Cacerts generation in IcedTea6 - please review changes in build scripts

Andrew John Hughes ahughes at redhat.com
Tue May 11 09:41:32 PDT 2010


On 11 May 2010 17:38, Andrew John Hughes <ahughes at redhat.com> wrote:
> On 11 May 2010 17:37, Andrew John Hughes <ahughes at redhat.com> wrote:
>> On 11 May 2010 17:08, Pavel Tisnovsky <ptisnovs at redhat.com> wrote:
>>> Hi,
>>>
>>> I changed IcedTea6 build scripts namely configure.ac and Makefile.am to
>>> generate proper (i.e. not empty) cacerts file for J2SDK and also JRE images.
>>> Cacerts generation could be enabled by configuration flag
>>> --enable-openssh-cacerts.
>>
>> I think --enable-cacerts-generation would be a better choice of name.
>> I don't see why we are even referring to openssh when these are SSL
>> certificates from Mozilla if I understand correctly.
>>
>>> Cacerts generator (i.e. the script named
>>> "generate-cacerts.sh") is written in Bash and uses keytool from compiled
>>> J2SDK so this also does basic check whether J2SDK is built correctly.
>>
>> A standard build does a more thorough test by building OpenJDK with the
>> JDK just built.
>>
>>>
>>> Can you please check whether it is possible to push the changes to the
>>> IcedTea repository?
>>>
>>
>> There is a hardcoded path:
>>
>> /etc/pki/tls/certs/ca-bundle.crt
>>
>> which doesn't exist on either of the Debian or Gentoo systems I just
>> checked.  Something along the lines of AC_CHECK_FOR_OPENJDK is needed
>> which checks the normal locations on a range of distros and allows an
>> alternate to be specified.  I don't see much advantage in adding a
>> feature which only works on one particular system.
>>
>
> I'd also rearrange things so that the file is not removed until one is
> successfully generated.  You don't currently check anything about what
> is generated.
>

Gentoo does the following:

    for c in /usr/share/ca-certificates/*/*.crt; do
        openssl x509 -text -in "${c}" >> all.crt || die
    done
    ./generate-cacerts.pl "${ddest}/bin/keytool" all.crt || die
    cp -vRP cacerts "${ddest}/jre/lib/security/" || die
    chmod 644 "${ddest}/jre/lib/security/cacerts" || die

>>> TODO:
>>> - allow specification of directory containing OpenSSH certificates (new
>>> configuration flag)
>>> - allow certificates downloading during build (from Mozilla project - is it
>>> possible?)
>>>
>>> Cheers
>>> Pavel
>>>
>>> --- configure.ac        2010-05-11 17:51:45.000000000 +0200
>>> +++ /jck/2/configure.ac 2010-05-11 15:57:48.000000000 +0200
>>> @@ -159,6 +159,14 @@
>>>   AC_MSG_RESULT([disabled by default (edit java.security to enable)])
>>>  fi
>>>
>>> +AC_MSG_CHECKING([whether to generate cacerts file using OpenSSH
>>> certificates])
>>> +AC_ARG_ENABLE([openssh-cacerts],
>>> +              [AS_HELP_STRING([--enable-openssh-cacerts],
>>> +                              [Enable cacerts generation using OpenSSH
>>> certificates])],
>>> +              [enable_openssh_cacerts="${enableval}"],
>>> [enable-openssh-cacerts="no"])
>>> +AM_CONDITIONAL(GENERATE_CACERTS, test "x${enable_openssh_cacerts}" =
>>> "xyes")
>>> +AC_MSG_RESULT(${enable_openssh_cacerts})
>>> +
>>>  IT_GET_PKGVERSION
>>>  IT_GET_LSB_DATA
>>>
>>>
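Review bot: The default branch of AC_ARG_ENABLE assigns to enable-openssh-cacerts="no", with hyphens, which is not a valid shell variable name. When the option is not given, enable_openssh_cacerts stays unset, AC_MSG_RESULT prints an empty result, and configure tries to run the assignment as a command. Write enable_openssh_cacerts="no" there. The option name and help string also say OpenSSH, while the Makefile.am hunks feed in an SSL CA bundle, so the wording should match what is actually consumed.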
>>> --- Makefile.am 2010-05-11 17:51:45.000000000 +0200
>>> +++ /jck/2/Makefile.am  2010-05-11 17:39:31.000000000 +0200
>>> @@ -1314,6 +1314,14 @@
>>>        cp $(abs_top_builddir)/tz.properties \
>>>          $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib;
>>>  endif
>>> +if GENERATE_CACERTS
>>> +       rm -rf pems
>>> +       rm -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts
>>> +       rm -f $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts
>>> +       mkdir -p pems
>>> +       sh scripts/generate-cacerts.sh
>>> $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool /etc/pki/tls/certs/ca-bundle.crt
>>> pems $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts
>>> +       cp $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts
>>> $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts
>>> +endif
>>>        @echo "IcedTea is served:" $(BUILD_OUTPUT_DIR)
>>>        mkdir -p stamps
>>>        touch stamps/icedtea.stamp
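Review bot: Both rm -f lines delete the existing cacerts files before scripts/generate-cacerts.sh has run, and nothing checks its output before the cp, so a failed run leaves the images without a trust store and a run that exits 0 with bad output gets copied unverified. Generate into a temporary file, check it, and only then move it over j2re-image/lib/security/cacerts and copy it into the j2sdk-image. The bundle path /etc/pki/tls/certs/ca-bundle.crt should come from a variable substituted by configure rather than being written into the recipe.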
>>> @@ -1404,6 +1412,14 @@
>>>        cp $(abs_top_builddir)/tz.properties \
>>>          $(BUILD_OUTPUT_DIR)-debug/j2sdk-image/jre/lib;
>>>  endif
>>> +if GENERATE_CACERTS
>>> +       rm -rf pems
>>> +       rm -f $(BUILD_OUTPUT_DIR)-debug/j2re-image/lib/security/cacerts
>>> +       rm -f $(BUILD_OUTPUT_DIR)-debug/j2sdk-image/jre/lib/security/cacerts
>>> +       mkdir -p pems
>>> +       sh scripts/generate-cacerts.sh
>>> $(BUILD_OUTPUT_DIR)-debug/j2sdk-image/bin/keytool
>>> /etc/pki/tls/certs/ca-bundle.crt pems
>>> $(BUILD_OUTPUT_DIR)-debug/j2re-image/lib/security/cacerts
>>> +       cp $(BUILD_OUTPUT_DIR)-debug/j2re-image/lib/security/cacerts
>>> $(BUILD_OUTPUT_DIR)-debug/j2sdk-image/jre/lib/security/cacerts
>>> +endif
>>>        @echo "IcedTea (debug build) is served:" \
>>>          $(BUILD_OUTPUT_DIR)-debug
>>>        mkdir -p stamps
>>>
>>>
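Review bot: The GENERATE_CACERTS recipe in the debug target duplicates the one in the release target line for line apart from the -debug suffix, so any fix to the ordering or to the bundle path has to be made twice. Factor the steps into one make variable or define that takes the image directory and use it from both targets. rm -rf pems and mkdir -p pems also act on whatever the current directory happens to be; name that directory explicitly, for instance under $(abs_top_builddir) as the tz.properties line above does.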
>>
>>
>>
>> --
>> Andrew :-)
>>
>> Free Java Software Engineer
>> Red Hat, Inc. (http://www.redhat.com)
>>
>> Support Free Java!
>> Contribute to GNU Classpath and the OpenJDK
>> http://www.gnu.org/software/classpath
>> http://openjdk.java.net
>>
>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
>> Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
>>



-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
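
The two review points above (look for the CA bundle in more than one place and allow an override; do not remove the old cacerts until a new one has been generated) can be sketched in shell as follows. This is an added example, not part of the original message or the IcedTea patch: the function names are hypothetical, the candidate paths other than the one in the patch are assumptions, and the only check on the output is that it is non-empty.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from the IcedTea patch.
# Candidate bundle paths: the first is the one hardcoded in the patch, the
# rest are assumed locations on other distros. Override via the environment.
: "${CA_BUNDLE_CANDIDATES:=/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/ca-bundle.pem}"

# True if $1 is a non-empty file holding at least one PEM certificate.
is_pem_bundle() {
    [ -s "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the bundle to use. An explicit path ($1) is never silently replaced
# by a fallback; without one, the first valid candidate wins.
find_ca_bundle() {
    if [ -n "${1:-}" ]; then
        is_pem_bundle "$1" || return 1
        printf '%s\n' "$1"
        return 0
    fi
    for f in $CA_BUNDLE_CANDIDATES; do
        if is_pem_bundle "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# generate_then_replace DEST CMD [ARG...]
# Runs CMD ARG... OUT, where OUT is a not-yet-existing path in a scratch
# directory beside DEST (same filesystem, so the final mv is a rename).
# DEST is touched only if CMD succeeds and OUT is non-empty.
generate_then_replace() {
    dest=$1; shift
    scratch=$(mktemp -d "${dest}.XXXXXX") || return 1
    out=$scratch/cacerts
    if "$@" "$out" && [ -s "$out" ] && chmod 644 "$out" && mv -f "$out" "$dest"
    then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return "$rc"
}

# Usage with the patch's generator, which takes the output file last:
#   bundle=$(find_ca_bundle "$user_supplied_path") &&
#   generate_then_replace "$image/jre/lib/security/cacerts" \
#       sh scripts/generate-cacerts.sh "$keytool" "$bundle" pems
```

A stricter acceptance test, such as listing the new keystore with the freshly built keytool, belongs inside the command passed to generate_then_replace so that a failure there also leaves the old file in place.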


