
Re: ca-certificate-java/openjdk installation issues



Hi Vladimir,

Thank you for tackling this annoying issue.

You said that JKS was required to support OpenJDK 8, but there is no such requirement, at the Debian level at least. What about generating a PKCS#12 certstore with OpenSSL instead; would that work? The Python script could still be used for OpenJDK 8 (with a dedicated ca-certificate-java8 package maybe). This way installing openjdk-17 would not drag in Python dependencies.

Emmanuel Bourg


On 2023-02-07 20:12, Vladimir Petko wrote:

Dear Maintainers,

Would it be possible to consider a proposal to break the dependency of ca-certificates-java on the installed JVM?

Abstract

The ca-certificates-java package contains a circular dependency with Java that
causes issues during openjdk installation.
I am proposing switching the ca-certificate-java certificate import tool to
Python to break the dependency cycle.

Rationale

The certificate import tool in ca-certificate-java is written in Java.
This is a constant source of bugs [1] and requires updates (including stable
release updates [2]) whenever a new JDK version comes out. Switching
certificate import to Python will remove the maintenance load and break
the cyclic dependency.

Existing Functionality

ca-certificates-java synchronizes the content of the Java keystore
/etc/ssl/certs/java/cacerts with the trusted certificates in PEM format located
in /etc/ssl/certs, using the jks-keystore hook registered with the ca-certificates
package.

During hook invocation or post installation, the following actions are performed:
- ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts and
  attempts to convert it into the legacy Java Key Store (JKS) format due to the
  requirement to support OpenJDK 8.
  OpenJDK 11 and up support both legacy and PKCS11 formats.
- ca-certificate-java lists all available certificates in the keystore using
  Java keytool, filters certificate aliases and compares the list with the
  system certificates.
  An input file containing '+debian:<certificate-file-name>' for addition and
  '-debian:<certificate-file-name>' is generated and passed to the import utility.
  The import utility updates /etc/ssl/certs/java/cacerts and sets the updated
  certificate alias to 'debian:<certificate-file-name>'.
  Note: the import utility only updates certificates with the
  'debian:<certificate-file-name>' alias.

Requirements

In order to remove the dependency on Java, the certificate import tool must:
- List certificate aliases
- Add or update a certificate in the Java Key Store
- Convert a PKCS12 store to JKS format
- Load a certificate in PEM format
- Retain any user's certificates in the Java Key Store

Implementation

This functionality can be implemented using the following Python packages:
- python3-pyjks: Java Key Store format support [4]. It supports loading,
  manipulation and serialization of JKS files.
  It is needed for requirements 1 and 2.
- python3-oscrypto: PKCS12 and X509 support [3]. The package depends on
  OpenSSL 3.0. The package supports loading a PKCS12 certificate store and
  extracting certificates along with SafeBag aliases.
  It is needed for requirements 3 and 4.

ca-certificates-java will install the /usr/sbin/ca-certificates-java tool.

It will accept the following options:
- sync <password> <input-file> - synchronize the keystore
- list <password> - list certificate aliases in the keystore
- convert <password> <oldstore> <newstore> - convert the keystore into
  JKS format.

Best Regards,
  Vladimir.
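The sync step described in the proposal above (compare 'debian:'-prefixed keystore aliases with the PEM files in /etc/ssl/certs, emit '+debian:'/'-debian:' lines for the import utility, and leave user-added aliases alone), as an added example in pure Python. This is not the ca-certificates-java code: the keystore is modelled as an in-memory dict of alias to PEM path, and the certificate names are constructed samples.

```python
"""Added example: the keystore synchronisation logic from the proposal.
Assumption: the keystore is a dict alias -> PEM path; the real tool would
read and write the JKS file (e.g. with pyjks) instead."""
from typing import Dict, Iterable, List

DEBIAN_PREFIX = "debian:"  # only aliases with this prefix are managed


def plan_sync(keystore_aliases: Iterable[str],
              system_certs: Iterable[str]) -> List[str]:
    """Build the import-utility input: '+debian:<file>' for PEM files in
    /etc/ssl/certs that the keystore lacks, '-debian:<file>' for managed
    aliases whose PEM file is gone. Aliases without the prefix are the
    user's own certificates and are never listed, so they are retained."""
    managed = {a[len(DEBIAN_PREFIX):] for a in keystore_aliases
               if a.startswith(DEBIAN_PREFIX)}
    wanted = set(system_certs)
    return ([f"+{DEBIAN_PREFIX}{n}" for n in sorted(wanted - managed)]
            + [f"-{DEBIAN_PREFIX}{n}" for n in sorted(managed - wanted)])


def apply_plan(keystore: Dict[str, str], lines: Iterable[str],
               certs_dir: str = "/etc/ssl/certs") -> Dict[str, str]:
    """Apply the plan to a copy of the keystore. Any line naming an alias
    that is not 'debian:'-prefixed is rejected, mirroring the note that the
    import utility only updates Debian-managed entries."""
    store = dict(keystore)
    for line in lines:
        if not line:
            continue
        op, alias = line[0], line[1:]
        if op not in "+-" or not alias.startswith(DEBIAN_PREFIX):
            raise ValueError(f"refusing to modify non-managed alias: {line!r}")
        name = alias[len(DEBIAN_PREFIX):]
        if op == "+":
            store[alias] = f"{certs_dir}/{name}"  # add or update the entry
        else:
            store.pop(alias, None)
    return store


if __name__ == "__main__":
    # Constructed sample keystore: two Debian-managed entries and one user entry.
    sample_store = {"debian:Example_Root_CA.pem": "/etc/ssl/certs/Example_Root_CA.pem",
                    "debian:Old_CA.pem": "/etc/ssl/certs/Old_CA.pem",
                    "mycorp-root": "/usr/local/share/ca-certificates/mycorp.crt"}
    plan = plan_sync(sample_store, ["Example_Root_CA.pem", "New_CA.pem"])
    print("\n".join(plan))
    print(sorted(apply_plan(sample_store, plan)))
```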


