[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
Launchpad has imported 20 comments from the remote bug at http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=356.

If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2009-06-25T14:26:48+00:00 Matthias Klose wrote:

IcedTea6-1.5:

keytool error: java.security.NoSuchAlgorithmException: SHA384withECDSA Signature not available
error adding /etc/ssl/certs/COMODO_ECC_Certification_Authority.pem

Reply at: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/392104/comments/2

On 2009-07-06T18:39:23+00:00 Pantelis Koukousoulas wrote:

Created attachment 240
A small testcase that illustrates the missing SHA384withECDSA Signature Algorithm problem.

Reply at: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/392104/comments/13

On 2009-07-07T15:26:00+00:00 ankostis wrote:

* Needed to add a suitable for 'SHA384withECDSA' provider into 'java.security' config-file.
* Supposedly SHA384withECDSA provided by sun.security.pkcs11.SunPKCS11 with NSS as the native backend, as described in:
    http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider
  with the following config-file:
    name = NSS
    nssLibraryDirectory = /opt/tests/nss/lib
    nssDbMode = noDb
    attributes = compatibility
* In fedora needed to install nss-devel-3.12.3-4.fc11.i586 due to a missing NSS lib.
* Debug java-prop: java.security.debug={all|provider|sunpkcs11}
* But NSS does *NOT* by default compile ECC! according to:
    http://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html
* BUT Testcrypto.java TestCase also fails in sun's jdk!!

Reply at: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/392104/comments/14

On 2009-07-07T16:35:10+00:00 ankostis wrote:

Managed to import COMODO's ECC certificate.
This bug is present also in sun's JDK and it gets fixed as prescribed by Andreas Sterbenz:
  http://blogs.sun.com/andreas/entry/the_java_pkcs_11_provider

We need to add the 'sun.security.pkcs11.SunPKCS11' provider with a single config-arg pointing to a file containing the following properties:
    name = NSS
    nssLibraryDirectory = /usr/lib
    nssDbMode = noDb
    attributes = compatibility

Tested on:
* Gentoo, needs devlibs/nss installed and a minor config modification:
    nssLibraryDirectory=/usr/lib/nss
  and it works ok.
* Debian just needs libnss3-1d installed, and it also works ok.
* Fedora's NSS, by default is compiled most probably *without* ECC! So it fails.
  (see: http://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html)

Reply at: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/392104/comments/15

On 2009-07-14T20:47:45+00:00 Jon-vanalten wrote:

I'll be the first to admit I know little about nss, but it looks like you're absolutely correct as some others have had similar issues:
https://bugzilla.redhat.com/show_bug.cgi?id=492124

May I suggest that you post these details (or simply a link to this bug) in a new nss bug on the Red Hat bugzilla:
https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora

I'd do so myself but it's not my itch to scratch :D (more importantly, someone with more intimate knowledge of the issue could contribute more meaningfully to the report).

From the above convo and the bits I've read elsewhere on the subject it seems this is not an IcedTea bug, so I'm closing this. Feel free to reopen if I am mistaken.

Reply at: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/392104/comments/16

On 2009-07-14T21:05:21+00:00 Matthias Klose wrote:

are you sure about closing the report? At least java.security needs to be aware of the new security provider. One possibility would be a configure check in IcedTea, and modification of the java.security file.
Reply at: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/392104/comments/17

On 2009-07-14T21:46:29+00:00 Jon-vanalten wrote:

Fairly sure. From Andreas Sterbenz's 2006 blog posting linked by Kostis in comment #2 and #3, programs wishing to use this (not new) provider should add it (ie Security.insertProviderAt(nss, 1); at runtime, and set up config file as described.

So unless I have misunderstood completely, this is not a build or configure
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
** Changed in: ca-certificates-java (Debian)
   Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/392104

Title:
  [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing

To manage notifications about this bug go to:
https://bugs.launchpad.net/icedtea/+bug/392104/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
** Changed in: icedtea
   Importance: Unknown => Medium
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
** Branch linked: lp:debian/ca-certificates-java
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
openjdk now supports PKCS11 cryptography via NSS, all certificates in ca-certificates can be imported

** Changed in: ca-certificates-java (Ubuntu)
   Status: In Progress => Fix Released

** Changed in: openjdk-6 (Ubuntu)
   Status: In Progress => Fix Released
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
** Changed in: openjdk-6 (Ubuntu)
   Status: New => In Progress

** Changed in: ca-certificates-java (Ubuntu)
   Status: Fix Released => In Progress
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
** Changed in: icedtea
   Status: In Progress => Fix Released
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
** Changed in: icedtea
   Status: Confirmed => In Progress
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
During our little coding camp in Greece, this was one of the issues we looked into. It turns out it is possible to use libnss as a PKCS11 provider, thereby making the import of the specific certificate (and potential others in the future that want to use the same algorithm) work.

The details are in http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=356

Since it only needs a new dependency openjdk - libnss and a simple config file this should be a viable solution.

There is already a patched version of openjdk in my ppa:
https://launchpad.net/~pktoss/+archive/ppa/
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
I've unsubscribed ubuntu-main-sponsors to get this off the sponsorship list, as there doesn't appear to be anything to sponsor for openjdk-6 right now. Please resubscribe if necessary.
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
This is currently thwarting the 389 Directory Server project at https://launchpad.net/~ubuntu-389-directory-server

It is also affecting bug 382261

Please fix ASAP!
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
** Changed in: ca-certificates-java (Ubuntu)
   Status: New => In Progress

** Changed in: ca-certificates-java (Ubuntu)
   Assignee: (unassigned) => Thierry Carrez (ttx)
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
ca-certificates-java with SHA384withECDSA certificates filtering

Results for initial install (postinst):

creating /etc/ssl/certs/java/cacerts...
  removed untrusted certificate mozilla/Equifax_Secure_Global_eBusiness_CA.crt
  removed untrusted certificate mozilla/UTN_USERFirst_Object_Root_CA.crt
  ignored certificate mozilla/COMODO_ECC_Certification_Authority.crt (SHA384withECDSA unsupported)
Certificate was added to keystore
  added certificate mozilla/DigiNotar_Root_CA.crt
Certificate was added to keystore
  added certificate mozilla/Network_Solutions_Certificate_Authority.crt
Certificate was added to keystore
  added certificate mozilla/WellsSecure_Public_Root_Certificate_Authority.crt
done.

Results for ca-certificates upgrade (hook):

Updating certificates in /etc/ssl/certs... 4 added, 2 removed; done.
Running hooks in /etc/ca-certificates/update.d
updating keystore /etc/ssl/certs/java/cacerts...
  ignored (SHA384withECDSA unsupported): /etc/ssl/certs/COMODO_ECC_Certification_Authority.pem
Certificate was added to keystore
  added: /etc/ssl/certs/DigiNotar_Root_CA.pem
Certificate was added to keystore
  added: /etc/ssl/certs/Network_Solutions_Certificate_Authority.pem
Certificate was added to keystore
  added: /etc/ssl/certs/WellsSecure_Public_Root_Certificate_Authority.pem
  does not exists: /etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem
  does not exists: /etc/ssl/certs/UTN_USERFirst_Object_Root_CA.pem
done.
done.

** Attachment added: ca-certificates-java_20081028ubuntu1.debdiff
   http://launchpadlibrarian.net/28500622/ca-certificates-java_20081028ubuntu1.debdiff
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
Like Matthias said, it's better to workaround it in ca-certificates-java.

** Changed in: ca-certificates (Ubuntu)
   Status: Confirmed => Invalid

** Changed in: ca-certificates-java (Ubuntu)
   Status: In Progress => Confirmed

** Changed in: ca-certificates-java (Ubuntu)
   Assignee: Thierry Carrez (ttx) => (unassigned)
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
Hmm... This fails to build on an uptodate karmic buildd because the current ca-certificates-java gets installed as a build dependency... which fails with ca-certificates-20090624.

I guess it's necessary to first revert ca-certificates, build ca-certificates-java, then resync ca-certificates ?
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
ca-certificates-20090624build1 uploaded (not running the hooks), ca-certificates-java 20090629 needs a sync from Debian unstable/incoming
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
fixed in ca-certificates-java 20090629

** Changed in: ca-certificates-java (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
** Changed in: ca-certificates-java (Debian)
   Status: New => Confirmed
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
Proposed quick fix for ca-certificates (avoid installing the certificate in question).

** Attachment added: ca-certificates_20090624ubuntu1.debdiff
   http://launchpadlibrarian.net/28369803/ca-certificates_20090624ubuntu1.debdiff

** Changed in: ca-certificates (Ubuntu)
   Status: New => Confirmed
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
** Changed in: ca-certificates-java (Debian)
   Status: Unknown => New
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
** Also affects: openjdk-6 (Ubuntu)
   Importance: Undecided
   Status: New

** Bug watch added: Iced Tea Bugzilla #356
   http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=356

** Also affects: icedtea via
   http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=356
   Importance: Unknown
   Status: Unknown
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
could we fix this in ca-certificates-java instead by checking the signature type, and then omit it?
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
** Changed in: icedtea
   Status: Unknown => Confirmed
[Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
We could use openssl in jks-keystore.hook to decode proposed .pem contents and specifically exclude the one(s) with:
Signature Algorithm: 1.2.840.10045.4.3.3
(which maps to SHA384withECDSA according to http://javadoc.iaik.tugraz.at/cms_smime/current/iaik/cms/CMSAlgorithmID.html)

I'm just unsure that would be the only one we would want to exclude...
Re: [Bug 392104] Re: [Karmic] Update to ca-certificates 20090624 prevents ca-certificates-java from installing
On Thu, Jun 25, 2009 at 03:10:53PM -, Thierry Carrez wrote:
> We could use openssl in jks-keystore.hook to decode proposed .pem contents and specifically exclude the one(s) with:
> Signature Algorithm: 1.2.840.10045.4.3.3
> (which maps to SHA384withECDSA according to http://javadoc.iaik.tugraz.at/cms_smime/current/iaik/cms/CMSAlgorithmID.html)
>
> I'm just unsure that would be the only one we would want to exclude...

Currently, yes. AFAICS.

Kind regards,
Philipp Kern
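
Added example (not part of the thread, and not the actual jks-keystore.hook): a sketch of the openssl-based signature-algorithm check proposed above, written so that a certificate that cannot be decoded is never imported. All function names and the sample text are hypothetical; the only algorithm on the list is the one the thread names, matched both as the bare OID and as the name newer OpenSSL releases print for it.

```sh
#!/bin/sh
# Added example: not the real jks-keystore.hook. Function names are hypothetical.

# Signature algorithms to keep out of the Java keystore. The thread names one:
# SHA384withECDSA, OID 1.2.840.10045.4.3.3. An OpenSSL that does not know the
# OID prints it numerically; newer releases print ecdsa-with-SHA384.
UNSUPPORTED_SIGALGS="1.2.840.10045.4.3.3 ecdsa-with-SHA384"

# stdin: output of `openssl x509 -noout -text`; prints the first
# "Signature Algorithm:" value, or nothing if there is none.
sigalg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Succeeds (0) when $1 is on the unsupported list.
is_unsupported_sigalg() {
    for known in $UNSUPPORTED_SIGALGS; do
        [ "$1" = "$known" ] && return 0
    done
    return 1
}

# stdin: decoded certificate text; prints "ignore <alg>", "import <alg>" or
# "error no-signature-algorithm" (undecodable input is never imported).
classify_text() {
    alg=$(sigalg_from_text)
    if [ -z "$alg" ]; then
        echo "error no-signature-algorithm"
    elif is_unsupported_sigalg "$alg"; then
        echo "ignore $alg"
    else
        echo "import $alg"
    fi
}

# Decode one PEM file with openssl and classify it.
classify_pem() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | classify_text
}

# Constructed sample of decoded output for a given algorithm string.
sample_text() {
    cat <<EOF
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: $1
        Issuer: CN=Constructed Sample CA
    Signature Algorithm: $1
EOF
}

# When run with PEM paths as arguments, report a verdict for each.
for pem in "$@"; do
    echo "$(classify_pem "$pem"): $pem"
done
```

A hook would call the keystore import only for files whose verdict starts with "import", and log the others the way the postinst output earlier in this thread does.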