diff -urN icedtea6-1.10.4/acinclude.m4 icedtea6-mod/acinclude.m4
--- icedtea6-1.10.4/acinclude.m4 2011-07-11 16:43:43.361068652 -0500
+++ icedtea6-mod/acinclude.m4 2011-10-27 18:49:43.510729915 -0500
@@ -326,6 +326,91 @@
AM_CONDITIONAL([SRC_DIR_HARDLINKABLE], test x"${it_cv_hardlink_src}" = "xyes")
])
+AC_DEFUN([IT_GENERATE_CACERTS],
+[
+ AC_MSG_CHECKING([whether to generate a cacerts file for distribution])
+ AC_ARG_ENABLE([cacerts],
+ [AS_HELP_STRING(--enable-cacerts, generate a cacerts file for distribution [[default=no]])],
+ [
+ case "${enableval}" in
+ no)
+ generate_cacerts=no
+ ;;
+ *)
+ generate_cacerts=yes
+ ;;
+ esac
+ ],
+ [
+ generate_cacerts=no
+ ])
+ AC_MSG_RESULT([$generate_cacerts])
+ AM_CONDITIONAL([GENERATE_CACERTS], test x"${generate_cacerts}" = "xyes")
+])
+
+AC_DEFUN([IT_GET_LOCAL_CACERTS],
+[
+ AC_MSG_CHECKING([for a local x509 certificate directory])
+ AC_ARG_WITH([ca-dir],
+ [AS_HELP_STRING(--with-ca-dir=DIR, specify a top-level local x509 certificate directory)],
+ [
+ if test -d "${withval}"; then
+ CADIR="${withval}"
+ fi
+ ],
+ [
+ CADIR=
+ ])
+ if test -z "${CADIR}"; then
+ for dir in /etc/pki/tls/certs \
+ /usr/share/ca-certificates \
+ /etc/ssl/certs \
+ /etc/certs ; do
+ if test -d "${dir}"; then
+ CADIR="${dir}"
+ break
+ fi
+ done
+ if test -z "${CADIR}"; then
+ CADIR=no
+ fi
+ fi
+ AC_MSG_RESULT(${CADIR})
+ AC_SUBST(CADIR)
+
+ AC_MSG_CHECKING([for a local x509 certificate file])
+ AC_ARG_WITH([ca-file],
+ [AS_HELP_STRING(--with-ca-file=FILE, specify a local x509 certificate file)],
+ [
+ if test -f "${withval}"; then
+ CAFILE="${withval}"
+ fi
+ ],
+ [
+ CAFILE=
+ ])
+ if test -z "${CAFILE}"; then
+ for file in /etc/pki/tls/certs/ca-bundle.crt \
+ /etc/ssl/certs/ca-bundle.crt \
+ /etc/ssl/ca-bundle.crt \
+ /etc/ca-bundle.crt ; do
+ if test -e "${file}"; then
+ CAFILE=$file
+ break
+ fi
+ done
+ if test -z "${CAFILE}"; then
+ CAFILE=no
+ fi
+ fi
+ AC_MSG_RESULT(${CAFILE})
+ AC_SUBST(CAFILE)
+ if test "${CADIR}x" = "nox" -a "${CAFILE}x" = "nox"; then
+ AC_MSG_WARN([Could not find a suitable x509 certificate store.])
+ AC_MSG_ERROR([Supply a valid location using --with-ca-dir or --with-ca-file, or remove the --enable-cacerts switch.])
+ fi
+])
+
AC_DEFUN([IT_FIND_ECJ_JAR],
[
AC_MSG_CHECKING([for an ecj JAR file])
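Review bot: A `--with-ca-dir=DIR` whose DIR is not a directory is silently dropped at lines 35-37 and replaced by the autodetected system store, so a mistyped build flag changes which trust anchors ship without any configure failure; the same holds for `--with-ca-file` at lines 63-65. Add an else branch such as `AC_MSG_ERROR([--with-ca-dir: ${withval} is not a directory])` instead of falling through to the search loops. Minor: the file search at line 75 uses `test -e` while the explicit option at line 63 uses `test -f`, so a directory named `ca-bundle.crt` would be accepted as a file; use `-f` in both places, and pass the results as `AC_MSG_RESULT([${CADIR}])` / `AC_MSG_RESULT([${CAFILE}])`.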
diff -urN icedtea6-1.10.4/configure.ac icedtea6-mod/configure.ac
--- icedtea6-1.10.4/configure.ac 2011-10-13 12:39:16.561204799 -0500
+++ icedtea6-mod/configure.ac 2011-10-27 18:51:27.674729852 -0500
@@ -138,6 +138,13 @@
AC_MSG_RESULT([disabled by default (edit java.security to enable)])
fi
+IT_GENERATE_CACERTS
+
+if test "x${generate_cacerts}" = "xyes"
+then
+ IT_GET_LOCAL_CACERTS
+fi
+
IT_GET_PKGVERSION
IT_GET_LSB_DATA
diff -urN icedtea6-1.10.4/Makefile.am icedtea6-mod/Makefile.am
--- icedtea6-1.10.4/Makefile.am 2011-10-13 11:27:35.063986484 -0500
+++ icedtea6-mod/Makefile.am 2011-10-27 18:58:37.188729584 -0500
@@ -1375,6 +1375,19 @@
if ENABLE_JAMVM
printf -- '-jamvm ALIASED_TO -server\n' >> $(BUILD_JRE_ARCH_DIR)/jvm.cfg
endif
+if GENERATE_CACERTS
+ if test -n "${CADIR}"; then \
+ sh scripts/mkcacerts.sh -d "${CADIR}" \
+ -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
+ -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
+ else \
+ sh scripts/mkcacerts.sh -f "${CAFILE}" \
+ -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
+ -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
+ fi; \
+ cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \
+ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts;
+endif
@echo "IcedTea is served:" $(BUILD_OUTPUT_DIR)
mkdir -p stamps
touch stamps/icedtea.stamp
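Review bot: The `test -n "${CADIR}"` guard at line 118 (and again at line 138 in the debug recipe) is true for the literal value `no` that configure assigns when no directory is found, so a `--with-ca-file`-only configuration runs `mkcacerts.sh -d no` instead of the `-f` branch; compare with `if test "x${CADIR}" != "xno"; then \`. The exit status of both `sh scripts/mkcacerts.sh` invocations is also discarded — the recipe's status is that of the trailing `cp -f`, so a failed generation still passes and whatever `cacerts` already sits in the image, if any, is copied into the SDK image as the trust store; append `|| exit 1; \` to each `-o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts` line. The same two points apply to the hunk at lines 137-149.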
@@ -1406,6 +1419,19 @@
if ENABLE_JAMVM
printf -- '-jamvm ALIASED_TO -server\n' >> $(BUILD_DEBUG_JRE_ARCH_DIR)/jvm.cfg
endif
+if GENERATE_CACERTS
+ if test -n "${CADIR}"; then \
+ sh scripts/mkcacerts.sh -d "${CADIR}" \
+ -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
+ -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
+ else \
+ sh scripts/mkcacerts.sh -f "${CAFILE}" \
+ -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
+ -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
+ fi; \
+ cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \
+ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts;
+endif
@echo "IcedTea (debug build) is served:" \
$(DEBUG_BUILD_OUTPUT_DIR)
mkdir -p stamps
@@ -1456,7 +1482,7 @@
$(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \
fi
cp $(abs_top_builddir)/tapset/jstack.stp \
- $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp
+ $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp;
endif
touch stamps/add-systemtap.stamp
@@ -1482,7 +1508,7 @@
$(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \
fi
cp $(abs_top_builddir)/tapset/jstack.stp \
- $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp
+ $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp;
endif
touch stamps/add-systemtap-debug.stamp
diff -urN icedtea6-1.10.4/scripts/mkcacerts.sh icedtea6-mod/scripts/mkcacerts.sh
--- icedtea6-1.10.4/scripts/mkcacerts.sh 1969-12-31 18:00:00.000000000 -0600
+++ icedtea6-mod/scripts/mkcacerts.sh 2011-10-27 19:07:38.521729245 -0500
@@ -0,0 +1,154 @@
+#!/bin/sh
+# Simple script to extract x509 certificates and create a JRE cacerts file.
+
+function get_args()
+ {
+ if test -z "${1}" ; then
+ showhelp
+ exit 1
+ fi
+
+ while test -n "${1}" ; do
+ case "${1}" in
+ -f | --cafile)
+ check_arg $1 $2
+ CAFILE="${2}"
+ shift 2
+ ;;
+ -d | --cadir)
+ check_arg $1 $2
+ CADIR="${2}"
+ shift 2
+ ;;
+ -o | --outfile)
+ check_arg $1 $2
+ OUTFILE="${2}"
+ shift 2
+ ;;
+ -k | --keytool)
+ check_arg $1 $2
+ KEYTOOL="${2}"
+ shift 2
+ ;;
+ -h | --help)
+ showhelp
+ exit 0
+ ;;
+ *)
+ showhelp
+ exit 1
+ ;;
+ esac
+ done
+ }
+
+function check_arg()
+ {
+ echo "${2}" | grep -v "^-" > /dev/null
+ if [ -z "$?" -o ! -n "$2" ]; then
+ echo "Error: $1 requires a valid argument."
+ exit 1
+ fi
+ }
+
+
+function showhelp()
+ {
+ echo "`basename ${0}` creates a valid cacerts file for use with IcedTea."
+ echo ""
+ echo " -f --cafile The path to a file containing PEM formated CA"
+ echo " certificates. May not be used with -d/--cadir."
+ echo " -d --cadir The path to a diectory of PEM formatted CA"
+ echo " certificates. May not be used with -f/--cafile."
+ echo " -o --outfile The path to the output file."
+ echo ""
+ echo " -k --keytool The path to the java keytool utility."
+ echo ""
+ echo " -h --help Show this help message and exit."
+ echo ""
+ echo ""
+ }
+
+# Initialize empty variables so that the shell does not polute the script
+CAFILE=""
+CADIR=""
+OUTFILE=""
+KEYTOOL=""
+
+# Process command line arguments
+get_args ${@}
+
+# Handle common errors
+if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then
+ echo "ERROR! You must provide an x509 certificate store!"
+ echo "\'$(basename ${0}) --help\' for more info."
+ echo ""
+ exit 1
+fi
+
+if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then
+ echo "ERROR! You cannot provide two x509 certificate stores!"
+ echo "\'$(basename ${0}) --help\' for more info."
+ echo ""
+ exit 1
+fi
+
+if test "${KEYTOOL}x" == "x" ; then
+ echo "ERROR! You must provide a valid keytool program!"
+ echo "\'$(basename ${0}) --help\' for more info."
+ echo ""
+ exit 1
+fi
+
+if test "${OUTFILE}x" == "x" ; then
+ echo "ERROR! You must provide a valid output file!"
+ echo "\'$(basename ${0}) --help\' for more info."
+ echo ""
+ exit 1
+fi
+
+# Get on with the work
+
+# If using a CAFILE, split it into individual files in a temp directory
+if test "${CAFILE}x" != "x" ; then
+ TEMPDIR=`mktemp -d`
+ CADIR="${TEMPDIR}"
+
+ # Get a list of staring lines for each cert
+ CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1`
+
+ # Get a list of ending lines for each cert
+ ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
+
+ # Start a loop
+ for certbegin in `echo "${CERTLIST}"` ; do
+ for certend in `echo "${ENDCERTLIST}"` ; do
+ if test "${certend}" -gt "${certbegin}"; then
+ break
+ fi
+ done
+ sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}"
+ keyhash=`openssl x509 -noout -in "${CADIR}/${certbegin}" -hash`
+ echo "Generated PEM file with hash: ${keyhash}."
+ mv "${CADIR}/${certbegin}" "${CADIR}/${keyhash}.pem"
+ done
+fi
+
+# Write the output file
+for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"`
+do
+ ls "${cert}"
+ tempfile=`mktemp`
+ certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1`
+ certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1`
+ sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}"
+ echo yes | "${KEYTOOL}" -import -alias `basename "${cert}"` -keystore \
+ "${OUTFILE}" -storepass 'changeit' -file "${tempfile}"
+ rm "${tempfile}"
+done
+
+if test "${TEMPDIR}x" != "x" ; then
+ rm -rf "${TEMPDIR}"
+fi
+exit 0
+
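Review bot: A failed `keytool -import` at lines 317-318 is never detected — there is no `set -e`, the loop body ignores the exit status, and the script ends with an unconditional `exit 0` at line 325 — so a partially populated trust store is reported as success and the Makefile copies it into both images. Check the import status, clean up, and exit non-zero as below. In the `-f` path the split files are named by `openssl x509 -hash` (line 303), which is a subject-name hash, so two distinct CA certificates with the same subject overwrite one another at the `mv` on line 305; append a counter or use a fingerprint-derived name instead. The `function` keyword (lines 176, 217, 227) and `==` inside `test` (lines 254-275) are bash extensions that fail under a POSIX `#!/bin/sh`, and the unquoted `get_args ${@}` at line 251 breaks on paths containing spaces.
```shell
for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"`
do
    tempfile=`mktemp`
    # … unchanged: certbegin/certend extraction and sed into ${tempfile} …
    if ! echo yes | "${KEYTOOL}" -import -alias "$(basename "${cert}")" -keystore \
        "${OUTFILE}" -storepass 'changeit' -file "${tempfile}"; then
        echo "ERROR! keytool failed to import ${cert}" >&2
        rm -f "${tempfile}"
        test -n "${TEMPDIR}" && rm -rf "${TEMPDIR}"
        exit 1
    fi
    rm "${tempfile}"
done
```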