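#!/bin/bash
# postinst: (re)builds the Java CA trust store at /etc/ssl/certs/java/cacerts
# from the PEM certificates under /etc/ssl/certs by piping "+file" / "-alias"
# lines into the UpdateCertificates Java class, and removes certificates that
# must no longer be trusted.
#
# Arguments: $1 - maintainer-script action (configure, abort-upgrade, ...)
#            $2 - previously configured package version; empty on first install

set -e

# Restore the execute bit on the jks-keystore hook when upgrading from
# 20110912ubuntu1; to be removed after the oneiric release.
# NOTE(review): the inherited comment said "Disable a critically buggy hook",
# but chmod +x makes the hook runnable again; presumably the matching preinst
# cleared the bit for the duration of the upgrade. Confirm.
if [ "$2" = 20110912ubuntu1 ] \
  && [ -e /etc/ca-certificates/update.d/jks-keystore ]; then
  chmod +x /etc/ca-certificates/update.d/jks-keystore
fi

# 'changeit' is the stock JDK keystore password. The store holds public CA
# certificates only, so the password is not a confidentiality control; a site
# override comes from /etc/default/cacerts.
storepass='changeit'
if [ -f /etc/default/cacerts ]; then
  # Sourced and therefore executed with this script's privileges: the file
  # must be writable by root only (its mode is tightened to 600 below).
  . /etc/default/cacerts
fi

# Select the first installed JVM and make `java` and the UpdateCertificates
# class resolvable.
# Globals: jvm (written), JAVA_HOME, PATH, CLASSPATH (written and exported)
setup_path() {
  for jvm in java-6-openjdk java-7-openjdk java-6-sun; do
    if [ -x "/usr/lib/jvm/$jvm/bin/java" ]; then
      break
    fi
  done
  # When no candidate has an executable java, jvm keeps the last name in the
  # list and the later java invocation is what fails.
  export JAVA_HOME="/usr/lib/jvm/$jvm"
  PATH="$JAVA_HOME/bin:$PATH"
  CLASSPATH=/usr/share/ca-certificates-java
  export CLASSPATH
}

# Make libnss3.so reachable from the directory the JVM's nss.cfg points at,
# when that differs from the directory the libnss3 package installs into.
# Globals: jvm (read); nsspkg, nssjdk (written, consumed by do_cleanup)
link_nss() {
  # NOTE(review): `which` is handed two names here (dpkg-query and --version);
  # whether that succeeds depends on the which implementation. The probe is
  # kept unchanged so this edit does not alter when the symlink is created.
  # Confirm the intended check is just "dpkg-query is available".
  if which dpkg-query --version >/dev/null; then
    nsspkg=$(dpkg-query -L libnss3 | sed -n 's,\(.*\)/libnss3\.so$,\1,p')
    nssjdk=$(sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' \
      "/etc/$jvm/security/nss.cfg")
    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
      # Quoted: both paths are parsed out of other files' contents.
      ln -sf "$nsspkg/libnss3.so" "$nssjdk/libnss3.so"
    fi
  fi
}

# Import every *.pem under /etc/ssl/certs into the Java keystore.
# Globals: FIXOLD (read) - when set, the alias names used by older package
#          versions are removed before the certificate is added again.
# NOTE(review): the function's status is that of the final echo, so a failing
# UpdateCertificates run never reaches the caller's error branch and the trust
# store can stay stale while "done." is printed. Confirm UpdateCertificates'
# exit codes (for example when a "-alias" entry does not exist) before
# propagating its status.
first_install() {
  link_nss

  find /etc/ssl/certs -name '*.pem' \
    | while IFS= read -r filename; do
      # Alias = lower-cased file name with every run of other characters
      # squeezed to "_"; tr also maps basename's trailing newline to "_",
      # which the suffix strip removes again.
      cert_alias=$(basename "$filename" .pem | tr A-Z a-z | tr -cs a-z0-9 _)
      cert_alias=${cert_alias%_}
      if [ -n "$FIXOLD" ]; then
        # printf, not echo: an alias such as "n" or "e" would otherwise be
        # swallowed as an echo option and the removal line lost.
        printf '%s\n' "-${cert_alias}"
        printf '%s\n' "-${cert_alias}_pem"
      fi
      printf '%s\n' "+${filename}"
    done \
    | java UpdateCertificates -storepass "$storepass"
  echo "done."
}

# Remove certificates that must not remain trusted by the JVM.
# NOTE(review): like first_install, this returns the status of the final echo,
# not of the UpdateCertificates run.
remove_certs() {
  link_nss

  # Forcibly remove diginotar cert (LP: #920758); both alias spellings are
  # listed so the entry goes away whichever name it was imported under.
  printf '%s\n' '-diginotar_root_ca' '-diginotar_root_ca_pem' \
    | java UpdateCertificates -storepass "$storepass"
  echo "done."
}

# Undo the temporary state created for running java: the stand-in jvm.cfg and
# the libnss3.so symlink.
# Globals: temp_jvm_cfg, nsspkg, nssjdk (read)
do_cleanup() {
  [ -z "$temp_jvm_cfg" ] || rm -f "$temp_jvm_cfg"
  if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
    rm -f "$nssjdk/libnss3.so"
  fi
}

case "$1" in
  configure)
    if dpkg --compare-versions "$2" lt "20110912ubuntu3"; then
      FIXOLD="true"
      # Keep a copy of the existing store before it is rewritten.
      if [ -e /etc/ssl/certs/java/cacerts ]; then
        cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
      fi
    fi
    if dpkg --compare-versions "$2" lt "20110912ubuntu3.1"; then
      CLEANOLD="true"
    fi

    if [ -z "$2" ] || [ -n "$FIXOLD" ] || [ -n "$CLEANOLD" ]; then
      setup_path

      if ! mountpoint -q /proc; then
        echo >&2 "the keytool command requires a mounted proc fs (/proc)."
        exit 1
      fi

      # Clean up once, on every exit path. Cleaning between the two steps
      # below would delete the stand-in jvm.cfg before remove_certs starts
      # java, which needs that file.
      trap do_cleanup EXIT

      if [ ! -f "/etc/$jvm/jvm.cfg" ]; then
        # the jre is not yet configured, but jvm.cfg is needed to run it
        temp_jvm_cfg="/etc/$jvm/jvm.cfg"
        mkdir -p "/etc/$jvm"
        printf -- "-server KNOWN\n" > "$temp_jvm_cfg"
      fi

      if [ -z "$2" ] || [ -n "$FIXOLD" ]; then
        first_install || exit 1
      fi

      if [ -n "$2" ]; then
        echo "removing untrusted certificates..."
        remove_certs || exit 1
      fi
    fi

    # The file is sourced above and may carry the keystore password: keep it
    # readable and writable by its owner only. It is optional, hence || true.
    chmod 600 /etc/default/cacerts || true
    ;;

  abort-upgrade | abort-remove | abort-deconfigure) ;;

  *)
    echo "postinst called with unknown argument \`$1'" >&2
    exit 1
    ;;
esac

exit 0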