Hi Vladimir,
Thank you for tackling this annoying issue.
You said that JKS was required to support OpenJDK 8, but there is no
such requirement, at the Debian level at least. What about generating a
PKCS#12 certstore with OpenSSL instead, would that work? The python
script could still be used for OpenJDK 8 (with a dedicated
ca-certificate-java8 package maybe). This way installing openjdk-17
would not drag in python dependencies.
Emmanuel Bourg
On 2023-02-07 20:12, Vladimir Petko wrote:
Dear Maintainers,
Would it be possible to consider a proposal to break dependency of
ca-certificates-java on the installed JVM?
Abstract
The ca-certificates-java package contains a circular dependency with Java that causes issues during openjdk installation.
I am proposing switching the ca-certificates-java certificate import tool to Python to break the dependency cycle.
Rationale
The certificate import tool in ca-certificates-java is written in Java. This is a constant source of bugs [1] and requires updates (including stable release updates [2]) whenever a new JDK version comes out. Switching certificate import to Python will remove the maintenance load and break a cyclic dependency.
Existing Functionality
ca-certificates-java synchronizes the content of the Java keystore /etc/ssl/certs/java/cacerts with the trusted certificates in PEM format located in /etc/ssl/certs, using the jks-keystore hook registered with the ca-certificates package.
During hook invocation or post-installation, the following actions are performed:
- ca-certificates-java checks the format of /etc/ssl/certs/java/cacerts and attempts to convert it into the legacy Java Key Store (JKS) format due to the requirement to support OpenJDK 8. OpenJDK 11 and up support both legacy and PKCS11 formats.
- ca-certificates-java lists all available certificates in the keystore using Java keytool, filters certificate aliases and compares the list with the system certificates. An input file containing '+debian:<certificate-file-name>' for addition and '-debian:<certificate-file-name>' is generated and passed to the import utility. The import utility updates /etc/ssl/certs/java/cacerts and sets the updated certificate alias to 'debian:<certificate-file-name>'.
Note: the import utility only updates certificates with a 'debian:<certificate-file-name>' alias.
Requirements
In order to remove the dependency on Java, the certificate import tool must:
1. List certificate aliases
2. Add or update certificates in the Java Key Store
3. Convert a PKCS12 store to JKS format
4. Load certificates in PEM format
5. Retain any user's certificates in the Java Key Store
Implementation
This functionality can be implemented using the following Python packages:
- python3-pyjks: Java Key Store format support [4]. It supports loading, manipulation and serialization of JKS files. It is needed for requirements 1 and 2.
- python3-oscrypto: PKCS12 and X509 support [3]. The package depends on OpenSSL 3.0. The package supports loading a PKCS12 certificate store and extracting certificates along with SafeBag aliases. It is needed for requirements 3 and 4.
ca-certificates-java will install the /usr/sbin/ca-certificates-java tool. It will accept the following options:
- sync <password> <input-file> - synchronize the keystore
- list <password> - list certificate aliases in the keystore
- convert <password> <oldstore> <newstore> - convert the keystore into JKS format
Best Regards,
Vladimir.
[1] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java
[2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998065
[3] https://launchpad.net/ubuntu/+source/oscrypto
[4] https://launchpad.net/ubuntu/+source/pyjks
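As an added illustration (not part of either message, and not the ca-certificates-java or pyjks code), the JKS trusted-certificate container the proposal has to read and write is simple enough that a pure stdlib Python routine can list aliases, add or update 'debian:' entries and keep user entries untouched, with the SHA-1 integrity digest the JVM checks; the '-debian:' lines are assumed to mean removal, and the DER blobs in the comments are constructed placeholders, not real certificates.

```python
import hashlib, struct, time

MAGIC, VERSION, TRUSTED_CERT = 0xFEEDFEED, 2, 2   # JKS magic, format version, entry tag
SALT = b"Mighty Aphrodite"   # literal that Java mixes into the JKS integrity digest

def _utf(s): return struct.pack(">H", len(s.encode())) + s.encode()   # Java writeUTF

def _digest(body, pw): return hashlib.sha1(pw.encode("utf-16be") + SALT + body).digest()

def save_jks(certs, password):
    """Serialize {alias: DER bytes} as a version-2 JKS store of trusted-cert entries."""
    body = struct.pack(">III", MAGIC, VERSION, len(certs))
    now = int(time.time() * 1000)   # Java stores the creation time in milliseconds
    for alias, der in certs.items():
        body += struct.pack(">I", TRUSTED_CERT) + _utf(alias) + struct.pack(">Q", now)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _digest(body, password)

def digest_ok(data, pw): return data[-20:] == _digest(data[:-20], pw)   # right pw, intact

def load_jks(data, password):
    """Return {alias: DER bytes}; refuses a store whose integrity digest does not verify."""
    if not digest_ok(data, password):
        raise ValueError("integrity check failed: wrong password or corrupted store")
    body = data[:-20]
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a version-2 JKS keystore")
    pos, certs = 12, {}
    for _ in range(count):
        tag, n = struct.unpack_from(">IH", body, pos); pos += 6
        alias = body[pos:pos + n].decode("utf-8"); pos += n + 8   # +8 skips the timestamp
        if tag != TRUSTED_CERT:
            raise ValueError(f"{alias!r} is a private-key entry; only trusted certs handled")
        (n,) = struct.unpack_from(">H", body, pos); pos += 2 + n   # skip cert type "X.509"
        (n,) = struct.unpack_from(">I", body, pos); pos += 4
        certs[alias] = body[pos:pos + n]; pos += n
    return certs

def sync(store, system_certs):
    """Mirror system certs as 'debian:<file>' aliases, keep all other aliases; return (store, ops)."""
    new = {a: d for a, d in store.items() if not a.startswith("debian:")}   # user entries kept
    ops = ["-" + a for a in store if a.startswith("debian:") and a[7:] not in system_certs]
    for name, der in system_certs.items():   # e.g. {"example_root.pem": b"\x30..."} (constructed)
        if store.get("debian:" + name) != der:
            ops.append("+debian:" + name)   # new or changed certificate
        new["debian:" + name] = der
    return new, ops
```

Private-key entries and PKCS12 input are deliberately out of scope here; that is where pyjks and oscrypto would come in.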