[Bug 596177] New: generate java cacerts at runtime
http://bugzilla.novell.com/show_bug.cgi?id=596177
http://bugzilla.novell.com/show_bug.cgi?id=596177#c0

Summary: generate java cacerts at runtime
Classification: openSUSE
Product: openSUSE 11.3
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Java
AssignedTo: bnc-team-java@forge.provo.novell.com
ReportedBy: lnussel@novell.com
QAContact: qa@suse.de
CC: mvyskocil@novell.com
Found By: ---
Blocker: ---

It's now possible to generate bundle files for CA certificates at run time. See man update-ca-certificates. Java currently generates its file at build time, therefore it's not easy for administrators to add custom certificates. A script that calls keytool on each pem file is way too slow so some java code could be used to speed this up.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
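The approach the report asks for, as an added example that is not the keystore.java linked later in this thread: a single JVM loads every PEM file under a directory into a JKS trust store through the KeyStore API, so no keytool process is spawned per certificate. The input directory, the output path and the "changeit" password are assumptions chosen for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

/* Added example, not the ca-certificates package's own keystore.java: build a
 * JKS trust store from every *.pem file in a directory in one JVM instead of
 * running keytool once per file. Directory, output path and the "changeit"
 * password below are assumptions for illustration. */
public class PemToKeystore {
    public static int build(Path caDir, Path out, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                 // start from an empty store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (DirectoryStream<Path> pems = Files.newDirectoryStream(caDir, "*.pem")) {
            for (Path pem : pems) {
                try (InputStream in = new BufferedInputStream(Files.newInputStream(pem))) {
                    // one PEM file may hold several certificates; take all of them
                    for (Certificate c : cf.generateCertificates(in)) {
                        // file name plus counter keeps JKS aliases (case-insensitive) unique
                        String alias = pem.getFileName() + "#" + added;
                        ks.setCertificateEntry(alias, c);   // trustedCertEntry, as keytool -importcert
                        added++;
                    }
                }
            }
        }
        // write to a temp file, make it world-readable (createTempFile gives 0600),
        // then rename atomically so readers never see a truncated cacerts
        Path tmp = Files.createTempFile(out.toAbsolutePath().getParent(), "cacerts", ".tmp");
        Files.setPosixFilePermissions(tmp, PosixFilePermissions.fromString("rw-r--r--"));
        try (OutputStream os = Files.newOutputStream(tmp)) {
            ks.store(os, password);
        }
        Files.move(tmp, out, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        return added;
    }

    public static void main(String[] args) throws Exception {
        Path caDir = Paths.get(args.length > 0 ? args[0] : "/etc/ssl/certs");
        Path out = Paths.get(args.length > 1 ? args[1] : "java-cacerts");
        System.out.println(build(caDir, out, "changeit".toCharArray()) + " certificates -> " + out);
    }
}
```

Every JVM vendor's keytool can read the resulting file, which is why the thread later builds the class once with gcj and ships a noarch package.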
http://bugzilla.novell.com/show_bug.cgi?id=596177#c

Ludwig Nussel <lnussel@novell.com> changed:

What        |Removed                               |Added
----------------------------------------------------------------------------
CC          |mvyskocil@novell.com                  |
AssignedTo  |bnc-team-java@forge.provo.novell.com  |mvyskocil@novell.com
http://bugzilla.novell.com/show_bug.cgi?id=596177#c1

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2010-04-14 16:28:13 CEST ---

There it is, my first (hopefully) useful java program :-)
http://gitorious.org/opensuse/ca-certificates/blobs/master/keystore.java
http://bugzilla.novell.com/show_bug.cgi?id=596177#c2

Michal Vyskocil <mvyskocil@novell.com> changed:

What        |Removed     |Added
----------------------------------------------------------------------------
Priority    |P5 - None   |P3 - Medium
Status      |NEW         |ASSIGNED

--- Comment #2 from Michal Vyskocil <mvyskocil@novell.com> 2010-04-15 14:00:42 UTC ---

Cool, and it's working - I generated a cacerts file using it and then ran the test from the icedtea project [1]. I'll rework the openjdk packages next week. Thanks for your help.

[1] http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2010-March/008774.html
http://bugzilla.novell.com/show_bug.cgi?id=596177#c3

--- Comment #3 from Michal Vyskocil <mvyskocil@novell.com> 2010-04-21 13:59:46 UTC ---

Seems that icedtea developers are not interested. So what's next - what might I change in openjdk/gcj packages? Some notes:

1.) I recommend removing the -cadir argument - let this tool read certificates from the command line or stdin - with it you won't need to implement a blacklist (sent a patch)
2.) Build this tool using java-1_5_0-gcj-compat-devel, so it'll be available for openjdk asap
http://bugzilla.novell.com/show_bug.cgi?id=596177#c

Michal Vyskocil <mvyskocil@novell.com> changed:

What          |Removed     |Added
----------------------------------------------------------------------------
Status        |ASSIGNED    |NEEDINFO
InfoProvider  |            |lnussel@novell.com
http://bugzilla.novell.com/show_bug.cgi?id=596177#c4

Ludwig Nussel <lnussel@novell.com> changed:

What          |Removed             |Added
----------------------------------------------------------------------------
Status        |NEEDINFO            |ASSIGNED
InfoProvider  |lnussel@novell.com  |

--- Comment #4 from Ludwig Nussel <lnussel@novell.com> 2010-04-27 15:44:27 CEST ---

oops, forgot about the needinfo. I think we clarified via email, did we?
http://bugzilla.novell.com/show_bug.cgi?id=596177#c5

Michal Vyskocil <mvyskocil@novell.com> changed:

What          |Removed     |Added
----------------------------------------------------------------------------
Status        |ASSIGNED    |NEEDINFO
InfoProvider  |            |lnussel@novell.com

--- Comment #5 from Michal Vyskocil <mvyskocil@novell.com> 2010-05-13 12:19:52 UTC ---

well, so in the end - what needs to be changed in the openjdk package? Will keystore.java be a part of ca-certificates (or a subpackage)?
http://bugzilla.novell.com/show_bug.cgi?id=596177#c6

--- Comment #6 from Michal Vyskocil <mvyskocil@novell.com> 2010-05-19 07:57:15 UTC ---

ping
http://bugzilla.novell.com/show_bug.cgi?id=596177#c7

--- Comment #7 from Ludwig Nussel <lnussel@novell.com> 2010-05-19 10:45:07 CEST ---

oops, overlooked. I'd rather not include keystore.java in ca-certificates to avoid the java dependency. If including it in openjdk directly isn't an option either, we have to create a new subpackage.
http://bugzilla.novell.com/show_bug.cgi?id=596177#c8

Ludwig Nussel <lnussel@novell.com> changed:

What          |Removed             |Added
----------------------------------------------------------------------------
Status        |NEEDINFO            |ASSIGNED
InfoProvider  |lnussel@novell.com  |

--- Comment #8 from Ludwig Nussel <lnussel@novell.com> 2010-05-21 10:03:09 CEST ---

I have modified Base:System/ca-certificates to produce gcj-compat-ca-certificates and java-ca-certificates sub packages. Please review them.
http://bugzilla.novell.com/show_bug.cgi?id=596177#c9

Michal Vyskocil <mvyskocil@novell.com> changed:

What          |Removed     |Added
----------------------------------------------------------------------------
Status        |ASSIGNED    |NEEDINFO
InfoProvider  |            |lnussel@novell.com

--- Comment #9 from Michal Vyskocil <mvyskocil@novell.com> 2010-05-21 08:20:46 UTC ---

Hi, I don't see any changes, my checked-out copy of Base:System/ca-certificates is still at the newest revision - dd65c0a93764686d5c13f16f05700e05

Anyway please review the changes I did in home:mvyskocil:branches:Base:System/ca-certificates - the biggest one is merging both cacerts into one package. java.run is able to detect if gcj or one of openjdk,icedtea,sun is installed and create the appropriate file. Also I produce a regular keystore.class using gcj, so the package can be noarch and there's no need to have two binary versions of keystore. The class file generated by gcj is fully compatible with openjdk/sun.

* Use gcc-java and fastjar for the build to avoid dependency problems
* Also Provide openssl-certs
* merge both cacerts files into java-ca-certificates
* build keystore.class only, so the package is noarch
* restrict java.run only to vendors: openjdk,icedtea,sun and gcj

Diff can be generated via osc:

osc rdiff Base:System ca-certificates home:mvyskocil:branches:Base:System ca-certificates

Please comment, I'll create a sr if you are OK with it.
http://bugzilla.novell.com/show_bug.cgi?id=596177#c10

Ludwig Nussel <lnussel@novell.com> changed:

What          |Removed             |Added
----------------------------------------------------------------------------
Status        |NEEDINFO            |ASSIGNED
InfoProvider  |lnussel@novell.com  |

--- Comment #10 from Ludwig Nussel <lnussel@novell.com> 2010-05-21 10:33:26 CEST ---

It's ok except for the openssl-certs provides. That's intentionally provided by ca-certificates-mozilla instead as ca-certificates itself doesn't contain any certificates.

Also, that ls -1 stuff looks weird. What about hardcoding /usr/bin/{java,gij} instead?
http://bugzilla.novell.com/show_bug.cgi?id=596177#c11

--- Comment #11 from Michal Vyskocil <mvyskocil@novell.com> 2010-05-21 09:21:17 UTC ---

(In reply to comment #10)
> It's ok except for the openssl-certs provides. That's intentionally provided by ca-certificates-mozilla instead as ca-certificates itself doesn't contain any certificates.
OK
> Also, that ls -1 stuff looks weird. What about hardcoding /usr/bin/{java,gij} instead?
Yes, it looks. Well, for /usr/bin/java we will need to check if it is not a gcj. So the diff against your current version looks like:

--- ../../java.run 2010-05-19 12:03:53.000000000 +0200 +++ java.run 2010-05-21 11:18:38.864872316 +0200 @@ -38,7 +38,11 @@ java=`which java` fi -if [ ! -e "$libexecdir"/keystore.jar -a ! -x "$libexecdir"/keystore ]; then +if [[ $(readlink -f "${java}") =~ gij ]]; then + java="" +fi + +if [ ! -e "$libexecdir"/keystore.jar ]; then # nothing to do exit 0 fi @@ -50,9 +54,6 @@ if [ -e "$libexecdir"/keystore.jar -a "$cadir" -nt "$cafile" ]; then mustrun=1 fi -if [ -e "$libexecdir"/keystore -a "$cadir" -nt "$cafile_gcj" ]; then - mustrun=1 -fi [ -n "$mustrun" ] || exit 0 @@ -76,9 +77,9 @@ echo "creating $cafile ..." $java -jar $libexecdir/keystore.jar -keystore "$cafile" -cadir "$cadir" "$@" fi -if [ -x "$libexecdir"/keystore ]; then +if [ -x "/usr/bin/gij" ]; then echo "creating $cafile_gcj ..." - $libexecdir/keystore -keystore "$cafile_gcj" -cadir "$cadir" "$@" + /usr/bin/gij -jar $libexecdir/keystore.jar -keystore "$cafile_gcj" -cadir "$cadir" "$@" fi # vim: syntax=sh

We normally try to fill $java, but then I'll test if it is not a gij; if so, the variable is removed. Then the gcj part is triggered by the existence of the executable /usr/bin/gij.
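Review bot: in the first hunk (@@ -38,7 +38,11 @@), `[[ $(readlink -f "${java}") =~ gij ]]` is a bash-only construct, while the rest of java.run uses POSIX `[ ... ]` tests and carries a `# vim: syntax=sh` marker; under /bin/sh the line is a syntax error, and the unanchored regex `gij` also matches any path that merely contains those letters. A portable, exact test on the resolved binary name would be `case "$(readlink -f "$java")" in */gij) java="" ;; esac`.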
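Review bot: the second hunk (@@ -50,9 +54,6 @@) removes the only check that compares `$cadir` against `$cafile_gcj`, so `mustrun` is now set solely when `$cafile` is stale; if `$cafile` is current but the gcj store is missing or older (gcj installed after the last run, or the gcj file deleted), the script exits before the `/usr/bin/gij` branch added in the third hunk ever runs. Keep a second staleness test, e.g. `if [ -x /usr/bin/gij -a "$cadir" -nt "$cafile_gcj" ]; then mustrun=1; fi`.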
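Review bot: in the third hunk (@@ -76,9 +77,9 @@), `$libexecdir/keystore.jar` is left unquoted in both the `$java -jar` and the new `/usr/bin/gij -jar` invocations although every other path in the hunk is quoted; and since the first hunk can now leave `$java` empty, the `$java -jar` call is only safe if the `if` guarding it (outside this hunk) tests `-n "$java"`, which is worth confirming before submitting.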
http://bugzilla.novell.com/show_bug.cgi?id=596177#c12

--- Comment #12 from Ludwig Nussel <lnussel@novell.com> 2010-05-21 13:36:42 CEST ---

looks good, please submit :)
http://bugzilla.novell.com/show_bug.cgi?id=596177#c13

Michal Vyskocil <mvyskocil@novell.com> changed:

What        |Removed       |Added
----------------------------------------------------------------------------
Priority    |P3 - Medium   |P2 - High

--- Comment #13 from Michal Vyskocil <mvyskocil@novell.com> 2010-05-21 12:48:57 UTC ---

submitted - sr40475

I'll improve openjdk/sun/gcj next week.
http://bugzilla.novell.com/show_bug.cgi?id=596177#c14

Michal Vyskocil <mvyskocil@novell.com> changed:

What          |Removed     |Added
----------------------------------------------------------------------------
Status        |ASSIGNED    |NEEDINFO
InfoProvider  |            |lnussel@novell.com

--- Comment #14 from Michal Vyskocil <mvyskocil@novell.com> 2010-07-28 12:06:35 UTC ---

Hi Ludwig, I don't have any idea how to implement it correctly. What's the preferred way?

1.) install a symlink in %install section to /var/lib/ca-certificates/java-certs
2.) or handle it in %post script?
http://bugzilla.novell.com/show_bug.cgi?id=596177#c15

Ludwig Nussel <lnussel@novell.com> changed:

What          |Removed             |Added
----------------------------------------------------------------------------
Status        |NEEDINFO            |ASSIGNED
InfoProvider  |lnussel@novell.com  |

--- Comment #15 from Ludwig Nussel <lnussel@novell.com> 2010-08-02 11:58:02 CEST ---

via symlink in %install IMO
https://bugzilla.novell.com/show_bug.cgi?id=596177#c16

Michal Vyskocil <mvyskocil@novell.com> changed:

What          |Removed     |Added
----------------------------------------------------------------------------
Status        |ASSIGNED    |RESOLVED
Resolution    |            |FIXED

--- Comment #16 from Michal Vyskocil <mvyskocil@novell.com> 2011-04-19 08:54:54 UTC ---

This is going to be fixed in Factory (and will be backported to openSUSEs as well) - sr:67852. In the end I have to use this %posttrans script, because there were some corner cases:

* openjdk requires java-ca-certificates, but when they are installed without /usr/bin/java, no certificates are generated
* one of Java:openjdk6:Factory updates installs a default empty cacert file
* user can use his own cacerts, so let it behave like config noreplace.

%if %{suse_version} >= 1130
%posttrans
# if there's no java, certificates are not generated
if [ ! -f /var/lib/ca-certificates/java-cacerts ]; then
    /usr/lib/ca-certificates/update.d/java.run
fi
# remove the default empty cacert file, if it's installed
# (the substitution is quoted so a missing file yields "" instead of a test syntax error)
if [ "`stat -c "%s" %{cacerts} 2>/dev/null`" = "32" ]; then
    rm -f %{cacerts}
fi
# point the JVM's cacerts at the generated store; never overwrite an admin-provided file
if [ ! -e %{cacerts} ]; then
    ln -s /var/lib/ca-certificates/java-cacerts %{cacerts}
fi
%endif
https://bugzilla.novell.com/show_bug.cgi?id=596177#c17

--- Comment #17 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-04-28 13:49:03 CEST ---

This is an autogenerated message for OBS integration:
This bug (596177) was mentioned in
https://build.opensuse.org/request/show/67852
https://bugzilla.novell.com/show_bug.cgi?id=596177#c18

Swamp Workflow Management <swamp@suse.com> changed:

What               |Removed     |Added
----------------------------------------------------------------------------
Status Whiteboard  |            |maint:released:11.3:41847
                   |            |maint:released:11.4:41847

--- Comment #18 from Swamp Workflow Management <swamp@suse.com> 2011-06-28 07:20:02 UTC ---

Update released for: icedtea-web, icedtea-web-debuginfo, icedtea-web-debugsource, icedtea-web-javadoc, java-1_6_0-openjdk, java-1_6_0-openjdk-debuginfo, java-1_6_0-openjdk-debugsource, java-1_6_0-openjdk-demo, java-1_6_0-openjdk-devel, java-1_6_0-openjdk-devel-debuginfo, java-1_6_0-openjdk-javadoc, java-1_6_0-openjdk-plugin, java-1_6_0-openjdk-plugin-debuginfo, java-1_6_0-openjdk-src

Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
http://bugzilla.novell.com/show_bug.cgi?id=596177#c19

--- Comment #19 from Bernhard Wiedemann <bwiedemann@suse.com> ---

This is an autogenerated message for OBS integration:
This bug (596177) was mentioned in
https://build.opensuse.org/request/show/73260 11.4:Test / java-1_6_0-openjdk
https://build.opensuse.org/request/show/73262 11.3:Test / java-1_6_0-openjdk