1 #
   2 # Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
   3 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4 #
   5 # This code is free software; you can redistribute it and/or modify it
   6 # under the terms of the GNU General Public License version 2 only, as
   7 # published by the Free Software Foundation.  Oracle designates this
   8 # particular file as subject to the "Classpath" exception as provided
   9 # by Oracle in the LICENSE file that accompanied this code.
  10 #
  11 # This code is distributed in the hope that it will be useful, but WITHOUT
  12 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13 # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14 # version 2 for more details (a copy is included in the LICENSE file that
  15 # accompanied this code).
  16 #
  17 # You should have received a copy of the GNU General Public License version
  18 # 2 along with this work; if not, write to the Free Software Foundation,
  19 # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20 #
  21 # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22 # or visit www.oracle.com if you need additional information or have any
  23 # questions.
  24 #
  25 
  26 include $(SPEC)
  27 include MakeBase.gmk
  28 
  29 # (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK
  30 # builds respectively.)
  31 #
  32 # JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE
  33 # jar files do not require signing, but those for JDK do. If an unsigned
  34 # jar file is installed into JDK, things will break when the crypto
  35 # routines are called.
  36 #
  37 # All jars are created in CreateJars.gmk. This Makefile does the signing
  38 # of the jars for JDK.
  39 #
  40 # For JDK, the binaries use pre-built/pre-signed binary files stored in
  41 # the closed workspace that are not shipped in the OpenJDK workspaces.
  42 # We still build the JDK files to verify the files compile, and in
  43 # preparation for possible signing. Developers working on JCE in JDK
  44 # must sign the JCE files before testing. The JCE signing key is kept
  45 # separate from the JDK workspace to prevent its disclosure.
  46 #
  47 # SPECIAL NOTE TO JCE/JDK developers: The source files must eventually
  48 # be built, signed, and then the resulting jar files MUST BE CHECKED
  49 # INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT
  50 # BE FORGOTTEN*, otherwise a bug fixed in the source code will not be
  51 # reflected in the shipped binaries.
  52 #
  53 # Please consult with Release Engineering, which is responsible for
  54 # creating the final JCE builds suitable for checkin.
  55 #
  56 
  57 # Default target
  58 all:
  59 
  60 ifndef OPENJDK
  61 
  62 README-MAKEFILE_WARNING := \
  63     "\nPlease read jdk/make/SignJars.gmk for further build instructions.\n"
  64 
  65 #
  66 # Location for JCE codesigning key.
  67 #
  68 SIGNING_KEY_DIR := /security/ws/JCE-signing/src
  69 SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks
  70 SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt
  71 SIGNING_ALIAS := oracle_jce_rsa
  72 
  73 #
  74 # Defines for signing the various jar files.
  75 #
  76 check-keystore:
  77         @if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \
  78           $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \
  79           $(PRINTF) $(README-MAKEFILE_WARNING); \
  80           exit 2; \
  81         fi
  82 
  83 $(JDK_OUTPUTDIR)/jce/signed/%: $(JDK_OUTPUTDIR)/jce/unsigned/%
  84         $(call install-file)
  85         $(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \
  86             $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE)
  87         @$(PRINTF) "\nJar codesigning finished.\n"
  88 
  89 JAR_LIST := \
  90     jce.jar \
  91     policy/limited/local_policy.jar \
  92     policy/limited/US_export_policy.jar \
  93     policy/unlimited/local_policy.jar \
  94     policy/unlimited/US_export_policy.jar \
  95     sunec.jar \
  96     sunjce_provider.jar \
  97     sunpkcs11.jar \
  98     sunmscapi.jar \
  99     ucrypto.jar \
 100     #
 101 
 102 UNSIGNED_JARS := $(wildcard $(addprefix $(JDK_OUTPUTDIR)/jce/unsigned/, $(JAR_LIST)))
 103 
 104 ifeq ($(UNSIGNED_JARS), )
 105   $(error No jars found in $(JDK_OUTPUTDIR)/jce/unsigned/)
 106 endif
 107 
 108 SIGNED_JARS := $(patsubst $(JDK_OUTPUTDIR)/jce/unsigned/%,$(JDK_OUTPUTDIR)/jce/signed/%, \
 109     $(UNSIGNED_JARS))
 110 
 111 $(SIGNED_JARS): check-keystore
 112 
 113 $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt: \
 114     $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt
 115         $(install-file)
 116 
 117 all: $(SIGNED_JARS) $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt
 118         @$(PRINTF) "\n*** The jar files built by the 'sign-jars' target are developer      ***"
 119         @$(PRINTF) "\n*** builds only and *MUST NOT* be checked into the closed workspace. ***"
 120         @$(PRINTF) "\n***                                                                  ***"
 121         @$(PRINTF) "\n*** Please consult with Release Engineering: they will generate      ***"
 122         @$(PRINTF) "\n*** the proper binaries for the closed workspace.                    ***"
 123         @$(PRINTF) "\n"
 124         @$(PRINTF) $(README-MAKEFILE_WARNING)
 125 
 126 endif # !OPENJDK