Add instructions to create caceerts for Open JDK.
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@11820 af4574ff-66df-0310-9fd7-8a98e5e911e0
This commit is contained in:
parent
eec1fd725a
commit
8b9034a23e
@ -1,12 +1,12 @@
|
||||
<!-- $LastChangedBy$ $Date$ -->
|
||||
|
||||
<!ENTITY day "10"> <!-- Always 2 digits -->
|
||||
<!ENTITY day "11"> <!-- Always 2 digits -->
|
||||
<!ENTITY month "09"> <!-- Always 2 digits -->
|
||||
<!ENTITY year "2013">
|
||||
<!ENTITY copyrightdate "2001-&year;">
|
||||
<!ENTITY copyholder "The BLFS Development Team">
|
||||
<!ENTITY version "&year;-&month;-&day;">
|
||||
<!ENTITY releasedate "September 10th, &year;">
|
||||
<!ENTITY releasedate "September 11th, &year;">
|
||||
<!ENTITY pubdate "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
|
||||
<!ENTITY blfs-version "svn"> <!-- svn|[release #] -->
|
||||
<!ENTITY lfs-version "development"> <!-- version|testing|unstable|development] -->
|
||||
|
@ -462,6 +462,255 @@ mandb -c /opt/jdk/man</userinput></screen>
|
||||
|
||||
</sect3>
|
||||
|
||||
<sect3 id='ojdk-certs'>
|
||||
<title>Install or update the JRE Certificate Authority Certificates (cacerts) file</title>
|
||||
|
||||
<para>Use the following procedure to check if the cacerts file was
|
||||
successfully installed during the OpenJDK installation or if the <xref
|
||||
linkend="cacerts"/> have been updated, the following instructions will
|
||||
generate a new JRE <filename>cacerts</filename> file. First, check if the
|
||||
<filename>cacerts</filename> have been successfully installed: </para>
|
||||
|
||||
<screen role="root"><userinput>cd /opt/jdk
|
||||
bin/keytool -list -keystore jre/lib/security/cacerts</userinput></screen>
|
||||
|
||||
<para>At the prompt "Enter keystore password:", press the "Enter" key if
|
||||
there is no keystore password defined. If the
|
||||
<filename>cacerts</filename> was installed correctly, you will see a
|
||||
list of the certificates with related information for each one. If not,
|
||||
you need to manually install them. First, generate the
|
||||
<command>mkcacerts</command> script as the
|
||||
<systemitem class="username">root</systemitem> user:</para>
|
||||
|
||||
<screen role="root"><userinput>cat > /opt/jdk/bin/mkcacerts << "EOF"
|
||||
<literal>#!/bin/sh
|
||||
# Simple script to extract x509 certificates and create a JRE cacerts file.
|
||||
|
||||
function get_args()
|
||||
{
|
||||
if test -z "${1}" ; then
|
||||
showhelp
|
||||
exit 1
|
||||
fi
|
||||
|
||||
while test -n "${1}" ; do
|
||||
case "${1}" in
|
||||
-f | --cafile)
|
||||
check_arg $1 $2
|
||||
CAFILE="${2}"
|
||||
shift 2
|
||||
;;
|
||||
-d | --cadir)
|
||||
check_arg $1 $2
|
||||
CADIR="${2}"
|
||||
shift 2
|
||||
;;
|
||||
-o | --outfile)
|
||||
check_arg $1 $2
|
||||
OUTFILE="${2}"
|
||||
shift 2
|
||||
;;
|
||||
-k | --keytool)
|
||||
check_arg $1 $2
|
||||
KEYTOOL="${2}"
|
||||
shift 2
|
||||
;;
|
||||
-s | --openssl)
|
||||
check_arg $1 $2
|
||||
OPENSSL="${2}"
|
||||
shift 2
|
||||
;;
|
||||
-h | --help)
|
||||
showhelp
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
showhelp
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
function check_arg()
|
||||
{
|
||||
echo "${2}" | grep -v "^-" > /dev/null
|
||||
if [ -z "$?" -o ! -n "$2" ]; then
|
||||
echo "Error: $1 requires a valid argument."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# The date binary is not reliable on 32bit systems for dates after 2038
|
||||
function mydate()
|
||||
{
|
||||
local y=$( echo $1 | cut -d" " -f4 )
|
||||
local M=$( echo $1 | cut -d" " -f1 )
|
||||
local d=$( echo $1 | cut -d" " -f2 )
|
||||
local m
|
||||
|
||||
if [ ${d} -lt 10 ]; then d="0${d}"; fi
|
||||
|
||||
case $M in
|
||||
Jan) m="01";;
|
||||
Feb) m="02";;
|
||||
Mar) m="03";;
|
||||
Apr) m="04";;
|
||||
May) m="05";;
|
||||
Jun) m="06";;
|
||||
Jul) m="07";;
|
||||
Aug) m="08";;
|
||||
Sep) m="09";;
|
||||
Oct) m="10";;
|
||||
Nov) m="11";;
|
||||
Dec) m="12";;
|
||||
esac
|
||||
|
||||
certdate="${y}${m}${d}"
|
||||
}
|
||||
|
||||
function showhelp()
|
||||
{
|
||||
echo "`basename ${0}` creates a valid cacerts file for use with IcedTea."
|
||||
echo ""
|
||||
echo " -f --cafile The path to a file containing PEM formated CA"
|
||||
echo " certificates. May not be used with -d/--cadir."
|
||||
echo " -d --cadir The path to a diectory of PEM formatted CA"
|
||||
echo " certificates. May not be used with -f/--cafile."
|
||||
echo " -o --outfile The path to the output file."
|
||||
echo ""
|
||||
echo " -k --keytool The path to the java keytool utility."
|
||||
echo ""
|
||||
echo " -s --openssl The path to the openssl utility."
|
||||
echo ""
|
||||
echo " -h --help Show this help message and exit."
|
||||
echo ""
|
||||
echo ""
|
||||
}
|
||||
|
||||
# Initialize empty variables so that the shell does not polute the script
|
||||
CAFILE=""
|
||||
CADIR=""
|
||||
OUTFILE=""
|
||||
OPENSSL=""
|
||||
KEYTOOL=""
|
||||
certdate=""
|
||||
date=""
|
||||
today=$( date +%Y%m%d )
|
||||
|
||||
# Process command line arguments
|
||||
get_args ${@}
|
||||
|
||||
# Handle common errors
|
||||
if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then
|
||||
echo "ERROR! You must provide an x509 certificate store!"
|
||||
echo "\'$(basename ${0}) --help\' for more info."
|
||||
echo ""
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then
|
||||
echo "ERROR! You cannot provide two x509 certificate stores!"
|
||||
echo "\'$(basename ${0}) --help\' for more info."
|
||||
echo ""
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test "${KEYTOOL}x" == "x" ; then
|
||||
echo "ERROR! You must provide a valid keytool program!"
|
||||
echo "\'$(basename ${0}) --help\' for more info."
|
||||
echo ""
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test "${OPENSSL}x" == "x" ; then
|
||||
echo "ERROR! You must provide a valid path to openssl!"
|
||||
echo "\'$(basename ${0}) --help\' for more info."
|
||||
echo ""
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test "${OUTFILE}x" == "x" ; then
|
||||
echo "ERROR! You must provide a valid output file!"
|
||||
echo "\'$(basename ${0}) --help\' for more info."
|
||||
echo ""
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Get on with the work
|
||||
|
||||
# If using a CAFILE, split it into individual files in a temp directory
|
||||
if test "${CAFILE}x" != "x" ; then
|
||||
TEMPDIR=`mktemp -d`
|
||||
CADIR="${TEMPDIR}"
|
||||
|
||||
# Get a list of staring lines for each cert
|
||||
CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1`
|
||||
|
||||
# Get a list of ending lines for each cert
|
||||
ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
|
||||
|
||||
# Start a loop
|
||||
for certbegin in `echo "${CERTLIST}"` ; do
|
||||
for certend in `echo "${ENDCERTLIST}"` ; do
|
||||
if test "${certend}" -gt "${certbegin}"; then
|
||||
break
|
||||
fi
|
||||
done
|
||||
sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}.pem"
|
||||
keyhash=`${OPENSSL} x509 -noout -in "${CADIR}/${certbegin}.pem" -hash`
|
||||
echo "Generated PEM file with hash: ${keyhash}."
|
||||
done
|
||||
fi
|
||||
|
||||
# Write the output file
|
||||
for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"`
|
||||
do
|
||||
|
||||
# Make sure the certificate date is valid...
|
||||
date=$( ${OPENSSL} x509 -enddate -in "${cert}" -noout | sed 's/^notAfter=//' )
|
||||
mydate "${date}"
|
||||
if test "${certdate}" -lt "${today}" ; then
|
||||
echo "${cert} expired on ${certdate}! Skipping..."
|
||||
unset date certdate
|
||||
continue
|
||||
fi
|
||||
unset date certdate
|
||||
ls "${cert}"
|
||||
tempfile=`mktemp`
|
||||
certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1`
|
||||
certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1`
|
||||
sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}"
|
||||
echo yes | env LC_ALL=C "${KEYTOOL}" -import -alias `basename "${cert}"` -keystore \
|
||||
"${OUTFILE}" -storepass 'changeit' -file "${tempfile}"
|
||||
rm "${tempfile}"
|
||||
done
|
||||
|
||||
if test "${TEMPDIR}x" != "x" ; then
|
||||
rm -rf "${TEMPDIR}"
|
||||
fi
|
||||
exit 0</literal>
|
||||
EOF
|
||||
|
||||
chmod -c 0755 /opt/jdk/bin/mkcacerts</userinput></screen>
|
||||
|
||||
<note>
|
||||
<para>
|
||||
Doing a very large copy/paste directly to a terminal may result in a
|
||||
corrupted file. Copying to an editor may overcome this issue.
|
||||
</para>
|
||||
</note>
|
||||
|
||||
<para>After making a backup of the
|
||||
<filename>/opt/jdk/jre/lib/security/cacerts</filename> file, if there is
|
||||
any. To create a new one, as the
|
||||
<systemitem class="username">root</systemitem> user:</para>
|
||||
|
||||
<screen><userinput>/opt/jdk/bin/mkcacerts -d "/etc/ssl/certs/" -k "/opt/jdk/bin/keytool" \
|
||||
-s "/usr/bin/openssl" -o "/opt/jdk/jre/lib/security/cacerts"</userinput></screen>
|
||||
|
||||
</sect3>
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2 role="content">
|
||||
|
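Review bot: `TEMPDIR` is the one variable the script's own initialization run (`CAFILE=""` through `today=$( date +%Y%m%d )`) does not clear, yet the closing `if test "${TEMPDIR}x" != "x" ; then rm -rf "${TEMPDIR}"` runs as root on whatever value is inherited from the environment, including on the `-d/--cadir` path that never assigns it; add `TEMPDIR=""` beside `certdate=""` and make the removal `rm -rf -- "${TEMPDIR:?}"`. In `check_arg`, `[ -z "$?" -o ! -n "$2" ]` never sees the grep result because `$?` is never empty, so an option value that begins with `-` is accepted; `if [ $? -ne 0 -o -z "$2" ]; then` is what the preceding grep was for. The script is `#!/bin/sh` but uses `function` and `test ... ==`, which only work where `/bin/sh` is bash, so a one-line comment stating that assumption (or `#!/bin/bash`) would help readers outside BLFS. The `find` loop `for cert in \`find ... -name "*.pem" -o -name "*.crt"\`` binds `-type f` to the `.pem` branch only and word-splits paths, so `.crt` directories and names with spaces are mishandled; parenthesizing the `-name` tests is a one-line change. The whole `mkcacerts` body is within this hunk.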
@ -43,6 +43,17 @@
|
||||
</listitem>
|
||||
|
||||
-->
|
||||
<listitem>
|
||||
<para>September 11th, 2013</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>[fernando] - Update to OJDK to add procedures to
|
||||
check/update Certificate Authority Certificates. Fixes
|
||||
<ulink url="&blfs-ticket-root;3997">#3997</ulink>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>September 10th, 2013</para>
|
||||
<itemizedlist>
|
||||
|
@ -325,6 +325,10 @@ unset SSLDIR</userinput></screen>
|
||||
|
||||
<screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
|
||||
|
||||
<para>After installing or updating certificates, if OpenJDK is installed,
|
||||
update the certificates for Java using the procedures at <xref linkend='ojdk-certs'/>.</para>
|
||||
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2 role="content">
|
||||
|