From c2938b6ccba6df25a219d3ed81da49082cad4bdfdceba31d5054a574ee94f8d9 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Wed, 19 May 2010 10:03:57 +0000 Subject: [PATCH 1/9] - create java bundles OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates?expand=0&rev=14 --- ca-certificates.changes | 5 + ca-certificates.spec | 72 +++++++++++- java.run | 84 ++++++++++++++ keystore.java | 235 ++++++++++++++++++++++++++++++++++++++++ update-ca-certificates | 23 ++-- 5 files changed, 406 insertions(+), 13 deletions(-) create mode 100644 java.run create mode 100644 keystore.java diff --git a/ca-certificates.changes b/ca-certificates.changes index a1bdbb3..fab4fe2 100644 --- a/ca-certificates.changes +++ b/ca-certificates.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed May 19 09:57:41 UTC 2010 - lnussel@suse.de + +- create java bundles + ------------------------------------------------------------------- Tue Apr 27 14:17:24 UTC 2010 - lnussel@suse.de diff --git a/ca-certificates.spec b/ca-certificates.spec index 62490c0..45869b5 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -17,7 +17,13 @@ # norootforbuild +%bcond_without java + BuildRequires: openssl +%if %{with java} +BuildRequires: java-devel +BuildRequires: gcc-java +%endif Name: ca-certificates %define ssletcdir %{_sysconfdir}/ssl @@ -33,8 +39,9 @@ Source0: update-ca-certificates Source1: update-ca-certificates.8 Source2: GPL-2.0.txt Source3: certbundle.run +Source4: keystore.java +Source5: java.run BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildArch: noarch Url: http://gitorious.org/opensuse/ca-certificates # Requires: openssl 
@@ -44,9 +51,34 @@ Recommends: ca-certificates-mozilla # installed (bnc#594434). Obsoletes: openssl-certs < 0.9.9 +%if %{with java} +%package -n gcj-compat-ca-certificates +Group: Productivity/Networking/Security +Summary: Utilities CA certificate import to gcj +Requires(post): ca-certificates +Supplements: packageand(gcj-compat:ca-certificates) + +%package -n java-ca-certificates +Group: Productivity/Networking/Security +Summary: Utilities CA certificate import to java +Requires(post): ca-certificates +Supplements: packageand(java-1_6_0-sun:ca-certificates) +Supplements: packageand(java-1_6_0-openjdk:ca-certificates) + +%endif + %description Utilities for system wide CA certificate installation +%if %{with java} +%description -n gcj-compat-ca-certificates +Utilities CA certificate import to gcj + +%description -n java-ca-certificates +Utilities CA certificate import to java + +%endif + %prep %setup -qcT install -m 755 %{SOURCE0} . @@ -54,6 +86,11 @@ install -m 644 %{SOURCE1} . install -m 644 %{SOURCE2} COPYING %build +%if %{with java} +javac -d . %SOURCE4 +jar cfe keystore.jar keystore keystore*.class +gcj %SOURCE4 --main=keystore -o keystore +%endif %install mkdir -p %{buildroot}/%{etccadir} 
@@ -65,10 +102,19 @@ mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/update.d install -D -m 644 /dev/null %{buildroot}/%{cabundle} install -m 644 /dev/null %{buildroot}/etc/ca-certificates.conf install -m 755 %{SOURCE3} %{buildroot}%{_prefix}/lib/ca-certificates/update.d +install -m 755 %{SOURCE5} %{buildroot}%{_prefix}/lib/ca-certificates/update.d ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem install -m 755 update-ca-certificates %{buildroot}/%{_sbindir} install -m 644 update-ca-certificates.8 %{buildroot}/%{_mandir}/man8 +install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/ca-bundle.pem +%if %{with java} +mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/java +install -m 644 keystore.jar %{buildroot}%{_prefix}/lib/ca-certificates/java +install -m 755 keystore %{buildroot}%{_prefix}/lib/ca-certificates/java +install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts +install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/gcj-cacerts +%endif %post # this is just needed for those updating Factory, @@ -81,6 +127,14 @@ fi # as openssl changed the hash format between 0.9.8 and 1.0 update-ca-certificates -f || true +%if %{with java} +%post -n gcj-compat-ca-certificates +update-ca-certificates || true + +%post -n java-ca-certificates +update-ca-certificates || true +%endif + %clean rm -rf %{buildroot} 
@@ -100,5 +154,21 @@ rm -rf %{buildroot} %{_prefix}/lib/ca-certificates/update.d/* %{_sbindir}/update-ca-certificates %{_mandir}/man8/update-ca-certificates.8* +%ghost /var/lib/ca-certificates/ca-bundle.pem + +%if %{with java} +%files -n gcj-compat-ca-certificates +%defattr(-, root, root) +%dir %{_prefix}/lib/ca-certificates/java +%{_prefix}/lib/ca-certificates/java/keystore +%ghost /var/lib/ca-certificates/gcj-cacerts + +%files -n java-ca-certificates +%defattr(-, root, root) +%dir %{_prefix}/lib/ca-certificates/java +%{_prefix}/lib/ca-certificates/java/keystore.jar +%ghost /var/lib/ca-certificates/java-cacerts + +%endif %changelog diff --git a/java.run b/java.run new file mode 100644 index 0000000..022be5b --- /dev/null +++ b/java.run 
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+unset ${!LC_*} ${!RC_LC_*} LANGUAGE RC_LANG
+export LANG=en_US
+
+set -e
+
+libexecdir="/usr/lib/ca-certificates/java/"
+cafile="/var/lib/ca-certificates/java-cacerts"
+cafile_gcj="/var/lib/ca-certificates/gcj-cacerts"
+cadir="/etc/ssl/certs"
+
+tmppem="$cafile.tmp"
+
+cleanup()
+{
+ rm -rf "$tmppem"
+}
+trap cleanup EXIT
+
+for i in "$@"; do
+ if [ "$i" = "-f" ]; then
+ fresh=1
+ elif [ "$i" = "-v" ]; then
+ verbose=1
+ fi
+done
+
+umask 0022
+
+if [ -z "$JAVA_HOME" -a -r /etc/profile.d/alljava.sh ]; then
+ . /etc/profile.d/alljava.sh
+fi
+
+if [ -n "$JAVA_HOME" ]; then
+ java="$JAVA_HOME/bin/java"
+else
+ java=`which java`
+fi
+
+if [ ! -e "$libexecdir"/keystore.jar -a ! -x "$libexecdir"/keystore ]; then
+ # nothing to do
+ exit 0
+fi
+
+mustrun=
+if [ -n "$fresh" ]; then
+ mustrun=1
+fi
+if [ -e "$libexecdir"/keystore.jar -a "$cadir" -nt "$cafile" ]; then
+ mustrun=1
+fi
+if [ -e "$libexecdir"/keystore -a "$cadir" -nt "$cafile_gcj" ]; then
+ mustrun=1
+fi
+
+[ -n "$mustrun" ] || exit 0
+
+mkdir -p ${cafile%/*}
+mkdir -p "$tmppem"
+for i in "$cadir"/*.pem; do
+ # only include certificates trusted for server auth
+ if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
+ trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
+ case "$trust" in
+ *serverAuth*) ;;
+ *) [ -z "$verbose" ] || echo "skipping $i" >&2; continue ;;
+ esac
+ openssl x509 -in "$i" -out "$tmppem/${i##*/}"
+ else
+ ln -s "$i" "$tmppem"
+ fi
+done
+
+if [ -x "$java" ]; then
+ echo "creating $cafile ..."
+ $java -jar $libexecdir/keystore.jar -keystore "$cafile" -cadir "$cadir" "$@"
+fi
+if [ -x "$libexecdir"/keystore ]; then
+ echo "creating $cafile_gcj ..."
+ $libexecdir/keystore -keystore "$cafile_gcj" -cadir "$cadir" "$@"
+fi
+
+# vim: syntax=sh
diff --git a/keystore.java b/keystore.java
new file mode 100644
index 0000000..34ca526
--- /dev/null
+++ b/keystore.java
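Review bot: The loop that fills `$tmppem` with only the certificates trusted for serverAuth has no effect on the result, because both keystore invocations at the end of java.run are given `-cadir "$cadir"` instead of the filtered directory. Since keystore.java only accepts files containing the line `-----BEGIN CERTIFICATE-----`, files in `BEGIN TRUSTED CERTIFICATE` form would be reported as unrecognized instead of being converted and filtered, so the trust check never decides what lands in the Java store. Both calls should pass `-cadir "$tmppem"`, and `$java`, `$libexecdir` and `${cafile%/*}` should be quoted while those lines are touched. The same `-cadir "$cadir"` argument is carried over in the `@@ -76,9 +77,9 @@` hunk of java.run in PATCH 2/9.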
@@ -0,0 +1,235 @@ +/* + * Import system SSL certificates to java keystore + * Copyright (C) 2010 SUSE LINUX Products GmbH + * + * Author: Ludwig Nussel + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * version 2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + */ + +import java.security.KeyStore; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.BufferedInputStream; +import java.io.FilenameFilter; +import java.util.HashSet; +import java.util.Enumeration; +import java.util.Iterator; + +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; + +public class keystore +{ + static HashSet blacklist; + + public static void usage() { + System.err.println("Usage: java keystore -keystore -cadir [-storepass |-f|-v]"); + System.err.println(""); + System.err.println(" -keystore \tname of final keystore (required)"); + System.err.println(" -cadir \t\tdirectory contains certificates (required)"); + System.err.println(" -storepass \tthe password"); + System.err.println(" -f\t\t\t\tfresh existing keystore"); + System.err.println(" -v\t\t\t\tbe verbose"); + System.err.println(" -h/--help\t\t\tshow this help"); + } + + public static void main(String[] args) + throws java.security.KeyStoreException, + java.security.NoSuchAlgorithmException, + java.security.cert.CertificateException, + java.io.FileNotFoundException, + java.io.IOException + { + char[] 
password = null; + String ksfilename = null; + String cadirname = null; + boolean verbose = false; + boolean fresh = false; + + if (args.length == 0) { + usage(); + System.exit(1); + } + + + if (!System.getProperty("java.vendor").equals("Free Software Foundation, Inc.")) { + password = "changeit".toCharArray(); + } + + for (int i = 0; i < args.length; ++i) { + if (args[i].equals("-keystore")) { + ksfilename = args[++i]; + } else if (args[i].equals("-cadir")) { + cadirname = args[++i]; + } else if (args[i].equals("-storepass")) { + password = args[++i].toCharArray(); + } else if (args[i].equals("-v")) { + verbose = true; + } else if (args[i].equals("-f")) { + fresh = true; + } else if (args[i].equals("-h") || args[i].equals("--help")) { + usage(); + System.exit(1); + } else { + System.err.println("invalid argument: " + args[i]); + System.err.println("type -h/--help for help"); + System.exit(1); + } + } + + if (ksfilename == null) { + System.err.println("must specify -keystore"); + return; + } + + if (cadirname == null) { + System.err.println("must specify -cadir"); + return; + } + + File cadir = new File(cadirname); + if (!cadir.isDirectory()) { + System.err.println("cadir is not a directory"); + return; + } + + blacklist = new HashSet(); + // XXX: make a file +// blacklist.add("foo"); + + String certs[] = cadir.list(new FilenameFilter(){ + public boolean accept(File dir, String name) + { + if (!name.endsWith(".pem")) { + return false; + } + if (blacklist.contains(name)) { + return false; + } + return true; + } + }); + + KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); + + FileInputStream storein = null; + try { + File f = new File(ksfilename); + if (!fresh && f.exists()) { + storein = new FileInputStream(ksfilename); + } + ks.load(storein, password); + } finally { + if (storein != null) { + storein.close(); + } + } + + HashSet known = new HashSet(); + for (Enumeration a = ks.aliases(); a.hasMoreElements();) { + known.add(a.nextElement()); + } + + 
CertificateFactory cf = CertificateFactory.getInstance("X509"); + int added = 0; + int removed = 0; + + for (int i = 0; i < certs.length; ++i) { + BufferedInputStream f = new BufferedInputStream(new FileInputStream(cadirname+"/"+certs[i])); + String marker = "-----BEGIN CERTIFICATE-----"; + boolean found = false; + + f.mark(80); + String line; + String alias = null; + // we need to parse and skip the "header" + while((line = readline(f)) != null) { + if (line.equals(marker)) { + f.reset(); + found = true; + break; + } else if (line.startsWith("# alias=")) { + // FIXME: somehow UTF-8 encoding must be enforced here + alias = line.substring(8); + } + f.mark(80); + } + if (found) { + if (alias == null) { + alias = certs[i].substring(0, certs[i].length()-4); // without .pem + } + alias = alias.toLowerCase(); + try { + X509Certificate cert = (X509Certificate)cf.generateCertificate(f); + if (known.contains(alias)) { + if (verbose) + System.out.println("already known: " + alias); + known.remove(alias); + } else { + if (verbose) + System.out.println("adding " + alias); + ks.setCertificateEntry(alias, cert); + ++added; + } + } catch (java.security.cert.CertificateException ex) { + System.err.println("imporing " + certs[i] + " failed: " + ex.getCause()); + } + } else { + System.out.println("skipping file with unrecognized format: " + certs[i]); + } + } + + if (!known.isEmpty()) { + for (Iterator it = known.iterator(); it.hasNext();) { + String alias = it.next(); + if (verbose) + System.out.println("removing " + alias); + ks.deleteEntry(alias); + ++removed; + } + } + + if (added != 0 || removed != 0) { + FileOutputStream storeout = new FileOutputStream(ksfilename); + ks.store(storeout, password); + storeout.close(); + } + + System.out.println(added + " added, " + removed + " removed."); + } + + public static String readline(BufferedInputStream in) + throws java.io.IOException + { + StringBuffer buf = new StringBuffer(80); + int c = in.read(); + while(c != -1 && c != '\n' && c 
!= '\r') { + buf.append((char)c); + c = in.read(); + } + if (c == '\r') { + in.mark(1); + c = in.read(); + if (c != '\n') + in.reset(); + } + if (buf.length() == 0) + return null; + + return buf.toString(); + } +} diff --git a/update-ca-certificates b/update-ca-certificates index 2279c2a..76b0091 100644 --- a/update-ca-certificates +++ b/update-ca-certificates @@ -107,8 +107,6 @@ if (open(F, '<', $certsconf)) { close F; } -print "Updating certificates in $etccertsdir...\n"; - if ($opt_fresh || %whitelist) { for my $f (glob "$etccertsdir/*" ) { next unless -l $f; @@ -160,19 +158,20 @@ for my $f (glob "$etccertsdir/*.pem") { } } +chdir $etccertsdir || die "$!"; if (%added || %removed || $opt_fresh) { - chdir $etccertsdir || die "$!"; + print "Updating certificates in $etccertsdir...\n"; my $redir = ($opt_verbose?'':'> /dev/null'); system("c_rehash . $redir"); - my @args; - push @args, '-f' if $opt_fresh; - push @args, '-v' if $opt_verbose; - for my $f (glob("$hooksdir2/*.run"), glob("$hooksdir1/*.run")) { - system($f, @args); - } + printf("%d added, %d removed.\n", + (%added?(scalar keys %added):0), + (%removed?(scalar keys %removed):0)); } -printf("%d added, %d removed.\n", - (%added?(scalar keys %added):0), - (%removed?(scalar keys %removed):0)); +my @args; +push @args, '-f' if $opt_fresh; +push @args, '-v' if $opt_verbose; +for my $f (glob("$hooksdir2/*.run"), glob("$hooksdir1/*.run")) { + system($f, @args); +} From 766ed7db1a36ddd30abf22ae3839baaa2817ce1061b5806ee6529f3cc6e3ea89 Mon Sep 17 00:00:00 2001 
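Review bot: In the import loop of main() in keystore.java, an alias that already exists in the keystore is treated as up to date without comparing the stored certificate with the one just parsed, so a .pem file whose content was replaced under the same name keeps its old certificate in the Java store until the tool is run with -f. Comparing against `ks.getCertificate(alias)` and overwriting on mismatch closes that gap; the alias has to leave `known` in both branches, otherwise the removal pass further down would delete the entry that was just written. Separately, the per-file `BufferedInputStream f` is never closed and `args[++i]` is read without checking that a value follows the option.

```java
X509Certificate cert = (X509Certificate)cf.generateCertificate(f);
// remove() reports whether the alias was already stored
boolean present = known.remove(alias);
if (present && cert.equals(ks.getCertificate(alias))) {
    if (verbose)
        System.out.println("already known: " + alias);
} else {
    if (verbose)
        System.out.println((present ? "replacing " : "adding ") + alias);
    ks.setCertificateEntry(alias, cert);
    ++added;
}
// … unchanged: catch (CertificateException) and the "unrecognized format" branch …
```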
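Review bot: The hook loop that update-ca-certificates now runs on every invocation discards the return value of `system($f, @args)`, so a hook that stops early (java.run runs under `set -e`) leaves its keystore out of date without anything being reported. Checking the status, for example `system($f, @args) == 0 or warn "$f failed: $?\n";`, makes a failed trust-store refresh visible to whoever runs the tool. The script continues outside this hunk, so whether a non-zero exit code should also be propagated is left to the surrounding code.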
From: Ludwig Nussel Date: Tue, 25 May 2010 11:02:20 +0000 Subject: [PATCH 2/9] Accepting request 40475 from home:mvyskocil:branches:Base:System Copy from home:mvyskocil:branches:Base:System/ca-certificates via accept of submit request 40475 revision 4. Request was accepted with message: ok OBS-URL: https://build.opensuse.org/request/show/40475 OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates?expand=0&rev=15 --- ca-certificates.changes | 6 ++++++ ca-certificates.spec | 42 ++++++++++++++--------------------------- java.run | 13 +++++++------ 3 files changed, 27 insertions(+), 34 deletions(-) diff --git a/ca-certificates.changes b/ca-certificates.changes index fab4fe2..75e3ca7 100644 --- a/ca-certificates.changes +++ b/ca-certificates.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri May 21 12:46:55 UTC 2010 - mvyskocil@suse.cz + +* Use the gcc-java and fastjar for build to avoid dependency problems +* build keystore.class only to allow noarch package + ------------------------------------------------------------------- Wed May 19 09:57:41 UTC 2010 - lnussel@suse.de diff --git a/ca-certificates.spec b/ca-certificates.spec index 45869b5..62496a7 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -21,8 +21,8 @@ BuildRequires: openssl %if %{with java} -BuildRequires: java-devel BuildRequires: gcc-java +BuildRequires: fastjar %endif Name: ca-certificates 
@@ -50,33 +50,24 @@ Recommends: ca-certificates-mozilla # gone when a package providing actual certificates gets # installed (bnc#594434). Obsoletes: openssl-certs < 0.9.9 +BuildArch: noarch %if %{with java} -%package -n gcj-compat-ca-certificates +%package -n java-ca-certificates Group: Productivity/Networking/Security Summary: Utilities CA certificate import to gcj Requires(post): ca-certificates Supplements: packageand(gcj-compat:ca-certificates) - -%package -n java-ca-certificates -Group: Productivity/Networking/Security -Summary: Utilities CA certificate import to java -Requires(post): ca-certificates -Supplements: packageand(java-1_6_0-sun:ca-certificates) Supplements: packageand(java-1_6_0-openjdk:ca-certificates) - +Supplements: packageand(java-1_6_0-sun:ca-certificates) %endif %description Utilities for system wide CA certificate installation %if %{with java} -%description -n gcj-compat-ca-certificates -Utilities CA certificate import to gcj - %description -n java-ca-certificates -Utilities CA certificate import to java - +Utilities for CA certificate installation for gcj and openjdk Java %endif %prep @@ -87,9 +78,14 @@ install -m 644 %{SOURCE2} COPYING %build %if %{with java} -javac -d . %SOURCE4 -jar cfe keystore.jar keystore keystore*.class -gcj %SOURCE4 --main=keystore -o keystore +gcj -C %SOURCE4 -d . +# emulate -e option of jar for fastjar +cat < MANIFEST.MF +Manifest-Version: 1.0 +Created-By: 0.98 +Main-Class: keystore +EOF +fastjar cfm keystore.jar MANIFEST.MF keystore*.class %endif %install 
@@ -111,7 +107,6 @@ install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/ca-bundle.pem %if %{with java} mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/java install -m 644 keystore.jar %{buildroot}%{_prefix}/lib/ca-certificates/java -install -m 755 keystore %{buildroot}%{_prefix}/lib/ca-certificates/java install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/gcj-cacerts %endif @@ -128,9 +123,6 @@ fi update-ca-certificates -f || true %if %{with java} -%post -n gcj-compat-ca-certificates -update-ca-certificates || true - %post -n java-ca-certificates update-ca-certificates || true %endif @@ -157,18 +149,12 @@ rm -rf %{buildroot} %ghost /var/lib/ca-certificates/ca-bundle.pem %if %{with java} -%files -n gcj-compat-ca-certificates -%defattr(-, root, root) -%dir %{_prefix}/lib/ca-certificates/java -%{_prefix}/lib/ca-certificates/java/keystore -%ghost /var/lib/ca-certificates/gcj-cacerts - %files -n java-ca-certificates %defattr(-, root, root) %dir %{_prefix}/lib/ca-certificates/java %{_prefix}/lib/ca-certificates/java/keystore.jar %ghost /var/lib/ca-certificates/java-cacerts - +%ghost /var/lib/ca-certificates/gcj-cacerts %endif %changelog diff --git a/java.run b/java.run index 022be5b..29f6963 100644 --- a/java.run +++ b/java.run @@ -38,7 +38,11 @@ else java=`which java` fi -if [ ! -e "$libexecdir"/keystore.jar -a ! -x "$libexecdir"/keystore ]; then +if [[ $(readlink -f "${java}") =~ gij ]]; then + java="" +fi + +if [ ! -e "$libexecdir"/keystore.jar ]; then # nothing to do exit 0 fi @@ -50,9 +54,6 @@ fi if [ -e "$libexecdir"/keystore.jar -a "$cadir" -nt "$cafile" ]; then mustrun=1 fi -if [ -e "$libexecdir"/keystore -a "$cadir" -nt "$cafile_gcj" ]; then - mustrun=1 -fi [ -n "$mustrun" ] || exit 0 
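Review bot: The new test `[[ $(readlink -f "${java}") =~ gij ]]` in java.run matches the three letters anywhere in the resolved path, so a JVM installed under a directory whose name merely contains "gij" would have `java` cleared and `$cafile` silently not regenerated. Testing only the final path component keeps the intent: `real=$(readlink -f "$java")` followed by `[[ "${real##*/}" == gij* ]]`. With `set -e` active, the `which java` assignment in the context line above also ends the script with an error when no java is on PATH, which presumably is not the intended way to skip the hook.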
@@ -76,9 +77,9 @@ if [ -x "$java" ]; then echo "creating $cafile ..." $java -jar $libexecdir/keystore.jar -keystore "$cafile" -cadir "$cadir" "$@" fi -if [ -x "$libexecdir"/keystore ]; then +if [ -x "/usr/bin/gij" ]; then echo "creating $cafile_gcj ..." - $libexecdir/keystore -keystore "$cafile_gcj" -cadir "$cadir" "$@" + /usr/bin/gij -jar $libexecdir/keystore.jar -keystore "$cafile_gcj" -cadir "$cadir" "$@" fi # vim: syntax=sh From 61c123a8c215c68bb54199970862a7430bd05b030a179de768b4ad403875ef00 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Fri, 28 May 2010 15:02:25 +0000 Subject: [PATCH 3/9] Accepting request 40676 from Base:System checked in (request 40676) OBS-URL: https://build.opensuse.org/request/show/40676 OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates?expand=0&rev=16 --- ca-certificates.changes | 11 -- ca-certificates.spec | 58 +--------- java.run | 85 --------------- keystore.java | 235 ---------------------------------------- update-ca-certificates | 23 ++-- 5 files changed, 13 insertions(+), 399 deletions(-) delete mode 100644 java.run delete mode 100644 keystore.java diff --git a/ca-certificates.changes b/ca-certificates.changes index 75e3ca7..a1bdbb3 100644 --- a/ca-certificates.changes +++ b/ca-certificates.changes @@ -1,14 +1,3 @@ -------------------------------------------------------------------- -Fri May 21 12:46:55 UTC 2010 - mvyskocil@suse.cz - -* Use the gcc-java and fastjar for build to avoid dependency problems -* build keystore.class only to allow noarch package - -------------------------------------------------------------------- -Wed May 19 09:57:41 UTC 2010 - lnussel@suse.de - -- create java bundles - ------------------------------------------------------------------- Tue Apr 27 14:17:24 UTC 2010 - lnussel@suse.de diff --git a/ca-certificates.spec b/ca-certificates.spec index 62496a7..62490c0 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec 
@@ -17,13 +17,7 @@ # norootforbuild -%bcond_without java - BuildRequires: openssl -%if %{with java} -BuildRequires: gcc-java -BuildRequires: fastjar -%endif Name: ca-certificates %define ssletcdir %{_sysconfdir}/ssl @@ -39,9 +33,8 @@ Source0: update-ca-certificates Source1: update-ca-certificates.8 Source2: GPL-2.0.txt Source3: certbundle.run -Source4: keystore.java -Source5: java.run BuildRoot: %{_tmppath}/%{name}-%{version}-build +BuildArch: noarch Url: http://gitorious.org/opensuse/ca-certificates # Requires: openssl @@ -50,26 +43,10 @@ Recommends: ca-certificates-mozilla # gone when a package providing actual certificates gets # installed (bnc#594434). Obsoletes: openssl-certs < 0.9.9 -BuildArch: noarch - -%if %{with java} -%package -n java-ca-certificates -Group: Productivity/Networking/Security -Summary: Utilities CA certificate import to gcj -Requires(post): ca-certificates -Supplements: packageand(gcj-compat:ca-certificates) -Supplements: packageand(java-1_6_0-openjdk:ca-certificates) -Supplements: packageand(java-1_6_0-sun:ca-certificates) -%endif %description Utilities for system wide CA certificate installation -%if %{with java} -%description -n java-ca-certificates -Utilities for CA certificate installation for gcj and openjdk Java -%endif - %prep %setup -qcT install -m 755 %{SOURCE0} . @@ -77,16 +54,6 @@ install -m 644 %{SOURCE1} . install -m 644 %{SOURCE2} COPYING %build -%if %{with java} -gcj -C %SOURCE4 -d . -# emulate -e option of jar for fastjar -cat < MANIFEST.MF -Manifest-Version: 1.0 -Created-By: 0.98 -Main-Class: keystore -EOF -fastjar cfm keystore.jar MANIFEST.MF keystore*.class -%endif %install mkdir -p %{buildroot}/%{etccadir} 
@@ -98,18 +65,10 @@ mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/update.d install -D -m 644 /dev/null %{buildroot}/%{cabundle} install -m 644 /dev/null %{buildroot}/etc/ca-certificates.conf install -m 755 %{SOURCE3} %{buildroot}%{_prefix}/lib/ca-certificates/update.d -install -m 755 %{SOURCE5} %{buildroot}%{_prefix}/lib/ca-certificates/update.d ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem install -m 755 update-ca-certificates %{buildroot}/%{_sbindir} install -m 644 update-ca-certificates.8 %{buildroot}/%{_mandir}/man8 -install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/ca-bundle.pem -%if %{with java} -mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/java -install -m 644 keystore.jar %{buildroot}%{_prefix}/lib/ca-certificates/java -install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts -install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/gcj-cacerts -%endif %post # this is just needed for those updating Factory, @@ -122,11 +81,6 @@ fi # as openssl changed the hash format between 0.9.8 and 1.0 update-ca-certificates -f || true -%if %{with java} -%post -n java-ca-certificates -update-ca-certificates || true -%endif - %clean rm -rf %{buildroot} @@ -146,15 +100,5 @@ rm -rf %{buildroot} %{_prefix}/lib/ca-certificates/update.d/* %{_sbindir}/update-ca-certificates %{_mandir}/man8/update-ca-certificates.8* -%ghost /var/lib/ca-certificates/ca-bundle.pem - -%if %{with java} -%files -n java-ca-certificates -%defattr(-, root, root) -%dir %{_prefix}/lib/ca-certificates/java -%{_prefix}/lib/ca-certificates/java/keystore.jar -%ghost /var/lib/ca-certificates/java-cacerts -%ghost /var/lib/ca-certificates/gcj-cacerts -%endif %changelog diff --git a/java.run b/java.run deleted file mode 100644 index 29f6963..0000000 --- a/java.run +++ /dev/null 
@@ -1,85 +0,0 @@ -#!/bin/bash - -unset ${!LC_*} ${!RC_LC_*} LANGUAGE RC_LANG -export LANG=en_US - -set -e - -libexecdir="/usr/lib/ca-certificates/java/" -cafile="/var/lib/ca-certificates/java-cacerts" -cafile_gcj="/var/lib/ca-certificates/gcj-cacerts" -cadir="/etc/ssl/certs" - -tmppem="$cafile.tmp" - -cleanup() -{ - rm -rf "$tmppem" -} -trap cleanup EXIT - -for i in "$@"; do - if [ "$i" = "-f" ]; then - fresh=1 - elif [ "$i" = "-v" ]; then - verbose=1 - fi -done - -umask 0022 - -if [ -z "$JAVA_HOME" -a -r /etc/profile.d/alljava.sh ]; then - . /etc/profile.d/alljava.sh -fi - -if [ -n "$JAVA_HOME" ]; then - java="$JAVA_HOME/bin/java" -else - java=`which java` -fi - -if [[ $(readlink -f "${java}") =~ gij ]]; then - java="" -fi - -if [ ! -e "$libexecdir"/keystore.jar ]; then - # nothing to do - exit 0 -fi - -mustrun= -if [ -n "$fresh" ]; then - mustrun=1 -fi -if [ -e "$libexecdir"/keystore.jar -a "$cadir" -nt "$cafile" ]; then - mustrun=1 -fi - -[ -n "$mustrun" ] || exit 0 - -mkdir -p ${cafile%/*} -mkdir -p "$tmppem" -for i in "$cadir"/*.pem; do - # only include certificates trusted for server auth - if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then - trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"` - case "$trust" in - *serverAuth*) ;; - *) [ -z "$verbose" ] || echo "skipping $i" >&2; continue ;; - esac - openssl x509 -in "$i" -out "$tmppem/${i##*/}" - else - ln -s "$i" "$tmppem" - fi -done - -if [ -x "$java" ]; then - echo "creating $cafile ..." - $java -jar $libexecdir/keystore.jar -keystore "$cafile" -cadir "$cadir" "$@" -fi -if [ -x "/usr/bin/gij" ]; then - echo "creating $cafile_gcj ..." - /usr/bin/gij -jar $libexecdir/keystore.jar -keystore "$cafile_gcj" -cadir "$cadir" "$@" -fi - -# vim: syntax=sh diff --git a/keystore.java b/keystore.java deleted file mode 100644 index 34ca526..0000000 --- a/keystore.java +++ /dev/null 
@@ -1,235 +0,0 @@ -/* - * Import system SSL certificates to java keystore - * Copyright (C) 2010 SUSE LINUX Products GmbH - * - * Author: Ludwig Nussel - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * version 2 as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * - */ - -import java.security.KeyStore; -import java.io.File; -import java.io.FileInputStream; -import java.io.FileOutputStream; -import java.io.BufferedInputStream; -import java.io.FilenameFilter; -import java.util.HashSet; -import java.util.Enumeration; -import java.util.Iterator; - -import java.security.cert.CertificateFactory; -import java.security.cert.X509Certificate; - -public class keystore -{ - static HashSet blacklist; - - public static void usage() { - System.err.println("Usage: java keystore -keystore -cadir [-storepass |-f|-v]"); - System.err.println(""); - System.err.println(" -keystore \tname of final keystore (required)"); - System.err.println(" -cadir \t\tdirectory contains certificates (required)"); - System.err.println(" -storepass \tthe password"); - System.err.println(" -f\t\t\t\tfresh existing keystore"); - System.err.println(" -v\t\t\t\tbe verbose"); - System.err.println(" -h/--help\t\t\tshow this help"); - } - - public static void main(String[] args) - throws java.security.KeyStoreException, - java.security.NoSuchAlgorithmException, - java.security.cert.CertificateException, - java.io.FileNotFoundException, - java.io.IOException - { - char[] 
password = null; - String ksfilename = null; - String cadirname = null; - boolean verbose = false; - boolean fresh = false; - - if (args.length == 0) { - usage(); - System.exit(1); - } - - - if (!System.getProperty("java.vendor").equals("Free Software Foundation, Inc.")) { - password = "changeit".toCharArray(); - } - - for (int i = 0; i < args.length; ++i) { - if (args[i].equals("-keystore")) { - ksfilename = args[++i]; - } else if (args[i].equals("-cadir")) { - cadirname = args[++i]; - } else if (args[i].equals("-storepass")) { - password = args[++i].toCharArray(); - } else if (args[i].equals("-v")) { - verbose = true; - } else if (args[i].equals("-f")) { - fresh = true; - } else if (args[i].equals("-h") || args[i].equals("--help")) { - usage(); - System.exit(1); - } else { - System.err.println("invalid argument: " + args[i]); - System.err.println("type -h/--help for help"); - System.exit(1); - } - } - - if (ksfilename == null) { - System.err.println("must specify -keystore"); - return; - } - - if (cadirname == null) { - System.err.println("must specify -cadir"); - return; - } - - File cadir = new File(cadirname); - if (!cadir.isDirectory()) { - System.err.println("cadir is not a directory"); - return; - } - - blacklist = new HashSet(); - // XXX: make a file -// blacklist.add("foo"); - - String certs[] = cadir.list(new FilenameFilter(){ - public boolean accept(File dir, String name) - { - if (!name.endsWith(".pem")) { - return false; - } - if (blacklist.contains(name)) { - return false; - } - return true; - } - }); - - KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); - - FileInputStream storein = null; - try { - File f = new File(ksfilename); - if (!fresh && f.exists()) { - storein = new FileInputStream(ksfilename); - } - ks.load(storein, password); - } finally { - if (storein != null) { - storein.close(); - } - } - - HashSet known = new HashSet(); - for (Enumeration a = ks.aliases(); a.hasMoreElements();) { - known.add(a.nextElement()); - } - - 
CertificateFactory cf = CertificateFactory.getInstance("X509"); - int added = 0; - int removed = 0; - - for (int i = 0; i < certs.length; ++i) { - BufferedInputStream f = new BufferedInputStream(new FileInputStream(cadirname+"/"+certs[i])); - String marker = "-----BEGIN CERTIFICATE-----"; - boolean found = false; - - f.mark(80); - String line; - String alias = null; - // we need to parse and skip the "header" - while((line = readline(f)) != null) { - if (line.equals(marker)) { - f.reset(); - found = true; - break; - } else if (line.startsWith("# alias=")) { - // FIXME: somehow UTF-8 encoding must be enforced here - alias = line.substring(8); - } - f.mark(80); - } - if (found) { - if (alias == null) { - alias = certs[i].substring(0, certs[i].length()-4); // without .pem - } - alias = alias.toLowerCase(); - try { - X509Certificate cert = (X509Certificate)cf.generateCertificate(f); - if (known.contains(alias)) { - if (verbose) - System.out.println("already known: " + alias); - known.remove(alias); - } else { - if (verbose) - System.out.println("adding " + alias); - ks.setCertificateEntry(alias, cert); - ++added; - } - } catch (java.security.cert.CertificateException ex) { - System.err.println("imporing " + certs[i] + " failed: " + ex.getCause()); - } - } else { - System.out.println("skipping file with unrecognized format: " + certs[i]); - } - } - - if (!known.isEmpty()) { - for (Iterator it = known.iterator(); it.hasNext();) { - String alias = it.next(); - if (verbose) - System.out.println("removing " + alias); - ks.deleteEntry(alias); - ++removed; - } - } - - if (added != 0 || removed != 0) { - FileOutputStream storeout = new FileOutputStream(ksfilename); - ks.store(storeout, password); - storeout.close(); - } - - System.out.println(added + " added, " + removed + " removed."); - } - - public static String readline(BufferedInputStream in) - throws java.io.IOException - { - StringBuffer buf = new StringBuffer(80); - int c = in.read(); - while(c != -1 && c != '\n' && c 
!= '\r') { - buf.append((char)c); - c = in.read(); - } - if (c == '\r') { - in.mark(1); - c = in.read(); - if (c != '\n') - in.reset(); - } - if (buf.length() == 0) - return null; - - return buf.toString(); - } -} diff --git a/update-ca-certificates b/update-ca-certificates index 76b0091..2279c2a 100644 --- a/update-ca-certificates +++ b/update-ca-certificates @@ -107,6 +107,8 @@ if (open(F, '<', $certsconf)) { close F; } +print "Updating certificates in $etccertsdir...\n"; + if ($opt_fresh || %whitelist) { for my $f (glob "$etccertsdir/*" ) { next unless -l $f; @@ -158,20 +160,19 @@ for my $f (glob "$etccertsdir/*.pem") { } } -chdir $etccertsdir || die "$!"; if (%added || %removed || $opt_fresh) { - print "Updating certificates in $etccertsdir...\n"; + chdir $etccertsdir || die "$!"; my $redir = ($opt_verbose?'':'> /dev/null'); system("c_rehash . $redir"); - printf("%d added, %d removed.\n", - (%added?(scalar keys %added):0), - (%removed?(scalar keys %removed):0)); + my @args; + push @args, '-f' if $opt_fresh; + push @args, '-v' if $opt_verbose; + for my $f (glob("$hooksdir2/*.run"), glob("$hooksdir1/*.run")) { + system($f, @args); + } } -my @args; -push @args, '-f' if $opt_fresh; -push @args, '-v' if $opt_verbose; -for my $f (glob("$hooksdir2/*.run"), glob("$hooksdir1/*.run")) { - system($f, @args); -} +printf("%d added, %d removed.\n", + (%added?(scalar keys %added):0), + (%removed?(scalar keys %removed):0)); From 3432b108f15257f937279dd33cbb3e18e469e0d44085159c9370eca200668123 Mon Sep 17 00:00:00 2001 
From: Stephan Kulow Date: Thu, 16 Sep 2010 10:18:50 +0000 Subject: [PATCH 4/9] OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates?expand=0&rev=17 --- ca-certificates.changes | 11 ++ ca-certificates.spec | 65 ++++++++++- java.run | 85 +++++++++++++++ keystore.java | 235 ++++++++++++++++++++++++++++++++++++++++ update-ca-certificates | 23 ++-- 5 files changed, 405 insertions(+), 14 deletions(-) create mode 100644 java.run create mode 100644 keystore.java diff --git a/ca-certificates.changes b/ca-certificates.changes index a1bdbb3..75e3ca7 100644 --- a/ca-certificates.changes +++ b/ca-certificates.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Fri May 21 12:46:55 UTC 2010 - mvyskocil@suse.cz + +* Use the gcc-java and fastjar for build to avoid dependency problems +* build keystore.class only to allow noarch package + +------------------------------------------------------------------- +Wed May 19 09:57:41 UTC 2010 - lnussel@suse.de + +- create java bundles + ------------------------------------------------------------------- Tue Apr 27 14:17:24 UTC 2010 - lnussel@suse.de diff --git a/ca-certificates.spec b/ca-certificates.spec index 62490c0..f00b532 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -17,7 +17,13 @@ # norootforbuild +%bcond_without java + BuildRequires: openssl +%if %{with java} +BuildRequires: gcc-java +BuildRequires: fastjar +%endif Name: ca-certificates %define ssletcdir %{_sysconfdir}/ssl 
@@ -27,14 +33,15 @@ Name: ca-certificates License: GPLv2+ Group: Productivity/Networking/Security Version: 1 -Release: 4 +Release: 5 Summary: Utilities for system wide CA certificate installation Source0: update-ca-certificates Source1: update-ca-certificates.8 Source2: GPL-2.0.txt Source3: certbundle.run +Source4: keystore.java +Source5: java.run BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildArch: noarch Url: http://gitorious.org/opensuse/ca-certificates # Requires: openssl @@ -43,10 +50,29 @@ Recommends: ca-certificates-mozilla # gone when a package providing actual certificates gets # installed (bnc#594434). Obsoletes: openssl-certs < 0.9.9 +BuildArch: noarch + +%if %{with java} + +%package -n java-ca-certificates +License: GPLv2+ +Group: Productivity/Networking/Security +Summary: Utilities CA certificate import to gcj +Requires(post): ca-certificates +Supplements: packageand(gcj-compat:ca-certificates) +Supplements: packageand(java-1_6_0-openjdk:ca-certificates) +Supplements: packageand(java-1_6_0-sun:ca-certificates) +%endif %description Utilities for system wide CA certificate installation +%if %{with java} + +%description -n java-ca-certificates +Utilities for CA certificate installation for gcj and openjdk Java +%endif + %prep %setup -qcT install -m 755 %{SOURCE0} . @@ -54,6 +80,16 @@ install -m 644 %{SOURCE1} . install -m 644 %{SOURCE2} COPYING %build +%if %{with java} +gcj -C %SOURCE4 -d . +# emulate -e option of jar for fastjar +cat < MANIFEST.MF +Manifest-Version: 1.0 +Created-By: 0.98 +Main-Class: keystore +EOF +fastjar cfm keystore.jar MANIFEST.MF keystore*.class +%endif %install mkdir -p %{buildroot}/%{etccadir} 
@@ -65,10 +101,18 @@ mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/update.d install -D -m 644 /dev/null %{buildroot}/%{cabundle} install -m 644 /dev/null %{buildroot}/etc/ca-certificates.conf install -m 755 %{SOURCE3} %{buildroot}%{_prefix}/lib/ca-certificates/update.d +install -m 755 %{SOURCE5} %{buildroot}%{_prefix}/lib/ca-certificates/update.d ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem install -m 755 update-ca-certificates %{buildroot}/%{_sbindir} install -m 644 update-ca-certificates.8 %{buildroot}/%{_mandir}/man8 +install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/ca-bundle.pem +%if %{with java} +mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/java +install -m 644 keystore.jar %{buildroot}%{_prefix}/lib/ca-certificates/java +install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts +install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/gcj-cacerts +%endif %post # this is just needed for those updating Factory, @@ -81,6 +125,12 @@ fi # as openssl changed the hash format between 0.9.8 and 1.0 update-ca-certificates -f || true +%if %{with java} + +%post -n java-ca-certificates +update-ca-certificates || true +%endif + %clean rm -rf %{buildroot} @@ -100,5 +150,16 @@ rm -rf %{buildroot} %{_prefix}/lib/ca-certificates/update.d/* %{_sbindir}/update-ca-certificates %{_mandir}/man8/update-ca-certificates.8* +%ghost /var/lib/ca-certificates/ca-bundle.pem + +%if %{with java} + +%files -n java-ca-certificates +%defattr(-, root, root) +%dir %{_prefix}/lib/ca-certificates/java +%{_prefix}/lib/ca-certificates/java/keystore.jar +%ghost /var/lib/ca-certificates/java-cacerts +%ghost /var/lib/ca-certificates/gcj-cacerts +%endif %changelog diff --git a/java.run b/java.run new file mode 100644 index 0000000..29f6963 --- /dev/null +++ b/java.run 
@@ -0,0 +1,85 @@ +#!/bin/bash + +unset ${!LC_*} ${!RC_LC_*} LANGUAGE RC_LANG +export LANG=en_US + +set -e + +libexecdir="/usr/lib/ca-certificates/java/" +cafile="/var/lib/ca-certificates/java-cacerts" +cafile_gcj="/var/lib/ca-certificates/gcj-cacerts" +cadir="/etc/ssl/certs" + +tmppem="$cafile.tmp" + +cleanup() +{ + rm -rf "$tmppem" +} +trap cleanup EXIT + +for i in "$@"; do + if [ "$i" = "-f" ]; then + fresh=1 + elif [ "$i" = "-v" ]; then + verbose=1 + fi +done + +umask 0022 + +if [ -z "$JAVA_HOME" -a -r /etc/profile.d/alljava.sh ]; then + . /etc/profile.d/alljava.sh +fi + +if [ -n "$JAVA_HOME" ]; then + java="$JAVA_HOME/bin/java" +else + java=`which java` +fi + +if [[ $(readlink -f "${java}") =~ gij ]]; then + java="" +fi + +if [ ! -e "$libexecdir"/keystore.jar ]; then + # nothing to do + exit 0 +fi + +mustrun= +if [ -n "$fresh" ]; then + mustrun=1 +fi +if [ -e "$libexecdir"/keystore.jar -a "$cadir" -nt "$cafile" ]; then + mustrun=1 +fi + +[ -n "$mustrun" ] || exit 0 + +mkdir -p ${cafile%/*} +mkdir -p "$tmppem" +for i in "$cadir"/*.pem; do + # only include certificates trusted for server auth + if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then + trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"` + case "$trust" in + *serverAuth*) ;; + *) [ -z "$verbose" ] || echo "skipping $i" >&2; continue ;; + esac + openssl x509 -in "$i" -out "$tmppem/${i##*/}" + else + ln -s "$i" "$tmppem" + fi +done + +if [ -x "$java" ]; then + echo "creating $cafile ..." + $java -jar $libexecdir/keystore.jar -keystore "$cafile" -cadir "$cadir" "$@" +fi +if [ -x "/usr/bin/gij" ]; then + echo "creating $cafile_gcj ..." + /usr/bin/gij -jar $libexecdir/keystore.jar -keystore "$cafile_gcj" -cadir "$cadir" "$@" +fi + +# vim: syntax=sh diff --git a/keystore.java b/keystore.java new file mode 100644 index 0000000..34ca526 --- /dev/null +++ b/keystore.java 
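Review bot: The filtered directory built in the `for i in "$cadir"/*.pem` loop is never used, because both keystore invocations at the end of java.run still pass `-cadir "$cadir"`; the serverAuth filter and the `openssl x509` conversion into `$tmppem` therefore have no effect on what is imported. Judging from keystore.java in this patch, which only accepts files containing a `-----BEGIN CERTIFICATE-----` line, files in `BEGIN TRUSTED CERTIFICATE` form would be skipped as unrecognized rather than imported in converted form. Passing the filtered directory looks like the intent: `-cadir "$tmppem"` in both the `$java` and the `/usr/bin/gij` call. `$java`, `$libexecdir` and `${cafile%/*}` are also expanded unquoted and should be quoted.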
@@ -0,0 +1,235 @@ +/* + * Import system SSL certificates to java keystore + * Copyright (C) 2010 SUSE LINUX Products GmbH + * + * Author: Ludwig Nussel + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * version 2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + */ + +import java.security.KeyStore; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.BufferedInputStream; +import java.io.FilenameFilter; +import java.util.HashSet; +import java.util.Enumeration; +import java.util.Iterator; + +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; + +public class keystore +{ + static HashSet blacklist; + + public static void usage() { + System.err.println("Usage: java keystore -keystore -cadir [-storepass |-f|-v]"); + System.err.println(""); + System.err.println(" -keystore \tname of final keystore (required)"); + System.err.println(" -cadir \t\tdirectory contains certificates (required)"); + System.err.println(" -storepass \tthe password"); + System.err.println(" -f\t\t\t\tfresh existing keystore"); + System.err.println(" -v\t\t\t\tbe verbose"); + System.err.println(" -h/--help\t\t\tshow this help"); + } + + public static void main(String[] args) + throws java.security.KeyStoreException, + java.security.NoSuchAlgorithmException, + java.security.cert.CertificateException, + java.io.FileNotFoundException, + java.io.IOException + { + char[] 
password = null; + String ksfilename = null; + String cadirname = null; + boolean verbose = false; + boolean fresh = false; + + if (args.length == 0) { + usage(); + System.exit(1); + } + + + if (!System.getProperty("java.vendor").equals("Free Software Foundation, Inc.")) { + password = "changeit".toCharArray(); + } + + for (int i = 0; i < args.length; ++i) { + if (args[i].equals("-keystore")) { + ksfilename = args[++i]; + } else if (args[i].equals("-cadir")) { + cadirname = args[++i]; + } else if (args[i].equals("-storepass")) { + password = args[++i].toCharArray(); + } else if (args[i].equals("-v")) { + verbose = true; + } else if (args[i].equals("-f")) { + fresh = true; + } else if (args[i].equals("-h") || args[i].equals("--help")) { + usage(); + System.exit(1); + } else { + System.err.println("invalid argument: " + args[i]); + System.err.println("type -h/--help for help"); + System.exit(1); + } + } + + if (ksfilename == null) { + System.err.println("must specify -keystore"); + return; + } + + if (cadirname == null) { + System.err.println("must specify -cadir"); + return; + } + + File cadir = new File(cadirname); + if (!cadir.isDirectory()) { + System.err.println("cadir is not a directory"); + return; + } + + blacklist = new HashSet(); + // XXX: make a file +// blacklist.add("foo"); + + String certs[] = cadir.list(new FilenameFilter(){ + public boolean accept(File dir, String name) + { + if (!name.endsWith(".pem")) { + return false; + } + if (blacklist.contains(name)) { + return false; + } + return true; + } + }); + + KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); + + FileInputStream storein = null; + try { + File f = new File(ksfilename); + if (!fresh && f.exists()) { + storein = new FileInputStream(ksfilename); + } + ks.load(storein, password); + } finally { + if (storein != null) { + storein.close(); + } + } + + HashSet known = new HashSet(); + for (Enumeration a = ks.aliases(); a.hasMoreElements();) { + known.add(a.nextElement()); + } + + 
CertificateFactory cf = CertificateFactory.getInstance("X509"); + int added = 0; + int removed = 0; + + for (int i = 0; i < certs.length; ++i) { + BufferedInputStream f = new BufferedInputStream(new FileInputStream(cadirname+"/"+certs[i])); + String marker = "-----BEGIN CERTIFICATE-----"; + boolean found = false; + + f.mark(80); + String line; + String alias = null; + // we need to parse and skip the "header" + while((line = readline(f)) != null) { + if (line.equals(marker)) { + f.reset(); + found = true; + break; + } else if (line.startsWith("# alias=")) { + // FIXME: somehow UTF-8 encoding must be enforced here + alias = line.substring(8); + } + f.mark(80); + } + if (found) { + if (alias == null) { + alias = certs[i].substring(0, certs[i].length()-4); // without .pem + } + alias = alias.toLowerCase(); + try { + X509Certificate cert = (X509Certificate)cf.generateCertificate(f); + if (known.contains(alias)) { + if (verbose) + System.out.println("already known: " + alias); + known.remove(alias); + } else { + if (verbose) + System.out.println("adding " + alias); + ks.setCertificateEntry(alias, cert); + ++added; + } + } catch (java.security.cert.CertificateException ex) { + System.err.println("imporing " + certs[i] + " failed: " + ex.getCause()); + } + } else { + System.out.println("skipping file with unrecognized format: " + certs[i]); + } + } + + if (!known.isEmpty()) { + for (Iterator it = known.iterator(); it.hasNext();) { + String alias = it.next(); + if (verbose) + System.out.println("removing " + alias); + ks.deleteEntry(alias); + ++removed; + } + } + + if (added != 0 || removed != 0) { + FileOutputStream storeout = new FileOutputStream(ksfilename); + ks.store(storeout, password); + storeout.close(); + } + + System.out.println(added + " added, " + removed + " removed."); + } + + public static String readline(BufferedInputStream in) + throws java.io.IOException + { + StringBuffer buf = new StringBuffer(80); + int c = in.read(); + while(c != -1 && c != '\n' && c 
!= '\r') { + buf.append((char)c); + c = in.read(); + } + if (c == '\r') { + in.mark(1); + c = in.read(); + if (c != '\n') + in.reset(); + } + if (buf.length() == 0) + return null; + + return buf.toString(); + } +} diff --git a/update-ca-certificates b/update-ca-certificates index 2279c2a..76b0091 100644 --- a/update-ca-certificates +++ b/update-ca-certificates @@ -107,8 +107,6 @@ if (open(F, '<', $certsconf)) { close F; } -print "Updating certificates in $etccertsdir...\n"; - if ($opt_fresh || %whitelist) { for my $f (glob "$etccertsdir/*" ) { next unless -l $f; @@ -160,19 +158,20 @@ for my $f (glob "$etccertsdir/*.pem") { } } +chdir $etccertsdir || die "$!"; if (%added || %removed || $opt_fresh) { - chdir $etccertsdir || die "$!"; + print "Updating certificates in $etccertsdir...\n"; my $redir = ($opt_verbose?'':'> /dev/null'); system("c_rehash . $redir"); - my @args; - push @args, '-f' if $opt_fresh; - push @args, '-v' if $opt_verbose; - for my $f (glob("$hooksdir2/*.run"), glob("$hooksdir1/*.run")) { - system($f, @args); - } + printf("%d added, %d removed.\n", + (%added?(scalar keys %added):0), + (%removed?(scalar keys %removed):0)); } -printf("%d added, %d removed.\n", - (%added?(scalar keys %added):0), - (%removed?(scalar keys %removed):0)); +my @args; +push @args, '-f' if $opt_fresh; +push @args, '-v' if $opt_verbose; +for my $f (glob("$hooksdir2/*.run"), glob("$hooksdir1/*.run")) { + system($f, @args); +} From b6f9b628c7fd141624f7f1d2cff1e01c2d0fbdd8ffebaf863750df130cccae5b Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Mon, 27 Sep 2010 14:58:22 +0000 Subject: [PATCH 5/9] - catch FileNotFoundException (bnc#623365) OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates?expand=0&rev=18 --- ca-certificates.changes | 5 +++++ keystore.java | 9 +++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ca-certificates.changes b/ca-certificates.changes index 75e3ca7..dbfcbb3 100644 --- a/ca-certificates.changes 
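Review bot: In the import loop of `main` in keystore.java, an alias that already exists in the keystore is treated as current without comparing the stored certificate with the one just parsed; the `if (known.contains(alias))` branch only prints and removes it from `known`. A CA file that is replaced under the same file name or `# alias=` header therefore keeps its old certificate in the keystore until the tool is run with `-f`. Comparing before skipping closes that gap: `if (!cert.equals(ks.getCertificate(alias))) { ks.setCertificateEntry(alias, cert); ++added; }` inside the `known.contains(alias)` branch. Separately, `args[++i]` for `-keystore`, `-cadir` and `-storepass` reads past the array when the option is the last argument, and the per-file `BufferedInputStream f` is never closed.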
+++ b/ca-certificates.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Sep 27 14:58:03 UTC 2010 - lnussel@suse.de + +- catch FileNotFoundException (bnc#623365) + ------------------------------------------------------------------- Fri May 21 12:46:55 UTC 2010 - mvyskocil@suse.cz diff --git a/keystore.java b/keystore.java index 34ca526..c60c491 100644 --- a/keystore.java +++ b/keystore.java @@ -51,7 +51,6 @@ public class keystore throws java.security.KeyStoreException, java.security.NoSuchAlgorithmException, java.security.cert.CertificateException, - java.io.FileNotFoundException, java.io.IOException { char[] password = null; @@ -149,7 +148,13 @@ public class keystore int removed = 0; for (int i = 0; i < certs.length; ++i) { - BufferedInputStream f = new BufferedInputStream(new FileInputStream(cadirname+"/"+certs[i])); + BufferedInputStream f; + try { + f = new BufferedInputStream(new FileInputStream(cadirname+"/"+certs[i])); + } catch (java.io.FileNotFoundException ex) { + System.err.println("skipping " + certs[i] + ": file not found"); + continue; + } String marker = "-----BEGIN CERTIFICATE-----"; boolean found = false; From e828c2043a5b0b785c54fe8ec5077d92865c3b95eed7b97a587bcb98a02d87cb Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Mon, 27 Sep 2010 15:33:42 +0000 Subject: [PATCH 6/9] Accepting request 49242 from Base:System checked in (request 49242) OBS-URL: https://build.opensuse.org/request/show/49242 OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates?expand=0&rev=19 --- ca-certificates.changes | 5 ----- keystore.java | 9 ++------- 2 files changed, 2 insertions(+), 12 deletions(-) diff --git a/ca-certificates.changes b/ca-certificates.changes index dbfcbb3..75e3ca7 100644 --- a/ca-certificates.changes +++ b/ca-certificates.changes 
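Review bot: The new `catch (java.io.FileNotFoundException ex)` in the second keystore.java hunk reports every failure as "file not found", but `FileInputStream` throws that exception for other open failures too, such as a file that exists but cannot be read. Because the loop then continues without removing the alias from `known`, the corresponding entry is deleted from the keystore later in `main`, so this message is the only trace of why a CA disappeared. Including the cause keeps that diagnosable: `System.err.println("skipping " + certs[i] + ": " + ex.getMessage());`. The same hunk is applied again in PATCH 7/9, and the rest of the loop body lies outside the hunk.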
@@ -1,8 +1,3 @@ -------------------------------------------------------------------- -Mon Sep 27 14:58:03 UTC 2010 - lnussel@suse.de - -- catch FileNotFoundException (bnc#623365) - ------------------------------------------------------------------- Fri May 21 12:46:55 UTC 2010 - mvyskocil@suse.cz diff --git a/keystore.java b/keystore.java index c60c491..34ca526 100644 --- a/keystore.java +++ b/keystore.java @@ -51,6 +51,7 @@ public class keystore throws java.security.KeyStoreException, java.security.NoSuchAlgorithmException, java.security.cert.CertificateException, + java.io.FileNotFoundException, java.io.IOException { char[] password = null; @@ -148,13 +149,7 @@ public class keystore int removed = 0; for (int i = 0; i < certs.length; ++i) { - BufferedInputStream f; - try { - f = new BufferedInputStream(new FileInputStream(cadirname+"/"+certs[i])); - } catch (java.io.FileNotFoundException ex) { - System.err.println("skipping " + certs[i] + ": file not found"); - continue; - } + BufferedInputStream f = new BufferedInputStream(new FileInputStream(cadirname+"/"+certs[i])); String marker = "-----BEGIN CERTIFICATE-----"; boolean found = false; From ac06b8d8c81d8de0dcd04961595571f7f0e0250961016432f4a4ea0f79330ff4 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Mon, 20 Jun 2011 12:44:42 +0000 Subject: [PATCH 7/9] - fix spurious rpm warning if no java exists (bnc#634793) OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates?expand=0&rev=20 --- ...vice:format_spec_file:ca-certificates.spec | 178 ++++++++++++++++++ ca-certificates.changes | 10 + ca-certificates.spec | 2 +- java.run | 14 +- keystore.java | 9 +- 5 files changed, 204 insertions(+), 9 deletions(-) create mode 100644 _service:format_spec_file:ca-certificates.spec diff --git a/_service:format_spec_file:ca-certificates.spec b/_service:format_spec_file:ca-certificates.spec new file mode 100644 index 0000000..e99d99d --- /dev/null +++ b/_service:format_spec_file:ca-certificates.spec 
@@ -0,0 +1,178 @@ +# +# spec file for package ca-certificates +# +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + +# norootforbuild + +%bcond_without java + +BuildRequires: openssl +%if %{with java} +BuildRequires: gcc-java +BuildRequires: fastjar +%endif + +Name: ca-certificates +%define ssletcdir %{_sysconfdir}/ssl +%define etccadir %{ssletcdir}/certs +%define cabundle /var/lib/ca-certificates/ca-bundle.pem +%define usrcadir %{_datadir}/ca-certificates +License: GPLv2+ +Group: Productivity/Networking/Security +Version: 1 +Release: 8 +Summary: Utilities for system wide CA certificate installation +Source0: update-ca-certificates +Source1: update-ca-certificates.8 +Source2: GPL-2.0.txt +Source3: certbundle.run +Source4: keystore.java +Source5: java.run +BuildRoot: %{_tmppath}/%{name}-%{version}-build +Url: http://gitorious.org/opensuse/ca-certificates +# +Requires: openssl +Recommends: ca-certificates-mozilla +# we need to obsolete openssl-certs to make sure it's files are +# gone when a package providing actual certificates gets +# installed (bnc#594434). 
+Obsoletes: openssl-certs < 0.9.9 +BuildArch: noarch + +%if %{with java} + + +%package -n java-ca-certificates +License: GPLv2+ +Group: Productivity/Networking/Security +Summary: Utilities CA certificate import to gcj +Requires(post): ca-certificates +Supplements: packageand(gcj-compat:ca-certificates) +Supplements: packageand(java-1_6_0-openjdk:ca-certificates) +Supplements: packageand(java-1_6_0-sun:ca-certificates) +%endif + + +%description +Utilities for system wide CA certificate installation + +%if %{with java} + + +%description -n java-ca-certificates +Utilities for CA certificate installation for gcj and openjdk Java +%endif + + +%prep +%setup -qcT +install -m 755 %{SOURCE0} . +install -m 644 %{SOURCE1} . +install -m 644 %{SOURCE2} COPYING + + +%build +%if %{with java} +gcj -C %SOURCE4 -d . +# emulate -e option of jar for fastjar +cat < MANIFEST.MF +Manifest-Version: 1.0 +Created-By: 0.98 +Main-Class: keystore +EOF +fastjar cfm keystore.jar MANIFEST.MF keystore*.class +%endif + + +%install +mkdir -p %{buildroot}/%{etccadir} +mkdir -p %{buildroot}/%{usrcadir} +mkdir -p %{buildroot}/%{_sbindir} +mkdir -p %{buildroot}/%{_mandir}/man8 +mkdir -p %{buildroot}/etc/ca-certificates/update.d +mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/update.d +install -D -m 644 /dev/null %{buildroot}/%{cabundle} +install -m 644 /dev/null %{buildroot}/etc/ca-certificates.conf +install -m 755 %{SOURCE3} %{buildroot}%{_prefix}/lib/ca-certificates/update.d +install -m 755 %{SOURCE5} %{buildroot}%{_prefix}/lib/ca-certificates/update.d +ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem + +install -m 755 update-ca-certificates %{buildroot}/%{_sbindir} +install -m 644 update-ca-certificates.8 %{buildroot}/%{_mandir}/man8 +install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/ca-bundle.pem +%if %{with java} +mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/java +install -m 644 keystore.jar %{buildroot}%{_prefix}/lib/ca-certificates/java +install -m 644 /dev/null 
%{buildroot}/var/lib/ca-certificates/java-cacerts +install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/gcj-cacerts +%endif + + +%post +# this is just needed for those updating Factory, +# can be removed before 11.3 +if [ "$1" -ge 1 ]; then + rm -f /etc/ca-certificates/update.d/certbundle.run +fi +# force rebuilding all certificate stores. +# This also makes sure we update the hash links in /etc/ssl/certs +# as openssl changed the hash format between 0.9.8 and 1.0 +update-ca-certificates -f || true + +%if %{with java} + + +%post -n java-ca-certificates +update-ca-certificates || true +%endif + + +%clean +rm -rf %{buildroot} + + +%files +%defattr(-, root, root) +%dir %{usrcadir} +%dir %{etccadir} +%doc COPYING +%ghost %config(noreplace) /etc/ca-certificates.conf +%{ssletcdir}/ca-bundle.pem +%ghost %{cabundle} +%dir /etc/ca-certificates +%dir /etc/ca-certificates/update.d +%dir %{_prefix}/lib/ca-certificates +%dir %{_prefix}/lib/ca-certificates/update.d +%dir /var/lib/ca-certificates +%{_prefix}/lib/ca-certificates/update.d/* +%{_sbindir}/update-ca-certificates +%{_mandir}/man8/update-ca-certificates.8* +%ghost /var/lib/ca-certificates/ca-bundle.pem + +%if %{with java} + + +%files -n java-ca-certificates +%defattr(-, root, root) +%dir %{_prefix}/lib/ca-certificates/java +%{_prefix}/lib/ca-certificates/java/keystore.jar +%ghost /var/lib/ca-certificates/java-cacerts +%ghost /var/lib/ca-certificates/gcj-cacerts +%endif + + + +%changelog diff --git a/ca-certificates.changes b/ca-certificates.changes index 75e3ca7..a195fd9 100644 --- a/ca-certificates.changes +++ b/ca-certificates.changes 
@@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon Jun 20 12:44:17 UTC 2011 - lnussel@suse.de + +- fix spurious rpm warning if no java exists (bnc#634793) + +------------------------------------------------------------------- +Mon Sep 27 14:58:03 UTC 2010 - lnussel@suse.de + +- catch FileNotFoundException (bnc#623365) + ------------------------------------------------------------------- Fri May 21 12:46:55 UTC 2010 - mvyskocil@suse.cz diff --git a/ca-certificates.spec b/ca-certificates.spec index f00b532..0c4e2ad 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -33,7 +33,7 @@ Name: ca-certificates License: GPLv2+ Group: Productivity/Networking/Security Version: 1 -Release: 5 +Release: 8 Summary: Utilities for system wide CA certificate installation Source0: update-ca-certificates Source1: update-ca-certificates.8 diff --git a/java.run b/java.run index 29f6963..6f703a9 100644 --- a/java.run +++ b/java.run @@ -35,11 +35,13 @@ fi if [ -n "$JAVA_HOME" ]; then java="$JAVA_HOME/bin/java" else - java=`which java` -fi - -if [[ $(readlink -f "${java}") =~ gij ]]; then - java="" + java=`type -P java` + if [ -n "$java" -a -L "$java" ]; then + java=`readlink -f "$java"` + if [ "${java//gij}" != "$java" ]; then + java= + fi + fi fi if [ ! -e "$libexecdir"/keystore.jar ]; then @@ -73,7 +75,7 @@ for i in "$cadir"/*.pem; do fi done -if [ -x "$java" ]; then +if [ -n "$java" -a -x "$java" ]; then echo "creating $cafile ..." $java -jar $libexecdir/keystore.jar -keystore "$cafile" -cadir "$cadir" "$@" fi diff --git a/keystore.java b/keystore.java index 34ca526..c60c491 100644 --- a/keystore.java +++ b/keystore.java @@ -51,7 +51,6 @@ public class keystore throws java.security.KeyStoreException, java.security.NoSuchAlgorithmException, java.security.cert.CertificateException, - java.io.FileNotFoundException, java.io.IOException { char[] password = null; 
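Review bot: With `set -e` active (it is set near the top of java.run, outside this hunk), the new `type -P java` assignment in the first java.run hunk still ends the script with a non-zero status when no `java` is in PATH, because a bare assignment takes the exit status of its command substitution. The later `/usr/bin/gij` branch is then never reached in that case. Making the lookup non-fatal avoids that: `java=$(type -P java) || java=`. The gij check now also sits only in the `else` branch, so a `JAVA_HOME` whose `bin/java` resolves to gij is no longer filtered out as it was before this hunk; if that is intended, a comment should say so.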
@@ -149,7 +148,13 @@ public class keystore int removed = 0; for (int i = 0; i < certs.length; ++i) { - BufferedInputStream f = new BufferedInputStream(new FileInputStream(cadirname+"/"+certs[i])); + BufferedInputStream f; + try { + f = new BufferedInputStream(new FileInputStream(cadirname+"/"+certs[i])); + } catch (java.io.FileNotFoundException ex) { + System.err.println("skipping " + certs[i] + ": file not found"); + continue; + } String marker = "-----BEGIN CERTIFICATE-----"; boolean found = false; From 214558af3ee6522eb3cba8314aa4f9e45beac0a9efae9d8b6980fd2e963387cf Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Mon, 20 Jun 2011 12:54:54 +0000 Subject: [PATCH 8/9] - move java.run to java-ca-certificates OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates?expand=0&rev=21 --- _service:format_spec_file:ca-certificates.spec | 3 ++- ca-certificates.changes | 3 ++- ca-certificates.spec | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/_service:format_spec_file:ca-certificates.spec b/_service:format_spec_file:ca-certificates.spec index e99d99d..03ecfa8 100644 --- a/_service:format_spec_file:ca-certificates.spec +++ b/_service:format_spec_file:ca-certificates.spec @@ -157,7 +157,7 @@ rm -rf %{buildroot} %dir %{_prefix}/lib/ca-certificates %dir %{_prefix}/lib/ca-certificates/update.d %dir /var/lib/ca-certificates -%{_prefix}/lib/ca-certificates/update.d/* +%{_prefix}/lib/ca-certificates/update.d/certbundle.run %{_sbindir}/update-ca-certificates %{_mandir}/man8/update-ca-certificates.8* %ghost /var/lib/ca-certificates/ca-bundle.pem @@ -168,6 +168,7 @@ rm -rf %{buildroot} %files -n java-ca-certificates %defattr(-, root, root) %dir %{_prefix}/lib/ca-certificates/java +%{_prefix}/lib/ca-certificates/update.d/java.run %{_prefix}/lib/ca-certificates/java/keystore.jar %ghost /var/lib/ca-certificates/java-cacerts %ghost /var/lib/ca-certificates/gcj-cacerts 
diff --git a/ca-certificates.changes b/ca-certificates.changes index a195fd9..94028c1 100644 --- a/ca-certificates.changes +++ b/ca-certificates.changes @@ -1,7 +1,8 @@ ------------------------------------------------------------------- -Mon Jun 20 12:44:17 UTC 2011 - lnussel@suse.de +Mon Jun 20 12:49:51 UTC 2011 - lnussel@suse.de - fix spurious rpm warning if no java exists (bnc#634793) +- move java.run to java-ca-certificates ------------------------------------------------------------------- Mon Sep 27 14:58:03 UTC 2010 - lnussel@suse.de diff --git a/ca-certificates.spec b/ca-certificates.spec index 0c4e2ad..f436eba 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -147,7 +147,7 @@ rm -rf %{buildroot} %dir %{_prefix}/lib/ca-certificates %dir %{_prefix}/lib/ca-certificates/update.d %dir /var/lib/ca-certificates -%{_prefix}/lib/ca-certificates/update.d/* +%{_prefix}/lib/ca-certificates/update.d/certbundle.run %{_sbindir}/update-ca-certificates %{_mandir}/man8/update-ca-certificates.8* %ghost /var/lib/ca-certificates/ca-bundle.pem @@ -157,6 +157,7 @@ rm -rf %{buildroot} %files -n java-ca-certificates %defattr(-, root, root) %dir %{_prefix}/lib/ca-certificates/java +%{_prefix}/lib/ca-certificates/update.d/java.run %{_prefix}/lib/ca-certificates/java/keystore.jar %ghost /var/lib/ca-certificates/java-cacerts %ghost /var/lib/ca-certificates/gcj-cacerts From 07173a5ad64eed84c34bce51399d9ec018bd472a9c5ecd3a4c3e512d585be307 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Mon, 20 Jun 2011 13:24:05 +0000 Subject: [PATCH 9/9] dummy commit OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates?expand=0&rev=22 --- ...vice:format_spec_file:ca-certificates.spec | 179 ------------------ ca-certificates.changes | 2 +- ca-certificates.spec | 17 +- 3 files changed, 16 insertions(+), 182 deletions(-) delete mode 100644 _service:format_spec_file:ca-certificates.spec 
diff --git a/_service:format_spec_file:ca-certificates.spec b/_service:format_spec_file:ca-certificates.spec deleted file mode 100644 index 03ecfa8..0000000 --- a/_service:format_spec_file:ca-certificates.spec +++ /dev/null 
@@ -1,179 +0,0 @@ -# -# spec file for package ca-certificates -# -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. -# -# All modifications and additions to the file contributed by third parties -# remain the property of their copyright owners, unless otherwise agreed -# upon. The license for this file, and modifications and additions to the -# file, is the same license as for the pristine package itself (unless the -# license for the pristine package is not an Open Source License, in which -# case the license is the MIT License). An "Open Source License" is a -# license that conforms to the Open Source Definition (Version 1.9) -# published by the Open Source Initiative. - -# Please submit bugfixes or comments via http://bugs.opensuse.org/ -# - -# norootforbuild - -%bcond_without java - -BuildRequires: openssl -%if %{with java} -BuildRequires: gcc-java -BuildRequires: fastjar -%endif - -Name: ca-certificates -%define ssletcdir %{_sysconfdir}/ssl -%define etccadir %{ssletcdir}/certs -%define cabundle /var/lib/ca-certificates/ca-bundle.pem -%define usrcadir %{_datadir}/ca-certificates -License: GPLv2+ -Group: Productivity/Networking/Security -Version: 1 -Release: 8 -Summary: Utilities for system wide CA certificate installation -Source0: update-ca-certificates -Source1: update-ca-certificates.8 -Source2: GPL-2.0.txt -Source3: certbundle.run -Source4: keystore.java -Source5: java.run -BuildRoot: %{_tmppath}/%{name}-%{version}-build -Url: http://gitorious.org/opensuse/ca-certificates -# -Requires: openssl -Recommends: ca-certificates-mozilla -# we need to obsolete openssl-certs to make sure it's files are -# gone when a package providing actual certificates gets -# installed (bnc#594434). 
-Obsoletes: openssl-certs < 0.9.9 -BuildArch: noarch - -%if %{with java} - - -%package -n java-ca-certificates -License: GPLv2+ -Group: Productivity/Networking/Security -Summary: Utilities CA certificate import to gcj -Requires(post): ca-certificates -Supplements: packageand(gcj-compat:ca-certificates) -Supplements: packageand(java-1_6_0-openjdk:ca-certificates) -Supplements: packageand(java-1_6_0-sun:ca-certificates) -%endif - - -%description -Utilities for system wide CA certificate installation - -%if %{with java} - - -%description -n java-ca-certificates -Utilities for CA certificate installation for gcj and openjdk Java -%endif - - -%prep -%setup -qcT -install -m 755 %{SOURCE0} . -install -m 644 %{SOURCE1} . -install -m 644 %{SOURCE2} COPYING - - -%build -%if %{with java} -gcj -C %SOURCE4 -d . -# emulate -e option of jar for fastjar -cat < MANIFEST.MF -Manifest-Version: 1.0 -Created-By: 0.98 -Main-Class: keystore -EOF -fastjar cfm keystore.jar MANIFEST.MF keystore*.class -%endif - - -%install -mkdir -p %{buildroot}/%{etccadir} -mkdir -p %{buildroot}/%{usrcadir} -mkdir -p %{buildroot}/%{_sbindir} -mkdir -p %{buildroot}/%{_mandir}/man8 -mkdir -p %{buildroot}/etc/ca-certificates/update.d -mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/update.d -install -D -m 644 /dev/null %{buildroot}/%{cabundle} -install -m 644 /dev/null %{buildroot}/etc/ca-certificates.conf -install -m 755 %{SOURCE3} %{buildroot}%{_prefix}/lib/ca-certificates/update.d -install -m 755 %{SOURCE5} %{buildroot}%{_prefix}/lib/ca-certificates/update.d -ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem - -install -m 755 update-ca-certificates %{buildroot}/%{_sbindir} -install -m 644 update-ca-certificates.8 %{buildroot}/%{_mandir}/man8 -install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/ca-bundle.pem -%if %{with java} -mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/java -install -m 644 keystore.jar %{buildroot}%{_prefix}/lib/ca-certificates/java -install -m 644 /dev/null 
%{buildroot}/var/lib/ca-certificates/java-cacerts -install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/gcj-cacerts -%endif - - -%post -# this is just needed for those updating Factory, -# can be removed before 11.3 -if [ "$1" -ge 1 ]; then - rm -f /etc/ca-certificates/update.d/certbundle.run -fi -# force rebuilding all certificate stores. -# This also makes sure we update the hash links in /etc/ssl/certs -# as openssl changed the hash format between 0.9.8 and 1.0 -update-ca-certificates -f || true - -%if %{with java} - - -%post -n java-ca-certificates -update-ca-certificates || true -%endif - - -%clean -rm -rf %{buildroot} - - -%files -%defattr(-, root, root) -%dir %{usrcadir} -%dir %{etccadir} -%doc COPYING -%ghost %config(noreplace) /etc/ca-certificates.conf -%{ssletcdir}/ca-bundle.pem -%ghost %{cabundle} -%dir /etc/ca-certificates -%dir /etc/ca-certificates/update.d -%dir %{_prefix}/lib/ca-certificates -%dir %{_prefix}/lib/ca-certificates/update.d -%dir /var/lib/ca-certificates -%{_prefix}/lib/ca-certificates/update.d/certbundle.run -%{_sbindir}/update-ca-certificates -%{_mandir}/man8/update-ca-certificates.8* -%ghost /var/lib/ca-certificates/ca-bundle.pem - -%if %{with java} - - -%files -n java-ca-certificates -%defattr(-, root, root) -%dir %{_prefix}/lib/ca-certificates/java -%{_prefix}/lib/ca-certificates/update.d/java.run -%{_prefix}/lib/ca-certificates/java/keystore.jar -%ghost /var/lib/ca-certificates/java-cacerts -%ghost /var/lib/ca-certificates/gcj-cacerts -%endif - - - -%changelog diff --git a/ca-certificates.changes b/ca-certificates.changes index 94028c1..a4e7293 100644 --- a/ca-certificates.changes +++ b/ca-certificates.changes @@ -1,5 +1,5 @@ ------------------------------------------------------------------- -Mon Jun 20 12:49:51 UTC 2011 - lnussel@suse.de +Mon Jun 20 12:49:52 UTC 2011 - lnussel@suse.de - fix spurious rpm warning if no java exists (bnc#634793) - move java.run to java-ca-certificates 
diff --git a/ca-certificates.spec b/ca-certificates.spec index f436eba..03ecfa8 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -1,7 +1,7 @@ # -# spec file for package ca-certificates (Version 1) +# spec file for package ca-certificates # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -54,6 +54,7 @@ BuildArch: noarch %if %{with java} + %package -n java-ca-certificates License: GPLv2+ Group: Productivity/Networking/Security @@ -64,21 +65,25 @@ Supplements: packageand(java-1_6_0-openjdk:ca-certificates) Supplements: packageand(java-1_6_0-sun:ca-certificates) %endif + %description Utilities for system wide CA certificate installation %if %{with java} + %description -n java-ca-certificates Utilities for CA certificate installation for gcj and openjdk Java %endif + %prep %setup -qcT install -m 755 %{SOURCE0} . install -m 644 %{SOURCE1} . install -m 644 %{SOURCE2} COPYING + %build %if %{with java} gcj -C %SOURCE4 -d . @@ -91,6 +96,7 @@ EOF fastjar cfm keystore.jar MANIFEST.MF keystore*.class %endif + %install mkdir -p %{buildroot}/%{etccadir} mkdir -p %{buildroot}/%{usrcadir} @@ -114,6 +120,7 @@ install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/gcj-cacerts %endif + %post # this is just needed for those updating Factory, # can be removed before 11.3 @@ -127,13 +134,16 @@ update-ca-certificates -f || true %if %{with java} + %post -n java-ca-certificates update-ca-certificates || true %endif + %clean rm -rf %{buildroot} + %files %defattr(-, root, root) %dir %{usrcadir} @@ -154,6 +164,7 @@ rm -rf %{buildroot} %if %{with java} + %files -n java-ca-certificates %defattr(-, root, root) %dir %{_prefix}/lib/ca-certificates/java 
@@ -163,4 +174,6 @@ rm -rf %{buildroot} %ghost /var/lib/ca-certificates/gcj-cacerts %endif + + %changelog