Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 712290 - sys-apps/baselayout-java: generate cacerts also in PKCS#12 format (and JREs and JDKs >= 9 should consume this file)
Summary: sys-apps/baselayout-java: generate cacerts also in PKCS#12 format (and JREs a...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Georgy Yakovlev
Keywords: PullRequest
Depends on:
Reported: 2020-03-12 21:06 UTC by Florian Schmaus
Modified: 2022-05-15 08:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments stream does not represent a PKCS12 key store (jks-vs-pkcs.txt,6.53 KB, text/plain)
2020-03-12 21:10 UTC, Florian Schmaus

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schmaus gentoo-dev 2020-03-12 21:06:41 UTC
Java 9 and higher use PKCS#12 as default keystore format (JEP 229 [1], JDK-8044445 [2]), but sys-apps/baselayout-java only generates the (legacy) JavaKeyStore format. This means an Java application is unable to use TLS out of the box if it runs with dev-java/openjdk:11 (see attached file).

The root cause appears that  KeyStore.getDefaultType() will return 'pkcs' and not 'jks' on Java 9 or higher. Which leads to the runtime attempting to open the default cacerts file (${JAVA_HOME}/lib/security/cacerts) as PKCS#12, when it is actually in JavaKeyStore format on gentoo.

I suggest creating, additionaly to the existing /etc/ssl/certs/java/cacerts file, a /etc/ssl/certs/java/cacerts-pkcs12 file via the /etc/ca-certificates/update.d/java-cacerts hook (which is installed by sys-apps/baselayout-java). JRE and JDK ebuilds for Java version 9 or higher could then symlink their ${JAVA_HOME}/lib/security/cacerts to /etc/ssl/certs/java/cacerts-pkcs12 (instead of /etc/ssl/certs/java/cacerts like it is done now [3])


Reproducible: Always
Comment 1 Florian Schmaus gentoo-dev 2020-03-12 21:10:33 UTC
Created attachment 618168 [details] stream does not represent a PKCS12 key store
Comment 2 Florian Schmaus gentoo-dev 2021-01-18 20:09:05 UTC
An alternative to the approach in PR #19107 would be to have the openjdk ebuilds patch conf/security/ with s/^keystore.type=pkcs12/keystore.type=jks/

This would also require no changes to baselayout-java. OTOH it feels like a step backwards, e.g. using legacy/old JKS instead of PKCS12 used by newer Java versions.
Comment 3 Florian Schmaus gentoo-dev 2021-01-20 11:42:01 UTC
PR #19136 is what I currently do to fix the issue. But the real solution would be baselayout-java taking care that also a PKCS12 formated trust store, e.g. /etc/ssl/certs/java/cacerts.p12, is created.
Comment 4 Florian Schmaus gentoo-dev 2021-03-15 11:37:17 UTC
Note that this seems to be only cause if the Bouncy Castle Security Provider is involved. It does not appears to respect the keystore.type.compat=true settings in $JAVA_HOME/conf/security/