Dear Maintainer, This bug is also present in Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998697
This particular issue is caused by https://github.com/openjdk/jdk/commit/1f9ff413126fb68e07b8fc1f36dd3cb17093a484 There is a change in behaviour: previously accessing java.security.Security did not require the java.security properties file to be present, now JDK 20 requires it. See https://bugs.openjdk.org/browse/JDK-8292297 Same behaviour applies to keytool - see exception below: Exception in thread "main" java.lang.ExceptionInInitializerError at java.base/javax.crypto.Cipher.getInstance(Cipher.java:548) at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineLoad$1(PKCS 12KeyStore.java:2136) at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12 KeyStore.java:257) at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStor e.java:2134) at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDele gator.java:226) at java.base/java.security.KeyStore.load(KeyStore.java:1502) at java.base/java.security.KeyStore.getInstance(KeyStore.java:1828) at java.base/java.security.KeyStore.getInstance(KeyStore.java:1710) at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:944) at java.base/sun.security.tools.keytool.Main.run(Main.java:420) at java.base/sun.security.tools.keytool.Main.main(Main.java:413) Caused by: java.lang.SecurityException: Can not initialize cryptographic mechani sm at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:119) ... 11 more Caused by: java.lang.SecurityException: Couldn't parse jurisdiction policy files in: unlimited at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecur ity.java:364) at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:110) at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:107) at java.base/java.security.AccessController.doPrivileged(AccessControlle r.java:569) at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:106) ... 11 more Both problems are caused by an attempt to run java before the package is configured. Would it be possible to discuss whether it is possible to break dependency of ca-certificates-java on java? For example, the java application in the package could be replaced by C++ or Python utility capable of working with JKS.
