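#!/bin/bash
# postinst for ca-certificates-java.
#
# Populates the system-wide Java trust store ($KEYSTORE) from the PEM
# certificates enabled in /etc/ca-certificates.conf and removes entries that
# file marks as untrusted (lines starting with "!").  On upgrades from old
# versions it only runs the untrusted-alias removal pass (remove_certs).
#
# Called by dpkg as: postinst configure [<previously-configured-version>]
#
# The keystore password defaults to the stock Java value below and may be
# overridden by /etc/default/cacerts, which is sourced as shell code: it must
# be owned by root and writable by root only, since anything in it runs with
# this script's privileges.  The chmod 600 at the end keeps the password from
# being readable by other users.
#
# NOTE(review): the password is handed to keytool on its command line
# (-storepass), so it is visible in the process list for the duration of each
# keytool invocation.  Newer JDKs accept -storepass:env/-storepass:file, which
# avoid that; the script targets Java 6 keytools, so the argv form is kept.
set -e

KEYSTORE=/etc/ssl/certs/java/cacerts
storepass='changeit'
if [ -f /etc/default/cacerts ]; then
  . /etc/default/cacerts
fi

#######################################
# Locate a keytool binary among the known JVMs and put it on PATH.
# Globals:   jvm (written; read again by the configure branch and by
#            first_install's error message), JAVA_HOME, PATH (written)
# Returns:   0 when a keytool was found; exits 1 otherwise, instead of
#            letting a later "keytool: command not found" be the only clue.
#######################################
setup_path() {
  for jvm in java-6-openjdk java-6-sun; do
    if [ -x "/usr/lib/jvm/$jvm/bin/keytool" ]; then
      break
    fi
  done
  if [ ! -x "/usr/lib/jvm/$jvm/bin/keytool" ]; then
    echo >&2 "error: no usable keytool found under /usr/lib/jvm (tried java-6-openjdk, java-6-sun)."
    exit 1
  fi
  export JAVA_HOME="/usr/lib/jvm/$jvm"
  PATH="$JAVA_HOME/bin:$PATH"
}

#######################################
# Synchronise a freshly copied keystore with /etc/ca-certificates.conf:
# delete aliases the admin marked with "!", import every other listed PEM
# that is not already present in the pregenerated store.
# Globals:   KEYSTORE, storepass, jvm, temp_jvm_cfg (read);
#            log, pregenerated (written: temp file paths, removed on exit)
# Outputs:   progress lines on stdout, warnings/errors on stderr
# Returns:   0 on success; exits 1 if any import failed
#######################################
first_install() {
  local cacertdir=/usr/share/ca-certificates
  local errors=0
  local line pem alias

  # Temp files are globals so the EXIT trap can still see them after this
  # function returns on an error path.  mktemp replaces the Debian-only
  # (and now deprecated) tempfile.
  log=$(mktemp) || exit 1
  pregenerated=$(mktemp) || exit 1
  trap 'rm -f -- "$log" "$pregenerated"' EXIT

  # Aliases already present in the pregenerated keystore.  The C locale
  # keeps keytool's output in the English form the awk pattern expects;
  # awk prints the first comma-separated field (the alias) of the line that
  # precedes each "Certificate fingerprint" line.
  LANG=C LC_ALL=C keytool -list -keystore "$KEYSTORE" -storepass "$storepass" \
    | awk -F, '/^Certificate fingerprint/ { print s } { s=$1 } ' \
    | sort > "$pregenerated"
  # The pipeline's own status is sort's; check keytool explicitly, otherwise
  # an unreadable/wrong-password store would silently yield an empty list.
  if [ "${PIPESTATUS[0]}" -ne 0 ]; then
    echo >&2 "error: keytool -list failed on $KEYSTORE (VM used: $jvm)."
    exit 1
  fi

  # Blank lines and comments are skipped; the loop runs in the current shell
  # (process substitution, not a pipe) so "exit 1" below ends the script.
  # keytool gets </dev/null so it can never consume lines meant for "read".
  while read -r line; do
    pem=${line#!*}   # drop the leading "!" marker, if present
    # Alias: lower-cased basename without .crt, any other character mapped to
    # "_" (tr -c).  basename's trailing newline becomes a trailing "_" too,
    # which the second expansion strips.
    alias=$(basename "$pem" .crt | tr A-Z a-z | tr -cs a-z0-9 _)
    alias=${alias%_}
    case "$line" in
      !*)
        # remove untrusted certificate
        if LANG=C LC_ALL=C keytool -delete -keystore "$KEYSTORE" \
            -storepass "$storepass" -alias "$alias" >/dev/null </dev/null
        then
          echo " removed untrusted certificate $pem"
        else
          # not (anymore) in keystore
          :
        fi
        ;;
      *)
        # add certificate not yet in keystore
        if [ ! -f "$cacertdir/$pem" ]; then
          echo >&2 "warning: /etc/ca-certificates.conf lists $pem,"
          echo >&2 "warning: but $cacertdir/$pem does not exist."
          continue
        fi
        # -x -F: whole-line, literal match (alias holds only [a-z0-9_]).
        if ! grep -qxF -- "$alias" "$pregenerated"; then
          if LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore "$KEYSTORE" \
              -noprompt -storepass "$storepass" \
              -alias "$alias" -file "$cacertdir/$pem" > "$log" 2>&1 </dev/null
          then
            echo " added certificate $pem"
          # Second attempt through the NSS PKCS#11 provider.  The single
          # quotes are deliberate: ${java.home} is expanded by Java, not here.
          elif LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore "$KEYSTORE" \
              -providerClass sun.security.pkcs11.SunPKCS11 \
              -providerArg '${java.home}/lib/security/nss.cfg' \
              -noprompt -storepass "$storepass" \
              -alias "$alias" -file "$cacertdir/$pem" > "$log" 2>&1 </dev/null
          then
            echo " added certificate $pem (using NSS provider)"
          elif grep -q 'Signature not available' "$log"; then
            echo " ignored import, signature not available: ${line#+*}"
            sed -e 's/^/ -> /' "$log"
          else
            echo >&2 " error adding ${line#+*}"
            errors=$((errors + 1))
          fi
        fi
        ;;
    esac
  done < <(grep -v -E '^ *$|^#' /etc/ca-certificates.conf)

  rm -f -- "$log" "$pregenerated"
  if [ "$errors" -gt 0 ]; then
    echo >&2 "failed (VM used: $jvm)."
    [ -z "$temp_jvm_cfg" ] || rm -f -- "$temp_jvm_cfg"
    exit 1
  fi
  echo "done."
}

#######################################
# Delete aliases that must not remain trusted from an existing keystore.
# A missing alias is not an error (keytool's failure is ignored).
# Globals:   KEYSTORE, storepass (read)
# Outputs:   one line per removed alias on stdout
#######################################
remove_certs() {
  local -a untrusted=(diginotar_root_ca diginotar_root_ca_pem)
  local alias
  # remove untrusted certificates
  for alias in "${untrusted[@]}"; do
    if LANG=C LC_ALL=C keytool -delete -keystore "$KEYSTORE" \
        -storepass "$storepass" -alias "$alias" >/dev/null
    then
      echo " removed untrusted certificate $alias"
    fi
  done
}

case "$1" in
  configure)
    # Initialise explicitly so a value inherited from the environment cannot
    # switch on the removal pass or trigger the jvm.cfg cleanup.
    CLEANOLD=
    temp_jvm_cfg=
    # $2 is the previously configured version; it is empty on first install.
    if dpkg --compare-versions "$2" lt "20100406ubuntu1.1"; then
      CLEANOLD="true"
    fi
    if [ -z "$2" ] || [ -n "$CLEANOLD" ]; then
      setup_path
      if ! mountpoint -q /proc; then
        echo >&2 "the keytool command requires a mounted proc fs (/proc)."
        exit 1
      fi
      if [ ! -f "/etc/$jvm/jvm.cfg" ]; then
        # the jre is not yet configured, but jvm.cfg is needed to run it
        temp_jvm_cfg="/etc/$jvm/jvm.cfg"
        mkdir -p "/etc/$jvm"
        printf -- "-server KNOWN\n" > "$temp_jvm_cfg"
      fi
      if [ -z "$2" ]; then
        # on first install, remove certs untrusted by the
        # user/administrator, add locally added certs.
        # Note: this overwrites whatever is already at $KEYSTORE.
        echo "creating $KEYSTORE..."
        cp /usr/share/ca-certificates-java/cacerts "$KEYSTORE"
        first_install
      elif [ -n "$CLEANOLD" ]; then
        echo "removing untrusted certificates..."
        remove_certs
      fi
      [ -z "$temp_jvm_cfg" ] || rm -f -- "$temp_jvm_cfg"
    fi
    # Best effort: the file is optional, so a missing one is not an error.
    chmod 600 /etc/default/cacerts || true
    ;;

  abort-upgrade|abort-remove|abort-deconfigure)
    ;;

  *)
    echo "postinst called with unknown argument \`$1'" >&2
    exit 1
    ;;
esac

exit 0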