[arch-commits] Commit in (7 files)

Jan de Groot jgc at archlinux.org
Sun May 10 16:25:56 EDT 2009


    Date: Sunday, May 10, 2009 @ 16:25:56
  Author: jgc
Revision: 38906

add global java keystore package

Added:
  ca-certificates-java/
  ca-certificates-java/repos/
  ca-certificates-java/trunk/
  ca-certificates-java/trunk/PKGBUILD
  ca-certificates-java/trunk/default
  ca-certificates-java/trunk/init-jks-keystore
  ca-certificates-java/trunk/jks-keystore.hook

-------------------+
 PKGBUILD          |   37 +++++++++++++++++++++++
 default           |   10 ++++++
 init-jks-keystore |   69 +++++++++++++++++++++++++++++++++++++++++++
 jks-keystore.hook |   82 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 198 insertions(+)

Added: ca-certificates-java/trunk/PKGBUILD
===================================================================
--- ca-certificates-java/trunk/PKGBUILD	                        (rev 0)
+++ ca-certificates-java/trunk/PKGBUILD	2009-05-10 20:25:56 UTC (rev 38906)
@@ -0,0 +1,37 @@
+# $Id: $
+# Maintainer: Jan de Groot <jgc at archlinux.org>
+
+pkgname=ca-certificates-java
+pkgver=20081028
+pkgrel=1
+pkgdesc='Common CA certificates (JKS keystore)'
+arch=('i686' 'x86_64')
+url='http://packages.qa.debian.org/c/ca-certificates-java.html'
+license=('GPL')
+depends=('ca-certificates')
+makedepends=('java-runtime')
+install=ca-certificates-java.install
+source=(jks-keystore.hook init-jks-keystore default)
+md5sums=('fcf88086da2e4c31abec9faddb19c259'
+         '50edf13b04904011e492aab419d9254b'
+         '0ded97abeff69c2362939e2e881e214a')
+
+build() {
+  cd "${srcdir}"
+  install -d -m755 "${pkgdir}/etc/ca-certificates/update.d"
+  install -d -m755 "${pkgdir}/etc/ssl/certs/java"
+  install -d -m755 "${pkgdir}/etc/default"
+  install -d -m755 "${pkgdir}/usr/share/ca-certificates-java"
+  install -d -m755 "${pkgdir}/usr/sbin"
+
+  install -m755 jks-keystore.hook "${pkgdir}/etc/ca-certificates/update.d/jks-keystore" || return 1
+  install -m600 default "${pkgdir}/etc/default/cacerts" || return 1
+  install -m755 init-jks-keystore "${pkgdir}/usr/sbin/" || return 1
+
+  for crt in `find /usr/share/ca-certificates -name '*.crt' -printf '%P '`; do
+    alias=`basename $crt .crt | tr A-Z a-z | tr -cs a-z0-9 _`
+    alias=${alias%*_}
+    echo "IMPORT: $crt, alias=$alias"
+    keytool -importcert -trustcacerts -keystore "${pkgdir}/usr/share/ca-certificates-java/cacerts" -storepass 'changeit' -noprompt -alias "$alias" -file "/usr/share/ca-certificates/$crt"
+  done
+}

Added: ca-certificates-java/trunk/default
===================================================================
--- ca-certificates-java/trunk/default	                        (rev 0)
+++ ca-certificates-java/trunk/default	2009-05-10 20:25:56 UTC (rev 38906)
@@ -0,0 +1,10 @@
+# defaults for ca-certificates-java
+
+# The password which is used to protect the integrity of the keystore.
+# storepass must be at least 6 characters long. It must be provided to
+# all commands that access the keystore contents.
+# Only change this if adding private certificates.
+#storepass=''
+
+# enable/disable updates of the keystore /etc/ssl/certs/java/cacerts
+cacerts_updates=yes

Added: ca-certificates-java/trunk/init-jks-keystore
===================================================================
--- ca-certificates-java/trunk/init-jks-keystore	                        (rev 0)
+++ ca-certificates-java/trunk/init-jks-keystore	2009-05-10 20:25:56 UTC (rev 38906)
@@ -0,0 +1,69 @@
+#!/bin/bash
+for jvm in /usr/lib/jvm/java-1.6.0-openjdk /opt/java/jre; do
+  if [ -x $jvm/bin/keytool ]; then
+    break
+  fi
+done
+if [ ! -x $jvm/bin/keytool ]; then
+  echo "No supported JRE installed"
+  exit 1
+fi
+export JAVA_HOME=$jvm
+PATH=$JAVA_HOME/bin:$PATH
+
+KEYSTORE=/etc/ssl/certs/java/cacerts
+storepass='changeit'
+if [ -f /etc/default/cacerts ]; then
+  . /etc/default/cacerts
+fi
+
+echo "creating $KEYSTORE..."
+cp /usr/share/ca-certificates-java/cacerts $KEYSTORE
+cacertdir=/usr/share/ca-certificates
+pregenerated=$(mktemp)
+LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE -storepass "$storepass" \
+  | awk -F, '/^Certificate fingerprint/ { print s } { s=$1 } ' \
+  | sort > $pregenerated
+
+grep -v -E '^ *$|^#' /etc/ca-certificates.conf | ( \
+errors=0
+while read line; do
+  pem=${line#!*}
+  alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _)
+  alias=${alias%*_}
+  case "$line" in
+    !*)
+      if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+          -storepass "$storepass" -alias "$alias" > /dev/null
+      then
+        echo "  removed untrusted certificate $pem"
+      fi
+      ;;
+
+    *)
+      if [ ! -f "$cacertdir/$pem" ]; then
+        echo >&2 "warning: /etc/ca-certificates.conf lists $pem,"
+        echo >&2 "warning:   but $cacertdir/$pem does not exist."
+        continue
+      fi
+      if ! grep -q "^${alias}$" $pregenerated; then
+        if LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
+             -noprompt -storepass "$storepass" \
+             -alias "$alias" -file "$cacertdir/$pem"
+        then
+          echo "  added certificate $pem $alias"
+        else
+          echo >&2 "  error adding ${line#+*}"
+          errors=$(expr $errors + 1)
+        fi
+      fi
+  esac
+done
+
+rm -f $pregenerated
+if [ $errors -gt 0 ]; then
+  echo >&2 "failed."
+  exit 1
+fi
+echo "done."
+)


Property changes on: ca-certificates-java/trunk/init-jks-keystore
___________________________________________________________________
Added: svn:executable
   + *

Added: ca-certificates-java/trunk/jks-keystore.hook
===================================================================
--- ca-certificates-java/trunk/jks-keystore.hook	                        (rev 0)
+++ ca-certificates-java/trunk/jks-keystore.hook	2009-05-10 20:25:56 UTC (rev 38906)
@@ -0,0 +1,82 @@
+#! /bin/sh
+
+set -e
+
+storepass='changeit'
+if [ -f /etc/default/cacerts ]; then
+    . /etc/default/cacerts
+fi
+
+KEYSTORE=/etc/ssl/certs/java/cacerts
+
+echo ""
+if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ]; then
+    echo "updates of cacerts keystore disabled."
+    exit 0
+fi
+
+for jvm in /usr/lib/jvm/java-1.6.0-openjdk /opt/java/jre; do
+    if [ -x $jvm/bin/keytool ]; then
+	break
+    fi
+done
+
+if [ ! -x $jvm/bin/keytool ]; then
+  exit 0
+fi
+
+export JAVA_HOME=$jvm
+PATH=$JAVA_HOME/bin:$PATH
+
+# read lines of the form: [+-]/etc/ssl/certs/*.pem
+echo "updating keystore $KEYSTORE..."
+
+errors=0
+while read line; do
+    pem=${line#[+-]*}
+    alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _)
+    alias=${alias%*_}
+    LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE \
+	-storepass "$storepass" -alias "$alias" >/dev/null 2>&1 \
+	&& exists=yes || exists=no
+    case "$line" in
+    +*)
+	if [ "$exists" = yes ]; then
+	    echo "  already exists: ${line#+*}"
+	else
+	    if LANG=C LC_ALL=C keytool -importcert -trustcacerts \
+		-keystore $KEYSTORE -noprompt -storepass "$storepass" \
+		-alias "$alias" -file "$pem"
+	    then
+		echo "  added: ${line#+*}"
+	    else
+		echo >&2 "  error adding ${line#+*}"
+		errors=$(expr $errors + 1)
+	    fi
+	fi
+	;;
+    -*)
+	if [ "$exists" = yes ]; then
+	    if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
+		-noprompt -storepass "$storepass" \
+		-alias "$alias"
+	    then
+		echo "  removed ${line#-*}"
+	    else
+		echo >&2 "  error removing ${line#+*}"
+		errors=$(expr $errors + 1)
+	    fi
+	else
+	    echo "  does not exists: ${line#-*}"
+	fi
+	;;
+    *)
+	echo >&2 "  $0: Unknown line $line"
+    esac
+done
+
+if [ $errors -gt 0 ]; then
+    echo >&2 "failed."
+    exit 1
+fi
+echo "done."



More information about the arch-commits mailing list