Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.

[Ludovic Courtès]

Ricardo Wurmus <address@hidden> skribis:

> From: Ricardo Wurmus <address@hidden>
>
> * gnu/packages/java.scm (icedtea-6)[arguments]: Add phase
> "install-keystore".
> [native-inputs]: Add nss-certs and openssl.

[...]

> +         (add-after 'install 'install-keystore
> +           (lambda* (#:key inputs outputs #:allow-other-keys)

Could you add a comment to explain what’s going on here?

Too bad IceTea’s build system doesn’t take care of that.

> +             (let* ((keystore  "cacerts")
> +                    (certs-dir (string-append (assoc-ref inputs "nss-certs")
> +                                              "/etc/ssl/certs"))
> +                    (keytool   (string-append (assoc-ref outputs "jdk")
> +                                              "/bin/keytool"))
> +                    (openssl   (which "openssl"))
> +                    (recent    (date->time-utc (string->date "2016-1-1"
> +                                                             "~Y-~m-~d"))))
> +               (define (valid? cert)
> +                 (let* ((port (open-pipe* OPEN_READ openssl
> +                                          "x509" "-enddate" "-in" cert 
> "-noout"))
> +                        (str  (read-line port))
> +                        (end  (begin (close-pipe port)
> +                                     ;; TODO: use match?
> +                                     (cadr (string-split str #\=)))))

Why not use ‘match’, indeed.  :-)  No big deal though.

> +                   (time>? (date->time-utc
> +                            (string->date end "~b ~d ~H:~M:~S ~Y")) recent)))
> +
> +               (define (import-cert cert)
> +                 (format #t "Importing certificate ~a\n" (basename cert))
> +                 (let* ((port (open-pipe* OPEN_WRITE keytool
> +                                          "-import"
> +                                          "-alias" (basename cert)
> +                                          "-keystore" keystore
> +                                          "-storepass" "changeit"
> +                                          "-file" cert)))
> +                   (display "yes\n" port)
> +                   (when (not (eqv? 0 (status:exit-val (close-pipe port))))

Maybe (zero? (status:exit-val …)).

> +                     (format (current-error-port)
> +                             "Failed to import certificate.\n"))))

Rather (error "failed to import" cert) so the process stops here.

> +               ;; This is necessary because the certificate directory 
> contains
> +               ;; files with non-ASCII characters in their names.
> +               (setlocale LC_ALL "en_US.utf8")
> +               (setenv "LC_ALL" "en_US.utf8")
> +
> +               (for-each import-cert
> +                         (filter valid? (find-files certs-dir "\\.pem$")))

Why do we need to filter out invalid certificates?

The problem I see is that the result of ‘valid?’, and thus the output of
the build process, depends on the build time, which isn’t great.

I would prefer to unconditionally install all the certificates if that
doesn’t cause any problems.  WDYT?

Thank you for working on it!

Ludo’.