[packages/icedtea7] Include a trusted CA list

jajcus jajcus at pld-linux.org
Fri Apr 19 14:15:32 CEST 2013


commit 82144fcc4c742e6f8d4824c73931656577cdd077
Author: Jacek Konieczny <jajcus at jajcus.net>
Date:   Fri Apr 19 13:37:30 2013 +0200

    Include a trusted CA list
    
    A trusted CA list will be built using current ca-certificates-update
    data.

 icedtea7.spec   |   7 ++++
 make-cacerts.sh | 104 ++++++++++++--------------------------------------------
 2 files changed, 28 insertions(+), 83 deletions(-)
---
diff --git a/icedtea7.spec b/icedtea7.spec
index 599d255..60aca8a 100644
--- a/icedtea7.spec
+++ b/icedtea7.spec
@@ -4,6 +4,7 @@
 
 %bcond_without bootstrap # don't build a bootstrap version, using icedtea6
 %bcond_without nss	# don't use NSS
+%bcond_without cacerts	# don't include the default CA certificates
 
 %if %{with bootstrap}
 %define		use_jdk	icedtea6
@@ -52,6 +53,7 @@ Source6:	http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/langtools/a
 # Source6-md5:	afca36dae45fd483e2a455ccb57a1c8f
 Source7:	http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/hotspot/archive/%{hotspot_changeset}.tar.gz
 # Source7-md5:	35798cd6f8a870d8c0925fe907c561f7
+Source10:	make-cacerts.sh
 Patch0:		%{name}-i486.patch
 Patch1:		%{name}-libpath.patch
 URL:		http://icedtea.classpath.org/wiki/Main_Page
@@ -60,6 +62,7 @@ BuildRequires:	ant
 BuildRequires:	autoconf
 BuildRequires:	automake
 BuildRequires:	bash
+%{?with_cacerts:BuildRequires:	ca-certificates-update}
 BuildRequires:	cups-devel
 BuildRequires:	/usr/bin/jar
 BuildRequires:	freetype-devel >= 2.3
@@ -440,6 +443,8 @@ chmod a+x build-bin/ant
 	DISTRIBUTION_PATCHES="$(echo pld-patches/*.patch)" \
 	PRINTF=/bin/printf
 
+%{?with_cacerts:%{__sh} %{SOURCE10}}
+
 %install
 rm -rf $RPM_BUILD_ROOT
 install -d $RPM_BUILD_ROOT{%{_bindir},%{dstdir},%{_mandir}/ja} \
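Review bot: Running the helper as `%{__sh} %{SOURCE10}` ignores the script's `#!/bin/sh -e` shebang (visible as context in the make-cacerts.sh hunk), so the errexit the script was written under is lost and a failed `cd $ETCCERTSDIR` or a missing keytool binary lets the build continue with an empty or partial keystore. Pass the option explicitly, `%{?with_cacerts:%{__sh} -e %{SOURCE10}}`, or add `set -e` at the top of make-cacerts.sh so the behaviour does not depend on how it is invoked. Note that even with `-e` the script only warns when keytool rejects an individual certificate, so a build log review is still the only way to notice a missing trust anchor.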
@@ -502,6 +507,8 @@ ln -s server/libjvm.so $RPM_BUILD_ROOT%{jredir}/lib/%{jre_arch}/libjvm.so
 
 %{__rm} $RPM_BUILD_ROOT%{dstdir}/{,jre/}{ASSEMBLY_EXCEPTION,LICENSE,THIRD_PARTY_README}
 
+%{?with_cacerts:install cacerts $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/security}
+
 %clean
 rm -rf $RPM_BUILD_ROOT
 
diff --git a/make-cacerts.sh b/make-cacerts.sh
index 2a04877..865676f 100755
--- a/make-cacerts.sh
+++ b/make-cacerts.sh
@@ -1,5 +1,9 @@
 #!/bin/sh -e
 #
+# make-cacerts.sh
+#
+# based on:
+#
 # update-ca-certificates
 #
 # Copyright (c) 2003 Fumitoshi UKAI <ukai at debian.or.jp>
@@ -22,19 +26,16 @@
 #
 
 verbose=0
-fresh=0
 DESTDIR=
 while [ $# -gt 0 ];
 do
   case $1 in
   --verbose|-v)
   	verbose=1;;
-  --fresh|-f)
-	fresh=1;;
   --destdir)
 	DESTDIR=$2; shift;;
   --help|-h|*)
-	echo "$0: [--verbose] [--fresh]"
+	echo "$0: [--verbose]"
 	exit;;
   esac
   shift
@@ -47,84 +48,41 @@ LOCALCERTSDIR=$DESTDIR/etc/certs
 CERTBUNDLE=$DESTDIR/etc/certs/ca-certificates.crt
 ETCCERTSDIR=$DESTDIR/etc/openssl/certs
 
-cleanup() {
-  rm -f "$TEMPBUNDLE"
-  rm -f "$ADDED"
-  rm -f "$REMOVED"
-}
-trap cleanup 0
+KEYSTORE=$PWD/cacerts
+KEYTOOL=$PWD/openjdk.build/bin/keytool
 
-# Helper files.  (Some of them are not simple arrays because we spawn
-# subshells later on.)
-TEMPBUNDLE="$(mktemp "${CERTBUNDLE}.tmp.XXXXXX")"
-ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
-REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
-
-# Adds a certificate to the list of trusted ones.  This includes a symlink
-# in /etc/openssl/certs to the certificate file and its inclusion into the
-# bundle.
+# Adds a certificate to the list of trusted ones.
+# Adds the certificate to the cacerts file
 add() {
   CERT="$1"
-  PEM="$ETCCERTSDIR/$(basename "$CERT" .pem | sed -e 's/.crt$//' -e 's/ /_/g' \
-                                                  -e 's/[()]/=/g' \
-                                                  -e 's/,/_/g').pem"
-  if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
-  then
-    ln -sf "$CERT" "$PEM"
-    echo +$PEM >> "$ADDED"
-  fi
-  cat "$CERT" >> "$TEMPBUNDLE"
-  echo >> "$TEMPBUNDLE"
-}
+  NAME="$2"
+  ALIAS="$(echo "$NAME" | sed -e 's/.\(crt|pem\)$//' -e 's/ /_/g' \
+                                                -e 's/[()]/=/g' -e 's/,/_/g')"
 
-remove() {
-  CERT="$1"
-  PEM="$ETCCERTSDIR/$(basename "$CERT" .pem | sed 's/.crt$//').pem"
-  if test -L "$PEM"
-  then
-    rm -f "$PEM"
-    echo -$PEM >> "$REMOVED"
+  if [ "$verbose" = 1 ] ; then
+    echo "  adding '$CERT' as '$ALIAS'"
   fi
+  if ! $KEYTOOL -noprompt -import -alias "$ALIAS" \
+                -keystore $KEYSTORE -storepass 'changeit' \
+                -file "$CERT" ; then
+        echo "W: $NAME certification could not be added"
+  fi 
 }
 
 cd $ETCCERTSDIR
-if [ "$fresh" = 1 ]; then
-  echo -n "Clearing symlinks in $ETCCERTSDIR..."
-  find . -type l -print | while read symlink
-  do
-     case $(readlink $symlink) in
-     $CERTSDIR*) rm -f $symlink;;
-     $LOCALCERTSDIR*) rm -f $symlink;;
-     esac
-  done
-  find . -type l -print | while read symlink
-  do
-     test -f $symlink || rm -f $symlink
-  done
-  echo "done."
-fi
-
-echo -n "Updating certificates in $ETCCERTSDIR... "
 
 for conf in $CERTSCONF $CERTSCONFD/*.conf; do
   # skip inexistent files (matched by glob)
   [ -f $conf ] || continue
 
-  # Handle certificates that should be removed.  This is an explicit act
-  # by prefixing lines in the configuration files with exclamation marks (!).
-  sed -n -e '/^$/d' -e 's/^!//p' $conf | while read crt
-  do
-    remove "$CERTSDIR/$crt"
-  done
-
   sed -e '/^$/d' -e '/^#/d' -e '/^!/d' $conf | while read crt
   do
     if test -f "$CERTSDIR/$crt"
     then
-      add "$CERTSDIR/$crt"
+      add "$CERTSDIR/$crt" "$crt"
     elif test -f "$LOCALCERTSDIR/$crt"
     then
-      add "$LOCALCERTSDIR/$crt"
+      add "$LOCALCERTSDIR/$crt" "$crt"
     else
       echo "W: $CERTSDIR/$crt or $LOCALCERTSDIR/$crt not found, but listed in $conf." >&2
       continue
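Review bot: The alias computation `sed -e 's/.\(crt|pem\)$//'` does not strip the extension: in a POSIX basic regex `|` is a literal character and the unescaped `.` matches any character, so the pattern only matches names literally ending in "crt|pem" and every alias keeps its `.crt`/`.pem` suffix. Replace it with two explicit substitutions, `-e 's/\.crt$//' -e 's/\.pem$//'`. The keytool failure branch should also report on stderr like the "not found" warning a few lines below, `echo "W: $NAME certificate could not be added" >&2`, and `-keystore $KEYSTORE` should be quoted since it is derived from `$PWD`. Since keytool rejects a duplicate alias, two certificates whose names differ only in the characters mapped to `_`/`=` would collide and only the first would be imported, and that case surfaces only as this warning, not as an error.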
@@ -132,26 +90,6 @@ for conf in $CERTSCONF $CERTSCONFD/*.conf; do
   done
 done
 
-rm -f "$CERTBUNDLE"
-
-ADDED_CNT=$(wc -l < "$ADDED")
-REMOVED_CNT=$(wc -l < "$REMOVED")
-
-if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
-then
-  # only run if set of files has changed
-  if [ "$verbose" = 0 ]
-  then
-    c_rehash.sh . > /dev/null
-  else
-    c_rehash.sh .
-  fi
-fi
-
-chmod 0644 "$TEMPBUNDLE"
-mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
-
-echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
 echo "done."
 
 # vim:set et sw=2: