1 # 2 # Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved. 3 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 # 5 # This code is free software; you can redistribute it and/or modify it 6 # under the terms of the GNU General Public License version 2 only, as 7 # published by the Free Software Foundation. Oracle designates this 8 # particular file as subject to the "Classpath" exception as provided 9 # by Oracle in the LICENSE file that accompanied this code. 10 # 11 # This code is distributed in the hope that it will be useful, but WITHOUT 12 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 # version 2 for more details (a copy is included in the LICENSE file that 15 # accompanied this code). 16 # 17 # You should have received a copy of the GNU General Public License version 18 # 2 along with this work; if not, write to the Free Software Foundation, 19 # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 # 21 # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 # or visit www.oracle.com if you need additional information or have any 23 # questions. 24 # 25 26 include $(SPEC) 27 include MakeBase.gmk 28 29 # (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK 30 # builds respectively.) 31 # 32 # JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE 33 # jar files do not require signing, but those for JDK do. If an unsigned 34 # jar file is installed into JDK, things will break when the crypto 35 # routines are called. 36 # 37 # All jars are created in CreateJars.gmk. This Makefile does the signing 38 # of the jars for JDK. 39 # 40 # For JDK, the binaries use pre-built/pre-signed binary files stored in 41 # the closed workspace that are not shipped in the OpenJDK workspaces. 42 # We still build the JDK files to verify the files compile, and in 43 # preparation for possible signing. Developers working on JCE in JDK 44 # must sign the JCE files before testing. The JCE signing key is kept 45 # separate from the JDK workspace to prevent its disclosure. 46 # 47 # SPECIAL NOTE TO JCE/JDK developers: The source files must eventually 48 # be built, signed, and then the resulting jar files MUST BE CHECKED 49 # INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT 50 # BE FORGOTTEN*, otherwise a bug fixed in the source code will not be 51 # reflected in the shipped binaries. 52 # 53 # Please consult with Release Engineering, which is responsible for 54 # creating the final JCE builds suitable for checkin. 55 # 56 57 # Default target 58 all: 59 60 ifndef OPENJDK 61 62 README-MAKEFILE_WARNING := \ 63 "\nPlease read jdk/make/SignJars.gmk for further build instructions.\n" 64 65 # 66 # Location for JCE codesigning key. 67 # 68 SIGNING_KEY_DIR := /security/ws/JCE-signing/src 69 SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks 70 SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt 71 SIGNING_ALIAS := oracle_jce_rsa 72 73 # 74 # Defines for signing the various jar files. 75 # 76 check-keystore: 77 @if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \ 78 $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \ 79 $(PRINTF) $(README-MAKEFILE_WARNING); \ 80 exit 2; \ 81 fi 82 83 $(JDK_OUTPUTDIR)/jce/signed/%: $(JDK_OUTPUTDIR)/jce/unsigned/% 84 $(call install-file) 85 $(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \ 86 $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE) 87 @$(PRINTF) "\nJar codesigning finished.\n" 88 89 JAR_LIST := \ 90 jce.jar \ 91 policy/limited/local_policy.jar \ 92 policy/limited/US_export_policy.jar \ 93 policy/unlimited/local_policy.jar \ 94 policy/unlimited/US_export_policy.jar \ 95 sunec.jar \ 96 sunjce_provider.jar \ 97 sunpkcs11.jar \ 98 sunmscapi.jar \ 99 ucrypto.jar \ 100 # 101 102 UNSIGNED_JARS := $(wildcard $(addprefix $(JDK_OUTPUTDIR)/jce/unsigned/, $(JAR_LIST))) 103 104 ifeq ($(UNSIGNED_JARS), ) 105 $(error No jars found in $(JDK_OUTPUTDIR)/jce/unsigned/) 106 endif 107 108 SIGNED_JARS := $(patsubst $(JDK_OUTPUTDIR)/jce/unsigned/%,$(JDK_OUTPUTDIR)/jce/signed/%, \ 109 $(UNSIGNED_JARS)) 110 111 $(SIGNED_JARS): check-keystore 112 113 $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt: \ 114 $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt 115 $(install-file) 116 117 all: $(SIGNED_JARS) $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt 118 @$(PRINTF) "\n*** The jar files built by the 'sign-jars' target are developer ***" 119 @$(PRINTF) "\n*** builds only and *MUST NOT* be checked into the closed workspace. ***" 120 @$(PRINTF) "\n*** ***" 121 @$(PRINTF) "\n*** Please consult with Release Engineering: they will generate ***" 122 @$(PRINTF) "\n*** the proper binaries for the closed workspace. ***" 123 @$(PRINTF) "\n" 124 @$(PRINTF) $(README-MAKEFILE_WARNING) 125 126 endif # !OPENJDK