From: Ricardo Wurmus
Subject: Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
Date: Tue, 19 Jul 2016 15:03:23 +0200
References: <20160718115941.17707-1-ricardo.wurmus@mdc-berlin.de> <20160718115941.17707-4-ricardo.wurmus@mdc-berlin.de> <87fur5lrje.fsf@gnu.org>
In-Reply-To: <87fur5lrje.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel@gnu.org

Ludovic Courtès writes:

> Ricardo Wurmus skribis:
>
>> From: Ricardo Wurmus
>>
>> * gnu/packages/java.scm (icedtea-6)[arguments]: Add phase
>> "install-keystore".
>> [native-inputs]: Add nss-certs and openssl.
>
> [...]
>
>> + (add-after 'install 'install-keystore
>> + (lambda* (#:key inputs outputs #:allow-other-keys)
>
> Could you add a comment to explain what’s going on here?

Okay, I’ll add a comment.

> Too bad IcedTea’s build system doesn’t take care of that.

Yeah, there is an old bug report about this, but its resolution has been
pushed to later releases repeatedly. All distributions have their own
bash scripts to generate a keystore.
>> + (let* ((keystore "cacerts")
>> + (certs-dir (string-append (assoc-ref inputs "nss-certs")
>> + "/etc/ssl/certs"))
>> + (keytool (string-append (assoc-ref outputs "jdk")
>> + "/bin/keytool"))
>> + (openssl (which "openssl"))
>> + (recent (date->time-utc (string->date "2016-1-1"
>> + "~Y-~m-~d"))))
>> + (define (valid? cert)
>> + (let* ((port (open-pipe* OPEN_READ openssl
>> + "x509" "-enddate" "-in" cert "-noout"))
>> + (str (read-line port))
>> + (end (begin (close-pipe port)
>> + ;; TODO: use match?
>> + (cadr (string-split str #\=)))))
>
> Why not use ‘match’, indeed. :-) No big deal though.
>
>> + (time>? (date->time-utc
>> + (string->date end "~b ~d ~H:~M:~S ~Y")) recent)))
>> +
>> + (define (import-cert cert)
>> + (format #t "Importing certificate ~a\n" (basename cert))
>> + (let* ((port (open-pipe* OPEN_WRITE keytool
>> + "-import"
>> + "-alias" (basename cert)
>> + "-keystore" keystore
>> + "-storepass" "changeit"
>> + "-file" cert)))
>> + (display "yes\n" port)
>> + (when (not (eqv? 0 (status:exit-val (close-pipe port))))
>
> Maybe (zero? (status:exit-val …)).

Okay.

>> + (format (current-error-port)
>> + "Failed to import certificate.\n"))))
>
> Rather (error "failed to import" cert) so the process stops here.

Yes, that’s better. I changed this for testing purposes and forgot to
change it back.

>> + ;; This is necessary because the certificate directory contains
>> + ;; files with non-ASCII characters in their names.
>> + (setlocale LC_ALL "en_US.utf8")
>> + (setenv "LC_ALL" "en_US.utf8")
>> +
>> + (for-each import-cert
>> + (filter valid? (find-files certs-dir "\\.pem$")))
>
> Why do we need to filter out invalid certificates?
>
> The problem I see is that the result of ‘valid?’, and thus the output of
> the build process, depends on the build time, which isn’t great.
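Review bot: In ‘valid?’ the exit status of the openssl pipe is discarded and ‘str’ is never checked, so when openssl rejects a file ‘read-line’ returns the EOF object and ‘(cadr (string-split str #\=))’ fails with an unrelated type error instead of naming the offending certificate; keep the result of ‘(close-pipe port)’, test it with ‘status:exit-val’, check ‘(eof-object? str)’, and call ‘(error ...)’ with ‘cert’, the same way Ludovic suggests for ‘import-cert’. The "-storepass" "changeit" line also deserves a one-line comment saying this is the JDK’s default cacerts password and is kept on purpose so existing tools can open the store, and since the trust prompt is answered by writing "yes\n" into the pipe, keytool’s ‘-noprompt’ option would make that step less fragile.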
It actually depends on the arbitrary value of “recent”, which I set to
2016-1-1, but I must admit that I don’t know if we really must filter out
invalid certs at all. I don’t know if it is a problem if invalid certs
are part of the keystore. Maybe it’s not an issue.

~~ Ricardo