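#!/bin/bash
#
# postinst for the Java CA certificate store.
#
# Runs as root from dpkg. On "configure" it locates a JRE, converts an
# existing PKCS12 keystore to JKS when upgrading from versions older than
# 20180516, and on first install (or when upgrading from versions older than
# 20110912ubuntu6) feeds every *.pem under /etc/ssl/certs to the
# ca-certificates-java importer.
#
# Security notes for maintainers:
#   * /etc/default/cacerts is sourced below, so any shell code in it runs
#     with root privileges; its ownership and mode matter (see the chmod at
#     the end of the configure branch).
#   * The default store password 'changeit' is the well-known Java default
#     and offers no protection by itself. Integrity of the trust store
#     relies on filesystem permissions of /etc/ssl/certs/java/cacerts.
#   * The store password is passed in argv to keytool and java, so it is
#     visible in the process list while those commands run.
#     NOTE(review): keytool documents ":env"/":file" password modifiers;
#     confirm they cover -srcstorepass/-deststorepass before switching.

set -e

# use the locale C.UTF-8
unset LC_ALL
LC_CTYPE=C.UTF-8
export LC_CTYPE

storepass='changeit'
if [ -f /etc/default/cacerts ]; then
    # Executed as shell code; may override storepass and cacerts_updates.
    . /etc/default/cacerts
fi

arch=$(dpkg --print-architecture)
JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar

# Print the dpkg package name for libnss3, architecture-qualified when dpkg
# supports multi-arch.
nsslib_name() {
    if dpkg --assert-multi-arch 2>/dev/null; then
        echo "libnss3:${arch}"
    else
        echo "libnss3"
    fi
}

# Pick the first installed JVM from the known candidates, export JAVA_HOME
# and prepend its bin directory to PATH. Leaves the matching name in the
# global $jvm (read later by first_install). Exits 0 when no java is found.
setup_path() {
    for version in 8 9 10 11 12 13 14 15 16 17 18 19 20 21; do
        for jvm in \
            "java-${version}-openjdk-${arch}" \
            "java-${version}-openjdk" \
            "oracle-java${version}-jre-${arch}" \
            "oracle-java${version}-server-jre-${arch}" \
            "oracle-java${version}-jdk-${arch}"
        do
            if [ -x "/usr/lib/jvm/$jvm/bin/java" ]; then
                export JAVA_HOME="/usr/lib/jvm/$jvm"
                PATH="$JAVA_HOME/bin:$PATH"
                # copy java.security to allow import to function
                security_conf="/etc/java-${version}-openjdk/security"
                if [ -f "${security_conf}/java.security.dpkg-new" ] \
                    && [ ! -f "${security_conf}/java.security" ]; then
                    cp "${security_conf}/java.security.dpkg-new" \
                        "${security_conf}/java.security"
                fi
                break 2
            fi
        done
    done

    # command -v is the POSIX way to test for a program; `which` is an
    # external tool that may be absent or print deprecation warnings.
    if ! command -v java >/dev/null; then
        echo "No JRE found. Skipping Java certificates setup."
        exit 0
    fi
}

# Abort unless /proc is mounted; keytool needs it.
check_proc() {
    if ! mountpoint -q /proc; then
        echo >&2 "the keytool command requires a mounted proc fs (/proc)."
        exit 1
    fi
}

# Return 0 when the file named by $1 starts with the JKS magic FE ED FE ED.
# The bytes are compared as hex text so that NUL or other binary bytes in the
# header never pass through a shell variable.
is_jks_keystore() {
    local magic
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "feedfeed" ]
}

# Convert the existing PKCS12 trust store to JKS. The converted store is
# written to cacerts.dpkg-new and only swapped into place when
# /etc/default/cacerts sets cacerts_updates=yes; the previous store is kept
# as cacerts.dpkg-old.
convert_pkcs12_keystore_to_jks() {
    if ! keytool -importkeystore \
        -srckeystore /etc/ssl/certs/java/cacerts \
        -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
        -srcstoretype PKCS12 \
        -deststoretype JKS \
        -srcstorepass "$storepass" \
        -deststorepass "$storepass" \
        -noprompt; then
        echo "failed to convert PKCS12 keystore to JKS" >&2
        exit 1
    fi

    # only update if /etc/default/cacerts allows
    if [ "$cacerts_updates" = "yes" ]; then
        mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
        mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts
    fi
}

# Populate the Java trust store from /etc/ssl/certs.
# Globals read: jvm, arch, JAR, storepass, FIXOLD. Globals written: nsspkg,
# nssjdk (read again by do_cleanup).
first_install() {
    if command -v dpkg-query >/dev/null; then
        nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p' | head -n 1)
        nsscfg="/etc/${jvm%-"${arch}"}/security/nss.cfg"
        nssjdk=$(test ! -f "$nsscfg" || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' "$nsscfg")
        if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
            # Temporary link, removed again by do_cleanup. The target
            # directory comes from nss.cfg, so that file must be root-owned.
            ln -sf "$nsspkg/libnss3.so" "$nssjdk/libnss3.so"
        fi
    fi

    # Forcibly remove diginotar cert (LP: #920758)
    if [ -n "$FIXOLD" ]; then
        printf '%s\n' "-diginotar_root_ca" "-diginotar_root_ca_pem" |
            java -Xmx64m -jar "$JAR" -storepass "$storepass"
    fi

    # Every *.pem found here is handed to the importer with a "+" prefix, so
    # write access to /etc/ssl/certs is equivalent to control over which CAs
    # Java applications trust. IFS= and -r keep file names with backslashes
    # or surrounding whitespace intact.
    find /etc/ssl/certs -name '*.pem' |
        while IFS= read -r filename; do
            alias=$(basename "$filename" .pem | tr A-Z a-z | tr -cs a-z0-9 _)
            alias=${alias%*_}
            if [ -n "$FIXOLD" ]; then
                echo "-${alias}"
                echo "-${alias}_pem"
            fi
            echo "+${filename}"
        done |
        java -Xmx64m -jar "$JAR" -storepass "$storepass"
    echo "done."
}

# EXIT trap: remove the temporary JVM config (if one was recorded) and the
# libnss3.so link created by first_install.
do_cleanup() {
    [ -z "$temp_jvm_cfg" ] || rm -f -- "$temp_jvm_cfg"
    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
        rm -f -- "$nssjdk/libnss3.so"
    fi
}

case "$1" in
    configure)
        if dpkg --compare-versions "$2" lt "20110912ubuntu6"; then
            FIXOLD="true"
            if [ -e /etc/ssl/certs/java/cacerts ]; then
                cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
            fi
        fi

        setup_path

        if dpkg --compare-versions "$2" lt "20180516"; then
            # Two separate tests instead of the obsolescent, ambiguous
            # "[ a -a b ]" form.
            if [ -e /etc/ssl/certs/java/cacerts ] \
                && ! is_jks_keystore /etc/ssl/certs/java/cacerts; then
                check_proc
                convert_pkcs12_keystore_to_jks
            fi
        fi

        if [ -z "$2" ] || [ -n "$FIXOLD" ]; then
            check_proc
            trap do_cleanup EXIT
            first_install
        fi

        # Restrict the sourced config to root; presumably because it can
        # carry a non-default storepass. Best effort: the file may not exist.
        chmod 600 /etc/default/cacerts || true
        ;;

    abort-upgrade|abort-remove|abort-deconfigure)
        ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac

exit 0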