Bastien Roucariès pushed to branch buster at Debian Java Maintainers / ca-certificates-java
Commits: 3a3d56af by Bastien Roucariès at 2026-02-27T22:59:06+01:00 Add changelog entry - - - - - 76e2ba2c by Bastien Roucariès at 2026-02-27T22:59:28+01:00 Harden conversion from pkcs12 to jks - - - - - c555f59e by Bastien Roucariès at 2026-02-27T22:59:30+01:00 Fix some nitpick reported by arnaudr co-author: Arnaud Rebillout <[email protected]> - - - - - 35bf361c by Arnaud Rebillout at 2026-02-27T22:59:32+01:00 Fix the bogus comparison for the keystore magic The `\x` is a bashism, it's not supported in eg. sh or dash: $ sh -c "echo -en '\xfe\xed\xfe\xed'" -en \xfe\xed\xfe\xed So it looks like this comparison never worked, ever? Fix it by comparing the hexadecimal output instead. - - - - - 2 changed files: - debian/ca-certificates-java.postinst - debian/changelog Changes: ===================================== debian/ca-certificates-java.postinst ===================================== 
@@ -26,9 +26,68 @@ check_proc()
 fi
 }
+check_cacerts_store_format()
+{
+ local file="$1"
+ local pass="$2"
+ local output=
+ local type=
+ local status=
+
+ output=$(keytool -list -keystore "$file" -storepass "$pass" 2>&1)
+ status=$?
+ if [ $status -ne 0 ] ; then
+ echo "ERROR: keytool probing '$file' failed (exit code $status)" >&2
+ echo "$output" | head >&2
+ return $status
+ fi
+
+ local type
+ type=$(
+ printf "%s\n" "$output" |
+ tr '[:upper:]' '[:lower:]' |
+ sed -n '
+ /^[[:space:]]*keystore[[:space:]]*type[[:space:]]*:/ {
+ s/^[[:space:]]*keystore[[:space:]]*type[[:space:]]*:[[:space:]]*//;
+ s/^[[:space:]]*//;
+ s/[[:space:]]*$//;
+ p
+ }
+ '
+ )
+
+ if [ -z "$type" ]; then
+ echo "ERROR: keytool probing '$file' failed to find keystore type" >&2
+ return 1
+ fi
+
+ echo "$type"
+ return 0
+}
+
 convert_pkcs12_keystore_to_jks()
 {
+ local type
+
 check_proc
+ if ! type=$(check_cacerts_store_format /etc/ssl/certs/java/cacerts "$storepass"); then
+ exit $?
+ fi
+
+ case "$type" in
+ jks)
+ # here we race
+ return 0
+ ;;
+ pkcs12)
+ # continue
+ ;;
+ *)
+ echo "failed to convert PKCS12 keystore to JKS, unknown /etc/ssl/certs/java/cacerts format '$type'" >&2
+ exit 1
+ ;;
+ esac
+
 if ! keytool -importkeystore \
 -srckeystore /etc/ssl/certs/java/cacerts \
 -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
@@ -146,7 +205,7 @@ if [ "$1" = "configure" ]; then
 if dpkg --compare-versions "$2" lt-nl "20180516"; then
 if [ -e /etc/ssl/certs/java/cacerts ] && \
- [ "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then
+ [ "$(head -c4 /etc/ssl/certs/java/cacerts | od -A n -t x1 | tr -d ' ')" != "feedfeed" ]; then
 touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
 fi
 fi
===================================== debian/changelog =====================================
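Review bot: In `convert_pkcs12_keystore_to_jks`, the `exit $?` inside `if ! type=$(check_cacerts_store_format ...); then` exits with status 0, because in the `then` branch `$?` holds the status of the negated condition, not keytool's exit code. A failed probe of the trust store would therefore end the maintainer script with success, leaving the package reported as configured although the keystore was neither verified nor converted. Replacing the three lines with `type=$(check_cacerts_store_format /etc/ssl/certs/java/cacerts "$storepass") || exit $?` keeps the real status. Separately, `check_cacerts_store_format` declares `local type` twice and the second declaration can be dropped. The body of `convert_pkcs12_keystore_to_jks` continues past the end of the hunk.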
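Review bot: The literal `feedfeed` in the `configure` branch is unexplained; a comment above the test such as `# JKS keystores start with the magic bytes fe ed fe ed; any other header is queued for conversion` would say why a mismatch touches the flag file. An empty or truncated `cacerts` also fails this comparison and gets queued, so rejecting such a file is left to whatever later consumes the flag, presumably the keytool probe added in `convert_pkcs12_keystore_to_jks`. Since the commit is about portability, `od -A n -t x1 -N 4 /etc/ssl/certs/java/cacerts` would read the four bytes without the `head -c4` stage. The enclosing `if [ "$1" = "configure" ]` block starts and ends outside the hunk.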
@@ -1,3 +1,10 @@
+ca-certificates-java (20230710~deb12u1~deb11u1~deb10u2) unstable; urgency=medium
+
+ * Non-maintainer upload by ELTS team.
+ * Harden conversion of PKCS12 to JKS for easing upgrade from stretch security
+
+ -- Bastien Roucariès <[email protected]> Fri, 27 Feb 2026 22:58:36 +0100
+
 ca-certificates-java (20230710~deb12u1~deb11u1~deb10u1) buster-security; urgency=medium
 * Non-maintainer upload by ELTS team.
View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/compare/dbb7fb503f49c90ec0fa79cd9fceea6a1635f40b...35bf361cab9f5a1c0d9e9d6596df1501646a9197 -- View it on GitLab: https://salsa.debian.org/java-team/ca-certificates-java/-/compare/dbb7fb503f49c90ec0fa79cd9fceea6a1635f40b...35bf361cab9f5a1c0d9e9d6596df1501646a9197 You're receiving this email because of your account on salsa.debian.org.

