unofficial mirror of guix-devel@gnu.org 
* WIP Java certificates
@ 2016-06-15 13:48 Ricardo Wurmus
  2016-06-16  7:12 ` Ricardo Wurmus
  2016-06-16 11:21 ` Ludovic Courtès
  0 siblings, 2 replies; 3+ messages in thread
From: Ricardo Wurmus @ 2016-06-15 13:48 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1863 bytes --]

Hi Guix,

I noticed that IcedTea/OpenJDK does not actually generate a certificate
store at build time — the store at “$out/lib/security/cacerts” is
empty.  As a result, accessing websites via HTTPS fails.

I’m now attempting to write a package that provides such a keystore by
automatically importing all certificates from the nss-certs package.
This appears to work as far as I can tell from experiments in the REPL,
but I’ve run into a problem preventing me from actually building the
package.

As soon as I add

     #:use-module (gnu packages certs)

to the module definition of “(gnu packages java)” Guix complains with
errors that are usually indicative of a module loop.  Attached is a
patch to master.

Here are the errors I get when trying to build the package:

~~~~~~~~~~~~~~~~~~~~~~~
./pre-inst-env guix build java-nss-certs-keystore
guix build: warning: failed to load '(gnu packages abiword)':
ERROR: In procedure module-lookup: Unbound variable: nss
guix build: warning: failed to load '(gnu packages avr)':
ERROR: In procedure module-lookup: Unbound variable: gnu-make
guix build: warning: failed to load '(gnu packages bioinformatics)':
ERROR: In procedure module-lookup: Unbound variable: perl-libwww
guix build: warning: failed to load '(gnu packages make-bootstrap)':
ERROR: no binding `%final-inputs' in module (gnu packages commencement)
guix build: warning: failed to load '(gnu packages mate)':
ERROR: In procedure module-lookup: Unbound variable: gtk+
guix build: warning: failed to load '(gnu packages unrtf)':
ERROR: In procedure module-lookup: Unbound variable: coreutils
guix build: error: java-nss-certs-keystore: unknown package
~~~~~~~~~~~~~~~~~~~~~~~

Do you have an idea what’s going on here?  “(gnu packages certs)” is not
used by any other module.

~~ Ricardo



[-- Attachment #2: 0001-WIP-java-certs.patch --]
[-- Type: text/x-patch, Size: 4693 bytes --]

From d59da0b155d7fc246811edaf0ee3673cdd705ce2 Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <rekado@elephly.net>
Date: Wed, 15 Jun 2016 09:23:00 +0200
Subject: [PATCH] WIP: java certs

---
 gnu/packages/java.scm | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index e165193..69cf43d 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -24,8 +24,10 @@
   #:use-module (guix download)
   #:use-module (guix utils)
   #:use-module (guix build-system ant)
+  #:use-module (guix build-system trivial)
   #:use-module (guix build-system gnu)
   #:use-module (gnu packages)
+  #:use-module (gnu packages certs)
   #:use-module (gnu packages attr)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages base)
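Review bot: the new `+  #:use-module (gnu packages certs)` line is the most likely origin of the module cycle described in the message, so it is worth checking the import chain here before debugging the builder itself. `nss-certs` in certs.scm takes its source from `nss` in `(gnu packages gnuzilla)`, and the `Unbound variable: nss` failure while loading `(gnu packages abiword)` is consistent with that chain being re-entered while `(gnu packages java)` is still half-loaded. Instead of importing certs.scm into java.scm, consider defining the keystore package in certs.scm (where `nss-certs` is already in scope and a `#:use-module (gnu packages java)` may not close a loop) or in a fresh module that imports both, so that no existing module gains a new dependency edge. The `(guix build-system trivial)` import is fine and should move together with the package definition wherever it ends up.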
@@ -47,6 +49,7 @@
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages mit-krb5)
+  #:use-module (gnu packages tls)
   #:use-module (gnu packages xml)
   #:use-module (gnu packages xorg)
   #:use-module (gnu packages zip)
@@ -840,6 +843,87 @@ build process and its dependencies, whereas Make uses Makefile format.")
 
 (define-public icedtea icedtea-7)
 
+(define-public java-nss-certs-keystore
+  (package
+    (name "java-nss-certs-keystore")
+    (version (package-version nss-certs))
+    (source #f)
+    (build-system trivial-build-system)
+    (arguments
+     `(#:modules ((guix build utils)
+                  (ice-9 rdelim)
+                  (ice-9 popen))
+       #:builder
+       (begin
+         (use-modules (guix build utils)
+                      (ice-9 rdelim)
+                      (ice-9 popen))
+         (let* ((target-dir (string-append %output "/lib/security/"))
+                (keystore   (string-append target-dir "cacerts"))
+                (certs-dir  (string-append
+                             (assoc-ref %build-inputs "nss-certs")
+                             "/etc/ssl/certs/"))
+                (now        (current-time)))
+
+           (define (valid? cert)
+             (let ((enddate (let* ((port (open-pipe* OPEN_READ
+                                                     "openssl"
+                                                     "x509" "-enddate"
+                                                     "-in" cert))
+                                   (str  (read-line port)))
+                              (close-pipe port)
+                              (string->date str "~b ~d ~H:~M:~S ~Y"))))
+               (time>? (date->time-utc enddate) now)))
+
+           (define (extract-cert file target)
+             (call-with-input-file file
+               (lambda (in)
+                 (call-with-output-file target
+                   (lambda (out)
+                     (let loop ((line (read-line in 'concat))
+                                (copying? #f))
+                       (cond
+                        ((eof-object? line) #t)
+                        ((string-prefix? "-----BEGIN" line)
+                         (display line out)
+                         (loop (read-line in 'concat) #t))
+                        ((string-prefix? "-----END" line)
+                         (display line out)
+                         #t)
+                        (else
+                         (when copying? (display line out))
+                         (loop (read-line in 'concat) copying?)))))))))
+
+           (define (import-cert cert)
+             (let ((tmp (tmpfile)))
+               (extract-cert cert tmp)
+               (let ((port (open-pipe* OPEN_WRITE
+                                       (which "keytool")
+                                       "-import"
+                                       "-alias" (basename cert)
+                                       "-keystore" keystore
+                                       "-storepass" "changeit"
+                                       "-file" tmp)))
+                 (display "yes\n" port)
+                 (when (not (eqv? 0 (status:exit-val (close-pipe port))))
+                   (error "Failed to import certificate.")))
+               (delete-file tmp)))
+
+           (mkdir-p target-dir)
+           (for-each import-cert
+                     (filter valid? (find-files certs-dir "\\.pem$")))
+           #t))))
+    (inputs
+     `(("nss-certs" ,nss-certs)))
+    (native-inputs
+     `(("jre" ,icedtea)
+       ("openssl" ,openssl)
+       ("coreutils" ,coreutils)))
+    (home-page "TODO")
+    (synopsis "TODO")
+    (description "TODO")
+    (license (package-license nss-certs))))
+
 (define-public java-xz
   (package
    (name "java-xz")
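Review bot: `import-cert` treats `(tmpfile)` as a file name, but in Guile `tmpfile` returns an open port, so `(extract-cert cert tmp)` hands a port to `call-with-output-file` and `(delete-file tmp)` can never succeed; write the extracted block to a path in the build directory instead, e.g. `(string-append (getcwd) "/" (basename cert))`, or use `mkstemp!` and take `port-filename` of the result. Two more things stop the builder before any certificate is imported: trivial-build-system leaves `PATH` unset, so `(which "keytool")` finds nothing and `open-pipe*` cannot locate `"openssl"` until the builder sets `PATH` from `%build-inputs` (the `jre` and `openssl` `bin/` directories; `coreutils` is listed but nothing in the builder uses it); and `string->date`, `date->time-utc` and `time>?` come from `(srfi srfi-19)`, which appears in neither `#:modules` nor `use-modules` (once it is imported, its `current-time` shadows the core one, so `now` becomes the SRFI-19 time object that `time>?` expects rather than an integer). In `valid?`, `openssl x509 -enddate` prints a line of the form `notAfter=Jun 15 09:23:00 2026 GMT`, so the `notAfter=` prefix must be stripped before `string->date`, and adding `-noout` keeps the PEM body out of the pipe. keytool accepts `-noprompt`, which is more robust than writing `yes\n` to its stdin. Finally, filtering on the build-time clock makes the derivation's output depend on when it is built, which defeats reproducibility for a package whose only content is the trust store; consider importing everything `nss-certs` ships and leaving expiry to the TLS client at connection time, or at least record the trade-off in the TODO description.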
-- 
2.8.3
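The procedure the message describes (take the PEM files `nss-certs` ships, feed each one to `keytool`, end up with a populated `cacerts`) as a stand-alone shell walk-through, added here as an example and not taken from the thread or from Guix. It splits a bundle into one certificate per file with awk, imports each as a trusted entry with `keytool -importcert -noprompt`, and counts the resulting `trustedCertEntry` lines, which is the quick check for the empty-store symptom reported above. The sample bundle is constructed with placeholder bodies (not real certificates) so the splitter can be exercised offline; the real bundle path is an assumption, and `changeit` is the conventional `cacerts` password the patch also uses.

```shell
#!/bin/sh
# Added example (not Guix code): build a Java cacerts keystore from PEM
# certificates with keytool and check that it is not empty.
set -eu

# split_pem BUNDLE OUTDIR
# Write OUTDIR/cert-N.pem for each BEGIN/END CERTIFICATE block in BUNDLE,
# dropping anything outside the markers, and print how many were written.
split_pem() {
  bundle=$1
  outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; copying = 1 }
    copying                        { print > f }
    /^-----END CERTIFICATE-----/   { if (copying) close(f); copying = 0 }
    END                            { print n + 0 }
  ' "$bundle"
}

# import_all CERTDIR KEYSTORE
# Import every cert-*.pem in CERTDIR as a trusted entry.  -noprompt answers
# the "Trust this certificate?" question, so nothing has to be piped to
# stdin; the alias is the file name and must be unique within the store.
# "changeit" is the conventional cacerts password (also used in the patch).
import_all() {
  certdir=$1
  keystore=$2
  for cert in "$certdir"/cert-*.pem; do
    name=$(basename "$cert" .pem)
    keytool -importcert -noprompt -alias "$name" -file "$cert" \
      -keystore "$keystore" -storepass changeit
  done
}

# count_entries KEYSTORE
# Number of trusted certificate entries; the empty cacerts described in the
# message would report 0 here.
count_entries() {
  keytool -list -keystore "$1" -storepass changeit | grep -c trustedCertEntry || true
}

# Constructed sample bundle: two PEM blocks with placeholder bodies (not real
# certificates) plus a comment line that must not end up in any output file.
WORK=$(mktemp -d)
cat > "$WORK/bundle.pem" <<'EOF'
# Example Root CA bundle (constructed for this example)
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCAone
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCAtwo
-----END CERTIFICATE-----
EOF

COUNT=$(split_pem "$WORK/bundle.pem" "$WORK/certs")
echo "split $COUNT certificate(s) into $WORK/certs"

# With a real bundle (the path is an assumption; a Guix profile exposes one
# under etc/ssl/certs) the remaining steps are:
#   split_pem /path/to/ca-certificates.crt "$WORK/certs"
#   import_all "$WORK/certs" "$WORK/cacerts"
#   count_entries "$WORK/cacerts"
```

The import step is kept out of the top-level flow on purpose: the placeholder bodies are not parseable certificates, and `keytool` would reject them, so only the splitter runs against the constructed input.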


Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
