blob: 99caa99cc22450ce8687309434a1f1f4f7b749a2 [file] [log] [blame]
#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Oracle designates this
# particular file as subject to the "Classpath" exception as provided
# by Oracle in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
include $(SPEC)
include MakeBase.gmk
# (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK
# builds respectively.)
#
# JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE
# jar files do not require signing, but those for JDK do. If an unsigned
# jar file is installed into JDK, things will break when the crypto
# routines are called.
#
# All jars are created in CreateJars.gmk. This Makefile does the signing
# of the jars for JDK.
#
# For JDK, the binaries use pre-built/pre-signed binary files stored in
# the closed workspace that are not shipped in the OpenJDK workspaces.
# We still build the JDK files to verify the files compile, and in
# preparation for possible signing. Developers working on JCE in JDK
# must sign the JCE files before testing. The JCE signing key is kept
# separate from the JDK workspace to prevent its disclosure.
#
# SPECIAL NOTE TO JCE/JDK developers: The source files must eventually
# be built, signed, and then the resulting jar files MUST BE CHECKED
# INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT
# BE FORGOTTEN*, otherwise a bug fixed in the source code will not be
# reflected in the shipped binaries. The "sign-jars" target in the top
# level Makefile should be used to generate the required files.
#
# Default target
all:
ifndef OPENJDK
README-MAKEFILE_WARNING := \
"\nPlease read makefiles/SignJars.gmk for further build instructions.\n"
#
# Location for JCE codesigning key.
#
SIGNING_KEY_DIR := /security/ws/JCE-signing/src
SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks
SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt
SIGNING_ALIAS := oracle_jce_rsa
#
# Defines for signing the various jar files.
#
check-keystore:
@if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \
$(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \
$(PRINTF) $(README-MAKEFILE_WARNING); \
exit 2; \
fi
$(JCE_OUTPUTDIR)/%: $(IMAGES_OUTPUTDIR)/unsigned/%
$(MKDIR) -p $(@D)
$(CP) $< $@
$(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \
$@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE)
@$(PRINTF) "\nJar codesigning finished.\n"
JAR_LIST := jce.jar \
local_policy.jar \
sunec.jar \
sunjce_provider.jar \
sunpkcs11.jar \
US_export_policy.jar
SIGNED_JARS := $(addprefix $(JCE_OUTPUTDIR)/,$(JAR_LIST))
$(SIGNED_JARS): check-keystore
all: $(SIGNED_JARS)
@$(PRINTF) "\n***The jar files built by the 'jar-sign' target must***"
@$(PRINTF) "\n***still be checked into the closed workspace! ***"
@$(PRINTF) $(README-MAKEFILE_WARNING)
endif # !OPENJDK