File: //var/lib/dpkg/info/ca-certificates-java.postinst
#!/bin/sh
# postinst for ca-certificates-java: on "configure" and "triggered" it brings
# the Java trust store ($CACERTS) in line with the PEM symlinks found in
# $ETCCERTSDIR (see update_cacerts below).
# Stop at the first command that fails outside a condition.
set -e
# use the locale C.UTF-8
unset LC_ALL
LC_CTYPE=C.UTF-8
export LC_CTYPE
# Default keystore password. 'changeit' is the publicly known stock password
# of Java's cacerts file, so it gives no secrecy by itself; the trust store is
# protected by the file permissions on $CACERTS, not by this value.
# Set before the config file is sourced so that the file can override it.
storepass='changeit'
# Optional admin configuration, sourced (executed) in this shell.
# cacerts_updates and CACERT_UPDATES are read later but never assigned in this
# script, so presumably they come from this file or the environment.
# NOTE(review): every line of that file runs with the privileges of this
# script, so it has to be writable by root only.
if [ -f /etc/default/cacerts ]; then
    . /etc/default/cacerts
fi
# NOTE(review): arch is not referenced anywhere else in this listing.
arch=`dpkg --print-architecture`
# Fixed paths. They are assigned after the config file is sourced, so values
# the file sets for these names are overwritten here.
JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
CERTSDIR=/usr/share/ca-certificates
LOCALCERTSDIR=/usr/local/share/ca-certificates
ETCCERTSDIR=/etc/ssl/certs
CACERTS=$ETCCERTSDIR/java/cacerts
# Guard used before keytool is invoked: returns 0 when /proc is a mount
# point, otherwise prints a diagnostic on stderr and exits the script with 1.
check_proc()
{
    if mountpoint -q /proc; then
        return 0
    fi
    printf '%s\n' "the keytool command requires a mounted proc fs (/proc)." >&2
    exit 1
}
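# Convert the trust store at $CACERTS from PKCS12 to JKS.
# The converted store is written to $CACERTS.dpkg-new and, when
# cacerts_updates is "yes", swapped into place; the previous store is kept
# as $CACERTS.dpkg-old.
# Globals read: CACERTS, storepass, cacerts_updates
# Exits the script with 1 when keytool fails.
convert_pkcs12_keystore_to_jks()
{
    check_proc
    # keytool -importkeystore imports into a destination keystore that already
    # exists instead of starting from an empty one. Remove any leftover from an
    # earlier interrupted run so its entries cannot end up in the new trust
    # store.
    rm -f "${CACERTS}.dpkg-new"
    # NOTE(review): the store password is passed on the command line and is
    # therefore visible in the process list while keytool runs. With the stock
    # 'changeit' this discloses nothing, but a password overridden in
    # /etc/default/cacerts is exposed; keytool's ":env" / ":file" password
    # modifiers avoid that.
    if ! keytool -importkeystore \
                 -srckeystore "${CACERTS}" \
                 -destkeystore "${CACERTS}.dpkg-new" \
                 -srcstoretype PKCS12 \
                 -deststoretype JKS \
                 -srcstorepass "$storepass" \
                 -deststorepass "$storepass" \
                 -noprompt; then
        echo "failed to convert PKCS12 keystore to JKS" >&2
        exit 1
    fi
    # only update if /etc/default/cacerts allows
    if [ "$cacerts_updates" = "yes" ]; then
        mv -f "${CACERTS}" "${CACERTS}.dpkg-old"
        mv -f "${CACERTS}.dpkg-new" "${CACERTS}"
    fi
}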
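# Print, sorted and one per line, every *.pem symlink below $ETCCERTSDIR whose
# link target starts with "$CERTSDIR/" or "$LOCALCERTSDIR/".
# Globals read: ETCCERTSDIR, CERTSDIR, LOCALCERTSDIR
find_pem_files()
{
	# read -r and IFS= keep backslashes and surrounding blanks in a name intact.
	find "$ETCCERTSDIR" -type l -name '*.pem' | sort | while IFS= read -r symlink ; do
		# readlink prints the link text as stored; it is not canonicalised, so
		# ".." components are not resolved before the prefix is compared.
		case $(readlink "$symlink") in
			# The directory names are quoted (matched literally) and followed by
			# "/" so that a sibling directory which merely shares the prefix,
			# e.g. "<CERTSDIR>-something", is not accepted as a certificate
			# source for the trust store.
			"$CERTSDIR"/*|"$LOCALCERTSDIR"/*)
				printf '%s\n' "$symlink"
				;;
		esac
	done
}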
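# Bring the Java trust store in line with the system CA certificates.
#
# Globals read: cacerts_updates, CACERT_UPDATES, CACERTS, JAR, storepass
# State files in /var/lib/ca-certificates-java:
#   convert_pkcs12_keystore_to_jks  flag: convert the store to JKS first
#   fresh    flag requesting a full resync; rebuilt here into a change list
#   pending  change list used when no full resync was requested (it is not
#            written anywhere in this script)
# Change list lines are "-<alias>" for keystore aliases with no matching PEM
# symlink and "+<pem path>" for every PEM symlink; the list is fed to $JAR on
# stdin (presumably remove / add -- the jar is not part of this listing).
#
# Exits the whole script with 0 when updates are disabled or no usable java
# is available.
update_cacerts()
{
	if [ "$cacerts_updates" != "yes" ] || [ "$CACERT_UPDATES" = "disabled" ]; then
		echo "Updates of cacerts keystore are disabled."
		exit 0
	fi
	# command -v is the POSIX way to look a command up; which is an external
	# helper that is not guaranteed to be installed.
	if ! command -v java >/dev/null; then
		echo "No JRE found. Skipping Java certificates setup."
		exit 0
	fi
	if ! java -version 2> /dev/null; then
		echo "Unable to execute Java. Skipping Java certificates setup."
		exit 0
	fi
	if [ -f /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks ]; then
		convert_pkcs12_keystore_to_jks
		rm /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
	fi
	if [ -f /var/lib/ca-certificates-java/fresh ]; then
		# Truncate the flag file; it is refilled below with the change list.
		>/var/lib/ca-certificates-java/fresh
		pem_files=$(find_pem_files)
		if [ -f "$CACERTS" ]; then
			check_proc
			# Java 8 does not have -cacerts option.
			# Match the quoted version string (version "1.8...) instead of a bare
			# "1.8": as a regex the dot matches any character, so the bare form
			# can also hit unrelated parts of the version banner.
			if java -version 2>&1 | grep 'version "1\.8' > /dev/null ;
			then
				castore="-keystore ${CACERTS}"
			else
				castore="-cacerts"
			fi
			# ${castore} stays unquoted on purpose: it may hold an option plus
			# its argument and has to split into two words.
			# keytool is run outside a pipeline so that its failure is noticed.
			# If the listing fails the alias list is empty or incomplete and
			# aliases for certificates that are no longer in the system store
			# would stay trusted without any hint, hence the warning.
			# NOTE(review): -storepass on the command line is visible in the
			# process list while keytool runs.
			if ! keystore_listing=$(keytool ${castore} -storepass "$storepass" -list -rfc); then
				echo "warning: keytool could not list the Java keystore; aliases of removed certificates may stay in it" >&2
			fi
			cacerts_aliases=$(printf '%s\n' "$keystore_listing" | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
			# Lower-cased file names of the PEM symlinks, space separated, for
			# comparison with the aliases extracted above.
			etc_ssl_certs_aliases=$(for pem in $pem_files ; do printf '%s ' "$(basename "$pem" | tr 'A-Z' 'a-z')"; done)
			for alias in $cacerts_aliases ; do
				case " $etc_ssl_certs_aliases " in
					*" ${alias} "*)
						: # keep
						;;
					*)
						echo "-${alias}" >> /var/lib/ca-certificates-java/fresh
						;;
				esac
			done
		fi
		for pem in $pem_files ; do
			echo "+${pem}" >> /var/lib/ca-certificates-java/fresh
		done
	fi
	# NOTE(review): as with keytool, the store password reaches the jar through
	# its argument list.
	if [ -s /var/lib/ca-certificates-java/fresh ]; then
		java -Xmx64m -jar "$JAR" -storepass "$storepass" < /var/lib/ca-certificates-java/fresh
	elif [ -s /var/lib/ca-certificates-java/pending ]; then
		java -Xmx64m -jar "$JAR" -storepass "$storepass" < /var/lib/ca-certificates-java/pending
	fi
	echo "done."
	rm -f /var/lib/ca-certificates-java/fresh
	rm -f /var/lib/ca-certificates-java/pending
}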
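# "configure": $2 is the previously configured version and is empty on an
# initial install. dpkg's lt-nl treats an empty version as later than any
# version, so the lt-nl branches below run on upgrades only.
if [ "$1" = "configure" ]; then
	if dpkg --compare-versions "$2" lt-nl "20210218" ; then
		# clean up misplaced symlinks from ancient versions (#688415)
		if [ -L /libnss3.so ]; then
			rm -v /libnss3.so
		fi
		if [ -L /libsoftokn3.so ]; then
			rm -v /libsoftokn3.so
		fi
		# Restrict the config file to its owner, presumably because it can carry
		# the keystore password (storepass).
		# NOTE(review): this runs on upgrades from older versions only; on an
		# initial install the mode of an existing file is left as it is.
		if [ -f /etc/default/cacerts ]; then
			chmod 0600 /etc/default/cacerts
		fi
	fi
	if dpkg --compare-versions "$2" lt-nl "20180516"; then
		# A JKS keystore starts with the magic bytes FE ED FE ED; any other
		# header schedules a conversion to JKS.
		# printf with octal escapes is used because this is a /bin/sh script:
		# "echo -en '\x..'" is a bashism and does not produce these bytes in
		# shells such as dash, which made the comparison always differ there.
		if [ -e /etc/ssl/certs/java/cacerts ] && \
			[ "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(printf '\376\355\376\355')" ]; then
			touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
		fi
	fi
	# older versions may not have received all updates from ca-certificates
	if dpkg --compare-versions "$2" lt-nl "20210218" ; then
		touch /var/lib/ca-certificates-java/fresh
	fi
	# initial install
	if [ -z "$2" ]; then
		touch /var/lib/ca-certificates-java/fresh
	fi
	update_cacerts
fi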
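# "triggered": $2 is matched as a space-separated list of trigger names.
if [ "$1" = "triggered" ]; then
	# The "-fresh" trigger requests a full resync of the trust store.
	case " $2 " in
		*" update-ca-certificates-java-fresh "*)
			touch /var/lib/ca-certificates-java/fresh
			;;
	esac
	# A missing trust store is rebuilt from scratch as well.
	# $CACERTS is quoted so the test stays well-formed whatever the value.
	if [ ! -f "$CACERTS" ]; then
		touch /var/lib/ca-certificates-java/fresh
	fi
	update_cacerts
fi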