Bug 682308 - dev-java/openjdk should install certificates from /etc/ssl/certs instead of /usr/share/ca-certificates
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Georgy Yakovlev
Reported: 2019-04-02 08:42 UTC by Joakim Tjernlund
Modified: 2019-05-10 18:16 UTC
Description Joakim Tjernlund 2019-04-02 08:42:15 UTC
Currently openjdk installs certs into openjdk from /usr/share/ca-certificates,
but this cert store does not include locally installed certs.

/etc/ssl/certs holds the sum of all certs used on the system, so best use that.
Comment 1 Joakim Tjernlund 2019-04-02 17:12:20 UTC
Made my own openjdk-8.212_p02 and replaced the cert path with
  "${EPREFIX}"/etc/ssl/certs/*.pem
seems to work fine.
Comment 2 Georgy Yakovlev archtester gentoo-dev 2019-04-16 19:30:27 UTC
I'll see what I can do here. Ideally I'd get rid of this conversion script completely if it's possible.
Comment 3 Joakim Tjernlund 2019-04-22 16:11:49 UTC
Why did you add new openjdk ebuilds with the old cert path?
Could you at least use  "${EPREFIX}"/etc/ssl/certs/*.pem until
you have figured out something better?
Comment 4 Georgy Yakovlev archtester gentoo-dev 2019-04-22 17:10:40 UTC
because one will have to re-emerge openjdk or update the keystore manually if the cert configuration changes, if I point it to /etc.

currently you are free to update the keystore manually; you can create a portage hook that generates certs according to your preference.

unsuspecting users should have java that just works.

I'm thinking of installing a hook into /etc/ca-certificates/update.d, which will re-generate the keystore each time update-ca-certificates is run.

that way:
1) users will get a custom set of ca-certs in the keystore on installation if we point the script to /etc
2) if users update the ca cert config, the keystore will be updated.
win-win
Comment 5 Joakim Tjernlund 2019-04-22 21:09:42 UTC
(In reply to Georgy Yakovlev from comment #4)
> because one will have to re-emerge openjdk or update keystore manually if
> cert configuration changes if I point it to /etc.

How so? Or how is this different from today's use of /usr/share/ca-certificates?

> 
> currently you are free to update keystore manually, you can create a portage
> hook that generates certs according to your preference.
> 
> unsuspecting users should have java that just works.

Exactly, and by using /etc instead you get a few more certs: not only
the ones in /usr/share/ca-certificates but the locally installed ones too.

> 
> I'm thinking on installing a hook into /etc/ca-certificates/update.d, which
> will re-generate keystore each time update-ca-certificates is run.

While we wait for that, using /etc is better than /usr/share/ca-certificates.
That is really my point.

> 
> that way:
> 1) users will get custom set of ca-certs in keystore on installation if we
> point the script to /etc
> 2) if users update ca cert config, keystore will be updated.
> win-win
Comment 6 Georgy Yakovlev archtester gentoo-dev 2019-04-25 07:27:17 UTC
here's the initial implementation:

https://github.com/gyakovlev/java-dev-overlay

if you want to help with testing please install baselayout-java and the new openjdk:8 from overlay.

on first installation baselayout-java will generate
/etc/ssl/certs/java/cacerts if it does not exist.

later, every time ca-certificates is updated, the ebuild will run update-ca-certificates and /etc/ssl/certs/java/cacerts will be re-populated.

also, every time the user runs update-ca-certificates, the hook should generate a new keystore with all the certs in the system trust.


openjdk will just use a symlink

/usr/lib/jvm/openjdk-8/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts

openjdk:11 comes with its own bundle in the source.
this will be controlled by a USE flag, something like system-cacerts

the same will happen to openjdk-bin; those come with bundled certs from adoptopenjdk. I'll remove the certs on installation and symlink to /etc/ssl/certs/java/cacerts

how does that sound?
Comment 7 Georgy Yakovlev archtester gentoo-dev 2019-04-25 07:29:43 UTC
what I really need tested is how
trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth /etc/ssl/certs/java/cacerts

handles custom-installed certs.
with my limited testing it handles them just fine, but I'd appreciate it if you gave it more testing.

the trust binary comes from app-crypt/p11-kit and is used by several distros to generate the java cacerts file.
Comment 8 Joakim Tjernlund 2019-04-25 12:24:41 UTC
(In reply to Georgy Yakovlev from comment #7)
> what I really need testing is how
> trust extract --overwrite --format=java-cacerts --filter=ca-anchors
> --purpose server-auth /etc/ssl/certs/java/cacerts
> 
> handles custom-installed certs.
> with my limited testing it handles it just fine, but I'll appreciate if you
> give it more testing.
> 
> trust binary comes from app-crypt/p11-kit and is used by several distros to
> generate java cacert file.

This looks really great! Thanks.

A bit short on time ATM, but I have added /etc/ssl/certs/java/cacerts
and created symlinks from openjdk-8 and openjdk-11 in our internal Gentoo img.

If something breaks I will hear about it, but it will take some time (a few weeks).
Comment 9 Joakim Tjernlund 2019-04-25 12:29:03 UTC
(In reply to Georgy Yakovlev from comment #7)
> what I really need testing is how
> trust extract --overwrite --format=java-cacerts --filter=ca-anchors
> --purpose server-auth /etc/ssl/certs/java/cacerts

I see the --purpose server-auth and wonder if this could trip up
Java clients/webstart?
Comment 10 Joakim Tjernlund 2019-05-09 07:06:12 UTC
(In reply to Joakim Tjernlund from comment #8)
> (In reply to Georgy Yakovlev from comment #7)
> > what I really need testing is how
> > trust extract --overwrite --format=java-cacerts --filter=ca-anchors
> > --purpose server-auth /etc/ssl/certs/java/cacerts
> > 
> > handles custom-installed certs.
> > with my limited testing it handles it just fine, but I'll appreciate if you
> > give it more testing.
> > 
> > trust binary comes from app-crypt/p11-kit and is used by several distros to
> > generate java cacert file.
> 
> This look really great ! Thanks.
> 
> A bit short for time ATM but I have added /etc/ssl/certs/java/cacerts
> and created symlinks from openjdk-8 and openjdk-11 in our internal gentoo
> img.
> 
> If something breaks I will hear about it but it will take some time(few
> weeks)

Got no complaints from our site, so I think this is ready to go into Gentoo proper.
Comment 11 Larry the Git Cow gentoo-dev 2019-05-09 23:05:44 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5639d638e79f48967589eaef945193eac8607d28

commit 5639d638e79f48967589eaef945193eac8607d28
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 23:01:27 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:57 +0000

    dev-java/openjdk-jre-bin: revbump :11, use system-wide ca-certificates
    
    Closes: https://bugs.gentoo.org/682308
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../openjdk-jre-bin-11.0.3_p7-r1.ebuild            | 97 ++++++++++++++++++++++
 1 file changed, 97 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f38305d6ac41278ef15f3dc7fe73fd9712fc0a4

commit 4f38305d6ac41278ef15f3dc7fe73fd9712fc0a4
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 22:59:18 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:56 +0000

    dev-java/openjdk-jre-bin: revbump :8, use system-wide ca-certificates
    
    Bug: https://bugs.gentoo.org/682308
    
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../openjdk-jre-bin-8.212_p03-r1.ebuild            | 99 ++++++++++++++++++++++
 1 file changed, 99 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=058aae49c68c2e4c30961da6c15fa4b95b0b1cde

commit 058aae49c68c2e4c30961da6c15fa4b95b0b1cde
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 21:43:21 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:55 +0000

    dev-java/openjdk-bin: revbump :11, use system-wide ca-certificates
    
    Bug: https://bugs.gentoo.org/682308
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../openjdk-bin/openjdk-bin-11.0.3_p7-r1.ebuild    | 108 +++++++++++++++++++++
 dev-java/openjdk-bin/openjdk-bin-11.0.3_p7.ebuild  |   6 +-
 2 files changed, 113 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a3bb754abefe828d3266c293035377f2552cc4d

commit 7a3bb754abefe828d3266c293035377f2552cc4d
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 21:40:48 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:54 +0000

    dev-java/openjdk-bin: revbump :8, use system-wide ca-certificates
    
    Bug: https://bugs.gentoo.org/682308
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../openjdk-bin/openjdk-bin-8.212_p03-r2.ebuild    | 107 +++++++++++++++++++++
 1 file changed, 107 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe8eba2c445f8c2c0b6d1a618c578b5285dfa17d

commit fe8eba2c445f8c2c0b6d1a618c578b5285dfa17d
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 21:24:59 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:54 +0000

    dev-java/openjdk: revbump :11, use system-wide ca-certificates
    
    Bug: https://bugs.gentoo.org/682308
    
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/openjdk-11.0.3_p7-r1.ebuild | 222 +++++++++++++++++++++++++++
 1 file changed, 222 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b901cc7b71e0b6745cb8ee783ba3bcbe45c1b90

commit 8b901cc7b71e0b6745cb8ee783ba3bcbe45c1b90
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 20:58:16 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:53 +0000

    dev-java/openjdk: revbump :8, use system-wide ca-certificates
    
    Bug: https://bugs.gentoo.org/682308
    
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/openjdk-8.212_p03-r1.ebuild | 241 +++++++++++++++++++++++++++
 1 file changed, 241 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdae1196b3a9e3ee1f597449fc0098fce0229306

commit fdae1196b3a9e3ee1f597449fc0098fce0229306
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2019-05-09 20:51:30 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-05-09 23:04:52 +0000

    sys-apps/baselayout-java: generate system-wide java keystore
    
    keystore is created in etc/ssl/certs/java/cacerts
    
    ebuild now installs ca-certificates/update.d snippet which
    will regenerate certs on every ca-certificates run/update
    allowing us to have all system certs in java keystore.
    
    Bug: https://bugs.gentoo.org/682308
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../baselayout-java-0.1.0-r1.ebuild                | 49 ++++++++++++++++++++++
 1 file changed, 49 insertions(+)
Comment 12 Joakim Tjernlund 2019-05-10 14:20:40 UTC
After updating to dev-java/openjdk-8.212_p03-r1 I got:
cat /etc/ca-certificates/update.d/java-cacerts
#!/bin/sh
exec trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth ""/etc/ssl/certs/java/cacerts

Notice the extra "" in there; was this intentional?
Comment 13 Georgy Yakovlev archtester gentoo-dev 2019-05-10 18:16:26 UTC
yeah, intentional.

it's here for possible spaces in the prefix path; it will end up quoted. It does not affect unprefixed users.
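An added example (not Gentoo's, p11-kit's or the overlay's code) for checking what the update.d hook above actually wrote: a small reader for the JKS format that `trust extract --format=java-cacerts` produces, which verifies the keystore integrity digest with the `changeit` password that output uses and lists the trusted-certificate aliases, so you can confirm a locally installed CA really ended up in /etc/ssl/certs/java/cacerts. It assumes the file is a version 2 JKS keystore with that password; `build_jks` and the sample aliases exist only so the reader can be exercised offline on a constructed file.

```python
import hashlib
import struct

JKS_MAGIC, JKS_VERSION, TRUSTED_CERT = 0xFEEDFEED, 2, 2   # JKS v2 header and entry tag

def _jks_digest(body: bytes, password: str) -> bytes:
    # JKS integrity hash: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def _utf(s: str) -> bytes:
    data = s.encode("utf-8")          # length-prefixed string, as DataOutput.writeUTF
    return struct.pack(">H", len(data)) + data

def build_jks(entries, password: str = "changeit") -> bytes:
    """Serialise (alias, der_bytes) pairs as trusted-cert entries of a JKS v2 file."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, der in entries:
        body += struct.pack(">I", TRUSTED_CERT) + _utf(alias) + struct.pack(">Q", 0)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der   # type, length, DER
    return body + _jks_digest(body, password)

def trusted_aliases(blob: bytes, password: str = "changeit") -> list:
    """Aliases of all trusted-cert entries; ValueError on bad magic, version or digest."""
    body, digest = blob[:-20], blob[-20:]
    if _jks_digest(body, password) != digest:
        raise ValueError("integrity digest mismatch: wrong password or corrupt file")
    if len(body) < 12 or struct.unpack_from(">II", body) != (JKS_MAGIC, JKS_VERSION):
        raise ValueError("not a JKS version 2 keystore")
    pos = 12
    def take(n: int) -> bytes:        # next n bytes, refusing to run past the end
        nonlocal pos
        chunk, pos = body[pos:pos + n], pos + n
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        return chunk
    u32 = lambda: struct.unpack(">I", take(4))[0]
    utf = lambda: take(struct.unpack(">H", take(2))[0]).decode("utf-8")
    aliases = []
    for _ in range(struct.unpack_from(">I", body, 8)[0]):
        tag, alias, _created = u32(), utf(), take(8)   # entry tag, alias, timestamp
        if tag != TRUSTED_CERT:       # cacerts should hold no private-key entries
            raise ValueError("entry %r is not a trusted certificate" % alias)
        utf()                         # certificate type, "X.509"
        take(u32())                   # the DER certificate itself, length-prefixed
        aliases.append(alias)
    if pos != len(body):
        raise ValueError("trailing data after the last entry")
    return aliases
```

After update-ca-certificates has run, `trusted_aliases(open("/etc/ssl/certs/java/cacerts", "rb").read())` should include an alias for each locally installed CA alongside the distribution bundle; a digest error means the file was not written for the `changeit` password or was modified after generation.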