Hi,

Just a small clarification: openssl itself allows importing a single certificate and its chain and overwrites the store in the process, so we need something like p11-kit.

Another grey area is the ORACLE_TrustedKeyUsage attribute. At the moment the store implementation sets it on save, but it does not seem to be checked anywhere. If we use p11-kit, then it will not be present and something might break in the future. In this case we will have to replace p11-kit with our own tool.
Best Regards,
Vladimir.

On Wed, Feb 22, 2023 at 9:22 AM Emmanuel Bourg <ebo...@apache.org> wrote:
>
> Hi Vladimir,
>
> Thank you for tackling this annoying issue.
>
> You said that JKS was required to support OpenJDK 8, but there is no such
> requirement, at the Debian level at least. What about generating a PKCS#12
> certstore with OpenSSL instead, would that work? The python script could
> still be used for OpenJDK 8 (with a dedicated ca-certificate-java8 package
> maybe). This way installing openjdk-17 would not drag in python dependencies.
>
> Emmanuel Bourg
>
>
> On 2023-02-07 20:12, Vladimir Petko wrote:
> > Dear Maintainers,
> >
> > Would it be possible to consider a proposal to break the dependency of
> > ca-certificates-java on the installed JVM?
> >
> > Abstract
> >
> > The ca-certificates-java package contains a circular dependency with Java that
> > causes issues during openjdk installation.
> > I am proposing switching the ca-certificates-java certificate import tool to
> > Python to break the dependency cycle.
> >
> > Rationale
> >
> > The certificate import tool in ca-certificates-java is written in Java.
> > This is a constant source of bugs [1] and requires updates (including stable
> > release updates [2]) whenever a new JDK version comes out. Switching
> > certificate import to Python will remove the maintenance load and break
> > a cyclic dependency.
> >
> > Existing Functionality
> >
> > ca-certificates-java synchronizes the content of the Java keystore
> > /etc/ssl/certs/java/cacerts with the trusted certificates in PEM format located
> > in /etc/ssl/certs, using the jks-keystore hook registered with the ca-certificates
> > package.
> >
> > During hook invocation or post installation the following actions are performed:
> > - ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts and
> > attempts to convert it into the legacy Java Key Store (JKS) format due to the
> > requirement to support OpenJDK 8.
> > OpenJDK 11 and up support both legacy and PKCS11 formats.
> > - ca-certificates-java lists all available certificates in the keystore using
> > Java keytool, filters certificate aliases and compares the list with the
> > system certificates.
> > An input file containing '+debian:<certificate-file-name>' for addition and
> > '-debian:<certificate-file-name>' is generated and passed to the import utility.
> > The import utility updates /etc/ssl/certs/java/cacerts and sets the updated
> > certificate alias to 'debian:<certificate-file-name>'.
> > Note: the import utility only updates certificates with the
> > 'debian:<certificate-file-name>' alias.
> >
> > Requirements
> >
> > In order to remove the dependency on Java, the certificate import tool must:
> > - List certificate aliases
> > - Add or update a certificate in the Java Key Store
> > - Convert a PKCS12 store to JKS format
> > - Load a certificate in PEM format
> > - Retain any user's certificates in the Java Key Store
> >
> > Implementation
> >
> > This functionality can be implemented using the following Python packages:
> > - python3-pyjks: Java Key Store format support [4]. It supports loading,
> > manipulation and serialization of JKS files.
> > It is needed for requirements 1 and 2.
> > - python3-oscrypto: PKCS12 and X509 support [3]. The package depends on
> > OpenSSL 3.0. The package supports loading a PKCS12 certificate store and
> > extracting certificates along with SafeBag aliases.
> > It is needed for requirements 3 and 4.
> >
> > ca-certificates-java will install the /usr/sbin/ca-certificates-java tool.
> >
> > It will accept the following options:
> > - sync <password> <input-file> - synchronize the keystore
> > - list <password> - list certificate aliases in the keystore
> > - convert <password> <oldstore> <newstore> - convert the keystore into
> > JKS format.
> >
> > Best Regards,
> > Vladimir.
> >
> > [1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java
> > [2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065
> > [3] https://launchpad.net/ubuntu/+source/oscrypto
> > [4] https://launchpad.net/ubuntu/+source/pyjks
> >
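The quoted proposal describes two things a Java-free importer has to do: read and write the JKS container (list aliases, add or update entries, keep the user's own entries), and turn the alias list plus the PEM directory into the '+debian:<file>' / '-debian:<file>' plan the hook hands to the importer. The following is an added, illustrative example and not ca-certificates-java's own tool: it implements the JKS version 2 trusted-certificate entry format with the standard library only (the proposal would use python3-pyjks for this), plans and applies a sync, and checks the keystore integrity digest on reload. The sample "certificate" bytes and the password "changeit" are constructed placeholders; the DER payload is opaque to the container, so keytool would reject the placeholder, but the file layout and digest are the real JKS ones. Aliases are lowercased because Java's JKS implementation normalises them that way.

```python
import base64
import hashlib
import io
import struct

MAGIC = 0xFEEDFEED              # JKS file magic
VERSION = 2                     # JKS version written by current keytool
TRUSTED_CERT_TAG = 2            # entry tag for trusted certificates (1 = private key)
DEBIAN_PREFIX = "debian:"       # only aliases with this prefix are managed by the hook
JKS_SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity digest


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    body, inside = [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == "-----END CERTIFICATE-----":
            break
        elif inside:
            body.append(line)
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body))


def _digest(password, payload):
    # JKS integrity value: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || payload)
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + payload).digest()


def _write_utf(out, text):
    data = text.encode("utf-8")
    out.write(struct.pack(">H", len(data)) + data)


def _read_utf(buf):
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n).decode("utf-8")


def dump_jks(entries, password):
    """Serialise {alias: (der_bytes, timestamp_ms)} as a JKS keystore blob."""
    out = io.BytesIO()
    out.write(struct.pack(">IIi", MAGIC, VERSION, len(entries)))
    for alias, (der, ts) in entries.items():
        out.write(struct.pack(">i", TRUSTED_CERT_TAG))
        _write_utf(out, alias)
        out.write(struct.pack(">q", ts))
        _write_utf(out, "X.509")
        out.write(struct.pack(">i", len(der)) + der)
    payload = out.getvalue()
    return payload + _digest(password, payload)


def load_jks(data, password):
    """Parse a JKS keystore holding trusted-certificate entries; verify the digest first."""
    payload, mac = data[:-20], data[-20:]
    if _digest(password, payload) != mac:
        raise ValueError("integrity check failed: wrong password or modified keystore")
    buf = io.BytesIO(payload)
    magic, version, count = struct.unpack(">IIi", buf.read(12))
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a JKS version 2 keystore")
    entries = {}
    for _ in range(count):
        (tag,) = struct.unpack(">i", buf.read(4))
        alias = _read_utf(buf)
        (ts,) = struct.unpack(">q", buf.read(8))
        if tag != TRUSTED_CERT_TAG:
            raise ValueError("private-key entries are outside this example")
        _read_utf(buf)  # certificate type, "X.509" for keytool-written entries
        (n,) = struct.unpack(">i", buf.read(4))
        entries[alias] = (buf.read(n), ts)
    return entries


def plan_sync(aliases, pem_names):
    """Build the '+debian:<file>' / '-debian:<file>' list; user entries are never touched."""
    wanted = {(DEBIAN_PREFIX + name).lower() for name in pem_names}
    managed = {a for a in aliases if a.startswith(DEBIAN_PREFIX)}
    return ["+" + a for a in sorted(wanted - managed)] + ["-" + a for a in sorted(managed - wanted)]


def apply_sync(entries, plan, pem_by_name, now_ms):
    """Apply a plan in place: load the PEM for each '+' alias, drop each '-' alias."""
    pem_by_alias = {(DEBIAN_PREFIX + n).lower(): t for n, t in pem_by_name.items()}
    for item in plan:
        op, alias = item[0], item[1:]
        if op == "+":
            entries[alias] = (pem_to_der(pem_by_alias[alias]), now_ms)
        elif op == "-":
            entries.pop(alias, None)
    return entries


# Constructed sample input: a placeholder payload, not a real X.509 certificate.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")


def demo(password="changeit"):
    """Store with one user entry and one stale debian: entry, synced against a
    directory holding only New_CA.pem; returns the alias list after reload."""
    store = {"mycorp-root": (b"user entry", 1000), "debian:old_ca.pem": (b"stale", 2000)}
    entries = load_jks(dump_jks(store, password), password)
    plan = plan_sync(entries.keys(), ["New_CA.pem"])
    apply_sync(entries, plan, {"New_CA.pem": SAMPLE_PEM}, now_ms=3000)
    blob = dump_jks(entries, password)
    try:
        load_jks(blob, "wrong")
        raise AssertionError("a wrong password must be rejected")
    except ValueError:
        pass
    return sorted(load_jks(blob, password))
```

The integrity digest is keyed only by the store password, so with the default password it is a tamper-evidence check against accidental corruption, not an access control; that is unchanged from what keytool itself provides, and is one reason the thread looks at p11-kit and PKCS#12 instead of carrying JKS forward.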