diff -urN icedtea6-1.10.4/acinclude.m4 icedtea6-mod/acinclude.m4 --- icedtea6-1.10.4/acinclude.m4 2011-07-11 16:43:43.361068652 -0500 +++ icedtea6-mod/acinclude.m4 2011-10-27 18:49:43.510729915 -0500 @@ -326,6 +326,91 @@ AM_CONDITIONAL([SRC_DIR_HARDLINKABLE], test x"${it_cv_hardlink_src}" = "xyes") ]) +AC_DEFUN([IT_GENERATE_CACERTS], +[ + AC_MSG_CHECKING([whether to generate a cacerts file for distribution]) + AC_ARG_ENABLE([cacerts], + [AS_HELP_STRING(--enable-cacerts, generate a cacerts file for distribution [[default=no]])], + [ + case "${enableval}" in + no) + generate_cacerts=no + ;; + *) + generate_cacerts=yes + ;; + esac + ], + [ + generate_cacerts=no + ]) + AC_MSG_RESULT([$generate_cacerts]) + AM_CONDITIONAL([GENERATE_CACERTS], test x"${generate_cacerts}" = "xyes") +]) + +AC_DEFUN([IT_GET_LOCAL_CACERTS], +[ + AC_MSG_CHECKING([for a local x509 certificate directory]) + AC_ARG_WITH([ca-dir], + [AS_HELP_STRING(--with-ca-dir=DIR, specify a top-level local x509 certificate directory)], + [ + if test -d "${withval}"; then + CADIR="${withval}" + fi + ], + [ + CADIR= + ]) + if test -z "${CADIR}"; then + for dir in /etc/pki/tls/certs \ + /usr/share/ca-certificates \ + /etc/ssl/certs \ + /etc/certs ; do + if test -d "${dir}"; then + CADIR="${dir}" + break + fi + done + if test -z "${CADIR}"; then + CADIR=no + fi + fi + AC_MSG_RESULT(${CADIR}) + AC_SUBST(CADIR) + + AC_MSG_CHECKING([for a local x509 certificate file]) + AC_ARG_WITH([ca-file], + [AS_HELP_STRING(--with-ca-file=FILE, specify a local x509 certificate file)], + [ + if test -f "${withval}"; then + CAFILE="${withval}" + fi + ], + [ + CAFILE= + ]) + if test -z "${CAFILE}"; then + for file in /etc/pki/tls/certs/ca-bundle.crt \ + /etc/ssl/certs/ca-bundle.crt \ + /etc/ssl/ca-bundle.crt \ + /etc/ca-bundle.crt ; do + if test -e "${file}"; then + CAFILE=$file + break + fi + done + if test -z "${CAFILE}"; then + CAFILE=no + fi + fi + AC_MSG_RESULT(${CAFILE}) + AC_SUBST(CAFILE) + if test "${CADIR}x" = "nox" -a "${CAFILE}x" = "nox"; then + AC_MSG_WARN([Could not find a suitable x509 certificate store.]) + AC_MSG_ERROR([Supply a valid location using --with-ca-dir or --with-ca-file, or remove the --enable-cacerts switch.]) + fi +]) + AC_DEFUN([IT_FIND_ECJ_JAR], [ AC_MSG_CHECKING([for an ecj JAR file]) diff -urN icedtea6-1.10.4/configure.ac icedtea6-mod/configure.ac --- icedtea6-1.10.4/configure.ac 2011-10-13 12:39:16.561204799 -0500 +++ icedtea6-mod/configure.ac 2011-10-27 18:51:27.674729852 -0500 @@ -138,6 +138,13 @@ AC_MSG_RESULT([disabled by default (edit java.security to enable)]) fi +IT_GENERATE_CACERTS + +if test "x${generate_cacerts}" = "xyes" +then + IT_GET_LOCAL_CACERTS +fi + IT_GET_PKGVERSION IT_GET_LSB_DATA diff -urN icedtea6-1.10.4/Makefile.am icedtea6-mod/Makefile.am --- icedtea6-1.10.4/Makefile.am 2011-10-13 11:27:35.063986484 -0500 +++ icedtea6-mod/Makefile.am 2011-10-27 18:58:37.188729584 -0500 @@ -1375,6 +1375,19 @@ if ENABLE_JAMVM printf -- '-jamvm ALIASED_TO -server\n' >> $(BUILD_JRE_ARCH_DIR)/jvm.cfg endif +if GENERATE_CACERTS + if test -n "${CADIR}"; then \ + sh scripts/mkcacerts.sh -d "${CADIR}" \ + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \ + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \ + else \ + sh scripts/mkcacerts.sh -f "${CAFILE}" \ + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \ + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \ + fi; \ + cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \ + $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts; +endif @echo "IcedTea is served:" $(BUILD_OUTPUT_DIR) mkdir -p stamps touch stamps/icedtea.stamp @@ -1406,6 +1419,19 @@ if ENABLE_JAMVM printf -- '-jamvm ALIASED_TO -server\n' >> $(BUILD_DEBUG_JRE_ARCH_DIR)/jvm.cfg endif +if GENERATE_CACERTS + if test -n "${CADIR}"; then \ + sh scripts/mkcacerts.sh -d "${CADIR}" \ + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \ + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \ + else \ + sh scripts/mkcacerts.sh -f "${CAFILE}" \ + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \ + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \ + fi; \ + cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \ + $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts; +endif @echo "IcedTea (debug build) is served:" \ $(DEBUG_BUILD_OUTPUT_DIR) mkdir -p stamps @@ -1456,7 +1482,7 @@ $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \ fi cp $(abs_top_builddir)/tapset/jstack.stp \ - $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp + $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp; endif touch stamps/add-systemtap.stamp @@ -1482,7 +1508,7 @@ $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \ fi cp $(abs_top_builddir)/tapset/jstack.stp \ - $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp + $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp; endif touch stamps/add-systemtap-debug.stamp diff -urN icedtea6-1.10.4/scripts/mkcacerts.sh icedtea6-mod/scripts/mkcacerts.sh --- icedtea6-1.10.4/scripts/mkcacerts.sh 1969-12-31 18:00:00.000000000 -0600 +++ icedtea6-mod/scripts/mkcacerts.sh 2011-10-27 19:07:38.521729245 -0500 @@ -0,0 +1,154 @@ +#!/bin/sh +# Simple script to extract x509 certificates and create a JRE cacerts file. + +function get_args() + { + if test -z "${1}" ; then + showhelp + exit 1 + fi + + while test -n "${1}" ; do + case "${1}" in + -f | --cafile) + check_arg $1 $2 + CAFILE="${2}" + shift 2 + ;; + -d | --cadir) + check_arg $1 $2 + CADIR="${2}" + shift 2 + ;; + -o | --outfile) + check_arg $1 $2 + OUTFILE="${2}" + shift 2 + ;; + -k | --keytool) + check_arg $1 $2 + KEYTOOL="${2}" + shift 2 + ;; + -h | --help) + showhelp + exit 0 + ;; + *) + showhelp + exit 1 + ;; + esac + done + } + +function check_arg() + { + echo "${2}" | grep -v "^-" > /dev/null + if [ -z "$?" -o ! -n "$2" ]; then + echo "Error: $1 requires a valid argument." + exit 1 + fi + } + + +function showhelp() + { + echo "`basename ${0}` creates a valid cacerts file for use with IcedTea." + echo "" + echo " -f --cafile The path to a file containing PEM formated CA" + echo " certificates. May not be used with -d/--cadir." + echo " -d --cadir The path to a diectory of PEM formatted CA" + echo " certificates. May not be used with -f/--cafile." + echo " -o --outfile The path to the output file." + echo "" + echo " -k --keytool The path to the java keytool utility." + echo "" + echo " -h --help Show this help message and exit." + echo "" + echo "" + } + +# Initialize empty variables so that the shell does not polute the script +CAFILE="" +CADIR="" +OUTFILE="" +KEYTOOL="" + +# Process command line arguments +get_args ${@} + +# Handle common errors +if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then + echo "ERROR! You must provide an x509 certificate store!" + echo "\'$(basename ${0}) --help\' for more info." + echo "" + exit 1 +fi + +if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then + echo "ERROR! You cannot provide two x509 certificate stores!" + echo "\'$(basename ${0}) --help\' for more info." + echo "" + exit 1 +fi + +if test "${KEYTOOL}x" == "x" ; then + echo "ERROR! You must provide a valid keytool program!" + echo "\'$(basename ${0}) --help\' for more info." + echo "" + exit 1 +fi + +if test "${OUTFILE}x" == "x" ; then + echo "ERROR! You must provide a valid output file!" + echo "\'$(basename ${0}) --help\' for more info." + echo "" + exit 1 +fi + +# Get on with the work + +# If using a CAFILE, split it into individual files in a temp directory +if test "${CAFILE}x" != "x" ; then + TEMPDIR=`mktemp -d` + CADIR="${TEMPDIR}" + + # Get a list of staring lines for each cert + CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1` + + # Get a list of ending lines for each cert + ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1` + + # Start a loop + for certbegin in `echo "${CERTLIST}"` ; do + for certend in `echo "${ENDCERTLIST}"` ; do + if test "${certend}" -gt "${certbegin}"; then + break + fi + done + sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}" + keyhash=`openssl x509 -noout -in "${CADIR}/${certbegin}" -hash` + echo "Generated PEM file with hash: ${keyhash}." + mv "${CADIR}/${certbegin}" "${CADIR}/${keyhash}.pem" + done +fi + +# Write the output file +for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"` +do + ls "${cert}" + tempfile=`mktemp` + certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1` + certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1` + sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}" + echo yes | "${KEYTOOL}" -import -alias `basename "${cert}"` -keystore \ + "${OUTFILE}" -storepass 'changeit' -file "${tempfile}" + rm "${tempfile}" +done + +if test "${TEMPDIR}x" != "x" ; then + rm -rf "${TEMPDIR}" +fi +exit 0 +