Submitted By: DJ Lucas Date: 2011-01-25 Initial Package Version: 1.9 Upstream Status: submitted Origin: self Description: Allows the build to generate a valid JDK cacerts file using the system installed CA certificates. Rediffed for 1.9.4. diff -Naurp icedtea6-1.9.4-orig//acinclude.m4 icedtea6-1.9.4//acinclude.m4 --- icedtea6-1.9.4-orig//acinclude.m4 2011-01-22 21:34:29.000000000 -0600 +++ icedtea6-1.9.4//acinclude.m4 2011-01-22 21:34:58.000000000 -0600 @@ -316,6 +316,91 @@ AC_DEFUN_ONCE([IT_CAN_HARDLINK_TO_SOURCE AM_CONDITIONAL([SRC_DIR_HARDLINKABLE], test x"${it_cv_hardlink_src}" = "xyes") ]) +AC_DEFUN([IT_GENERATE_CACERTS], +[ + AC_MSG_CHECKING([whether to generate a cacerts file for distribution]) + AC_ARG_ENABLE([cacerts], + [AS_HELP_STRING(--enable-cacerts, generate a cacerts file for distribution [[default=no]])], + [ + case "${enableval}" in + no) + generate_cacerts=no + ;; + *) + generate_cacerts=yes + ;; + esac + ], + [ + generate_cacerts=no + ]) + AC_MSG_RESULT([$generate_cacerts]) + AM_CONDITIONAL([GENERATE_CACERTS], test x"${generate_cacerts}" = "xyes") +]) + +AC_DEFUN([IT_GET_LOCAL_CACERTS], +[ + AC_MSG_CHECKING([for a local x509 certificate directory]) + AC_ARG_WITH([ca-dir], + [AS_HELP_STRING(--with-ca-dir=DIR, specify a top-level local x509 certificate directory)], + [ + if test -d "${withval}"; then + CADIR="${withval}" + fi + ], + [ + CADIR= + ]) + if test -z "${CADIR}"; then + for dir in /etc/pki/tls/certs \ + /usr/share/ca-certificates \ + /etc/ssl/certs \ + /etc/certs ; do + if test -d "${dir}"; then + CADIR="${dir}" + break + fi + done + if test -z "${CADIR}"; then + CADIR=no + fi + fi + AC_MSG_RESULT(${CADIR}) + AC_SUBST(CADIR) + + AC_MSG_CHECKING([for a local x509 certificate file]) + AC_ARG_WITH([ca-file], + [AS_HELP_STRING(--with-ca-file=FILE, specify a local x509 certificate file)], + [ + if test -f "${withval}"; then + CAFILE="${withval}" + fi + ], + [ + CAFILE= + ]) + if test -z "${CAFILE}"; then + for file in /etc/pki/tls/certs/ca-bundle.crt \ + /etc/ssl/certs/ca-bundle.crt \ + /etc/ssl/ca-bundle.crt \ + /etc/ca-bundle.crt ; do + if test -e "${file}"; then + CAFILE=$file + break + fi + done + if test -z "${CAFILE}"; then + CAFILE=no + fi + fi + AC_MSG_RESULT(${CAFILE}) + AC_SUBST(CAFILE) + if test "${CADIR}x" = "nox" -a "${CAFILE}x" = "nox"; then + AC_MSG_WARN([Could not find a suitable x509 certificate store.]) + AC_MSG_ERROR([Supply a valid location using --with-ca-dir or --with-ca-file, or remove the --enable-cacerts switch.]) + fi +]) + AC_DEFUN([FIND_ECJ_JAR], [ AC_MSG_CHECKING([for an ecj JAR file]) diff -Naurp icedtea6-1.9.4-orig//configure.ac icedtea6-1.9.4//configure.ac --- icedtea6-1.9.4-orig//configure.ac 2011-01-22 21:34:29.000000000 -0600 +++ icedtea6-1.9.4//configure.ac 2011-01-22 21:34:58.000000000 -0600 @@ -135,6 +135,13 @@ else AC_MSG_RESULT([disabled by default (edit java.security to enable)]) fi +IT_GENERATE_CACERTS + +if test "x${generate_cacerts}" = "xyes" +then + IT_GET_LOCAL_CACERTS +fi + IT_GET_PKGVERSION IT_GET_LSB_DATA diff -Naurp icedtea6-1.9.4-orig//Makefile.am icedtea6-1.9.4//Makefile.am --- icedtea6-1.9.4-orig//Makefile.am 2011-01-22 21:34:29.000000000 -0600 +++ icedtea6-1.9.4//Makefile.am 2011-01-22 21:34:58.000000000 -0600 @@ -1342,7 +1342,7 @@ if ENABLE_SYSTEMTAP $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \ fi; \ cp $(abs_top_builddir)/tapset/jstack.stp \ - $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp + $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp; endif cp $(abs_top_builddir)/nss.cfg \ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security; @@ -1350,6 +1350,19 @@ if WITH_TZDATA_DIR cp $(abs_top_builddir)/tz.properties \ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib; endif +if GENERATE_CACERTS + if test -n "${CADIR}"; then \ + sh scripts/mkcacerts.sh -d "${CADIR}" \ + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \ + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \ + else \ + sh scripts/mkcacerts.sh -f "${CAFILE}" \ + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \ + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \ + fi; \ + cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \ + $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts; +endif @echo "IcedTea is served:" $(BUILD_OUTPUT_DIR) mkdir -p stamps touch stamps/icedtea.stamp @@ -1406,7 +1419,7 @@ if ENABLE_SYSTEMTAP $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \ fi; \ cp $(abs_top_builddir)/tapset/jstack.stp \ - $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp + $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp; endif cp $(abs_top_builddir)/nss.cfg \ $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security; @@ -1414,6 +1427,19 @@ if WITH_TZDATA_DIR cp $(abs_top_builddir)/tz.properties \ $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib; endif +if GENERATE_CACERTS + if test -n "${CADIR}"; then \ + sh scripts/mkcacerts.sh -d "${CADIR}" \ + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \ + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \ + else \ + sh scripts/mkcacerts.sh -f "${CAFILE}" \ + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \ + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \ + fi; \ + cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \ + $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts; +endif @echo "IcedTea (debug build) is served:" \ $(DEBUG_BUILD_OUTPUT_DIR) mkdir -p stamps diff -Naurp icedtea6-1.9.4-orig//Makefile.in icedtea6-1.9.4//Makefile.in --- icedtea6-1.9.4-orig//Makefile.in 2011-01-22 21:34:29.000000000 -0600 +++ icedtea6-1.9.4//Makefile.in 2011-01-22 21:34:58.000000000 -0600 @@ -180,6 +180,8 @@ AWK = @AWK@ BUILD_ARCH_DIR = @BUILD_ARCH_DIR@ BUILD_OS_DIR = @BUILD_OS_DIR@ CACAO_IMPORT_PATH = @CACAO_IMPORT_PATH@ +CADIR = @CADIR@ +CAFILE = @CAFILE@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -1806,11 +1808,22 @@ stamps/icedtea.stamp: stamps/bootstrap-d @ENABLE_SYSTEMTAP_TRUE@ $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \ @ENABLE_SYSTEMTAP_TRUE@ fi; \ @ENABLE_SYSTEMTAP_TRUE@ cp $(abs_top_builddir)/tapset/jstack.stp \ -@ENABLE_SYSTEMTAP_TRUE@ $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp +@ENABLE_SYSTEMTAP_TRUE@ $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp; cp $(abs_top_builddir)/nss.cfg \ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security; @WITH_TZDATA_DIR_TRUE@ cp $(abs_top_builddir)/tz.properties \ @WITH_TZDATA_DIR_TRUE@ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib; +@GENERATE_CACERTS_TRUE@ if test -n "${CADIR}"; then \ +@GENERATE_CACERTS_TRUE@ sh scripts/mkcacerts.sh -d "${CADIR}" \ +@GENERATE_CACERTS_TRUE@ -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \ +@GENERATE_CACERTS_TRUE@ -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \ +@GENERATE_CACERTS_TRUE@ else \ +@GENERATE_CACERTS_TRUE@ sh scripts/mkcacerts.sh -f "${CAFILE}" \ +@GENERATE_CACERTS_TRUE@ -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \ +@GENERATE_CACERTS_TRUE@ -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \ +@GENERATE_CACERTS_TRUE@ fi; \ +@GENERATE_CACERTS_TRUE@ cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \ +@GENERATE_CACERTS_TRUE@ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts; @echo "IcedTea is served:" $(BUILD_OUTPUT_DIR) mkdir -p stamps touch stamps/icedtea.stamp @@ -1858,11 +1871,22 @@ stamps/icedtea-debug.stamp: stamps/boots @ENABLE_SYSTEMTAP_TRUE@ $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \ @ENABLE_SYSTEMTAP_TRUE@ fi; \ @ENABLE_SYSTEMTAP_TRUE@ cp $(abs_top_builddir)/tapset/jstack.stp \ -@ENABLE_SYSTEMTAP_TRUE@ $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp +@ENABLE_SYSTEMTAP_TRUE@ $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp; cp $(abs_top_builddir)/nss.cfg \ $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security; @WITH_TZDATA_DIR_TRUE@ cp $(abs_top_builddir)/tz.properties \ @WITH_TZDATA_DIR_TRUE@ $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib; +@GENERATE_CACERTS_TRUE@ if test -n "${CADIR}"; then \ +@GENERATE_CACERTS_TRUE@ sh scripts/mkcacerts.sh -d "${CADIR}" \ +@GENERATE_CACERTS_TRUE@ -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \ +@GENERATE_CACERTS_TRUE@ -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \ +@GENERATE_CACERTS_TRUE@ else \ +@GENERATE_CACERTS_TRUE@ sh scripts/mkcacerts.sh -f "${CAFILE}" \ +@GENERATE_CACERTS_TRUE@ -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \ +@GENERATE_CACERTS_TRUE@ -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \ +@GENERATE_CACERTS_TRUE@ fi; \ +@GENERATE_CACERTS_TRUE@ cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \ +@GENERATE_CACERTS_TRUE@ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts; @echo "IcedTea (debug build) is served:" \ $(DEBUG_BUILD_OUTPUT_DIR) mkdir -p stamps diff -Naurp icedtea6-1.9.4-orig//scripts/mkcacerts.sh icedtea6-1.9.4//scripts/mkcacerts.sh --- icedtea6-1.9.4-orig//scripts/mkcacerts.sh 1969-12-31 18:00:00.000000000 -0600 +++ icedtea6-1.9.4//scripts/mkcacerts.sh 2011-01-22 21:34:58.000000000 -0600 @@ -0,0 +1,154 @@ +#!/bin/sh +# Simple script to extract x509 certificates and create a JRE cacerts file. + +function get_args() + { + if test -z "${1}" ; then + showhelp + exit 1 + fi + + while test -n "${1}" ; do + case "${1}" in + -f | --cafile) + check_arg $1 $2 + CAFILE="${2}" + shift 2 + ;; + -d | --cadir) + check_arg $1 $2 + CADIR="${2}" + shift 2 + ;; + -o | --outfile) + check_arg $1 $2 + OUTFILE="${2}" + shift 2 + ;; + -k | --keytool) + check_arg $1 $2 + KEYTOOL="${2}" + shift 2 + ;; + -h | --help) + showhelp + exit 0 + ;; + *) + showhelp + exit 1 + ;; + esac + done + } + +function check_arg() + { + echo "${2}" | grep -v "^-" > /dev/null + if [ -z "$?" -o ! -n "$2" ]; then + echo "Error: $1 requires a valid argument." + exit 1 + fi + } + + +function showhelp() + { + echo "`basename ${0}` creates a valid cacerts file for use with IcedTea." + echo "" + echo " -f --cafile The path to a file containing PEM formated CA" + echo " certificates. May not be used with -d/--cadir." + echo " -d --cadir The path to a diectory of PEM formatted CA" + echo " certificates. May not be used with -f/--cafile." + echo " -o --outfile The path to the output file." + echo "" + echo " -k --keytool The path to the java keytool utility." + echo "" + echo " -h --help Show this help message and exit." + echo "" + echo "" + } + +# Initialize empty variables so that the shell does not polute the script +CAFILE="" +CADIR="" +OUTFILE="" +KEYTOOL="" + +# Process command line arguments +get_args ${@} + +# Handle common errors +if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then + echo "ERROR! You must provide an x509 certificate store!" + echo "\'$(basename ${0}) --help\' for more info." + echo "" + exit 1 +fi + +if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then + echo "ERROR! You cannot provide two x509 certificate stores!" + echo "\'$(basename ${0}) --help\' for more info." + echo "" + exit 1 +fi + +if test "${KEYTOOL}x" == "x" ; then + echo "ERROR! You must provide a valid keytool program!" + echo "\'$(basename ${0}) --help\' for more info." + echo "" + exit 1 +fi + +if test "${OUTFILE}x" == "x" ; then + echo "ERROR! You must provide a valid output file!" + echo "\'$(basename ${0}) --help\' for more info." + echo "" + exit 1 +fi + +# Get on with the work + +# If using a CAFILE, split it into individual files in a temp directory +if test "${CAFILE}x" != "x" ; then + TEMPDIR=`mktemp -d` + CADIR="${TEMPDIR}" + + # Get a list of staring lines for each cert + CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1` + + # Get a list of ending lines for each cert + ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1` + + # Start a loop + for certbegin in `echo "${CERTLIST}"` ; do + for certend in `echo "${ENDCERTLIST}"` ; do + if test "${certend}" -gt "${certbegin}"; then + break + fi + done + sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}" + keyhash=`openssl x509 -noout -in "${CADIR}/${certbegin}" -hash` + echo "Generated PEM file with hash: ${keyhash}." + mv "${CADIR}/${certbegin}" "${CADIR}/${keyhash}.pem" + done +fi + +# Write the output file +for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"` +do + ls "${cert}" + tempfile=`mktemp` + certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1` + certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1` + sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}" + echo yes | "${KEYTOOL}" -import -alias `basename "${cert}"` -keystore \ + "${OUTFILE}" -storepass 'changeit' -file "${tempfile}" + rm "${tempfile}" +done + +if test "${TEMPDIR}x" != "x" ; then + rm -rf "${TEMPDIR}" +fi +exit 0 +