Commit 55ef7dad authored by Florian Klink's avatar Florian Klink

buildMavenPackage: use generate-cacerts.pl to populate trust store

In some cases, NIX_SSL_CERT_FILE may point to a variation of cacerts;
see https://github.com/NixOS/nixpkgs/issues/435467 for examples.

`keytool` is not happy with all certs in there, and requires some
special care.

Re-use the tooling we have to populate openjdk 8 with its
trust store, instead of our naïve approach.

The nixpkgs linter doesn't allow us to simply refer to the .pl file from
inside the openjdk directory, and re-exposing it only from the openjdk8
derivation as a passthru is also a bit annoying.

As suggested in PR review, expose the perl script via pkgs and use it
both for build-maven-package and the openjdk8 build.

Fixes #435467.
parent 8a1999ec
+5 −0
{
  writers,
}:

writers.writePerl "jre-generate-cacerts" { } ./generate-cacerts.pl
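Review bot: The new wrapper carries no comment describing its calling convention, which both call sites in this commit rely on. From those call sites it is invoked as `jre-generate-cacerts <keytool-binary> <pem-bundle>`, and the openjdk8 side (`cd .../security; rm cacerts; ${jre-generate-cacerts} ...`) suggests it writes the resulting `cacerts` store into the current working directory — worth confirming against the script and stating above the `writePerl` line, e.g. `# Usage: jre-generate-cacerts <keytool> <pem-bundle>; writes ./cacerts (trust store, password "changeit")`. If generate-cacerts.pl needs any non-core Perl modules, the empty `{ }` attribute set is where the writer expects them to be declared; the file does not show whether it does.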
+6 −4
@@ -2,7 +2,9 @@
  lib,
  stdenv,
  jdk,
  jre-generate-cacerts,
  maven,
  perl,
  writers,
}:

@@ -60,10 +62,10 @@ let

        # handle cacert by populating a trust store on the fly
        if [[ -n "''${NIX_SSL_CERT_FILE-}" ]] && [[ "''${NIX_SSL_CERT_FILE-}" != "/no-cert-file.crt" ]];then
          keyStoreFile="$(mktemp -d)/keystore"
          keyStorePwd="$(head -c10 /dev/random | base32)"
          echo y | ${jdk}/bin/keytool -importcert -file "$NIX_SSL_CERT_FILE" -alias alias -keystore "$keyStoreFile" -storepass "$keyStorePwd"
          MAVEN_EXTRA_ARGS="$MAVEN_EXTRA_ARGS -Djavax.net.ssl.trustStore=$keyStoreFile -Djavax.net.ssl.trustStorePassword=$keyStorePwd"
          echo "using ''${NIX_SSL_CERT_FILE-} as trust store"
          ${jre-generate-cacerts} ${jdk}/lib/openjdk/bin/keytool $NIX_SSL_CERT_FILE

          MAVEN_EXTRA_ARGS="$MAVEN_EXTRA_ARGS -Djavax.net.ssl.trustStore=cacerts -Djavax.net.ssl.trustStorePassword=changeit"
        fi
      ''
      + lib.optionalString buildOffline ''
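Review bot: `$NIX_SSL_CERT_FILE` is passed unquoted on the new `${jre-generate-cacerts}` line, whereas the removed keytool invocation quoted it, so a path containing whitespace would be word-split; use `${jre-generate-cacerts} ${jdk}/lib/openjdk/bin/keytool "$NIX_SSL_CERT_FILE"`. The new `-Djavax.net.ssl.trustStore=cacerts` is also a relative path resolved against the JVM's working directory when maven starts, while the old code used an absolute mktemp location; judging from the openjdk8 hunk the script writes `cacerts` into the current directory, so the store is only found if maven runs from the same directory and it may also end up inside the source tree. Anchoring it, e.g. `-Djavax.net.ssl.trustStore=$PWD/cacerts`, or generating it in a mktemp directory as before, would restore the old robustness. The enclosing shell snippet and its `let` binding start before this hunk.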
+2 −4
@@ -20,7 +20,6 @@
  file,
  which,
  zip,
  perl,
  zlib,
  cups,
  freetype,
@@ -48,6 +47,7 @@

  liberation_ttf,
  cacert,
  jre-generate-cacerts,

  nixpkgs-openjdk-updater,

@@ -255,8 +255,6 @@ stdenv.mkDerivation (finalAttrs: {
  ]
  ++ lib.optionals (!atLeast11) [
    lndir
    # Certificates generated using perl in `installPhase`
    perl
  ]
  ++ lib.optionals (!atLeast11 && !stdenv.buildPlatform.canExecute stdenv.hostPlatform) [
    # Certificates generated using keytool in `installPhase`
@@ -555,7 +553,7 @@ stdenv.mkDerivation (finalAttrs: {
    + ''
      cd $jre/lib/openjdk/jre/lib/security
      rm cacerts
      perl ${./8/generate-cacerts.pl} ${
      ${jre-generate-cacerts} ${
        if stdenv.buildPlatform.canExecute stdenv.hostPlatform then
          "$jre/lib/openjdk/jre/bin/keytool"
        else