Date: Sunday, October 24, 2010 @ 09:34:03 Author: pierre Revision: 96730
upstream update Added: ca-certificates-java/trunk/jks-keystore.hook.patch Modified: ca-certificates-java/trunk/PKGBUILD ca-certificates-java/trunk/ca-certificates-java.install ca-certificates-java/trunk/init-jks-keystore ------------------------------+ PKGBUILD | 73 ++++++++++++++++++--------- ca-certificates-java.install | 19 ++----- init-jks-keystore | 107 ++++++++++++++++++++--------------------- jks-keystore.hook.patch | 44 ++++++++++++++++ 4 files changed, 153 insertions(+), 90 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2010-10-24 12:38:03 UTC (rev 96729)
+++ PKGBUILD 2010-10-24 13:34:03 UTC (rev 96730)
@@ -2,36 +2,59 @@
 # Maintainer: Jan de Groot <j...@archlinux.org>
 pkgname=ca-certificates-java
-pkgver=20090629
-pkgrel=2
+pkgver=20100412
+pkgrel=1
 pkgdesc='Common CA certificates (JKS keystore)'
-arch=(any)
+arch=('any')
 url='http://packages.qa.debian.org/c/ca-certificates-java.html'
 license=('GPL')
-depends=('ca-certificates')
-makedepends=('java-runtime')
-install=ca-certificates-java.install
-source=(jks-keystore.hook init-jks-keystore default)
-md5sums=('c7f271d9a2efbd5c2c00a1c0d66efa64'
- 'f253225bebcc9e9faa331d8e9fb39c1d'
- '0ded97abeff69c2362939e2e881e214a')
+depends=('ca-certificates' 'nss')
+makedepends=('openjdk6')
+install='ca-certificates-java.install'
+source=("http://ftp.debian.org/debian/pool/main/c/${pkgname}/${pkgname}_${pkgver}.tar.gz"
+ 'jks-keystore.hook.patch' 'init-jks-keystore')
+md5sums=('16a5d04148d17923a4d838214dd9b867'
+ 'e2009af18d0c61d067117ca982dee97f'
+ '82dcec93bb328ae68db33c8177fb3858')
 build() {
- cd "${srcdir}"
- install -d -m755 "${pkgdir}/etc/ca-certificates/update.d"
- install -d -m755 "${pkgdir}/etc/ssl/certs/java"
- install -d -m755 "${pkgdir}/etc/default"
- install -d -m755 "${pkgdir}/usr/share/ca-certificates-java"
- install -d -m755 "${pkgdir}/usr/sbin"
+ cd ${srcdir}
- install -m755 jks-keystore.hook "${pkgdir}/etc/ca-certificates/update.d/jks-keystore" || return 1
- install -m600 default "${pkgdir}/etc/default/cacerts" || return 1
- install -m755 init-jks-keystore "${pkgdir}/usr/sbin/" || return 1
+ patch -p0 -i ${srcdir}/jks-keystore.hook.patch ${pkgname}-${pkgver}/debian/jks-keystore.hook
- for crt in `find /usr/share/ca-certificates -name '*.crt' -printf '%P '`; do
- alias=`basename $crt .crt | tr A-Z a-z | tr -cs a-z0-9 _`
- alias=${alias%*_}
- echo "IMPORT: $crt, alias=$alias"
- keytool -importcert -trustcacerts -keystore "${pkgdir}/usr/share/ca-certificates-java/cacerts" -storepass 'changeit' -noprompt -alias "$alias" -file "/usr/share/ca-certificates/$crt" || continue
- done
+ mkdir build
+ cd build
+
+ for crt in $(find /usr/share/ca-certificates -name '*.crt' -printf '%P '); do
+ alias=$(basename $crt .crt | tr A-Z a-z | tr -cs a-z0-9 _)
+ alias=${alias%*_}
+ echo "IMPORT: $crt, alias=$alias"
+ if keytool -importcert -trustcacerts -keystore cacerts \
+ -storepass 'changeit' -noprompt \
+ -alias "$alias" -file "/usr/share/ca-certificates/$crt" > keytool.log 2>&1; then
+ cat keytool.log
+ elif keytool -importcert -trustcacerts -keystore cacerts \
+ -providerClass sun.security.pkcs11.SunPKCS11 \
+ -providerArg '/usr/lib/jvm/java-6-openjdk/jre/lib/security/nss.cfg' \
+ -storepass 'changeit' -noprompt \
+ -alias "$alias" -file "/usr/share/ca-certificates/$crt" > keytool.log 2>&1; then
+ cat keytool.log
+ elif grep -q 'Signature not available' keytool.log; then
+ echo "IGNORED IMPORT: $crt, alias=$alias"
+ cat keytool.log
+ else
+ cat keytool.log
+ false
+ fi
+ done
 }
+
+package() {
+ cd ${srcdir}/${pkgname}-${pkgver}
+
+ install -d -m755 ${pkgdir}/etc/ssl/certs/java
+ install -D -m755 debian/jks-keystore.hook ${pkgdir}/etc/ca-certificates/update.d/jks-keystore
+ install -D -m644 ${srcdir}/build/cacerts ${pkgdir}/usr/share/ca-certificates-java/cacerts
+ install -D -m600 debian/default ${pkgdir}/etc/default/cacerts
+ install -D -m755 ${srcdir}/init-jks-keystore ${pkgdir}/usr/sbin/init-jks-keystore
+}
\ No newline at end of file
Modified: ca-certificates-java.install
===================================================================
--- ca-certificates-java.install 2010-10-24 12:38:03 UTC (rev 96729)
+++ ca-certificates-java.install 2010-10-24 13:34:03 UTC (rev 96730)
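Review bot: The `false` at the end of the import loop's `else` branch does not abort `build()`: it only sets `$?` for that iteration, the `for` loop moves on, and the function's status is whatever the last iteration returned, so a certificate whose import fails for a reason other than "Signature not available" is silently missing from the shipped `cacerts` unless it happened to be the last one. The removed `|| return 1` guards suggest makepkg of this era does not run `build()` under `set -e`, so the new `patch -p0 …` and `mkdir build` lines are unchecked as well. Replace `false` with `return 1` and append `|| return 1` to the `patch` line. Separately, the upstream tarball is now fetched over plain http and verified only by `md5sums`; if this makepkg supports `sha256sums`, a package that ships trust anchors should use it.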
@@ -1,20 +1,15 @@
 post_install() {
- if [ ! -f /etc/ssl/certs/java/cacerts ]; then
- for jvm in /usr/lib/jvm/java-6-openjdk /opt/java/jre; do
- if [ -x $jvm/bin/keytool ]; then
- break
- fi
- done
- if [ -x $jvm/bin/keytool ]; then
- /usr/sbin/init-jks-keystore
- fi
- fi
+ if [ ! -f /etc/ssl/certs/java/cacerts ]; then
+ if [ -x /usr/lib/jvm/java-6-openjdk/bin/keytool ]; then
+ /usr/sbin/init-jks-keystore
+ fi
+ fi
 }
 post_upgrade() {
- post_install
+ post_install
 }
 post_remove() {
- rm -rf /etc/ssl/certs/java
+ rm -rf /etc/ssl/certs/java
 }
Modified: init-jks-keystore
===================================================================
--- init-jks-keystore 2010-10-24 12:38:03 UTC (rev 96729)
+++ init-jks-keystore 2010-10-24 13:34:03 UTC (rev 96730)
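Review bot: `post_install` now silently does nothing when `/usr/lib/jvm/java-6-openjdk/bin/keytool` is absent, and in this commit `openjdk6` is only a `makedepends` (`depends` lists `ca-certificates` and `nss`), so on a host without that JRE the system keystore is never created and nothing re-runs this once a JRE is installed later. At minimum add an `else` that tells the administrator what to do, e.g. `echo "keytool not found; run /usr/sbin/init-jks-keystore after installing openjdk6" >&2`, or make the JRE a hard dependency. `post_upgrade` also only creates a missing keystore: an existing `/etc/ssl/certs/java/cacerts` is left untouched on package upgrade, so entries marked `!` in `/etc/ca-certificates.conf` are not purged unless something else triggers the update.d hook — consider calling `/usr/sbin/init-jks-keystore` unconditionally there, since its reconcile loop only adds missing aliases and deletes `!`-marked ones.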
@@ -1,74 +1,75 @@ #!/bin/bash -for jvm in /usr/lib/jvm/java-6-openjdk /opt/java/jre; do - if [ -x $jvm/bin/keytool ]; then - break - fi -done -if [ ! -x $jvm/bin/keytool ]; then - echo "No supported JRE installed" - exit 1 -fi -export JAVA_HOME=$jvm -PATH=$JAVA_HOME/bin:$PATH KEYSTORE=/etc/ssl/certs/java/cacerts + storepass='changeit' if [ -f /etc/default/cacerts ]; then - . /etc/default/cacerts + . /etc/default/cacerts fi -echo "creating $KEYSTORE..." -cp /usr/share/ca-certificates-java/cacerts $KEYSTORE cacertdir=/usr/share/ca-certificates +log=$(mktemp) + +# aliases of pregenerated files pregenerated=$(mktemp) LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE -storepass "$storepass" \ - | awk -F, '/^Certificate fingerprint/ { print s } { s=$1 } ' \ - | sort > $pregenerated + | awk -F, '/^Certificate fingerprint/ { print s } { s=$1 } ' \ + | sort > $pregenerated grep -v -E '^ *$|^#' /etc/ca-certificates.conf | ( \ errors=0 -log=$(mktemp) while read line; do - pem=${line#!*} - alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _) - alias=${alias%*_} - case "$line" in - !*) - if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \ - -storepass "$storepass" -alias "$alias" > /dev/null - then - echo " removed untrusted certificate $pem" - fi - ;; - - *) - if [ ! -f "$cacertdir/$pem" ]; then - echo >&2 "warning: /etc/ca-certificates.conf lists $pem," - echo >&2 "warning: but $cacertdir/$pem does not exist." - continue - fi - if ! 
grep -q "^${alias}$" $pregenerated; then
- if LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
- -noprompt -storepass "$storepass" \
- -alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
- then
- echo " added certificate $pem $alias"
- elif grep -q 'Signature not available' $log; then
- echo " ignored import, signature not available: ${line#+*}"
- cat $log
- else
- echo >&2 " error adding ${line#+*}"
- errors=$(expr $errors + 1)
- fi
- fi
- esac
+ pem=${line#!*}
+ alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _)
+ alias=${alias%*_}
+ case "$line" in
+ !*)
+ # remove untrusted certificate
+ if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+ -storepass "$storepass" -alias "$alias" >/dev/null
+ then
+ echo " removed untrusted certificate $pem"
+ else
+ # not (anymore) in keystore
+ :
+ fi;;
+ *)
+ # add certificate not yet in keystore
+ if [ ! -f "$cacertdir/$pem" ]; then
+ echo >&2 "warning: /etc/ca-certificates.conf lists $pem,"
+ echo >&2 "warning: but $cacertdir/$pem does not exist."
+ continue
+ fi
+ if ! grep -q "^${alias}$" $pregenerated; then
+ if LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
+ -noprompt -storepass "$storepass" \
+ -alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
+ then
+ echo " added certificate $pem"
+ elif LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
+ -providerClass sun.security.pkcs11.SunPKCS11 \
+ -providerArg '/usr/lib/jvm/java-6-openjdk/jre/lib/security/nss.cfg' \
+ -noprompt -storepass "$storepass" \
+ -alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
+ then
+ echo " added certificate $pem (using NSS provider)"
+ elif grep -q 'Signature not available' $log; then
+ echo " ignored import, signature not available: ${line#+*}"
+ sed -e 's/^/ -> /' $log
+ else
+ echo >&2 " error adding ${line#+*}"
+ errors=$(expr $errors + 1)
+ fi
+ fi
+ esac
 done
 rm -f $log
- rm -f $pregenerated
 if [ $errors -gt 0 ]; then
- echo >&2 "failed."
- exit 1
+ echo >&2 "failed (VM used: $jvm)."
+ exit 1
 fi
 echo "done."
 )
+
+exit 0
Added: jks-keystore.hook.patch
===================================================================
--- jks-keystore.hook.patch (rev 0)
+++ jks-keystore.hook.patch 2010-10-24 13:34:03 UTC (rev 96730)
@@ -0,0 +1,44 @@
+--- jks-keystore.hook 2010-04-11 20:47:48.000000000 +0200
++++ jks-keystore.hook 2010-10-24 14:52:38.837234542 +0200
+@@ -28,14 +28,6 @@
+ export JAVA_HOME=/usr/lib/jvm/$jvm
+ PATH=$JAVA_HOME/bin:$PATH
+
+-temp_jvm_cfg=
+-if [ ! -f /etc/$jvm/jvm.cfg ]; then
+- # the jre is not yet configured, but jvm.cfg is needed to run it
+- temp_jvm_cfg=/etc/$jvm/jvm.cfg
+- mkdir -p /etc/$jvm
+- printf -- "-server KNOWN\n" > $temp_jvm_cfg
+-fi
+-
+ # read lines of the form: [+-]/etc/ssl/certs/*.pem
+
+ echo "updating keystore $KEYSTORE..."
+@@ -62,7 +54,7 @@
+ elif LANG=C LC_ALL=C keytool -importcert -trustcacerts \
+ -keystore $KEYSTORE -noprompt -storepass "$storepass" \
+ -providerClass sun.security.pkcs11.SunPKCS11 \
+- -providerArg '${java.home}/lib/security/nss.cfg' \
++ -providerArg '/usr/lib/jvm/java-6-openjdk/jre/lib/security/nss.cfg' \
+ -alias "$alias" -file "$pem" > $log 2>&1
+ then
+ echo " added: ${line#+*} (using NSS provider)"
+@@ -85,7 +77,7 @@
+ elif LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+ -noprompt -storepass "$storepass" \
+ -providerClass sun.security.pkcs11.SunPKCS11 \
+- -providerArg '${java.home}/lib/security/nss.cfg' \
++ -providerArg '/usr/lib/jvm/java-6-openjdk/jre/lib/security/nss.cfg' \
+ -alias "$alias"
+ then
+ echo " removed ${line#-*} (using NSS provider)"
+@@ -103,8 +95,6 @@
+ done
+ rm -f $log
+
+-[ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
+-
+ if [ $errors -gt 0 ]; then
+ echo >&2 "failed (VM used: $jvm)."
+ exit 1
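Review bot: The appended `exit 0` masks every failure of this script: the `exit 1` on the error path runs inside the `( … )` subshell, whose status used to be the script's status, so `post_install` now always sees success even when imports failed. Either drop the final `exit 0` or end the subshell with `) || exit 1`. The new failure message interpolates `$jvm`, which nothing visible in this script sets any more once the JVM-detection loop is removed, and `rm -f $pregenerated` was dropped, so each run leaves a `mktemp` file behind — a `trap 'rm -f "$log" "$pregenerated"' EXIT` near the top would cover both temp files. The `cp /usr/share/ca-certificates-java/cacerts $KEYSTORE` line was also removed with no replacement visible in this diff; if nothing else seeds `$KEYSTORE`, the initial `keytool -list` fails, `$pregenerated` stays empty and the pregenerated store built by the PKGBUILD is never used.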
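Review bot: The patched `-providerArg` pins the NSS provider config to `/usr/lib/jvm/java-6-openjdk/jre/lib/security/nss.cfg` while the hook still sets `export JAVA_HOME=/usr/lib/jvm/$jvm` a few lines above, so if `$jvm` ever resolves to a different JRE the PKCS11 fallback silently loads another installation's `nss.cfg` (or fails) on both the import and the delete path. Deriving it from the same variable, `-providerArg "$JAVA_HOME/jre/lib/security/nss.cfg"`, keeps the two consistent; note the switch to double quotes, since the original single quotes were there to keep `${java.home}` away from the shell. The `elif` branches these hunks touch belong to a loop whose start and end lie outside the patch context.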