From mboxrd@z Thu Jan 1 00:00:00 1970
From: Roel Janssen
Subject: [PATCH] gnu: icedtea-8: Build keystore without id-ecPublicKey certificates.
Date: Fri, 10 Feb 2017 12:32:26 +0100
Message-ID:
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Return-path:
Received: from eggs.gnu.org ([2001:4830:134:3::10]:54587) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cc9RP-0006B1-Fp for guix-devel@gnu.org; Fri, 10 Feb 2017 06:32:40 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cc9RM-0001yO-9r for guix-devel@gnu.org; Fri, 10 Feb 2017 06:32:39 -0500
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:37300) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cc9RM-0001yH-5v for guix-devel@gnu.org; Fri, 10 Feb 2017 06:32:36 -0500
Received: from [143.121.198.177] (port=55456 helo=cog147) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1cc9RL-0003YA-Fy for guix-devel@gnu.org; Fri, 10 Feb 2017 06:32:35 -0500
List-Id: "Development of GNU Guix and the GNU System distribution."
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel"
To: guix-devel@gnu.org

--=-=-=
Content-Type: text/x-diff
Content-Disposition: attachment; filename=0001-gnu-icedtea-8-Build-keystore-without-id-ecPublicKey-.patch

>From 8383c24c8a3c723535fe59f700a5fd18c50b4780 Mon Sep 17 00:00:00 2001
From: Roel Janssen
Date: Fri, 10 Feb 2017 12:23:22 +0100
Subject: [PATCH] gnu: icedtea-8: Build keystore without id-ecPublicKey certificates.

* gnu/packages/java.scm (icedtea-8): Add 'install-keystore phase.
---
 gnu/packages/java.scm | 125 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 124 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 92cbe2a02..2b204d860 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm 
@@ -1025,7 +1025,130 @@ build process and its dependencies, whereas Make uses Makefile format.")
 #t)))
 ;; FIXME: This phase is needed but fails with this version of
 ;; IcedTea.
- (delete 'install-keystore)
+ (replace 'install-keystore
+ (lambda* (#:key inputs outputs #:allow-other-keys)
+ (let* ((keystore "cacerts")
+ (certs-dir (string-append (assoc-ref inputs "nss-certs")
+ "/etc/ssl/certs"))
+ (keytool (string-append (assoc-ref outputs "jdk")
+ "/bin/keytool")))
+ (define (extract-cert file target)
+ (call-with-input-file file
+ (lambda (in)
+ (call-with-output-file target
+ (lambda (out)
+ (let loop ((line (read-line in 'concat))
+ (copying? #f))
+ (cond
+ ((eof-object? line) #t)
+ ((string-prefix? "-----BEGIN" line)
+ (display line out)
+ (loop (read-line in 'concat) #t))
+ ((string-prefix? "-----END" line)
+ (display line out)
+ #t)
+ (else
+ (when copying? (display line out))
+ (loop (read-line in 'concat) copying?)))))))))
+ (define (import-cert cert)
+ ;; These certificates use a different public key algorithm:
+ ;; id-ecPublicKey. The keytool does not seem to be able to
+ ;; import these certificates.
+ (let ((bad-certs
+ (list
+ (string-append "CA_WoSign_ECC_Root:2.16.104.74.88."
+ "112.128.107.240.143.2.250.246.222."
+ "232.176.144.144.pem")
+ (string-append "AffirmTrust_Premium_ECC:2.8.116.151"
+ ".37.138.199.63.122.84.pem")
+ (string-append "GeoTrust_Primary_Certification_Aut"
+ "hority_-_G2:2.16.60.178.244.72.10."
+ "0.226.254.235.36.59.94.96.62.195.1"
+ "07.pem")
+ (string-append "DigiCert_Assured_ID_Root_G3:2.16.1"
+ "1.161.90.250.29.223.160.181.73.68."
+ "175.205.36.160.108.236.pem")
+ (string-append "COMODO_ECC_Certification_Authority"
+ ":2.16.31.71.175.170.98.0.112.80.84"
+ ".76.1.158.155.99.153.42.pem")
+ (string-append "OpenTrust_Root_CA_G3:2.18.17.32.23"
+ "0.248.76.252.36.176.190.5.64.172.2"
+ "18.131.27.52.96.63.pem")
+ (string-append "DigiCert_Global_Root_G3:2.16.5.85."
+ "86.188.242.94.164.53.53.195.164.15"
+ ".213.171.69.114.pem")
+ (string-append "GlobalSign_ECC_Root_CA_-_R5:2.17.9"
+ "6.89.73.224.38.46.187.85.249.10.11"
+ "9.138.113.249.74.216.108.pem")
+ (string-append "VeriSign_Class_3_Public_Primary_Ce"
+ "rtification_Authority_-_G4:2.16.47"
+ ".128.254.35.140.14.34.15.72.103.18"
+ ".40.145.135.172.179.pem")
+ (string-append "Entrust_Root_Certification_Authori"
+ "ty_-_EC1:2.13.0.166.139.121.41.0.0"
+ ".0.0.80.208.145.249.pem")
+ (string-append "thawte_Primary_Root_CA_-_G2:2.16.5"
+ "3.252.38.92.217.132.79.201.61.38.6"
+ "1.87.155.174.215.86.pem")
+ (string-append "Certplus_Root_CA_G2:2.18.17.32.217"
+ ".145.206.174.163.232.197.231.255.2"
+ "33.2.175.207.115.188.85.pem")
+ (string-append "Hellenic_Academic_and_Research_Ins"
+ "titutions_ECC_RootCA_2015:2.1.0.pe"
+ "m")
+ (string-append "USERTrust_ECC_Certification_Author"
+ "ity:2.16.92.139.153.197.90.148.197"
+ ".210.113.86.222.205.137.128.204.38"
+ ".pem")
+ (string-append "GlobalSign_ECC_Root_CA_-_R4:2.17.4"
+ "2.56.164.28.150.10.4.222.66.178.40"
+ ".165.11.232.52.152.2.pem"))))
+ (unless (member (basename cert) bad-certs)
+ (format #t "Importing certificate ~a\n" (basename cert))
+ (let ((temp "tmpcert"))
+ (extract-cert cert temp)
+ (let ((port (open-pipe* OPEN_WRITE keytool
+ "-import"
+ "-alias" (basename cert)
+ "-keystore" keystore
+ "-storepass" "changeit"
+ "-file" temp)))
+ (display "yes\n" port)
+ (when (not (zero? (status:exit-val (close-pipe port))))
+ (error "failed to import" cert)))
+ (delete-file temp)))))
+ ;; This is necessary because the certificate directory contains
+ ;; files with non-ASCII characters in their names.
+ (setlocale LC_ALL "en_US.utf8")
+ (setenv "LC_ALL" "en_US.utf8")
+
+ (for-each import-cert (find-files certs-dir "\\.pem$"))
+ (mkdir-p (string-append (assoc-ref outputs "out")
+ "/lib/security"))
+ (mkdir-p (string-append (assoc-ref outputs "jdk")
+ "/jre/lib/security"))
+
+ ;; The cacerts files we are going to overwrite are chmod'ed
+ ;; as read-only (444). We have to change this temporarily.
+ (chmod (string-append (assoc-ref outputs "out")
+ "/lib/security/" keystore) #o644)
+ (chmod (string-append (assoc-ref outputs "jdk")
+ "/jre/lib/security/" keystore) #o644)
+
+ (install-file keystore
+ (string-append (assoc-ref outputs "out")
+ "/lib/security"))
+ (install-file keystore
+ (string-append (assoc-ref outputs "jdk")
+ "/jre/lib/security"))
+
+ ;; Now make it read-only again.
+ (chmod (string-append (assoc-ref outputs "out")
+ "/lib/security/" keystore) #o444)
+
+ (chmod (string-append (assoc-ref outputs "jdk")
+ "/jre/lib/security/" keystore) #o444)
+ #t)))
 (replace 'install
 (lambda* (#:key outputs #:allow-other-keys)
 (let ((doc (string-append (assoc-ref outputs "doc")
-- 
2.11.1

--=-=-=
Content-Type: text/plain

Dear Guix,

Currently, for icedtea-8 we use an empty "keystore". This results in Java processes using our icedtea-8 package not being able to verify the validity of a certificate from a CA, because there are none in its store.

This patch imports most certificates from nss-certs. Those using a "id-ecPublicKey" public key algorithm are left out.

I realize this patch is big and inelegant, so I welcome anyone to come up with suggestions. For example, could I somehow gather the public key algorithm from the certificate and then check that instead of creating this blacklist?

Thanks!

Kind regards,
Roel Janssen

--=-=-=--
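Review bot: In import-cert the bad-certs blacklist is keyed on exact basenames that embed each certificate's serial number, so the next nss-certs update that adds or reissues a root keytool rejects (per the hunk's own comment, the id-ecPublicKey ones) falls through to `(error "failed to import" cert)` and aborts the build, while entries that no longer match silently exclude nothing. The exit-status check a few lines below already detects exactly the keytool failure the list guards against, so the list can go in favour of that check; because the keystore is a set of trust anchors, a certificate that fails to import only narrows what Java trusts, so reporting the name and continuing is the safer failure mode than aborting and leaves a record in the build log. Two smaller issues on the same lines: `status:exit-val` returns #f when keytool is terminated by a signal, which makes `zero?` raise a wrong-type error instead of reporting the failure, and raising `error` skips `(delete-file temp)`. The enclosing icedtea-8 package definition starts and ends outside the hunk.
```scheme
(define (import-cert cert)
  (format #t "Importing certificate ~a\n" (basename cert))
  (let ((temp "tmpcert"))
    (extract-cert cert temp)
    (let ((port (open-pipe* OPEN_WRITE keytool
                            "-import"
                            "-alias" (basename cert)
                            "-keystore" keystore
                            "-storepass" "changeit"
                            "-file" temp)))
      (display "yes\n" port)
      ;; keytool rejects some key types (e.g. id-ecPublicKey); a cert
      ;; left out of the store only narrows trust, so report and go on.
      ;; eqv? also copes with exit-val being #f after a signal.
      (unless (eqv? 0 (status:exit-val (close-pipe port)))
        (format #t "failed to import ~a\n" cert)))
    (delete-file temp)))
;; … unchanged: setlocale/setenv, for-each import-cert, mkdir-p, chmod and install-file of cacerts …
```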