Import Debian version 20180516

ca-certificates-java (20180516) unstable; urgency=medium

  * Team upload.

  [ Tiago Stürmer Daitx ]
  * debian/jks-keystore.hook.in: don't create a jvm-*.cfg file, a default file
    with the right configuration is already supplied by the openjdk packages.
  * debian/jks-keystore.hook.in, debian/postinst.in: Only export JAVA_HOME
    and update PATH if a known jvm was found.
  * debian/postinst.in: Detect PKCS12 cacert keystore generated by
    previous ca-certificates-java and convert them to JKS. (Closes: #898678)
    (LP: #1771363)

  [ Matthias Klose ]
  * debian/rules: Explicitly depend on openjdk-11-jre-headless, needed to
    configure.

  [ Emmanuel Bourg ]
  * Use salsa.debian.org Vcs-* URLs

ca-certificates-java (20180413) unstable; urgency=medium

  * Team upload.
  * Always generate a JKS keystore instead of using the default format
    (Closes: #894979)
  * Look for Java 10 and Java 11 when detecting the JRE
  * Removed Damien Raude-Morvan from the uploaders (Closes: #889412)
  * Standards-Version updated to 4.1.4
  * Switch to debhelper level 11

ca-certificates-java (20170930) unstable; urgency=medium

  * Team upload.
  * Revert the last two NMUs.
    - Depend again on openjdk-8 after the stretch release.
    - Stop fiddling around with jvm-*.cfg files. ca-certificates-java
      has no business with providing an initial cacerts file. This is
      implemented in the openjdk packages. We are not 2008 anymore.
  * Bump standards version.
  * Remove Torsten Werner as uploader.

ca-certificates-java (20170929) unstable; urgency=low

  [ Gianfranco Costamagna ]
  * Team upload.
  * Ack previous NMU, thanks

  [ Rico Tzschichholz ]
  * Fix temporary jvm-*.cfg generation on armhf (Closes: #874276)
    - the armhf installation path is different from other architectures.

ca-certificates-java (20170531+nmu1) unstable; urgency=high

  * Non-maintainer upload.
  * Revert to depending on openjdk-7 instead of openjdk-8, since this triggers
    a failure to dist-upgrade, due to the triggers loop (See: #864597). The
    openjdk-7 package was dropped from stretch, but the java7-runtime-headless
    alternative dependency is satisfied by openjdk-8.

ca-certificates-java (20170531) unstable; urgency=medium

  * Team upload.
  * Depend on openjdk-8 instead of openjdk-7 (Closes: #863803)
  * Moved the package to Git

ca-certificates-java (20161107) unstable; urgency=medium

  * Team upload.
  * postinst: Use exit trap instead of if condition to not fail silently
    (e.g. in case the java binary is not found) (Closes: #822201)
  * Bump Standards-Version to 3.9.8 (no changes)

ca-certificates-java (20160321) unstable; urgency=medium

  * Team upload.
  * Drop support for obsolete Java 6 (Closes: #776897)
  * Add support for Java 8 and 9 (Closes: #775775)
  * Bump Standards-Version to 3.9.7 (no changes)
  * Use secure HTTPS URI for Vcs-Browser

ca-certificates-java (20140324) unstable; urgency=medium

  * Team upload.
  * Fixed a test failure caused by the removal of the CAcert.org root
    certificate from the ca-certificates package (Closes: #741755)
  * Limit the memory used by java to 64M when updating the certificates
    (Closes: #576453)
  * Mavenized the project
  * Code refactoring
  * d/control: Standards-Version updated to 3.9.5 (no changes)
  * Switch to debhelper level 9

ca-certificates-java (20130815) unstable; urgency=low

  * Acknowledge NMU done by Don Armstrong and Andreas Beckmann.
  * Fix tests to works with new cacert certificates names (Closes:
    #713138).
  * d/control: Use canonical value for Vcs-* fields.
  * d/control: Remove deprecated DMUA flag.
  * d/control: Bump Standards-Version to 3.9.4 (no changes needed).

ca-certificates-java (20121112+nmu2) unstable; urgency=medium

  * Non-maintainer upload.
  * postinst, jks-keystore.hook: Do not fail if nss.cfg does not (yet) exist,
    i.e. if openjdk-?-jre-headless is unpacked but not yet configured.
    (Closes: #694888)
  * Set urgency to medium for RC bugfix.

ca-certificates-java (20121112+nmu1) unstable; urgency=low

  * Non-maintainer upload
  * Fix test for dpkg-query in postinst; there was an extraneous --version
    here. [Probably don't even need to bother to check for dpkg-query, but
    why not.] (Closes: #690204)
  * Library path for softokn3pkg and nsspkg is potentially wrong if there
    are multiple different paths; fix it.
  * Do not run the hook if ca-certificates-java has been removed but not
    purged.
  * Use the new trigger support provided by ca-certificates (>=20121114).

ca-certificates-java (20120721) unstable; urgency=low

  * Fix jks-keystore and postinst to work on multi-arch system.
    Use dpkg-query -L package:arch. (Closes: #680618).
  * As libnss3-1d is a transitional package on both Debian and Ubuntu,
    upgrade Depends to use libnss3.

ca-certificates-java (20120608) unstable; urgency=low

  [ James Page ]
  * Switch primary JRE dependency from openjdk-6 to openjdk-7 to support
    demotion of openjdk-6 to universe in Ubuntu:
    - d/control, rules: Generate primary JRE dependency at build time to
      allow differentiation between Ubuntu and Debian.
  * Added myself to uploaders.

  [ Damien Raude-Morvan ]
  * Update to unstable.
  * Set DMUA flag for James Page.

ca-certificates-java (20120603) unstable; urgency=low

  * Use javahelper as buildsystem:
    - d/control: Add Build-Depends on javahelper.
    - d/rules: Use jh_build to call javac.
  * Create a testsuite for this package:
    - Refactor UpdateCertificates code to send exceptions instead of
      System.exit(1).
    - New testsuite: UpdateCertificatesTest.
    - d/control: Build-Depends on junit4.
    - d/rules: Launch junit after build and handle "nocheck" option in
      DEB_BUILD_OPTIONS.

ca-certificates-java (20120524) unstable; urgency=low

  [ Marc Deslauriers ]
  * debian/preinst, debian/postinst: remove the 20110912ubuntu1 work-around
    since it is no longer needed.
  * debian/postinst: don't put a symlink in / if jvm doesn't contain nss
    configuration. (Closes: #665754, #665749).
  * debian/postinst: force migration to new alias names again. The
    migration was supposed to occur on upgrades to Oneiric, but failed
    because of an NSS error.
  * debian/postinst: forcibly remove diginotar cert. It could be left
    behind under certain circumstances. (LP: #920758)
  * debian/postinst: also look for jvm in multiarch locations (LP: #962378)
  * debian/postinst: retrigger first_install to properly get cert store.

  [ James Page ]
  * d/rules: Ensure java is built with source/target == 1.6 for backwards
    compatibility with openjdk-6. 

  [ Damien Raude-Morvan ]
  * Sync handling of nss.cfg between debian/jks-keystore.hook.in and
    debian/postinst.in.
  * Merge changes from Ubuntu (Thanks to James Page and Marc Deslauriers).
  * Improve handling of certificate with UTF-8 filenames:
    - UpdateCertificates: Force read System.in with UTF-8
    - debian/postinst: Set LC_CTYPE to C.UTF-8

ca-certificates-java (20120225) unstable; urgency=low

  [ Steve Langasek ]
  * debian/jks-keystore.hook: If we *don't* find libnss3 / libnss3-1d,
    don't remove files from the filesystem in do_cleanup(),
    since this has a nasty tendency of nuking system libraries.
    LP: #855171.
  * debian/preinst, debian/postinst: when upgrading from version
    20110912ubuntu1, disable the buggy hook script early to prevent it from
    being run before our new version is configured; and re-enable the script
    in the postinst.  LP: #855246.

  [ Matthias Klose ]
  * Mark as Multi-Arch: foreign.
  * Adjust the libnss3-1d versioned dependency.

  [ Damien Raude-Morvan ]
  * Add myself to Uploaders.
  * Use dh_gencontrol and dpkg-vendor to allow:
    - New substvar ${nss:Depends} for libnss3-1d versionning.
    - New @NSS_LIB@ parameter for debian/*.in files.
  * Bump Standards-Version to 3.9.3:
    - Add recommended build-arch / build-indep targets.

ca-certificates-java (20111223) unstable; urgency=low

  * Support new multiarch JRE packages in postinst.

ca-certificates-java (20110912) unstable; urgency=low

  * Support new multiarch JRE packages in jks-keystore. (Closes: #641306)
  * Support OpenJDK 7. (Closes: #641305)

ca-certificates-java (20110816) unstable; urgency=low

  * Upgrade Recommends: libnss3-1d to a versioned Depends due to multiarch
    changes. (Closes: #635571)
  * Use the locale C.UTF-8 for the hook script to be more robust.

ca-certificates-java (20110531) unstable; urgency=low

  * Prepare for multiarch libnss3 update.

ca-certificates-java (20110426) unstable; urgency=low

  * Test for existing file in postinst before copying it. (Closes: #624152)
  * Add Vcs headers to debian/control.

ca-certificates-java (20110425) unstable; urgency=low

  * Add Java code to update the keystore and support UTF-8 encoded filenames.
    (Closes: #607245, #623671)
  * Change Maintainer to Debian Java Maintainers and add myself to Uploaders.
  * Update Build-Depends.
  * Replace old inconsistent keystore aliases. (Closes: #623888)
  * Add support for openjdk-7 and remove support for old cacao VM.
  * Add a NEWS file explaining the update.
  * Update README.Debian.

ca-certificates-java (20100412) unstable; urgency=low

  * Upload to unstable.

ca-certificates-java (20100406ubuntu1) lucid; urgency=low

  * Make the installation and import of certificates more robust,
    if the NSS based security provider is disabled or not built.

ca-certificates-java (20100406) unstable; urgency=low

  * Explicitely fail the installation, if /proc is not mounted.
    Currently required by the java tools, changed in OpenJDK7.
    Closes: #576453. LP: #556044.
  * Print name of JVM in case of errors.
  * Set priority to optional, set section to java. Closes: #566855.
  * Remove /etc/ssl/certs on package purge, if empty. Closes: #566853.

ca-certificates-java (20091021) unstable; urgency=low

  * Clarify output for keytool errors (although it shouldnn't be
    necessary anymore). Closes: #540490.

ca-certificates-java (20090928) karmic; urgency=low

  * Rebuild with OpenJDK supporting PKCS11 cryptography, rebuild with
    ca-certificates 20090814.

ca-certificates-java (20090629) unstable; urgency=low

  * debian/rules, debian/postinst, debian/jks-keystore.hook: Filter out
    SHA384withECDSA certificates since keytool won't support them.
    LP: #392104, closes: #534520.
  * Fix typo in hook. Closes: #534533.
  * Use java6-runtime-headless as alternative dependency. Closes: #512293.

ca-certificates-java (20081028) unstable; urgency=low

  * Ignore LANG and LC_ALL setting when running keytool. LP: #289934.

ca-certificates-java (20081027) unstable; urgency=medium

  * Merge from Ubuntu:
    - Don't try to import certificates, which are listed in
      /etc/ca-certificates.conf, but not available on the system.
      Just warn about those. LP: #289091.
    - Need to run keytool, when the jre is unpacked, but not yet configured.
      Create a temporary jvm.cfg for the time in that postinst and the
      jks-keystore.hook are run, and remove it afterwards. LP: #289199.

ca-certificates-java (20081024) unstable; urgency=low

  * Install /etc/default/cacerts with mode 600.

ca-certificates-java (20081022) unstable; urgency=low

  * debian/jks-keystore.hook:
    - Don't stop after first error during the update. LP: #244412.
      Closes: #489748.
    - Call keytool with -noprompt.
  * On initial install, add locally added certificates. LP: #244410.
    Closes: #489748.
  * Install /etc/default/cacerts to set options:
    - storepass, holding the password for the keystore.
    - updates, to enable/disable updates of the keystore.
  * Only use the keytool command from OpenJDK or Sun Java. Closes: #496587.

ca-certificates-java (20080712) unstable; urgency=low

  * Upload to main.

ca-certificates-java (20080711) unstable; urgency=low

  * debian/jks-keystore.hook: Fix typo. Closes: #489747, LP: #244408.

ca-certificates-java (20080514) unstable; urgency=low

  * Initial release.

debian/NEWS

+ca-certificates-java (20110425) unstable; urgency=low
+
+  The package will add a prefix 'debian:' to the aliases in the keystore from
+  now on. Old entries will be removed during the update but other local
+  changes will be kept. A backup of the old keystore can be found in
+  /etc/ssl/certs/java/cacerts.dpkg-old.
+
+ -- Torsten Werner <twerner@debian.org>  Mon, 25 Apr 2011 15:18:22 +0200

debian/README.Debian

+ca-certificates-java for Debian
+-------------------------------
+
+This package uses the hooks of the ca-certificates package to update the JKS
+keystore /etc/ssl/certs/java/cacerts used for many java runtimes. The alias used
+to store the certificate is the basename prefixed with 'debian:'. It will import
+all *.pem files found in /etc/ssl/certs during its first installation.
+
+ca-certificates-java doesn't automagically handle local certificates,
+although these are not overwritten on updates.
+
+A full re-import can be triggered with the command 'update-ca-certificates -f'
+if needed.
+
+ -- Torsten Werner <twerner@debian.org>  Mon, 25 Apr 2011 15:18:22 +0200

debian/ca-certificates-java.triggers

+activate update-ca-certificates

debian/changelog

+ca-certificates-java (20180516) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Tiago Stürmer Daitx ]
+  * debian/jks-keystore.hook.in: don't create a jvm-*.cfg file, a default file
+    with the right configuration is already supplied by the openjdk packages.
+  * debian/jks-keystore.hook.in, debian/postinst.in: Only export JAVA_HOME
+    and update PATH if a known jvm was found.
+  * debian/postinst.in: Detect PKCS12 cacert keystore generated by
+    previous ca-certificates-java and convert them to JKS. (Closes: #898678)
+    (LP: #1771363)
+
+  [ Matthias Klose ]
+  * debian/rules: Explicitly depend on openjdk-11-jre-headless, needed to
+    configure.
+
+  [ Emmanuel Bourg ]
+  * Use salsa.debian.org Vcs-* URLs
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Wed, 16 May 2018 23:00:38 +0200
+
+ca-certificates-java (20180413) unstable; urgency=medium
+
+  * Team upload.
+  * Always generate a JKS keystore instead of using the default format
+    (Closes: #894979)
+  * Look for Java 10 and Java 11 when detecting the JRE
+  * Removed Damien Raude-Morvan from the uploaders (Closes: #889412)
+  * Standards-Version updated to 4.1.4
+  * Switch to debhelper level 11
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Fri, 13 Apr 2018 14:15:39 +0200
+
+ca-certificates-java (20170930) unstable; urgency=medium
+
+  * Team upload.
+  * Revert the last two NMUs.
+    - Depend again on openjdk-8 after the stretch release.
+    - Stop fiddling around with jvm-*.cfg files. ca-certificates-java
+      has no business with providing an initial cacerts file. This is
+      implemented in the openjdk packages. We are not 2008 anymore.
+  * Bump standards version.
+  * Remove Torsten Werner as uploader.
+
+ -- Matthias Klose <doko@debian.org>  Sat, 30 Sep 2017 02:02:28 +0200
+
+ca-certificates-java (20170929) unstable; urgency=low
+
+  [ Gianfranco Costamagna ]
+  * Team upload.
+  * Ack previous NMU, thanks
+
+  [ Rico Tzschichholz ]
+  * Fix temporary jvm-*.cfg generation on armhf (Closes: #874276)
+    - the armhf installation path is different from other architectures.
+
+ -- Rico Tzschichholz <ricotz@ubuntu.com>  Wed, 27 Sep 2017 17:17:59 +0200
+
+ca-certificates-java (20170531+nmu1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Revert to depending on openjdk-7 instead of openjdk-8, since this triggers
+    a failure to dist-upgrade, due to the triggers loop (See: #864597). The
+    openjdk-7 package was dropped from stretch, but the java7-runtime-headless
+    alternative dependency is satisfied by openjdk-8.
+
+ -- Cyril Brulebois <kibi@debian.org>  Thu, 15 Jun 2017 17:33:00 +0200
+
+ca-certificates-java (20170531) unstable; urgency=medium
+
+  * Team upload.
+  * Depend on openjdk-8 instead of openjdk-7 (Closes: #863803)
+  * Moved the package to Git
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Wed, 31 May 2017 15:02:23 +0200
+
+ca-certificates-java (20161107) unstable; urgency=medium
+
+  * Team upload.
+  * postinst: Use exit trap instead of if condition to not fail silently
+    (e.g. in case the java binary is not found) (Closes: #822201)
+  * Bump Standards-Version to 3.9.8 (no changes)
+
+ -- Benjamin Drung <benjamin.drung@profitbricks.com>  Mon, 07 Nov 2016 13:45:23 +0100
+
+ca-certificates-java (20160321) unstable; urgency=medium
+
+  * Team upload.
+  * Drop support for obsolete Java 6 (Closes: #776897)
+  * Add support for Java 8 and 9 (Closes: #775775)
+  * Bump Standards-Version to 3.9.7 (no changes)
+  * Use secure HTTPS URI for Vcs-Browser
+
+ -- Benjamin Drung <benjamin.drung@profitbricks.com>  Mon, 21 Mar 2016 14:34:49 +0100
+
+ca-certificates-java (20140324) unstable; urgency=medium
+
+  * Team upload.
+  * Fixed a test failure caused by the removal of the CAcert.org root
+    certificate from the ca-certificates package (Closes: #741755)
+  * Limit the memory used by java to 64M when updating the certificates
+    (Closes: #576453)
+  * Mavenized the project
+  * Code refactoring
+  * d/control: Standards-Version updated to 3.9.5 (no changes)
+  * Switch to debhelper level 9
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Mon, 24 Mar 2014 09:42:08 +0100
+
+ca-certificates-java (20130815) unstable; urgency=low
+
+  * Acknowledge NMU done by Don Armstrong and Andreas Beckmann.
+  * Fix tests to works with new cacert certificates names (Closes:
+    #713138).
+  * d/control: Use canonical value for Vcs-* fields.
+  * d/control: Remove deprecated DMUA flag.
+  * d/control: Bump Standards-Version to 3.9.4 (no changes needed).
+
+ -- Damien Raude-Morvan <drazzib@debian.org>  Thu, 15 Aug 2013 13:52:46 +0200
+
+ca-certificates-java (20121112+nmu2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * postinst, jks-keystore.hook: Do not fail if nss.cfg does not (yet) exist,
+    i.e. if openjdk-?-jre-headless is unpacked but not yet configured.
+    (Closes: #694888)
+  * Set urgency to medium for RC bugfix.
+
+ -- Andreas Beckmann <anbe@debian.org>  Sun, 27 Jan 2013 14:19:41 +0100
+
+ca-certificates-java (20121112+nmu1) unstable; urgency=low
+
+  * Non-maintainer upload
+  * Fix test for dpkg-query in postinst; there was an extraneous --version
+    here. [Probably don't even need to bother to check for dpkg-query, but
+    why not.] (Closes: #690204)
+  * Library path for softokn3pkg and nsspkg is potentially wrong if there
+    are multiple different paths; fix it.
+  * Do not run the hook if ca-certificates-java has been removed but not
+    purged.
+  * Use the new trigger support provided by ca-certificates (>=20121114).
+
+ -- Don Armstrong <don@debian.org>  Mon, 12 Nov 2012 15:45:50 -0800
+
+ca-certificates-java (20120721) unstable; urgency=low
+
+  * Fix jks-keystore and postinst to work on multi-arch system.
+    Use dpkg-query -L package:arch. (Closes: #680618).
+  * As libnss3-1d is a transitional package on both Debian and Ubuntu,
+    upgrade Depends to use libnss3.
+
+ -- Damien Raude-Morvan <drazzib@debian.org>  Sat, 21 Jul 2012 01:06:32 +0200
+
+ca-certificates-java (20120608) unstable; urgency=low
+
+  [ James Page ]
+  * Switch primary JRE dependency from openjdk-6 to openjdk-7 to support
+    demotion of openjdk-6 to universe in Ubuntu:
+    - d/control, rules: Generate primary JRE dependency at build time to
+      allow differentiation between Ubuntu and Debian.
+  * Added myself to uploaders.
+
+  [ Damien Raude-Morvan ]
+  * Update to unstable.
+  * Set DMUA flag for James Page.
+
+ -- James Page <james.page@ubuntu.com>  Fri, 08 Jun 2012 09:44:58 +0100
+
+ca-certificates-java (20120603) unstable; urgency=low
+
+  * Use javahelper as buildsystem:
+    - d/control: Add Build-Depends on javahelper.
+    - d/rules: Use jh_build to call javac.
+  * Create a testsuite for this package:
+    - Refactor UpdateCertificates code to send exceptions instead of
+      System.exit(1).
+    - New testsuite: UpdateCertificatesTest.
+    - d/control: Build-Depends on junit4.
+    - d/rules: Launch junit after build and handle "nocheck" option in
+      DEB_BUILD_OPTIONS.
+
+ -- Damien Raude-Morvan <drazzib@debian.org>  Sun, 03 Jun 2012 12:10:26 +0200
+
+ca-certificates-java (20120524) unstable; urgency=low
+
+  [ Marc Deslauriers ]
+  * debian/preinst, debian/postinst: remove the 20110912ubuntu1 work-around
+    since it is no longer needed.
+  * debian/postinst: don't put a symlink in / if jvm doesn't contain nss
+    configuration. (Closes: #665754, #665749).
+  * debian/postinst: force migration to new alias names again. The
+    migration was supposed to occur on upgrades to Oneiric, but failed
+    because of an NSS error.
+  * debian/postinst: forcibly remove diginotar cert. It could be left
+    behind under certain circumstances. (LP: #920758)
+  * debian/postinst: also look for jvm in multiarch locations (LP: #962378)
+  * debian/postinst: retrigger first_install to properly get cert store.
+
+  [ James Page ]
+  * d/rules: Ensure java is built with source/target == 1.6 for backwards
+    compatibility with openjdk-6. 
+
+  [ Damien Raude-Morvan ]
+  * Sync handling of nss.cfg between debian/jks-keystore.hook.in and
+    debian/postinst.in.
+  * Merge changes from Ubuntu (Thanks to James Page and Marc Deslauriers).
+  * Improve handling of certificate with UTF-8 filenames:
+    - UpdateCertificates: Force read System.in with UTF-8
+    - debian/postinst: Set LC_CTYPE to C.UTF-8
+
+ -- Damien Raude-Morvan <drazzib@debian.org>  Tue, 22 May 2012 23:41:41 +0200
+
+ca-certificates-java (20120225) unstable; urgency=low
+
+  [ Steve Langasek ]
+  * debian/jks-keystore.hook: If we *don't* find libnss3 / libnss3-1d,
+    don't remove files from the filesystem in do_cleanup(),
+    since this has a nasty tendency of nuking system libraries.
+    LP: #855171.
+  * debian/preinst, debian/postinst: when upgrading from version
+    20110912ubuntu1, disable the buggy hook script early to prevent it from
+    being run before our new version is configured; and re-enable the script
+    in the postinst.  LP: #855246.
+
+  [ Matthias Klose ]
+  * Mark as Multi-Arch: foreign.
+  * Adjust the libnss3-1d versioned dependency.
+
+  [ Damien Raude-Morvan ]
+  * Add myself to Uploaders.
+  * Use dh_gencontrol and dpkg-vendor to allow:
+    - New substvar ${nss:Depends} for libnss3-1d versionning.
+    - New @NSS_LIB@ parameter for debian/*.in files.
+  * Bump Standards-Version to 3.9.3:
+    - Add recommended build-arch / build-indep targets.
+
+ -- Damien Raude-Morvan <drazzib@debian.org>  Sat, 25 Feb 2012 15:06:32 +0100
+
+ca-certificates-java (20111223) unstable; urgency=low
+
+  * Support new multiarch JRE packages in postinst.
+
+ -- Torsten Werner <twerner@debian.org>  Fri, 23 Dec 2011 13:46:15 +0100
+
+ca-certificates-java (20110912) unstable; urgency=low
+
+  * Support new multiarch JRE packages in jks-keystore. (Closes: #641306)
+  * Support OpenJDK 7. (Closes: #641305)
+
+ -- Torsten Werner <twerner@debian.org>  Mon, 12 Sep 2011 21:23:22 +0200
+
+ca-certificates-java (20110816) unstable; urgency=low
+
+  * Upgrade Recommends: libnss3-1d to a versioned Depends due to multiarch
+    changes. (Closes: #635571)
+  * Use the locale C.UTF-8 for the hook script to be more robust.
+
+ -- Torsten Werner <twerner@debian.org>  Tue, 16 Aug 2011 11:00:33 +0200
+
+ca-certificates-java (20110531) unstable; urgency=low
+
+  * Prepare for multiarch libnss3 update.
+
+ -- Matthias Klose <doko@ubuntu.com>  Tue, 31 May 2011 15:20:52 +0200
+
+ca-certificates-java (20110426) unstable; urgency=low
+
+  * Test for existing file in postinst before copying it. (Closes: #624152)
+  * Add Vcs headers to debian/control.
+
+ -- Torsten Werner <twerner@debian.org>  Tue, 26 Apr 2011 09:23:03 +0200
+
+ca-certificates-java (20110425) unstable; urgency=low
+
+  * Add Java code to update the keystore and support UTF-8 encoded filenames.
+    (Closes: #607245, #623671)
+  * Change Maintainer to Debian Java Maintainers and add myself to Uploaders.
+  * Update Build-Depends.
+  * Replace old inconsistent keystore aliases. (Closes: #623888)
+  * Add support for openjdk-7 and remove support for old cacao VM.
+  * Add a NEWS file explaining the update.
+  * Update README.Debian.
+
+ -- Torsten Werner <twerner@debian.org>  Mon, 25 Apr 2011 15:28:55 +0200
+
+ca-certificates-java (20100412) unstable; urgency=low
+
+  * Upload to unstable.
+
+ -- Matthias Klose <doko@ubuntu.com>  Mon, 12 Apr 2010 03:15:47 +0200
+
+ca-certificates-java (20100406ubuntu1) lucid; urgency=low
+
+  * Make the installation and import of certificates more robust,
+    if the NSS based security provider is disabled or not built.
+
+ -- Matthias Klose <doko@ubuntu.com>  Sun, 11 Apr 2010 20:54:43 +0200
+
+ca-certificates-java (20100406) unstable; urgency=low
+
+  * Explicitely fail the installation, if /proc is not mounted.
+    Currently required by the java tools, changed in OpenJDK7.
+    Closes: #576453. LP: #556044.
+  * Print name of JVM in case of errors.
+  * Set priority to optional, set section to java. Closes: #566855.
+  * Remove /etc/ssl/certs on package purge, if empty. Closes: #566853.
+
+ -- Matthias Klose <doko@debian.org>  Tue, 06 Apr 2010 21:41:39 +0200
+
+ca-certificates-java (20091021) unstable; urgency=low
+
+  * Clarify output for keytool errors (although it shouldnn't be
+    necessary anymore). Closes: #540490.
+
+ -- Matthias Klose <doko@ubuntu.com>  Wed, 21 Oct 2009 22:00:53 +0200
+
+ca-certificates-java (20090928) karmic; urgency=low
+
+  * Rebuild with OpenJDK supporting PKCS11 cryptography, rebuild with
+    ca-certificates 20090814.
+
+ -- Matthias Klose <doko@ubuntu.com>  Mon, 28 Sep 2009 16:47:09 +0200
+
+ca-certificates-java (20090629) unstable; urgency=low
+
+  * debian/rules, debian/postinst, debian/jks-keystore.hook: Filter out
+    SHA384withECDSA certificates since keytool won't support them.
+    LP: #392104, closes: #534520.
+  * Fix typo in hook. Closes: #534533.
+  * Use java6-runtime-headless as alternative dependency. Closes: #512293.
+
+ -- Matthias Klose <doko@ubuntu.com>  Mon, 29 Jun 2009 11:27:59 +0200
+
+ca-certificates-java (20081028) unstable; urgency=low
+
+  * Ignore LANG and LC_ALL setting when running keytool. LP: #289934.
+
+ -- Matthias Klose <doko@debian.org>  Tue, 28 Oct 2008 07:20:16 +0100
+
+ca-certificates-java (20081027) unstable; urgency=medium
+
+  * Merge from Ubuntu:
+    - Don't try to import certificates, which are listed in
+      /etc/ca-certificates.conf, but not available on the system.
+      Just warn about those. LP: #289091.
+    - Need to run keytool, when the jre is unpacked, but not yet configured.
+      Create a temporary jvm.cfg for the time in that postinst and the
+      jks-keystore.hook are run, and remove it afterwards. LP: #289199.
+
+ -- Matthias Klose <doko@debian.org>  Mon, 27 Oct 2008 13:58:14 +0100
+
+ca-certificates-java (20081024) unstable; urgency=low
+
+  * Install /etc/default/cacerts with mode 600.
+
+ -- Matthias Klose <doko@debian.org>  Fri, 24 Oct 2008 15:10:48 +0200
+
+ca-certificates-java (20081022) unstable; urgency=low
+
+  * debian/jks-keystore.hook:
+    - Don't stop after first error during the update. LP: #244412.
+      Closes: #489748.
+    - Call keytool with -noprompt.
+  * On initial install, add locally added certificates. LP: #244410.
+    Closes: #489748.
+  * Install /etc/default/cacerts to set options:
+    - storepass, holding the password for the keystore.
+    - updates, to enable/disable updates of the keystore.
+  * Only use the keytool command from OpenJDK or Sun Java. Closes: #496587.
+
+ -- Matthias Klose <doko@ubuntu.com>  Wed, 22 Oct 2008 20:51:24 +0200
+
+ca-certificates-java (20080712) unstable; urgency=low
+
+  * Upload to main.
+
+ -- Matthias Klose <doko@ubuntu.com>  Sat, 12 Jul 2008 12:19:00 +0200
+
+ca-certificates-java (20080711) unstable; urgency=low
+
+  * debian/jks-keystore.hook: Fix typo. Closes: #489747, LP: #244408.
+
+ -- Matthias Klose <doko@ubuntu.com>  Fri, 11 Jul 2008 20:38:04 +0200
+
+ca-certificates-java (20080514) unstable; urgency=low
+
+  * Initial release.
+
+ -- Matthias Klose <doko@ubuntu.com>  Mon, 02 Jun 2008 14:52:46 +0000
+

debian/compat

+11

debian/control

+Source: ca-certificates-java
+Section: java
+Priority: optional
+Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
+Uploaders: Matthias Klose <doko@ubuntu.com>,
+           James Page <james.page@ubuntu.com>
+Build-Depends: debhelper (>= 11), default-jdk, javahelper, junit4
+Standards-Version: 4.1.4
+Vcs-Git: https://salsa.debian.org/java-team/ca-certificates-java.git
+Vcs-Browser: https://salsa.debian.org/java-team/ca-certificates-java
+
+Package: ca-certificates-java
+Architecture: all
+Multi-Arch: foreign
+Depends: ca-certificates (>= 20121114),
+         ${jre:Depends} | java8-runtime-headless,
+         ${misc:Depends},
+         ${nss:Depends}
+# We need a versioned Depends due to multiarch changes (bug #635571).
+Description: Common CA certificates (JKS keystore)
+ This package uses the hooks of the ca-certificates package to update the
+ cacerts JKS keystore used for many java runtimes.

debian/copyright

+This package was debianized by Matthias Klose <doko@ubuntu.com>
+on Mon, 02 Jun 2008 14:52:46 +0000.
+
+Authors:
+
+    Matthias Klose <doko@ubuntu.com>
+    Torsten Werner <twerner@debian.org>
+
+Copyright:
+
+    Copyright (C) 2008 Canonical Ltd
+    Copyright (C) 2011 Torsten Werner <twerner@debian.org>
+
+License:
+
+The Debian package is (C) 2008, Canonical Ltd and (C) 2011, Torsten Werner
+<twerner@debian.org> and is licensed under the GPL, see
+`/usr/share/common-licenses/GPL'.

debian/default

+# defaults for ca-certificates-java
+
+# The password which is used to protect the integrity of the keystore.
+# storepass must be at least 6 characters long. It must be provided to
+# all commands that access the keystore contents.
+# Only change this if adding private certificates.
+#storepass=''
+
+# enable/disable updates of the keystore /etc/ssl/certs/java/cacerts
+cacerts_updates=yes

debian/jks-keystore.hook.in

+#!/bin/sh
+
+set -e
+
+# use the locale C.UTF-8
+unset LC_ALL
+LC_CTYPE=C.UTF-8
+export LC_CTYPE
+
+storepass='changeit'
+if [ -f /etc/default/cacerts ]; then
+    . /etc/default/cacerts
+fi
+
+arch=`dpkg --print-architecture`
+JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
+
+nsslib_name()
+{
+    if dpkg --assert-multi-arch 2>/dev/null; then
+        echo "@NSS_LIB@:${arch}"
+    else
+        echo "@NSS_LIB@"
+    fi
+}
+
+echo ""
+if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ] || [ ! -e $JAR ]; then
+    echo "updates of cacerts keystore disabled."
+    exit 0
+fi
+
+if ! mountpoint -q /proc; then
+    echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+    exit 1
+fi
+
+for jvm in java-7-openjdk-$arch java-7-openjdk \
+           oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
+           java-8-openjdk-$arch java-8-openjdk \
+           oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
+           java-9-openjdk-$arch java-9-openjdk \
+           oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
+           java-10-openjdk-$arch java-10-openjdk \
+           oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
+           java-11-openjdk-$arch java-11-openjdk \
+           oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do
+    if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+        export JAVA_HOME=/usr/lib/jvm/$jvm
+        PATH=$JAVA_HOME/bin:$PATH
+    	break
+    fi
+done
+
+if dpkg-query --version >/dev/null; then
+    nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
+    nsscfg=/etc/${jvm%-$arch}/security/nss.cfg
+    nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' $nsscfg)
+    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
+        ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so
+    fi
+    softokn3pkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libsoftokn3\.so$,\1,p'|head -n 1)
+    if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] && [ "$softokn3pkg" != "$nssjdk" ]; then
+        ln -sf $softokn3pkg/libsoftokn3.so $nssjdk/libsoftokn3.so
+    fi
+fi
+
+do_cleanup()
+{
+    [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
+    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
+    then
+        rm -f $nssjdk/libnss3.so
+    fi
+    if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] \
+       && [ "$softokn3pkg" != "$nssjdk" ]
+    then
+        rm -f $nssjdk/libsoftokn3.so
+    fi
+}
+
+if java -Xmx64m -jar $JAR -storepass "$storepass"; then
+    do_cleanup
+else
+    do_cleanup
+    exit 1
+fi
+
+echo "done."

debian/postinst.in

+#!/bin/bash
+set -e
+
+# use the locale C.UTF-8
+unset LC_ALL
+LC_CTYPE=C.UTF-8
+export LC_CTYPE
+
+storepass='changeit'
+if [ -f /etc/default/cacerts ]; then
+    . /etc/default/cacerts
+fi
+
+arch=`dpkg --print-architecture`
+JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
+
+nsslib_name()
+{
+    if dpkg --assert-multi-arch 2>/dev/null; then
+        echo "@NSS_LIB@:${arch}"
+    else
+        echo "@NSS_LIB@"
+    fi
+}
+
+setup_path()
+{
+    for jvm in java-7-openjdk-$arch java-7-openjdk \
+               oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
+               java-8-openjdk-$arch java-8-openjdk \
+               oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
+               java-9-openjdk-$arch java-9-openjdk \
+               oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
+               java-10-openjdk-$arch java-10-openjdk \
+               oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
+               java-11-openjdk-$arch java-11-openjdk \
+               oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do
+        if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+            export JAVA_HOME=/usr/lib/jvm/$jvm
+            PATH=$JAVA_HOME/bin:$PATH
+            break
+        fi
+    done
+}
+
+check_proc()
+{
+    if ! mountpoint -q /proc; then
+        echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+        exit 1
+    fi
+}
+
+convert_pkcs12_keystore_to_jks()
+{
+    if ! keytool -importkeystore \
+                 -srckeystore /etc/ssl/certs/java/cacerts \
+                 -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
+                 -srcstoretype PKCS12 \
+                 -deststoretype JKS \
+                 -srcstorepass "$storepass" \
+                 -deststorepass "$storepass" \
+                 -noprompt; then
+        echo "failed to convert PKCS12 keystore to JKS" >&2
+        exit 1
+    fi
+
+    # only update if /etc/default/cacerts allows
+    if [ "$cacerts_updates" = "yes" ]; then
+        mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
+        mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts
+    fi
+}
+
+first_install()
+{
+    if which dpkg-query >/dev/null; then
+        nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
+        nsscfg=/etc/${jvm%-$arch}/security/nss.cfg
+        nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' $nsscfg)
+        if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
+            ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so
+        fi
+    fi
+
+    # Forcibly remove diginotar cert (LP: #920758)
+    if [ -n "$FIXOLD" ]; then
+        echo -e "-diginotar_root_ca\n-diginotar_root_ca_pem" | \
+        java -Xmx64m -jar $JAR -storepass "$storepass"
+    fi
+
+    find /etc/ssl/certs -name \*.pem | \
+    while read filename; do
+        alias=$(basename $filename .pem | tr A-Z a-z | tr -cs a-z0-9 _)
+        alias=${alias%*_}
+        if [ -n "$FIXOLD" ]; then
+            echo "-${alias}"
+            echo "-${alias}_pem"
+        fi
+        echo "+${filename}"
+    done | \
+    java -Xmx64m -jar $JAR -storepass "$storepass"
+    echo "done."
+}
+
+do_cleanup()
+{
+    [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
+    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
+    then
+        rm -f $nssjdk/libnss3.so
+    fi
+}
+
+case "$1" in
+    configure)
+        if dpkg --compare-versions "$2" lt "20110912ubuntu6"; then
+            FIXOLD="true"
+            if [ -e /etc/ssl/certs/java/cacerts ]; then
+                cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
+            fi
+        fi
+
+        setup_path
+
+        if dpkg --compare-versions "$2" lt "20180516"; then
+            if [ -e /etc/ssl/certs/java/cacerts \
+                 -a "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then
+                check_proc
+                convert_pkcs12_keystore_to_jks
+            fi
+        fi
+
+        if [ -z "$2" -o -n "$FIXOLD" ]; then
+            check_proc
+            trap do_cleanup EXIT
+            first_install
+        fi
+        chmod 600 /etc/default/cacerts || true
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+#DEBHELPER#
+
+exit 0

debian/postrm

+#!/bin/sh
+
+set -e
+
+case "$1" in
+    purge)
+	rm -f /etc/ca-certificates/update.d/jks-keystore
+	rm -rf /etc/ssl/certs/java
+	rmdir /etc/ssl/certs 2>/dev/null || true
+	;;
+    remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+    	;;
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+	;;
+esac
+
+#DEBHELPER#
+
+exit 0
+
+

debian/rules

+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)
+	SUBSTVARS = -Vnss:Depends="libnss3 (>= 3.12.9+ckbi-1.82-0ubuntu3~)" \
+				-Vjre:Depends="openjdk-11-jre-headless"
+	nss_lib = libnss3
+else
+	SUBSTVARS = -Vnss:Depends="libnss3 (>= 3.12.10-2~)" \
+				-Vjre:Depends="openjdk-8-jre-headless"
+	nss_lib = libnss3
+endif
+
+JAVA_HOME := /usr/lib/jvm/default-java
+export JAVA_HOME
+OPTS := --no-javadoc --main=org.debian.security.UpdateCertificates --javacopts="-source 1.7 -target 1.7"
+CLASSPATH := /usr/share/java/junit4.jar
+export CLASSPATH
+
+do_junit = $(if $(findstring nocheck,$(DEB_BUILD_OPTIONS)),,yes)
+
+d = debian/ca-certificates-java
+
+build-arch: build
+build-indep: build
+build: build-stamp
+build-stamp:
+	dh_testdir
+	mkdir target
+	jh_build $(OPTS) target/ca-certificates-java.jar src/main/java
+ifeq ($(do_junit),yes)
+	jh_build --no-javadoc --javacopts="-source 1.7 -target 1.7 -cp target/ca-certificates-java.jar:${CLASSPATH}" \
+	         target/ca-certificates-java-tests.jar src/test/java
+	mkdir target/test-classes
+	cp -R src/test/resources/* target/test-classes
+	$(JAVA_HOME)/bin/java -cp /usr/share/java/junit4.jar:target/ca-certificates-java.jar:target/ca-certificates-java-tests.jar \
+	org.junit.runner.JUnitCore \
+	org.debian.security.UpdateCertificatesTest org.debian.security.KeyStoreHandlerTest
+endif
+	touch $@
+
+clean:
+	dh_testdir
+	dh_testroot
+	jh_build --clean
+	$(RM) -R build-stamp target
+	dh_clean
+	for f in debian/*.in; do \
+	  f2=$$(echo $$f | sed ';s/\.in$$//'); \
+	  rm -f $$f2; \
+	done
+
+install: build
+	dh_testdir
+	dh_testroot
+	dh_prep
+	dh_installdirs \
+		usr/share/ca-certificates-java \
+		etc/default \
+		etc/ssl/certs/java \
+		etc/ca-certificates/update.d
+	for f in debian/*.in; do \
+	  f2=$$(echo $$f | sed 's/\.in$$//'); \
+	  sed -e 's/@NSS_LIB@/$(nss_lib)/g' \
+	    $$f > $$f2; \
+	done
+	install -m755 debian/jks-keystore.hook \
+		$(d)/etc/ca-certificates/update.d/jks-keystore
+	install -m600 debian/default \
+		$(d)/etc/default/cacerts
+	dh_install target/ca-certificates-java.jar /usr/share/ca-certificates-java/
+
+# Build architecture-independent files here.
+binary-indep: build install
+	dh_testdir
+	dh_testroot
+	dh_installchangelogs 
+	dh_installdocs
+	dh_compress
+	dh_fixperms
+	dh_installdeb
+	dh_gencontrol -- $(SUBSTVARS)
+	dh_md5sums
+	dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install

debian/source/format

+3.0 (native)

pom.xml

+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>org.debian</groupId>
+  <artifactId>ca-certificates-java</artifactId>
+  <version>20160321</version>
+  <packaging>jar</packaging>
+  <name>ca-certificates-java</name>
+  <description>Common CA certificates</description>
+
+  <dependencies>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.11</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>2.1</version>
+        <configuration>
+          <source>1.7</source>
+          <target>1.7</target>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

src/main/java/org/debian/security/InvalidKeystorePasswordException.java

+/*
+ * Copyright (C) 2012 Damien Raude-Morvan <drazzib@debian.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+package org.debian.security;
+
+/**
+ * Unable to open keystore from provided location (might be an invalid password
+ * or IO error).
+ */
+public class InvalidKeystorePasswordException extends Exception {
+    private static final long serialVersionUID = 7004201816889107694L;
+
+    public InvalidKeystorePasswordException(String message, Exception e) {
+        super(message, e);
+    }
+}

src/main/java/org/debian/security/KeyStoreHandler.java

+/*
+ * Copyright (C) 2011 Torsten Werner <twerner@debian.org>
+ * Copyright (C) 2012 Damien Raude-Morvan <drazzib@debian.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+package org.debian.security;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+
+/**
+ * Handles read/write operations on a keystore.
+ */
+class KeyStoreHandler {
+
+    /** The path of the keystore */
+    private String filename;
+
+    /** The password of the keystore */
+    private char[] password;
+
+    private KeyStore ks;
+    
+    private CertificateFactory certFactory;
+
+    KeyStoreHandler(String filename, char[] password) throws GeneralSecurityException, IOException, InvalidKeystorePasswordException {
+        this.filename = filename;
+        this.password = password;
+        this.certFactory = CertificateFactory.getInstance("X.509");
+        
+        load();
+    }
+
+    /**
+     * Try to open an existing keystore or create an new one.
+     */
+    public void load() throws GeneralSecurityException, IOException, InvalidKeystorePasswordException {
+        KeyStore ks = KeyStore.getInstance("JKS");
+        File file = new File(filename);
+        FileInputStream in = null;
+        if (file.canRead()) {
+            in = new FileInputStream(file);
+        }
+        try {
+            ks.load(in, password);
+        } catch (IOException e) {
+            throw new InvalidKeystorePasswordException("Cannot open Java keystore. Is the password correct?", e);
+        } finally {
+            if (in != null) {
+                in.close();
+            }
+        }
+        this.ks = ks;
+    }
+
+    /**
+     * Write actual keystore content to disk.
+     */
+    public void save() throws GeneralSecurityException, UnableToSaveKeystoreException {
+        try {
+            FileOutputStream certOutputFile = new FileOutputStream(filename);
+            ks.store(certOutputFile, password);
+            certOutputFile.close();
+        } catch (IOException e) {
+            throw new UnableToSaveKeystoreException("There was a problem saving the new Java keystore.", e);
+        }
+    }
+
+    /**
+     * Add or replace existing cert in keystore with given alias.
+     */
+    public void addAlias(String alias, String path) throws KeyStoreException {
+        Certificate cert = loadCertificate(path);
+        if (cert == null) {
+            return;
+        }
+        addAlias(alias, cert);
+    }
+    
+    /**
+     * Add or replace existing cert in keystore with given alias.
+     */
+    public void addAlias(String alias, Certificate cert) throws KeyStoreException {
+        if (contains(alias)) {
+            System.out.println("Replacing " + alias);
+            ks.deleteEntry(alias);
+        } else {
+            System.out.println("Adding " + alias);
+        }
+        ks.setCertificateEntry(alias, cert);
+    }
+
+    /**
+     * Delete cert in keystore at given alias.
+     */
+    public void deleteAlias(String alias) throws GeneralSecurityException {
+        if (contains(alias)) {
+            System.out.println("Removing " + alias);
+            ks.deleteEntry(alias);
+        }
+    }
+
+    /**
+     * Returns true when alias exist in keystore.
+     */
+    public boolean contains(String alias) throws KeyStoreException {
+        return ks.containsAlias(alias);
+    }
+
+    /**
+     * Try to load a certificate instance from given path.
+     */
+    private Certificate loadCertificate(String path) {
+        Certificate certificate = null;
+        try {
+            FileInputStream in = new FileInputStream(path);
+            certificate = certFactory.generateCertificate(in);
+            in.close();
+        } catch (Exception e) {
+            System.err.println("Warning: there was a problem reading the certificate file " +
+                    path + ". Message:\n  " + e.getMessage());
+        }
+        return certificate;
+    }
+}

src/main/java/org/debian/security/UnableToSaveKeystoreException.java

+/*
+ * Copyright (C) 2012 Damien Raude-Morvan <drazzib@debian.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+package org.debian.security;
+
+/**
+ * Unable to save keystore to provided location.
+ */
+public class UnableToSaveKeystoreException extends Exception {
+    private static final long serialVersionUID = 3632154306237688490L;
+
+    public UnableToSaveKeystoreException(String message, Exception e) {
+        super(message, e);
+    }
+}

src/main/java/org/debian/security/UnknownInputException.java

+/*
+ * Copyright (C) 2012 Damien Raude-Morvan <drazzib@debian.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+package org.debian.security;
+
+/**
+ * Data send in stdin is invalid (neither "+" or "-" command).
+ */
+public class UnknownInputException extends Exception {
+    private static final long serialVersionUID = 5698253678856993527L;
+
+    public UnknownInputException(String message) {
+        super(message);
+    }
+}

src/main/java/org/debian/security/UpdateCertificates.java

+/*
+ * Copyright (C) 2011 Torsten Werner <twerner@debian.org>
+ * Copyright (C) 2012 Damien Raude-Morvan <drazzib@debian.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+package org.debian.security;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.security.GeneralSecurityException;
+import java.security.cert.Certificate;
+
+/**
+ * This code is a re-implementation of the idea from Ludwig Nussel found in
+ * https://github.com/openSUSE/ca-certificates/blob/41917f5a/keystore.java
+ * for the Debian operating system. It updates the global JVM keystore.
+ *
+ * @author Torsten Werner
+ * @author Damien Raude-Morvan
+ */
+public class UpdateCertificates {
+
+    private KeyStoreHandler keystore;
+
+    public static void main(String[] args) throws IOException, GeneralSecurityException {
+        String passwordString = "changeit";
+        if (args.length == 2 && args[0].equals("-storepass")) {
+            passwordString = args[1];
+        } else if (args.length > 0) {
+            System.err.println("Usage: java org.debian.security.UpdateCertificates [-storepass <password>]");
+            System.exit(1);
+        }
+
+        try {
+            UpdateCertificates uc = new UpdateCertificates("/etc/ssl/certs/java/cacerts", passwordString);
+            // Force reading of inputstream in UTF-8
+            uc.processChanges(new InputStreamReader(System.in, "UTF8"));
+            uc.finish();
+        } catch (InvalidKeystorePasswordException e) {
+            e.printStackTrace(System.err);
+            System.exit(1);
+        } catch (UnableToSaveKeystoreException e) {
+            e.printStackTrace(System.err);
+            System.exit(1);
+        }
+    }
+
+    public UpdateCertificates(String keystoreFile, String password) throws IOException, GeneralSecurityException, InvalidKeystorePasswordException {
+        this.keystore = new KeyStoreHandler(keystoreFile, password.toCharArray());
+    }
+
+    /**
+     * Until reader EOF, try to read changes and send each to {@link #parseLine(String)}.
+     */
+    protected void processChanges(Reader reader) throws IOException, GeneralSecurityException {
+        String line;
+        BufferedReader in = new BufferedReader(reader);
+        while ((line = in.readLine()) != null) {
+            try {
+                parseLine(line);
+            } catch (UnknownInputException e) {
+                System.err.println("Unknown input: " + line);
+                // Keep processing for others lines
+            }
+        }
+    }
+
+    /**
+     * Parse given line to choose between {@link #addAlias(String, Certificate)}
+     * or {@link #deleteAlias(String)}.
+     */
+    protected void parseLine(final String line) throws GeneralSecurityException, IOException, UnknownInputException {
+        String path = line.substring(1);
+        String filename = path.substring(path.lastIndexOf("/") + 1);
+        String alias = "debian:" + filename;
+        if (line.startsWith("+")) {
+            keystore.addAlias(alias, path);
+        } else if (line.startsWith("-")) {
+            keystore.deleteAlias(alias);
+            // Remove old non-prefixed aliases, too. This code should be
+            // removed after the release of Wheezy.
+            keystore.deleteAlias(filename);
+        } else {
+            throw new UnknownInputException(line);
+        }
+    }
+
+    /**
+     * Write the pending changes to the keystore file.
+     */
+    protected void finish() throws GeneralSecurityException, UnableToSaveKeystoreException {
+        keystore.save();
+    }
+}

src/test/java/org/debian/security/KeyStoreHandlerTest.java

+/*
+ * Copyright (C) 2012 Damien Raude-Morvan <drazzib@debian.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+package org.debian.security;
+
+import java.io.File;
+
+import org.junit.Test;
+
+import static org.junit.Assert.*;
+
+/**
+ * @author Emmanuel Bourg
+ * @version $Revision$, $Date$
+ */
+public class KeyStoreHandlerTest {
+
+    private String ksFilename = "./target/test-classes/tests-cacerts";
+    private char[] ksPassword = "changeit".toCharArray();
+
+    /**
+     * Test a simple open then write without any modification.
+     */
+    @Test
+    public void testNoop() throws Exception {
+        KeyStoreHandler keystore = new KeyStoreHandler(ksFilename, ksPassword);
+        keystore.save();
+    }
+
+    /**
+     * Test a to open a keystore and write without any modification
+     * and then try to open it again with wrong password : will throw a
+     * InvalidKeystorePassword
+     */
+    @Test
+    public void testWriteThenOpenWrongPwd() throws Exception {
+        try {
+            KeyStoreHandler keystore = new KeyStoreHandler(ksFilename, ksPassword);
+            keystore.save();
+        } catch (InvalidKeystorePasswordException e) {
+            fail();
+        }
+
+        try {
+            KeyStoreHandler keystore = new KeyStoreHandler(ksFilename, "wrongpassword".toCharArray());
+            fail();
+            keystore.save();
+        } catch (InvalidKeystorePasswordException e) {
+            assertEquals("Cannot open Java keystore. Is the password correct?", e.getMessage());
+        }
+    }
+
+    /**
+     * Test a to open a keystore then remove its backing File (and replace it
+     * with a directory with the same name) and try to write in to disk :
+     * will throw an UnableToSaveKeystore
+     */
+    @Test
+    public void testDeleteThenWrite() throws Exception {
+        try {
+            KeyStoreHandler keystore = new KeyStoreHandler(ksFilename, ksPassword);
+
+            // Replace actual file by a directory !
+            File file = new File(ksFilename);
+            file.delete();
+            file.mkdir();
+
+            // Will fail with some IOException
+            keystore.save();
+            fail();
+        } catch (UnableToSaveKeystoreException e) {
+            assertEquals("There was a problem saving the new Java keystore.", e.getMessage());
+        }
+    }
+}