>From 8383c24c8a3c723535fe59f700a5fd18c50b4780 Mon Sep 17 00:00:00 2001
From: Roel Janssen
Date: Fri, 10 Feb 2017 12:23:22 +0100
Subject: [PATCH] gnu: icedtea-8: Build keystore without id-ecPublicKey certificates.

* gnu/packages/java.scm (icedtea-8): Add 'install-keystore phase.
---
 gnu/packages/java.scm | 125 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 124 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 92cbe2a02..2b204d860 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -1025,7 +1025,130 @@ build process and its dependencies, whereas Make uses Makefile format.")
 #t)))
 ;; FIXME: This phase is needed but fails with this version of
 ;; IcedTea.
- (delete 'install-keystore)
+ (replace 'install-keystore
+ (lambda* (#:key inputs outputs #:allow-other-keys)
+ (let* ((keystore "cacerts")
+ (certs-dir (string-append (assoc-ref inputs "nss-certs")
+ "/etc/ssl/certs"))
+ (keytool (string-append (assoc-ref outputs "jdk")
+ "/bin/keytool")))
+ (define (extract-cert file target)
+ (call-with-input-file file
+ (lambda (in)
+ (call-with-output-file target
+ (lambda (out)
+ (let loop ((line (read-line in 'concat))
+ (copying? #f))
+ (cond
+ ((eof-object? line) #t)
+ ((string-prefix? "-----BEGIN" line)
+ (display line out)
+ (loop (read-line in 'concat) #t))
+ ((string-prefix? "-----END" line)
+ (display line out)
+ #t)
+ (else
+ (when copying? (display line out))
+ (loop (read-line in 'concat) copying?)))))))))
+ (define (import-cert cert)
+ ;; These certificates use a different public key algorithm:
+ ;; id-ecPublicKey. The keytool does not seem to be able to
+ ;; import these certificates.
+ (let ((bad-certs
+ (list
+ (string-append "CA_WoSign_ECC_Root:2.16.104.74.88."
+ "112.128.107.240.143.2.250.246.222."
+ "232.176.144.144.pem")
+ (string-append "AffirmTrust_Premium_ECC:2.8.116.151"
+ ".37.138.199.63.122.84.pem")
+ (string-append "GeoTrust_Primary_Certification_Aut"
+ "hority_-_G2:2.16.60.178.244.72.10."
+ "0.226.254.235.36.59.94.96.62.195.1"
+ "07.pem")
+ (string-append "DigiCert_Assured_ID_Root_G3:2.16.1"
+ "1.161.90.250.29.223.160.181.73.68."
+ "175.205.36.160.108.236.pem")
+ (string-append "COMODO_ECC_Certification_Authority"
+ ":2.16.31.71.175.170.98.0.112.80.84"
+ ".76.1.158.155.99.153.42.pem")
+ (string-append "OpenTrust_Root_CA_G3:2.18.17.32.23"
+ "0.248.76.252.36.176.190.5.64.172.2"
+ "18.131.27.52.96.63.pem")
+ (string-append "DigiCert_Global_Root_G3:2.16.5.85."
+ "86.188.242.94.164.53.53.195.164.15"
+ ".213.171.69.114.pem")
+ (string-append "GlobalSign_ECC_Root_CA_-_R5:2.17.9"
+ "6.89.73.224.38.46.187.85.249.10.11"
+ "9.138.113.249.74.216.108.pem")
+ (string-append "VeriSign_Class_3_Public_Primary_Ce"
+ "rtification_Authority_-_G4:2.16.47"
+ ".128.254.35.140.14.34.15.72.103.18"
+ ".40.145.135.172.179.pem")
+ (string-append "Entrust_Root_Certification_Authori"
+ "ty_-_EC1:2.13.0.166.139.121.41.0.0"
+ ".0.0.80.208.145.249.pem")
+ (string-append "thawte_Primary_Root_CA_-_G2:2.16.5"
+ "3.252.38.92.217.132.79.201.61.38.6"
+ "1.87.155.174.215.86.pem")
+ (string-append "Certplus_Root_CA_G2:2.18.17.32.217"
+ ".145.206.174.163.232.197.231.255.2"
+ "33.2.175.207.115.188.85.pem")
+ (string-append "Hellenic_Academic_and_Research_Ins"
+ "titutions_ECC_RootCA_2015:2.1.0.pe"
+ "m")
+ (string-append "USERTrust_ECC_Certification_Author"
+ "ity:2.16.92.139.153.197.90.148.197"
+ ".210.113.86.222.205.137.128.204.38"
+ ".pem")
+ (string-append "GlobalSign_ECC_Root_CA_-_R4:2.17.4"
+ "2.56.164.28.150.10.4.222.66.178.40"
+ ".165.11.232.52.152.2.pem"))))
+ (unless (member (basename cert) bad-certs)
+ (format #t "Importing certificate ~a\n" (basename cert))
+ (let ((temp "tmpcert"))
+ (extract-cert cert temp)
+ (let ((port (open-pipe* OPEN_WRITE keytool
+ "-import"
+ "-alias" (basename cert)
+ "-keystore" keystore
+ "-storepass" "changeit"
+ "-file" temp)))
+ (display "yes\n" port)
+ (when (not (zero? (status:exit-val (close-pipe port))))
+ (error "failed to import" cert)))
+ (delete-file temp)))))
+ ;; This is necessary because the certificate directory contains
+ ;; files with non-ASCII characters in their names.
+ (setlocale LC_ALL "en_US.utf8")
+ (setenv "LC_ALL" "en_US.utf8")
+
+ (for-each import-cert (find-files certs-dir "\\.pem$"))
+ (mkdir-p (string-append (assoc-ref outputs "out")
+ "/lib/security"))
+ (mkdir-p (string-append (assoc-ref outputs "jdk")
+ "/jre/lib/security"))
+
+ ;; The cacerts files we are going to overwrite are chmod'ed
+ ;; as read-only (444). We have to change this temporarily.
+ (chmod (string-append (assoc-ref outputs "out")
+ "/lib/security/" keystore) #o644)
+ (chmod (string-append (assoc-ref outputs "jdk")
+ "/jre/lib/security/" keystore) #o644)
+
+ (install-file keystore
+ (string-append (assoc-ref outputs "out")
+ "/lib/security"))
+ (install-file keystore
+ (string-append (assoc-ref outputs "jdk")
+ "/jre/lib/security"))
+
+ ;; Now make it read-only again.
+ (chmod (string-append (assoc-ref outputs "out")
+ "/lib/security/" keystore) #o444)
+
+ (chmod (string-append (assoc-ref outputs "jdk")
+ "/jre/lib/security/" keystore) #o444)
+ #t)))
 (replace 'install
 (lambda* (#:key outputs #:allow-other-keys)
 (let ((doc (string-append (assoc-ref outputs "doc")

-- 
2.11.1
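Review bot: In import-cert the ECC roots listed in bad-certs are dropped silently — the `unless` has no other branch, so nothing in the build log records that these trust anchors are missing from the installed cacerts, and the exclusion is keyed on exact file names (name plus serial) taken from the nss-certs input, so a renamed or newly added id-ecPublicKey certificate would instead reach keytool and abort the build with "failed to import". Turning the `unless` into `(if (member (basename cert) bad-certs) (format #t "Skipping certificate ~a\n" (basename cert)) ...)` keeps the reduced trust set visible without changing what gets imported. The `"yes\n"` written to the pipe answers keytool's interactive trust prompt; passing `-noprompt` on the keytool command line does the same without depending on the prompt. When keytool exits non-zero, `(error "failed to import" cert)` is raised before `(delete-file temp)`, so the temporary file is left behind — harmless in a build container, but worth noting in the comment.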