Add instructions to create caceerts for Open JDK.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@11820 af4574ff-66df-0310-9fd7-8a98e5e911e0

general.ent

@@ -1,12 +1,12 @@
 <!-- $LastChangedBy$ $Date$ -->
 
-<!ENTITY day          "10">                   <!-- Always 2 digits -->
+<!ENTITY day          "11">                   <!-- Always 2 digits -->
 <!ENTITY month        "09">                   <!-- Always 2 digits -->
 <!ENTITY year         "2013">
 <!ENTITY copyrightdate "2001-&year;">
 <!ENTITY copyholder   "The BLFS Development Team">
 <!ENTITY version      "&year;-&month;-&day;">
-<!ENTITY releasedate  "September 10th, &year;">
+<!ENTITY releasedate  "September 11th, &year;">
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 <!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->
 <!ENTITY lfs-version  "development">          <!-- version|testing|unstable|development] -->

general/prog/openjdk.xml

@@ -462,6 +462,255 @@ mandb -c /opt/jdk/man</userinput></screen>
 
     </sect3>
 
+    <sect3 id='ojdk-certs'>
+      <title>Install or update the JRE Certificate Authority Certificates (cacerts) file</title>
+
+      <para>Use the following procedure to check if the cacerts file was
+      successfully installed during the OpenJDK installation or if the <xref
+      linkend="cacerts"/> have been updated, the following instructions will
+      generate a new JRE <filename>cacerts</filename> file. First, check if the
+      <filename>cacerts</filename> have been successfully installed: </para>
+
+<screen role="root"><userinput>cd /opt/jdk
+bin/keytool -list -keystore jre/lib/security/cacerts</userinput></screen>
+
+      <para>At the prompt "Enter keystore password:", press the "Enter" key if
+      there is no keystore password defined. If the
+      <filename>cacerts</filename> was installed correctly, you will see a
+      list of the certificates with related information for each one. If not,
+      you need to manually install them. First, generate the
+      <command>mkcacerts</command> script as the
+      <systemitem class="username">root</systemitem> user:</para>
+
+<screen role="root"><userinput>cat &gt; /opt/jdk/bin/mkcacerts &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Simple script to extract x509 certificates and create a JRE cacerts file.
+
+function get_args()
+    {
+        if test -z "${1}" ; then
+            showhelp
+            exit 1
+        fi
+
+        while test -n "${1}" ; do
+            case "${1}" in
+                -f | --cafile)
+                    check_arg $1 $2
+                    CAFILE="${2}"
+                    shift 2
+                    ;;
+                -d | --cadir)
+                    check_arg $1 $2
+                    CADIR="${2}"
+                    shift 2
+                    ;;
+                -o | --outfile)
+                    check_arg $1 $2
+                    OUTFILE="${2}"
+                    shift 2
+                    ;;
+                -k | --keytool)
+                    check_arg $1 $2
+                    KEYTOOL="${2}"
+                    shift 2
+                    ;;
+                -s | --openssl)
+                    check_arg $1 $2
+                    OPENSSL="${2}"
+                    shift 2
+                    ;;
+                -h | --help)
+                    showhelp
+                    exit 0
+                    ;;
+                *)
+                    showhelp
+                    exit 1
+                    ;;
+            esac
+        done
+    }
+
+function check_arg()
+    {
+        echo "${2}" | grep -v "^-" > /dev/null
+        if [ -z "$?" -o ! -n "$2" ]; then
+            echo "Error:  $1 requires a valid argument."
+            exit 1
+        fi
+    }
+
+# The date binary is not reliable on 32bit systems for dates after 2038
+function mydate()
+    {
+        local y=$( echo $1 | cut -d" " -f4 )
+        local M=$( echo $1 | cut -d" " -f1 )
+        local d=$( echo $1 | cut -d" " -f2 )
+        local m
+
+        if [ ${d} -lt 10 ]; then d="0${d}"; fi
+
+        case $M in
+            Jan) m="01";;
+            Feb) m="02";;
+            Mar) m="03";;
+            Apr) m="04";;
+            May) m="05";;
+            Jun) m="06";;
+            Jul) m="07";;
+            Aug) m="08";;
+            Sep) m="09";;
+            Oct) m="10";;
+            Nov) m="11";;
+            Dec) m="12";;
+        esac
+
+        certdate="${y}${m}${d}"
+    }
+
+function showhelp()
+    {
+        echo "`basename ${0}` creates a valid cacerts file for use with IcedTea."
+        echo ""
+        echo "        -f  --cafile        The path to a file containing PEM formated CA"
+        echo "                            certificates.  May not be used with -d/--cadir."
+        echo "        -d  --cadir         The path to a diectory of PEM formatted CA"
+        echo "                            certificates.  May not be used with -f/--cafile."
+        echo "        -o  --outfile       The path to the output file."
+        echo ""
+        echo "        -k  --keytool       The path to the java keytool utility."
+        echo ""
+        echo "        -s  --openssl       The path to the openssl utility."
+        echo ""
+        echo "        -h  --help          Show this help message and exit."
+        echo ""
+        echo ""
+    }
+
+# Initialize empty variables so that the shell does not polute the script
+CAFILE=""
+CADIR=""
+OUTFILE=""
+OPENSSL=""
+KEYTOOL=""
+certdate=""
+date=""
+today=$( date +%Y%m%d )
+
+# Process command line arguments
+get_args ${@}
+
+# Handle common errors
+if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then
+    echo "ERROR!  You must provide an x509 certificate store!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then
+    echo "ERROR!  You cannot provide two x509 certificate stores!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${KEYTOOL}x" == "x" ; then
+    echo "ERROR!  You must provide a valid keytool program!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${OPENSSL}x" == "x" ; then
+    echo "ERROR!  You must provide a valid path to openssl!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${OUTFILE}x" == "x" ; then
+    echo "ERROR!  You must provide a valid output file!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+# Get on with the work
+
+# If using a CAFILE, split it into individual files in a temp directory
+if test "${CAFILE}x" != "x" ; then
+    TEMPDIR=`mktemp -d`
+    CADIR="${TEMPDIR}"
+
+    # Get a list of staring lines for each cert
+    CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1`
+
+    # Get a list of ending lines for each cert
+    ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
+
+    # Start a loop
+    for certbegin in `echo "${CERTLIST}"` ; do
+        for certend in `echo "${ENDCERTLIST}"` ; do
+            if test "${certend}" -gt "${certbegin}"; then
+                break
+            fi
+        done
+        sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}.pem"
+        keyhash=`${OPENSSL} x509 -noout -in "${CADIR}/${certbegin}.pem" -hash`
+        echo "Generated PEM file with hash:  ${keyhash}."
+    done
+fi
+
+# Write the output file
+for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"`
+do
+
+    # Make sure the certificate date is valid...
+    date=$( ${OPENSSL} x509 -enddate -in "${cert}" -noout | sed 's/^notAfter=//' )
+    mydate "${date}"
+    if test "${certdate}" -lt "${today}" ; then
+        echo "${cert} expired on ${certdate}! Skipping..."
+        unset date certdate
+        continue
+    fi
+    unset date certdate
+    ls "${cert}"
+    tempfile=`mktemp`
+    certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1`
+    certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1`
+    sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}"
+    echo yes | env LC_ALL=C "${KEYTOOL}" -import -alias `basename "${cert}"` -keystore \
+                   "${OUTFILE}" -storepass 'changeit' -file "${tempfile}"
+    rm "${tempfile}"
+done
+
+if test "${TEMPDIR}x" != "x" ; then
+    rm -rf "${TEMPDIR}"
+fi
+exit 0</literal>
+EOF
+
+chmod -c 0755 /opt/jdk/bin/mkcacerts</userinput></screen>
+ 
+  <note>
+    <para>
+      Doing a very large copy/paste directly to a terminal may result in a
+      corrupted file.  Copying to an editor may overcome this issue.
+    </para>
+  </note>
+
+    <para>After making a backup of the
+    <filename>/opt/jdk/jre/lib/security/cacerts</filename> file, if there is
+    any.  To create a new one, as the
+    <systemitem class="username">root</systemitem> user:</para>
+
+<screen><userinput>/opt/jdk/bin/mkcacerts -d "/etc/ssl/certs/"  -k "/opt/jdk/bin/keytool" \
+                       -s "/usr/bin/openssl" -o "/opt/jdk/jre/lib/security/cacerts"</userinput></screen>
+
+    </sect3>
+
   </sect2>
 
   <sect2 role="content">

introduction/welcome/changelog.xml

@@ -43,6 +43,17 @@
     </listitem>
 
 -->
+    <listitem>
+      <para>September 11th, 2013</para>
+      <itemizedlist>
+        <listitem>
+          <para>[fernando] - Update to OJDK to add procedures to
+          check/update Certificate Authority Certificates.  Fixes
+          <ulink url="&blfs-ticket-root;3997">#3997</ulink>.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
     <listitem>
       <para>September 10th, 2013</para>
       <itemizedlist>

postlfs/security/cacerts.xml

@@ -325,6 +325,10 @@ unset SSLDIR</userinput></screen>
 
 <screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
 
+   <para>After installing or updating certificates, if OpenJDK is installed, 
+   update the certificates for Java using the procedures at <xref linkend='ojdk-certs'/>.</para>
+
+
   </sect2>
 
   <sect2 role="content">