Author: bdubbs
Date: Wed Sep 11 10:21:08 2013
New Revision: 11820
Log:
Add instructions to create cacerts for OpenJDK.
Modified:
trunk/BOOK/general.ent
trunk/BOOK/general/prog/openjdk.xml
trunk/BOOK/introduction/welcome/changelog.xml
trunk/BOOK/postlfs/security/cacerts.xml
Modified: trunk/BOOK/general.ent
==============================================================================
--- trunk/BOOK/general.ent Tue Sep 10 16:59:56 2013 (r11819)
+++ trunk/BOOK/general.ent Wed Sep 11 10:21:08 2013 (r11820)
@@ -1,12 +1,12 @@
<!-- $LastChangedBy$ $Date$ -->
-<!ENTITY day "10"> <!-- Always 2 digits -->
+<!ENTITY day "11"> <!-- Always 2 digits -->
<!ENTITY month "09"> <!-- Always 2 digits -->
<!ENTITY year "2013">
<!ENTITY copyrightdate "2001-&year;">
<!ENTITY copyholder "The BLFS Development Team">
<!ENTITY version "&year;-&month;-&day;">
-<!ENTITY releasedate "September 10th, &year;">
+<!ENTITY releasedate "September 11th, &year;">
<!ENTITY pubdate "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
<!ENTITY blfs-version "svn"> <!-- svn|[release #] -->
<!ENTITY lfs-version "development"> <!--
version|testing|unstable|development] -->
Modified: trunk/BOOK/general/prog/openjdk.xml
==============================================================================
--- trunk/BOOK/general/prog/openjdk.xml Tue Sep 10 16:59:56 2013 (r11819)
+++ trunk/BOOK/general/prog/openjdk.xml Wed Sep 11 10:21:08 2013 (r11820)
@@ -462,6 +462,255 @@
</sect3>
+ <sect3 id='ojdk-certs'>
+ <title>Install or update the JRE Certificate Authority Certificates
(cacerts) file</title>
+
+ <para>Use the following procedure to check if the cacerts file was
+ successfully installed during the OpenJDK installation or if the <xref
+ linkend="cacerts"/> have been updated, the following instructions will
+ generate a new JRE <filename>cacerts</filename> file. First, check if the
+ <filename>cacerts</filename> have been successfully installed: </para>
+
+<screen role="root"><userinput>cd /opt/jdk
+bin/keytool -list -keystore jre/lib/security/cacerts</userinput></screen>
+
+ <para>At the prompt "Enter keystore password:", press the "Enter" key if
+ there is no keystore password defined. If the
+ <filename>cacerts</filename> was installed correctly, you will see a
+ list of the certificates with related information for each one. If not,
+ you need to manually install them. First, generate the
+ <command>mkcacerts</command> script as the
+ <systemitem class="username">root</systemitem> user:</para>
+
+<screen role="root"><userinput>cat > /opt/jdk/bin/mkcacerts << "EOF"
+<literal>#!/bin/sh
+# Simple script to extract x509 certificates and create a JRE cacerts file.
+
+function get_args()
+ {
+ if test -z "${1}" ; then
+ showhelp
+ exit 1
+ fi
+
+ while test -n "${1}" ; do
+ case "${1}" in
+ -f | --cafile)
+ check_arg $1 $2
+ CAFILE="${2}"
+ shift 2
+ ;;
+ -d | --cadir)
+ check_arg $1 $2
+ CADIR="${2}"
+ shift 2
+ ;;
+ -o | --outfile)
+ check_arg $1 $2
+ OUTFILE="${2}"
+ shift 2
+ ;;
+ -k | --keytool)
+ check_arg $1 $2
+ KEYTOOL="${2}"
+ shift 2
+ ;;
+ -s | --openssl)
+ check_arg $1 $2
+ OPENSSL="${2}"
+ shift 2
+ ;;
+ -h | --help)
+ showhelp
+ exit 0
+ ;;
+ *)
+ showhelp
+ exit 1
+ ;;
+ esac
+ done
+ }
+
+function check_arg()
+ {
+ echo "${2}" | grep -v "^-" > /dev/null
+ if [ -z "$?" -o ! -n "$2" ]; then
+ echo "Error: $1 requires a valid argument."
+ exit 1
+ fi
+ }
+
+# The date binary is not reliable on 32bit systems for dates after 2038
+function mydate()
+ {
+ local y=$( echo $1 | cut -d" " -f4 )
+ local M=$( echo $1 | cut -d" " -f1 )
+ local d=$( echo $1 | cut -d" " -f2 )
+ local m
+
+ if [ ${d} -lt 10 ]; then d="0${d}"; fi
+
+ case $M in
+ Jan) m="01";;
+ Feb) m="02";;
+ Mar) m="03";;
+ Apr) m="04";;
+ May) m="05";;
+ Jun) m="06";;
+ Jul) m="07";;
+ Aug) m="08";;
+ Sep) m="09";;
+ Oct) m="10";;
+ Nov) m="11";;
+ Dec) m="12";;
+ esac
+
+ certdate="${y}${m}${d}"
+ }
+
+function showhelp()
+ {
+ echo "`basename ${0}` creates a valid cacerts file for use with
IcedTea."
+ echo ""
+ echo " -f --cafile The path to a file containing PEM
formated CA"
+ echo " certificates. May not be used with
-d/--cadir."
+ echo " -d --cadir The path to a diectory of PEM
formatted CA"
+ echo " certificates. May not be used with
-f/--cafile."
+ echo " -o --outfile The path to the output file."
+ echo ""
+ echo " -k --keytool The path to the java keytool
utility."
+ echo ""
+ echo " -s --openssl The path to the openssl utility."
+ echo ""
+ echo " -h --help Show this help message and exit."
+ echo ""
+ echo ""
+ }
+
+# Initialize empty variables so that the shell does not polute the script
+CAFILE=""
+CADIR=""
+OUTFILE=""
+OPENSSL=""
+KEYTOOL=""
+certdate=""
+date=""
+today=$( date +%Y%m%d )
+
+# Process command line arguments
+get_args ${@}
+
+# Handle common errors
+if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then
+ echo "ERROR! You must provide an x509 certificate store!"
+ echo "\'$(basename ${0}) --help\' for more info."
+ echo ""
+ exit 1
+fi
+
+if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then
+ echo "ERROR! You cannot provide two x509 certificate stores!"
+ echo "\'$(basename ${0}) --help\' for more info."
+ echo ""
+ exit 1
+fi
+
+if test "${KEYTOOL}x" == "x" ; then
+ echo "ERROR! You must provide a valid keytool program!"
+ echo "\'$(basename ${0}) --help\' for more info."
+ echo ""
+ exit 1
+fi
+
+if test "${OPENSSL}x" == "x" ; then
+ echo "ERROR! You must provide a valid path to openssl!"
+ echo "\'$(basename ${0}) --help\' for more info."
+ echo ""
+ exit 1
+fi
+
+if test "${OUTFILE}x" == "x" ; then
+ echo "ERROR! You must provide a valid output file!"
+ echo "\'$(basename ${0}) --help\' for more info."
+ echo ""
+ exit 1
+fi
+
+# Get on with the work
+
+# If using a CAFILE, split it into individual files in a temp directory
+if test "${CAFILE}x" != "x" ; then
+ TEMPDIR=`mktemp -d`
+ CADIR="${TEMPDIR}"
+
+ # Get a list of staring lines for each cert
+ CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1`
+
+ # Get a list of ending lines for each cert
+ ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
+
+ # Start a loop
+ for certbegin in `echo "${CERTLIST}"` ; do
+ for certend in `echo "${ENDCERTLIST}"` ; do
+ if test "${certend}" -gt "${certbegin}"; then
+ break
+ fi
+ done
+ sed -n "${certbegin},${certend}p" "${CAFILE}" >
"${CADIR}/${certbegin}.pem"
+ keyhash=`${OPENSSL} x509 -noout -in "${CADIR}/${certbegin}.pem" -hash`
+ echo "Generated PEM file with hash: ${keyhash}."
+ done
+fi
+
+# Write the output file
+for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"`
+do
+
+ # Make sure the certificate date is valid...
+ date=$( ${OPENSSL} x509 -enddate -in "${cert}" -noout | sed
's/^notAfter=//' )
+ mydate "${date}"
+ if test "${certdate}" -lt "${today}" ; then
+ echo "${cert} expired on ${certdate}! Skipping..."
+ unset date certdate
+ continue
+ fi
+ unset date certdate
+ ls "${cert}"
+ tempfile=`mktemp`
+ certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1`
+ certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1`
+ sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}"
+ echo yes | env LC_ALL=C "${KEYTOOL}" -import -alias `basename "${cert}"`
-keystore \
+ "${OUTFILE}" -storepass 'changeit' -file "${tempfile}"
+ rm "${tempfile}"
+done
+
+if test "${TEMPDIR}x" != "x" ; then
+ rm -rf "${TEMPDIR}"
+fi
+exit 0</literal>
+EOF
+
+chmod -c 0755 /opt/jdk/bin/mkcacerts</userinput></screen>
+
+ <note>
+ <para>
+ Doing a very large copy/paste directly to a terminal may result in a
+ corrupted file. Copying to an editor may overcome this issue.
+ </para>
+ </note>
+
+ <para>After making a backup of the
+ <filename>/opt/jdk/jre/lib/security/cacerts</filename> file, if there is
+ any. To create a new one, as the
+ <systemitem class="username">root</systemitem> user:</para>
+
+<screen><userinput>/opt/jdk/bin/mkcacerts -d "/etc/ssl/certs/" -k
"/opt/jdk/bin/keytool" \
+ -s "/usr/bin/openssl" -o
"/opt/jdk/jre/lib/security/cacerts"</userinput></screen>
+
+ </sect3>
+
</sect2>
<sect2 role="content">
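Review bot: The mkcacerts script adds to an existing keystore rather than creating a fresh one — `keytool -import` on the `-keystore "${OUTFILE}" -storepass 'changeit'` line opens `${OUTFILE}` if it already exists, so when this procedure is re-run to update `/opt/jdk/jre/lib/security/cacerts` after the system bundle changed, CAs that were dropped from `/etc/ssl/certs` (a distrusted root, for instance) stay trusted by Java, and every previously imported alias fails with an "alias already exists" error that the loop ignores before the script exits 0. The prose above only says to make a backup of the old file, so a reader following it literally gets a silently stale trust store; I would refuse to run against an existing output file and report keytool's per-certificate exit status, as below. Separately, `check_arg`'s `[ -z "$?" -o ! -n "$2" ]` is half dead: `$?` is never empty, so an option followed by another `-x` option is accepted as its value; `case "$2" in -*|"") echo "Error: $1 requires a valid argument."; exit 1;; esac` would do what the grep was meant to.
```sh
# … unchanged: option parsing and the CAFILE/CADIR/KEYTOOL/OPENSSL/OUTFILE checks …

# Refuse to append to an existing keystore: keytool -import adds to it, so CAs
# removed from the system bundle would stay trusted and old aliases collide.
if test -e "${OUTFILE}" ; then
  echo "ERROR! ${OUTFILE} already exists. Move it aside and re-run."
  exit 1
fi

# … unchanged: CAFILE splitting and the expiry check inside the loop …
  if ! echo yes | env LC_ALL=C "${KEYTOOL}" -import -alias "$(basename "${cert}")" \
      -keystore "${OUTFILE}" -storepass 'changeit' -file "${tempfile}" ; then
    echo "WARNING: failed to import ${cert} into ${OUTFILE}" >&2
  fi
  rm "${tempfile}"
# … unchanged: TEMPDIR cleanup and exit …
```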
Modified: trunk/BOOK/introduction/welcome/changelog.xml
==============================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml Tue Sep 10 16:59:56
2013 (r11819)
+++ trunk/BOOK/introduction/welcome/changelog.xml Wed Sep 11 10:21:08
2013 (r11820)
@@ -44,6 +44,17 @@
-->
<listitem>
+ <para>September 11th, 2013</para>
+ <itemizedlist>
+ <listitem>
+ <para>[fernando] - Update to OJDK to add procedures to
+ check/update Certificate Authority Certificates. Fixes
+ <ulink url="&blfs-ticket-root;3997">#3997</ulink>.</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+
+ <listitem>
<para>September 10th, 2013</para>
<itemizedlist>
<listitem>
Modified: trunk/BOOK/postlfs/security/cacerts.xml
==============================================================================
--- trunk/BOOK/postlfs/security/cacerts.xml Tue Sep 10 16:59:56 2013
(r11819)
+++ trunk/BOOK/postlfs/security/cacerts.xml Wed Sep 11 10:21:08 2013
(r11820)
@@ -325,6 +325,10 @@
<screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
+ <para>After installing or updating certificates, if OpenJDK is installed,
+ update the certificates for Java using the procedures at <xref
linkend='ojdk-certs'/>.</para>
+
+
</sect2>
<sect2 role="content">