From: Ricardo Wurmus
Subject: Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
Date: Fri, 22 Jul 2016 21:14:59 +0200
Message-ID: <878twteb7w.fsf@mdc-berlin.de>
References: <20160718115941.17707-1-ricardo.wurmus@mdc-berlin.de> <20160718115941.17707-4-ricardo.wurmus@mdc-berlin.de> <87fur5lrje.fsf@gnu.org>
In-Reply-To: <87fur5lrje.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel@gnu.org

Ludovic Courtès writes:

> Ricardo Wurmus skribis:
>
>> From: Ricardo Wurmus
>>
>> * gnu/packages/java.scm (icedtea-6)[arguments]: Add phase
>> "install-keystore".
>> [native-inputs]: Add nss-certs and openssl.
>
> [...]
>
>> +         (add-after 'install 'install-keystore
>> +           (lambda* (#:key inputs outputs #:allow-other-keys)
>
> Could you add a comment to explain what’s going on here?
>
> Too bad IceTea’s build system doesn’t take care of that.
>
>> +             (let* ((keystore "cacerts")
>> +                    (certs-dir (string-append (assoc-ref inputs "nss-certs")
>> +                                              "/etc/ssl/certs"))
>> +                    (keytool (string-append (assoc-ref outputs "jdk")
>> +                                            "/bin/keytool"))
>> +                    (openssl (which "openssl"))
>> +                    (recent (date->time-utc (string->date "2016-1-1"
>> +                                                          "~Y-~m-~d"))))
>> +               (define (valid? cert)
>> +                 (let* ((port (open-pipe* OPEN_READ openssl
>> +                                          "x509" "-enddate" "-in" cert "-noout"))
>> +                        (str (read-line port))
>> +                        (end (begin (close-pipe port)
>> +                                    ;; TODO: use match?
>> +                                    (cadr (string-split str #\=)))))
>
> Why not use ‘match’, indeed. :-) No big deal though.
>
>> +                   (time>? (date->time-utc
>> +                            (string->date end "~b ~d ~H:~M:~S ~Y")) recent)))
>> +
>> +               (define (import-cert cert)
>> +                 (format #t "Importing certificate ~a\n" (basename cert))
>> +                 (let* ((port (open-pipe* OPEN_WRITE keytool
>> +                                          "-import"
>> +                                          "-alias" (basename cert)
>> +                                          "-keystore" keystore
>> +                                          "-storepass" "changeit"
>> +                                          "-file" cert)))
>> +                   (display "yes\n" port)
>> +                   (when (not (eqv? 0 (status:exit-val (close-pipe port))))
>
> Maybe (zero? (status:exit-val …)).
>
>> +                     (format (current-error-port)
>> +                             "Failed to import certificate.\n"))))
>
> Rather (error "failed to import" cert) so the process stops here.
>
>> +               ;; This is necessary because the certificate directory contains
>> +               ;; files with non-ASCII characters in their names.
>> +               (setlocale LC_ALL "en_US.utf8")
>> +               (setenv "LC_ALL" "en_US.utf8")
>> +
>> +               (for-each import-cert
>> +                         (filter valid? (find-files certs-dir "\\.pem$")))
>
> Why do we need to filter out invalid certificates?
>
> The problem I see is that the result of ‘valid?’, and thus the output of
> the build process, depends on the build time, which isn’t great.
>
> I would prefer to unconditionally install all the certificates if that
> doesn’t cause any problems.  WDYT?

I removed the validation (because I expect certs to be validated at
runtime).  I also added a comment explaining why this is needed and made
the suggested changes.

(I pushed from my workstation without signing key, because I forgot that
I normally push from my laptop.  Sorry, won’t happen again!  Key
replacement is on my list, and then I’ll get myself a subkey for the
office workstation.)
Thanks for the review!

~~ Ricardo
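Review bot: in the `let*` bindings, `(openssl (which "openssl"))` resolves the binary through PATH even though the commit message adds openssl to `native-inputs`; binding it as `(string-append (assoc-ref inputs "openssl") "/bin/openssl")` makes the phase use the declared input, the way the `keytool` binding just below it does for the `jdk` output. The `recent` cut-off is also the constant `"2016-1-1"` rather than the build date, so `valid?` compares expiry against a fixed date that silently goes stale, not against build time.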
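Review bot: `valid?` discards the status returned by `close-pipe`, and when openssl fails `read-line` returns an EOF object that `string-split` cannot take, so a broken certificate surfaces as an unrelated type error instead of a message naming the file; check the exit status before splitting and, as suggested for `import-cert`, stop with `(error ...)`. The `-enddate` parsing should also be exercised on a certificate whose day-of-month is a single digit (openssl pads that field with a space) and on the trailing time-zone suffix, to confirm `string->date` accepts the `"~b ~d ~H:~M:~S ~Y"` template on real output.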
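Review bot: in `import-cert`, `(display "yes\n" port)` drives keytool's interactive trust prompt, which ties the import to that prompt being asked in that form; keytool's `-noprompt` option exists for non-interactive imports and would let the phase drop the pipe write. Using `(basename cert)` as the alias also means two files whose names differ only in case would collide, since keytool treats aliases case-insensitively; with the `(error ...)` on non-zero exit suggested above, such a collision at least fails the build instead of being logged and skipped.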
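Review bot: `(filter valid? ...)` drops certificates silently: nothing is printed for a file that is excluded, so a CA missing from the resulting keystore cannot be traced back through the build log. If the filter stays, log each excluded file alongside the `Importing certificate` messages; if it goes, as proposed in the review, the openssl native-input and the `valid?` helper can go with it.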