author | Brian P. Hinz <bphinz@users.sf.net> | 2024-06-15 16:55:27 -0400 |
---|---|---|
committer | Brian P. Hinz <bphinz@users.sf.net> | 2024-06-15 16:55:27 -0400 |
commit | 78510b981b211e29a06a30fa091b08070429b829 (patch) | |
tree | e367331e52f43720af8877a5806a4c7ecf1d6c33 | |
parent | fb7b956cf6c6cf2d2550c25a7112999983dea96e (diff) | |
Add support for PKCS11 jar signing
-rw-r--r-- | java/CMakeLists.txt | 6 | ||||
-rw-r--r-- | java/cmake/SignJar.cmake | 41 |
2 files changed, 37 insertions, 10 deletions
diff --git a/java/CMakeLists.txt b/java/CMakeLists.txt
index 7627a2c5..2fd348f7 100644
--- a/java/CMakeLists.txt
+++ b/java/CMakeLists.txt
@@ -20,7 +20,10 @@ set(JAVA_KEYSTORE_TYPE "jks" CACHE STRING "Type of keystore (Default: \"jks\")")
 set(JAVA_KEY_ALIAS NOTFOUND CACHE STRING "Alias for the keystore entry used to generate the signature")
 set(JAVA_STOREPASS NOTFOUND CACHE STRING "Password required to access the keystore")
 set(JAVA_KEYPASS NOTFOUND CACHE STRING "Password used to protect the private key of the specified keystore entry")
+set(JAVA_PKCS11_PROVIDER_CLASS "sun.security.pkcs11.SunPKCS11" CACHE STRING "PKCS11 SecurityProvider class name")
+set(JAVA_PKCS11_PROVIDER_ARG NOTFOUND CACHE STRING "Path to the PKCS11 security provider class config file")
 set(JAVA_TSA_URL NOTFOUND CACHE STRING "URL of Time Stamping Authority (TSA)")
+set(JAVA_CERT_CHAIN NOTFOUND CACHE STRING "Path to CA certificate chain file")
 if(NOT BUILD)
 STRING(TIMESTAMP BUILD "%Y%m%d" UTC)
@@ -166,9 +169,12 @@ add_custom_command(OUTPUT VncViewer.jar
 -DJAVA_KEYSTORE=${JAVA_KEYSTORE}
 -DJAVA_KEYSTORE_TYPE=${JAVA_KEYSTORE_TYPE}
 -DJAVA_STOREPASS=${JAVA_STOREPASS}
+ -DJAVA_PKCS11_PROVIDER_CLASS=${JAVA_PKCS11_PROVIDER_CLASS}
+ -DJAVA_PKCS11_PROVIDER_ARG=${JAVA_PKCS11_PROVIDER_ARG}
 -DJAVA_KEYPASS=${JAVA_KEYPASS}
 -DJAVA_KEY_ALIAS=${JAVA_KEY_ALIAS}
 -DJAVA_TSA_URL=${JAVA_TSA_URL}
+ -DJAVA_CERT_CHAIN=${JAVA_CERT_CHAIN}
 -P ${SRCDIR}/cmake/SignJar.cmake)
 add_custom_target(java ALL DEPENDS VncViewer.jar)
diff --git a/java/cmake/SignJar.cmake b/java/cmake/SignJar.cmake
index 067116d4..cfca1ba2 100644
--- a/java/cmake/SignJar.cmake
+++ b/java/cmake/SignJar.cmake
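Review bot: In the first java/CMakeLists.txt hunk, `JAVA_PKCS11_PROVIDER_ARG` and `JAVA_CERT_CHAIN` are documented as file paths but declared `CACHE STRING`; `CACHE FILEPATH` is the matching type, e.g. `set(JAVA_CERT_CHAIN NOTFOUND CACHE FILEPATH "Path to CA certificate chain file")`, so a relative path given with `-D` is stored as an absolute one before the signing script runs, possibly from a different working directory. With a PKCS11 keystore, `JAVA_STOREPASS` is the token PIN, and a literal value is kept in clear text in CMakeCache.txt and repeated as `-DJAVA_STOREPASS=...` on the command line shown in the second hunk's context. The help strings would do well to point at the `:env` / `:file` forms that SignJar.cmake parses (visible in this commit for JAVA_KEYPASS, and presumably handled the same way for JAVA_STOREPASS), so that only a reference to the secret is cached and logged.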
@@ -10,8 +10,20 @@ set(KEYTOOL "${Java_PATH}/keytool")
 set(JARSIGNER "${Java_PATH}/jarsigner")
 if(JAVA_KEYSTORE)
- if((NOT JAVA_STOREPASS) OR (NOT JAVA_KEYPASS) OR (NOT JAVA_KEY_ALIAS))
- message(FATAL_ERROR "When JAVA_KEYSTORE is specified, JAVA_KEY_ALIAS, JAVA_STOREPASS, and JAVA_KEYPASS must also be specified:\n${ERROR}")
+ if((NOT JAVA_KEYSTORE_TYPE))
+ message(FATAL_ERROR "When JAVA_KEYSTORE is specified, JAVA_KEYSTORE_TYPE must also be specified:\n${ERROR}")
+ endif()
+ string(TOUPPER "${JAVA_KEYSTORE_TYPE}" JAVA_KEYSTORE_TYPE_STRING)
+ if(${JAVA_KEYSTORE_TYPE_STRING} MATCHES "PKCS11")
+ if((NOT JAVA_PKCS11_PROVIDER_ARG) OR (NOT JAVA_STOREPASS) OR (NOT JAVA_KEY_ALIAS))
+ message(FATAL_ERROR "When JAVA_KEYSTORE_TYPE is PKCS11, JAVA_STOREPASS, JAVA_PKCS11_PROVIDER_ARG, and JAVA_KEY_ALIAS must also be specified:\n${ERROR}")
+ endif()
+ elseif((${JAVA_KEYSTORE_TYPE_STRING} MATCHES "JKS") OR (${JAVA_KEYSTORE_TYPE_STRING} MATCHES "PKCS12"))
+ if((NOT JAVA_STOREPASS) OR (NOT JAVA_KEYPASS) OR (NOT JAVA_KEY_ALIAS))
+ message(FATAL_ERROR "When JAVA_KEYSTORE_TYPE is JKS or PKCS12, JAVA_STOREPASS, JAVA_KEYPASS, and JAVA_KEY_ALIAS must also be specified:\n${ERROR}")
+ endif()
+ else()
+ message(FATAL_ERROR "Unsupported keystore type:\n${ERROR}")
 endif()
 else()
 message(STATUS "Generating self-signed certificate")
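Review bot: The new PKCS11 checks sit inside `if(JAVA_KEYSTORE)`, so a build configured with JAVA_KEYSTORE_TYPE=pkcs11 but without JAVA_KEYSTORE skips them and takes the `else()` branch, which reports "Generating self-signed certificate" instead of failing. A token has no keystore file (jarsigner is normally given `-keystore NONE` for PKCS#11), so that omission is easy to make; either reject it before the `if(JAVA_KEYSTORE)` test or document that JAVA_KEYSTORE must be set to `NONE`. The type tests would be stricter as `if("${JAVA_KEYSTORE_TYPE_STRING}" STREQUAL "PKCS11")`, since `MATCHES` is an unanchored regex and the unquoted expansion can be dereferenced again as a variable name. The last `FATAL_ERROR` should print `${JAVA_KEYSTORE_TYPE}` rather than `${ERROR}`, which nothing in this hunk sets. The `else()` branch continues past the end of the hunk.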
@@ -44,14 +56,23 @@ else()
 set(ARGS ${ARGS} -storepass ${JAVA_STOREPASS})
 endif()
-if(${JAVA_KEYPASS} MATCHES "^:env")
- string(REGEX REPLACE "^:env[\t ]+(.*)$" "\\1" JAVA_KEYPASS "${JAVA_KEYPASS}")
- set(ARGS ${ARGS} -keypass:env ${JAVA_KEYPASS})
-elseif("${JAVA_KEYPASS}" MATCHES "^:file")
- string(REGEX REPLACE "^:file[\t ]+(.*)$" "\\1" JAVA_KEYPASS "${JAVA_KEYPASS}")
- set(ARGS ${ARGS} -keypass:file ${JAVA_KEYPASS})
-else()
- set(ARGS ${ARGS} -keypass ${JAVA_KEYPASS})
+if(${JAVA_KEYSTORE_TYPE_STRING} MATCHES "PKCS11")
+ set(ARGS ${ARGS} -providerClass ${JAVA_PKCS11_PROVIDER_CLASS})
+ set(ARGS ${ARGS} -providerArg ${JAVA_PKCS11_PROVIDER_ARG})
+elseif((${JAVA_KEYSTORE_TYPE_STRING} MATCHES "JKS") OR (${JAVA_KEYSTORE_TYPE_STRING} MATCHES "PKCS12"))
+ if(${JAVA_KEYPASS} MATCHES "^:env")
+ string(REGEX REPLACE "^:env[\t ]+(.*)$" "\\1" JAVA_KEYPASS "${JAVA_KEYPASS}")
+ set(ARGS ${ARGS} -keypass:env ${JAVA_KEYPASS})
+ elseif("${JAVA_KEYPASS}" MATCHES "^:file")
+ string(REGEX REPLACE "^:file[\t ]+(.*)$" "\\1" JAVA_KEYPASS "${JAVA_KEYPASS}")
+ set(ARGS ${ARGS} -keypass:file ${JAVA_KEYPASS})
+ else()
+ set(ARGS ${ARGS} -keypass ${JAVA_KEYPASS})
+ endif()
+endif()
+
+if(JAVA_CERT_CHAIN)
+ set(ARGS ${ARGS} -certchain ${JAVA_CERT_CHAIN})
 endif()
 if(JAVA_TSA_URL) |
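Review bot: `JAVA_KEYSTORE_TYPE_STRING` is assigned only inside the `if(JAVA_KEYSTORE)` branch of the previous hunk, so on the self-signed path the unquoted `${JAVA_KEYSTORE_TYPE_STRING}` in the new `if(... MATCHES "PKCS11")` expands to nothing unless the part of the `else()` branch outside this diff also sets it. CMake would then be handed `if(MATCHES "PKCS11")`, which is not a valid condition, and the default build would stop at the signing step. Moving `string(TOUPPER "${JAVA_KEYSTORE_TYPE}" JAVA_KEYSTORE_TYPE_STRING)` below that block's closing `endif()` and writing the tests as `if("${JAVA_KEYSTORE_TYPE_STRING}" STREQUAL "PKCS11")` covers both paths.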