1 #
   2 # Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
   3 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4 #
   5 # This code is free software; you can redistribute it and/or modify it
   6 # under the terms of the GNU General Public License version 2 only, as
   7 # published by the Free Software Foundation.  Oracle designates this
   8 # particular file as subject to the "Classpath" exception as provided
   9 # by Oracle in the LICENSE file that accompanied this code.
  10 #
  11 # This code is distributed in the hope that it will be useful, but WITHOUT
  12 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13 # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14 # version 2 for more details (a copy is included in the LICENSE file that
  15 # accompanied this code).
  16 #
  17 # You should have received a copy of the GNU General Public License version
  18 # 2 along with this work; if not, write to the Free Software Foundation,
  19 # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20 #
  21 # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22 # or visit www.oracle.com if you need additional information or have any
  23 # questions.
  24 #
  25 
  26 include $(SPEC)
  27 include MakeBase.gmk
  28 
  29 # (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK 
  30 # builds respectively.)
  31 #
  32 # JCE builds are very different between OpenJDK and JDK.  The OpenJDK JCE
  33 # jar files do not require signing, but those for JDK do.  If an unsigned
  34 # jar file is installed into JDK, things will break when the crypto
  35 # routines are called.
  36 #
  37 # All jars are created in CreateJars.gmk. This Makefile does the signing
  38 # of the jars for JDK.
  39 #
  40 # For JDK, the binaries use pre-built/pre-signed binary files stored in
  41 # the closed workspace that are not shipped in the OpenJDK workspaces.
  42 # We still build the JDK files to verify the files compile, and in
  43 # preparation for possible signing.  Developers working on JCE in JDK
  44 # must sign the JCE files before testing.  The JCE signing key is kept
  45 # separate from the JDK workspace to prevent its disclosure.
  46 #
  47 # SPECIAL NOTE TO JCE/JDK developers:  The source files must eventually
   48 # be built, signed, and then the resulting jar files *MUST BE CHECKED
  49 # INTO THE CLOSED PART OF THE WORKSPACE*.  This separate step *MUST NOT
  50 # BE FORGOTTEN*, otherwise a bug fixed in the source code will not be
  51 # reflected in the shipped binaries.  The "sign-jars" target in the top
  52 # level Makefile should be used to generate the required files.
  53 #
  54 
  55 # Default target
  56 all:
  57 
  58 ifndef OPENJDK
  59 
  60 README-MAKEFILE_WARNING := \
  61     "\nPlease read makefiles/SignJars.gmk for further build instructions.\n"
  62 
  63 #
  64 # Location for JCE codesigning key.
  65 #
  66 SIGNING_KEY_DIR    := /security/ws/JCE-signing/src
  67 SIGNING_KEYSTORE   := $(SIGNING_KEY_DIR)/KeyStore.jks
  68 SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt
  69 SIGNING_ALIAS      := oracle_jce_rsa
  70 
  71 #
  72 # Defines for signing the various jar files.
  73 #
  74 check-keystore:
  75         @if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \
  76             $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \
  77             $(PRINTF) $(README-MAKEFILE_WARNING); \
  78             exit 2; \
  79         fi
  80 
  81 $(JCE_OUTPUTDIR)/%: $(IMAGES_OUTPUTDIR)/unsigned/%
  82         $(call install-file)
  83         $(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \
  84             $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE)
  85         @$(PRINTF) "\nJar codesigning finished.\n"
  86 
  87 JAR_LIST := jce.jar \
  88             local_policy.jar \
  89             sunec.jar \
  90             sunjce_provider.jar \
  91             sunpkcs11.jar \
  92             US_export_policy.jar
  93 
  94 SIGNED_JARS := $(addprefix $(JCE_OUTPUTDIR)/,$(JAR_LIST))
  95 
  96 $(SIGNED_JARS): check-keystore
  97 
  98 all: $(SIGNED_JARS)
  99         @$(PRINTF) "\n***The jar files built by the 'jar-sign' target must***"
 100         @$(PRINTF) "\n***still be checked into the closed workspace!     ***"
 101         @$(PRINTF)  $(README-MAKEFILE_WARNING)
 102 
 103 endif  # !OPENJDK