[Bug 229329] java/openjdk8: allow user to trust extra local certificates
Date: Mon, 06 Feb 2023 19:29:09 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329
Michael Osipov <michael.osipov@siemens.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |michael.osipov@siemens.com
--- Comment #10 from Michael Osipov <michael.osipov@siemens.com> ---
Created attachment 239958
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239958&action=edit
Git-formatted patch
Here is a patch against main which basically adds an option to use a custom
cacerts from LOCALBASE. This is the easiest approach to solve this problem now
until openssl can directly create Java-compatible PKCS#12 truststores:
https://github.com/openssl/openssl/issues/6684
Works in production and poudriere. Can provide a patch for 11 and 17+ as well,
of course.
Simple port used at work:
=========================
PORTNAME=	nss-siemens-cacerts-java
PORTVERSION=	20221107
CATEGORIES=	security
DISTFILES=

MAINTAINER=	michael.osipov@siemens.com
COMMENT=	Collection of CA certificates trusted by NSS and Siemens for Java

NO_ARCH=	yes
NO_BUILD=	yes
NO_TEST=	yes

WRKSRC=		${FILESDIR}
SSLDIR=		${PREFIX}/etc/ssl
PLIST_SUB=	SSLDIR=${SSLDIR}

do-install:
	@${MKDIR} ${STAGEDIR}${SSLDIR}
	@${INSTALL_DATA} ${WRKSRC}/cacerts.jks ${STAGEDIR}${SSLDIR}/cacerts

.include <bsd.port.mk>
==================
cacerts.jks is generated with a custom Java application.
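The comment above says cacerts.jks is generated with a custom Java application, which is not shown on this page. As an added example (not the author's application and not part of the attached patch), here is one way to build a JKS truststore from a PEM bundle using only JDK 8 APIs; the class name `PemToJks`, the command-line paths, and the choice to skip non-CA and out-of-validity certificates are assumptions made for this sketch.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.Date;

// Added example: convert a PEM bundle of CA certificates into a JKS truststore.
// Usage (paths are placeholders): java PemToJks ca-bundle.pem cacerts.jks
public class PemToJks {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: PemToJks <bundle.pem> <out.jks>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // start from an empty store, not the JDK default
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        Date now = new Date();
        int added = 0;
        try (InputStream in = new BufferedInputStream(
                Files.newInputStream(Paths.get(args[0])))) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                String subject = x.getSubjectX500Principal().getName();
                // A trust anchor should be a CA: basicConstraints is -1 for leaves.
                if (x.getBasicConstraints() < 0) {
                    System.err.println("skipping non-CA certificate: " + subject);
                    continue;
                }
                // Do not ship anchors that are expired or not yet valid.
                if (now.before(x.getNotBefore()) || now.after(x.getNotAfter())) {
                    System.err.println("skipping out-of-validity CA: " + subject);
                    continue;
                }
                // Alias = SHA-256 fingerprint, so duplicates in the bundle collapse
                // and every entry can be checked against a published fingerprint.
                StringBuilder alias = new StringBuilder();
                for (byte b : sha256.digest(x.getEncoded())) {
                    alias.append(String.format("%02x", b));
                }
                ks.setCertificateEntry(alias.toString(), x);
                added++;
            }
        }
        // "changeit" is the conventional password of the JDK's cacerts file.
        try (OutputStream out = Files.newOutputStream(Paths.get(args[1]))) {
            ks.store(out, "changeit".toCharArray());
        }
        System.out.println(added + " CA certificates written to " + args[1]);
    }
}
```

The resulting file can be inspected with `keytool -list -keystore cacerts.jks -storepass changeit` before it is packaged, to confirm that only the intended trust anchors are present.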