File: //var/lib/dpkg/info/ca-certificates-java.postinst
#!/bin/bash
set -e
# use the locale C.UTF-8
unset LC_ALL
LC_CTYPE=C.UTF-8
export LC_CTYPE
storepass='changeit'
if [ -f /etc/default/cacerts ]; then
. /etc/default/cacerts
fi
arch=`dpkg --print-architecture`
JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar
nsslib_name()
{
if dpkg --assert-multi-arch 2>/dev/null; then
echo "libnss3:${arch}"
else
echo "libnss3"
fi
}
setup_path()
{
for version in 8 9 10 11 12 13 14 15 16 17 18 19 20 21 ; do
for jvm in \
java-${version}-openjdk-${arch} \
java-${version}-openjdk \
oracle-java${version}-jre-${arch} \
oracle-java${version}-server-jre-${arch} \
oracle-java${version}-jdk-${arch}
do
if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
export JAVA_HOME=/usr/lib/jvm/$jvm
PATH=$JAVA_HOME/bin:$PATH
# copy java.security to allow import to function
security_conf=/etc/java-${version}-openjdk/security
if [ -f ${security_conf}/java.security.dpkg-new ] \
&& [ ! -f ${security_conf}/java.security ]; then
cp ${security_conf}/java.security.dpkg-new \
${security_conf}/java.security
fi
break 2
fi
done
done
if ! which java >/dev/null; then
echo "No JRE found. Skipping Java certificates setup."
exit 0
fi
}
check_proc()
{
if ! mountpoint -q /proc; then
echo >&2 "the keytool command requires a mounted proc fs (/proc)."
exit 1
fi
}
convert_pkcs12_keystore_to_jks()
{
if ! keytool -importkeystore \
-srckeystore /etc/ssl/certs/java/cacerts \
-destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
-srcstoretype PKCS12 \
-deststoretype JKS \
-srcstorepass "$storepass" \
-deststorepass "$storepass" \
-noprompt; then
echo "failed to convert PKCS12 keystore to JKS" >&2
exit 1
fi
# only update if /etc/default/cacerts allows
if [ "$cacerts_updates" = "yes" ]; then
mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts
fi
}
first_install()
{
if which dpkg-query >/dev/null; then
nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
nsscfg=/etc/${jvm%-$arch}/security/nss.cfg
nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' $nsscfg)
if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so
fi
fi
# Forcibly remove diginotar cert (LP: #920758)
if [ -n "$FIXOLD" ]; then
echo -e "-diginotar_root_ca\n-diginotar_root_ca_pem" | \
java -Xmx64m -jar $JAR -storepass "$storepass"
fi
find /etc/ssl/certs -name \*.pem | \
while read filename; do
alias=$(basename $filename .pem | tr A-Z a-z | tr -cs a-z0-9 _)
alias=${alias%*_}
if [ -n "$FIXOLD" ]; then
echo "-${alias}"
echo "-${alias}_pem"
fi
echo "+${filename}"
done | \
java -Xmx64m -jar $JAR -storepass "$storepass"
echo "done."
}
do_cleanup()
{
[ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
then
rm -f $nssjdk/libnss3.so
fi
}
case "$1" in
configure)
if dpkg --compare-versions "$2" lt "20110912ubuntu6"; then
FIXOLD="true"
if [ -e /etc/ssl/certs/java/cacerts ]; then
cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
fi
fi
setup_path
if dpkg --compare-versions "$2" lt "20180516"; then
if [ -e /etc/ssl/certs/java/cacerts \
-a "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then
check_proc
convert_pkcs12_keystore_to_jks
fi
fi
if [ -z "$2" -o -n "$FIXOLD" ]; then
check_proc
trap do_cleanup EXIT
first_install
fi
chmod 600 /etc/default/cacerts || true
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0