Bug#795244: ca-certificates-java.jar - String index out of range: -1

Luca Capello luca.capello at unige.ch
Thu Apr 2 15:32:13 BST 2020


tags 795244 + patch
thanks

Hi there,

On Thu, 12 Apr 2018 16:11:08 +0200, Raphael Hertzog wrote:
> On Wed, 12 Aug 2015, Christian Hammers wrote:
> > It does not work though:
> > 
> >     # java -Xmx64m -jar /usr/share/ca-certificates-java/ca-certificates-java.jar -storepass changeit
> 
> That's because the program expects data on standard input. A list of
> certificates to add (prefixed with "+") or remove (prefixed with "-").
> 
> I'm not sure that there's a real issue here.

Thus, what is the purpose of the same command in
/etc/ca-certificates/update.d/jks-keystore?  As the reporter said the
command line was taken from that file.  Disclaimer: I am not a Java
expert...

While the /usr/share/doc/ca-certificates-java/README.Debian says that
the package "doesn't automagically handle local certificates" (as
Michael Shuler noted[1]), the solution is quite simple and can be
directly taken from postinst:
```
diff --git a/ca-certificates/update.d/jks-keystore b/ca-certificates/update.d/jks-keystore
index e0c3445..b5744ce 100755
--- a/ca-certificates/update.d/jks-keystore
+++ b/ca-certificates/update.d/jks-keystore
@@ -79,7 +79,19 @@ do_cleanup()
     fi
 }
 
-if java -Xmx64m -jar $JAR -storepass "$storepass"; then
+## <https://bugs.debian.org/795244>
+find /etc/ssl/certs -name \*.pem | \
+while read filename; do
+    alias=$(basename $filename .pem | tr A-Z a-z | tr -cs a-z0-9 _)
+    alias=${alias%*_}
+    if [ -n "$FIXOLD" ]; then
+        echo "-${alias}"
+        echo "-${alias}_pem"
+    fi
+    echo "+${filename}"
+ done | \
+ java -Xmx64m -jar $JAR -storepass "$storepass"
+if [ $? -eq 0 ]; then
     do_cleanup
 else
     do_cleanup
```
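Review bot: The new pipeline replaces the standard input that the old `java -Xmx64m -jar $JAR -storepass "$storepass"` line inherited, and the loop only emits `+` lines for files still present under /etc/ssl/certs (`-` lines appear only when FIXOLD is set, and only for those same files), so a certificate that has been removed from /etc/ssl/certs never produces a removal line and nothing in this hunk would take it out of the keystore. Consider still forwarding the hook's own input, or emitting explicit removals for aliases that no longer have a file. In the loop itself, `while read filename` and `basename $filename .pem` should be `while IFS= read -r filename` and `basename "$filename" .pem` so that names containing spaces or backslashes are not split or altered. The extra leading space on the `done | \` and `java` lines is inconsistent with the surrounding indentation.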

[1] <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795244#10>

The only drawback is that the cacerts default keystore will be updated
at every invocation of update-ca-certificates.

I am aware that the very same README advises to use
`update-ca-certificates -f` for a full re-import, but IMHO the patch
proposed is more consistent with the "normal" update-ca-certificates
behavior.

Thx, bye,
Luca

-- 
Dr. Luca Capello
Ingénieur HPC
Division du Système et des Technologies de l'Information et de la Communication
Université de Genève | 24 rue Général-Dufour
Tél +41 22 379 72 42 | Bureau 151
https://hpc-community.unige.ch
mailto:luca.capello at unige.ch