Bug#623672: Chokes on certificates with accented characters (LANG=C LC_ALL=C is wrong)

Ondřej Surý Fri, 22 Apr 2011 00:06:19 -0700

Package: ca-certificates-java
Version: 20100412
Severity: grave
Tags: patch


The pattern for errors is non-us-ascii characters in CA cert names.

creating /etc/ssl/certs/java/cacerts...
  added certificate mozilla/ACEDICOM_Root.crt
  error adding mozilla/AC_Raíz_Certicámara_S.A..crt
  added certificate mozilla/ApplicationCA_-_Japanese_Government.crt
  added certificate 
mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
  added certificate mozilla/Buypass_Class_2_CA_1.crt
  added certificate mozilla/Buypass_Class_3_CA_1.crt
  added certificate mozilla/CA_Disig.crt
  added certificate mozilla/CNNIC_ROOT.crt
  added certificate mozilla/Certigna.crt
  added certificate mozilla/Chambers_of_Commerce_Root_-_2008.crt
  added certificate mozilla/ComSign_CA.crt
  added certificate mozilla/ComSign_Secured_CA.crt
  added certificate mozilla/Cybertrust_Global_Root.crt
  added certificate 
mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt
  error adding mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
  added certificate mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
  added certificate mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
  added certificate mozilla/GlobalSign_Root_CA_-_R3.crt
  added certificate mozilla/Global_Chambersign_Root_-_2008.crt
  added certificate mozilla/Hongkong_Post_Root_CA_1.crt
  added certificate mozilla/IGC_A.crt
  added certificate mozilla/Izenpe.com.crt
  added certificate mozilla/Juur-SK.crt
  added certificate mozilla/Microsec_e-Szigno_Root_CA.crt
  added certificate mozilla/Microsec_e-Szigno_Root_CA_2009.crt
  error adding mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
  added certificate mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
  added certificate 
mozilla/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt
  added certificate mozilla/SecureSign_RootCA11.crt
  added certificate mozilla/Security_Communication_EV_RootCA1.crt
   added certificate mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
  added certificate mozilla/TC_TrustCenter_Class_2_CA_II.crt
  added certificate mozilla/TC_TrustCenter_Class_3_CA_II.crt
  added certificate mozilla/TC_TrustCenter_Universal_CA_I.crt
  added certificate mozilla/TC_TrustCenter_Universal_CA_III.crt
  error adding 
mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt
  added certificate 
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
  added certificate mozilla/VeriSign_Universal_Root_Certification_Authority.crt
  added certificate mozilla/certSIGN_ROOT_CA.crt
  added certificate mozilla/ePKI_Root_Certification_Authority.crt
  added certificate mozilla/thawte_Primary_Root_CA_-_G2.crt
  added certificate mozilla/thawte_Primary_Root_CA_-_G3.crt

I tried hacking the scripts and the problem is LANG=C LC_ALL=C which
breaks unicode characters.

I am attaching a patch which fixes this breakage.

O.

-- System Information:
Debian Release: 6.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ca-certificates-java depends on:
ii  ca-certificates    20090814+nmu2         Common CA certificates
ii  default-jre-headle 1:1.6-40              Standard Java or Java compatible R
ii  openjdk-6-jre-head 6b18-1.8.3-2+squeeze1 OpenJDK Java runtime, using Hotspo

Versions of packages ca-certificates-java recommends:
ii  libnss3-1d             3.12.8-1+squeeze1 Network Security Service libraries

ca-certificates-java suggests no packages.

-- Configuration Files:
/etc/default/cacerts [Errno 13] Permission denied: u'/etc/default/cacerts'

-- no debconf information

diff -urNap ca-certificates-java-20100412~/debian/control ca-certificates-java-20100412/debian/control
--- ca-certificates-java-20100412~/debian/control	2010-04-11 19:11:52.000000000 +0000
+++ ca-certificates-java-20100412/debian/control	2011-04-22 06:56:13.918886021 +0000
@@ -3,12 +3,12 @@ Section: java
 Priority: optional
 Maintainer: OpenJDK Team <open...@lists.launchpad.net>
 Uploaders: Matthias Klose <d...@ubuntu.com>
-Build-Depends: debhelper (>= 6), ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2)
+Build-Depends: debhelper (>= 6), locales-all, ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2)
 Standards-Version: 3.8.4
 
 Package: ca-certificates-java
 Architecture: all
-Depends: ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2) | java6-runtime-headless, ${misc:Depends}
+Depends: locales-all, ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2) | java6-runtime-headless, ${misc:Depends}
 Recommends: libnss3-1d
 Description: Common CA certificates (JKS keystore)
  This package uses the hooks of the ca-certificates package to update the
diff -urNap ca-certificates-java-20100412~/debian/jks-keystore.hook ca-certificates-java-20100412/debian/jks-keystore.hook
--- ca-certificates-java-20100412~/debian/jks-keystore.hook	2010-04-11 18:47:48.000000000 +0000
+++ ca-certificates-java-20100412/debian/jks-keystore.hook	2011-04-22 06:57:09.442884938 +0000
@@ -46,7 +46,7 @@ while read line; do
     pem=${line#[+-]*}
     alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _)
     alias=${alias%*_}
-    LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE \
+    LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -list -keystore $KEYSTORE \
 	-storepass "$storepass" -alias "$alias" >/dev/null 2>&1 \
 	&& exists=yes || exists=no
     case "$line" in
@@ -54,12 +54,12 @@ while read line; do
 	if [ "$exists" = yes ]; then
 	    echo "  already exists: ${line#+*}"
 	else
-	  if LANG=C LC_ALL=C keytool -importcert -trustcacerts \
+	  if LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -importcert -trustcacerts \
 		-keystore $KEYSTORE -noprompt -storepass "$storepass" \
 		-alias "$alias" -file "$pem" > $log 2>&1
 	  then
 	      echo "  added: ${line#+*}"
-	  elif LANG=C LC_ALL=C keytool -importcert -trustcacerts \
+	  elif LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -importcert -trustcacerts \
 		-keystore $KEYSTORE -noprompt -storepass "$storepass" \
 	        -providerClass sun.security.pkcs11.SunPKCS11 \
 	        -providerArg '${java.home}/lib/security/nss.cfg' \
@@ -77,12 +77,12 @@ while read line; do
 	;;
     -*)
 	if [ "$exists" = yes ]; then
-	    if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+	    if LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -delete -keystore $KEYSTORE \
 		-noprompt -storepass "$storepass" \
 		-alias "$alias"
 	    then
 		echo "  removed ${line#-*}"
-	    elif LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+	    elif LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -delete -keystore $KEYSTORE \
 		-noprompt -storepass "$storepass" \
 	        -providerClass sun.security.pkcs11.SunPKCS11 \
 	        -providerArg '${java.home}/lib/security/nss.cfg' \
diff -urNap ca-certificates-java-20100412~/debian/postinst ca-certificates-java-20100412/debian/postinst
--- ca-certificates-java-20100412~/debian/postinst	2010-04-11 18:44:23.000000000 +0000
+++ ca-certificates-java-20100412/debian/postinst	2011-04-22 06:56:43.045376122 +0000
@@ -27,7 +27,7 @@ first_install()
 
     # aliases of pregenerated files
     pregenerated=$(tempfile)
-    LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE -storepass "$storepass" \
+    LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -list -keystore $KEYSTORE -storepass "$storepass" \
 	| awk -F, '/^Certificate fingerprint/ { print s } { s=$1 } ' \
 	| sort > $pregenerated
 
@@ -40,7 +40,7 @@ first_install()
 	case "$line" in
 	    !*)
 	        # remove untrusted certificate
-		if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+		if LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -delete -keystore $KEYSTORE \
 		    -storepass "$storepass" -alias "$alias" >/dev/null
 		then
 		    echo "  removed untrusted certificate $pem"
@@ -56,12 +56,12 @@ first_install()
 		    continue
 		fi
 		if ! grep -q "^${alias}$" $pregenerated; then
-		  if LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
+		  if LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -importcert -trustcacerts -keystore $KEYSTORE \
 			-noprompt -storepass "$storepass" \
 			-alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
 		  then
 		      echo "  added certificate $pem"
-		  elif LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
+		  elif LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -importcert -trustcacerts -keystore $KEYSTORE \
 		        -providerClass sun.security.pkcs11.SunPKCS11 \
 		        -providerArg '${java.home}/lib/security/nss.cfg' \
 			-noprompt -storepass "$storepass" \
diff -urNap ca-certificates-java-20100412~/debian/rules ca-certificates-java-20100412/debian/rules
--- ca-certificates-java-20100412~/debian/rules	2010-04-11 18:41:56.000000000 +0000
+++ ca-certificates-java-20100412/debian/rules	2011-04-22 06:59:31.726384953 +0000
@@ -17,12 +17,12 @@ build-stamp:
 	  alias=$$(basename $$crt .crt | tr A-Z a-z | tr -cs a-z0-9 _); \
 	  alias=$${alias%*_}; \
 	  echo "IMPORT: $$crt, alias=$$alias"; \
-	  if keytool -importcert -trustcacerts -keystore build/cacerts \
+	  if LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -importcert -trustcacerts -keystore build/cacerts \
 	    -storepass 'changeit' \
 	    -alias "$$alias" -file "/usr/share/ca-certificates/$$crt" > keytool.log 2>&1; \
 	  then \
 	    cat keytool.log; \
-	  elif keytool -importcert -trustcacerts -keystore build/cacerts \
+	  elif LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 keytool -importcert -trustcacerts -keystore build/cacerts \
 	    -providerClass sun.security.pkcs11.SunPKCS11 \
 	    -providerArg '$${java.home}/lib/security/nss.cfg' \
 	    -storepass 'changeit' \

Bug#623672: Chokes on certificates with accented characters (LANG=C LC_ALL=C is wrong)

Reply via email to