Bastien Roucariès pushed to branch master at Debian Java Maintainers /
ca-certificates-java
Commits:
bb7b99c0 by Bastien Roucariès at 2026-02-24T20:43:29+01:00
Harden conversion from pkcs12 to jks
- - - - -
1 changed file:
- debian/ca-certificates-java.postinst
Changes:
=====================================
debian/ca-certificates-java.postinst
=====================================
@@ -26,9 +26,66 @@ check_proc()
fi
}
+check_cacerts_store_format()
+{
+ local file="$1"
+ local pass="$2"
+
+ output=$(LC_ALL="C" keytool -list -keystore "$file" -storepass "$pass"
2>&1)
+ status=$?
+ if [ $status -ne 0 ] ; then
+ echo >&2 "ERROR: keytool probing '$file' failed (exit code $status)"
>&2
+ echo "$output" >&2
+ return $status
+ fi
+
+ local type
+ type=$(
+ printf "%s\n" "$output" |
+ tr '[:upper:]' '[:lower:]' |
+ sed -n '
+ /^[[:space:]]*keystore[[:space:]]*type[[:space:]]*:/ {
+ s/^[[:space:]]*keystore[[:space:]]*type[[:space:]]*:[[:space:]]*//;
+ s/^[[:space:]]*//;
+ s/[[:space:]]*$//;
+ p
+ }
+ '
+ )
+
+ if [ -z "$type" ]; then
+ echo >&2 "ERROR: keytool probing '$file' failed to find keystore type"
>&2
+ echo "$output" >&2
+ return 1
+ fi
+
+ echo "$type"
+ return 0
+}
+
convert_pkcs12_keystore_to_jks()
{
+ local type
+
check_proc
+ if ! type=$(check_cacerts_store_format /etc/ssl/certs/java/cacerts
"$storepass"); then
+ exit $?
+ fi
+
+ case "$type" in
+ jks)
+ # here we race
+ return 0
+ ;;
+ pkcs12)
+ # continue
+ ;;
+ *)
+ echo "failed to convert PKCS12 keystore to JKS unknown
/etc/ssl/certs/java/cacerts format '$type'" >&2
+ exit 1
+ ;;
+ esac
+
if ! keytool -importkeystore \
-srckeystore /etc/ssl/certs/java/cacerts \
-destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
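Review bot: In convert_pkcs12_keystore_to_jks the failure branch `if ! type=$(check_cacerts_store_format …); then exit $?; fi` exits with status 0, because inside the `then` branch `$?` holds the result of the negated condition rather than the function's exit code. A failed probe of the trust store would therefore appear to end the maintainer script as a success, with the stderr message as the only trace and the store left unconverted. Using `||` preserves the status: `type=$(check_cacerts_store_format /etc/ssl/certs/java/cacerts "$storepass") || exit $?`. In check_cacerts_store_format, `output` and `status` are assigned without `local`, unlike `file`, `pass` and `type`, so they leak into the script's globals; a `local output status` line before the keytool call would contain them. The body of convert_pkcs12_keystore_to_jks continues past the end of the hunk.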
View it on GitLab:
https://salsa.debian.org/java-team/ca-certificates-java/-/commit/bb7b99c055a9b1bc3affc41b93b6bccc992b9e29