2 files changed, 107 insertions, 0 deletions
diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
new file mode 100644
index 0000000..ca052ab
--- /dev/null
+++ b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
@@ -0,0 +1,43 @@
+From 70cd9999d3c139230aa05816e98cdc3e50ead713 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
+Date: Tue, 27 Mar 2018 16:50:39 +0100
+Subject: [PATCH] UpdateCertificates: handle SYSROOT environment variable for
+ cacerts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+We can now pass in the sysroot, so that the trustStore
+is written to /etc/ssl/certs/java/cacerts below $SYSROOT.
+Upstream-Status: Inappropriate [OE specific]
+Signed-off-by: André Draszik <andre.draszik@jci.com>
+---
+ src/main/java/org/debian/security/UpdateCertificates.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/src/main/java/org/debian/security/UpdateCertificates.java b/src/main/java/org/debian/security/UpdateCertificates.java
+index e4f8205..dba9a7b 100644
+--- a/src/main/java/org/debian/security/UpdateCertificates.java
+++ b/src/main/java/org/debian/security/UpdateCertificates.java
+@@ -40,15 +40,19 @@ public class UpdateCertificates {
+ 
+     public static void main(String[] args) throws IOException, GeneralSecurityException {
+         String passwordString = "changeit";
+        String sysroot;
+         if (args.length == 2 && args[0].equals("-storepass")) {
+             passwordString = args[1];
+         } else if (args.length > 0) {
+             System.err.println("Usage: java org.debian.security.UpdateCertificates [-storepass <password>]");
+             System.exit(1);
+         }
+        sysroot = System.getenv("SYSROOT");
+        if (sysroot == null)
+            sysroot = "";
+ 
+         try {
+-            UpdateCertificates uc = new UpdateCertificates("/etc/ssl/certs/java/cacerts", passwordString);
+            UpdateCertificates uc = new UpdateCertificates(sysroot + "/etc/ssl/certs/java/cacerts", passwordString);
+             // Force reading of inputstream in UTF-8
+             uc.processChanges(new InputStreamReader(System.in, "UTF8"));
+             uc.finish();
diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
new file mode 100755
index 0000000..f01fe36
--- /dev/null
+++ b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
@@ -0,0 +1,64 @@
+#!/bin/sh -eu
+# As per the debian package, three cases when we can be called:
+#   1) as part of update-ca-certificates -> add / remove certs as instructed
+#   2) if first time install -> add all certs
+#   3) package update -> do nothing
+# We have no way to easily distinguish between first time install
+# and package update in OE, so the distinction between cases 2)
+# and 3) isn't perfect.
+self=$(basename $0)
+jvm_libdir="@@libdir_jvm@@"
+if [ -n "${D:-}" ] ; then
+    # called from postinst as part of image build on host
+    if [ -z "${JVM_LIBDIR:-}" ] ; then
+        # should never happen, this is supposed to be passed in
+        echo "$0: no JVM_LIBDIR specified" >&2
+        false
+    fi
+fi
+if [ -n "${JVM_LIBDIR:-}" ] ; then
+    jvm_libdir="${JVM_LIBDIR}"
+fi
+for JAVA in icedtea7-native/bin/java \
+            openjdk-8-native/bin/java openjdk-8/bin/java openjre-8/bin/java \
+         ; do
+    if [ -x "${jvm_libdir}/${JAVA}" ] ; then
+        JAVA="${jvm_libdir}/${JAVA}"
+        break
+    fi
+done
+if [ ! -x "${JAVA}" ] ; then
+    # shouldn't really happen, as we RDEPEND on java
+    echo "$0: JAVA not found" >&2
+    false
+fi
+if [ "${self}" = "ca-certificates-java-hook" ] ; then
+    # case 1) from above
+    # the list of (changed) files is passed via stdin
+    while read input ; do
+        echo "${input}"
+    done
+elif [ -s $D${sysconfdir}/ssl/certs/java/cacerts ] ; then
+    # we were executed explicitly (not via ca-cacertificates hook)
+    # case 3) from above
+    # do nothing, as the trustStore exists already
+    return
+else
+    # we were executed explicitly (not via ca-cacertificates hook)
+    # case 2) from above
+    # the trustStore doesn't exist yet, create it as this is
+    # a first time install (e.g. during image build)
+    find $D${sysconfdir}/ssl/certs -name '*.pem' | \
+    while read filename ; do
+        echo "+${filename}"
+    done
+fi | SYSROOT="${D:-}" ${JAVA} -Xmx64m \
+                              -jar ${D:-}@@datadir_java@@/@@JARFILENAME@@ \
+                              -storepass changeit

diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch new file mode 100644 index 0000000..ca052ab --- /dev/null +++ b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
@@ -0,0 +1,43 @@
	1	From 70cd9999d3c139230aa05816e98cdc3e50ead713 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
	3	Date: Tue, 27 Mar 2018 16:50:39 +0100
	4	Subject: [PATCH] UpdateCertificates: handle SYSROOT environment variable for
	5	cacerts
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	We can now pass in the sysroot, so that the trustStore
	11	is written to /etc/ssl/certs/java/cacerts below $SYSROOT.
	12
	13	Upstream-Status: Inappropriate [OE specific]
	14	Signed-off-by: André Draszik <andre.draszik@jci.com>
	15	---
	16	src/main/java/org/debian/security/UpdateCertificates.java \| 6 +++++-
	17	1 file changed, 5 insertions(+), 1 deletion(-)
	18
	19	diff --git a/src/main/java/org/debian/security/UpdateCertificates.java b/src/main/java/org/debian/security/UpdateCertificates.java
	20	index e4f8205..dba9a7b 100644
	21	--- a/src/main/java/org/debian/security/UpdateCertificates.java
	22	+++ b/src/main/java/org/debian/security/UpdateCertificates.java
	23	@@ -40,15 +40,19 @@ public class UpdateCertificates {
	24
	25	public static void main(String[] args) throws IOException, GeneralSecurityException {
	26	String passwordString = "changeit";
	27	+ String sysroot;
	28	if (args.length == 2 && args[0].equals("-storepass")) {
	29	passwordString = args[1];
	30	} else if (args.length > 0) {
	31	System.err.println("Usage: java org.debian.security.UpdateCertificates [-storepass <password>]");
	32	System.exit(1);
	33	}
	34	+ sysroot = System.getenv("SYSROOT");
	35	+ if (sysroot == null)
	36	+ sysroot = "";
	37
	38	try {
	39	- UpdateCertificates uc = new UpdateCertificates("/etc/ssl/certs/java/cacerts", passwordString);
	40	+ UpdateCertificates uc = new UpdateCertificates(sysroot + "/etc/ssl/certs/java/cacerts", passwordString);
	41	// Force reading of inputstream in UTF-8
	42	uc.processChanges(new InputStreamReader(System.in, "UTF8"));
	43	uc.finish();


diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in new file mode 100755 index 0000000..f01fe36 --- /dev/null +++ b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
@@ -0,0 +1,64 @@
	1	#!/bin/sh -eu
	2
	3	# As per the debian package, three cases when we can be called:
	4	# 1) as part of update-ca-certificates -> add / remove certs as instructed
	5	# 2) if first time install -> add all certs
	6	# 3) package update -> do nothing
	7	# We have no way to easily distinguish between first time install
	8	# and package update in OE, so the distinction between cases 2)
	9	# and 3) isn't perfect.
	10
	11	self=$(basename $0)
	12	jvm_libdir="@@libdir_jvm@@"
	13
	14	if [ -n "${D:-}" ] ; then
	15	# called from postinst as part of image build on host
	16	if [ -z "${JVM_LIBDIR:-}" ] ; then
	17	# should never happen, this is supposed to be passed in
	18	echo "$0: no JVM_LIBDIR specified" >&2
	19	false
	20	fi
	21	fi
	22	if [ -n "${JVM_LIBDIR:-}" ] ; then
	23	jvm_libdir="${JVM_LIBDIR}"
	24	fi
	25
	26	for JAVA in icedtea7-native/bin/java \
	27	openjdk-8-native/bin/java openjdk-8/bin/java openjre-8/bin/java \
	28	; do
	29	if [ -x "${jvm_libdir}/${JAVA}" ] ; then
	30	JAVA="${jvm_libdir}/${JAVA}"
	31	break
	32	fi
	33	done
	34
	35	if [ ! -x "${JAVA}" ] ; then
	36	# shouldn't really happen, as we RDEPEND on java
	37	echo "$0: JAVA not found" >&2
	38	false
	39	fi
	40
	41	if [ "${self}" = "ca-certificates-java-hook" ] ; then
	42	# case 1) from above
	43	# the list of (changed) files is passed via stdin
	44	while read input ; do
	45	echo "${input}"
	46	done
	47	elif [ -s $D${sysconfdir}/ssl/certs/java/cacerts ] ; then
	48	# we were executed explicitly (not via ca-cacertificates hook)
	49	# case 3) from above
	50	# do nothing, as the trustStore exists already
	51	return
	52	else
	53	# we were executed explicitly (not via ca-cacertificates hook)
	54	# case 2) from above
	55	# the trustStore doesn't exist yet, create it as this is
	56	# a first time install (e.g. during image build)
	57	find $D${sysconfdir}/ssl/certs -name '*.pem' \| \
	58	while read filename ; do
	59	echo "+${filename}"
	60	done
	61	fi \| SYSROOT="${D:-}" ${JAVA} -Xmx64m \
	62	-jar ${D:-}@@datadir_java@@/@@JARFILENAME@@ \
	63	-storepass changeit
	64