Runtime java cacerts generation
Michal Vyskocil
mvyskocil at suse.cz
Thu Apr 15 07:28:07 PDT 2010
Hi all,
my brave colleague from the security team is working on a redesign of the certificate
system in SUSE[1]. For programs like Java, which require their own format, he wants to
be able to generate the new file after installation. The current approach of
calling keytool for each certificate file is very slow and unusable. Each run
of keytool requires a start of the whole JVM, which is not optimal for one small
file.
The keytool.java[2] is able to run over a directory, read all PEM files
from it and generate the cacerts file in one run, which makes it very quick:
$ time java keystore -keystore cacerts -cadir /usr/share/ca-certificates/mozilla/ -storepass 'changeit' -f
121 added, 0 removed.
real 0m0.852s
user 0m0.697s
sys 0m0.058s
and this can be called from the %post of a package after a certificates update. I
tested the final cacerts using Pavel's TestHttps [3].
So your comments and thoughts are welcome.
BTW: it can be built using gcj and run under gij, but I did not test the gcc-java
created cacerts under openjdk.
[1] https://bugzilla.novell.com/show_bug.cgi?id=596177
[2] http://gitorious.org/opensuse/ca-certificates/blobs/master/keystore.java
[3] http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2010-March/008774.html
Regards
Michal Vyskocil
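The bulk-import approach described in the message, as an added example that is not the keystore.java from [2] and not part of the original post: one JVM start, every PEM file in the directory read through the standard KeyStore/CertificateFactory API, one cacerts written at the end. The class name BulkCacerts, its arguments and the alias scheme are assumptions of this example.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Locale;

/* Added example (not the project's keystore.java): import all PEM
 * certificates from a directory into one JKS cacerts file in a single
 * JVM run, instead of running keytool once per certificate.
 * Usage: java BulkCacerts <cadir> <keystore-out> <storepass>
 */
public class BulkCacerts {
    public static void main(String[] args) throws Exception {
        Path cadir = Paths.get(args[0]);
        File out = new File(args[1]);
        char[] pass = args[2].toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                       // start from an empty store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        int added = 0, skipped = 0;
        try (DirectoryStream<Path> dir = Files.newDirectoryStream(cadir, "*.{pem,crt}")) {
            for (Path p : dir) {
                try (InputStream in = new BufferedInputStream(Files.newInputStream(p))) {
                    // A PEM file may carry several certificates; import each one.
                    for (Certificate c : cf.generateCertificates(in)) {
                        X509Certificate x = (X509Certificate) c;
                        // Only CA certificates belong in a trust store (v1 roots
                        // predate basicConstraints, so they are let through).
                        if (x.getBasicConstraints() == -1 && x.getVersion() != 1) { skipped++; continue; }
                        ks.setCertificateEntry(aliasFor(p, ks), x);
                        added++;
                    }
                } catch (CertificateException e) {
                    System.err.println("skipping " + p + ": " + e.getMessage());
                    skipped++;
                }
            }
        }
        try (OutputStream os = new FileOutputStream(out)) {
            ks.store(os, pass);                    // one write for the whole store
        }
        System.out.println(added + " added, " + skipped + " skipped.");
    }

    // JKS aliases are case-insensitive and must be unique; derive from the file name.
    private static String aliasFor(Path p, KeyStore ks) throws Exception {
        String base = p.getFileName().toString().replaceAll("\\.(pem|crt)$", "").toLowerCase(Locale.ROOT);
        String alias = base;
        for (int i = 1; ks.containsAlias(alias); i++) alias = base + "-" + i;
        return alias;
    }
}
```

Because the store is rebuilt from the directory each time, a certificate removed from the system bundle simply disappears from the next cacerts, which is the sync behaviour a %post script wants.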