From patchwork Thu Nov 2 06:50:09 2023
X-Patchwork-Submitter: Julien Lepiller
X-Patchwork-Id: 55813
Subject: [bug#66879] [PATCH v2 1/5] gnu: openjdk9: Install default certificates.
References: <20231101135338.2634f780@tachikoma.lepiller.eu>
In-Reply-To: <20231101135338.2634f780@tachikoma.lepiller.eu>
Resent-From: Julien Lepiller
Resent-CC: bjoern.hoefling@bjoernhoefling.de, julien@lepiller.eu, guix-patches@gnu.org
Resent-Date: Thu, 02 Nov 2023 06:52:02 +0000
X-GNU-PR-Message: followup 66879
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 66879@debbugs.gnu.org
Cc: Björn Höfling, Julien Lepiller
Received: by hermes.lepiller.eu
(OpenSMTPD) with ESMTPSA id a116e4e4 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO) for <66879@debbugs.gnu.org>; Thu, 2 Nov 2023 06:50:31 +0000 (UTC) From: Julien Lepiller Date: Thu, 2 Nov 2023 07:50:09 +0100 Message-ID: X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/packages/java.scm (openjdk9)[arguments]: Add a phase to install certificates from nss-certs to the expected location. (openjdk10, openjdk11): Adapt to also install the certificates. Change-Id: I6ef626324386419e84a9c0eace5a278ca11c573c --- gnu/packages/java.scm | 87 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 86 insertions(+), 1 deletion(-) base-commit: c95104c2e96f660d482e603c497c1e01968788d3 diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm index f482c4c16d..567fb05f77 100644 --- a/gnu/packages/java.scm +++ b/gnu/packages/java.scm @@ -878,7 +878,14 @@ (define-public openjdk9 (build-system gnu-build-system) (outputs '("out" "jdk" "doc")) (arguments - `(#:tests? #f; require jtreg + `(#:imported-modules + ((guix build ant-build-system) + ,@%gnu-build-system-modules) + #:modules + ((guix build utils) + (guix build gnu-build-system) + (ice-9 popen)) + #:tests? #f; require jtreg #:make-flags '("all") #:disallowed-references ,(list (gexp-input icedtea-8) (gexp-input icedtea-8 "jdk")) 
@@ -971,6 +978,80 @@ (define-public openjdk9 (find-files "." "\\.c$|\\.h$")) #t))) + ;; By default OpenJDK only generates an empty keystore. In order to + ;; be able to use certificates in Java programs we need to generate a + ;; keystore from a set of certificates. For convenience we use the + ;; certificates from the nss-certs package. + (add-after 'install 'install-keystore + (lambda* (#:key inputs outputs #:allow-other-keys) + (use-modules (ice-9 rdelim)) + (let* ((keystore "cacerts") + (certs-dir (search-input-directory inputs + "etc/ssl/certs")) + (keytool (string-append (assoc-ref outputs "jdk") + "/bin/keytool"))) + (define (extract-cert file target) + (call-with-input-file file + (lambda (in) + (call-with-output-file target + (lambda (out) + (let loop ((line (read-line in 'concat)) + (copying? #f)) + (cond + ((eof-object? line) #t) + ((string-prefix? "-----BEGIN" line) + (display line out) + (loop (read-line in 'concat) #t)) + ((string-prefix? "-----END" line) + (display line out) + #t) + (else + (when copying? (display line out)) + (loop (read-line in 'concat) copying?))))))))) + (define (import-cert cert) + (format #t "Importing certificate ~a\n" (basename cert)) + (let ((temp "tmpcert")) + (extract-cert cert temp) + (let ((port (open-pipe* OPEN_WRITE keytool + "-import" + "-alias" (basename cert) + "-keystore" keystore + "-storepass" "changeit" + "-file" temp))) + (display "yes\n" port) + (when (not (zero? (status:exit-val (close-pipe port)))) + (format #t "failed to import ~a\n" cert))) + (delete-file temp))) + + ;; This is necessary because the certificate directory contains + ;; files with non-ASCII characters in their names. 
+ (setlocale LC_ALL "en_US.utf8") + (setenv "LC_ALL" "en_US.utf8") + + (copy-file (string-append (assoc-ref outputs "out") + "/lib/security/cacerts") + keystore) + (chmod keystore #o644) + (for-each import-cert (find-files certs-dir "\\.pem$")) + (mkdir-p (string-append (assoc-ref outputs "out") + "/lib/security")) + (mkdir-p (string-append (assoc-ref outputs "jdk") + "/lib/security")) + + ;; The cacerts files we are going to overwrite are chmod'ed as + ;; read-only (444) in icedtea-8 (which derives from this + ;; package). We have to change this so we can overwrite them. + (chmod (string-append (assoc-ref outputs "out") + "/lib/security/" keystore) #o644) + (chmod (string-append (assoc-ref outputs "jdk") + "/lib/security/" keystore) #o644) + + (install-file keystore + (string-append (assoc-ref outputs "out") + "/lib/security")) + (install-file keystore + (string-append (assoc-ref outputs "jdk") + "/lib/security"))))) ;; Some of the libraries in the lib/ folder link to libjvm.so. ;; But that shared object is located in the server/ folder, so it ;; cannot be found. This phase creates a symbolic link in the @@ -1044,6 +1125,7 @@ (define-public openjdk9 ("icedtea-8:jdk" ,icedtea-8 "jdk") ;; XXX: The build system fails with newer versions of GNU Make. ("make@4.2" ,gnu-make-4.2) + ("nss-certs" ,nss-certs) ("unzip" ,unzip) ("which" ,which) ("zip" ,zip))) @@ -1126,6 +1208,7 @@ (define-public openjdk10 `(("openjdk9" ,openjdk9) ("openjdk9:jdk" ,openjdk9 "jdk") ("make@4.2" ,gnu-make-4.2) + ("nss-certs" ,nss-certs) ("unzip" ,unzip) ("which" ,which) ("zip" ,zip))))) @@ -1152,6 +1235,7 @@ (define-public openjdk11 #:modules `((guix build gnu-build-system) (guix build utils) (ice-9 match) + (ice-9 popen) (srfi srfi-1) (srfi srfi-26)) #:disallowed-references (list (gexp-input openjdk10) @@ -1394,6 +1478,7 @@ (define-public openjdk11 openjdk10 `(,openjdk10 "jdk") gnu-make-4.2 + nss-certs pkg-config unzip which
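Review bot: in the `@@ -878,7 +878,14 @@` hunk, `(guix build ant-build-system)` is added to `#:imported-modules` but never to `#:modules`, and nothing in the new phase refers to it; if it is not needed, drop it rather than shipping an unused import. In the same hunk, `(ice-9 rdelim)` should be listed in `#:modules` next to `(ice-9 popen)`: the phase below calls `(use-modules (ice-9 rdelim))` at run time to get `read-line`, and declaring the module here keeps the phase's dependencies in one place and avoids a `use-modules` inside a procedure body.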
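Review bot: in the `install-keystore` phase (`@@ -971,6 +978,80 @@`), a non-zero exit from keytool only prints `failed to import ~a` and the phase still returns normally, so a build can succeed with a silently incomplete trust store; raise an error there (or collect the failures and fail at the end of the phase) so a broken import is caught at build time rather than at first TLS handshake. Smaller points in the same hunk: keytool accepts `-noprompt`, which replaces piping `"yes\n"` into the process and removes the dependence on the interactive prompt; the two `chmod` calls on `<out>/lib/security/cacerts` and `<jdk>/lib/security/cacerts` throw if either file is missing, which the `mkdir-p` calls just before them suggest is possible, so guard them with `file-exists?`; `(setlocale LC_ALL "en_US.utf8")` raises unless that locale exists in the build environment, and this patch adds no locale package to the inputs, so either add one or wrap the call; and the comment saying the 444 files come from "icedtea-8 (which derives from this package)" looks copied over, since here icedtea-8 is the bootstrap JDK in `native-inputs`, not a derivative.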
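Review bot: `nss-certs` is added to `native-inputs` in the `@@ -1044,6 +1125,7 @@` hunk, but the phase locates it with `(search-input-directory inputs "etc/ssl/certs")`; that works for native builds, where native inputs are merged into `inputs`, but when cross-compiling they are passed separately, so use `(or native-inputs inputs)` in the phase. It is also worth a short comment next to the input that the CA bundle is baked into `cacerts` at build time, so an `nss-certs` update only reaches Java programs once the JDK is rebuilt.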
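Review bot: the openjdk11 `#:modules` hunk (`@@ -1152,6 +1235,7 @@`) adds only `(ice-9 popen)`, while the inherited `install-keystore` phase also relies on `(ice-9 rdelim)` for `read-line`; add it here too (or declare it once in openjdk9's `#:modules`) so openjdk11 does not depend on the `use-modules` call inside the phase body.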