
Bug#1023748: ca-certificates-java: postinst script fails with OpenJDK 20: Error loading java.security file


Emmanuel Bourg

Nov 9, 2022, 9:10:03 AM
Package: ca-certificates-java
Version: 20220719
Severity: important
User: debia...@lists.debian.org
Usertags: default-java20

ca-certificates-java fails to install with OpenJDK 20 (using java-common/0.73+exp1
to change the default Java version), the following exception is thrown when the
postinst script is executed:

Setting up ca-certificates-java (20220719) ...
Exception in thread "main" java.lang.InternalError: Error loading java.security file
at java.base/java.security.Security.initialize(Security.java:104)
at java.base/java.security.Security.lambda$static$0(Security.java:83)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:319)
at java.base/java.security.Security.<clinit>(Security.java:82)
at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:179)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:319)
at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55)
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)

The error appeared when using ratt to rebuild the Java packages with openjdk-20/20~20ea-1

Vladimir Petko

Dec 9, 2022, 4:40:04 AM
Dear Maintainer, 

This bug is also present in Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1998697 

This particular issue is caused by https://github.com/openjdk/jdk/commit/1f9ff413126fb68e07b8fc1f36dd3cb17093a484

There is a change in behaviour: previously accessing java.security.Security did not require the java.security properties file to be present, now JDK 20 requires it.


The same behaviour applies to keytool - see the exception below:

Exception in thread "main" java.lang.ExceptionInInitializerError
 at java.base/javax.crypto.Cipher.getInstance(Cipher.java:548)
 at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineLoad$1(PKCS12KeyStore.java:2136)
 at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
 at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2134)
 at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
 at java.base/java.security.KeyStore.load(KeyStore.java:1502)
 at java.base/java.security.KeyStore.getInstance(KeyStore.java:1828)
 at java.base/java.security.KeyStore.getInstance(KeyStore.java:1710)
 at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:944)
 at java.base/sun.security.tools.keytool.Main.run(Main.java:420)
 at java.base/sun.security.tools.keytool.Main.main(Main.java:413)
Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism
 at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:119)
 ... 11 more
Caused by: java.lang.SecurityException: Couldn't parse jurisdiction policy files in: unlimited
 at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:364)
 at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:110)
 at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:107)
 at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
 at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:106)
 ... 11 more

Both problems are caused by an attempt to run java before the package is configured. 

Would it be possible to discuss whether it is possible to break the dependency of ca-certificates-java on java? For example, the java application in the package could be replaced by a C++ or Python utility capable of working with JKS.
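
The suggestion above, handling the JKS file without starting a JVM, shown as an added example that is not part of the thread and is not ca-certificates-java code: a Python writer and reader for a JKS version 2 store that holds only trusted-certificate entries, including the SHA-1 integrity digest. The function names are hypothetical, and aliases are assumed to be ASCII.

```python
import hashlib
import hmac
import struct

MAGIC, VERSION, TRUSTED_CERT = 0xFEEDFEED, 2, 2
WHITENER = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity hash


def _utf(text):
    # DataOutput.writeUTF framing: 2-byte length, then bytes (ASCII assumed).
    raw = text.encode("ascii")
    return struct.pack(">H", len(raw)) + raw


def _digest(password, body):
    # SHA-1 over the UTF-16BE password, the fixed string, then the store body.
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()


def write_jks(certs, password, created_ms=0):
    """Serialize {alias: DER bytes} as a JKS store holding only trusted certs."""
    body = struct.pack(">III", MAGIC, VERSION, len(certs))
    for alias, der in sorted(certs.items()):
        body += struct.pack(">I", TRUSTED_CERT) + _utf(alias)
        body += struct.pack(">q", created_ms) + _utf("X.509")
        body += struct.pack(">I", len(der)) + der
    return body + _digest(password, body)


def read_jks(blob, password):
    """Parse such a store; reject a bad digest, bad header or non-cert entry."""
    body, mac = blob[:-20], blob[-20:]
    if len(body) < 12 or not hmac.compare_digest(_digest(password, body), mac):
        raise ValueError("integrity check failed: wrong password or modified file")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a JKS version 2 keystore")
    pos, certs = 12, {}
    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", body, pos)
        if tag != TRUSTED_CERT:
            raise ValueError("private-key entries are not handled here")
        alias = body[pos + 6:pos + 6 + alen].decode("ascii")
        pos += 6 + alen + 8  # skip tag, alias and 8-byte timestamp
        (tlen,) = struct.unpack_from(">H", body, pos)
        (clen,) = struct.unpack_from(">I", body, pos + 2 + tlen)
        pos += 2 + tlen + 4  # skip certificate type string and length field
        certs[alias] = body[pos:pos + clen]
        pos += clen
    return certs
```

The digest only detects accidental or unkeyed modification for anyone who does not know the store password; the certificate bytes themselves are stored unencrypted.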

Matthias Klose

Jul 12, 2023, 6:10:05 AM
Version: 20230710

should be fixed now