From: Roel Janssen <roel@gnu.org>
To: guix-devel@gnu.org
Subject: [PATCH] gnu: icedtea-8: Build keystore without id-ecPublicKey certificates.
Date: Fri, 10 Feb 2017 12:32:26 +0100 [thread overview]
Message-ID: <rbuwpcycmd1.fsf@gnu.org> (raw)
From 8383c24c8a3c723535fe59f700a5fd18c50b4780 Mon Sep 17 00:00:00 2001
From: Roel Janssen <roel@gnu.org>
Date: Fri, 10 Feb 2017 12:23:22 +0100
Subject: [PATCH] gnu: icedtea-8: Build keystore without id-ecPublicKey
certificates.
* gnu/packages/java.scm (icedtea-8): Add 'install-keystore phase.
---
gnu/packages/java.scm | 125 +++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 124 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 92cbe2a02..2b204d860 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -1025,7 +1025,130 @@ build process and its dependencies, whereas Make uses Makefile format.")
#t)))
;; FIXME: This phase is needed but fails with this version of
;; IcedTea.
- (delete 'install-keystore)
+ (replace 'install-keystore
+ (lambda* (#:key inputs outputs #:allow-other-keys)
+ (let* ((keystore "cacerts")
+ (certs-dir (string-append (assoc-ref inputs "nss-certs")
+ "/etc/ssl/certs"))
+ (keytool (string-append (assoc-ref outputs "jdk")
+ "/bin/keytool")))
+ (define (extract-cert file target)
+ (call-with-input-file file
+ (lambda (in)
+ (call-with-output-file target
+ (lambda (out)
+ (let loop ((line (read-line in 'concat))
+ (copying? #f))
+ (cond
+ ((eof-object? line) #t)
+ ((string-prefix? "-----BEGIN" line)
+ (display line out)
+ (loop (read-line in 'concat) #t))
+ ((string-prefix? "-----END" line)
+ (display line out)
+ #t)
+ (else
+ (when copying? (display line out))
+ (loop (read-line in 'concat) copying?)))))))))
+ (define (import-cert cert)
+ ;; These certificates use a different public key algorithm:
+ ;; id-ecPublicKey. The keytool does not seem to be able to
+ ;; import these certificates.
+ (let ((bad-certs
+ (list
+ (string-append "CA_WoSign_ECC_Root:2.16.104.74.88."
+ "112.128.107.240.143.2.250.246.222."
+ "232.176.144.144.pem")
+ (string-append "AffirmTrust_Premium_ECC:2.8.116.151"
+ ".37.138.199.63.122.84.pem")
+ (string-append "GeoTrust_Primary_Certification_Aut"
+ "hority_-_G2:2.16.60.178.244.72.10."
+ "0.226.254.235.36.59.94.96.62.195.1"
+ "07.pem")
+ (string-append "DigiCert_Assured_ID_Root_G3:2.16.1"
+ "1.161.90.250.29.223.160.181.73.68."
+ "175.205.36.160.108.236.pem")
+ (string-append "COMODO_ECC_Certification_Authority"
+ ":2.16.31.71.175.170.98.0.112.80.84"
+ ".76.1.158.155.99.153.42.pem")
+ (string-append "OpenTrust_Root_CA_G3:2.18.17.32.23"
+ "0.248.76.252.36.176.190.5.64.172.2"
+ "18.131.27.52.96.63.pem")
+ (string-append "DigiCert_Global_Root_G3:2.16.5.85."
+ "86.188.242.94.164.53.53.195.164.15"
+ ".213.171.69.114.pem")
+ (string-append "GlobalSign_ECC_Root_CA_-_R5:2.17.9"
+ "6.89.73.224.38.46.187.85.249.10.11"
+ "9.138.113.249.74.216.108.pem")
+ (string-append "VeriSign_Class_3_Public_Primary_Ce"
+ "rtification_Authority_-_G4:2.16.47"
+ ".128.254.35.140.14.34.15.72.103.18"
+ ".40.145.135.172.179.pem")
+ (string-append "Entrust_Root_Certification_Authori"
+ "ty_-_EC1:2.13.0.166.139.121.41.0.0"
+ ".0.0.80.208.145.249.pem")
+ (string-append "thawte_Primary_Root_CA_-_G2:2.16.5"
+ "3.252.38.92.217.132.79.201.61.38.6"
+ "1.87.155.174.215.86.pem")
+ (string-append "Certplus_Root_CA_G2:2.18.17.32.217"
+ ".145.206.174.163.232.197.231.255.2"
+ "33.2.175.207.115.188.85.pem")
+ (string-append "Hellenic_Academic_and_Research_Ins"
+ "titutions_ECC_RootCA_2015:2.1.0.pe"
+ "m")
+ (string-append "USERTrust_ECC_Certification_Author"
+ "ity:2.16.92.139.153.197.90.148.197"
+ ".210.113.86.222.205.137.128.204.38"
+ ".pem")
+ (string-append "GlobalSign_ECC_Root_CA_-_R4:2.17.4"
+ "2.56.164.28.150.10.4.222.66.178.40"
+ ".165.11.232.52.152.2.pem"))))
+ (unless (member (basename cert) bad-certs)
+ (format #t "Importing certificate ~a\n" (basename cert))
+ (let ((temp "tmpcert"))
+ (extract-cert cert temp)
+ (let ((port (open-pipe* OPEN_WRITE keytool
+ "-import"
+ "-alias" (basename cert)
+ "-keystore" keystore
+ "-storepass" "changeit"
+ "-file" temp)))
+ (display "yes\n" port)
+ (when (not (zero? (status:exit-val (close-pipe port))))
+ (error "failed to import" cert)))
+ (delete-file temp)))))
+ ;; This is necessary because the certificate directory contains
+ ;; files with non-ASCII characters in their names.
+ (setlocale LC_ALL "en_US.utf8")
+ (setenv "LC_ALL" "en_US.utf8")
+
+ (for-each import-cert (find-files certs-dir "\\.pem$"))
+ (mkdir-p (string-append (assoc-ref outputs "out")
+ "/lib/security"))
+ (mkdir-p (string-append (assoc-ref outputs "jdk")
+ "/jre/lib/security"))
+
+ ;; The cacerts files we are going to overwrite are chmod'ed
+ ;; as read-only (444). We have to change this temporarily.
+ (chmod (string-append (assoc-ref outputs "out")
+ "/lib/security/" keystore) #o644)
+ (chmod (string-append (assoc-ref outputs "jdk")
+ "/jre/lib/security/" keystore) #o644)
+
+ (install-file keystore
+ (string-append (assoc-ref outputs "out")
+ "/lib/security"))
+ (install-file keystore
+ (string-append (assoc-ref outputs "jdk")
+ "/jre/lib/security"))
+
+ ;; Now make it read-only again.
+ (chmod (string-append (assoc-ref outputs "out")
+ "/lib/security/" keystore) #o444)
+
+ (chmod (string-append (assoc-ref outputs "jdk")
+ "/jre/lib/security/" keystore) #o444)
+ #t)))
(replace 'install
(lambda* (#:key outputs #:allow-other-keys)
(let ((doc (string-append (assoc-ref outputs "doc")
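Review bot: The `mkdir-p` calls on the two `lib/security` directories imply they may not exist yet, but the `(chmod ... #o644)` calls that follow assume a `cacerts` file is already present in each and will raise a system-error if it is not, so either the `mkdir-p` is dead or the chmod needs a `file-exists?` guard; the duplicated mkdir/chmod/install/chmod sequence is also clearer as one helper applied to both output directories, as below. Separately, `bad-certs` keys on exact nss-certs filenames (name plus serial), so the list is only valid for the nss-certs version it was written against: a future EC root under a new name aborts the build at `(error "failed to import" cert)`, while the roots skipped here leave no trace in the build log, so an `(if (member ...) (format #t "Skipping ~a (id-ecPublicKey)\n" (basename cert)) ...)` form that logs each omission would keep the trust-store gap visible. The `(display "yes\n" port)` answer to keytool's trust prompt can be replaced by keytool's `-noprompt` option, which avoids depending on the prompt wording. The enclosing package definition starts and ends outside the hunk.
```scheme
;; … unchanged: keystore/certs-dir/keytool bindings, extract-cert, import-cert …
;; (placed with the other internal defines)
(define (install-keystore-into dir)
  ;; An already-installed cacerts is read-only (444); relax it only when
  ;; it exists, then restore the mode after copying the new keystore.
  (let ((target (string-append dir "/" keystore)))
    (mkdir-p dir)
    (when (file-exists? target)
      (chmod target #o644))
    (install-file keystore dir)
    (chmod target #o444)))
;; … unchanged: setlocale/setenv, (for-each import-cert ...) …
(for-each install-keystore-into
          (list (string-append (assoc-ref outputs "out") "/lib/security")
                (string-append (assoc-ref outputs "jdk") "/jre/lib/security")))
#t
```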
--
2.11.1
Dear Guix,
Currently, for icedtea-8 we use an empty "keystore". This results in
Java processes using our icedtea-8 package not being able to verify
the validity of a certificate from a CA, because there are none in its
store.
This patch imports most certificates from nss-certs. Those using a
"id-ecPublicKey" public key algorithm are left out.
I realize this patch is big and inelegant, so suggestions are welcome. For
example, could the public key algorithm be read from the certificate itself
and checked, instead of maintaining this blacklist of file names?
Thanks!
Kind regards,
Roel Janssen