main/openjdk6: build java security certificates store from alpine ca-certificates package

2 files changed, 351 insertions, 4 deletions

diff --git a/main/openjdk6/APKBUILD b/main/openjdk6/APKBUILD
index e38f48cff5..f2bb026b2f 100644
--- a/main/openjdk6/APKBUILD
+++ b/main/openjdk6/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=openjdk6
 pkgver=1.6.0_p22
 icedteaver=1.10.4
-pkgrel=2
+pkgrel=3
 pkgdesc="Sun OpenJDK 6 via IcedTea"
 url="http://icedtea.classpath.org/"
 arch="all"
@@ -13,7 +13,7 @@ makedepends="java-gcj-compat findutils tar zip paxctl gawk pkgconfig util-linux-
 	     autoconf automake nss-dev cups-dev jpeg-dev giflib-dev libpng-dev libxt-dev
 	     libxp-dev libxtst-dev libxinerama-dev libiconv-dev
 	     libxrender-dev alsa-lib-dev freetype-dev xulrunner-dev
-	     gtk+2.0-dev"
+	     gtk+2.0-dev ca-certificates"
 install=""
 subpackages="$pkgname-jre-lib:jrelib $pkgname-jre $pkgname-jre-base:jrebase
 	     $pkgname-doc:doc"
@@ -41,6 +41,7 @@ source="http://download.java.net/openjdk/jdk6/promoted/$OPENJDK_VERSION/openjdk-
 	icedtea-jdk-iconv-uclibc.patch
 	icedtea-jdk-execinfo.patch
 	icedtea-jdk-no-lib-nsl.patch
+	icedtea6-1.9.7-generate_cacerts-1.patch
 	"
 
 _builddir="$srcdir/icedtea6-$icedteaver"
@@ -69,6 +70,7 @@ prepare() {
 
 	cp ../icedtea-*.patch patches
 	patch -p0 < ../build-paxctl.patch
+	patch -p1 < ../icedtea6-1.9.7-generate_cacerts-1.patch
 }
 
 build() {
@@ -84,12 +86,15 @@ build() {
 	fi
 
 	cd "$_builddir"
+	sh autogen.sh
 	./configure --prefix=/usr \
 		--sysconfdir=/etc \
 		--mandir=/usr/share/man \
 		--infodir=/usr/share/info \
 		--localstatedir=/var \
 		--disable-dependency-tracking \
+		--enable-cacerts \
+		--with-ca-dir=/etc/ssl/certs \
 		--with-gcj $confjobs \
 		--with-openjdk-src-zip=$srcdir/openjdk-6-src-$OPENJDK_VERSION-$OPENJDK_DATE.tar.gz \
 		--with-jaxp-drop-zip=$srcdir/$JAXP_DROP_ZIP \
@@ -101,7 +106,7 @@ build() {
 		--with-xalan2-serializer-jar=$srcdir/xalan-j_$XALAN2_VER/serializer.jar \
 		--with-xerces2-jar=$srcdir/xerces-${XERCES_VER//./_}/xercesImpl.jar \
 		--with-rhino=$srcdir/rhino$RHINO_VER/js.jar \
-		--with-pkgversion=Alpine \
+		--with-pkgversion="Alpine ${pkgver}-r${pkgrel}" \
 		  || return 1
 
 	make || return 1
@@ -182,4 +187,5 @@ bc95c133620bd68c161cac9891592901  jdk6-jaf-b20.zip
 dc6a1e28a97d897d7a1057c11696727d  icedtea-hotspot-uclibc-fixes.patch
 7c0814181e5adc0763c5c0a24b01d4cb  icedtea-jdk-iconv-uclibc.patch
 dae2ba8b87e2106b53974ace07e4ca72  icedtea-jdk-execinfo.patch
-c4bb40d5b1ff690b27900c5cd06bc1e5  icedtea-jdk-no-lib-nsl.patch"
+c4bb40d5b1ff690b27900c5cd06bc1e5  icedtea-jdk-no-lib-nsl.patch
+01bdddb8adb0af0938bc9eeee79ba150  icedtea6-1.9.7-generate_cacerts-1.patch"
diff --git a/main/openjdk6/icedtea6-1.9.7-generate_cacerts-1.patch b/main/openjdk6/icedtea6-1.9.7-generate_cacerts-1.patch
new file mode 100644
index 0000000000..97b6ce522c
--- /dev/null
+++ b/main/openjdk6/icedtea6-1.9.7-generate_cacerts-1.patch
@@ -0,0 +1,341 @@
+--- icedtea6-1.10.4/Makefile.am
++++ icedtea6-1.10.4.mod/Makefile.am
+@@ -1376,6 +1376,19 @@
+ if ENABLE_JAMVM
+ 	printf -- '-jamvm ALIASED_TO -server\n' >> $(BUILD_JRE_ARCH_DIR)/jvm.cfg
+ endif
++if GENERATE_CACERTS
++	if test -n "${CADIR}"; then \
++	  sh scripts/mkcacerts.sh -d "${CADIR}" \
++	    -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
++	    -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
++	else \
++	  sh scripts/mkcacerts.sh -f "${CAFILE}" \
++	    -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
++	    -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
++	fi; \
++	cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \
++	   $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts;
++endif
+ 	@echo "IcedTea is served:" $(BUILD_OUTPUT_DIR)
+ 	mkdir -p stamps
+ 	touch stamps/icedtea.stamp
+@@ -1407,6 +1420,19 @@
+ if ENABLE_JAMVM
+ 	printf -- '-jamvm ALIASED_TO -server\n' >> $(BUILD_DEBUG_JRE_ARCH_DIR)/jvm.cfg
+ endif
++if GENERATE_CACERTS
++	if test -n "${CADIR}"; then \
++	  sh scripts/mkcacerts.sh -d "${CADIR}" \
++	    -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
++	    -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
++	else \
++	  sh scripts/mkcacerts.sh -f "${CAFILE}" \
++	    -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
++	    -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
++	fi; \
++	cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \
++	   $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts;
++endif
+ 	@echo "IcedTea (debug build) is served:" \
+ 	  $(DEBUG_BUILD_OUTPUT_DIR)
+ 	mkdir -p stamps
+@@ -1457,7 +1483,7 @@
+ 	    $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \
+ 	fi
+ 	cp $(abs_top_builddir)/tapset/jstack.stp \
+-	  $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp
++	  $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp;
+ endif
+ 	touch stamps/add-systemtap.stamp
+ 
+@@ -1483,7 +1509,7 @@
+ 	    $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \
+ 	fi
+ 	cp $(abs_top_builddir)/tapset/jstack.stp \
+-	  $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp
++	  $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp;
+ endif
+ 	touch stamps/add-systemtap-debug.stamp
+ 
+--- icedtea6-1.10.4/Makefile.in
++++ icedtea6-1.10.4.mod/Makefile.in
+@@ -175,6 +175,8 @@
+ BUILD_ARCH_DIR = @BUILD_ARCH_DIR@
+ BUILD_OS_DIR = @BUILD_OS_DIR@
+ CACAO_IMPORT_PATH = @CACAO_IMPORT_PATH@
++CADIR = @CADIR@
++CAFILE = @CAFILE@
+ CC = @CC@
+ CCDEPMODE = @CCDEPMODE@
+ CFLAGS = @CFLAGS@
+--- icedtea6-1.10.4/acinclude.m4
++++ icedtea6-1.10.4.mod/acinclude.m4
+@@ -1677,3 +1677,94 @@
+ AM_CONDITIONAL([CP40188_JAVAH], test x"${it_cv_cp40188_javah}" = "xyes")
+ AC_PROVIDE([$0])dnl
+ ])
++
++--- acinclude.m4	2011-01-22 21:34:29.000000000 -0600
+++++ acinclude.m4	2011-01-22 21:34:58.000000000 -0600
++@@ -316,6 +316,91 @@
++   AM_CONDITIONAL([SRC_DIR_HARDLINKABLE], test x"${it_cv_hardlink_src}" = "xyes")
++ ])
++ 
++AC_DEFUN([IT_GENERATE_CACERTS],
++[
++  AC_MSG_CHECKING([whether to generate a cacerts file for distribution])
++  AC_ARG_ENABLE([cacerts],
++              [AS_HELP_STRING(--enable-cacerts, generate a cacerts file for distribution [[default=no]])],
++  [
++    case "${enableval}" in
++      no)
++        generate_cacerts=no
++        ;;
++      *)
++        generate_cacerts=yes
++        ;;
++    esac
++  ],
++  [
++    generate_cacerts=no
++  ])
++  AC_MSG_RESULT([$generate_cacerts])
++  AM_CONDITIONAL([GENERATE_CACERTS], test x"${generate_cacerts}" = "xyes")
++])
++
++AC_DEFUN([IT_GET_LOCAL_CACERTS],
++[
++  AC_MSG_CHECKING([for a local x509 certificate directory])
++  AC_ARG_WITH([ca-dir],
++              [AS_HELP_STRING(--with-ca-dir=DIR, specify a top-level local x509 certificate directory)],
++  [
++    if test -d "${withval}"; then
++      CADIR="${withval}"
++    fi
++  ],
++  [
++    CADIR=
++  ])
++  if test -z "${CADIR}"; then
++    for dir in /etc/pki/tls/certs \
++      /usr/share/ca-certificates \
++      /etc/ssl/certs \
++      /etc/certs ; do
++        if test -d "${dir}"; then
++          CADIR="${dir}"
++          break
++        fi
++    done
++    if test -z "${CADIR}"; then
++      CADIR=no
++    fi
++  fi
++  AC_MSG_RESULT(${CADIR})
++  AC_SUBST(CADIR)
++
++  AC_MSG_CHECKING([for a local x509 certificate file])
++  AC_ARG_WITH([ca-file],
++              [AS_HELP_STRING(--with-ca-file=FILE, specify a local x509 certificate file)],
++  [
++    if test -f "${withval}"; then
++      CAFILE="${withval}"
++    fi
++  ],
++  [
++    CAFILE=
++  ])
++  if test -z "${CAFILE}"; then
++    for file in /etc/pki/tls/certs/ca-bundle.crt \
++      /etc/ssl/certs/ca-bundle.crt \
++      /etc/ssl/ca-bundle.crt \
++      /etc/ca-bundle.crt ; do
++        if test -e "${file}"; then
++          CAFILE=$file
++          break
++        fi
++    done
++    if test -z "${CAFILE}"; then
++      CAFILE=no
++    fi
++  fi
++  AC_MSG_RESULT(${CAFILE})
++  AC_SUBST(CAFILE)
++  if test "${CADIR}x" = "nox" -a "${CAFILE}x" = "nox"; then
++    AC_MSG_WARN([Could not find a suitable x509 certificate store.])
++    AC_MSG_ERROR([Supply a valid location using --with-ca-dir or --with-ca-file, or remove the --enable-cacerts switch.])
++  fi
++])
+--- icedtea6-1.10.4/configure.ac
++++ icedtea6-1.10.4.mod/configure.ac
+@@ -138,6 +138,13 @@
+   AC_MSG_RESULT([disabled by default (edit java.security to enable)])
+ fi
+ 
++IT_GENERATE_CACERTS
++
++if test "x${generate_cacerts}" = "xyes"
++then
++  IT_GET_LOCAL_CACERTS
++fi
++
+ IT_GET_PKGVERSION
+ IT_GET_LSB_DATA
+ 
+--- /dev/null
++++ icedtea6-1.10.4.mod/scripts/mkcacerts.sh
+@@ -0,0 +1,154 @@
++#!/bin/sh
++# Simple script to extract x509 certificates and create a JRE cacerts file.
++
++function get_args()
++    {
++        if test -z "${1}" ; then
++            showhelp
++            exit 1
++        fi
++
++        while test -n "${1}" ; do
++            case "${1}" in
++                -f | --cafile)
++                    check_arg $1 $2
++                    CAFILE="${2}"
++                    shift 2
++                ;;
++                -d | --cadir)
++                    check_arg $1 $2
++                    CADIR="${2}"
++                    shift 2
++                ;;
++                -o | --outfile)
++                    check_arg $1 $2
++                    OUTFILE="${2}"
++                    shift 2
++                ;;
++                -k | --keytool)
++                    check_arg $1 $2
++                    KEYTOOL="${2}"
++                    shift 2
++                ;;
++                -h | --help)
++                     showhelp
++                     exit 0
++                ;;
++                *)
++                   showhelp
++                   exit 1
++                ;;
++            esac
++        done
++    }
++
++function check_arg()
++    {
++        echo "${2}" | grep -v "^-" > /dev/null
++        if [ -z "$?" -o ! -n "$2" ]; then
++            echo "Error:  $1 requires a valid argument."
++            exit 1
++        fi
++    }
++
++
++function showhelp()
++    {
++        echo "`basename ${0}` creates a valid cacerts file for use with IcedTea."
++        echo ""
++        echo "        -f  --cafile        The path to a file containing PEM formated CA"
++        echo "                            certificates.  May not be used with -d/--cadir."
++        echo "        -d  --cadir         The path to a diectory of PEM formatted CA"
++        echo "                            certificates.  May not be used with -f/--cafile."
++        echo "        -o  --outfile       The path to the output file."
++        echo ""
++        echo "        -k  --keytool       The path to the java keytool utility."
++        echo ""
++        echo "        -h  --help          Show this help message and exit."
++        echo ""
++        echo ""
++    }
++
++# Initialize empty variables so that the shell does not polute the script
++CAFILE=""
++CADIR=""
++OUTFILE=""
++KEYTOOL=""
++
++# Process command line arguments
++get_args ${@}
++
++# Handle common errors
++if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then
++    echo "ERROR!  You must provide an x509 certificate store!"
++    echo "\'$(basename ${0}) --help\' for more info."
++    echo ""
++    exit 1
++fi
++
++if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then
++    echo "ERROR!  You cannot provide two x509 certificate stores!"
++    echo "\'$(basename ${0}) --help\' for more info."
++    echo ""
++    exit 1
++fi
++
++if test "${KEYTOOL}x" == "x" ; then
++    echo "ERROR!  You must provide a valid keytool program!"
++    echo "\'$(basename ${0}) --help\' for more info."
++    echo ""
++    exit 1
++fi
++
++if test "${OUTFILE}x" == "x" ; then
++    echo "ERROR!  You must provide a valid output file!"
++    echo "\'$(basename ${0}) --help\' for more info."
++    echo ""
++    exit 1
++fi
++
++# Get on with the work
++
++# If using a CAFILE, split it into individual files in a temp directory
++if test "${CAFILE}x" != "x" ; then
++    TEMPDIR=`mktemp -d`
++    CADIR="${TEMPDIR}"
++
++    # Get a list of staring lines for each cert
++    CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1`
++
++    # Get a list of ending lines for each cert
++    ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
++
++    # Start a loop
++    for certbegin in `echo "${CERTLIST}"` ; do
++        for certend in `echo "${ENDCERTLIST}"` ; do
++            if test "${certend}" -gt "${certbegin}"; then
++                break
++            fi
++        done
++        sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}"
++        keyhash=`openssl x509 -noout -in "${CADIR}/${certbegin}" -hash`
++        echo "Generated PEM file with hash:  ${keyhash}."
++        mv "${CADIR}/${certbegin}" "${CADIR}/${keyhash}.pem"
++    done
++fi
++
++# Write the output file
++for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"`
++do
++    ls "${cert}"
++    tempfile=`mktemp`
++    certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1`
++    certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1`
++    sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}"
++    echo yes | "${KEYTOOL}" -import -alias `basename "${cert}"` -keystore \
++                   "${OUTFILE}" -storepass 'changeit' -file "${tempfile}"
++    rm "${tempfile}"
++done
++
++if test "${TEMPDIR}x" != "x" ; then
++    rm -rf "${TEMPDIR}"
++fi
++exit 0
++