From: Ricardo Wurmus
Subject: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
Date: Mon, 18 Jul 2016 13:59:41 +0200

* gnu/packages/java.scm (icedtea-6)[arguments]: Add phase "install-keystore".
[native-inputs]: Add nss-certs and openssl.

--- gnu/packages/java.scm | 63 +++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 61 insertions(+), 2 deletions(-) diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm index faa6e5b..95e273e 100644 --- a/gnu/packages/java.scm +++ b/gnu/packages/java.scm @@ -30,6 +30,7 @@ #:use-module (gnu packages autotools) #:use-module (gnu packages base) #:use-module (gnu packages bash) + #:use-module (gnu packages certs) #:use-module (gnu packages cpio) #:use-module (gnu packages cups) #:use-module (gnu packages compression) 
@@ -47,6 +48,7 @@ #:use-module (gnu packages pkg-config) #:use-module (gnu packages perl) #:use-module (gnu packages mit-krb5) + #:use-module (gnu packages tls) #:use-module (gnu packages xml) #:use-module (gnu packages xorg) #:use-module (gnu packages zip) @@ -262,7 +264,8 @@ build process and its dependencies, whereas Make uses Makefile format.") #:modules ((guix build utils) (guix build gnu-build-system) (ice-9 popen) - (ice-9 rdelim)) + (ice-9 rdelim) + (srfi srfi-19)) #:configure-flags (let* ((gcjdir (assoc-ref %build-inputs "gcj")) 
@@ -521,7 +524,58 @@ build process and its dependencies, whereas Make uses Makefile format.") (jdk (assoc-ref outputs "jdk"))) (copy-recursively "openjdk.build/docs" doc) (copy-recursively "openjdk.build/j2re-image" jre) - (copy-recursively "openjdk.build/j2sdk-image" jdk))))))) + (copy-recursively "openjdk.build/j2sdk-image" jdk)))) + (add-after 'install 'install-keystore + (lambda* (#:key inputs outputs #:allow-other-keys) + (let* ((keystore "cacerts") + (certs-dir (string-append (assoc-ref inputs "nss-certs") + "/etc/ssl/certs")) + (keytool (string-append (assoc-ref outputs "jdk") + "/bin/keytool")) + (openssl (which "openssl")) + (recent (date->time-utc (string->date "2016-1-1" + "~Y-~m-~d")))) + (define (valid? cert) + (let* ((port (open-pipe* OPEN_READ openssl + "x509" "-enddate" "-in" cert "-noout")) + (str (read-line port)) + (end (begin (close-pipe port) + ;; TODO: use match? + (cadr (string-split str #\=))))) + (time>? (date->time-utc + (string->date end "~b ~d ~H:~M:~S ~Y")) recent))) + + (define (import-cert cert) + (format #t "Importing certificate ~a\n" (basename cert)) + (let* ((port (open-pipe* OPEN_WRITE keytool + "-import" + "-alias" (basename cert) + "-keystore" keystore + "-storepass" "changeit" + "-file" cert))) + (display "yes\n" port) + (when (not (eqv? 0 (status:exit-val (close-pipe port)))) + (format (current-error-port) + "Failed to import certificate.\n")))) + + ;; This is necessary because the certificate directory contains + ;; files with non-ASCII characters in their names. + (setlocale LC_ALL "en_US.utf8") + (setenv "LC_ALL" "en_US.utf8") + + (for-each import-cert + (filter valid? 
(find-files certs-dir "\\.pem$"))) + (mkdir-p (string-append (assoc-ref outputs "out") + "/lib/security")) + (mkdir-p (string-append (assoc-ref outputs "jdk") + "/jre/lib/security")) + (install-file keystore + (string-append (assoc-ref outputs "out") + "/lib/security")) + (install-file keystore + (string-append (assoc-ref outputs "jdk") + "/jre/lib/security")) + #t)))))) (native-inputs `(("ant" ,ant) ("alsa-lib" ,alsa-lib) @@ -544,6 +598,7 @@ build process and its dependencies, whereas Make uses Makefile format.") ("libxslt" ,libxslt) ;for xsltproc ("mit-krb5" ,mit-krb5) ("nss" ,nss) + ("nss-certs" ,nss-certs) ("libx11" ,libx11) ("libxcomposite" ,libxcomposite) ("libxt" ,libxt) @@ -554,6 +609,7 @@ build process and its dependencies, whereas Make uses Makefile format.") ("libjpeg" ,libjpeg) ("libpng" ,libpng) ("giflib" ,giflib) + ("openssl" ,openssl) ("perl" ,perl) ("procps" ,procps) ;for "free", even though I'm not sure we should use it ("openjdk6-src" @@ -789,6 +845,9 @@ build process and its dependencies, whereas Make uses Makefile format.") (delete 'patch-paths) (delete 'set-additional-paths) (delete 'patch-patches) + ;; FIXME: This phase is needed but fails with this version of + ;; IcedTea. + (delete 'install-keystore) (replace 'install (lambda* (#:key outputs #:allow-other-keys) (let ((doc (string-append (assoc-ref outputs "doc")
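Review bot: In the @@ -521,7 +524,58 @@ hunk, import-cert only prints "Failed to import certificate." when keytool exits non-zero, and the phase still ends in #t, so the build can succeed with an incomplete or empty cacerts. Suggest putting (basename cert) in the error message and failing the phase, or at least counting failures, so a broken trust store is not installed silently. In valid? of the same hunk, the cutoff is the fixed date "2016-1-1" rather than the build time, so a certificate that expired after that date is still imported; if that is intentional, a comment saying why would help. Also in valid?, read-line returns EOF when openssl prints nothing, and string-split on that value raises, which deserves an explicit check alongside the existing TODO.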
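Review bot: In the @@ -789,6 +845,9 @@ hunk, the FIXME above (delete 'install-keystore) says the phase "is needed but fails" without recording how it fails, and the commit message lists only the icedtea-6 changes. Suggest stating the actual error in the comment and mentioning this deletion in the commit log, since the package edited here is then built without the generated cacerts keystore.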