java-cacerts: initial import

This commit is contained in:
Danny Rawlins 2021-02-03 19:46:10 +11:00
parent 30515cb29b
commit ae0967749a
5 changed files with 21990 additions and 0 deletions

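--- a/java-cacerts/.footprint
+++ b/java-cacerts/.footprint
@@ -0,0 +1,4 @@
+drwxr-xr-x root/root etc/
+drwxr-xr-x root/root etc/ssl/
+drwxr-xr-x root/root etc/ssl/java/
+-rw-r--r-- root/root etc/ssl/java/cacerts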

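--- a/java-cacerts/.md5sum
+++ b/java-cacerts/.md5sum
@@ -0,0 +1,3 @@
+e754eded722beba13b7ea6573d0f3801 certdata-bc61343b5d68.txt
+f565a0fc7a2873113378094c59f42fb4 mozilla-rootcerts-2020Q4.sh
+cf7c19d06924c2bbb812b49668ad4358 openjdk8-boot-20190719-bin.tar.xz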

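--- a/java-cacerts/Pkgfile
+++ b/java-cacerts/Pkgfile
@@ -0,0 +1,53 @@
+# Description: CACERTS for JAVA
+# URL: https://openjdk.java.net/
+# Maintainer: John Vogel, jvogel4 at stny dot rr dot com
+## https://hg.mozilla.org/mozilla-central/log/tip/security/nss/lib/ckfw/builtins/certdata.txt
+## cvsweb.netbsd.org/bsdweb.cgi/~checkout~/pkgsrc/security/mozilla-rootcerts/Makefile?rev=1.42&content-type=text/plain
+name=java-cacerts
+version=20201204
+certdata_rev=bc61343b5d68
+pkgsrc_quarter=2020Q4
+release=1
+source=(certdata-$certdata_rev.txt
+mozilla-rootcerts-$pkgsrc_quarter.sh
+openjdk8-boot-20190719-bin.tar.xz)
+build() {
+sed -e "/# cd \/etc\/openssl\/certs/s//# cd \/usr\/share\/$name\/certs/" \
+-e '/@AWK@/s,,/usr/bin/awk,' \
+-e "/@DATADIR@/s,,/usr/share/$name," \
+-e '/@ECHO@/s,,/bin/echo,' \
+-e '/@EXPR@/s,,/usr/bin/expr,' \
+-e '/@LN@/s,,/bin/ln,' \
+-e '/@LS@/s,,/bin/ls,' \
+-e '/@MKDIR@/s,,/bin/mkdir,' \
+-e '/@OPENSSL@/s,,/usr/bin/openssl,' \
+-e '/@PREFIX@/s,,/usr,' \
+-e "/@SSLDIR@/s,,/usr/share/$name," \
+-e '/@RM@/s,,/bin/rm,' \
+-e 's,self extract,self -f $certfile extract,' \
+-e 's,self rehash,self -f $certfile rehash,' \
+$SRC/mozilla-rootcerts-$pkgsrc_quarter.sh > $SRC/mozilla-rootcerts
+OLD_PATH=$PATH
+export JAVA_HOME=$SRC/openjdk8-boot
+export PATH=$JAVA_HOME/bin:$OLD_PATH
+# Generate java's cacerts.
+# Big thanks to pkgsrc's mozilla-rootcerts and openjdk pkg's for this part.
+install -d -m 0755 $PKG/etc/ssl/java
+mkdir $SRC/cacerts
+cd $SRC/cacerts
+sh $SRC/mozilla-rootcerts -f $SRC/certdata-$certdata_rev.txt extract
+for cert in *.pem; do
+keytool \
+-noprompt \
+-importcert \
+-keystore $PKG/etc/ssl/java/cacerts \
+-alias $(echo $cert | sed 's,.*/\([^/]*\)\.pem,\1,') \
+-file $cert \
+-storepass changeit
+done
+}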
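Review bot: The keytool loop at the end of build() imports every .pem left by the extract step as a trusted entry, but the filter in the bundled mozilla-rootcerts script only deletes certificates whose CKA_TRUST_SERVER_AUTH line ends in CKT_NSS_NOT_TRUSTED or CKT_NETSCAPE_UNTRUSTED, so a root whose server-auth trust is CKT_NSS_MUST_VERIFY_TRUST (present in certdata.txt for roots not trusted for TLS) would still land in cacerts as a trusted CA; the build should only import entries whose server-auth trust is CKT_NSS_TRUSTED_DELEGATOR, or at least carry a comment stating that it relies on the extract filter for trust decisions. Separately, the `-alias $(echo $cert | sed 's,.*/\([^/]*\)\.pem,\1,')` expression never matches here, because the `*.pem` glob yields bare filenames with no `/`, so every alias is the full filename including `.pem`; `-alias "${cert%.pem}"` gives the intended alias without a subshell. Quoting `$cert` and `$PKG` in the keytool arguments would also keep the loop intact should $SRC or $PKG ever contain whitespace.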



@ -0,0 +1,224 @@
#!@SH@
#
# $NetBSD: mozilla-rootcerts.sh,v 1.21 2020/06/02 22:32:02 jperkin Exp $
#
# This script is meant to be used as follows:
#
# # cd /etc/openssl/certs
# # mozilla-rootcerts extract
# # mozilla-rootcerts rehash
#
: ${AWK=@AWK@}
: ${DATADIR=@DATADIR@}
: ${ECHO=@ECHO@}
: ${EXPR=@EXPR@}
: ${LN=@LN@}
: ${LS=@LS@}
: ${MKDIR=@MKDIR@}
: ${OPENSSL=@OPENSSL@}
: ${PREFIX=@PREFIX@}
: ${SSLDIR=@SSLDIR@}
: ${RM=@RM@}
self="${PREFIX}/sbin/mozilla-rootcerts"
certfile="${DATADIR}/certdata.txt"
certdir=${SSLDIR}/certs
destdir=
usage()
{
${ECHO} 1>&2 "usage: $self [-d destdir] [-f certfile] extract|rehash|install"
exit $1
}
while [ $# -gt 0 ]; do
case "$1" in
-d) destdir="$2"; shift 2;;
-f) certfile="$2"; shift 2 ;;
--) shift; break ;;
-*) ${ECHO} 1>&2 "$self: unknown option -- $1"
usage 128 ;;
*) break ;;
esac
done
[ $# -eq 1 ] || usage 128
action="$1"; shift
#
# link_hash pemtype pemfile
#
# Link a certificate or CRL to its subject name hash value.
# Each hash is of the form <hash>.<n> for certificates and
# <hash>.r<n> for CRLs, where n is an integer. If the hash
# value already exists, then we need to up the value of n, unless
# it's a duplicate, in which case we skip the link. We check
# for duplicates by comparing fingerprints.
#
link_hash()
{
_pemtype="$1"; _pemfile="$2"; shift 2
_hash=`${OPENSSL} "$_pemtype" -hash -noout -in "$_pemfile"`
_fprint=`${OPENSSL} "$_pemtype" -fingerprint -noout -in "$_pemfile"`
_suffix=0
while [ 1 = 1 ] ; do
case $_pemtype in
crl) _hashfile="$_hash.r$_suffix" ;;
x509|*) _hashfile="$_hash.$_suffix" ;;
esac
if [ ! -f "$_hashfile" ]; then
${ECHO} "$_pemfile => $_hashfile"
${LN} -sf "$_pemfile" "$_hashfile"
break
fi
_fprintold=`${OPENSSL} "$_pemtype" -fingerprint -noout -in "$_hashfile"`
if [ "$_fprint" = "$_fprintold" ]; then
${ECHO} 1>&2 "WARNING: Skipping duplicate certificate $_pemfile"
return
fi
_suffix=`${EXPR} $_suffix + 1`
done
}
case $action in
rehash)
# Delete any existing symbolic links.
${LS} | while read entry; do
[ ! -h "$entry" ] || ${RM} -f "$entry"
done
${LS} | while read pemfile; do
case $pemfile in
*.pem) ;;
*) continue ;;
esac
pemtype=
while read line; do
case $line in
"-----BEGIN CERTIFICATE-----"|\
"-----BEGIN X509 CERTIFICATE-----"|\
"-----BEGIN TRUSTED CERTIFICATE-----")
pemtype=x509
break
;;
"-----BEGIN X509 CRL-----")
pemtype=crl
break
;;
esac
done < "$pemfile"
case $pemtype in
x509|crl)
link_hash "$pemtype" "$pemfile"
;;
*)
${ECHO} 1>&2 "WARNING: $pemfile does not contain a certificate or CRL: skipping"
continue
;;
esac
done
;;
extract)
#
# Certificates in octal-encoded DER format are delimited by
# "CKA_VALUE MULTILINE_OCTAL"/"END" pairs. Convert them into
# long character strings and pipe them through openssl to
# convert from DER to PEM format.
#
# The resulting PEM format certificates are saved as
# "mozilla-rootcert-<n>.pem" in the current working directory.
#
# gawk will corrupt the output data stream in multibyte locales,
# so force the locale to "C".
# Setting just LANG is not enough. LC_ALL has higher priority.
#
cat "$certfile" | LC_ALL=C LANG=C ${AWK} -v OPENSSL=${OPENSSL} '
function base8to10(o, octal, decimal, power, i, n) {
decimal = 0
n = split(o, octal, "")
while (n > 0) {
power = 1
for (i = 1; i < n; i++)
power *= 8
decimal += octal[4-n] * power
n--
}
return decimal
}
BEGIN {
filenum = 0
while (getline) {
if ($0 !~ /^CKA_VALUE MULTILINE_OCTAL/) continue
filename = "mozilla-rootcert-" filenum ".pem"
filenum++
cmd = OPENSSL " x509 -inform der -outform pem -text >" filename
print filename
while (getline) {
if ($0 ~ /^END/) break
n = split($0, line, "\\")
for (i = 2; i <= n; i++) {
printf("%c", base8to10(line[i])) | cmd
}
}
close(cmd)
# kill untrusted certificates (not clean, but the script which comes
# with "curl" works the same way)
untrusted = 0
# Read lines only until we find the trust data
# following the certificate, then stop.
while (getline) {
if ($0 ~ /^CKA_TRUST_SERVER_AUTH/) break
}
# Test the result for untrusted status
if ($0 ~ /^CKA_TRUST_SERVER_AUTH.*CK_TRUST.*CKT_NSS_NOT_TRUSTED$/)
untrusted = 1
if ($0 ~ /^CKA_TRUST_SERVER_AUTH.*CK_TRUST.*CKT_NETSCAPE_UNTRUSTED$/)
untrusted = 1
if (untrusted) {
print filename " untrusted"
system("rm -f " filename)
}
}
}'
;;
install)
# ${WHATEVER}/etc/openssl/certs should exist, but an
# install/removal cycle of mozilla-rootcerts-openssl might have removed it.
if [ ! -d $destdir$certdir ]; then
${ECHO} 1>&2 "WARNING: $destdir$certdir does not exist. Creating it."
${MKDIR} -p $destdir$certdir
fi
cd $destdir$certdir
if [ -n "`${LS}`" ]; then
# \todo Explain why this must fail if the user has
# installed certificates from other than the mozilla
# default root set.
${ECHO} 1>&2 "ERROR: $destdir$certdir already contains certificates, aborting."
exit 1
fi
set -e
$self extract
$self rehash
set +e
# \todo Explain why if we are willing to write
# ca-certificates.crt, we are not willing to remove and
# re-create it. Arguably install should be idempotent without
# error.
if [ -e $destdir$certdir/ca-certificates.crt ]; then
${ECHO} 1>&2 "ERROR: $destdir$certdir/ca-certificates.crt already exists, aborting."
exit 1
fi
set -e
# \todo This is appparently for users of gnutls, but it is not
# clear where it should be and why. In particular, this file
# should perhaps be created at package build time and be
# managed by pkgsrc.
cat $destdir$certdir/*.pem > $destdir$certdir/ca-certificates.crt
esac