** Tags added: bionic -- You received this bug notification because you are a member of OpenJDK, which is subscribed to ca-certificates-java in Ubuntu. https://bugs.launchpad.net/bugs/1770553
Title: [SRU] backport ca-certificates-java from cosmic (20180516ubuntu1) Status in ca-certificates-java package in Ubuntu: Confirmed Bug description: [Impact] Any user doing a new install - or upgrading if openjdk was not installed - can be affected as soon as they install any openjdk-11 package. [Cause] The ca-certificate-java version 20170930 (or earlier) used the default keystore to create /etc/ssl/certs/java/cacerts - if the file already existed its contents were just updated without changing the keystore type. From openjdk-9 upwards the default keystore type changed from 'jks' to 'pkcs12' [1] by means of JEP 229 [2]. A JKS keystore can be read without supplying a password (or by supplying an empty one) while a PKCS12 keystore requires a password to be set. Thus a /etc/ssl/certs/java/cacerts created in the pkcs12 format will fail to be loaded as, by default, the truststore password is empty - in order to avoid that the user must set -Djavax.net.ssl.trustStorePassword=<passwd> or define it in /etc/java- XX-openjdk/management/management.properties. A JKS keystore will work normally, as the certificates in it can be ready when the truststore password is empty. Ubuntu does *not* set the javax.net.ssl.trustStorePassword by default thus any user that got a cacerts generated in JKCS12 won't be able to use any secure connections from java. [Test Case with cacerts 20170930ubuntu1 or earlier] Start on a new bionic install/chroot without openjdk 1. Install openjdk-11 $ sudo apt-get install openjdk-11-jdk 2. Test the keystore with an empty password (optional) and make sure it is a PKCS12 $ keytool -list -cacerts Enter keystore password: <leave empty> ***************** WARNING WARNING WARNING ***************** * The integrity of the information stored in your keystore * * has NOT been verified! In order to verify its integrity, * * you must provide your keystore password. * ***************** WARNING WARNING WARNING ***************** Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 0 entries 3. Test with the "changeit" password $ keytool -list -cacerts Enter keystore password: changeit Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 133 entries <snipped various certs> 4. Create the java test file $ cat <<EOF >HttpsTester.java import java.net.URL; import javax.net.ssl.HttpsURLConnection; public class HttpsTester { public static void main(String[] args) throws java.io.IOException { HttpsURLConnection connection = (HttpsURLConnection) new URL("https://www.ubuntu.com").openConnection(); System.out.println("Response code: " + connection.getResponseCode()); System.out.println("It worked!"); } } EOF 5. Compile it $ javac HttpsTester.java 6. Call it $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java HttpsTester 7. Call it again, this time set the store password $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java \ -Djavax.net.ssl.trustStorePassword=changeit HttpsTester Response code: 200 It worked! 8. Install the newer ca-certificates-java 20180516, it should migrate cacerts from PKCS12 to JKS. Check that by running step #2 again $ keytool -list -cacerts Enter keystore password: <leave empty> ***************** WARNING WARNING WARNING ***************** * The integrity of the information stored in your keystore * * has NOT been verified! In order to verify its integrity, * * you must provide your keystore password. * ***************** WARNING WARNING WARNING ***************** Keystore type: JKS Keystore provider: SUN Your keystore contains 133 entries <snipped various certs> 9. The old keystore should be saved in /etc/ssl/certs/java/cacerts.dpkg-old, test it exists: $ keytool -list -keystore /etc/ssl/certs/java/cacerts.dpkg-old Enter keystore password: <leave empty> ***************** WARNING WARNING WARNING ***************** * The integrity of the information stored in your keystore * * has NOT been verified! In order to verify its integrity, * * you must provide your keystore password. * ***************** WARNING WARNING WARNING ***************** Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 0 entries [Test Case with cacerts 20180516 or later] Start on a new bionic install/chroot without openjdk 1. Install openjdk-11 $ sudo apt-get install openjdk-11-jdk 2. Test the keystore with an empty password (optional) and make sure it is a JKS $ keytool -list -cacerts Enter keystore password: ***************** WARNING WARNING WARNING ***************** * The integrity of the information stored in your keystore * * has NOT been verified! In order to verify its integrity, * * you must provide your keystore password. * ***************** WARNING WARNING WARNING ***************** Keystore type: JKS Keystore provider: SUN Your keystore contains 133 entries <snipped various certs> 3. Test with the "changeit" password keytool -list -cacerts Enter keystore password: changeit Keystore type: JKS Keystore provider: SUN Your keystore contains 133 entries <snipped various certs> 4. Create the java test file $ cat <<EOF >HttpsTester.java import java.net.URL; import javax.net.ssl.HttpsURLConnection; public class HttpsTester { public static void main(String[] args) throws java.io.IOException { HttpsURLConnection connection = (HttpsURLConnection) new URL("https://www.ubuntu.com").openConnection(); System.out.println("Response code: " + connection.getResponseCode()); System.out.println("It worked!"); } } EOF 5. Compile it $ javac HttpsTester.java 6. Call it $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java HttpsTester Response code: 200 It worked! 7. Call it again, this time set the store password $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java \ -Djavax.net.ssl.trustStorePassword=changeit HttpsTester Response code: 200 It worked! [Regression Potential] * If a user has manually set his own JKCS12 cacerts and didn't update /etc/default/cacerts to set "cacerts_updates=no" (from the default of "cacerts_updates=yes") then his custom cacerts will be converted and overwritten. Still, a copy from the previous cacert is kept at /etc/ssl/certs/java/cacerts.dpkg-old. [Other Info] The cacerts keystore fix is related to 2 bugs: 1) bug #1739631, fixed by ca-certificates-java-20180413, which changed the default keystore type generated by ca-certificates-java to JKS 2) bug #1771363, fixed by ca-certificates-java-20180516, which migrated cacerts keystore previously generated in PKCS12 to the correct JKS keystore type. [References] [1] The default keystore is defined by the keystore.type in the /etc/java-XX-openjdk/security/java.security file. http://hg.openjdk.java.net/jdk-updates/jdk9u/jdk/annotate/46bd35a597eb/src/java.base/share/conf/security/java.security#l186 [2] JEP 229: Create PKCS12 Keystores by Default http://openjdk.java.net/jeps/229 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1770553/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~openjdk Post to : openjdk@lists.launchpad.net Unsubscribe : https://launchpad.net/~openjdk More help : https://help.launchpad.net/ListHelp