Bug#795244: ca-certificates-java.jar - String index out of range: -1
Luca Capello
luca.capello at unige.ch
Thu Apr 2 15:32:13 BST 2020
tags 795244 + patch
thanks
Hi there,
On Thu, 12 Apr 2018 16:11:08 +0200, Raphael Hertzog wrote:
> On Wed, 12 Aug 2015, Christian Hammers wrote:
> > It does not work though:
> >
> > # java -Xmx64m -jar /usr/share/ca-certificates-java/ca-certificates-java.jar -storepass changeit
>
> That's because the program expects data on standard input. A list of
> certificates to add (prefixed with "+") or remove (prefixed with "-").
>
> I'm not sure that there's a real issue here.
Thus, what is the purpose of the same command in
/etc/ca-certificates/update.d/jks-keystore? As the reporter said, the
command line was taken from that file. Disclaimer: I am not a Java
expert...
While the /usr/share/doc/ca-certificates-java/README.Debian says that
the package "doesn't automagically handle local certificates" (as
Michael Shuler noted[1]), the solution is quite simple and can be
directly taken from postinst:
```
diff --git a/ca-certificates/update.d/jks-keystore b/ca-certificates/update.d/jks-keystore
index e0c3445..b5744ce 100755
--- a/ca-certificates/update.d/jks-keystore
+++ b/ca-certificates/update.d/jks-keystore
@@ -79,7 +79,19 @@ do_cleanup()
fi
}
-if java -Xmx64m -jar $JAR -storepass "$storepass"; then
+## <https://bugs.debian.org/795244>
+find /etc/ssl/certs -name \*.pem | \
+while read filename; do
+ alias=$(basename $filename .pem | tr A-Z a-z | tr -cs a-z0-9 _)
+ alias=${alias%*_}
+ if [ -n "$FIXOLD" ]; then
+ echo "-${alias}"
+ echo "-${alias}_pem"
+ fi
+ echo "+${filename}"
+ done | \
+ java -Xmx64m -jar $JAR -storepass "$storepass"
+if [ $? -eq 0 ]; then
do_cleanup
else
do_cleanup
```
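Review bot: the added `while read filename` loop only ever emits `+${filename}` for files that currently exist under /etc/ssl/certs (the `-` lines are limited to the FIXOLD case), and because the loop is piped into java, anything the hook receives on its own standard input is no longer read by the JAR. A certificate that has been removed or deselected gets no `-` line and would stay trusted in the Java keystore, so either forward the hook's original stdin as well or generate removal lines for aliases that no longer have a matching .pem file. Smaller points in the same loop: quote the variable in `basename "$filename" .pem`, use `read -r`, and note that FIXOLD is not assigned anywhere in the visible lines, so the `-n "$FIXOLD"` branch only runs if the caller exports it.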
[1] <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795244#10>
The only drawback is that the cacerts default keystore will be updated
at every invocation of update-ca-certificates.
I am aware that the very same README advises to use
`update-ca-certificates -f` for a full re-import, but IMHO the patch
proposed is more consistent with the "normal" update-ca-certificates
behavior.
Thx, bye,
Luca
--
Dr. Luca Capello
Ingénieur HPC
Division du Système et des Technologies de l'Information et de la Communication
Université de Genève | 24 rue Général-Dufour
Tél +41 22 379 72 42 | Bureau 151
https://hpc-community.unige.ch
mailto:luca.capello at unige.ch