From: Julien Lepiller <julien@lepiller.eu>
To: 66879@debbugs.gnu.org
Cc: "Björn Höfling" <bjoern.hoefling@bjoernhoefling.de>,
"Julien Lepiller" <julien@lepiller.eu>
Subject: [bug#66879] [PATCH v2 1/5] gnu: openjdk9: Install default certificates.
Date: Thu, 2 Nov 2023 07:50:09 +0100 [thread overview]
Message-ID: <a56b64518165eee5dad9935874bba9aca60c47c8.1698907813.git.julien@lepiller.eu> (raw)
In-Reply-To: <20231101135338.2634f780@tachikoma.lepiller.eu>
* gnu/packages/java.scm (openjdk9)[arguments]: Add a phase to install
certificates from nss-certs to the expected location.
(openjdk10, openjdk11): Adapt to also install the certificates.
Change-Id: I6ef626324386419e84a9c0eace5a278ca11c573c
---
gnu/packages/java.scm | 87 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 86 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index f482c4c16d..567fb05f77 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -878,7 +878,14 @@ (define-public openjdk9
(build-system gnu-build-system)
(outputs '("out" "jdk" "doc"))
(arguments
- `(#:tests? #f; require jtreg
+ `(#:imported-modules
+ ((guix build ant-build-system)
+ ,@%gnu-build-system-modules)
+ #:modules
+ ((guix build utils)
+ (guix build gnu-build-system)
+ (ice-9 popen))
+ #:tests? #f; require jtreg
#:make-flags '("all")
#:disallowed-references ,(list (gexp-input icedtea-8)
(gexp-input icedtea-8 "jdk"))
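Review bot: `(guix build ant-build-system)` is added to `#:imported-modules` but not to `#:modules`, and nothing in this patch appears to reference it, so either the `#:modules` list should include it or the import is unused; if a later patch in the series is what needs it, a one-line comment saying so would spare the next reader the search. Separately, `#:modules` gains `(ice-9 popen)` but not `(ice-9 rdelim)`, even though the new install-keystore phase in the second hunk calls `read-line` and works around this with a `(use-modules (ice-9 rdelim))` inside the lambda body; listing `(ice-9 rdelim)` here and dropping the in-body form is the conventional shape for build-side code. The `arguments` form continues past the end of this hunk.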
@@ -971,6 +978,80 @@ (define-public openjdk9
(find-files "."
"\\.c$|\\.h$"))
#t)))
+ ;; By default OpenJDK only generates an empty keystore. In order to
+ ;; be able to use certificates in Java programs we need to generate a
+ ;; keystore from a set of certificates. For convenience we use the
+ ;; certificates from the nss-certs package.
+ (add-after 'install 'install-keystore
+ (lambda* (#:key inputs outputs #:allow-other-keys)
+ (use-modules (ice-9 rdelim))
+ (let* ((keystore "cacerts")
+ (certs-dir (search-input-directory inputs
+ "etc/ssl/certs"))
+ (keytool (string-append (assoc-ref outputs "jdk")
+ "/bin/keytool")))
+ (define (extract-cert file target)
+ (call-with-input-file file
+ (lambda (in)
+ (call-with-output-file target
+ (lambda (out)
+ (let loop ((line (read-line in 'concat))
+ (copying? #f))
+ (cond
+ ((eof-object? line) #t)
+ ((string-prefix? "-----BEGIN" line)
+ (display line out)
+ (loop (read-line in 'concat) #t))
+ ((string-prefix? "-----END" line)
+ (display line out)
+ #t)
+ (else
+ (when copying? (display line out))
+ (loop (read-line in 'concat) copying?)))))))))
+ (define (import-cert cert)
+ (format #t "Importing certificate ~a\n" (basename cert))
+ (let ((temp "tmpcert"))
+ (extract-cert cert temp)
+ (let ((port (open-pipe* OPEN_WRITE keytool
+ "-import"
+ "-alias" (basename cert)
+ "-keystore" keystore
+ "-storepass" "changeit"
+ "-file" temp)))
+ (display "yes\n" port)
+ (when (not (zero? (status:exit-val (close-pipe port))))
+ (format #t "failed to import ~a\n" cert)))
+ (delete-file temp)))
+
+ ;; This is necessary because the certificate directory contains
+ ;; files with non-ASCII characters in their names.
+ (setlocale LC_ALL "en_US.utf8")
+ (setenv "LC_ALL" "en_US.utf8")
+
+ (copy-file (string-append (assoc-ref outputs "out")
+ "/lib/security/cacerts")
+ keystore)
+ (chmod keystore #o644)
+ (for-each import-cert (find-files certs-dir "\\.pem$"))
+ (mkdir-p (string-append (assoc-ref outputs "out")
+ "/lib/security"))
+ (mkdir-p (string-append (assoc-ref outputs "jdk")
+ "/lib/security"))
+
+ ;; The cacerts files we are going to overwrite are chmod'ed as
+ ;; read-only (444) in icedtea-8 (which derives from this
+ ;; package). We have to change this so we can overwrite them.
+ (chmod (string-append (assoc-ref outputs "out")
+ "/lib/security/" keystore) #o644)
+ (chmod (string-append (assoc-ref outputs "jdk")
+ "/lib/security/" keystore) #o644)
+
+ (install-file keystore
+ (string-append (assoc-ref outputs "out")
+ "/lib/security"))
+ (install-file keystore
+ (string-append (assoc-ref outputs "jdk")
+ "/lib/security")))))
;; Some of the libraries in the lib/ folder link to libjvm.so.
;; But that shared object is located in the server/ folder, so it
;; cannot be found. This phase creates a symbolic link in the
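Review bot: A failed certificate import is only reported with `(format #t "failed to import ~a\n" cert)` and the phase carries on, so a `cacerts` keystore missing one or more CAs, or containing none if keytool fails for every file, would be installed silently; since this keystore decides which TLS peers Java programs trust, the failure should be fatal, or at least counted and reported at the end of the phase. The `open-pipe*`/`(display "yes\n" port)` construction exists only to answer keytool's "Trust this certificate?" question; keytool's `-noprompt` option answers it non-interactively, and `-importcert` is the current name for the legacy `-import`, so the import can become a plain `invoke` call, which raises on a non-zero exit status and would also let `(ice-9 popen)` be dropped from `#:modules`. `extract-cert` stops at the first `-----END` line, which is fine for the one-certificate-per-file layout of nss-certs but worth stating in its comment since a bundle file would silently lose everything after the first block.

```scheme
(define (import-cert cert)
  (format #t "Importing certificate ~a\n" (basename cert))
  (let ((temp "tmpcert"))
    (extract-cert cert temp)
    ;; -noprompt accepts the certificate as trusted without the
    ;; interactive question, so no pipe is needed; invoke raises on a
    ;; non-zero exit status, which makes a failed import fatal.
    (invoke keytool "-importcert" "-noprompt"
            "-alias" (basename cert)
            "-keystore" keystore
            "-storepass" "changeit"
            "-file" temp)
    (delete-file temp)))
;; … unchanged: extract-cert, locale setup, copy/chmod/install-file steps …
```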
@@ -1044,6 +1125,7 @@ (define-public openjdk9
("icedtea-8:jdk" ,icedtea-8 "jdk")
;; XXX: The build system fails with newer versions of GNU Make.
("make@4.2" ,gnu-make-4.2)
+ ("nss-certs" ,nss-certs)
("unzip" ,unzip)
("which" ,which)
("zip" ,zip)))
@@ -1126,6 +1208,7 @@ (define-public openjdk10
`(("openjdk9" ,openjdk9)
("openjdk9:jdk" ,openjdk9 "jdk")
("make@4.2" ,gnu-make-4.2)
+ ("nss-certs" ,nss-certs)
("unzip" ,unzip)
("which" ,which)
("zip" ,zip)))))
@@ -1152,6 +1235,7 @@ (define-public openjdk11
#:modules `((guix build gnu-build-system)
(guix build utils)
(ice-9 match)
+ (ice-9 popen)
(srfi srfi-1)
(srfi srfi-26))
#:disallowed-references (list (gexp-input openjdk10)
@@ -1394,6 +1478,7 @@ (define-public openjdk11
openjdk10
`(,openjdk10 "jdk")
gnu-make-4.2
+ nss-certs
pkg-config
unzip
which
base-commit: c95104c2e96f660d482e603c497c1e01968788d3
--
2.41.0