Bug#1039472: ca-certificates-java: openjdk-17 update caused install regressions

[some]

Package: ca-certificates-java
Followup-For: Bug #1039472
Control: severity -1 critical

This makes unrelated software on the system break, making unrelated packages 
unusable without guidance on how to fix it.

Bug#1039472: ca-certificates-java: openjdk-17 update caused install regressions

[Andreas Beckmann]

Followup-For: Bug #1039472
X-Debbugs-Cc: t...@security.debian.org
Control: found -1 20190909
Control: tag -1 patch

This affects bullseye as well:

bullseye# apt-get install openjdk-17-jre-headless=17.0.7+7-1~deb11u1

fails with

...
  Setting up ca-certificates-java (20190909) ...
  head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or 
directory
  Exception in thread "main" java.lang.InternalError: Error loading 
java.security file
at java.base/java.security.Security.initialize(Security.java:106)
at java.base/java.security.Security$1.run(Security.java:84)
at java.base/java.security.Security$1.run(Security.java:82)
at 
java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at java.base/java.security.Security.(Security.java:82)
at java.base/sun.security.jca.ProviderList.(ProviderList.java:178)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
at 
java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at 
java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
at java.base/sun.security.jca.Providers.(Providers.java:55)
at 
java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
at 
java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
at org.debian.security.KeyStoreHandler.(KeyStoreHandler.java:50)
at 
org.debian.security.UpdateCertificates.(UpdateCertificates.java:65)
at 
org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
  dpkg: error processing package ca-certificates-java (--configure):
   installed ca-certificates-java package post-installation script subprocess 
returned error exit status 1
  dpkg: dependency problems prevent configuration of 
openjdk-17-jre-headless:amd64:
   openjdk-17-jre-headless:amd64 depends on ca-certificates-java (>= 
20190405~); however:
Package ca-certificates-java is not configured yet.

  dpkg: error processing package openjdk-17-jre-headless:amd64 (--configure):
   dependency problems - leaving unconfigured
  Processing triggers for libc-bin (2.31-13+deb11u6) ...
  Processing triggers for ca-certificates (20210119) ...
  Updating certificates in /etc/ssl/certs...
  0 added, 0 removed; done.
  Running hooks in /etc/ca-certificates/update.d...

  /etc/ca-certificates/update.d/jks-keystore: 82: java: not found
  E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
  done.
  Errors were encountered while processing:
   ca-certificates-java
   openjdk-17-jre-headless:amd64


And for the reference, 

bookworm# apt-get install openjdk-17-jre=17.0.7+7-1~deb12u1

fails with 

...
  Setting up ca-certificates-java (20230103) ...
  Exception in thread "main" java.lang.InternalError: Error loading 
java.security file
at java.base/java.security.Security.initialize(Security.java:106)
at java.base/java.security.Security$1.run(Security.java:84)
at java.base/java.security.Security$1.run(Security.java:82)
at 
java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at java.base/java.security.Security.(Security.java:82)
at java.base/sun.security.jca.ProviderList.(ProviderList.java:178)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
at 
java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at 
java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
at java.base/sun.security.jca.Providers.(Providers.java:55)
at 
java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
at 
java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
at org.debian.security.KeyStoreHandler.(KeyStoreHandler.java:50)
at 
org.debian.security.UpdateCertificates.(UpdateCertificates.java:65)
at 
org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
  dpkg: error processing package ca-certificates-java (--configure):
   installed ca-certificates-java package post-installation script subprocess 
returned error exit status 1
  dpkg: dependency problems prevent configuration of 
openjdk-17-jre-headless:amd64:
   openjdk-17-jre-headless:amd64 depends on ca-certificates-java (>= 
20190405~); however:
Package ca-certificates-java is not configured yet.
  
  dpkg: error processing package openjdk-17-jre-headless:amd64 (--configure):
   dependency problems - leaving unconfigured
  dpkg: dependency problems prevent configuration of openjdk-17-jre:amd64:
   openjdk-17-jre:amd64 depends on openjdk-17-jre-headless (= 
17.0.7+7-1~deb12u1); however:
Package ope

Bug#1039472: ca-certificates-java: openjdk-17 update caused install regressions

[Andreas Beckmann]

Package: ca-certificates-java
Version: 20230103
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
X-Debbugs-Cc: t...@security.debian.org
Control: fixed -1 20230620

The openjdk-17 upload to bookworm-security caused regressions when
installing openjdk/ca-certificates-java similar to 
https://bugs.debian.org/1035416
This has been fixed in ca-certificates-java 20230620 in sid (as well as
for openjdk-21 in experimental) and I veryfied that rebuilding that
package for bookworm fixes the issue there, too.

So far I did't see that this regression affects bullseye as well.


Andreas