** Description changed:

  [Impact]
- Any user doing a new install - or upgrading, if openjdk was not installed - 
can be affected as soon as they install any openjdk-11 package.
+ Any user doing a new install - or upgrading if openjdk was not installed - 
can be affected as soon as they install any openjdk-11 package.
  
  [Cause]
- The ca-certificate-java version 20170930 (or earlier) used the default 
keystore to create /etc/ssl/certs/java/cacerts - if the file already existed 
its contents were just updated.
+ The ca-certificate-java version 20170930 (or earlier) used the default 
keystore to create /etc/ssl/certs/java/cacerts - if the file already existed 
its contents were just updated without changing the keystore
+ type.
  
  From openjdk-9 upwards the default keystore type changed from 'jks' to
  'pkcs12' [1] by means of JEP 229 [2]. A JKS keystore can be read without
  supplying a password (or by supplying an empty one) while a PKCS12
  keystore requires a password to be set.
  
  Thus a /etc/ssl/certs/java/cacerts created in the pkcs12 format will
  fail to be loaded as, by default, the truststore password is empty - in
  order to avoid that the user must set
  -Djavax.net.ssl.trustStorePassword=<passwd> or define it in /etc/java-
  XX-openjdk/management/management.properties. A JKS keystore will work
  normally, as the certificates in it can be ready when the truststore
  password is empty.
  
+ Ubuntu does *not* set the javax.net.ssl.trustStorePassword by default
+ thus any user that got a cacerts generated in JKCS12 won't be able
+ to use any secure connections from java.
+ 
  [Test Case with cacerts 20170930ubuntu1 or earlier]
  Start on a new bionic install/chroot without openjdk
  
  1. Install openjdk-11
  $ sudo apt-get install openjdk-11-jdk
  
+ 
  2. Test the keystore with an empty password (optional) and make sure it is a 
PKCS12
  $ keytool -list -cacerts
- Enter keystore password:  
- 
+ Enter keystore password: <leave empty>
  *****************  WARNING WARNING WARNING  *****************
  * The integrity of the information stored in your keystore  *
  * has NOT been verified!  In order to verify its integrity, *
  * you must provide your keystore password.                  *
  *****************  WARNING WARNING WARNING  *****************
- 
  Keystore type: PKCS12
  Keystore provider: SUN
- 
  Your keystore contains 0 entries
  
+ 
  3. Test with the "changeit" password
- keytool -list -cacerts
- Enter keystore password: changeit 
+ $ keytool -list -cacerts
+ Enter keystore password: changeit
  Keystore type: PKCS12
  Keystore provider: SUN
- 
  Your keystore contains 133 entries
- 
  <snipped various certs>
  
+ 
  4. Create the java test file
- $ cat <<EOF >HttpsTester.java 
+ $ cat <<EOF >HttpsTester.java
  import java.net.URL;
  import javax.net.ssl.HttpsURLConnection;
  public class HttpsTester {
  public static void main(String[] args) throws java.io.IOException {
  HttpsURLConnection connection = (HttpsURLConnection) new 
URL("https://www.ubuntu.com";).openConnection();
  System.out.println("Response code: " + connection.getResponseCode());
  System.out.println("It worked!");
  }
  }
+ EOF
+ 
  
  5. Compile it
  $ javac HttpsTester.java
  
+ 
  6. Call it
  $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java HttpsTester
  
+ 
  7. Call it again, this time set the store password
  $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java \
-   -Djavax.net.ssl.trustStorePassword=changeit HttpsTester
+   -Djavax.net.ssl.trustStorePassword=changeit HttpsTester
  Response code: 200
  It worked!
  
- [Test Case with cacerts 20180413 or later]
+ 
+ 8. Install the newer ca-certificates-java 20180516, it should
+ migrate cacerts from PKCS12 to JKS. Check that by running step #2
+ again
+ $ keytool -list -cacerts
+ Enter keystore password: <leave empty>
+ *****************  WARNING WARNING WARNING  *****************
+ * The integrity of the information stored in your keystore  *
+ * has NOT been verified!  In order to verify its integrity, *
+ * you must provide your keystore password.                  *
+ *****************  WARNING WARNING WARNING  *****************
+ Keystore type: JKS
+ Keystore provider: SUN
+ Your keystore contains 133 entries
+ <snipped various certs>
+ 
+ 
+ 9. The old keystore should be saved in 
+ /etc/ssl/certs/java/cacerts.dpkg-old, test it exists:
+ $ keytool -list -keystore /etc/ssl/certs/java/cacerts.dpkg-old
+ Enter keystore password: <leave empty>
+ *****************  WARNING WARNING WARNING  *****************
+ * The integrity of the information stored in your keystore  *
+ * has NOT been verified!  In order to verify its integrity, *
+ * you must provide your keystore password.                  *
+ *****************  WARNING WARNING WARNING  *****************
+ Keystore type: PKCS12
+ Keystore provider: SUN
+ Your keystore contains 0 entries
+ 
+ [Test Case with cacerts 20180516 or later]
  Start on a new bionic install/chroot without openjdk
  
  1. Install openjdk-11
  $ sudo apt-get install openjdk-11-jdk
  
+ 
  2. Test the keystore with an empty password (optional) and make sure it is a 
JKS
- keytool -list -cacerts
- Enter keystore password:  
- 
+ $ keytool -list -cacerts
+ Enter keystore password:
  *****************  WARNING WARNING WARNING  *****************
  * The integrity of the information stored in your keystore  *
  * has NOT been verified!  In order to verify its integrity, *
  * you must provide your keystore password.                  *
  *****************  WARNING WARNING WARNING  *****************
- 
  Keystore type: JKS
  Keystore provider: SUN
+ Your keystore contains 133 entries
+ <snipped various certs>
  
- Your keystore contains 133 entries
- 
- <snipped various certs>
  
  3. Test with the "changeit" password
  keytool -list -cacerts
- Enter keystore password: changeit 
+ Enter keystore password: changeit
  Keystore type: JKS
  Keystore provider: SUN
- 
  Your keystore contains 133 entries
- 
  <snipped various certs>
  
+ 
  4. Create the java test file
- $ cat <<EOF >HttpsTester.java 
+ $ cat <<EOF >HttpsTester.java
  import java.net.URL;
  import javax.net.ssl.HttpsURLConnection;
  public class HttpsTester {
  public static void main(String[] args) throws java.io.IOException {
  HttpsURLConnection connection = (HttpsURLConnection) new 
URL("https://www.ubuntu.com";).openConnection();
  System.out.println("Response code: " + connection.getResponseCode());
  System.out.println("It worked!");
  }
  }
+ EOF
+ 
  
  5. Compile it
  $ javac HttpsTester.java
+ 
  
  6. Call it
  $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java HttpsTester
  Response code: 200
  It worked!
  
+ 
  7. Call it again, this time set the store password
  $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java \
-   -Djavax.net.ssl.trustStorePassword=changeit HttpsTester
+   -Djavax.net.ssl.trustStorePassword=changeit HttpsTester
  Response code: 200
  It worked!
  
  
- [Regression Potential] 
- 
-  * discussion of how regressions are most likely to manifest as a result
- of this change.
- 
-  * It is assumed that any SRU candidate patch is well-tested before
-    upload and has a low overall risk of regression, but it's important
-    to make the effort to think about what ''could'' happen in the
-    event of a regression.
- 
-  * This both shows the SRU team that the risks have been considered,
-    and provides guidance to testers in regression-testing the SRU.
+ [Regression Potential]
+ * If a user has manually set his own JKCS12 cacerts and didn't update
+ /etc/default/cacerts to set "cacerts_updates=no" (from the default
+ of "cacerts_updates=yes") then his custom cacerts will be converted and 
overwritten. Still, a copy from the previous cacert is kept at
+ /etc/ssl/certs/java/cacerts.dpkg-old.
  
  [Other Info]
-  
-  * Anything else you think is useful to include
-  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
-  * and address these questions in advance
+ The cacerts keystore fix is related to 2 bugs:
+ 1) bug #1739631, fixed by ca-certificates-java-20180413, which changed the 
default keystore type generated by ca-certificates-java to JKS
+ 2) bug #1771363, fixed by ca-certificates-java-20180516, which migrated
+ cacerts keystore previously generated in PKCS12 to the correct JKS keystore 
type.
+ 
  
  [References]
  [1] The default keystore is defined by the keystore.type in the
  /etc/java-XX-openjdk/security/java.security file.
  
http://hg.openjdk.java.net/jdk-updates/jdk9u/jdk/annotate/46bd35a597eb/src/java.base/share/conf/security/java.security#l186
  
  [2] JEP 229: Create PKCS12 Keystores by Default
  http://openjdk.java.net/jeps/229
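Review bot: the added [Cause] line "any user that got a cacerts generated in JKCS12" and the added [Regression Potential] line "manually set his own JKCS12 cacerts" misspell the keystore type; both should read PKCS12, matching the "Keystore type: PKCS12" output elsewhere in the description. Two smaller points in the test cases: step 6 of the 20170930ubuntu1 case ("Call it") shows no expected output, so a tester cannot tell the broken state from the fixed one; state there that the HTTPS connection is expected to fail before step 7 shows it succeeding with -Djavax.net.ssl.trustStorePassword=changeit. And step 3 of the 20180516 case still has the bare "keytool -list -cacerts" without the "$ " prompt that every other command line uses.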

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/1770553

Title:
  [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1)

Status in ca-certificates-java package in Ubuntu:
  Confirmed

Bug description:
  [Impact]
  Any user doing a new install - or upgrading if openjdk was not installed -
  can be affected as soon as they install any openjdk-11 package.

  [Cause]
  The ca-certificates-java version 20170930 (or earlier) used the default
  keystore type to create /etc/ssl/certs/java/cacerts - if the file already
  existed, its contents were just updated without changing the keystore
  type.

  From openjdk-9 upwards the default keystore type changed from 'jks' to
  'pkcs12' [1] by means of JEP 229 [2]. A JKS keystore can be read
  without supplying a password (or by supplying an empty one) while a
  PKCS12 keystore requires a password to be set.

  Thus a /etc/ssl/certs/java/cacerts created in the pkcs12 format will
  fail to be loaded as, by default, the truststore password is empty -
  in order to avoid that the user must set
  -Djavax.net.ssl.trustStorePassword=<passwd> or define it in /etc/java-
  XX-openjdk/management/management.properties. A JKS keystore will work
  normally, as the certificates in it can be read when the truststore
  password is empty.

  Ubuntu does *not* set javax.net.ssl.trustStorePassword by default, so
  any user whose cacerts was generated in PKCS12 format is unable to use
  any secure connection from Java.
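  An added diagnostic (not from the bug report or from ca-certificates-java) that opens cacerts the way the default trust manager does, with the default keystore type and no password, and then again with the "changeit" password; the store path and that password are assumptions taken from this report. It reports how many trust anchors are visible in each case, which is the difference the test cases above observe with keytool.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;

/*
 * Added diagnostic, not from the bug report or from ca-certificates-java.
 * Opens the system cacerts the way the default trust manager does, i.e. with
 * KeyStore.getDefaultType() ("pkcs12" since JDK 9; it reads JKS as well) and
 * no password, then again with "changeit". A PKCS12 store opened without a
 * password loads but keeps its certificate bags sealed, so it reports 0
 * entries: that is the state the report describes, and why HTTPS fails.
 */
public class CacertsCheck {

    // Path and password are assumptions taken from the bug report.
    static final Path CACERTS = Paths.get("/etc/ssl/certs/java/cacerts");
    static final char[] STORE_PASS = "changeit".toCharArray();

    /** Entries visible with the given password (null = none); -1 if the store cannot be opened. */
    static int visibleEntries(Path store, char[] password) {
        try (InputStream in = Files.newInputStream(store)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);
            return Collections.list(ks.aliases()).size();
        } catch (IOException | GeneralSecurityException e) {
            System.out.println("cannot open " + store + ": " + e.getMessage());
            return -1;
        }
    }

    public static void main(String[] args) {
        Path store = args.length > 0 ? Paths.get(args[0]) : CACERTS;
        int noPass = visibleEntries(store, null);
        int withPass = visibleEntries(store, STORE_PASS);
        System.out.printf("%s: %d entries without password, %d with 'changeit'%n",
                          store, noPass, withPass);
        if (noPass <= 0 && withPass > 0) {
            System.out.println("BROKEN: trust anchors are only readable with a password"
                + " (PKCS12 cacerts). TLS connections will fail unless"
                + " -Djavax.net.ssl.trustStorePassword is set; ca-certificates-java"
                + " 20180516 or later migrates this store to JKS.");
            System.exit(1);
        }
        System.out.println("OK: trust anchors are readable with an empty password.");
    }
}
```

  Run it with the JDK under test (javac CacertsCheck.java && java CacertsCheck, optionally passing /etc/ssl/certs/java/cacerts.dpkg-old as the argument); a non-zero exit marks the broken PKCS12 state.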

  [Test Case with cacerts 20170930ubuntu1 or earlier]
  Start on a new bionic install/chroot without openjdk

  1. Install openjdk-11
  $ sudo apt-get install openjdk-11-jdk

  
  2. Test the keystore with an empty password (optional) and make sure it is
  a PKCS12
  $ keytool -list -cacerts
  Enter keystore password: <leave empty>
  *****************  WARNING WARNING WARNING  *****************
  * The integrity of the information stored in your keystore  *
  * has NOT been verified!  In order to verify its integrity, *
  * you must provide your keystore password.                  *
  *****************  WARNING WARNING WARNING  *****************
  Keystore type: PKCS12
  Keystore provider: SUN
  Your keystore contains 0 entries

  
  3. Test with the "changeit" password
  $ keytool -list -cacerts
  Enter keystore password: changeit
  Keystore type: PKCS12
  Keystore provider: SUN
  Your keystore contains 133 entries
  <snipped various certs>

  
  4. Create the java test file
  $ cat <<EOF >HttpsTester.java
  import java.net.URL;
  import javax.net.ssl.HttpsURLConnection;
  public class HttpsTester {
      public static void main(String[] args) throws java.io.IOException {
          // Opening any HTTPS URL makes the JVM load the default truststore
          HttpsURLConnection connection =
              (HttpsURLConnection) new URL("https://www.ubuntu.com").openConnection();
          System.out.println("Response code: " + connection.getResponseCode());
          System.out.println("It worked!");
      }
  }
  EOF

  
  5. Compile it
  $ javac HttpsTester.java

  
  6. Call it
  $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java HttpsTester

  
  7. Call it again, this time set the store password
  $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java \
    -Djavax.net.ssl.trustStorePassword=changeit HttpsTester
  Response code: 200
  It worked!

  
  8. Install the newer ca-certificates-java 20180516; it should migrate
  cacerts from PKCS12 to JKS. Check that by running step #2 again
  $ keytool -list -cacerts
  Enter keystore password: <leave empty>
  *****************  WARNING WARNING WARNING  *****************
  * The integrity of the information stored in your keystore  *
  * has NOT been verified!  In order to verify its integrity, *
  * you must provide your keystore password.                  *
  *****************  WARNING WARNING WARNING  *****************
  Keystore type: JKS
  Keystore provider: SUN
  Your keystore contains 133 entries
  <snipped various certs>

  
  9. The old keystore should be saved as
  /etc/ssl/certs/java/cacerts.dpkg-old; check that it exists:
  $ keytool -list -keystore /etc/ssl/certs/java/cacerts.dpkg-old
  Enter keystore password: <leave empty>
  *****************  WARNING WARNING WARNING  *****************
  * The integrity of the information stored in your keystore  *
  * has NOT been verified!  In order to verify its integrity, *
  * you must provide your keystore password.                  *
  *****************  WARNING WARNING WARNING  *****************
  Keystore type: PKCS12
  Keystore provider: SUN
  Your keystore contains 0 entries

  [Test Case with cacerts 20180516 or later]
  Start on a new bionic install/chroot without openjdk

  1. Install openjdk-11
  $ sudo apt-get install openjdk-11-jdk

  
  2. Test the keystore with an empty password (optional) and make sure it is
  a JKS
  $ keytool -list -cacerts
  Enter keystore password:
  *****************  WARNING WARNING WARNING  *****************
  * The integrity of the information stored in your keystore  *
  * has NOT been verified!  In order to verify its integrity, *
  * you must provide your keystore password.                  *
  *****************  WARNING WARNING WARNING  *****************
  Keystore type: JKS
  Keystore provider: SUN
  Your keystore contains 133 entries
  <snipped various certs>

  
  3. Test with the "changeit" password
  $ keytool -list -cacerts
  Enter keystore password: changeit
  Keystore type: JKS
  Keystore provider: SUN
  Your keystore contains 133 entries
  <snipped various certs>

  
  4. Create the java test file
  $ cat <<EOF >HttpsTester.java
  import java.net.URL;
  import javax.net.ssl.HttpsURLConnection;
  public class HttpsTester {
      public static void main(String[] args) throws java.io.IOException {
          // Opening any HTTPS URL makes the JVM load the default truststore
          HttpsURLConnection connection =
              (HttpsURLConnection) new URL("https://www.ubuntu.com").openConnection();
          System.out.println("Response code: " + connection.getResponseCode());
          System.out.println("It worked!");
      }
  }
  EOF

  
  5. Compile it
  $ javac HttpsTester.java

  
  6. Call it
  $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java HttpsTester
  Response code: 200
  It worked!

  
  7. Call it again, this time set the store password
  $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java \
    -Djavax.net.ssl.trustStorePassword=changeit HttpsTester
  Response code: 200
  It worked!

  
  [Regression Potential]
  * If a user has manually set up their own PKCS12 cacerts and did not update
  /etc/default/cacerts to set "cacerts_updates=no" (from the default of
  "cacerts_updates=yes"), then their custom cacerts will be converted and
  overwritten. Still, a copy of the previous cacerts is kept at
  /etc/ssl/certs/java/cacerts.dpkg-old.

  [Other Info]
  The cacerts keystore fix is related to two bugs:
  1) bug #1739631, fixed by ca-certificates-java 20180413, which changed the
  default keystore type generated by ca-certificates-java to JKS;
  2) bug #1771363, fixed by ca-certificates-java 20180516, which migrates a
  cacerts keystore previously generated in PKCS12 to the correct JKS keystore
  type.

  
  [References]
  [1] The default keystore is defined by the keystore.type in the
  /etc/java-XX-openjdk/security/java.security file.
  
http://hg.openjdk.java.net/jdk-updates/jdk9u/jdk/annotate/46bd35a597eb/src/java.base/share/conf/security/java.security#l186

  [2] JEP 229: Create PKCS12 Keystores by Default
  http://openjdk.java.net/jeps/229
