FS#12021 - openjdk cacerts file empty

Attached to Project: Arch Linux
Opened by David Langenbeg (langedb) - Thursday, 06 November 2008, 17:02 GMT
Last edited by Jan de Groot (JGC) - Sunday, 10 May 2009, 20:35 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Jan de Groot (JGC)
Andreas Radke (AndyRTR)
Architecture All
Severity High
Priority Normal
Reported Version None
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:

The cacerts keystore in the openjdk package contains no trusted root keys. This causes the JVM to throw a security exception when trying to perform SSL operations.

Additional info:
* package version(s)

openjdk6-1.3.1-2-i686

* config and/or log files etc.


Steps to reproduce:

To see the problem: Try to use a Java application which connects over SSL and does certificate verification. An SSL-protected Java Web Start app will do the trick.

Alternatively, you could run:

keytool -list -keystore /usr/lib/jvm/java-1.6.0-openjdk/jre/lib/security/cacerts
Closed by Jan de Groot (JGC)
Sunday, 10 May 2009, 20:35 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in svn trunk. Next update of openjdk6 will depend on ca-certificates-java.
Comment by Jan de Groot (JGC) - Friday, 07 November 2008, 09:14 GMT
We should generate these from the general ca-certificates package with a hook. I've been looking into this a while ago, but haven't got it working yet. I would expect some default keystore installed by openjdk, but it appears this is up to the distributors with icedtea/openjdk.
Comment by Rene Dohan (innusius) - Sunday, 01 February 2009, 15:29 GMT
Here are steps to solve it: http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=270

Hope it helps.
Comment by Sigmund Lahn (gnud) - Saturday, 14 February 2009, 17:47 GMT
OK, here is a proposal of how to do this -- adding two source files (linked in the above comment) and a small block at the end of the build() function.
Now my keystore shows a great deal of certificates, but the page I had problems with, still won't load...

Does this solve any problems for anybody? =)
   PKGBUILD (6.4 KiB)
Comment by Richard Adenling (dreeze) - Friday, 27 February 2009, 19:01 GMT
The above PKGBUILD worked after I had patched generate-cacerts.pl (keytool uses localized "yes/no" input, which caused the script to malfunction for me). I wrote a bash-script which does the same thing as that perl script, except that it uses a directory containing .crt-files as input. That way you can pull in the certs from /usr/share/ca-certificates if the ca-certificates package is installed. It seems to work for the few pages I have tested it on.

Maybe use this bash-script in the PKGBUILD instead? It would require ca-certificates to be a make-dependency for openjdk, though.
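The approach described in the comment above, as an added sketch (this is not the script attached to this report): import every PEM `.crt` file under a directory into a Java keystore, using keytool's `-noprompt` so the localized yes/no question is never asked. The function names, the alias scheme, the `KEYTOOL` override and the `changeit` default password are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the script attached to the bug report.
# Assumption: certificates are PEM files named *.crt under one directory tree.
KEYTOOL=${KEYTOOL:-keytool}   # overridable so the import loop can be tested

# cert_alias DIR FILE -> keystore alias built from FILE's path relative to DIR
cert_alias() (
    rel=${2#"$1"/}
    printf '%s' "${rel%.crt}" | tr '[:upper:]' '[:lower:]' | tr -c 'a-z0-9' '_'
)

# import_ca_dir DIR KEYSTORE [STOREPASS]
# Prints the number of certificates imported. Fails if any import failed or
# nothing was imported. File names containing newlines are not handled.
import_ca_dir() (
    dir=${1%/} keystore=$2
    pass=${3:-changeit}       # assumed: the conventional cacerts password
    imported=0 failed=0
    list=$(find "$dir" -type f -name '*.crt' | sort)
    while IFS= read -r crt; do
        [ -n "$crt" ] || continue
        # Skip files that are not PEM certificates.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" || continue
        # -noprompt suppresses the interactive trust question, so no
        # localized "yes" has to be piped in; stdin is closed as well.
        if "$KEYTOOL" -importcert -noprompt -trustcacerts \
                -alias "$(cert_alias "$dir" "$crt")" -file "$crt" \
                -keystore "$keystore" -storepass "$pass" \
                </dev/null >/dev/null 2>&1; then
            imported=$((imported + 1))
        else
            echo "import failed: $crt" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$list
EOF
    echo "$imported"
    [ "$failed" -eq 0 ] && [ "$imported" -gt 0 ]
)

# Usage (paths taken from this report):
#   import_ca_dir /usr/share/ca-certificates ./cacerts
```

After a run, `keytool -list -keystore ./cacerts` should list one trusted entry per imported file; a keystore that still lists zero entries reproduces the condition reported here.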
Comment by Sigmund Lahn (gnud) - Saturday, 28 February 2009, 12:26 GMT
Here is a new PKGBUILD using the great script dreeze added.

This package still won't let me show the login applet for my bank - so I'm stuck using Sun for now.
   PKGBUILD (6.5 KiB)
Comment by Anders Lund (andersl) - Sunday, 01 March 2009, 19:56 GMT
Maybe this is what makes the latest openjdk package not load my webbank? At first, the applet does not load, and if I reload the page, Firefox crashes.
I went back to the prior openjdk6-1.4-2-x86_64 package, as the latest, openjdk6-1.4.1-1-x86_64, does not work.
Comment by Sigmund Lahn (gnud) - Thursday, 05 March 2009, 13:42 GMT
Yes, this is the bug that makes the Norwegian BankID not load.

Install Sun's jre ("jre" in community), and it will work.