NetBSD Problem Report #55758

From www@netbsd.org  Tue Oct 27 19:31:17 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id B89C81A9239
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 27 Oct 2020 19:31:17 +0000 (UTC)
Message-Id: <20201027193116.3B03B1A923A@mollari.NetBSD.org>
Date: Tue, 27 Oct 2020 19:31:16 +0000 (UTC)
From: ts1000@rad2know.net
Reply-To: ts1000@rad2know.net
To: gnats-bugs@NetBSD.org
Subject: OpenJDK11 does not work after installation
X-Send-Pr-Version: www-1.0

>Number:         55758
>Category:       pkg
>Synopsis:       OpenJDK11 does not work after installation
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Oct 27 19:35:00 +0000 2020
>Last-Modified:  Mon Jul 19 02:00:02 +0000 2021
>Originator:     ts1000
>Release:        NetBSD 9.1 amd64.   OpenJDK build 11.0.8-internal+0-adhoc.pkgsrc.openjdk-jdk11u-jdk-11.0.8-10-1
>Organization:
>Environment:
NetBSD nbsd1 9.1 NetBSD 9.1 (GENERIC) #0: Sun Oct 18 19:24:30 UTC 2020  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64

---
nbsd1$ java --version
openjdk 11.0.8-internal 2020-07-14
OpenJDK Runtime Environment (build 11.0.8-internal+0-adhoc.pkgsrc.openjdk-jdk11u-jdk-11.0.8-10-1)
OpenJDK 64-Bit Server VM (build 11.0.8-internal+0-adhoc.pkgsrc.openjdk-jdk11u-jdk-11.0.8-10-1, mixed mode)
nbsd1$
>Description:
I have mentioned this problem on the netbsd-users mailing list:

https://mail-index.netbsd.org/netbsd-users/2020/10/25/msg025957.html


Any Java code that relies on HTTPS will cause this error, because the OpenJDK distribution does not include (or does not correctly point to) certificates.


In my specific case I am just running gradlew (a wrapper to build a Gradle-based project):


$ gradlew

Downloading https://services.gradle.org/distributions/gradle-6.5.1-all.zip

Exception in thread "main" javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
        at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1576)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:453)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
        at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
        at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1592)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
        at org.gradle.wrapper.Download.downloadInternal(Download.java:67)
        at org.gradle.wrapper.Download.download(Download.java:52)
        at org.gradle.wrapper.Install$1.call(Install.java:62)
        at org.gradle.wrapper.Install$1.call(Install.java:48)
        at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:69)
        at org.gradle.wrapper.Install.createDist(Install.java:48)
        at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:107)
        at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:62)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
        at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
        at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:300)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:189)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1403)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
        ... 14 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
        at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:99)
        ... 30 more
>How-To-Repeat:
pkgin install openjdk11

then run any Java project (Maven- or Gradle-based) that requires a download of external packages

>Fix:

>Audit-Trail:
From: ts1000 <ts1000@rad2know.net>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/55758: OpenJDK11 does not work after installation
Date: Fri, 30 Oct 2020 02:18:33 +0000


 I had found a cacerts file in the openjdk directory and it seems to contain 
 entries (see below), but it is not clear what I need to do so that Gradle 
 and anything else that's trying to use HTTPS in OpenJDK 11 would work.

 ---

 nbsd1# pwd
 /usr/pkg/java/openjdk11/lib/security
 nbsd1# keytool -list -keystore cacerts  -storepass changeit | more
 Warning: use -cacerts option to access cacerts keystore
 Keystore type: PKCS12
 Keystore provider: SUN

 Your keystore contains 146 entries




From: ts1000 <ts1000@rad2know.net>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/55758: OpenJDK11 does not work after installation
Date: Sun, 01 Nov 2020 16:26:49 -0500

 I found a workaround:


 -- script start --
 # ts1000: workaround to fix cacert store for OpenJDK 11 on NetBSD 9.1
 # this workaround just reimports existing certificates in $JAVA_HOME/lib/security/cacerts
 # into a JKS format store, and then just replaces the cacerts with the JKS version

 # must be done as root
 # also assuming keytool is in the $PATH
 # that is:  we have export JAVA_HOME=/usr/pkg/java/openjdk11
 # and export PATH=${PATH}:${JAVA_HOME}/bin

 cd /usr/pkg/java/openjdk11/lib/security
 # convert the PKCS12 cacerts into cacerts.jks; "changeit" is the stock store password
 # (the destination path and -deststoretype below follow the ln -s line and the JKS
 #  comment above; the keytool line in the PR as archived was cut off)
 keytool -importkeystore -srckeystore /usr/pkg/java/openjdk11/lib/security/cacerts \
     -destkeystore /usr/pkg/java/openjdk11/lib/security/cacerts.jks -deststoretype JKS \
     -srcstorepass changeit -deststorepass changeit
 # keep the original store, then point cacerts at the JKS copy
 mv cacerts cacerts.org
 ln -s cacerts.jks cacerts
 -- script end --

 A similar problem existed with Docker, so I picked up a solution from there:

 https://github.com/docker-library/openjdk/pull/263/files
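The check that both the original report and the workaround above call for, as an added diagnostic that is not part of the PR, pkgsrc or OpenJDK: it loads the JDK's default trust store the same way the TLS stack does and reports how many trust anchors it yields, which is zero in the failing state described in the report. It assumes the stock "changeit" store password shown earlier in the thread and the cacerts path under java.home; running it before and after the keytool conversion shows whether the workaround took effect.

```java
// CacertsCheck.java: added diagnostic, not part of the PR, pkgsrc or OpenJDK.
// Loads the JDK's default trust store the way the TLS stack does and reports
// how many trust anchors it yields; zero anchors is exactly the condition
// behind "the trustAnchors parameter must be non-empty".
import java.io.FileInputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CacertsCheck {
    /** CA certificates visible through the default TrustManagerFactory (null = cacerts). */
    static int defaultAnchorCount() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // same lookup SSLContext uses: javax.net.ssl.trustStore or lib/security/cacerts
        int count = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                count += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return count;
    }

    /** Opens the cacerts file directly and reports the detected store type and entry count. */
    static String describeStore(Path cacerts, char[] password) throws Exception {
        // The default type on JDK 11 is PKCS12; the PKCS12 provider also reads JKS files.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts.toFile())) {
            ks.load(in, password);
        }
        return ks.getType() + " with " + ks.size() + " entries";
    }

    public static void main(String[] args) throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        // "changeit" is the stock cacerts password (assumed; it is what the PR passes to keytool)
        System.out.println(cacerts + ": " + describeStore(cacerts, "changeit".toCharArray()));
        int anchors = defaultAnchorCount();
        System.out.println("trust anchors visible to the TLS stack: " + anchors);
        if (anchors == 0) {
            System.out.println("FAIL: HTTPS handshakes will throw InvalidAlgorithmParameterException");
            System.exit(1);
        }
    }
}
```

Compile and run it with the affected JDK (`javac CacertsCheck.java && java CacertsCheck`); a non-zero exit with the FAIL line reproduces the report's condition without needing Gradle or network access.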

From: David Holland <dholland-pbugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/55758: OpenJDK11 does not work after installation
Date: Mon, 19 Jul 2021 01:57:55 +0000

 On Tue, Oct 27, 2020 at 07:35:00PM +0000, ts1000@rad2know.net wrote:
  > Any java code that relies on https will cause this error. Because
  > OpenJDK distribution does not include (or does not correctly point
  > to) certificates

 In general the proper solution is the security/mozilla-rootcerts
 package, and openjdk should probably be fixed to depend on and point
 at those.

 -- 
 David A. Holland
 dholland@netbsd.org
