open jdk 6 truststore points to privileged access area

Bug #224455 reported by Nitya Doraisamy
Affects              Status        Importance  Assigned to  Milestone
GlassFish            Unknown       Unknown
Iced Tea             Invalid       Medium
openjdk-6 (Ubuntu)   Fix Released  Undecided   Unassigned

Bug Description

The OpenJDK 6 truststore setting "javax.net.ssl.trustStore", i.e. "/etc/ssl/certs/ca-certificates.crt", points to an area of the filesystem (/etc/ssl) that usually requires privileged access for read, write and execute.

So any app run as a regular user that implicitly depends on the default truststore could end up not working in Ubuntu unless it overrides the setting with a custom system property, which it was not doing before. This may be a problem for Java apps that did not have such a setting made earlier.

Seems to be due to the following IcedTea patch:
http://icedtea.classpath.org/hg/icedtea6/file/d0081b7856c8/patches/icedtea-certbundle.patch

The "javax.net.ssl.trustStorePassword" has been set to an empty string too. Why?
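An added example (not part of the bug report and not OpenJDK's or IcedTea's own code) that shows what the two problems described above look like from an application's point of view: the JVM's default truststore property is resolved, the file is checked for readability by the current user, and it is loaded as JKS; when that fails because the file is a PEM bundle such as /etc/ssl/certs/ca-certificates.crt (which is what produces "Invalid keystore format" from KeyStore.load), the certificates are imported into an in-memory keystore instead, so a TrustManagerFactory can still be initialised. The class name TrustStoreCheck, the alias prefix "pem-" and the optional path argument are assumptions of this example.

```java
// Added example, not from the bug report: diagnose the default truststore the
// JVM points at and fall back to parsing a PEM bundle when it is not JKS.
import java.io.BufferedInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreCheck {

    // Resolve the truststore path the way the JSSE default does: the system
    // property first, otherwise $JAVA_HOME/lib/security/cacerts.
    static String resolveTrustStorePath() {
        String p = System.getProperty("javax.net.ssl.trustStore");
        if (p != null && !p.isEmpty()) {
            return p;
        }
        return System.getProperty("java.home") + File.separator + "lib"
             + File.separator + "security" + File.separator + "cacerts";
    }

    // This example treats an empty javax.net.ssl.trustStorePassword the same
    // as an unset one: a null password loads a JKS file without the
    // integrity check instead of failing on a password mismatch.
    static char[] resolveTrustStorePassword() {
        String s = System.getProperty("javax.net.ssl.trustStorePassword");
        return (s == null || s.isEmpty()) ? null : s.toCharArray();
    }

    // Try JKS first; on the "Invalid keystore format" IOException treat the
    // file as a PEM certificate bundle and import every certificate it holds
    // into an empty in-memory keystore (constructed alias prefix "pem-").
    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        if (!Files.isReadable(path)) {
            throw new IOException("truststore " + path
                + " is not readable by this user (check file and directory permissions)");
        }
        try (InputStream in = Files.newInputStream(path)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password);
            return ks;
        } catch (IOException e) {
            // Not a JKS file (or wrong password); fall through and try PEM.
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // empty in-memory keystore
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new BufferedInputStream(Files.newInputStream(path))) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            int i = 0;
            for (Certificate c : certs) {
                ks.setCertificateEntry("pem-" + (i++), c);
            }
        }
        if (ks.size() == 0) {
            throw new IOException(path + " is neither a JKS keystore nor a PEM bundle");
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Optional first argument overrides the resolved path (assumption of this example).
        Path path = Paths.get(args.length > 0 ? args[0] : resolveTrustStorePath());
        System.out.println("truststore: " + path + " (readable=" + Files.isReadable(path) + ")");
        KeyStore ks = loadTrustStore(path, resolveTrustStorePassword());
        System.out.println("loaded " + ks.size() + " trusted certificate(s)");
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        System.out.println("TrustManagerFactory initialised with "
            + tmf.getTrustManagers().length + " trust manager(s)");
    }
}
```

Run it as the same unprivileged user the application runs as (for example `java TrustStoreCheck /etc/ssl/certs/ca-certificates.crt`): the readability check reproduces the permission problem the report describes, and the PEM fallback shows that the file itself is a valid CA bundle, only not in the format the JKS loader expects.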

Sylvain Beucler (beuc) wrote:

Under Debian Etch, I compiled IcedTea6 (17 March) and installed tomcat5.5.

I configured it to run with SSL:
/usr/lib/jvm/java-6-openjdk/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/share/tomcat5.5/.keystore
# passwd: changeit
sudo chown tomcat55: /usr/share/tomcat5.5/.keystore
sudo chmod 600 /usr/share/tomcat5.5/.keystore
# Simulate Fedora path for now:
sudo mkdir -p /etc/pki/tls/certs/
sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
# Modify /etc/tomcat5.5/server.xml and uncomment "Define a SSL HTTP/1.1 Connector on port 8443"

Relevant config:
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

On startup I get:

...
INFO: Initialisation de Coyote HTTP/1.1 sur http-8180
2 avr. 2008 16:55:26 org.apache.coyote.http11.Http11BaseProtocol init
GRAVE: Erreur à l'initialisation du point de contact
java.io.IOException: Invalid keystore format
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1201)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:282)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:256)
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(JSSE14SocketFactory.java:174)
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:111)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
        at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:138)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:791)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:503)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:523)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:266)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:431)
2 avr. 2008 16:55:26 org.apache.catalina.startup.Catalina load
GRAVE: Catalina.start
LifecycleException: L'initialisation du gestionnaire de protocole a échoué: java.io.IOException: Invalid keystore format
        at org.apache.catalina.connector.Connector.initi...


Nitya Doraisamy (nitya-doraisamy) wrote:

This is adversely affecting GlassFish distribution. For a detailed account of what this affects, see: https://glassfish.dev.java.net/issues/show_bug.cgi?id=4986

Matthias Klose (doko) wrote:

fixed in 6b09dfsg-1ubuntu2

Changed in openjdk-6:
status: New → Fix Released
Craig (candrews-integralblue) wrote:

How does one get 6b09dfsg-1ubuntu2? Is there a PPA? Will it be in Hardy or a backports repository? Thanks

Changed in icedtea:
status: Unknown → Confirmed
exactt (giesbert) wrote:

I just came here from https://bugs.launchpad.net/ubuntu/+source/icedtea-java7/+bug/157721 . But with the PPA version I can't even run http://www.java.com/en/download/help/testvm.xml . On the console I get:

TestVM 4.18 sc
Copyright (c) 2008 Sun Microsystems, Inc.
All Rights Reserved.
Current JRE version set in file: 605
GCJ PLUGIN: thread 0x622910: plugin_in_pipe_callback
GCJ PLUGIN: thread 0x622910: plugin_in_pipe_callback: setting status Ausnahme: java.lang.NumberFormatException: For input string: " "
  PIPE: plugin read: status Ausnahme: java.lang.NumberFormatException: For input string: " "
GCJ PLUGIN: thread 0x622910: plugin_in_pipe_callback return
  PIPE: appletviewer wrote: status Ausnahme: java.lang.NumberFormatException: For input string: " "
java.lang.NumberFormatException: For input string: " "
 at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
 at java.lang.Integer.parseInt(Integer.java:470)
 at java.lang.Integer.<init>(Integer.java:636)
 at testvmDynamicJavaCom.init(testvmDynamicJavaCom.java:195)
 at sun.applet.AppletPanel.run(AppletPanel.java:436)
 at java.lang.Thread.run(Thread.java:636)

exactt (giesbert) wrote:

I just filed https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/234025, which seems to be a duplicate of https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/220690 . But the problem still isn't fixed for me, even with the packages from https://launchpad.net/~openjdk/+archive . Hence either the bug isn't fixed or https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/220690 is not a duplicate. Right?

Andrew John Hughes (ahughes) wrote:

There were some certificate-related patches being applied back then that have now changed. May be worth retrying with current IcedTea.

Changed in icedtea:
status: Confirmed → Invalid
Sylvain Beucler (beuc) wrote:

I confirm that it works now.

Changed in icedtea:
importance: Unknown → Medium