jdk/make/SignJars.gmk
changeset 27161 cd50a16cf47e
parent 27159 3d2543e475e4
parent 27160 b60dff56e547
child 27163 66521b7ba8d6
27159:3d2543e475e4 27161:cd50a16cf47e
     1 #
       
     2 # Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
       
     3 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
       
     4 #
       
     5 # This code is free software; you can redistribute it and/or modify it
       
     6 # under the terms of the GNU General Public License version 2 only, as
       
     7 # published by the Free Software Foundation.  Oracle designates this
       
     8 # particular file as subject to the "Classpath" exception as provided
       
     9 # by Oracle in the LICENSE file that accompanied this code.
       
    10 #
       
    11 # This code is distributed in the hope that it will be useful, but WITHOUT
       
    12 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
       
    13 # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
       
    14 # version 2 for more details (a copy is included in the LICENSE file that
       
    15 # accompanied this code).
       
    16 #
       
    17 # You should have received a copy of the GNU General Public License version
       
    18 # 2 along with this work; if not, write to the Free Software Foundation,
       
    19 # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
       
    20 #
       
    21 # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
       
    22 # or visit www.oracle.com if you need additional information or have any
       
    23 # questions.
       
    24 #
       
    25 
       
    26 include $(SPEC)
       
    27 include MakeBase.gmk
       
    28 
       
    29 # (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK
       
    30 # builds respectively.)
       
    31 #
       
    32 # JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE
       
    33 # jar files do not require signing, but those for JDK do. If an unsigned
       
    34 # jar file is installed into JDK, things will break when the crypto
       
    35 # routines are called.
       
    36 #
       
    37 # All jars are created in CreateJars.gmk. This Makefile does the signing
       
    38 # of the jars for JDK.
       
    39 #
       
    40 # For JDK, the binaries use pre-built/pre-signed binary files stored in
       
    41 # the closed workspace that are not shipped in the OpenJDK workspaces.
       
    42 # We still build the JDK files to verify the files compile, and in
       
    43 # preparation for possible signing. Developers working on JCE in JDK
       
    44 # must sign the JCE files before testing. The JCE signing key is kept
       
    45 # separate from the JDK workspace to prevent its disclosure.
       
    46 #
       
    47 # SPECIAL NOTE TO JCE/JDK developers: The source files must eventually
       
    48 # be built, signed, and then the resulting jar files MUST BE CHECKED
       
    49 # INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT
       
    50 # BE FORGOTTEN*, otherwise a bug fixed in the source code will not be
       
    51 # reflected in the shipped binaries.
       
    52 #
       
    53 # Please consult with Release Engineering, which is responsible for
       
    54 # creating the final JCE builds suitable for checkin.
       
    55 #
       
    56 
       
    57 # Default target
       
    58 all:
       
    59 
       
    60 ifndef OPENJDK
       
    61 
       
    62 README-MAKEFILE_WARNING := \
       
    63     "\nPlease read jdk/make/SignJars.gmk for further build instructions.\n"
       
    64 
       
    65 #
       
    66 # Location for JCE codesigning key.
       
    67 #
       
    68 SIGNING_KEY_DIR := /security/ws/JCE-signing/src
       
    69 SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks
       
    70 SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt
       
    71 SIGNING_ALIAS := oracle_jce_rsa
       
    72 
       
    73 #
       
    74 # Defines for signing the various jar files.
       
    75 #
       
    76 check-keystore:
       
    77 	@if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \
       
    78 	  $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \
       
    79 	  $(PRINTF) $(README-MAKEFILE_WARNING); \
       
    80 	  exit 2; \
       
    81 	fi
       
    82 
       
    83 $(JDK_OUTPUTDIR)/jce/signed/%: $(JDK_OUTPUTDIR)/jce/unsigned/%
       
    84 	$(call install-file)
       
    85 	$(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \
       
    86 	    $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE)
       
    87 	@$(PRINTF) "\nJar codesigning finished.\n"
       
    88 
       
    89 JAR_LIST := \
       
    90     jce.jar \
       
    91     policy/limited/local_policy.jar \
       
    92     policy/limited/US_export_policy.jar \
       
    93     policy/unlimited/local_policy.jar \
       
    94     policy/unlimited/US_export_policy.jar \
       
    95     sunec.jar \
       
    96     sunjce_provider.jar \
       
    97     sunpkcs11.jar \
       
    98     sunmscapi.jar \
       
    99     ucrypto.jar \
       
   100     #
       
   101 
       
   102 UNSIGNED_JARS := $(wildcard $(addprefix $(JDK_OUTPUTDIR)/jce/unsigned/, $(JAR_LIST)))
       
   103 
       
   104 ifeq ($(UNSIGNED_JARS), )
       
   105   $(error No jars found in $(JDK_OUTPUTDIR)/jce/unsigned/)
       
   106 endif
       
   107 
       
   108 SIGNED_JARS := $(patsubst $(JDK_OUTPUTDIR)/jce/unsigned/%,$(JDK_OUTPUTDIR)/jce/signed/%, \
       
   109     $(UNSIGNED_JARS))
       
   110 
       
   111 $(SIGNED_JARS): check-keystore
       
   112 
       
   113 $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt: \
       
   114     $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt
       
   115 	$(install-file)
       
   116 
       
   117 all: $(SIGNED_JARS) $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt
       
   118 	@$(PRINTF) "\n*** The jar files built by the 'sign-jars' target are developer      ***"
       
   119 	@$(PRINTF) "\n*** builds only and *MUST NOT* be checked into the closed workspace. ***"
       
   120 	@$(PRINTF) "\n***                                                                  ***"
       
   121 	@$(PRINTF) "\n*** Please consult with Release Engineering: they will generate      ***"
       
   122 	@$(PRINTF) "\n*** the proper binaries for the closed workspace.                    ***"
       
   123 	@$(PRINTF) "\n"
       
   124 	@$(PRINTF) $(README-MAKEFILE_WARNING)
       
   125 
       
   126 endif # !OPENJDK
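Review bot: In the pattern rule for `$(JDK_OUTPUTDIR)/jce/signed/%` (file lines 83–87), `install-file` copies the unsigned jar to `$@` before `$(JARSIGNER)` runs, so a failed signing step (bad passphrase, unreadable keystore) leaves an unsigned jar under `jce/signed/`. Unless `.DELETE_ON_ERROR:` is set in one of the included makefiles, which this page does not show, nothing removes that file, and the header comment itself warns that an unsigned JCE jar breaks crypto calls once installed. I would make the recipe clean up after itself by ending the jarsigner command with `|| { $(RM) $@; exit 1; }`, so that only a successfully signed jar can remain in the signed tree. Separately, `check-keystore` (line 76) is a normal prerequisite that never exists as a file, so every jar is re-signed on each run; if that is intended, declare it with `.PHONY: check-keystore` and a one-line comment saying so.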