ca-certificates-java: add recipe to generate trustStore

The OpenJDK-8 package currently comes with a trustStore that was generated at OpenJDK-8-native build time from *all* certificates available in the system, not just from those that are marked as trusted. This isn't right... So this recipe hooks into the ca-certificates package and (re-) creates the Java trustStore based on the certificates trusted by the system, whenever they are updated. This works both at image build time, as well as during runtime on the target. It works by installing a hook into ca-certificates' $SYSROOT/etc/ca-certificates/update.d/ that is passed the added/removed certificates as arguments. That hook is then updating the Java trustStore and storing it in $SYSROOT/etc/ssl/certs/java/cacerts. The whole idea as well as the implementation of the hook is borrowed from debian's ca-certificate-java package, version 20170930 (the latest as of this commit). Looking at the debian package, it appears like the same binary trustStore ($SYSROOT/etc/ssl/certs/java/cacerts) can be used by different versions of Java: * OpenJDK-7, 8, 9 * Oracle Java 7, 8, 9 The Java sources here can be compiled by any compatible Java compiler, but the resulting jar file should only be run by one of the compatible Java versions mentioned above, so as to create a trustStore that can be read by any of the Java versions mentioned above. We try to ensure this using PACKAGE_WRITE_DEPS during image build time, and by trying to find a compatible Java version inside ${libdir_jvm} at runtime both during image build time and on the target. Given there is nothing that we can RDEPENDS on that would satisfy any of the above Java versions (either JDK or JRE), we simply RDEPENDS on java2-runtime, and test PREFERRED_RPROVIDER_java2-runtime to be satisfactory. Given I can only test OpenJDK/OpenJRE 8 at the moment, only those are actually allowed at the moment, though. This can easily be extended upon confirmation. Final note - as per the debian package, there are three cases when we can be called: 1) as part of update-ca-certificates -> add / remove certs as instructed 2) if first time install -> add all certs 3) package update -> do nothing We have no way to easily distinguish between first time install and package update in OE, so the distinction between cases 2) and 3) isn't perfect. Signed-off-by: André Draszik <andre.draszik@jci.com> Signed-off-by: Maxin B. John <maxin.john@intel.com>
author: André Draszik <andre.draszik@jci.com> 2018-04-02 07:43:44 +0100
committer: Richard Leitner <richard.leitner@skidata.com> 2018-06-12 21:11:05 +0200
commit: 27e4ffb925cc60f18a4062098ed63d0826812249 (patch)
tree: 8f189a52328cde0ecde0cfca8c802e2aa080ffee
parent: 9f31b5f201ee4c08fec29bd0b91b8071e30a7d49 (diff)
download: meta-java-27e4ffb925cc60f18a4062098ed63d0826812249.tar.gz
3 files changed, 214 insertions, 0 deletions
diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
new file mode 100644
index 0000000..ca052ab
--- /dev/null
+++ b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
@@ -0,0 +1,43 @@
+From 70cd9999d3c139230aa05816e98cdc3e50ead713 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
+Date: Tue, 27 Mar 2018 16:50:39 +0100
+Subject: [PATCH] UpdateCertificates: handle SYSROOT environment variable for
+ cacerts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+We can now pass in the sysroot, so that the trustStore
+is written to /etc/ssl/certs/java/cacerts below $SYSROOT.
+Upstream-Status: Inappropriate [OE specific]
+Signed-off-by: André Draszik <andre.draszik@jci.com>
+---
+ src/main/java/org/debian/security/UpdateCertificates.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/src/main/java/org/debian/security/UpdateCertificates.java b/src/main/java/org/debian/security/UpdateCertificates.java
+index e4f8205..dba9a7b 100644
+--- a/src/main/java/org/debian/security/UpdateCertificates.java
+++ b/src/main/java/org/debian/security/UpdateCertificates.java
+@@ -40,15 +40,19 @@ public class UpdateCertificates {
+ 
+     public static void main(String[] args) throws IOException, GeneralSecurityException {
+         String passwordString = "changeit";
+        String sysroot;
+         if (args.length == 2 && args[0].equals("-storepass")) {
+             passwordString = args[1];
+         } else if (args.length > 0) {
+             System.err.println("Usage: java org.debian.security.UpdateCertificates [-storepass <password>]");
+             System.exit(1);
+         }
+        sysroot = System.getenv("SYSROOT");
+        if (sysroot == null)
+            sysroot = "";
+ 
+         try {
+-            UpdateCertificates uc = new UpdateCertificates("/etc/ssl/certs/java/cacerts", passwordString);
+            UpdateCertificates uc = new UpdateCertificates(sysroot + "/etc/ssl/certs/java/cacerts", passwordString);
+             // Force reading of inputstream in UTF-8
+             uc.processChanges(new InputStreamReader(System.in, "UTF8"));
+             uc.finish();
diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
new file mode 100755
index 0000000..f01fe36
--- /dev/null
+++ b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
@@ -0,0 +1,64 @@
+#!/bin/sh -eu
+# As per the debian package, three cases when we can be called:
+#   1) as part of update-ca-certificates -> add / remove certs as instructed
+#   2) if first time install -> add all certs
+#   3) package update -> do nothing
+# We have no way to easily distinguish between first time install
+# and package update in OE, so the distinction between cases 2)
+# and 3) isn't perfect.
+self=$(basename $0)
+jvm_libdir="@@libdir_jvm@@"
+if [ -n "${D:-}" ] ; then
+    # called from postinst as part of image build on host
+    if [ -z "${JVM_LIBDIR:-}" ] ; then
+        # should never happen, this is supposed to be passed in
+        echo "$0: no JVM_LIBDIR specified" >&2
+        false
+    fi
+fi
+if [ -n "${JVM_LIBDIR:-}" ] ; then
+    jvm_libdir="${JVM_LIBDIR}"
+fi
+for JAVA in icedtea7-native/bin/java \
+            openjdk-8-native/bin/java openjdk-8/bin/java openjre-8/bin/java \
+         ; do
+    if [ -x "${jvm_libdir}/${JAVA}" ] ; then
+        JAVA="${jvm_libdir}/${JAVA}"
+        break
+    fi
+done
+if [ ! -x "${JAVA}" ] ; then
+    # shouldn't really happen, as we RDEPEND on java
+    echo "$0: JAVA not found" >&2
+    false
+fi
+if [ "${self}" = "ca-certificates-java-hook" ] ; then
+    # case 1) from above
+    # the list of (changed) files is passed via stdin
+    while read input ; do
+        echo "${input}"
+    done
+elif [ -s $D${sysconfdir}/ssl/certs/java/cacerts ] ; then
+    # we were executed explicitly (not via ca-cacertificates hook)
+    # case 3) from above
+    # do nothing, as the trustStore exists already
+    return
+else
+    # we were executed explicitly (not via ca-cacertificates hook)
+    # case 2) from above
+    # the trustStore doesn't exist yet, create it as this is
+    # a first time install (e.g. during image build)
+    find $D${sysconfdir}/ssl/certs -name '*.pem' | \
+    while read filename ; do
+        echo "+${filename}"
+    done
+fi | SYSROOT="${D:-}" ${JAVA} -Xmx64m \
+                              -jar ${D:-}@@datadir_java@@/@@JARFILENAME@@ \
+                              -storepass changeit
diff --git a/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb b/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
new file mode 100644
index 0000000..0b149d2
--- /dev/null
+++ b/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
@@ -0,0 +1,107 @@
+SUMMARY = "Common CA certificates (JKS trustStore)"
+DESCRIPTION = "This package uses the hooks of the ca-certificates \
+package to update the cacerts JKS trustStore used for many java runtimes."
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "\
+        file://debian/copyright;md5=ab0f6b6900f6564dc3e273dfa36fcc72 \
+        file://src/main/java/org/debian/security/InvalidKeystorePasswordException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
+        file://src/main/java/org/debian/security/KeyStoreHandler.java;endline=18;md5=3fd0e26abbca2ec481cf3698431574ae \
+        file://src/main/java/org/debian/security/UnableToSaveKeystoreException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
+        file://src/main/java/org/debian/security/UnknownInputException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
+        file://src/main/java/org/debian/security/UpdateCertificates.java;endline=18;md5=3fd0e26abbca2ec481cf3698431574ae \
+"
+DEPENDS = "virtual/javac-native fastjar-native"
+# We can't use virtual/javac-native, because that would create a
+# keystore that can't be read on the target (as virtual/javac-native
+# usually is either too old, or plain incompatible with this)
+PACKAGE_WRITE_DEPS += "openjdk-8-native"
+SRC_URI = "\
+        git://anonscm.debian.org/pkg-java/ca-certificates-java.git \
+        file://0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch \
+        file://${BPN}.hook.in \
+"
+SRCREV = "53651f7939e6f35694ee31e5ef0376f1bfce7e55"
+inherit java allarch
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+JARFILENAME = "${BPN}.jar"
+python () {
+    runtime = d.getVar("PREFERRED_RPROVIDER_java2-runtime") or ""
+    if not runtime in ("openjdk-8", "openjre-8"):
+        raise bb.parse.SkipRecipe("PREFERRED_RPROVIDER_java2-runtime '%s' unsupported" % runtime)
+}
+do_patch_append () {
+    bb.build.exec_func('do_fix_sysconfdir', d)
+}
+do_fix_sysconfdir () {
+        sed -e 's|/etc/ssl/certs/java|${sysconfdir}/ssl/certs/java|g' \
+            -i ${S}/src/main/java/org/debian/security/UpdateCertificates.java
+}
+do_compile () {
+        mkdir -p build # simplify in-tree builds (externalsrc)
+        javac -g \
+            -source 1.7 -target 1.7 -encoding ISO8859-1 \
+            -d build \
+            -sourcepath ${S}/src/main/java \
+            $(find ${S}/src/main/java -name '*.java' -type f)
+        # needs to end with two empty lines
+        cat << EOF > ${B}/manifest
+Manifest-Version: 1.0
+Main-Class: org.debian.security.UpdateCertificates
+EOF
+        fastjar -cfm ${JARFILENAME} ${B}/manifest -C build .
+}
+do_install () {
+        oe_jarinstall ${JARFILENAME}
+        mkdir -p ${D}${sysconfdir}/ssl/certs/java
+        install -Dm0755 ${WORKDIR}/${BPN}.hook.in ${D}${sysconfdir}/ca-certificates/update.d/${BPN}-hook
+        sed -e 's|@@datadir_java@@|${datadir_java}|' \
+            -e 's|@@libdir_jvm@@|${libdir_jvm}|' \
+            -e 's|@@JARFILENAME@@|${JARFILENAME}|' \
+            -i ${D}${sysconfdir}/ca-certificates/update.d/${BPN}-hook
+        install -d -m0755 ${D}${sbindir}
+        ln -s ${@os.path.relpath("${sysconfdir}/ca-certificates/update.d/${BPN}-hook", "${sbindir}")} \
+              ${D}${sbindir}/create-ca-certificates-java
+}
+pkg_postinst_${PN} () {
+        if [ -n "$D" ] ; then
+            # In this case we want to use the Java in the image recipe's
+            # native sysroot (native Java, not qemu target Java) to
+            # generate the trustStore.
+            # None of the supported Java versions are in PATH, though, so
+            # we have to find a satisfactory one ourselves below $libdir_jvm.
+            # We really need the $NATIVE_ROOT variable for that to work,
+            # as STAGING_LIBDIR_JVM_NATIVE resolves to this recipe's native
+            # sysroot during recipe build time, so it's of no use during
+            # image build time.
+            if [ -z $NATIVE_ROOT ] ; then
+                echo "$0: NATIVE_ROOT not known"
+                false
+            fi
+            JVM_LIBDIR=$NATIVE_ROOT${libdir_jvm}
+        fi
+        JVM_LIBDIR=$JVM_LIBDIR $D${sbindir}/create-ca-certificates-java
+}
+RDEPENDS_${PN} = "ca-certificates"
+RDEPENDS_${PN}_append_class-target = " java2-runtime"
+RDEPENDS_${PN}_append_class-native = " virtual/java-native"
+FILES_${PN} += "${datadir_java}"
+BBCLASSEXTEND = "native"
author	André Draszik <andre.draszik@jci.com>	2018-04-02 07:43:44 +0100
committer	Richard Leitner <richard.leitner@skidata.com>	2018-06-12 21:11:05 +0200
commit	27e4ffb925cc60f18a4062098ed63d0826812249 (patch)
tree	8f189a52328cde0ecde0cfca8c802e2aa080ffee
parent	9f31b5f201ee4c08fec29bd0b91b8071e30a7d49 (diff)
download	meta-java-27e4ffb925cc60f18a4062098ed63d0826812249.tar.gz

diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch new file mode 100644 index 0000000..ca052ab --- /dev/null +++ b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
@@ -0,0 +1,43 @@
	1	From 70cd9999d3c139230aa05816e98cdc3e50ead713 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
	3	Date: Tue, 27 Mar 2018 16:50:39 +0100
	4	Subject: [PATCH] UpdateCertificates: handle SYSROOT environment variable for
	5	cacerts
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	We can now pass in the sysroot, so that the trustStore
	11	is written to /etc/ssl/certs/java/cacerts below $SYSROOT.
	12
	13	Upstream-Status: Inappropriate [OE specific]
	14	Signed-off-by: André Draszik <andre.draszik@jci.com>
	15	---
	16	src/main/java/org/debian/security/UpdateCertificates.java \| 6 +++++-
	17	1 file changed, 5 insertions(+), 1 deletion(-)
	18
	19	diff --git a/src/main/java/org/debian/security/UpdateCertificates.java b/src/main/java/org/debian/security/UpdateCertificates.java
	20	index e4f8205..dba9a7b 100644
	21	--- a/src/main/java/org/debian/security/UpdateCertificates.java
	22	+++ b/src/main/java/org/debian/security/UpdateCertificates.java
	23	@@ -40,15 +40,19 @@ public class UpdateCertificates {
	24
	25	public static void main(String[] args) throws IOException, GeneralSecurityException {
	26	String passwordString = "changeit";
	27	+ String sysroot;
	28	if (args.length == 2 && args[0].equals("-storepass")) {
	29	passwordString = args[1];
	30	} else if (args.length > 0) {
	31	System.err.println("Usage: java org.debian.security.UpdateCertificates [-storepass <password>]");
	32	System.exit(1);
	33	}
	34	+ sysroot = System.getenv("SYSROOT");
	35	+ if (sysroot == null)
	36	+ sysroot = "";
	37
	38	try {
	39	- UpdateCertificates uc = new UpdateCertificates("/etc/ssl/certs/java/cacerts", passwordString);
	40	+ UpdateCertificates uc = new UpdateCertificates(sysroot + "/etc/ssl/certs/java/cacerts", passwordString);
	41	// Force reading of inputstream in UTF-8
	42	uc.processChanges(new InputStreamReader(System.in, "UTF8"));
	43	uc.finish();


diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in new file mode 100755 index 0000000..f01fe36 --- /dev/null +++ b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
@@ -0,0 +1,64 @@
	1	#!/bin/sh -eu
	2
	3	# As per the debian package, three cases when we can be called:
	4	# 1) as part of update-ca-certificates -> add / remove certs as instructed
	5	# 2) if first time install -> add all certs
	6	# 3) package update -> do nothing
	7	# We have no way to easily distinguish between first time install
	8	# and package update in OE, so the distinction between cases 2)
	9	# and 3) isn't perfect.
	10
	11	self=$(basename $0)
	12	jvm_libdir="@@libdir_jvm@@"
	13
	14	if [ -n "${D:-}" ] ; then
	15	# called from postinst as part of image build on host
	16	if [ -z "${JVM_LIBDIR:-}" ] ; then
	17	# should never happen, this is supposed to be passed in
	18	echo "$0: no JVM_LIBDIR specified" >&2
	19	false
	20	fi
	21	fi
	22	if [ -n "${JVM_LIBDIR:-}" ] ; then
	23	jvm_libdir="${JVM_LIBDIR}"
	24	fi
	25
	26	for JAVA in icedtea7-native/bin/java \
	27	openjdk-8-native/bin/java openjdk-8/bin/java openjre-8/bin/java \
	28	; do
	29	if [ -x "${jvm_libdir}/${JAVA}" ] ; then
	30	JAVA="${jvm_libdir}/${JAVA}"
	31	break
	32	fi
	33	done
	34
	35	if [ ! -x "${JAVA}" ] ; then
	36	# shouldn't really happen, as we RDEPEND on java
	37	echo "$0: JAVA not found" >&2
	38	false
	39	fi
	40
	41	if [ "${self}" = "ca-certificates-java-hook" ] ; then
	42	# case 1) from above
	43	# the list of (changed) files is passed via stdin
	44	while read input ; do
	45	echo "${input}"
	46	done
	47	elif [ -s $D${sysconfdir}/ssl/certs/java/cacerts ] ; then
	48	# we were executed explicitly (not via ca-cacertificates hook)
	49	# case 3) from above
	50	# do nothing, as the trustStore exists already
	51	return
	52	else
	53	# we were executed explicitly (not via ca-cacertificates hook)
	54	# case 2) from above
	55	# the trustStore doesn't exist yet, create it as this is
	56	# a first time install (e.g. during image build)
	57	find $D${sysconfdir}/ssl/certs -name '*.pem' \| \
	58	while read filename ; do
	59	echo "+${filename}"
	60	done
	61	fi \| SYSROOT="${D:-}" ${JAVA} -Xmx64m \
	62	-jar ${D:-}@@datadir_java@@/@@JARFILENAME@@ \
	63	-storepass changeit
	64


diff --git a/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb b/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb new file mode 100644 index 0000000..0b149d2 --- /dev/null +++ b/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
@@ -0,0 +1,107 @@
	1	SUMMARY = "Common CA certificates (JKS trustStore)"
	2	DESCRIPTION = "This package uses the hooks of the ca-certificates \
	3	package to update the cacerts JKS trustStore used for many java runtimes."
	4	LICENSE = "GPLv2+"
	5	LIC_FILES_CHKSUM = "\
	6	file://debian/copyright;md5=ab0f6b6900f6564dc3e273dfa36fcc72 \
	7	file://src/main/java/org/debian/security/InvalidKeystorePasswordException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
	8	file://src/main/java/org/debian/security/KeyStoreHandler.java;endline=18;md5=3fd0e26abbca2ec481cf3698431574ae \
	9	file://src/main/java/org/debian/security/UnableToSaveKeystoreException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
	10	file://src/main/java/org/debian/security/UnknownInputException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
	11	file://src/main/java/org/debian/security/UpdateCertificates.java;endline=18;md5=3fd0e26abbca2ec481cf3698431574ae \
	12	"
	13	DEPENDS = "virtual/javac-native fastjar-native"
	14	# We can't use virtual/javac-native, because that would create a
	15	# keystore that can't be read on the target (as virtual/javac-native
	16	# usually is either too old, or plain incompatible with this)
	17	PACKAGE_WRITE_DEPS += "openjdk-8-native"
	18
	19	SRC_URI = "\
	20	git://anonscm.debian.org/pkg-java/ca-certificates-java.git \
	21	file://0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch \
	22	file://${BPN}.hook.in \
	23	"
	24
	25	SRCREV = "53651f7939e6f35694ee31e5ef0376f1bfce7e55"
	26
	27	inherit java allarch
	28
	29	S = "${WORKDIR}/git"
	30	B = "${WORKDIR}/build"
	31
	32	JARFILENAME = "${BPN}.jar"
	33
	34	python () {
	35	runtime = d.getVar("PREFERRED_RPROVIDER_java2-runtime") or ""
	36	if not runtime in ("openjdk-8", "openjre-8"):
	37	raise bb.parse.SkipRecipe("PREFERRED_RPROVIDER_java2-runtime '%s' unsupported" % runtime)
	38	}
	39
	40	do_patch_append () {
	41	bb.build.exec_func('do_fix_sysconfdir', d)
	42	}
	43
	44	do_fix_sysconfdir () {
	45	sed -e 's\|/etc/ssl/certs/java\|${sysconfdir}/ssl/certs/java\|g' \
	46	-i ${S}/src/main/java/org/debian/security/UpdateCertificates.java
	47	}
	48
	49	do_compile () {
	50	mkdir -p build # simplify in-tree builds (externalsrc)
	51	javac -g \
	52	-source 1.7 -target 1.7 -encoding ISO8859-1 \
	53	-d build \
	54	-sourcepath ${S}/src/main/java \
	55	$(find ${S}/src/main/java -name '*.java' -type f)
	56
	57	# needs to end with two empty lines
	58	cat << EOF > ${B}/manifest
	59	Manifest-Version: 1.0
	60	Main-Class: org.debian.security.UpdateCertificates
	61
	62	EOF
	63	fastjar -cfm ${JARFILENAME} ${B}/manifest -C build .
	64	}
	65
	66	do_install () {
	67	oe_jarinstall ${JARFILENAME}
	68
	69	mkdir -p ${D}${sysconfdir}/ssl/certs/java
	70	install -Dm0755 ${WORKDIR}/${BPN}.hook.in ${D}${sysconfdir}/ca-certificates/update.d/${BPN}-hook
	71	sed -e 's\|@@datadir_java@@\|${datadir_java}\|' \
	72	-e 's\|@@libdir_jvm@@\|${libdir_jvm}\|' \
	73	-e 's\|@@JARFILENAME@@\|${JARFILENAME}\|' \
	74	-i ${D}${sysconfdir}/ca-certificates/update.d/${BPN}-hook
	75
	76	install -d -m0755 ${D}${sbindir}
	77	ln -s ${@os.path.relpath("${sysconfdir}/ca-certificates/update.d/${BPN}-hook", "${sbindir}")} \
	78	${D}${sbindir}/create-ca-certificates-java
	79	}
	80
	81	pkg_postinst_${PN} () {
	82	if [ -n "$D" ] ; then
	83	# In this case we want to use the Java in the image recipe's
	84	# native sysroot (native Java, not qemu target Java) to
	85	# generate the trustStore.
	86	# None of the supported Java versions are in PATH, though, so
	87	# we have to find a satisfactory one ourselves below $libdir_jvm.
	88	# We really need the $NATIVE_ROOT variable for that to work,
	89	# as STAGING_LIBDIR_JVM_NATIVE resolves to this recipe's native
	90	# sysroot during recipe build time, so it's of no use during
	91	# image build time.
	92	if [ -z $NATIVE_ROOT ] ; then
	93	echo "$0: NATIVE_ROOT not known"
	94	false
	95	fi
	96	JVM_LIBDIR=$NATIVE_ROOT${libdir_jvm}
	97	fi
	98	JVM_LIBDIR=$JVM_LIBDIR $D${sbindir}/create-ca-certificates-java
	99	}
	100
	101	RDEPENDS_${PN} = "ca-certificates"
	102	RDEPENDS_${PN}_append_class-target = " java2-runtime"
	103	RDEPENDS_${PN}_append_class-native = " virtual/java-native"
	104
	105	FILES_${PN} += "${datadir_java}"
	106
	107	BBCLASSEXTEND = "native"