openjdk: Introduce JAVAX_NET_SSL_TRUSTSTORE env

This small patch makes it possible to control Java's truststore path through
the environment. This lets you add (system- or session-wide) CAs that should
be allowed by Java. Java users can still use -Djavax.net.ssl.truststore to
override the truststore set by JAVAX_NET_SSL_TRUSTSTORE.

Something like this can be used to build the truststore (in this example just
using the standard pkgs.cacert CA-bundle):

{
  # Build a JKS truststore from the standard CA bundle and export its path
  # so every JVM on the system picks it up through JAVAX_NET_SSL_TRUSTSTORE.
  environment.variables.JAVAX_NET_SSL_TRUSTSTORE = "${
    pkgs.runCommand "cacerts" {} ''
      ${pkgs.perl}/bin/perl \
        ${pkgs.path}/pkgs/development/compilers/openjdk/generate-cacerts.pl \
        ${pkgs.jre}/bin/keytool \
        ${pkgs.cacert}/etc/ca-bundle.crt
      # generate-cacerts.pl writes "cacerts" into the working directory
      mv cacerts $out
    ''
  }";
}

Ideally, the dependency on pkgs.cacert should also be removed from pkgs.openjdk
to avoid rebuilding java each time the standard CA-bundle changes. Something
along the lines of the example above must then be added to NixOS (however, it
would be nice to not depend on ${pkgs.jre}/bin/keytool to generate that
environment variable).
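As an added example (not part of this commit or of nixpkgs): a POSIX shell helper that mirrors the lookup order the patch gives TrustManagerFactoryImpl (JVM property, then JAVAX_NET_SSL_TRUSTSTORE, then the JDK's own jssecacerts/cacerts, with "NONE" disabling the file lookup in either of the first two) and then audits the store that order selects, since an environment-supplied trust path is only as trustworthy as the file it points at. It assumes option values contain no spaces and that the default store lives under $JAVA_HOME/lib/security as in OpenJDK 7; the JAVA_HOME argument is a hypothetical input.

```shell
#!/bin/sh
# Added example, not code from the nixpkgs commit.
# Lookup order after the patch:
#   1. -Djavax.net.ssl.trustStore=...  (last -D wins; "NONE" disables file lookup)
#   2. $JAVAX_NET_SSL_TRUSTSTORE       (same "NONE" semantics)
#   3. ${java.home}/lib/security/jssecacerts, then cacerts
# $1 = JVM option string (e.g. "$JAVA_TOOL_OPTIONS"), $2 = JAVAX_NET_SSL_TRUSTSTORE
# value ("" when unset), $3 = JAVA_HOME (hypothetical, only for the fallback).
resolve_truststore() {
    opts=$1; envstore=$2; jhome=$3
    # assumption: option values contain no spaces, so splitting on blanks is safe
    prop=$(printf '%s\n' "$opts" | tr ' ' '\n' \
           | sed -n 's/^-Djavax\.net\.ssl\.trustStore=//p' | tail -n 1)
    if [ -n "$prop" ]; then
        store=$prop
    elif [ -n "$envstore" ]; then
        store=$envstore
    elif [ -f "$jhome/lib/security/jssecacerts" ]; then
        store="$jhome/lib/security/jssecacerts"
    else
        store="$jhome/lib/security/cacerts"
    fi
    printf '%s\n' "$store"
}

# Refuse a store that an unprivileged user could replace: a symlink, or a
# file writable by group/other, lets whoever controls it inject trust anchors.
# A /nix/store path passes (regular, read-only file); a world-writable
# /tmp/cacerts does not. Returns 0 when the store is acceptable.
audit_truststore() {
    store=$1
    [ "$store" = "NONE" ] && { echo "file lookup disabled (NONE)"; return 0; }
    [ -f "$store" ] || { echo "missing: $store"; return 1; }
    [ -L "$store" ] && { echo "symlink, refusing: $store"; return 1; }
    if [ -n "$(find "$store" \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "group/world writable, refusing: $store"; return 1
    fi
    echo "ok: $store"
}

# Usage: audit the store a JVM would actually load in this shell session.
# audit_truststore "$(resolve_truststore "$JAVA_TOOL_OPTIONS" \
#                     "${JAVAX_NET_SSL_TRUSTSTORE:-}" "$JAVA_HOME")"
```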

+27 -1
+6 -1
pkgs/development/compilers/openjdk/default.nix
··· 61 61 makeFlagsArray+=(CUPS_HEADERS_PATH=$cupsDir) 62 62 ''; 63 63 64 - patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ./paxctl.patch ]; 64 + patches = [ 65 + ./cppflags-include-fix.patch 66 + ./fix-java-home.patch 67 + ./paxctl.patch 68 + ./read-truststore-from-env.patch 69 + ]; 65 70 66 71 NIX_NO_SELF_RPATH = true; 67 72
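Review bot: a one-line comment next to ./read-truststore-from-env.patch in the patches list would help readers, since the file name alone does not say that this JDK's trust lookup order now diverges from upstream (it consults JAVAX_NET_SSL_TRUSTSTORE before jssecacerts/cacerts), and anyone debugging certificate failures on NixOS will look here first.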
+21
pkgs/development/compilers/openjdk/read-truststore-from-env.patch
··· 1 + diff -ur openjdk-7u65-b32/jdk/src/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java openjdk-7u65-b32.new/jdk/src/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java 2 + --- openjdk-7u65-b32/jdk/src/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java 2014-07-17 12:12:14.000000000 +0200 3 + +++ openjdk-7u65-b32.new/jdk/src/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java 2014-12-09 13:31:27.821960372 +0100 4 + @@ -158,6 +158,7 @@ 5 + /* 6 + * Try: 7 + * javax.net.ssl.trustStore (if this variable exists, stop) 8 + + * system environment variable JAVAX_NET_SSL_TRUSTSTORE 9 + * jssecacerts 10 + * cacerts 11 + * 12 + @@ -165,6 +166,9 @@ 13 + */ 14 + 15 + storeFileName = props.get("trustStore"); 16 + + if (storeFileName == null) { 17 + + storeFileName = System.getenv("JAVAX_NET_SSL_TRUSTSTORE"); 18 + + } 19 + if (!"NONE".equals(storeFileName)) { 20 + if (storeFileName != null) { 21 + storeFile = new File(storeFileName);
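Review bot: the new comment line "system environment variable JAVAX_NET_SSL_TRUSTSTORE" should carry the same "(if this variable exists, stop)" qualifier as the line above it, because the code does exactly that: once storeFileName is taken from the environment, execution goes straight to the existing `if (!"NONE".equals(storeFileName))` check and never falls through to jssecacerts or cacerts, and a value of NONE disables the file lookup just as it does for the property. Two further points: System.getenv can throw SecurityException under a SecurityManager that does not grant the corresponding getenv RuntimePermission, so check whether this call sits in the same privileged block as the property reads and, if not, move it there or catch and ignore the exception; and since trust anchors are now selected by whoever can set the JVM's environment, the patch (or the nixpkgs comment) should state that the variable is expected to point at a read-only store such as a /nix/store path and that setuid or sandboxed launchers should not inherit it blindly.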