Author: twerner Date: 2011-04-24 22:43:41 +0000 (Sun, 24 Apr 2011) New Revision: 13567
Added: trunk/ca-certificates-java/UpdateCertificates.java Modified: trunk/ca-certificates-java/debian/changelog trunk/ca-certificates-java/debian/control trunk/ca-certificates-java/debian/rules Log: UNRELEASED * Add Java code to update the keystore. (Closes: #623671) * Change Maintainer to Debian Java Maintainers and add myself to Uploaders. * Update Build-Depends. Added: trunk/ca-certificates-java/UpdateCertificates.java =================================================================== --- trunk/ca-certificates-java/UpdateCertificates.java (rev 0) +++ trunk/ca-certificates-java/UpdateCertificates.java 2011-04-24 22:43:41 UTC (rev 13567) 
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2011 Torsten Werner <twer...@debian.org>
+ *
+ * This code is a re-implementation of the idea from Ludwig Nussel found in
+ * http://gitorious.org/opensuse/ca-certificates/blobs/master/keystore.java
+ * for the Debian operating system. It updates the global JVM keystore.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+
+public class UpdateCertificates {
+ private static char[] password = null;
+ private static KeyStore keystore = null;
+ private static CertificateFactory certFactory = null;
+
+ public static void main(String[] args) throws IOException, GeneralSecurityException {
+ String passwordString = "changeit";
+ if (args.length == 2 && args[0].equals("-storepass")) {
+ passwordString = args[1];
+ }
+ else if (args.length > 0) {
+ System.err.println("Usage: java UpdateCertificates [-storepass <password>]");
+ System.exit(1);
+ }
+ password = passwordString.toCharArray();
+ keystore = createKeyStore();
+ certFactory = 
CertificateFactory.getInstance("X.509");
+ processChanges(new InputStreamReader(System.in));
+ writeKeyStore();
+ }
+
+ private static KeyStore createKeyStore() throws GeneralSecurityException, IOException {
+ KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+ File certInputFile = new File ("/etc/ssl/certs/java/cacerts");
+ FileInputStream certInputStream = null;
+ if (certInputFile.canRead()) {
+ certInputStream = new FileInputStream(certInputFile);
+ }
+ try {
+ ks.load(certInputStream, password);
+ }
+ catch (IOException e) {
+ System.err.println("Cannot open Java keystore. Is the password correct? Message:\n " +
+ e.getMessage());
+ System.exit(1);
+ }
+ if (certInputStream != null) {
+ certInputStream.close();
+ }
+ return ks;
+ }
+
+ private static void processChanges(Reader reader)
+ throws IOException, GeneralSecurityException {
+ String line;
+ BufferedReader bufferedStdinReader = new BufferedReader(reader);
+ while((line = bufferedStdinReader.readLine()) != null) {
+ parseLine(line);
+ }
+ }
+
+ private static void deleteAlias(String alias) throws GeneralSecurityException {
+ if (keystore.containsAlias(alias)) {
+ System.out.println("Removing " + alias);
+ keystore.deleteEntry(alias);
+ }
+ }
+
+ private static void parseLine(String line)
+ throws GeneralSecurityException, IOException {
+ String path = line.substring(1);
+ String filename = path.substring(path.lastIndexOf("/") + 1);
+ String alias = "debian:" + filename;
+ if(line.startsWith("+")) {
+ Certificate cert = createCertificate(path);
+ if (cert == null) {
+ return;
+ }
+ if(keystore.containsAlias(alias)) {
+ System.out.println("Replacing " + alias);
+ keystore.deleteEntry(alias);
+ }
+ else {
+ System.out.println("Adding " + alias);
+ }
+ keystore.setCertificateEntry(alias, cert);
+ }
+ else if (line.startsWith("-")) {
+ deleteAlias(alias);
+ // Remove old non-prefixed aliases, too. This code should be
+ // removed after the release of Wheezy. 
+ deleteAlias(filename); + } + else { + System.err.println("Unknown input: " + line); + } + } + + private static Certificate createCertificate(String path) { + Certificate cert = null; + try { + FileInputStream certFile = new FileInputStream(path); + cert = certFactory.generateCertificate(certFile); + certFile.close(); + } + catch (Exception e) { + System.err.println("Warning: there was a problem reading the certificate file " + + path + ". Message:\n " + e.getMessage()); + } + return cert; + } + + private static void writeKeyStore() throws GeneralSecurityException { + try { + FileOutputStream certOutputFile = new FileOutputStream("/etc/ssl/certs/java/cacerts"); + keystore.store(certOutputFile, password); + certOutputFile.close(); + } + catch (IOException e) { + System.err.println("There was a problem saving the new Java keystore. Message:\n " + + e.getMessage()); + System.exit(1); + } + } +} Modified: trunk/ca-certificates-java/debian/changelog =================================================================== --- trunk/ca-certificates-java/debian/changelog 2011-04-24 22:08:53 UTC (rev 13566) +++ trunk/ca-certificates-java/debian/changelog 2011-04-24 22:43:41 UTC (rev 13567) @@ -1,3 +1,12 @@ +ca-certificates-java (20110425) unstable; urgency=low + + UNRELEASED + * Add Java code to update the keystore. (Closes: #623671) + * Change Maintainer to Debian Java Maintainers and add myself to Uploaders. + * Update Build-Depends. + + -- Torsten Werner <twer...@debian.org> Mon, 25 Apr 2011 00:29:23 +0200 + ca-certificates-java (20100412) unstable; urgency=low * Upload to unstable. Modified: trunk/ca-certificates-java/debian/control =================================================================== --- trunk/ca-certificates-java/debian/control 2011-04-24 22:08:53 UTC (rev 13566) +++ trunk/ca-certificates-java/debian/control 2011-04-24 22:43:41 UTC (rev 13567) 
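Review bot: writeKeyStore opens `/etc/ssl/certs/java/cacerts` with a plain FileOutputStream and stores straight into it, so the system trust store is truncated before the new contents exist; a crash or a failing `keystore.store` at that point leaves every Java TLS client on the host with an empty or corrupt cacerts, and the stream is also not closed on the exception path. Writing to a temporary file in the same directory, syncing it and renaming it over the target (a same-filesystem rename replaces the file atomically) keeps the previous store intact until the new one is complete; the temporary file name below is illustrative. A smaller issue in parseLine: `line.substring(1)` runs before the `+`/`-` check, so an empty stdin line throws StringIndexOutOfBoundsException and aborts the whole update instead of reaching the `Unknown input` branch — a guard such as `if (line.isEmpty()) { return; }` at the top avoids that. Both methods lie entirely within this hunk.
```java
private static void writeKeyStore() throws GeneralSecurityException {
    File target = new File("/etc/ssl/certs/java/cacerts");
    File tmp = new File(target.getParentFile(), "cacerts.tmp"); // illustrative name
    FileOutputStream certOutputFile = null;
    try {
        certOutputFile = new FileOutputStream(tmp);
        keystore.store(certOutputFile, password);
        certOutputFile.getFD().sync();
        certOutputFile.close();
        certOutputFile = null;
        // Only now replace the live trust store: any failure above leaves the old cacerts untouched.
        if (!tmp.renameTo(target)) {
            throw new IOException("cannot rename " + tmp + " to " + target);
        }
    }
    catch (IOException e) {
        System.err.println("There was a problem saving the new Java keystore. Message:\n "
            + e.getMessage());
        tmp.delete();
        System.exit(1);
    }
    finally {
        if (certOutputFile != null) {
            try { certOutputFile.close(); } catch (IOException ignored) { }
        }
    }
}
```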
@@ -1,9 +1,9 @@ Source: ca-certificates-java Section: java Priority: optional -Maintainer: OpenJDK Team <open...@lists.launchpad.net> -Uploaders: Matthias Klose <d...@ubuntu.com> -Build-Depends: debhelper (>= 6), ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2) +Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org> +Uploaders: Matthias Klose <d...@ubuntu.com>, Torsten Werner <twer...@debian.org> +Build-Depends: debhelper (>= 6), default-jdk Standards-Version: 3.8.4 Package: ca-certificates-java Modified: trunk/ca-certificates-java/debian/rules =================================================================== --- trunk/ca-certificates-java/debian/rules 2011-04-24 22:08:53 UTC (rev 13566) +++ trunk/ca-certificates-java/debian/rules 2011-04-24 22:43:41 UTC (rev 13567) 
@@ -4,47 +4,20 @@ # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 +JAVA_HOME := /usr/lib/jvm/default-java + d = debian/ca-certificates-java build: build-stamp build-stamp: dh_testdir - rm -rf build - mkdir -p build - set -e; \ - yes | \ - for crt in $$(find /usr/share/ca-certificates -name '*.crt' -printf '%P '); do \ - alias=$$(basename $$crt .crt | tr A-Z a-z | tr -cs a-z0-9 _); \ - alias=$${alias%*_}; \ - echo "IMPORT: $$crt, alias=$$alias"; \ - if keytool -importcert -trustcacerts -keystore build/cacerts \ - -storepass 'changeit' \ - -alias "$$alias" -file "/usr/share/ca-certificates/$$crt" > keytool.log 2>&1; \ - then \ - cat keytool.log; \ - elif keytool -importcert -trustcacerts -keystore build/cacerts \ - -providerClass sun.security.pkcs11.SunPKCS11 \ - -providerArg '$${java.home}/lib/security/nss.cfg' \ - -storepass 'changeit' \ - -alias "$$alias" -file "/usr/share/ca-certificates/$$crt" > keytool.log 2>&1; \ - then \ - cat keytool.log; \ - elif grep -q 'Signature not available' keytool.log; then \ - echo "IGNORED IMPORT: $$crt, alias=$$alias"; \ - cat keytool.log; \ - else \ - cat keytool.log; \ - false; \ - fi; \ - done + $(JAVA_HOME)/bin/javac UpdateCertificates.java touch $@ clean: dh_testdir dh_testroot - rm -f build-stamp - rm -rf build - rm -f keytool.log + $(RM) build-stamp UpdateCertificates.class dh_clean install: build @@ -59,10 +32,9 @@ install -m755 debian/jks-keystore.hook \ $(d)/etc/ca-certificates/update.d/jks-keystore - install -m644 build/cacerts \ - $(d)/usr/share/ca-certificates-java/ install -m600 debian/default \ $(d)/etc/default/cacerts + dh_install UpdateCertificates.class /usr/share/ca-certificates-java/ # Build architecture-independent files here. binary-indep: build install _______________________________________________ pkg-java-commits mailing list pkg-java-comm...@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-commits
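Review bot: The new build-stamp rule compiles with a bare `$(JAVA_HOME)/bin/javac UpdateCertificates.java`, so the class-file version is whatever the build-time default-jdk emits, while the class is executed at install time by whatever Java runtime the target system happens to have; if that runtime is older than the build JDK the update fails with UnsupportedClassVersionError and the trust store is never refreshed. Pinning the bytecode level and the source encoding, e.g. `$(JAVA_HOME)/bin/javac -source 1.5 -target 1.5 -encoding UTF-8 UpdateCertificates.java` (values constructed for illustration), makes the result independent of the JDK used to build. Which runtime the hook invokes is not in this diff (debian/jks-keystore.hook is not shown), so whether a mismatch can occur in practice is inferred rather than visible here.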