[pkg-java] r13567 - in trunk/ca-certificates-java: . debian

Torsten Werner twerner at alioth.debian.org
Sun Apr 24 22:43:41 UTC 2011


Author: twerner
Date: 2011-04-24 22:43:41 +0000 (Sun, 24 Apr 2011)
New Revision: 13567

Added:
   trunk/ca-certificates-java/UpdateCertificates.java
Modified:
   trunk/ca-certificates-java/debian/changelog
   trunk/ca-certificates-java/debian/control
   trunk/ca-certificates-java/debian/rules
Log:
UNRELEASED
* Add Java code to update the keystore. (Closes: #623671)
* Change Maintainer to Debian Java Maintainers and add myself to Uploaders.
* Update Build-Depends.

Added: trunk/ca-certificates-java/UpdateCertificates.java
===================================================================
--- trunk/ca-certificates-java/UpdateCertificates.java	                        (rev 0)
+++ trunk/ca-certificates-java/UpdateCertificates.java	2011-04-24 22:43:41 UTC (rev 13567)
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2011 Torsten Werner <twerner at debian.org>
+ * 
+ * This code is a re-implementation of the idea from Ludwig Nussel found in
+ * http://gitorious.org/opensuse/ca-certificates/blobs/master/keystore.java
+ * for the Debian operating system. It updates the global JVM keystore.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *
+ */
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+
+public class UpdateCertificates {
+    private static char[] password = null;
+    private static KeyStore keystore = null;
+    private static CertificateFactory certFactory = null;
+    
+    public static void main(String[] args) throws IOException, GeneralSecurityException {
+        String passwordString = "changeit";
+        if (args.length == 2 && args[0].equals("-storepass")) {
+            passwordString = args[1];
+        }
+        else if (args.length > 0) {
+            System.err.println("Usage: java UpdateCertificates [-storepass <password>]");
+            System.exit(1);
+        }
+        password = passwordString.toCharArray();
+        keystore = createKeyStore();
+        certFactory = CertificateFactory.getInstance("X.509");
+        processChanges(new InputStreamReader(System.in));
+        writeKeyStore();
+    }
+
+    private static KeyStore createKeyStore() throws GeneralSecurityException, IOException {
+        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+        File certInputFile = new File ("/etc/ssl/certs/java/cacerts");
+        FileInputStream certInputStream = null;
+        if (certInputFile.canRead()) {
+            certInputStream = new FileInputStream(certInputFile);
+        }
+        try {
+            ks.load(certInputStream, password);
+        }
+        catch (IOException e) {
+            System.err.println("Cannot open Java keystore. Is the password correct? Message:\n  " +
+                e.getMessage());
+            System.exit(1);
+        }
+        if (certInputStream != null) {
+            certInputStream.close();
+        }
+        return ks;
+    }
+    
+    private static void processChanges(Reader reader)
+            throws IOException, GeneralSecurityException {
+        String line;
+        BufferedReader bufferedStdinReader = new BufferedReader(reader);
+        while((line = bufferedStdinReader.readLine()) != null) {
+            parseLine(line);
+        }
+    }
+    
+    private static void deleteAlias(String alias) throws GeneralSecurityException {
+        if (keystore.containsAlias(alias)) {
+            System.out.println("Removing " + alias);
+            keystore.deleteEntry(alias);
+        }
+    }
+    
+    private static void parseLine(String line)
+            throws GeneralSecurityException, IOException {
+        String path = line.substring(1);
+        String filename = path.substring(path.lastIndexOf("/") + 1);
+        String alias = "debian:" + filename;
+        if(line.startsWith("+")) {
+            Certificate cert = createCertificate(path);
+            if (cert == null) {
+                return;
+            }
+            if(keystore.containsAlias(alias)) {
+                System.out.println("Replacing " + alias);
+                keystore.deleteEntry(alias);
+            }
+            else {
+                System.out.println("Adding " + alias);
+            }
+            keystore.setCertificateEntry(alias, cert);
+        }
+        else if (line.startsWith("-")) {
+            deleteAlias(alias);
+            // Remove old non-prefixed aliases, too. This code should be
+            // removed after the release of Wheezy.
+            deleteAlias(filename);
+        }
+        else {
+            System.err.println("Unknown input: " + line);
+        }        
+    }
+
+    private static Certificate createCertificate(String path) {
+        Certificate cert = null;
+        try {
+            FileInputStream certFile = new FileInputStream(path);
+            cert = certFactory.generateCertificate(certFile);
+            certFile.close();
+        }
+        catch (Exception e) {
+            System.err.println("Warning: there was a problem reading the certificate file " +
+                path + ". Message:\n  " + e.getMessage());
+        }
+        return cert;
+    }
+    
+    private static void writeKeyStore() throws GeneralSecurityException {
+        try {
+            FileOutputStream certOutputFile = new FileOutputStream("/etc/ssl/certs/java/cacerts");
+            keystore.store(certOutputFile, password);
+            certOutputFile.close();
+        }
+        catch (IOException e) {
+            System.err.println("There was a problem saving the new Java keystore. Message:\n  " +
+                e.getMessage());
+            System.exit(1);
+        }
+    }
+}
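Review bot: writeKeyStore() opens /etc/ssl/certs/java/cacerts with FileOutputStream, which truncates the live trust store before keystore.store() has written anything, so an I/O error, a GeneralSecurityException or an interrupted run leaves every JVM on the host with an empty or partial cacerts. Writing to a temporary file in the same directory and renaming it over the target only after store() and close() have succeeded closes that window; the sketch below keeps to APIs available in Java 6. The stream is also left open when store() throws, which the inner finally addresses. Separately, parseLine() calls line.substring(1) before checking the prefix, so an empty line on stdin throws StringIndexOutOfBoundsException and aborts the run before anything is saved; `if (line.length() == 0) return;` at the top of parseLine() would skip it.

```java
    private static void writeKeyStore() throws GeneralSecurityException {
        File target = new File("/etc/ssl/certs/java/cacerts");
        // Same directory as the target, so the rename stays on one filesystem.
        File tmp = new File(target.getPath() + ".new");
        try {
            FileOutputStream certOutputFile = new FileOutputStream(tmp);
            try {
                keystore.store(certOutputFile, password);
            }
            finally {
                certOutputFile.close();
            }
            // NOTE: the new file's mode comes from the umask; set it explicitly
            // if the packaging relies on a particular mode for cacerts.
            if (!tmp.renameTo(target)) {
                throw new IOException("cannot rename " + tmp + " to " + target);
            }
        }
        catch (IOException e) {
            tmp.delete();
            // … unchanged: error message and System.exit(1) …
        }
    }
```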

Modified: trunk/ca-certificates-java/debian/changelog
===================================================================
--- trunk/ca-certificates-java/debian/changelog	2011-04-24 22:08:53 UTC (rev 13566)
+++ trunk/ca-certificates-java/debian/changelog	2011-04-24 22:43:41 UTC (rev 13567)
@@ -1,3 +1,12 @@
+ca-certificates-java (20110425) unstable; urgency=low
+
+  UNRELEASED
+  * Add Java code to update the keystore. (Closes: #623671)
+  * Change Maintainer to Debian Java Maintainers and add myself to Uploaders.
+  * Update Build-Depends.
+
+ -- Torsten Werner <twerner at debian.org>  Mon, 25 Apr 2011 00:29:23 +0200
+
 ca-certificates-java (20100412) unstable; urgency=low
 
   * Upload to unstable.

Modified: trunk/ca-certificates-java/debian/control
===================================================================
--- trunk/ca-certificates-java/debian/control	2011-04-24 22:08:53 UTC (rev 13566)
+++ trunk/ca-certificates-java/debian/control	2011-04-24 22:43:41 UTC (rev 13567)
@@ -1,9 +1,9 @@
 Source: ca-certificates-java
 Section: java
 Priority: optional
-Maintainer: OpenJDK Team <openjdk at lists.launchpad.net>
-Uploaders: Matthias Klose <doko at ubuntu.com>
-Build-Depends: debhelper (>= 6), ca-certificates (>= 20090814), openjdk-6-jre-headless (>= 6b16-1.6.1-2)
+Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
+Uploaders: Matthias Klose <doko at ubuntu.com>, Torsten Werner <twerner at debian.org>
+Build-Depends: debhelper (>= 6), default-jdk
 Standards-Version: 3.8.4
 
 Package: ca-certificates-java

Modified: trunk/ca-certificates-java/debian/rules
===================================================================
--- trunk/ca-certificates-java/debian/rules	2011-04-24 22:08:53 UTC (rev 13566)
+++ trunk/ca-certificates-java/debian/rules	2011-04-24 22:43:41 UTC (rev 13567)
@@ -4,47 +4,20 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+JAVA_HOME := /usr/lib/jvm/default-java
+
 d = debian/ca-certificates-java
 
 build: build-stamp
 build-stamp:
 	dh_testdir
-	rm -rf build
-	mkdir -p build
-	set -e; \
-	yes | \
-	for crt in $$(find /usr/share/ca-certificates -name '*.crt' -printf '%P '); do \
-	  alias=$$(basename $$crt .crt | tr A-Z a-z | tr -cs a-z0-9 _); \
-	  alias=$${alias%*_}; \
-	  echo "IMPORT: $$crt, alias=$$alias"; \
-	  if keytool -importcert -trustcacerts -keystore build/cacerts \
-	    -storepass 'changeit' \
-	    -alias "$$alias" -file "/usr/share/ca-certificates/$$crt" > keytool.log 2>&1; \
-	  then \
-	    cat keytool.log; \
-	  elif keytool -importcert -trustcacerts -keystore build/cacerts \
-	    -providerClass sun.security.pkcs11.SunPKCS11 \
-	    -providerArg '$${java.home}/lib/security/nss.cfg' \
-	    -storepass 'changeit' \
-	    -alias "$$alias" -file "/usr/share/ca-certificates/$$crt" > keytool.log 2>&1; \
-	  then \
-	    cat keytool.log; \
-	  elif grep -q 'Signature not available' keytool.log; then \
-	    echo "IGNORED IMPORT: $$crt, alias=$$alias"; \
-	    cat keytool.log; \
-	  else \
-	    cat keytool.log; \
-	    false; \
-	  fi; \
-	done
+	$(JAVA_HOME)/bin/javac UpdateCertificates.java
 	touch $@
 
 clean:
 	dh_testdir
 	dh_testroot
-	rm -f build-stamp
-	rm -rf build
-	rm -f keytool.log
+	$(RM) build-stamp UpdateCertificates.class
 	dh_clean 
 
 install: build
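Review bot: The new build-stamp recipe runs javac without `-source`/`-target`, so the bytecode level of UpdateCertificates.class follows whatever default-jdk is installed on the build host. The runtime dependency is not visible in this hunk, but if the package may run under an older JRE than the build JDK, the class would fail to load with UnsupportedClassVersionError and the keystore would silently stop tracking ca-certificates changes. Pinning the level avoids that, e.g. `$(JAVA_HOME)/bin/javac -source <level> -target <level> UpdateCertificates.java` with the lowest level the package supports.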
@@ -59,10 +32,9 @@
 
 	install -m755 debian/jks-keystore.hook \
 		$(d)/etc/ca-certificates/update.d/jks-keystore
-	install -m644 build/cacerts \
-		$(d)/usr/share/ca-certificates-java/
 	install -m600 debian/default \
 		$(d)/etc/default/cacerts
+	dh_install UpdateCertificates.class /usr/share/ca-certificates-java/
 
 # Build architecture-independent files here.
 binary-indep: build install



