summaryrefslogtreecommitdiffstats
path: root/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
diff options
context:
space:
mode:
authorAndré Draszik <andre.draszik@jci.com>2018-04-02 07:43:44 +0100
committerRichard Leitner <richard.leitner@skidata.com>2018-06-12 21:11:05 +0200
commit27e4ffb925cc60f18a4062098ed63d0826812249 (patch)
tree8f189a52328cde0ecde0cfca8c802e2aa080ffee /recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
parent9f31b5f201ee4c08fec29bd0b91b8071e30a7d49 (diff)
downloadmeta-java-27e4ffb925cc60f18a4062098ed63d0826812249.tar.gz
ca-certificates-java: add recipe to generate trustStore
The OpenJDK-8 package currently comes with a trustStore that was generated at OpenJDK-8-native build time from *all* certificates available in the system, not just from those that are marked as trusted. This isn't right... So this recipe hooks into the ca-certificates package and (re-) creates the Java trustStore based on the certificates trusted by the system, whenever they are updated. This works both at image build time, as well as during runtime on the target. It works by installing a hook into ca-certificates' $SYSROOT/etc/ca-certificates/update.d/ that is passed the added/removed certificates as arguments. That hook is then updating the Java trustStore and storing it in $SYSROOT/etc/ssl/certs/java/cacerts. The whole idea as well as the implementation of the hook is borrowed from debian's ca-certificate-java package, version 20170930 (the latest as of this commit). Looking at the debian package, it appears like the same binary trustStore ($SYSROOT/etc/ssl/certs/java/cacerts) can be used by different versions of Java: * OpenJDK-7, 8, 9 * Oracle Java 7, 8, 9 The Java sources here can be compiled by any compatible Java compiler, but the resulting jar file should only be run by one of the compatible Java versions mentioned above, so as to create a trustStore that can be read by any of the Java versions mentioned above. We try to ensure this using PACKAGE_WRITE_DEPS during image build time, and by trying to find a compatible Java version inside ${libdir_jvm} at runtime both during image build time and on the target. Given there is nothing that we can RDEPENDS on that would satisfy any of the above Java versions (either JDK or JRE), we simply RDEPENDS on java2-runtime, and test PREFERRED_RPROVIDER_java2-runtime to be satisfactory. Given I can only test OpenJDK/OpenJRE 8 at the moment, only those are actually allowed at the moment, though. This can easily be extended upon confirmation. Final note - as per the debian package, there are three cases when we can be called: 1) as part of update-ca-certificates -> add / remove certs as instructed 2) if first time install -> add all certs 3) package update -> do nothing We have no way to easily distinguish between first time install and package update in OE, so the distinction between cases 2) and 3) isn't perfect. Signed-off-by: André Draszik <andre.draszik@jci.com> Signed-off-by: Maxin B. John <maxin.john@intel.com>
Diffstat (limited to 'recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb')
-rw-r--r--recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb107
1 files changed, 107 insertions, 0 deletions
diff --git a/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb b/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
new file mode 100644
index 0000000..0b149d2
--- /dev/null
+++ b/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
@@ -0,0 +1,107 @@
1SUMMARY = "Common CA certificates (JKS trustStore)"
2DESCRIPTION = "This package uses the hooks of the ca-certificates \
3package to update the cacerts JKS trustStore used for many java runtimes."
4LICENSE = "GPLv2+"
5LIC_FILES_CHKSUM = "\
6 file://debian/copyright;md5=ab0f6b6900f6564dc3e273dfa36fcc72 \
7 file://src/main/java/org/debian/security/InvalidKeystorePasswordException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
8 file://src/main/java/org/debian/security/KeyStoreHandler.java;endline=18;md5=3fd0e26abbca2ec481cf3698431574ae \
9 file://src/main/java/org/debian/security/UnableToSaveKeystoreException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
10 file://src/main/java/org/debian/security/UnknownInputException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
11 file://src/main/java/org/debian/security/UpdateCertificates.java;endline=18;md5=3fd0e26abbca2ec481cf3698431574ae \
12"
13DEPENDS = "virtual/javac-native fastjar-native"
14# We can't use virtual/javac-native, because that would create a
15# keystore that can't be read on the target (as virtual/javac-native
16# usually is either too old, or plain incompatible with this)
17PACKAGE_WRITE_DEPS += "openjdk-8-native"
18
19SRC_URI = "\
20 git://anonscm.debian.org/pkg-java/ca-certificates-java.git \
21 file://0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch \
22 file://${BPN}.hook.in \
23"
24
25SRCREV = "53651f7939e6f35694ee31e5ef0376f1bfce7e55"
26
27inherit java allarch
28
29S = "${WORKDIR}/git"
30B = "${WORKDIR}/build"
31
32JARFILENAME = "${BPN}.jar"
33
34python () {
35 runtime = d.getVar("PREFERRED_RPROVIDER_java2-runtime") or ""
36 if not runtime in ("openjdk-8", "openjre-8"):
37 raise bb.parse.SkipRecipe("PREFERRED_RPROVIDER_java2-runtime '%s' unsupported" % runtime)
38}
39
40do_patch_append () {
41 bb.build.exec_func('do_fix_sysconfdir', d)
42}
43
44do_fix_sysconfdir () {
45 sed -e 's|/etc/ssl/certs/java|${sysconfdir}/ssl/certs/java|g' \
46 -i ${S}/src/main/java/org/debian/security/UpdateCertificates.java
47}
48
49do_compile () {
50 mkdir -p build # simplify in-tree builds (externalsrc)
51 javac -g \
52 -source 1.7 -target 1.7 -encoding ISO8859-1 \
53 -d build \
54 -sourcepath ${S}/src/main/java \
55 $(find ${S}/src/main/java -name '*.java' -type f)
56
57 # needs to end with two empty lines
58 cat << EOF > ${B}/manifest
59Manifest-Version: 1.0
60Main-Class: org.debian.security.UpdateCertificates
61
62EOF
63 fastjar -cfm ${JARFILENAME} ${B}/manifest -C build .
64}
65
66do_install () {
67 oe_jarinstall ${JARFILENAME}
68
69 mkdir -p ${D}${sysconfdir}/ssl/certs/java
70 install -Dm0755 ${WORKDIR}/${BPN}.hook.in ${D}${sysconfdir}/ca-certificates/update.d/${BPN}-hook
71 sed -e 's|@@datadir_java@@|${datadir_java}|' \
72 -e 's|@@libdir_jvm@@|${libdir_jvm}|' \
73 -e 's|@@JARFILENAME@@|${JARFILENAME}|' \
74 -i ${D}${sysconfdir}/ca-certificates/update.d/${BPN}-hook
75
76 install -d -m0755 ${D}${sbindir}
77 ln -s ${@os.path.relpath("${sysconfdir}/ca-certificates/update.d/${BPN}-hook", "${sbindir}")} \
78 ${D}${sbindir}/create-ca-certificates-java
79}
80
81pkg_postinst_${PN} () {
82 if [ -n "$D" ] ; then
83 # In this case we want to use the Java in the image recipe's
84 # native sysroot (native Java, not qemu target Java) to
85 # generate the trustStore.
86 # None of the supported Java versions are in PATH, though, so
87 # we have to find a satisfactory one ourselves below $libdir_jvm.
88 # We really need the $NATIVE_ROOT variable for that to work,
89 # as STAGING_LIBDIR_JVM_NATIVE resolves to this recipe's native
90 # sysroot during recipe build time, so it's of no use during
91 # image build time.
92 if [ -z $NATIVE_ROOT ] ; then
93 echo "$0: NATIVE_ROOT not known"
94 false
95 fi
96 JVM_LIBDIR=$NATIVE_ROOT${libdir_jvm}
97 fi
98 JVM_LIBDIR=$JVM_LIBDIR $D${sbindir}/create-ca-certificates-java
99}
100
101RDEPENDS_${PN} = "ca-certificates"
102RDEPENDS_${PN}_append_class-target = " java2-runtime"
103RDEPENDS_${PN}_append_class-native = " virtual/java-native"
104
105FILES_${PN} += "${datadir_java}"
106
107BBCLASSEXTEND = "native"