Using the tested I confirm that a previous PKCS12 keystore cacerts was successfully converted to a JKS format. Other users reported the same in bug 1770553.
** Tags removed: verification-needed verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of OpenJDK, which is subscribed to ca-certificates-java in Ubuntu. https://bugs.launchpad.net/bugs/1771363 Title: ca-certificates-java: convert PKCS12 cacerts keystore to JKS Status in ca-certificates-java package in Ubuntu: Fix Released Status in ca-certificates-java source package in Bionic: Fix Committed Status in ca-certificates-java package in Debian: Fix Released Bug description: [Impact] Any user already affected by the issue described in bug 1739631 won't benefit from the fix as that fix only prevents the issue from happening in new installs. [Cause] Same as described in bug 1739631 and copied here. The ca-certificate-java version 20170930 (or earlier) used the default keystore to create /etc/ssl/certs/java/cacerts - if the file already existed its contents were just updated without changing the keystore type. From openjdk-9 upwards the default keystore type changed from 'jks' to 'pkcs12' [1] by means of JEP 229 [2]. A JKS keystore can be read without supplying a password (or by supplying an empty one) while a PKCS12 keystore requires a password to be set. Thus a /etc/ssl/certs/java/cacerts created in the pkcs12 format will fail to be loaded as, by default, the truststore password is empty - in order to avoid that the user must set -Djavax.net.ssl.trustStorePassword=<passwd> or define it in /etc/java- XX-openjdk/management/management.properties. A JKS keystore will work normally, as the certificates in it can be ready when the truststore password is empty. Ubuntu does *not* set the javax.net.ssl.trustStorePassword by default thus any user that got a cacerts generated in JKCS12 won't be able to use any secure connections from java. [Test Case] Start on a new bionic install/chroot without openjdk 1. Install openjdk-11 $ sudo apt-get install openjdk-11-jdk 2. Test the keystore with an empty password (optional) and make sure it is a PKCS12 $ keytool -list -cacerts Enter keystore password: <leave empty> ***************** WARNING WARNING WARNING ***************** * The integrity of the information stored in your keystore * * has NOT been verified! In order to verify its integrity, * * you must provide your keystore password. * ***************** WARNING WARNING WARNING ***************** Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 0 entries 3. Test with the "changeit" password $ keytool -list -cacerts Enter keystore password: changeit Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 133 entries <snipped various certs> 4. Create the java test file $ cat <<EOF >HttpsTester.java import java.net.URL; import javax.net.ssl.HttpsURLConnection; public class HttpsTester { public static void main(String[] args) throws java.io.IOException { HttpsURLConnection connection = (HttpsURLConnection) new URL("https://www.ubuntu.com";).openConnection(); System.out.println("Response code: " + connection.getResponseCode()); System.out.println("It worked!"); } } EOF 5. Compile it $ javac HttpsTester.java 6. Call it $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java HttpsTester 7. Call it again, this time set the store password $ /usr/lib/jvm/java-11-openjdk-amd64/bin/java \ -Djavax.net.ssl.trustStorePassword=changeit HttpsTester Response code: 200 It worked! 8. Install the newer ca-certificates-java 20180516, it should migrate cacerts from PKCS12 to JKS. Check that by running step #2 again $ keytool -list -cacerts Enter keystore password: <leave empty> ***************** WARNING WARNING WARNING ***************** * The integrity of the information stored in your keystore * * has NOT been verified! In order to verify its integrity, * * you must provide your keystore password. * ***************** WARNING WARNING WARNING ***************** Keystore type: JKS Keystore provider: SUN Your keystore contains 133 entries <snipped various certs> 9. The old keystore should be saved in /etc/ssl/certs/java/cacerts.dpkg-old, test it exists: $ keytool -list -keystore /etc/ssl/certs/java/cacerts.dpkg-old Enter keystore password: <leave empty> ***************** WARNING WARNING WARNING ***************** * The integrity of the information stored in your keystore * * has NOT been verified! In order to verify its integrity, * * you must provide your keystore password. * ***************** WARNING WARNING WARNING ***************** Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 0 entries [Regression Potential] * If a user has manually set his own JKCS12 cacerts and didn't update /etc/default/cacerts to set "cacerts_updates=no" (from the default of "cacerts_updates=yes") then his custom cacerts will be converted and overwritten. Still, a copy from the previous cacert is kept at /etc/ssl/certs/java/cacerts.dpkg-old. [Other Info] The cacerts keystore fix is related to 2 bugs: 1) bug #1739631, fixed by ca-certificates-java-20180413, which changed the default keystore type generated by ca-certificates-java to JKS [References] [1] The default keystore is defined by the keystore.type in the /etc/java-XX-openjdk/security/java.security file. http://hg.openjdk.java.net/jdk-updates/jdk9u/jdk/annotate/46bd35a597eb/src/java.base/share/conf/security/java.security#l186 [2] JEP 229: Create PKCS12 Keystores by Default http://openjdk.java.net/jeps/229 [Original bug description] The fix for Debian #894979 and Ubuntu bug #1739631 which updated ca-certificates-java to generate JKS keystores by default - instead OpenJDK's 9+ default of PKCS12 - only fixes new installs. Any user already affected by that issue won't benefit from the fix, as the file /etc/ssl/certs/java/cacerts is at most updated by the jks-keystore hook. The only way to actually change it from the PKCS12 to the JKS format is to remove the cacerts file and then calling 'update-ca-certificates -f' - which is also accomplished by removing and then reinstalling the ca-certificates-java package. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1771363/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~openjdk Post to : openjdk@lists.launchpad.net Unsubscribe : https://launchpad.net/~openjdk More help : https://help.launchpad.net/ListHelp
