* WIP Java certificates
@ 2016-06-15 13:48 Ricardo Wurmus
From: Ricardo Wurmus @ 2016-06-15 13:48 UTC (permalink / raw)
To: guix-devel
Hi Guix,
I noticed that IcedTea/OpenJDK does not actually generate a certificate
store at build time — the store at “$out/lib/security/cacerts” is
empty. As a result, accessing websites via HTTPS fails.
I’m now attempting to write a package that provides such a keystore by
automatically importing all certificates from the nss-certs package.
This appears to work as far as I can tell from experiments in the REPL,
but I’ve run into a problem preventing me from actually building the
package.
As soon as I add
#:use-module (gnu packages certs)
to the module definition of “(gnu packages java)” Guix complains with
errors that are usually indicative of a module loop. Attached is a
patch to master.
Here are the errors I get when trying to build the package:
~~~~~~~~~~~~~~~~~~~~~~~
./pre-inst-env guix build java-nss-certs-keystore
guix build: warning: failed to load '(gnu packages abiword)':
ERROR: In procedure module-lookup: Unbound variable: nss
guix build: warning: failed to load '(gnu packages avr)':
ERROR: In procedure module-lookup: Unbound variable: gnu-make
guix build: warning: failed to load '(gnu packages bioinformatics)':
ERROR: In procedure module-lookup: Unbound variable: perl-libwww
guix build: warning: failed to load '(gnu packages make-bootstrap)':
ERROR: no binding `%final-inputs' in module (gnu packages commencement)
guix build: warning: failed to load '(gnu packages mate)':
ERROR: In procedure module-lookup: Unbound variable: gtk+
guix build: warning: failed to load '(gnu packages unrtf)':
ERROR: In procedure module-lookup: Unbound variable: coreutils
guix build: error: java-nss-certs-keystore: unknown package
~~~~~~~~~~~~~~~~~~~~~~~
Do you have an idea what’s going on here? “(gnu packages certs)” is not
used by any other module.
~~ Ricardo
[-- Attachment #2: 0001-WIP-java-certs.patch --]
From d59da0b155d7fc246811edaf0ee3673cdd705ce2 Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <rekado@elephly.net>
Date: Wed, 15 Jun 2016 09:23:00 +0200
Subject: [PATCH] WIP: java certs
---
gnu/packages/java.scm | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index e165193..69cf43d 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -24,8 +24,10 @@
#:use-module (guix download)
#:use-module (guix utils)
#:use-module (guix build-system ant)
+ #:use-module (guix build-system trivial)
#:use-module (guix build-system gnu)
#:use-module (gnu packages)
+ #:use-module (gnu packages certs)
#:use-module (gnu packages attr)
#:use-module (gnu packages autotools)
#:use-module (gnu packages base)
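Review bot: the added `#:use-module (gnu packages certs)` line is what closes the module cycle reported in the thread: certs.scm refers to `nss` from (gnu packages gnuzilla) at top level, and gnuzilla.scm reaches (gnu packages java) through its own imports, so whichever of the two modules is loaded first finds the other's top-level bindings unbound. Either keep the keystore package out of java.scm (define it in certs.scm, as the follow-up does) or make `nss-certs` stop inheriting from `nss` so certs.scm no longer needs gnuzilla.scm.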
@@ -47,6 +49,7 @@
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages perl)
#:use-module (gnu packages mit-krb5)
+ #:use-module (gnu packages tls)
#:use-module (gnu packages xml)
#:use-module (gnu packages xorg)
#:use-module (gnu packages zip)
@@ -840,6 +843,87 @@ build process and its dependencies, whereas Make uses Makefile format.")
(define-public icedtea icedtea-7)
+(define-public java-nss-certs-keystore
+ (package
+ (name "java-nss-certs-keystore")
+ (version (package-version nss-certs))
+ (source #f)
+ (build-system trivial-build-system)
+ (arguments
+ `(#:modules ((guix build utils)
+ (ice-9 rdelim)
+ (ice-9 popen))
+ #:builder
+ (begin
+ (use-modules (guix build utils)
+ (ice-9 rdelim)
+ (ice-9 popen))
+ (let* ((target-dir (string-append %output "/lib/security/"))
+ (keystore (string-append target-dir "cacerts"))
+ (certs-dir (string-append
+ (assoc-ref %build-inputs "nss-certs")
+ "/etc/ssl/certs/"))
+ (now (current-time)))
+
+ (define (valid? cert)
+ (let ((enddate (let* ((port (open-pipe* OPEN_READ
+ "openssl"
+ "x509" "-enddate"
+ "-in" cert))
+ (str (read-line port)))
+ (close-pipe port)
+ (string->date str "~b ~d ~H:~M:~S ~Y"))))
+ (time>? (date->time-utc enddate) now)))
+
+ (define (extract-cert file target)
+ (call-with-input-file file
+ (lambda (in)
+ (call-with-output-file target
+ (lambda (out)
+ (let loop ((line (read-line in 'concat))
+ (copying? #f))
+ (cond
+ ((eof-object? line) #t)
+ ((string-prefix? "-----BEGIN" line)
+ (display line out)
+ (loop (read-line in 'concat) #t))
+ ((string-prefix? "-----END" line)
+ (display line out)
+ #t)
+ (else
+ (when copying? (display line out))
+ (loop (read-line in 'concat) copying?)))))))))
+
+ (define (import-cert cert)
+ (let ((tmp (tmpfile)))
+ (extract-cert cert tmp)
+ (let ((port (open-pipe* OPEN_WRITE
+ (which "keytool")
+ "-import"
+ "-alias" (basename cert)
+ "-keystore" keystore
+ "-storepass" "changeit"
+ "-file" tmp)))
+ (display "yes\n" port)
+ (when (not (eqv? 0 (status:exit-val (close-pipe port))))
+ (error "Failed to import certificate.")))
+ (delete-file tmp)))
+
+ (mkdir-p target-dir)
+ (for-each import-cert
+ (filter valid? (find-files certs-dir "\\.pem$")))
+ #t))))
+ (inputs
+ `(("nss-certs" ,nss-certs)))
+ (native-inputs
+ `(("jre" ,icedtea)
+ ("openssl" ,openssl)
+ ("coreutils" ,coreutils)))
+ (home-page "TODO")
+ (synopsis "TODO")
+ (description "TODO")
+ (license (package-license nss-certs))))
+
(define-public java-xz
(package
(name "java-xz")
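Review bot: `(tmpfile)` in `import-cert` returns an open port, not a file name, so `extract-cert` (which hands it to `call-with-output-file`) and `keytool -file` cannot use it; create a named file with `mkstemp!` and `port-filename`, or simply write to a fixed path in the build directory and delete it afterwards. Two further problems in the builder: `string->date`, `date->time-utc`, `time>?` and the `current-time` that returns a time object all come from (srfi srfi-19), which appears in neither `#:modules` nor the `use-modules` form, so `valid?` will fail with an unbound variable; and `openssl x509 -enddate` prints `notAfter=Jun 27 10:45:12 2030 GMT`, so the `"~b ~d ~H:~M:~S ~Y"` format can only match after the `notAfter=` prefix is stripped (using `-noout` also avoids the certificate body following the date line). Filtering on the build clock makes the set of imported certificates depend on the build date, and JKS records a creation timestamp per entry, which is why the keystore will not be reproducible even once the filter is fixed. `-storepass changeit` is the conventional password for `cacerts` and is fine here; `-noprompt` would replace the `yes` written to keytool's stdin.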
--
2.8.3
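As an added example (not Ricardo's Guile code and not anything in Guix), the builder's two helper steps in Python: pulling certificate blocks out of a PEM file and deciding validity from the `notAfter=` line that `openssl x509 -enddate -noout` prints, compared against a caller-supplied reference time rather than the build clock, plus the `keytool` argument list with `-noprompt`. The sample PEM is constructed (the base64 is not a real certificate) and the openssl output format is assumed from its usual `notAfter=` line.

```python
import os
import re
from datetime import datetime, timezone

# Constructed sample input (not real certificates): text around the
# base64 block, as `openssl x509 -text` prints it, then a second block.
SAMPLE_PEM = """Certificate:
    Data:
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
trailing notes that must not reach keytool
-----BEGIN CERTIFICATE-----
MDEyMzQ1Njc4OQ==
-----END CERTIFICATE-----
"""

# Line printed by `openssl x509 -enddate -noout`, e.g.
# "notAfter=Jun  7 10:45:12 2030 GMT": prefix plus space-padded day.
ENDDATE_RE = re.compile(r"notAfter=(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\d{4}) GMT")

def extract_cert_blocks(pem_text):
    """Every BEGIN..END CERTIFICATE block, markers included; unlike the
    patch's extract-cert it does not stop after the first END."""
    blocks, current = [], None
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN"):
            current = [line]
        elif line.startswith("-----END") and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def parse_enddate(line):
    """Parse the -enddate line into a UTC datetime."""
    m = ENDDATE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unexpected -enddate output: {line!r}")
    mon, day, hms, year = m.groups()
    return datetime.strptime(f"{mon} {day} {hms} {year}",
                             "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def still_valid(enddate_line, reference):
    """True if the certificate expires after `reference`; a fixed reference
    instead of the build clock keeps the selection reproducible."""
    return parse_enddate(enddate_line) > reference

def keytool_import_args(alias, keystore, cert_path, storepass="changeit"):
    """argv for a non-interactive import; -noprompt replaces the "yes"
    the builder writes to keytool's stdin."""
    return ["keytool", "-importcert", "-noprompt", "-alias", alias,
            "-keystore", keystore, "-storepass", storepass, "-file", cert_path]

def import_plan(cert_enddates, keystore, reference):
    """(pem_path, -enddate line) pairs -> one keytool argv per still-valid
    certificate, aliased by file name as in the patch."""
    return [keytool_import_args(os.path.basename(path), keystore, path)
            for path, line in cert_enddates if still_valid(line, reference)]
```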
* Re: WIP Java certificates
From: Ricardo Wurmus @ 2016-06-16 7:12 UTC (permalink / raw)
To: guix-devel
Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> writes:
> I noticed that IcedTea/OpenJDK does not actually generate a certificate
> store at build time — the store at “$out/lib/security/cacerts” is
> empty. As a result, accessing websites via HTTPS fails.
With some modifications to the patch (and by moving it from java.scm to
certs.scm) I managed to build a keystore from nss-certs. I confirmed
that it works by starting a Java application with these additional
options:
-Djavax.net.debug=ssl
-Djavax.net.ssl.trustStore=/gnu/store/62j3i7666wa3hwrlsgzjnx766fs4j06g-java-nss-certs-keystore-3.23/lib/security/cacerts
(Unfortunately, it is not deterministic yet.)
To make this available without the trustStore option I would need to
convert my package into a build phase for the icedtea packages.
However, I cannot do this as using the “certs” module in the “java”
module breaks Guix.
> As soon as I add
>
> #:use-module (gnu packages certs)
>
> to the module definition of “(gnu packages java)” Guix complains with
> errors that are usually indicative of a module loop. Attached is a
> patch to master.
>
> Here are the errors I get when trying to build the package:
>
> ~~~~~~~~~~~~~~~~~~~~~~~
> ./pre-inst-env guix build java-nss-certs-keystore
> guix build: warning: failed to load '(gnu packages abiword)':
> ERROR: In procedure module-lookup: Unbound variable: nss
> guix build: warning: failed to load '(gnu packages avr)':
> ERROR: In procedure module-lookup: Unbound variable: gnu-make
> guix build: warning: failed to load '(gnu packages bioinformatics)':
> ERROR: In procedure module-lookup: Unbound variable: perl-libwww
> guix build: warning: failed to load '(gnu packages make-bootstrap)':
> ERROR: no binding `%final-inputs' in module (gnu packages commencement)
> guix build: warning: failed to load '(gnu packages mate)':
> ERROR: In procedure module-lookup: Unbound variable: gtk+
> guix build: warning: failed to load '(gnu packages unrtf)':
> ERROR: In procedure module-lookup: Unbound variable: coreutils
> guix build: error: java-nss-certs-keystore: unknown package
> ~~~~~~~~~~~~~~~~~~~~~~~
Any hints as to how I can debug this?
~~ Ricardo
* Re: WIP Java certificates
From: Ludovic Courtès @ 2016-06-16 11:21 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel
Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> writes:
> As soon as I add
>
> #:use-module (gnu packages certs)
>
> to the module definition of “(gnu packages java)” Guix complains with
> errors that are usually indicative of a module loop. Attached is a
> patch to master.
>
> Here are the errors I get when trying to build the package:
>
> ~~~~~~~~~~~~~~~~~~~~~~~
> ./pre-inst-env guix build java-nss-certs-keystore
> guix build: warning: failed to load '(gnu packages abiword)':
> ERROR: In procedure module-lookup: Unbound variable: nss
> guix build: warning: failed to load '(gnu packages avr)':
> ERROR: In procedure module-lookup: Unbound variable: gnu-make
> guix build: warning: failed to load '(gnu packages bioinformatics)':
> ERROR: In procedure module-lookup: Unbound variable: perl-libwww
> guix build: warning: failed to load '(gnu packages make-bootstrap)':
> ERROR: no binding `%final-inputs' in module (gnu packages commencement)
> guix build: warning: failed to load '(gnu packages mate)':
> ERROR: In procedure module-lookup: Unbound variable: gtk+
> guix build: warning: failed to load '(gnu packages unrtf)':
> ERROR: In procedure module-lookup: Unbound variable: coreutils
> guix build: error: java-nss-certs-keystore: unknown package
> ~~~~~~~~~~~~~~~~~~~~~~~
First, a debugging trick:
--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guile
GNU Guile 2.0.11.156-c3f95-dirty
Copyright (C) 1995-2016 Free Software Foundation, Inc.
Guile comes with ABSOLUTELY NO WARRANTY; for details type `,show w'.
This program is free software, and you are welcome to redistribute it
under certain conditions; type `,show c' for details.
Enter `,help' for help.
scheme@(guile-user)> (load "gnu/packages/abiword.scm")
gnu/packages/certs.scm:75:10: In procedure #<procedure 3dc3ea0 ()>:
gnu/packages/certs.scm:75:10: In procedure module-lookup: Unbound variable: nss
Entering a new prompt. Type `,bt' for a backtrace or `,q' to continue.
scheme@(gnu packages certs) [1]> ,bt
In ice-9/boot-9.scm:
2401:4 417 (save-module-excursion #<procedure 29b0680 at ice-9/boot-9.scm:4045:3 ()>)
4052:9 416 (#<procedure 29b0680 at ice-9/boot-9.scm:4045:3 ()>)
In unknown file:
415 (load-compiled/vm "/home/ludo/src/guix/gnu/packages/abiword.go")
In gnu/packages/abiword.scm:
20:0 414 (#<procedure 28ef240 ()>)
In ice-9/boot-9.scm:
2951:4 413 (define-module* (gnu packages abiword) #:filename "gnu/packages/abiword.scm" #:pure #f #:version #f …)
[...]
In unknown file:
64 (primitive-load-path "gnu/packages/gnuzilla" #<procedure 3b232c0 at ice-9/boot-9.scm:3072:32 ()>)
In gnu/packages/gnuzilla.scm:
23:0 63 (#<procedure 3b402e0 ()>)
In ice-9/boot-9.scm:
2951:4 62 (define-module* (gnu packages gnuzilla) #:filename "gnu/packages/gnuzilla.scm" #:pure #f #:version # …)
2926:10 61 (resolve-imports (((srfi srfi-1) #:hide (zip)) ((gnu packages)) ((guix licenses) #:prefix #) ((…)) …))
2864:2 60 (resolve-interface (gnu packages gstreamer) #:select #f #:hide #<variable 3b57280 value: ()> # #f # …)
2789:10 59 (#<procedure 2214640 at ice-9/boot-9.scm:2777:4 (name #:optional autoload version #:key ensure)> (…) …)
3065:16 58 (try-module-autoload (gnu packages gstreamer) #f)
2401:4 57 (save-module-excursion #<procedure 3b13270 at ice-9/boot-9.scm:3066:17 ()>)
3085:22 56 (#<procedure 3b13270 at ice-9/boot-9.scm:3066:17 ()>)
In unknown file:
55 (primitive-load-path "gnu/packages/gstreamer" #<procedure 3b593e0 at ice-9/boot-9.scm:3072:32 ()>)
In gnu/packages/gstreamer.scm:
23:0 54 (#<procedure 3b65640 ()>)
In ice-9/boot-9.scm:
2951:4 53 (define-module* (gnu packages gstreamer) #:filename "gnu/packages/gstreamer.scm" #:pure #f #:version …)
2926:10 52 (resolve-imports (((guix licenses) #:select (lgpl2.0+ lgpl2.1+ bsd-2 bsd-3 gpl2+)) ((guix #)) (#) …))
2864:2 51 (resolve-interface (gnu packages cdrom) #:select #f #:hide #<variable 3b661b0 value: ()> #:prefix #f …)
2789:10 50 (#<procedure 2214640 at ice-9/boot-9.scm:2777:4 (name #:optional autoload version #:key ensure)> (…) …)
3065:16 49 (try-module-autoload (gnu packages cdrom) #f)
2401:4 48 (save-module-excursion #<procedure 3b20ea0 at ice-9/boot-9.scm:3066:17 ()>)
3085:22 47 (#<procedure 3b20ea0 at ice-9/boot-9.scm:3066:17 ()>)
In unknown file:
46 (primitive-load-path "gnu/packages/cdrom" #<procedure 3b68ae0 at ice-9/boot-9.scm:3072:32 ()>)
In gnu/packages/cdrom.scm:
24:0 45 (#<procedure 3b75960 ()>)
In ice-9/boot-9.scm:
2951:4 44 (define-module* (gnu packages cdrom) #:filename "gnu/packages/cdrom.scm" #:pure #f #:version #f # # …)
2926:10 43 (resolve-imports (((guix download)) ((guix packages)) ((guix licenses) #:select (lgpl2.1+ # # …)) …))
2864:2 42 (resolve-interface (gnu packages wget) #:select #f #:hide #<variable 3b96900 value: ()> #:prefix #f …)
2789:10 41 (#<procedure 2214640 at ice-9/boot-9.scm:2777:4 (name #:optional autoload version #:key ensure)> (…) …)
3065:16 40 (try-module-autoload (gnu packages wget) #f)
2401:4 39 (save-module-excursion #<procedure 3b20600 at ice-9/boot-9.scm:3066:17 ()>)
3085:22 38 (#<procedure 3b20600 at ice-9/boot-9.scm:3066:17 ()>)
In unknown file:
37 (primitive-load-path "gnu/packages/wget" #<procedure 3b8c120 at ice-9/boot-9.scm:3072:32 ()>)
In gnu/packages/wget.scm:
20:0 36 (#<procedure 3b95c20 ()>)
In ice-9/boot-9.scm:
2951:4 35 (define-module* (gnu packages wget) #:filename "gnu/packages/wget.scm" #:pure #f #:version #f # () # …)
2926:10 34 (resolve-imports (((guix licenses)) ((gnu packages libidn)) ((gnu packages python)) ((gnu # #)) # …))
2864:2 33 (resolve-interface (gnu packages web) #:select #f #:hide #<variable 3b9c5e0 value: ()> #:prefix #f # …)
2789:10 32 (#<procedure 2214640 at ice-9/boot-9.scm:2777:4 (name #:optional autoload version #:key ensure)> (…) …)
3065:16 31 (try-module-autoload (gnu packages web) #f)
2401:4 30 (save-module-excursion #<procedure 3b20480 at ice-9/boot-9.scm:3066:17 ()>)
3085:22 29 (#<procedure 3b20480 at ice-9/boot-9.scm:3066:17 ()>)
In unknown file:
28 (primitive-load-path "gnu/packages/web" #<procedure 3b95480 at ice-9/boot-9.scm:3072:32 ()>)
In gnu/packages/web.scm:
32:0 27 (#<procedure 3c0d6e0 ()>)
In ice-9/boot-9.scm:
2951:4 26 (define-module* (gnu packages web) #:filename "gnu/packages/web.scm" #:pure #f #:version #f # () # # …)
2926:10 25 (resolve-imports (((ice-9 match)) ((guix licenses) #:prefix l:) ((guix packages)) ((guix #)) ((…)) …))
2864:2 24 (resolve-interface (gnu packages statistics) #:select #f #:hide #<variable 3cb5c00 value: ()> # #f # …)
2789:10 23 (#<procedure 2214640 at ice-9/boot-9.scm:2777:4 (name #:optional autoload version #:key ensure)> (…) …)
3065:16 22 (try-module-autoload (gnu packages statistics) #f)
2401:4 21 (save-module-excursion #<procedure 3c643f0 at ice-9/boot-9.scm:3066:17 ()>)
3085:22 20 (#<procedure 3c643f0 at ice-9/boot-9.scm:3066:17 ()>)
In unknown file:
19 (primitive-load-path "gnu/packages/statistics" #<procedure 3cb2120 at ice-9/boot-9.scm:3072:32 ()>)
In gnu/packages/statistics.scm:
25:0 18 (#<procedure 3cdc940 ()>)
In ice-9/boot-9.scm:
2951:4 17 (define-module* (gnu packages statistics) #:filename "gnu/packages/statistics.scm" #:pure #f # #f # …)
2926:10 16 (resolve-imports (((guix licenses) #:prefix license:) ((guix packages)) ((guix download)) ((# #)) …))
2864:2 15 (resolve-interface (gnu packages java) #:select #f #:hide #<variable 3405b40 value: ()> #:prefix #f …)
2789:10 14 (#<procedure 2214640 at ice-9/boot-9.scm:2777:4 (name #:optional autoload version #:key ensure)> (…) …)
3065:16 13 (try-module-autoload (gnu packages java) #f)
2401:4 12 (save-module-excursion #<procedure 33527e0 at ice-9/boot-9.scm:3066:17 ()>)
3085:22 11 (#<procedure 33527e0 at ice-9/boot-9.scm:3066:17 ()>)
In unknown file:
10 (primitive-load-path "gnu/packages/java" #<procedure 335d9e0 at ice-9/boot-9.scm:3072:32 ()>)
In gnu/packages/java.scm:
21:0 9 (#<procedure 33f6800 ()>)
In ice-9/boot-9.scm:
2951:4 8 (define-module* (gnu packages java) #:filename "gnu/packages/java.scm" #:pure #f #:version #f # () # …)
2926:10 7 (resolve-imports (((guix licenses) #:prefix license:) ((gnu packages certs)) ((guix packages)) (#) …))
2864:2 6 (resolve-interface (gnu packages certs) #:select #f #:hide #<variable 360cfe0 value: ()> #:prefix #f …)
2789:10 5 (#<procedure 2214640 at ice-9/boot-9.scm:2777:4 (name #:optional autoload version #:key ensure)> (…) …)
3065:16 4 (try-module-autoload (gnu packages certs) #f)
2401:4 3 (save-module-excursion #<procedure 3352300 at ice-9/boot-9.scm:3066:17 ()>)
3085:22 2 (#<procedure 3352300 at ice-9/boot-9.scm:3066:17 ()>)
In unknown file:
1 (primitive-load-path "gnu/packages/certs" #<procedure 3dc0660 at ice-9/boot-9.scm:3072:32 ()>)
In gnu/packages/certs.scm:
75:10 0 (#<procedure 3dc3ea0 ()>)
scheme@(gnu packages certs) [1]> ,error
gnu/packages/certs.scm:75:10: In procedure #<procedure 3dc3ea0 ()>:
gnu/packages/certs.scm:75:10: In procedure module-lookup: Unbound variable: nss
--8<---------------cut here---------------end--------------->8---
The problem is that certs.scm references ‘nss’ from (gnu packages
gnuzilla) at the top level.
However, it turns out that adding this #:use-module line means that
gnuzilla.scm now indirectly depends on certs.scm.
When we load (gnu packages abiword), we end up loading gnuzilla.scm
first, which then loads certs.scm; however, at that point, ‘nss’ isn’t
bound yet in (gnu packages gnuzilla), hence the error.
The solution is to not have cross-module top-level references.
That is, ‘nss-certs’ should be defined in the same module as ‘nss’, or
it could simply not inherit from ‘nss’, which is probably fine since it
doesn’t share much with ‘nss’ (patch below).
Thoughts?
Obviously this circular dependency story is not as nice as we’d like,
but that’s how Guile works currently. In an ideal world, Guile would
not have to evaluate the whole module upfront when it loads it.
Thanks,
Ludo’.
[-- Attachment #2: Type: text/x-patch, Size: 1752 bytes --]
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index dd7d339..9967cd2 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -24,7 +24,6 @@
#:use-module (guix build-system gnu)
#:use-module (guix build-system trivial)
#:use-module (gnu packages)
- #:use-module (gnu packages gnuzilla)
#:use-module (gnu packages python)
#:use-module (gnu packages perl)
#:use-module (gnu packages tls))
@@ -71,8 +70,20 @@
(home-page "http://pkgs.fedoraproject.org/cgit/ca-certificates.git/")))
(define-public nss-certs
- (package (inherit nss) ; to reuse the source, version and some metadata
+ (package
(name "nss-certs")
+ (version "3.23")
+ (source (origin
+ (method url-fetch)
+ (uri (let ((version-with-underscores
+ (string-join (string-split version #\.) "_")))
+ (string-append
+ "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+ "releases/NSS_" version-with-underscores "_RTM/src/"
+ "nss-" version ".tar.gz")))
+ (sha256
+ (base32
+ "1kqidv91icq96m9m8zx50n7px08km2l88458rkgyjwcn3kiq7cwl"))))
(build-system gnu-build-system)
(outputs '("out"))
(native-inputs
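Review bot: with the `inherit` gone, the `version` and the sha256 on these lines are now a copy of the ones carried by `nss` in gnuzilla.scm, so every NSS update has to be applied in both places; if only one is bumped, nss-certs keeps shipping the CA bundle of an older release without any error. A comment next to `(version "3.23")` pointing at `nss`, or a shared version/hash binding in a module neither package depends on, would make that coupling visible.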
@@ -124,4 +135,7 @@
(synopsis "CA certificates from Mozilla")
(description
"This package provides certificates for Certification Authorities (CA)
-taken from the NSS package and thus ultimately from the Mozilla project.")))
+taken from the NSS package and thus ultimately from the Mozilla project.")
+ (home-page
+ "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
+ (license license:mpl2.0)))
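Review bot: `license:mpl2.0` assumes certs.scm imports (guix licenses) with `#:prefix license:`; the `#:use-module` context shown in the first hunk does not include that line, so check it is present, otherwise this is the same kind of unbound-variable failure the patch sets out to fix. Previously the license came from `nss` through `inherit`, so stating it explicitly here is the right thing to do.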