summaryrefslogtreecommitdiffstats
path: root/java/icedtea6/icedtea6-1.11.1-generate_cacerts-1.patch
blob: 0e3af9c9aead23033a8efb228cb9d37a899e657a (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
diff -urN icedtea6-1.10.4/acinclude.m4 icedtea6-mod/acinclude.m4
--- icedtea6-1.10.4/acinclude.m4	2011-07-11 16:43:43.361068652 -0500
+++ icedtea6-mod/acinclude.m4	2011-10-27 18:49:43.510729915 -0500
@@ -326,6 +326,91 @@
   AM_CONDITIONAL([SRC_DIR_HARDLINKABLE], test x"${it_cv_hardlink_src}" = "xyes")
 ])
 
+AC_DEFUN([IT_GENERATE_CACERTS],
+[
+  AC_MSG_CHECKING([whether to generate a cacerts file for distribution])
+  AC_ARG_ENABLE([cacerts],
+              [AS_HELP_STRING(--enable-cacerts, generate a cacerts file for distribution [[default=no]])],
+  [
+    case "${enableval}" in
+      no)
+        generate_cacerts=no
+        ;;
+      *)
+        generate_cacerts=yes
+        ;;
+    esac
+  ],
+  [
+    generate_cacerts=no
+  ])
+  AC_MSG_RESULT([$generate_cacerts])
+  AM_CONDITIONAL([GENERATE_CACERTS], test x"${generate_cacerts}" = "xyes")
+])
+
+AC_DEFUN([IT_GET_LOCAL_CACERTS],
+[
+  AC_MSG_CHECKING([for a local x509 certificate directory])
+  AC_ARG_WITH([ca-dir],
+              [AS_HELP_STRING(--with-ca-dir=DIR, specify a top-level local x509 certificate directory)],
+  [
+    if test -d "${withval}"; then
+      CADIR="${withval}"
+    fi
+  ],
+  [
+    CADIR=
+  ])
+  if test -z "${CADIR}"; then
+    for dir in /etc/pki/tls/certs \
+      /usr/share/ca-certificates \
+      /etc/ssl/certs \
+      /etc/certs ; do
+        if test -d "${dir}"; then
+          CADIR="${dir}"
+          break
+        fi
+    done
+    if test -z "${CADIR}"; then
+      CADIR=no
+    fi
+  fi
+  AC_MSG_RESULT(${CADIR})
+  AC_SUBST(CADIR)
+
+  AC_MSG_CHECKING([for a local x509 certificate file])
+  AC_ARG_WITH([ca-file],
+              [AS_HELP_STRING(--with-ca-file=FILE, specify a local x509 certificate file)],
+  [
+    if test -f "${withval}"; then
+      CAFILE="${withval}"
+    fi
+  ],
+  [
+    CAFILE=
+  ])
+  if test -z "${CAFILE}"; then
+    for file in /etc/pki/tls/certs/ca-bundle.crt \
+      /etc/ssl/certs/ca-bundle.crt \
+      /etc/ssl/ca-bundle.crt \
+      /etc/ca-bundle.crt ; do
+        if test -e "${file}"; then
+          CAFILE=$file
+          break
+        fi
+    done
+    if test -z "${CAFILE}"; then
+      CAFILE=no
+    fi
+  fi
+  AC_MSG_RESULT(${CAFILE})
+  AC_SUBST(CAFILE)
+  if test "${CADIR}x" = "nox" -a "${CAFILE}x" = "nox"; then
+    AC_MSG_WARN([Could not find a suitable x509 certificate store.])
+    AC_MSG_ERROR([Supply a valid location using --with-ca-dir or --with-ca-file, or remove the --enable-cacerts switch.])
+  fi
+])
+
 AC_DEFUN([IT_FIND_ECJ_JAR],
 [
   AC_MSG_CHECKING([for an ecj JAR file])
diff -urN icedtea6-1.10.4/configure.ac icedtea6-mod/configure.ac
--- icedtea6-1.10.4/configure.ac	2011-10-13 12:39:16.561204799 -0500
+++ icedtea6-mod/configure.ac	2011-10-27 18:51:27.674729852 -0500
@@ -138,6 +138,13 @@
   AC_MSG_RESULT([disabled by default (edit java.security to enable)])
 fi
 
+IT_GENERATE_CACERTS
+
+if test "x${generate_cacerts}" = "xyes"
+then
+  IT_GET_LOCAL_CACERTS
+fi
+
 IT_GET_PKGVERSION
 IT_GET_LSB_DATA
 
diff -urN icedtea6-1.10.4/Makefile.am icedtea6-mod/Makefile.am
--- icedtea6-1.10.4/Makefile.am	2011-10-13 11:27:35.063986484 -0500
+++ icedtea6-mod/Makefile.am	2011-10-27 18:58:37.188729584 -0500
@@ -1375,6 +1375,19 @@
 if ENABLE_JAMVM
 	printf -- '-jamvm ALIASED_TO -server\n' >> $(BUILD_JRE_ARCH_DIR)/jvm.cfg
 endif
+if GENERATE_CACERTS
+	if test -n "${CADIR}"; then \
+	  sh scripts/mkcacerts.sh -d "${CADIR}" \
+	    -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
+	    -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
+	else \
+	  sh scripts/mkcacerts.sh -f "${CAFILE}" \
+	    -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
+	    -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
+	fi; \
+	cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \
+	   $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts;
+endif
 	@echo "IcedTea is served:" $(BUILD_OUTPUT_DIR)
 	mkdir -p stamps
 	touch stamps/icedtea.stamp
@@ -1406,6 +1419,19 @@
 if ENABLE_JAMVM
 	printf -- '-jamvm ALIASED_TO -server\n' >> $(BUILD_DEBUG_JRE_ARCH_DIR)/jvm.cfg
 endif
+if GENERATE_CACERTS
+	if test -n "${CADIR}"; then \
+	  sh scripts/mkcacerts.sh -d "${CADIR}" \
+	    -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
+	    -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
+	else \
+	  sh scripts/mkcacerts.sh -f "${CAFILE}" \
+	    -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
+	    -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
+	fi; \
+	cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \
+	   $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts;
+endif
 	@echo "IcedTea (debug build) is served:" \
 	  $(DEBUG_BUILD_OUTPUT_DIR)
 	mkdir -p stamps
@@ -1456,7 +1482,7 @@
 	    $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \
 	fi
 	cp $(abs_top_builddir)/tapset/jstack.stp \
-	  $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp
+	  $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp;
 endif
 	touch stamps/add-systemtap.stamp
 
@@ -1482,7 +1508,7 @@
 	    $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \
 	fi
 	cp $(abs_top_builddir)/tapset/jstack.stp \
-	  $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp
+	  $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp;
 endif
 	touch stamps/add-systemtap-debug.stamp
 
diff -urN icedtea6-1.10.4/scripts/mkcacerts.sh icedtea6-mod/scripts/mkcacerts.sh
--- icedtea6-1.10.4/scripts/mkcacerts.sh	1969-12-31 18:00:00.000000000 -0600
+++ icedtea6-mod/scripts/mkcacerts.sh	2011-10-27 19:07:38.521729245 -0500
@@ -0,0 +1,154 @@
+#!/bin/sh
+# Simple script to extract x509 certificates and create a JRE cacerts file.
+
+function get_args()
+    {
+        if test -z "${1}" ; then
+            showhelp
+            exit 1
+        fi
+
+        while test -n "${1}" ; do
+            case "${1}" in
+                -f | --cafile)
+                    check_arg $1 $2
+                    CAFILE="${2}"
+                    shift 2
+                ;;
+                -d | --cadir)
+                    check_arg $1 $2
+                    CADIR="${2}"
+                    shift 2
+                ;;
+                -o | --outfile)
+                    check_arg $1 $2
+                    OUTFILE="${2}"
+                    shift 2
+                ;;
+                -k | --keytool)
+                    check_arg $1 $2
+                    KEYTOOL="${2}"
+                    shift 2
+                ;;
+                -h | --help)
+                     showhelp
+                     exit 0
+                ;;
+                *)
+                   showhelp
+                   exit 1
+                ;;
+            esac
+        done
+    }
+
+function check_arg()
+    {
+        echo "${2}" | grep -v "^-" > /dev/null
+        if [ -z "$?" -o ! -n "$2" ]; then
+            echo "Error:  $1 requires a valid argument."
+            exit 1
+        fi
+    }
+
+
+function showhelp()
+    {
+        echo "`basename ${0}` creates a valid cacerts file for use with IcedTea."
+        echo ""
+        echo "        -f  --cafile        The path to a file containing PEM formated CA"
+        echo "                            certificates.  May not be used with -d/--cadir."
+        echo "        -d  --cadir         The path to a diectory of PEM formatted CA"
+        echo "                            certificates.  May not be used with -f/--cafile."
+        echo "        -o  --outfile       The path to the output file."
+        echo ""
+        echo "        -k  --keytool       The path to the java keytool utility."
+        echo ""
+        echo "        -h  --help          Show this help message and exit."
+        echo ""
+        echo ""
+    }
+
+# Initialize empty variables so that the shell does not polute the script
+CAFILE=""
+CADIR=""
+OUTFILE=""
+KEYTOOL=""
+
+# Process command line arguments
+get_args ${@}
+
+# Handle common errors
+if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then
+    echo "ERROR!  You must provide an x509 certificate store!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then
+    echo "ERROR!  You cannot provide two x509 certificate stores!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${KEYTOOL}x" == "x" ; then
+    echo "ERROR!  You must provide a valid keytool program!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${OUTFILE}x" == "x" ; then
+    echo "ERROR!  You must provide a valid output file!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+# Get on with the work
+
+# If using a CAFILE, split it into individual files in a temp directory
+if test "${CAFILE}x" != "x" ; then
+    TEMPDIR=`mktemp -d`
+    CADIR="${TEMPDIR}"
+
+    # Get a list of staring lines for each cert
+    CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1`
+
+    # Get a list of ending lines for each cert
+    ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
+
+    # Start a loop
+    for certbegin in `echo "${CERTLIST}"` ; do
+        for certend in `echo "${ENDCERTLIST}"` ; do
+            if test "${certend}" -gt "${certbegin}"; then
+                break
+            fi
+        done
+        sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}"
+        keyhash=`openssl x509 -noout -in "${CADIR}/${certbegin}" -hash`
+        echo "Generated PEM file with hash:  ${keyhash}."
+        mv "${CADIR}/${certbegin}" "${CADIR}/${keyhash}.pem"
+    done
+fi
+
+# Write the output file
+for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"`
+do
+    ls "${cert}"
+    tempfile=`mktemp`
+    certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1`
+    certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1`
+    sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}"
+    echo yes | "${KEYTOOL}" -import -alias `basename "${cert}"` -keystore \
+                   "${OUTFILE}" -storepass 'changeit' -file "${tempfile}"
+    rm "${tempfile}"
+done
+
+if test "${TEMPDIR}x" != "x" ; then
+    rm -rf "${TEMPDIR}"
+fi
+exit 0
+