dependency on Java, the certificate import tool must:
- List certificate aliases
- Add or update certificate in Java Key Store
- Convert PKCS12 store to JKS format
- Load certificate in PEM format
- Retain any user's certificates in Java Key Store
Implementation
This functionality can be implemented using the following Python packages:
- python3-pyjks: Java Key Store format support [4]. It supports loading,
manipulation and serialization of the JKS files.
It is needed for requirements 1 and 2.
- python3-oscrypto: PKCS12 and X509 support [3]. The package depends on
OpenSSL 3.0. The package supports loading PKCS12 certificate store and
extracting certificates along with SafeBag aliases.
It is needed for requirements 3 and 4.
ca-certificates-java will install the /usr/sbin/ca-certificates-java tool.
It will accept following options:
- sync <password> <input-file> - synchronize the keystore
- list <password> – list certificate aliases in the keystore
- convert <password> <oldstore> <newstore> – convert the keystore into
JKS format.
Best Regards,
Vladimir.