Plans for IcedTea6 1.11
Dr Andrew John Hughes
ahughes at redhat.com
Wed Mar 9 08:28:45 PST 2011
On 21:04 Tue 08 Mar , DJ Lucas wrote:
> On 03/08/2011 10:41 AM, Dr Andrew John Hughes wrote:
> > On 23:28 Mon 07 Mar , DJ Lucas wrote:
> >> On 03/07/2011 09:58 AM, Dr Andrew John Hughes wrote:
> >>> Posting the patch to the list will allow it to be reviewed.
> >>>
> >>> Is there really any value to having this optional? I don't see why anyone
> >>> would want the existing broken cacerts file that prevents HTTPS from working.
> >>> I see this as something being depended on by make install, which isn't yet present.
> >> Reply off list, I wasn't sure if you had intended for this to go to list
> >> (I originally replied incorrectly). Feel free to reply on list with quoting.
> >>
> > Yeah, it ended up off-list because I replied to your off-list response.
> > I'll cc this back on to the list.
> >
> >> The effort was to not be heavy handed here...see my reply to Pavel. The
> >> possibility exists to simply include a populated cacerts file and an
> >> alternate --with-cacerts switch. I'd personally rather trust the
> >> sysadmin WRT CA trusts and use the system's certs as opposed to defining
> >> a default policy (regardless if it is mozilla.org or whomever), however,
> >> the script that I slapped together requires OpenSSL. Debian and friends
> >> might not like that requirement in favor of gnutls given their
> >> preference to GPL software over other free licenses. I had intended to
> >> get around that by adding the --with-cacerts switch for distributions'
> >> use. While I'm personally against it, the --with-cacerts and a supplied
> >> cacerts file would work nicely to solve all previously voiced concerns
> >> except my own WRT security policy, but I can easily add cacerts
> >> generation to my own system certificates package if that is the
> >> direction deemed appropriate by the group.
> >>
> > Most distros already have a solution. The main aim of this is to get this
> > stuff into the main distribution instead of them hoarding their own personal
> > implementations. They are of course welcome to ignore this and use their
> > own, but https should work on IcedTea for normal users building it with
> > minimal intervention.
> >
> >> Alternately, I'm not sure if RedHat's Perl variant has any external
> >> dependencies besides Perl as distributed with default CPAN modules. The
> >> parts I've ripped out for use in LFS's internal use work fine for
> >> sanitizing the mozilla.org certs, but I always install OpenSSL and the
> >> CPAN::Bundle immediately (and this is how I create the system
> >> certificates package for BLFS). Also, it just occurred to me that if the
> >> script I wrote is to be utilized, then a conditional check for openssl
> >> would need to be added to configure. I didn't realize there wasn't
> >> one...just looked. I'll slap together a 3rd revision and add a switch to
> >> the mkcacerts.sh script to account for that in case it is needed, but I
> >> won't have time until Wed. Perhaps somebody else will chime in on list
> >> regarding the option of shipping of a populated cacerts file before then.
> >>
> > I guess we have to do some dependency checking.
>
> Okay, had a few extra minutes tonight so I reworked the patch for above
> considerations, along with streamlining it a bit (all conditional on
> the previous tests as the additional checks are not needed if a cacerts
> file is supplied). I haven't completed a build yet (ran the configure
> script and mkcacerts.sh script through various quick tests), but wondered
> if the conditional ac tests are alright, or should they be run
> unconditionally (unnecessarily)?
>
I've commented inline.
If I follow all this right, it tries to detect a usable cacerts by default,
right? generate_cacerts will be set to "forced" and automatic detection
applied if I specify no additional arguments. I think that's the right
thing if that's what this is doing.
There's a general issue with handling yes/no in --with-x calls. It's just
a matter of coming up with a sensible way to handle these, depending on
context and doing so. It's not a major issue, but it would be better
to handle this than go looking for 'yes' or 'no', especially if we search
the path and find /bin/yes.
> -- DJ Lucas
>
>
> diff -Naur icedtea6-1.10-orig/acinclude.m4 icedtea6-1.10/acinclude.m4
> --- icedtea6-1.10-orig/acinclude.m4 2011-02-23 16:31:48.000000000 -0600
> +++ icedtea6-1.10/acinclude.m4 2011-03-08 20:58:36.000000000 -0600
> @@ -326,6 +326,168 @@
> AM_CONDITIONAL([SRC_DIR_HARDLINKABLE], test x"${it_cv_hardlink_src}" = "xyes")
> ])
>
> +AC_DEFUN([IT_WITH_CACERTS],
> +[
> + AC_MSG_CHECKING([whether a cacerts file is provided for distribution])
> + AC_ARG_WITH([cacerts],
> + [AS_HELP_STRING(--with-cacerts=FILE,specify the location of a pre-generated cacerts file for distribution)],
> + [
> + if test -f "${withval}"; then
> + CACERTS_FILE="${withval}"
> + cacerts_file_set=yes
> + fi
> + ],
> + [
> + CACERTS_FILE=
> + ])
> + if test -z "${CACERTS_FILE}"; then
> + CACERTS_FILE=no
> + cacerts_file_set=no
Is there a reason to set CACERTS_FILE here?
> + fi
> + AC_MSG_RESULT(${CACERTS_FILE})
> + AC_SUBST(CACERTS_FILE)
> + AM_CONDITIONAL([CACERTS_FILE_SET], test x"${cacerts_file_set}" = "xyes")
> +])
What if withval is "yes" or "no" (generated by --with-cacerts and --without-cacerts respectively)?
> +
> +AC_DEFUN([IT_GENERATE_CACERTS],
> +[
> + AC_MSG_CHECKING([whether to generate a cacerts file for distribution])
> + AC_ARG_ENABLE([generate-cacerts],
> + [AS_HELP_STRING(--enable-generate-cacerts, generate a cacerts file for distribution [[default=auto]])],
> + [
--enable-cacerts-generation would read better.
> + case "${enableval}" in
> + no)
> + generate_cacerts=no
> + ;;
> + *)
> + generate_cacerts=yes
> + ;;
> + esac
> + ],
> + [
> + if test x"${cacerts_file_set}" = "xno"; then
> + generate_cacerts=forced
> + else
> + if test x"${cacerts_file_set}" = "xyes"; then
> + generate_cacerts=no
> + else
> + generate_cacerts=yes
> + fi
> + fi
> + ])
> + AC_MSG_RESULT([$generate_cacerts])
> + AM_CONDITIONAL([GENERATE_CACERTS], test x"${generate_cacerts}" = "xyes" -o x"${generate_cacerts}" = "xforced")
> + if test x"${generate_cacerts}" = "xyes" \
> + -o x"${generate_cacerts}" = "xforced"; then
Why break one line and not the other?
> + IT_GET_LOCAL_CADIR
> + IT_FIND_OPENSSL
> + fi
> +])
> +
> +AC_DEFUN([IT_GET_LOCAL_CADIR],
> +[
> + AC_MSG_CHECKING([for a local x509 certificate directory])
> + AC_ARG_WITH([ca-dir],
> + [AS_HELP_STRING(--with-ca-dir=DIR, specify a top-level local x509 certificate directory for cacerts generation)],
> + [
> + if test -d "${withval}"; then
> + CADIR="${withval}"
> + fi
> + ],
> + [
> + CADIR=
> + ])
Same issue with not handling yes/no.
> + if test -z "${CADIR}"; then
Better to use test -d here too?
> + for dir in /etc/pki/tls/certs \
> + /usr/share/ca-certificates \
> + /etc/ssl/certs \
> + /etc/certs ; do
> + if test -d "${dir}"; then
> + CADIR="${dir}"
> + break
> + fi
> + done
> + if test -z "${CADIR}"; then
> + CADIR=no
> + fi
> + fi
> + AC_MSG_RESULT(${CADIR})
> + AC_SUBST(CADIR)
> + if test x"${CADIR}" = "xno"; then
> + IT_GET_LOCAL_CAFILE
Is there a reason directories have preference over files?
> + fi
> +])
> +
> +AC_DEFUN([IT_GET_LOCAL_CAFILE],
> +[
> + AC_MSG_CHECKING([for a local x509 certificate file])
> + AC_ARG_WITH([ca-file],
> + [AS_HELP_STRING(--with-ca-file=FILE, specify a local x509 certificate file for cacerts generation)],
> + [
> + if test -f "${withval}"; then
> + CAFILE="${withval}"
> + fi
> + ],
> + [
> + CAFILE=
> + ])
Again, yes/no.
> + if test -z "${CAFILE}"; then
test -e.
> + for file in /etc/pki/tls/certs/ca-bundle.crt \
> + /etc/ssl/certs/ca-bundle.crt \
> + /etc/ssl/ca-bundle.crt \
> + /etc/ca-bundle.crt ; do
> + if test -e "${file}"; then
> + CAFILE=$file
> + break
> + fi
> + done
> + if test -z "${CAFILE}"; then
> + CAFILE=no
> + fi
> + fi
> + AC_MSG_RESULT(${CAFILE})
> + AC_SUBST(CAFILE)
> + if test "${CADIR}x" = "nox" -a "${CAFILE}x" = "nox"; then
> + AC_MSG_WARN([Could not find a suitable x509 certificate store.])
> + AC_MSG_ERROR([Supply a valid location using --with-ca-dir or --with-ca-file, or remove the --enable-generate-cacerts switch.])
I think this should just be an error.
> + fi
> +])
> +
> +AC_DEFUN([IT_FIND_OPENSSL],
> +[
> + AC_MSG_CHECKING([for openssl])
> + AC_ARG_WITH([openssl],
> + [AS_HELP_STRING(--with-openssl=PATH, specify the path of the openssl utility)],
> + [
> + if test -f "${withval}"; then
> + OPENSSL="${withval}"
> + fi
> + if test -f "${withval}/openssl"; then
> + OPENSSL="${withval}/openssl"
> + fi
Should the second one be an else? I don't think it will do any harm as is but might make this clearer.
As I read it, it tests first if the openssl utility is specified in full, and then if just the directory
is passed (in which case ${withval}/openssl is the executable).
I think the tests should be -x rather than -f.
Again, you've guessed it, we should handle yes/no explicitly so we don't go looking for ./yes or ./no.
> + ],
> + [
> + OPENSSL=
> + ])
> + if test -z "${OPENSSL}"; then
> + for dir in $(echo $PATH | sed 's@:@ @g'); do
I assume the sed is to do the separation of the elements. Could you not just set LFS to ':'?
> + if test -f "${dir}/openssl"; then
> + OPENSSL="${dir}/openssl"
> + break
> + fi
-x again.
> + done
> + if test -z "${OPENSSL}"; then
> + OPENSSL=no
> + fi
> + fi
> + AC_MSG_RESULT(${OPENSSL})
> + AC_SUBST(OPENSSL)
> + if test "${OPENSSL}x" = "nox"; then
> + AC_MSG_WARN([Could not find a suitable openssl utility.])
> + AC_MSG_ERROR([Supply a valid openssl utility using --with-openssl=PATH or remove the --enable-generate-cacerts switch.])
> + fi
Again, I think just one shorter AC_MSG_ERROR is appropriate.
> +])
> +
> AC_DEFUN([IT_FIND_ECJ_JAR],
> [
> AC_MSG_CHECKING([for an ecj JAR file])
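Review bot: in IT_WITH_CACERTS, the `if test -f "${withval}"` block silently ignores an explicit `--with-cacerts=FILE` whose file does not exist: CACERTS_FILE ends up as `no`, cacerts_file_set becomes `no`, and IT_GENERATE_CACERTS then sets generate_cacerts=forced, so a typo in the path quietly produces a locally generated trust store instead of the one the packager asked to ship. That case should be an AC_MSG_ERROR, e.g. `else AC_MSG_ERROR([cacerts file ${withval} not found])`, and the same applies to --with-ca-dir, --with-ca-file and --with-openssl, which all fall back to a filesystem or PATH search when the value given explicitly fails its test. Separately, `for dir in $(echo $PATH | sed 's@:@ @g')` word-splits the result, so a PATH entry containing a space is searched as two fragments; iterating with IFS=':' avoids that.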
> diff -Naur icedtea6-1.10-orig/configure.ac icedtea6-1.10/configure.ac
> --- icedtea6-1.10-orig/configure.ac 2011-03-02 12:34:58.000000000 -0600
> +++ icedtea6-1.10/configure.ac 2011-03-08 20:58:36.000000000 -0600
> @@ -138,6 +138,10 @@
> AC_MSG_RESULT([disabled by default (edit java.security to enable)])
> fi
>
> +IT_WITH_CACERTS
> +
> +IT_GENERATE_CACERTS
> +
Rather than calling both here, IT_GENERATE_CACERTS should AC_REQUIRE([IT_WITH_CACERTS]).
> IT_GET_PKGVERSION
> IT_GET_LSB_DATA
>
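Review bot: the five new configure options (--with-cacerts, --enable-generate-cacerts, --with-ca-dir, --with-ca-file, --with-openssl) are wired in here with no accompanying documentation; the patch touches only acinclude.m4, configure.ac, Makefile.am and scripts/mkcacerts.sh, so nothing tells a packager that a locally generated cacerts is now the default when no file is supplied, or that this adds an openssl build dependency (the concern raised earlier in the thread). A short entry in the project's install notes or NEWS file should go in with the macro calls, and IT_GENERATE_CACERTS reading cacerts_file_set makes the ordering of these two calls an invisible dependency, which is another reason to express it with AC_REQUIRE rather than by call order.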
> diff -Naur icedtea6-1.10-orig/Makefile.am icedtea6-1.10/Makefile.am
> --- icedtea6-1.10-orig/Makefile.am 2011-03-02 13:48:14.000000000 -0600
> +++ icedtea6-1.10/Makefile.am 2011-03-08 20:58:36.000000000 -0600
> @@ -1384,25 +1384,31 @@
>
> stamps/icedtea-against-icedtea.stamp: stamps/icedtea.stamp \
> stamps/add-jamvm.stamp stamps/add-cacao.stamp stamps/add-zero.stamp \
> - stamps/add-systemtap.stamp stamps/add-pulseaudio.stamp stamps/add-nss.stamp stamps/add-tzdata-support.stamp
> + stamps/add-systemtap.stamp stamps/add-pulseaudio.stamp stamps/add-nss.stamp \
> + stamps/add-tzdata-support.stamp stamps/copy-cacerts.stamp \
> + stamps/generate-cacerts.stamp
I would do these as one target, stamps/add-cacerts.stamp (rename the current copy-cacerts).
> mkdir -p stamps
> touch stamps/icedtea-against-icedtea.stamp
>
> clean-icedtea-against-icedtea: clean-add-jamvm clean-add-zero clean-add-cacao \
> clean-add-systemtap clean-add-pulseaudio \
> - clean-add-nss clean-add-tzdata-support
> + clean-add-nss clean-add-tzdata-support clean-cacerts clean-generated-cacerts
> rm -f stamps/icedtea-against-icedtea.stamp
>
Likewise, clean-cacerts should handle it all. The clean-* ones also need to be added to .PHONY.
> stamps/icedtea-debug-against-icedtea.stamp: stamps/icedtea-debug.stamp \
> stamps/add-jamvm-debug.stamp stamps/add-cacao-debug.stamp \
> - stamps/add-zero-debug.stamp stamps/add-systemtap-debug.stamp stamps/add-pulseaudio-debug.stamp \
> - stamps/add-nss-debug.stamp stamps/add-tzdata-support-debug.stamp
> + stamps/add-zero-debug.stamp stamps/add-systemtap-debug.stamp \
> + stamps/add-pulseaudio-debug.stamp stamps/add-nss-debug.stamp \
> + stamps/add-tzdata-support-debug.stamp stamps/copy-cacerts-debug.stamp \
> + stamps/generate-cacerts-debug.stamp
> mkdir -p stamps
> touch stamps/icedtea-debug-against-icedtea.stamp
>
add-cacerts-debug.stamp
> clean-icedtea-debug-against-icedtea: clean-add-zero-debug \
> clean-add-jamvm-debug clean-add-cacao-debug clean-add-systemtap-debug \
> - clean-add-pulseaudio-debug clean-add-nss-debug clean-add-tzdata-support-debug
> + clean-add-pulseaudio-debug clean-add-nss-debug \
> + clean-add-tzdata-support-debug clean-cacerts-debug \
> + clean-generated-cacerts-debug
> rm -f stamps/icedtea-debug-against-icedtea.stamp
>
clean-cacerts-debug
> stamps/add-systemtap.stamp: stamps/icedtea.stamp
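Review bot: stamps/copy-cacerts.stamp and stamps/generate-cacerts.stamp are listed as independent prerequisites of stamps/icedtea-against-icedtea.stamp, yet both rules write the same two cacerts files. Nothing in the patch stops both conditionals from being true at once (configure sets generate_cacerts=yes whenever --enable-generate-cacerts is passed, even alongside --with-cacerts=FILE), and under `make -j` make is free to run the two recipes in either order or concurrently, so which cacerts ends up in the image is not deterministic. Either make one stamp depend on the other or, as suggested, fold them into a single add-cacerts target so the ordering is explicit; the same applies to the -debug pair.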
> @@ -1543,6 +1549,76 @@
> rm -f $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/tz.properties
> rm -f stamps/add-tzdata-support-debug.stamp
>
> +stamps/copy-cacerts.stamp: stamps/icedtea.stamp
> +if CACERTS_FILE_SET
> + cp $(CACERTS_FILE) $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
> + cp $(CACERTS_FILE) $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts;
> +endif
> + touch stamps/copy-cacerts.stamp
> +
Should depend on generate-cacerts.
> +clean-cacerts:
> + rm -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts
> + rm -f $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts
> + rm -f stamps/copy-cacerts.stamp
> +
> +stamps/copy-cacerts-debug.stamp: stamps/icedtea-debug.stamp
> +if CACERTS_FILE_SET
> + cp $(CACERTS_FILE) $(DEBUG_BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
> + cp $(CACERTS_FILE) $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts
> +endif
> + touch stamps/copy-cacerts-debug.stamp
> +
Likewise, generate-cacerts-debug.
> +clean-cacerts-debug:
> + rm -f $(DEBUG_BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts
> + rm -f $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts
> + rm -f stamps/copy-cacerts-debug.stamp
> +
> +stamps/generate-cacerts.stamp: stamps/icedtea.stamp
> +if GENERATE_CACERTS
> + if test -n "${CADIR}"; then \
> + sh scripts/mkcacerts.sh -d "${CADIR}" \
> + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
> + -s $(OPENSSL) \
> + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
> + else \
> + sh scripts/mkcacerts.sh -f "${CAFILE}" \
> + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
> + -s $(OPENSSL) \
> + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
> + fi; \
> + cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \
> + $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts;
> +endif
> + touch stamps/generate-cacerts.stamp
> +
Duplicate copying here. add-cacerts should do the copying. generate-cacerts
should generate a file or symlink the specified one. add-cacerts should then
copy those into place, regardless of which option was used.
> +clean-generated-cacerts:
> + rm -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts
> + rm -f $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts
> + rm -f stamps/generate-cacerts.stamp
> +
> +stamps/generate-cacerts-debug.stamp: stamps/icedtea-debug.stamp
> +if GENERATE_CACERTS
> + if test -n "${CADIR}"; then \
> + sh scripts/mkcacerts.sh -d "${CADIR}" \
> + -k $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
> + -s $(OPENSSL) \
> + -o $(DEBUG_BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
> + else \
> + sh scripts/mkcacerts.sh -f "${CAFILE}" \
> + -k $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
> + -s $(OPENSSL) \
> + -o $(DEBUG_BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
> + fi; \
> + cp -f $(DEBUG_BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \
> + $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts;
> +endif
> + touch stamps/generate-cacerts-debug.stamp
> +
> +clean-generated-cacerts-debug:
> + rm -f $(DEBUG_BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts
> + rm -f $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts
> + rm -f stamps/generate-cacerts-debug.stamp
> +
> # OpenJDK ecj Targets
> # ===================
>
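Review bot: the `if test -n "${CADIR}"` branch in stamps/generate-cacerts.stamp (and its -debug twin) is wrong whenever no directory was detected: IT_GET_LOCAL_CADIR sets CADIR=no in that case, `-n` is true for the string `no`, and mkcacerts.sh is invoked as `-d "no"` instead of with the detected CAFILE. Test for the sentinel instead, e.g. `if test x"${CADIR}" != xno; then \`. Note also that `-o` points straight at the j2re-image cacerts the build already ships; `keytool -import` adds entries to an existing keystore rather than replacing it, so the result is the old store's contents plus the new imports. Generating into a scratch file (or removing the target before the script runs) keeps the old entries out.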
You miss cacerts for the -ecj targets.
I assume the script below works. It looks ok. I guess issues will be found in
testing on various systems.
> diff -Naur icedtea6-1.10-orig/scripts/mkcacerts.sh icedtea6-1.10/scripts/mkcacerts.sh
> --- icedtea6-1.10-orig/scripts/mkcacerts.sh 1969-12-31 18:00:00.000000000 -0600
> +++ icedtea6-1.10/scripts/mkcacerts.sh 2011-03-08 20:58:56.000000000 -0600
> @@ -0,0 +1,172 @@
> +#!/bin/sh
> +# Simple script to extract x509 certificates and create a JRE cacerts file.
> +
> +function get_args()
> + {
> + if test -z "${1}" ; then
> + showhelp
> + exit 1
> + fi
> +
> + while test -n "${1}" ; do
> + case "${1}" in
> + -f | --cafile)
> + check_arg $1 $2
> + CAFILE="${2}"
> + shift 2
> + ;;
> + -d | --cadir)
> + check_arg $1 $2
> + CADIR="${2}"
> + shift 2
> + ;;
> + -o | --outfile)
> + check_arg $1 $2
> + OUTFILE="${2}"
> + shift 2
> + ;;
> + -k | --keytool)
> + check_arg $1 $2
> + KEYTOOL="${2}"
> + shift 2
> + ;;
> + -s | --openssl)
> + check_arg $1 $2
> + OPENSSL="${2}"
> + shift 2
> + ;;
> + -h | --help)
> + showhelp
> + exit 0
> + ;;
> + *)
> + showhelp
> + exit 1
> + ;;
> + esac
> + done
> + }
> +
> +function check_arg()
> + {
> + echo "${2}" | grep -v "^-" > /dev/null
> + if [ -z "$?" -o ! -n "$2" ]; then
> + echo "Error: $1 requires a valid argument."
> + exit 1
> + fi
> + }
> +
> +
> +function showhelp()
> + {
> + echo "`basename ${0}` creates a valid cacerts file for use with IcedTea."
> + echo ""
> + echo " -f --cafile The path to a file containing PEM formated CA"
> + echo " certificates. May not be used with -d/--cadir."
> + echo " -d --cadir The path to a diectory of PEM formatted CA"
> + echo " certificates. May not be used with -f/--cafile."
> + echo " -o --outfile The path to the output file."
> + echo ""
> + echo " -k --keytool The path to the java keytool utility."
> + echo ""
> + echo " -s --openssl The path to the openssl utility."
> + echo ""
> + echo " -h --help Show this help message and exit."
> + echo ""
> + echo ""
> + }
> +
> +# Initialize empty variables so that the shell does not polute the script
> +CAFILE=""
> +CADIR=""
> +OUTFILE=""
> +OPENSSL=""
> +KEYTOOL=""
> +
> +# Process command line arguments
> +get_args ${@}
> +
> +# Handle common errors
> +if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then
> + echo "ERROR! You must provide an x509 certificate store!"
> + echo "\'$(basename ${0}) --help\' for more info."
> + echo ""
> + exit 1
> +fi
> +
> +if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then
> + echo "ERROR! You cannot provide two x509 certificate stores!"
> + echo "\'$(basename ${0}) --help\' for more info."
> + echo ""
> + exit 1
> +fi
> +
> +if test "${KEYTOOL}x" == "x" ; then
> + echo "ERROR! You must provide a valid keytool program!"
> + echo "\'$(basename ${0}) --help\' for more info."
> + echo ""
> + exit 1
> +fi
> +
> +if test "${OPENSSL}x" == "x" ; then
> + echo "ERROR! You must provide a valid path to openssl!"
> + echo "\'$(basename ${0}) --help\' for more info."
> + echo ""
> + exit 1
> +fi
> +
> +if test "${OUTFILE}x" == "x" ; then
> + echo "ERROR! You must provide a valid output file!"
> + echo "\'$(basename ${0}) --help\' for more info."
> + echo ""
> + exit 1
> +fi
> +
> +# Get on with the work
> +
> +# If using a CAFILE, split it into individual files in a temp directory
> +if test "${CAFILE}x" != "x" ; then
> + TEMPDIR=`mktemp -d`
> + CADIR="${TEMPDIR}"
> +
> + # Get a list of staring lines for each cert
> + CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1`
> +
> + # Get a list of ending lines for each cert
> + ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
> +
> + # Start a loop
> + for certbegin in `echo "${CERTLIST}"` ; do
> + for certend in `echo "${ENDCERTLIST}"` ; do
> + if test "${certend}" -gt "${certbegin}"; then
> + break
> + fi
> + done
> + sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}.pem"
> + keyhash=`${OPENSSL} x509 -noout -in "${CADIR}/${certbegin}.pem" -hash`
> + echo "Generated PEM file with hash: ${keyhash}."
> + done
> +fi
> +
> +# Write the output file
> +for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"`
> +do
> + if test `date -d "$( ${OPENSSL} x509 -enddate -in "${cert}" -noout | sed /^notAfter=/d )" +%Y%m%d` -lt `date +%Y%m%d`; then
> + echo "${cert} is expired! Skipping..."
> + continue
> + fi
> + ls "${cert}"
> + tempfile=`mktemp`
> + certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1`
> + certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1`
> + sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}"
> + echo yes | "${KEYTOOL}" -import -alias `basename "${cert}"` -keystore \
> + "${OUTFILE}" -storepass 'changeit' -file "${tempfile}"
> + rm "${tempfile}"
> +done
> +
> +if test "${TEMPDIR}x" != "x" ; then
> + rm -rf "${TEMPDIR}"
> +fi
> +exit 0
> +
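Review bot: the expiry check in the write loop is a no-op: `sed /^notAfter=/d` deletes the only line openssl prints, so `date -d ""` is evaluated (GNU date treats the empty string as today) and the `-lt` comparison never fires, meaning expired certificates are imported into the store. Use `sed 's/^notAfter=//'` to strip the prefix rather than the line. Two portability problems under the `#!/bin/sh` shebang: `function name()` and `==` inside `test` are bash extensions that fail under dash, the /bin/sh on the Debian-family systems mentioned earlier in the thread; write `get_args()` and `=`. Also `check_arg` never acts on its grep result (`$?` is never empty, so `-z "$?"` is always false), `get_args ${@}` should be `get_args "$@"` so paths with spaces survive, and `find "${CADIR}" -type f` skips symlinks, so a certificate directory made up of symlinks to the real files yields an empty store.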
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D 0698 0713 C3ED F586 2A37