Bug#795244: ca-certificates-java.jar - String index out of range: -1

2020-04-02 Thread Luca Capello
tags 795244 + patch
thanks

Hi there,

On Thu, 12 Apr 2018 16:11:08 +0200, Raphael Hertzog wrote:
> On Wed, 12 Aug 2015, Christian Hammers wrote:
> > It does not work though:
> > 
> > # java -Xmx64m -jar /usr/share/ca-certificates-java/ca-certificates-java.jar -storepass changeit
> 
> That's because the program expects data on standard input. A list of
> certificates to add (prefixed with "+") or remove (prefixed with "-").
> 
> I'm not sure that there's a real issue here.

Thus, what is the purpose of the same command in
/etc/ca-certificates/update.d/jks-keystore?  As the reporter said the
command line was taken from that file.  Disclaimer: I am not a Java
expert...

While the /usr/share/doc/ca-certificates-java/README.Debian says that
the package "doesn't automagically handle local certificates" (as
Michael Shuler noted[1]), the solution is quite simple and can be
directly taken from postinst:
```
diff --git a/ca-certificates/update.d/jks-keystore 
b/ca-certificates/update.d/jks-keystore
index e0c3445..b5744ce 100755
--- a/ca-certificates/update.d/jks-keystore
+++ b/ca-certificates/update.d/jks-keystore
@@ -79,7 +79,19 @@ do_cleanup()
 fi
 }
 
-if java -Xmx64m -jar $JAR -storepass "$storepass"; then
+## 
+find /etc/ssl/certs -name \*.pem | \
+while read filename; do
+alias=$(basename $filename .pem | tr A-Z a-z | tr -cs a-z0-9 _)
+alias=${alias%*_}
+if [ -n "$FIXOLD" ]; then
+echo "-${alias}"
+echo "-${alias}_pem"
+fi
+echo "+${filename}"
+ done | \
+ java -Xmx64m -jar $JAR -storepass "$storepass"
+if [ $? -eq 0 ]; then
 do_cleanup
 else
 do_cleanup
```
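
Review bot: the `java` call at the end of the new pipeline reads only the list generated by the `find` loop, so whatever the hook receives on its own standard input is no longer passed to the jar, and with `FIXOLD` unset the loop emits only `+` lines; a certificate that disappears from /etc/ssl/certs would then never be removed from the keystore. Consider forwarding the hook's stdin as well, or emitting the matching `-` entries. In the loop itself, `basename $filename .pem` is unquoted and `read` is used without `-r`, so a path containing whitespace or a backslash is mangled; `while IFS= read -r filename` with `"$filename"` avoids that. `FIXOLD` is tested but is not set anywhere in the visible lines of this hook, so it is worth stating where the value is expected to come from.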

[1] 

The only drawback is that the cacerts default keystore will be updated
at every invocation of update-ca-certificates.

I am aware that the very same README advises to use
`update-ca-certificates -f` for a full re-import, but IMHO the patch
proposed is more consistent with the "normal" update-ca-certificates
behavior.

Thx, bye,
Luca

-- 
Dr. Luca Capello
Ingénieur HPC
Division du Système et des Technologies de l'Information et de la Communication
Université de Genève | 24 rue Général-Dufour
Tél +41 22 379 72 42 | Bureau 151
https://hpc-community.unige.ch
mailto:luca.cape...@unige.ch




Bug#795244: ca-certificates-java.jar - String index out of range: -1

2018-04-12 Thread Raphael Hertzog
Hello,

On Wed, 12 Aug 2015, Christian Hammers wrote:
> It does not work though:
> 
> # java -Xmx64m -jar /usr/share/ca-certificates-java/ca-certificates-java.jar -storepass changeit

That's because the program expects data on standard input. A list of
certificates to add (prefixed with "+") or remove (prefixed with "-").

I'm not sure that there's a real issue here.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Bug#795244: ca-certificates-java.jar - String index out of range: -1

2015-08-12 Thread Michael Shuler

Control: reassign 795244 ca-certificates-java 20140324

On 08/12/2015 03:35 AM, Christian Hammers wrote:

> One of my Java applications does not recognize a CA certificate from
> /usr/local/share/ca-certificates/ as valid so I tried the following
> program in the hope it would somehow update the Java Keystore.
>
> It does not work though:
>
>  # java -Xmx64m -jar /usr/share/ca-certificates-java/ca-certificates-java.jar -storepass changeit
>
>  Exception in thread "main" java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>      at java.lang.String.substring(String.java:1875)
>      at org.debian.security.UpdateCertificates.parseLine(UpdateCertificates.java:89)
>      at org.debian.security.UpdateCertificates.processChanges(UpdateCertificates.java:76)
>      at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:53)
>
> The command line options were taken from
> /etc/ca-certificates/update.d/jks-keystore.
>
> Maybe this is caused by limited network connectivity as the server
> is behind a firewall but even in this case, the error message is a
> bit vague.


I'm assigning this to the correct package.

/usr/share/doc/ca-certificates-java/README.Debian says it "doesn't 
automagically handle local certificates" - just an observation.


--
Kind regards,
Michael



Bug#795244: ca-certificates-java.jar - String index out of range: -1

2015-08-12 Thread Christian Hammers
Package: ca-certificates
Version: 20141019
Severity: normal

One of my Java applications does not recognize a CA certificate from
/usr/local/share/ca-certificates/ as valid so I tried the following
program in the hope it would somehow update the Java Keystore.

It does not work though:

# java -Xmx64m -jar /usr/share/ca-certificates-java/ca-certificates-java.jar -storepass changeit

Exception in thread "main" java.lang.StringIndexOutOfBoundsException: String index out of range: -1
    at java.lang.String.substring(String.java:1875)
    at org.debian.security.UpdateCertificates.parseLine(UpdateCertificates.java:89)
    at org.debian.security.UpdateCertificates.processChanges(UpdateCertificates.java:76)
    at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:53)

The command line options were taken from 
/etc/ca-certificates/update.d/jks-keystore.

Maybe this is caused by limited network connectivity as the server
is behind a firewall but even in this case, the error message is a
bit vague.

best regards

-christian-


-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  openssl                1.0.1k-3+deb8u1

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information: