ca-certificates-java-20130815ubuntu1/0000775000000000000000000000000012312556533014145 5ustar ca-certificates-java-20130815ubuntu1/UpdateCertificatesTest.java0000664000000000000000000001541612312556533021427 0ustar /* * Copyright (C) 2012 Damien Raude-Morvan * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. * */ import java.io.File; import java.io.IOException; import java.security.GeneralSecurityException; import junit.framework.Assert; import org.junit.Before; import org.junit.Test; /** * Tests for {@link UpdateCertificates}. 
*
 * @author Damien Raude-Morvan
 */
public class UpdateCertificatesTest {

    private static final String ALIAS_CACERT = "debian:thawte_Primary_Root_CA_-_G3.crt";
    private static final String INVALID_CACERT = "x/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt";
    private static final String REMOVE_CACERT = "-/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt";
    private static final String ADD_CACERT = "+/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt";

    private String ksFilename = null;
    private String ksPassword = null;

    /**
     * Points every test at a scratch keystore path and removes whatever a
     * previous test left there.
     */
    @Before
    public void start() {
        ksFilename = "./tests-cacerts";
        ksPassword = "changeit";

        // File.delete() also removes the empty directory created by testDeleteThenWrite.
        new File(ksFilename).delete();
    }

    /**
     * Opening a keystore and writing it back unchanged must not throw.
     */
    @Test
    public void testNoop() throws IOException, GeneralSecurityException,
            Exceptions.InvalidKeystorePassword, Exceptions.UnableToSaveKeystore {
        final UpdateCertificates updater = new UpdateCertificates(ksPassword, ksFilename);
        updater.writeKeyStore();
    }

    /**
     * Writes a keystore with the right password, then reopens it with a wrong
     * one: the second open must fail with InvalidKeystorePassword.
     */
    @Test
    public void testWriteThenOpenWrongPwd() throws IOException,
            GeneralSecurityException, Exceptions.UnableToSaveKeystore {
        try {
            final UpdateCertificates writer = new UpdateCertificates(ksPassword, ksFilename);
            writer.writeKeyStore();
        } catch (Exceptions.InvalidKeystorePassword unexpected) {
            Assert.fail();
        }

        try {
            final UpdateCertificates reopened = new UpdateCertificates("wrongpassword", ksFilename);
            // Reaching this line means the wrong password was accepted.
            Assert.fail();
            reopened.writeKeyStore();
        } catch (Exceptions.InvalidKeystorePassword expected) {
            Assert.assertEquals(
                    "Cannot open Java keystore. Is the password correct?",
                    expected.getMessage());
        }
    }

    /**
     * Opens a keystore, puts a directory where its backing file should be and
     * then tries to save: the save must fail with UnableToSaveKeystore.
     */
    @Test
    public void testDeleteThenWrite() throws IOException,
            GeneralSecurityException, Exceptions.InvalidKeystorePassword {
        try {
            final UpdateCertificates updater = new UpdateCertificates(ksPassword, ksFilename);

            // Occupy the keystore path with a directory so the write cannot succeed.
            final File ksPath = new File(ksFilename);
            ksPath.delete();
            ksPath.mkdir();

            // Expected to fail with an IOException wrapped by the updater.
            updater.writeKeyStore();
            Assert.fail();
        } catch (Exceptions.UnableToSaveKeystore expected) {
            Assert.assertEquals(
                    "There was a problem saving the new Java keystore.",
                    expected.getMessage());
        }
    }

    /**
     * A line starting with an unknown command ("x") must be rejected by
     * parseLine with UnknownInput carrying the offending line.
     */
    @Test
    public void testWrongCommand() throws IOException,
            GeneralSecurityException, Exceptions.InvalidKeystorePassword {
        final UpdateCertificates updater = new UpdateCertificates(ksPassword, ksFilename);
        try {
            updater.parseLine(INVALID_CACERT);
            Assert.fail();
        } catch (Exceptions.UnknownInput expected) {
            Assert.assertEquals(INVALID_CACERT, expected.getMessage());
        }
    }

    /**
     * Test to insert a valid certificate and then check if it's really in KS.
*/
    @Test
    public void testAdd() throws IOException, GeneralSecurityException,
            Exceptions.UnknownInput, Exceptions.InvalidKeystorePassword,
            Exceptions.UnableToSaveKeystore {
        final UpdateCertificates updater = new UpdateCertificates(ksPassword, ksFilename);
        updater.parseLine(ADD_CACERT);
        updater.writeKeyStore();

        final boolean present = updater.contains(ALIAS_CACERT);
        Assert.assertEquals(true, present);
    }

    /**
     * Adding a path that does not yield a certificate raises no exception,
     * but no alias may be created for it.
     */
    @Test
    public void testAddInvalidCert() throws IOException,
            GeneralSecurityException, Exceptions.UnknownInput,
            Exceptions.InvalidKeystorePassword, Exceptions.UnableToSaveKeystore {
        final UpdateCertificates updater = new UpdateCertificates(ksPassword, ksFilename);
        updater.parseLine("+/usr/share/ca-certificates/null.crt");
        updater.writeKeyStore();

        final boolean present = updater.contains("debian:null.crt");
        Assert.assertEquals(false, present);
    }

    /**
     * Adding the same certificate twice replaces the entry; the alias is
     * still present afterwards.
     */
    @Test
    public void testReplace() throws IOException, GeneralSecurityException,
            Exceptions.UnknownInput, Exceptions.InvalidKeystorePassword,
            Exceptions.UnableToSaveKeystore {
        final UpdateCertificates updater = new UpdateCertificates(ksPassword, ksFilename);
        for (int pass = 0; pass < 2; pass++) {
            updater.parseLine(ADD_CACERT);
        }
        updater.writeKeyStore();

        final boolean present = updater.contains(ALIAS_CACERT);
        Assert.assertEquals(true, present);
    }

    /**
     * Removing a certificate that was never added is a no-op.
     */
    @Test
    public void testRemove() throws IOException, GeneralSecurityException,
            Exceptions.UnknownInput, Exceptions.InvalidKeystorePassword,
            Exceptions.UnableToSaveKeystore {
        final UpdateCertificates updater = new UpdateCertificates(ksPassword, ksFilename);
        updater.parseLine(REMOVE_CACERT);
        updater.writeKeyStore();

        // The keystore starts empty, so the alias must still be absent.
        final boolean present = updater.contains(ALIAS_CACERT);
        Assert.assertEquals(false, present);
    }

    /**
     * Try to add cert, write to disk, then open keystore again and remove.
*/ @Test public void testAddThenRemove() throws IOException, GeneralSecurityException, Exceptions.UnknownInput, Exceptions.InvalidKeystorePassword, Exceptions.UnableToSaveKeystore { UpdateCertificates ucAdd = new UpdateCertificates(this.ksPassword, this.ksFilename); ucAdd.parseLine(ADD_CACERT); ucAdd.writeKeyStore(); Assert.assertEquals(true, ucAdd.contains(ALIAS_CACERT)); UpdateCertificates ucRemove = new UpdateCertificates(this.ksPassword, this.ksFilename); ucRemove.parseLine(REMOVE_CACERT); ucRemove.writeKeyStore(); Assert.assertEquals(false, ucRemove.contains(ALIAS_CACERT)); } } ca-certificates-java-20130815ubuntu1/Exceptions.java0000664000000000000000000000350112203140325017113 0ustar /* * Copyright (C) 2012 Damien Raude-Morvan * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. * */ /** * Custom exceptions used by {@link UpdateCertificates} * * @author Damien Raude-Morvan */ public class Exceptions { /** * Data send in stdin is invalid (neither "+" or "-" command). */ public static class UnknownInput extends Exception { private static final long serialVersionUID = 5698253678856993527L; public UnknownInput(final String message) { super(message); } } /** * Unable to save keystore to provided location. 
*/ public static class UnableToSaveKeystore extends Exception { private static final long serialVersionUID = 3632154306237688490L; public UnableToSaveKeystore(final String message, final Exception e) { super(message, e); } } /** * Unable to open keystore from provided location (might be an invalid password * or IO error). */ public static class InvalidKeystorePassword extends Exception { private static final long serialVersionUID = 7004201816889107694L; public InvalidKeystorePassword(final String message, final Exception e) { super(message, e); } } } ca-certificates-java-20130815ubuntu1/UpdateCertificates.java0000664000000000000000000001662612203140325020556 0ustar /* * Copyright (C) 2011 Torsten Werner * Copyright (C) 2012 Damien Raude-Morvan * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
*
 */

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

/**
 * This code is a re-implementation of the idea from Ludwig Nussel found in
 * http://gitorious.org/opensuse/ca-certificates/blobs/master/keystore.java
 * for the Debian operating system. It updates the global JVM keystore.
 *
 * <p>Each input line is a command: {@code +<path>} adds or replaces the
 * certificate stored in that file, {@code -<path>} removes it. The keystore
 * alias is {@code "debian:"} followed by the file name of the path.
 *
 * @author Torsten Werner
 * @author Damien Raude-Morvan
 */
public class UpdateCertificates {

    // Keystore password; used both to load and to store the keystore.
    private char[] password = null;

    // Path of the keystore file that is read on construction and rewritten by writeKeyStore().
    private String ksFilename = null;

    // In-memory keystore that the add/remove commands operate on.
    private KeyStore ks = null;

    // X.509 factory used to parse certificate files.
    private CertificateFactory certFactory = null;

    /**
     * Command-line entry point: applies the changes read from standard input
     * to {@code /etc/ssl/certs/java/cacerts} and saves the result.
     *
     * <p>Accepts either no arguments (the password defaults to
     * {@code "changeit"}) or exactly {@code -storepass} followed by the
     * password. Any other non-empty argument list prints the usage line and
     * exits with status 1. A keystore that cannot be opened or saved prints
     * the stack trace to stderr and exits with status 1.
     *
     * <p>NOTE(review): a password supplied through {@code -storepass} is part
     * of the process command line, which on most systems other local users
     * can read while the JVM runs. With the well-known default password the
     * keystore's integrity check adds little, so the protection of the trust
     * store presumably rests on the file permissions of the keystore path;
     * confirm this when a private password is configured.
     *
     * @param args optional {@code -storepass} and its value
     * @throws IOException if reading standard input or the keystore fails
     * @throws GeneralSecurityException if a keystore operation fails
     */
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        String passwordString = "changeit";
        if (args.length == 2 && args[0].equals("-storepass")) {
            passwordString = args[1];
        } else if (args.length > 0) {
            System.err.println("Usage: java UpdateCertificates [-storepass ]");
            System.exit(1);
        }

        try {
            UpdateCertificates uc = new UpdateCertificates(passwordString, "/etc/ssl/certs/java/cacerts");
            // Decode stdin as UTF-8 regardless of the platform default charset,
            // so the certificate paths are read the same way in every locale.
            uc.processChanges(new InputStreamReader(System.in, "UTF8"));
            uc.writeKeyStore();
        } catch (Exceptions.InvalidKeystorePassword e) {
            e.printStackTrace(System.err);
            System.exit(1);
        } catch (Exceptions.UnableToSaveKeystore e) {
            e.printStackTrace(System.err);
            System.exit(1);
        }
    }

    /**
     * Opens the keystore at the given location with the given password and
     * prepares an X.509 certificate factory.
     *
     * @param passwordString keystore password
     * @param keystoreFile path of the keystore file
     * @throws IOException if the keystore file cannot be read
     * @throws GeneralSecurityException if the keystore type or the X.509
     *         factory is not available, or loading fails
     * @throws Exceptions.InvalidKeystorePassword if loading the keystore
     *         fails with an I/O error (see openKeyStore())
     */
    public UpdateCertificates(final String passwordString, final String keystoreFile) throws IOException, GeneralSecurityException, Exceptions.InvalidKeystorePassword {
        this.password = passwordString.toCharArray();
        this.ksFilename = keystoreFile;
        this.ks = openKeyStore();
        this.certFactory = CertificateFactory.getInstance("X.509");
    }

    /**
     * Try to open a existing keystore or create an new one.
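*/
    private KeyStore openKeyStore() throws GeneralSecurityException, IOException, Exceptions.InvalidKeystorePassword {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        File certInputFile = new File(this.ksFilename);
        FileInputStream certInputStream = null;
        // NOTE(review): canRead() is also false for a file that exists but is
        // not readable. load(null, ...) below then produces an empty keystore,
        // and a later writeKeyStore() targets the same path. Confirm that the
        // tool always runs with read access to an existing keystore.
        if (certInputFile.canRead()) {
            certInputStream = new FileInputStream(certInputFile);
        }
        try {
            // A null stream makes load() initialise a new, empty keystore.
            ks.load(certInputStream, this.password);
        } catch (IOException e) {
            throw new Exceptions.InvalidKeystorePassword("Cannot open Java keystore. Is the password correct?", e);
        } finally {
            // Close on every path; previously the stream stayed open when
            // load() failed (wrong password, corrupt file).
            if (certInputStream != null) {
                certInputStream.close();
            }
        }
        return ks;
    }

    /**
     * Until reader EOF, try to read changes and send each to {@link #parseLine(String)}.
     *
     * <p>Lines that {@code parseLine} rejects as unknown input are reported
     * on stderr and skipped; the remaining lines are still processed.
     *
     * @param reader source of the change lines, one command per line
     * @throws IOException if reading from {@code reader} fails
     * @throws GeneralSecurityException if a keystore operation fails
     */
    protected void processChanges(final Reader reader) throws IOException, GeneralSecurityException {
        BufferedReader bufferedStdinReader = new BufferedReader(reader);
        String line;
        while ((line = bufferedStdinReader.readLine()) != null) {
            try {
                parseLine(line);
            } catch (Exceptions.UnknownInput e) {
                System.err.println("Unknown input: " + line);
                // Keep processing the other lines.
            }
        }
    }

    /**
     * Parse given line to choose between {@link #addAlias(String, Certificate)}
     * or {@link #deleteAlias(String)}.
     *
     * <p>The first character is the command ({@code +} or {@code -}), the
     * rest is a path. The alias is {@code "debian:"} plus the part of the
     * path after the last {@code /}, so two paths that share a file name map
     * to the same alias and the later one replaces the earlier.
     *
     * @param line one change line
     * @throws GeneralSecurityException if a keystore operation fails
     * @throws IOException declared for callers; not thrown by the visible code
     * @throws Exceptions.UnknownInput if the line is empty or starts with
     *         neither {@code +} nor {@code -}
     */
    protected void parseLine(final String line) throws GeneralSecurityException, IOException, Exceptions.UnknownInput {
        assert this.ks != null;

        // An empty line used to fail in substring(1) with an unchecked
        // StringIndexOutOfBoundsException, which processChanges() does not
        // catch: one blank line aborted the run before the keystore was
        // written. Report it like any other unrecognised line instead.
        if (line.isEmpty()) {
            throw new Exceptions.UnknownInput(line);
        }

        String path = line.substring(1);
        String filename = path.substring(path.lastIndexOf("/") + 1);
        String alias = "debian:" + filename;
        if (line.startsWith("+")) {
            Certificate cert = loadCertificate(path);
            if (cert == null) {
                // loadCertificate() already printed a warning; skip this file.
                return;
            }
            addAlias(alias, cert);
        } else if (line.startsWith("-")) {
            deleteAlias(alias);
            // Remove old non-prefixed aliases, too. This code should be
            // removed after the release of Wheezy.
            deleteAlias(filename);
        } else {
            throw new Exceptions.UnknownInput(line);
        }
    }

    /**
     * Delete cert in keystore at given alias.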
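*/
    private void deleteAlias(final String alias) throws GeneralSecurityException {
        assert this.ks != null;
        // Removing an alias that is not present is a silent no-op.
        if (contains(alias)) {
            System.out.println("Removing " + alias);
            this.ks.deleteEntry(alias);
        }
    }

    /**
     * Add or replace existing cert in keystore with given alias.
     *
     * @param alias keystore alias to write
     * @param cert certificate to store under {@code alias}
     * @throws KeyStoreException if the keystore rejects the operation
     */
    private void addAlias(final String alias, final Certificate cert) throws KeyStoreException {
        assert this.ks != null;
        if (contains(alias)) {
            System.out.println("Replacing " + alias);
            this.ks.deleteEntry(alias);
        } else {
            System.out.println("Adding " + alias);
        }
        this.ks.setCertificateEntry(alias, cert);
    }

    /**
     * Returns true when alias exist in keystore.
     *
     * @param alias keystore alias to look up
     * @return whether the in-memory keystore has an entry for {@code alias}
     * @throws KeyStoreException if the keystore has not been loaded
     */
    protected boolean contains(String alias) throws KeyStoreException {
        assert this.ks != null;
        return this.ks.containsAlias(alias);
    }

    /**
     * Try to load a certificate instance from given path.
     *
     * <p>This is best-effort: any failure is reported as a warning on stderr
     * and does not stop the run.
     *
     * @param path file to read the X.509 certificate from
     * @return the parsed certificate, or {@code null} when the file could not
     *         be opened or parsed
     */
    private Certificate loadCertificate(final String path) {
        assert this.certFactory != null;
        Certificate cert = null;
        try {
            FileInputStream certFile = new FileInputStream(path);
            try {
                cert = this.certFactory.generateCertificate(certFile);
            } finally {
                // Close even when parsing fails; previously every unparsable
                // file left its descriptor open for the rest of the run.
                certFile.close();
            }
        } catch (Exception e) {
            // Deliberately broad: one unreadable or malformed file must not
            // abort the update of the remaining certificates.
            System.err.println("Warning: there was a problem reading the certificate file " + path + ". Message:\n " + e.getMessage());
        }
        return cert;
    }

    /**
     * Write actual keystore content to disk.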
*/ protected void writeKeyStore() throws GeneralSecurityException, Exceptions.UnableToSaveKeystore { assert this.ks != null; try { FileOutputStream certOutputFile = new FileOutputStream(this.ksFilename); this.ks.store(certOutputFile, this.password); certOutputFile.close(); } catch (IOException e) { throw new Exceptions.UnableToSaveKeystore("There was a problem saving the new Java keystore.", e); } } } ca-certificates-java-20130815ubuntu1/debian/0000775000000000000000000000000012312552064015362 5ustar ca-certificates-java-20130815ubuntu1/debian/control0000664000000000000000000000213712312552115016765 0ustar Source: ca-certificates-java Section: java Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian Java Maintainers Uploaders: Matthias Klose , Torsten Werner , Damien Raude-Morvan , James Page Build-Depends: debhelper (>= 6), default-jdk, javahelper, junit4 Standards-Version: 3.9.4 Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/ca-certificates-java Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/ca-certificates-java/ Package: ca-certificates-java Architecture: all Multi-Arch: foreign Depends: ca-certificates (>= 20121114), ${jre:Depends} | java6-runtime-headless, ${misc:Depends}, ${nss:Depends} # We need a versioned Depends due to multiarch changes (bug #635571). Description: Common CA certificates (JKS keystore) This package uses the hooks of the ca-certificates package to update the cacerts JKS keystore used for many java runtimes. ca-certificates-java-20130815ubuntu1/debian/changelog0000664000000000000000000002534612312552064017246 0ustar ca-certificates-java (20130815ubuntu1) trusty; urgency=medium * UpdatesCertificatesTest.java: Fix ftbfs by swapping out the no longer shipped cacert.org certificate with a Thawte one. (LP: #1258286) -- Marc Deslauriers Thu, 20 Mar 2014 07:41:31 -0400 ca-certificates-java (20130815) unstable; urgency=low * Acknowledge NMU done by Don Armstrong and Andreas Beckmann. 
* Fix tests to works with new cacert certificates names (Closes: #713138). * d/control: Use canonical value for Vcs-* fields. * d/control: Remove deprecated DMUA flag. * d/control: Bump Standards-Version to 3.9.4 (no changes needed). -- Damien Raude-Morvan Thu, 15 Aug 2013 13:52:46 +0200 ca-certificates-java (20121112+nmu2) unstable; urgency=medium * Non-maintainer upload. * postinst, jks-keystore.hook: Do not fail if nss.cfg does not (yet) exist, i.e. if openjdk-?-jre-headless is unpacked but not yet configured. (Closes: #694888) * Set urgency to medium for RC bugfix. -- Andreas Beckmann Sun, 27 Jan 2013 14:19:41 +0100 ca-certificates-java (20121112+nmu1) unstable; urgency=low * Non-maintainer upload * Fix test for dpkg-query in postinst; there was an extraneous --version here. [Probably don't even need to bother to check for dpkg-query, but why not.] (Closes: #690204) * Library path for softokn3pkg and nsspkg is potentially wrong if there are multiple different paths; fix it. * Do not run the hook if ca-certificates-java has been removed but not purged. * Use the new trigger support provided by ca-certificates (>=20121114). -- Don Armstrong Mon, 12 Nov 2012 15:45:50 -0800 ca-certificates-java (20120721) unstable; urgency=low * Fix jks-keystore and postinst to work on multi-arch system. Use dpkg-query -L package:arch. (Closes: #680618). * As libnss3-1d is a transitional package on both Debian and Ubuntu, upgrade Depends to use libnss3. -- Damien Raude-Morvan Sat, 21 Jul 2012 01:06:32 +0200 ca-certificates-java (20120608) unstable; urgency=low [ James Page ] * Switch primary JRE dependency from openjdk-6 to openjdk-7 to support demotion of openjdk-6 to universe in Ubuntu: - d/control, rules: Generate primary JRE dependency at build time to allow differentiation between Ubuntu and Debian. * Added myself to uploaders. [ Damien Raude-Morvan ] * Update to unstable. * Set DMUA flag for James Page. 
-- James Page Fri, 08 Jun 2012 09:44:58 +0100 ca-certificates-java (20120603) unstable; urgency=low * Use javahelper as buildsystem: - d/control: Add Build-Depends on javahelper. - d/rules: Use jh_build to call javac. * Create a testsuite for this package: - Refactor UpdateCertificates code to send exceptions instead of System.exit(1). - New testsuite: UpdateCertificatesTest. - d/control: Build-Depends on junit4. - d/rules: Launch junit after build and handle "nocheck" option in DEB_BUILD_OPTIONS. -- Damien Raude-Morvan Sun, 03 Jun 2012 12:10:26 +0200 ca-certificates-java (20120524) unstable; urgency=low [ Marc Deslauriers ] * debian/preinst, debian/postinst: remove the 20110912ubuntu1 work-around since it is no longer needed. * debian/postinst: don't put a symlink in / if jvm doesn't contain nss configuration. (Closes: #665754, #665749). * debian/postinst: force migration to new alias names again. The migration was supposed to occur on upgrades to Oneiric, but failed because of an NSS error. * debian/postinst: forcibly remove diginotar cert. It could be left behind under certain circumstances. (LP: #920758) * debian/postinst: also look for jvm in multiarch locations (LP: #962378) * debian/postinst: retrigger first_install to properly get cert store. [ James Page ] * d/rules: Ensure java is built with source/target == 1.6 for backwards compatibility with openjdk-6. [ Damien Raude-Morvan ] * Sync handling of nss.cfg between debian/jks-keystore.hook.in and debian/postinst.in. * Merge changes from Ubuntu (Thanks to James Page and Marc Deslauriers). 
* Improve handling of certificate with UTF-8 filenames: - UpdateCertificates: Force read System.in with UTF-8 - debian/postinst: Set LC_CTYPE to C.UTF-8 -- Damien Raude-Morvan Tue, 22 May 2012 23:41:41 +0200 ca-certificates-java (20120225) unstable; urgency=low [ Steve Langasek ] * debian/jks-keystore.hook: If we *don't* find libnss3 / libnss3-1d, don't remove files from the filesystem in do_cleanup(), since this has a nasty tendency of nuking system libraries. LP: #855171. * debian/preinst, debian/postinst: when upgrading from version 20110912ubuntu1, disable the buggy hook script early to prevent it from being run before our new version is configured; and re-enable the script in the postinst. LP: #855246. [ Matthias Klose ] * Mark as Multi-Arch: foreign. * Adjust the libnss3-1d versioned dependency. [ Damien Raude-Morvan ] * Add myself to Uploaders. * Use dh_gencontrol and dpkg-vendor to allow: - New substvar ${nss:Depends} for libnss3-1d versionning. - New @NSS_LIB@ parameter for debian/*.in files. * Bump Standards-Version to 3.9.3: - Add recommended build-arch / build-indep targets. -- Damien Raude-Morvan Sat, 25 Feb 2012 15:06:32 +0100 ca-certificates-java (20111223) unstable; urgency=low * Support new multiarch JRE packages in postinst. -- Torsten Werner Fri, 23 Dec 2011 13:46:15 +0100 ca-certificates-java (20110912) unstable; urgency=low * Support new multiarch JRE packages in jks-keystore. (Closes: #641306) * Support OpenJDK 7. (Closes: #641305) -- Torsten Werner Mon, 12 Sep 2011 21:23:22 +0200 ca-certificates-java (20110816) unstable; urgency=low * Upgrade Recommends: libnss3-1d to a versioned Depends due to multiarch changes. (Closes: #635571) * Use the locale C.UTF-8 for the hook script to be more robust. -- Torsten Werner Tue, 16 Aug 2011 11:00:33 +0200 ca-certificates-java (20110531) unstable; urgency=low * Prepare for multiarch libnss3 update. 
-- Matthias Klose Tue, 31 May 2011 15:20:52 +0200 ca-certificates-java (20110426) unstable; urgency=low * Test for existing file in postinst before copying it. (Closes: #624152) * Add Vcs headers to debian/control. -- Torsten Werner Tue, 26 Apr 2011 09:23:03 +0200 ca-certificates-java (20110425) unstable; urgency=low * Add Java code to update the keystore and support UTF-8 encoded filenames. (Closes: #607245, #623671) * Change Maintainer to Debian Java Maintainers and add myself to Uploaders. * Update Build-Depends. * Replace old inconsistent keystore aliases. (Closes: #623888) * Add support for openjdk-7 and remove support for old cacao VM. * Add a NEWS file explaining the update. * Update README.Debian. -- Torsten Werner Mon, 25 Apr 2011 15:28:55 +0200 ca-certificates-java (20100412) unstable; urgency=low * Upload to unstable. -- Matthias Klose Mon, 12 Apr 2010 03:15:47 +0200 ca-certificates-java (20100406ubuntu1) lucid; urgency=low * Make the installation and import of certificates more robust, if the NSS based security provider is disabled or not built. -- Matthias Klose Sun, 11 Apr 2010 20:54:43 +0200 ca-certificates-java (20100406) unstable; urgency=low * Explicitely fail the installation, if /proc is not mounted. Currently required by the java tools, changed in OpenJDK7. Closes: #576453. LP: #556044. * Print name of JVM in case of errors. * Set priority to optional, set section to java. Closes: #566855. * Remove /etc/ssl/certs on package purge, if empty. Closes: #566853. -- Matthias Klose Tue, 06 Apr 2010 21:41:39 +0200 ca-certificates-java (20091021) unstable; urgency=low * Clarify output for keytool errors (although it shouldnn't be necessary anymore). Closes: #540490. -- Matthias Klose Wed, 21 Oct 2009 22:00:53 +0200 ca-certificates-java (20090928) karmic; urgency=low * Rebuild with OpenJDK supporting PKCS11 cryptography, rebuild with ca-certificates 20090814. 
-- Matthias Klose Mon, 28 Sep 2009 16:47:09 +0200 ca-certificates-java (20090629) unstable; urgency=low * debian/rules, debian/postinst, debian/jks-keystore.hook: Filter out SHA384withECDSA certificates since keytool won't support them. LP: #392104, closes: #534520. * Fix typo in hook. Closes: #534533. * Use java6-runtime-headless as alternative dependency. Closes: #512293. -- Matthias Klose Mon, 29 Jun 2009 11:27:59 +0200 ca-certificates-java (20081028) unstable; urgency=low * Ignore LANG and LC_ALL setting when running keytool. LP: #289934. -- Matthias Klose Tue, 28 Oct 2008 07:20:16 +0100 ca-certificates-java (20081027) unstable; urgency=medium * Merge from Ubuntu: - Don't try to import certificates, which are listed in /etc/ca-certificates.conf, but not available on the system. Just warn about those. LP: #289091. - Need to run keytool, when the jre is unpacked, but not yet configured. Create a temporary jvm.cfg for the time in that postinst and the jks-keystore.hook are run, and remove it afterwards. LP: #289199. -- Matthias Klose Mon, 27 Oct 2008 13:58:14 +0100 ca-certificates-java (20081024) unstable; urgency=low * Install /etc/default/cacerts with mode 600. -- Matthias Klose Fri, 24 Oct 2008 15:10:48 +0200 ca-certificates-java (20081022) unstable; urgency=low * debian/jks-keystore.hook: - Don't stop after first error during the update. LP: #244412. Closes: #489748. - Call keytool with -noprompt. * On initial install, add locally added certificates. LP: #244410. Closes: #489748. * Install /etc/default/cacerts to set options: - storepass, holding the password for the keystore. - updates, to enable/disable updates of the keystore. * Only use the keytool command from OpenJDK or Sun Java. Closes: #496587. -- Matthias Klose Wed, 22 Oct 2008 20:51:24 +0200 ca-certificates-java (20080712) unstable; urgency=low * Upload to main. 
-- Matthias Klose Sat, 12 Jul 2008 12:19:00 +0200 ca-certificates-java (20080711) unstable; urgency=low * debian/jks-keystore.hook: Fix typo. Closes: #489747, LP: #244408. -- Matthias Klose Fri, 11 Jul 2008 20:38:04 +0200 ca-certificates-java (20080514) unstable; urgency=low * Initial release. -- Matthias Klose Mon, 02 Jun 2008 14:52:46 +0000 ca-certificates-java-20130815ubuntu1/debian/source/0000775000000000000000000000000012203146063016657 5ustar ca-certificates-java-20130815ubuntu1/debian/source/format0000664000000000000000000000001512203140325020061 0ustar 3.0 (native) ca-certificates-java-20130815ubuntu1/debian/compat0000664000000000000000000000000212203140325016550 0ustar 6 ca-certificates-java-20130815ubuntu1/debian/default0000664000000000000000000000060012203140325016715 0ustar # defaults for ca-certificates-java # The password which is used to protect the integrity of the keystore. # storepass must be at least 6 characters long. It must be provided to # all commands that access the keystore contents. # Only change this if adding private certificates. #storepass='' # enable/disable updates of the keystore /etc/ssl/certs/java/cacerts cacerts_updates=yes ca-certificates-java-20130815ubuntu1/debian/jks-keystore.hook.in0000664000000000000000000000443412203140715021303 0ustar #!/bin/sh set -e # use the locale C.UTF-8 unset LC_ALL LC_CTYPE=C.UTF-8 export LC_CTYPE storepass='changeit' if [ -f /etc/default/cacerts ]; then . /etc/default/cacerts fi arch=`dpkg --print-architecture` JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar nsslib_name() { if dpkg --assert-multi-arch 2>/dev/null; then echo "@NSS_LIB@:${arch}" else echo "@NSS_LIB@" fi } echo "" if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ] || [ ! -e $JAR ]; then echo "updates of cacerts keystore disabled." exit 0 fi if ! mountpoint -q /proc; then echo >&2 "the keytool command requires a mounted proc fs (/proc)." 
exit 1 fi for jvm in java-6-openjdk-$arch java-6-openjdk \ java-7-openjdk-$arch java-7-openjdk java-6-sun; do if [ -x /usr/lib/jvm/$jvm/bin/java ]; then break fi done export JAVA_HOME=/usr/lib/jvm/$jvm PATH=$JAVA_HOME/bin:$PATH temp_jvm_cfg= if [ ! -f /etc/${jvm%-$arch}/jvm-$arch.cfg ]; then # the jre is not yet configured, but jvm.cfg is needed to run it temp_jvm_cfg=/etc/${jvm%-$arch}/jvm-$arch.cfg mkdir -p /etc/${jvm%-$arch} printf -- "-server KNOWN\n" > $temp_jvm_cfg fi if dpkg-query --version >/dev/null; then nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1) nsscfg=/etc/${jvm%-$arch}/security/nss.cfg nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' $nsscfg) if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so fi softokn3pkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libsoftokn3\.so$,\1,p'|head -n 1) if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] && [ "$softokn3pkg" != "$nssjdk" ]; then ln -sf $softokn3pkg/libsoftokn3.so $nssjdk/libsoftokn3.so fi fi do_cleanup() { [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ] then rm -f $nssjdk/libnss3.so fi if [ -n "$softokn3pkg" ] && [ -n "$nssjdk" ] \ && [ "$softokn3pkg" != "$nssjdk" ] then rm -f $nssjdk/libsoftokn3.so fi } if java -jar $JAR -storepass "$storepass"; then do_cleanup else do_cleanup exit 1 fi echo "done." ca-certificates-java-20130815ubuntu1/debian/NEWS0000664000000000000000000000060412203140325016051 0ustar ca-certificates-java (20110425) unstable; urgency=low The package will add a prefix 'debian:' to the aliases in the keystore from now on. Old entries will be removed during the update but other local changes will be kept. A backup of the old keystore can be found in /etc/ssl/certs/java/cacerts.dpkg-old. 
-- Torsten Werner Mon, 25 Apr 2011 15:18:22 +0200 ca-certificates-java-20130815ubuntu1/debian/copyright0000664000000000000000000000073112203140325017306 0ustar This package was debianized by Matthias Klose on Mon, 02 Jun 2008 14:52:46 +0000. Authors: Matthias Klose Torsten Werner Copyright: Copyright (C) 2008 Canonical Ltd Copyright (C) 2011 Torsten Werner License: The Debian package is (C) 2008, Canonical Ltd and (C) 2011, Torsten Werner and is licensed under the GPL, see `/usr/share/common-licenses/GPL'. ca-certificates-java-20130815ubuntu1/debian/postrm0000664000000000000000000000055312203140325016624 0ustar #!/bin/sh set -e case "$1" in purge) rm -f /etc/ca-certificates/update.d/jks-keystore rm -rf /etc/ssl/certs/java rmdir /etc/ssl/certs 2>/dev/null || true ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;; *) echo "postrm called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 ca-certificates-java-20130815ubuntu1/debian/README.Debian0000664000000000000000000000122212203140325017410 0ustar ca-certificates-java for Debian ------------------------------- This package uses the hooks of the ca-certificates package to update the JKS keystore /etc/ssl/certs/java/cacerts used for many java runtimes. The alias used to store the certificate is the basename prefixed with 'debian:'. It will import all *.pem files found in /etc/ssl/certs during its first installation. ca-certificates-java doesn't automagically handle local certificates, although these are not overwritten on updates. A full re-import can be triggered with the command 'update-ca-certificates -f' if needed. 
-- Torsten Werner Mon, 25 Apr 2011 15:18:22 +0200 ca-certificates-java-20130815ubuntu1/debian/ca-certificates-java.triggers0000664000000000000000000000004012050325212023061 0ustar activate update-ca-certificates ca-certificates-java-20130815ubuntu1/debian/postinst.in0000664000000000000000000000600012203140723017563 0ustar #!/bin/bash set -e # use the locale C.UTF-8 unset LC_ALL LC_CTYPE=C.UTF-8 export LC_CTYPE storepass='changeit' if [ -f /etc/default/cacerts ]; then . /etc/default/cacerts fi arch=`dpkg --print-architecture` JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar nsslib_name() { if dpkg --assert-multi-arch 2>/dev/null; then echo "@NSS_LIB@:${arch}" else echo "@NSS_LIB@" fi } setup_path() { for jvm in java-6-openjdk-$arch java-6-openjdk \ java-7-openjdk-$arch java-7-openjdk java-6-sun; do if [ -x /usr/lib/jvm/$jvm/bin/java ]; then break fi done export JAVA_HOME=/usr/lib/jvm/$jvm PATH=$JAVA_HOME/bin:$PATH } first_install() { if which dpkg-query >/dev/null; then nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1) nsscfg=/etc/${jvm%-$arch}/security/nss.cfg nssjdk=$(test ! -f $nsscfg || sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' $nsscfg) if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then ln -sf $nsspkg/libnss3.so $nssjdk/libnss3.so fi fi # Forcibly remove diginotar cert (LP: #920758) if [ -n "$FIXOLD" ]; then echo -e "-diginotar_root_ca\n-diginotar_root_ca_pem" | \ java -jar $JAR -storepass "$storepass" fi find /etc/ssl/certs -name \*.pem | \ while read filename; do alias=$(basename $filename .pem | tr A-Z a-z | tr -cs a-z0-9 _) alias=${alias%*_} if [ -n "$FIXOLD" ]; then echo "-${alias}" echo "-${alias}_pem" fi echo "+${filename}" done | \ java -jar $JAR -storepass "$storepass" echo "done." 
} do_cleanup() { [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ] then rm -f $nssjdk/libnss3.so fi } case "$1" in configure) if dpkg --compare-versions "$2" lt "20110912ubuntu6"; then FIXOLD="true" if [ -e /etc/ssl/certs/java/cacerts ]; then cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old fi fi if [ -z "$2" -o -n "$FIXOLD" ]; then setup_path if ! mountpoint -q /proc; then echo >&2 "the keytool command requires a mounted proc fs (/proc)." exit 1 fi temp_jvm_cfg= if [ ! -f /etc/${jvm%-$arch}/jvm-$arch.cfg ]; then # the jre is not yet configured, but jvm.cfg is needed to run it temp_jvm_cfg=/etc/${jvm%-$arch}/jvm-$arch.cfg mkdir -p /etc/${jvm%-$arch} printf -- "-server KNOWN\n" > $temp_jvm_cfg fi if first_install; then do_cleanup else do_cleanup exit 1 fi fi chmod 600 /etc/default/cacerts || true ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 ca-certificates-java-20130815ubuntu1/debian/rules0000775000000000000000000000423712203140325016440 0ustar #!/usr/bin/make -f # -*- makefile -*- # Uncomment this to turn on verbose mode. 
#export DH_VERBOSE=1

# Dependency substitution variables handed to dh_gencontrol, chosen by whether
# the build vendor derives from Ubuntu. nss_lib is the value substituted for
# @NSS_LIB@ in the debian/*.in templates by the install target.
ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)
  SUBSTVARS = -Vnss:Depends="libnss3 (>= 3.12.9+ckbi-1.82-0ubuntu3~)" \
	-Vjre:Depends="openjdk-7-jre-headless (>= 7~u3-2.1.1~pre1-1)"
  nss_lib = libnss3
else
  SUBSTVARS = -Vnss:Depends="libnss3 (>= 3.12.10-2~)" \
	-Vjre:Depends="openjdk-6-jre-headless (>= 6b16-1.6.1-2)"
  nss_lib = libnss3
endif

JAVA_HOME := /usr/lib/jvm/default-java
export JAVA_HOME

# Options for jh_build: no javadoc, UpdateCertificates as the jar's main
# class, Java 1.6 source and target level.
OPTS := --no-javadoc --main=UpdateCertificates --javacopts="-source 1.6 -target 1.6"

CLASSPATH := /usr/share/java/junit4.jar
export CLASSPATH

# "yes" unless DEB_BUILD_OPTIONS contains "nocheck"; gates the JUnit run below.
do_junit = $(if $(findstring nocheck,$(DEB_BUILD_OPTIONS)),,yes)

# Package build directory.
d = debian/ca-certificates-java

build-arch: build
build-indep: build
build: build-stamp
# Build the jar from the sources in the current directory and, when do_junit
# is "yes", run UpdateCertificatesTest against it.
build-stamp:
	dh_testdir
	jh_build $(OPTS) ca-certificates-java.jar .
ifeq ($(do_junit),yes)
	$(JAVA_HOME)/bin/java -cp /usr/share/java/junit4.jar:./ca-certificates-java.jar \
		org.junit.runner.JUnitCore \
		UpdateCertificatesTest
endif
	touch $@

# Remove build products, including every file generated from a debian/*.in
# template.
clean:
	dh_testdir
	dh_testroot
	jh_build --clean
	$(RM) build-stamp
	dh_clean
	for f in debian/*.in; do \
		f2=$$(echo $$f | sed ';s/\.in$$//'); \
		rm -f $$f2; \
	done

# Generate the maintainer scripts from their .in templates (replacing
# @NSS_LIB@ with $(nss_lib)) and stage the hook, the defaults file and the jar.
# The defaults file is staged with mode 600.
# NOTE(review): dh_fixperms runs later in binary-indep and may normalise that
# mode; the postinst's "chmod 600 /etc/default/cacerts" looks like the step
# that re-applies it on the installed system. Confirm against the built .deb.
install: build
	dh_testdir
	dh_testroot
	dh_prep
	dh_installdirs \
		usr/share/ca-certificates-java \
		etc/default \
		etc/ssl/certs/java \
		etc/ca-certificates/update.d
	for f in debian/*.in; do \
		f2=$$(echo $$f | sed 's/\.in$$//'); \
		sed -e 's/@NSS_LIB@/$(nss_lib)/g' \
			$$f > $$f2; \
	done
	install -m755 debian/jks-keystore.hook \
		$(d)/etc/ca-certificates/update.d/jks-keystore
	install -m600 debian/default \
		$(d)/etc/default/cacerts
	dh_install ca-certificates-java.jar /usr/share/ca-certificates-java/

# Build architecture-independent files here.
binary-indep: build install
	dh_testdir
	dh_testroot
	dh_installchangelogs
	dh_installdocs
	dh_compress
	dh_fixperms
	dh_installdeb
	dh_gencontrol -- $(SUBSTVARS)
	dh_md5sums
	dh_builddeb

# Build architecture-dependent files here.
binary-arch: build install
# We have nothing to do by default.

binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary install