712290 – sys-apps/baselayout-java: generate cacerts also in PKCS#12 format (and JREs and JDKs >= 9 should consume this file)

Bug 712290 - sys-apps/baselayout-java: generate cacerts also in PKCS#12 format (and JREs and JDKs >= 9 should consume this file)

Summary: sys-apps/baselayout-java: generate cacerts also in PKCS#12 format (and JREs a...

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Java team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2020-03-12 21:06 UTC by Florian Schmaus
Modified:	2024-02-14 12:42 UTC (History)
CC List:	2 users (show)

See Also:	827146
Package list:
Runtime testing required:	---

Attachments
java.io.IOException: stream does not represent a PKCS12 key store (jks-vs-pkcs.txt,6.53 KB, text/plain) 2020-03-12 21:10 UTC, Florian Schmaus	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Schmaus gentoo-dev

2020-03-12 21:06:41 UTC

Java 9 and higher use PKCS#12 as default keystore format (JEP 229 [1], JDK-8044445 [2]), but sys-apps/baselayout-java only generates the (legacy) JavaKeyStore format. This means an Java application is unable to use TLS out of the box if it runs with dev-java/openjdk:11 (see attached file).

The root cause appears that  KeyStore.getDefaultType() will return 'pkcs' and not 'jks' on Java 9 or higher. Which leads to the runtime attempting to open the default cacerts file (${JAVA_HOME}/lib/security/cacerts) as PKCS#12, when it is actually in JavaKeyStore format on gentoo.

I suggest creating, additionaly to the existing /etc/ssl/certs/java/cacerts file, a /etc/ssl/certs/java/cacerts-pkcs12 file via the /etc/ca-certificates/update.d/java-cacerts hook (which is installed by sys-apps/baselayout-java). JRE and JDK ebuilds for Java version 9 or higher could then symlink their ${JAVA_HOME}/lib/security/cacerts to /etc/ssl/certs/java/cacerts-pkcs12 (instead of /etc/ssl/certs/java/cacerts like it is done now [3])


1: https://openjdk.java.net/jeps/229
2: https://bugs.openjdk.java.net/browse/JDK-8044445
3: https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-java/openjdk/openjdk-11.0.6.ebuild#n238



Reproducible: Always

Comment 1 Florian Schmaus gentoo-dev

2020-03-12 21:10:33 UTC

Created attachment 618168 [details]
java.io.IOException: stream does not represent a PKCS12 key store

Comment 2 Florian Schmaus gentoo-dev

2021-01-18 20:09:05 UTC

An alternative to the approach in PR #19107 would be to have the openjdk ebuilds patch conf/security/java.security with s/^keystore.type=pkcs12/keystore.type=jks/

This would also require no changes to baselayout-java. OTOH it feels like a step backwards, e.g. using legacy/old JKS instead of PKCS12 used by newer Java versions.

Comment 3 Florian Schmaus gentoo-dev

2021-01-20 11:42:01 UTC

PR #19136 is what I currently do to fix the issue. But the real solution would be baselayout-java taking care that also a PKCS12 formated trust store, e.g. /etc/ssl/certs/java/cacerts.p12, is created.

Comment 4 Florian Schmaus gentoo-dev

2021-03-15 11:37:17 UTC

Note that this seems to be only cause if the Bouncy Castle Security Provider is involved. It does not appears to respect the keystore.type.compat=true settings in $JAVA_HOME/conf/security/java.security.

Comment 5 Volkmar W. Pogatzki 2024-02-14 12:42:14 UTC

PRs are closed.