# # Copyright 2007-2008 Sun Microsystems, Inc. All Rights Reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License version 2 only, as # published by the Free Software Foundation. Sun designates this # particular file as subject to the "Classpath" exception as provided # by Sun in the LICENSE file that accompanied this code. # # This code is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # version 2 for more details (a copy is included in the LICENSE file that # accompanied this code). # # You should have received a copy of the GNU General Public License version # 2 along with this work; if not, write to the Free Software Foundation, # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. # # Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, # CA 95054 USA or visit www.sun.com if you need additional information or # have any questions. # # # Makefile for building jce.jar and the various cryptographic strength # policy jar files. # # # (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Sun JDK builds # respectively.) # # JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE # jar files do not require signing, but those for JDK do. If an unsigned # jar file is installed into JDK, things will break when the crypto # routines are called. # # This Makefile does the "real" build of the JCE files. There are some # javac options currently specific to JCE, so we recompile now to make # sure any implicit compilations didn't use any incorrect flags. # # For OpenJDK, the jar files built here are installed directly into the # OpenJDK. # # For JDK, the binaries use pre-built/pre-signed/pre-obfuscated binary # files stored in the closed workspace that are not shipped in the # OpenJDK workspaces. We still build the JDK files here to verify the # files compile, and in preparation for possible signing and # obfuscation. Developers working on JCE in JDK must sign the JCE files # before testing: obfuscation is optional during development. The JCE # signing key is kept separate from the JDK workspace to prevent its # disclosure. The obfuscation tool has not been licensed for general # usage. # # SPECIAL NOTE TO JCE/JDK developers: The source files must eventually # be built, obfuscated, signed, and the resulting jar files *MUST BE # CHECKED INTO THE CLOSED PART OF THE WORKSPACE*. This separate step # *MUST NOT BE FORGOTTEN*, otherwise a bug fixed in the source code will # not be reflected in the shipped binaries. The "release" target should # be used to generate the required files. # # There are a number of targets to help both JDK/OpenJDK developers. # # Main Targets (JDK/OPENJDK): # # all/clobber/clean The usual. # If OpenJDK, installs # jce.jar/limited policy files. # If JDK, installs prebuilt # jce.jar/limited policy files. # # jar Builds/installs jce.jar # If OpenJDK, does not sign # If JDK, tries to sign # # Other lesser-used Targets (JDK/OPENJDK): # # build-jar Builds jce.jar (does not sign/install) # # build-policy Builds policy files (does not sign/install) # # install-jar Alias for "jar" above # # install-limited Builds/installs limited policy files # If OpenJDK, does not sign # If JDK, tries to sign # install-unlimited Builds/nstalls unlimited policy files # If OpenJDK, does not sign # If JDK, tries to sign # # Other targets (JDK only): # # sign Alias for sign-jar and sign-policy # sign-jar Builds/signs jce.jar file (no install) # sign-policy Builds/signs policy files (no install) # # obfus Builds/obfuscates/signs jce.jar # # release Builds all targets in preparation # for workspace integration. # # install-prebuilt Installs the pre-built jar files # # This makefile was written to support parallel target execution. # BUILDDIR = ../.. PACKAGE = javax.crypto PRODUCT = sun # # The following is for when we need to do postprocessing # (signing/obfuscation) against a read-only build. If the OUTPUTDIR # isn't writable, the build currently crashes out. # ifndef OPENJDK ifdef ALT_JCE_BUILD_DIR # ===================================================== # Where to place the output, in case we're building from a read-only # build area. (e.g. a release engineering build.) JCE_BUILD_DIR=${ALT_JCE_BUILD_DIR} IGNORE_WRITABLE_OUTPUTDIR_TEST=true else JCE_BUILD_DIR=${TEMPDIR} endif endif include $(BUILDDIR)/common/Defs.gmk # # Location for the newly built classfiles. # CLASSDESTDIR = $(TEMPDIR)/classes # # Subdirectories of these are automatically included. # AUTO_FILES_JAVA_DIRS = \ javax/crypto \ sun/security/internal/interfaces \ sun/security/internal/spec include $(BUILDDIR)/common/Classes.gmk # # Rules # # # Some licensees do not get the security sources, but we still need to # be able to build "all" for them. Check here to see if the sources were # available. If not, then we don't need to continue this rule. # ifdef OPENJDK all: build-jar install-jar build-policy install-limited else # OPENJDK ifeq ($(strip $(FILES_java)),) all: $(no-source-warning) else # FILES_java/policy files available all: build-jar build-policy $(build-warning) endif # $(FILES_java)/policy files available endif # OPENJDK # # We use a variety of subdirectories in the $(TEMPDIR) depending on what # part of the build we're doing. Both OPENJDK/JDK builds are initially # done in the unsigned area. When files are signed or obfuscated in JDK, # they will be placed in the appropriate areas. # UNSIGNED_DIR = $(TEMPDIR)/unsigned include Defs-jce.gmk # ===================================================== # Build the unsigned jce.jar file. Signing/obfuscation comes later. # JAR_DESTFILE = $(LIBDIR)/jce.jar # # JCE building is somewhat involved. # # OpenJDK: Since we do not ship prebuilt JCE files, previous compiles # in the build may have needed JCE class signatures. There were then # implicitly built by javac (likely using the boot javac). While using # those class files was fine for signatures, we need to rebuild using # the right compiler. # # JDK: Even through the jce.jar was previously installed, since the # source files are accessible in the source directories, they will # always be "newer" than the prebuilt files inside the jar, and thus # make will always rebuild them. (We could "hide" the JCE source in a # separate directory, but that would make the build logic for JDK and # OpenJDK more complicated.) # # Thus in either situation, we shouldn't use these files. # # To make sure the classes were built with the right compiler options, # delete the existing files in $(CLASSBINDIR), rebuild the right way in a # directory under $(TEMPDIR), then copy the files back to # $(CLASSBINDIR). Building in $(TEMPDIR) allows us to use our make # infrastructure without modification: .classes.list, macros, etc. # # # The list of directories that will be remade from scratch, using the # right compilers/options. # DELETE_DIRS = $(patsubst %, $(CLASSBINDIR)/%, $(AUTO_FILES_JAVA_DIRS)) # # Since the -C option to jar is used below, each directory entry must be # preceded with the appropriate directory to "cd" into. # JAR_DIRS = $(patsubst %, -C $(CLASSDESTDIR) %, $(AUTO_FILES_JAVA_DIRS)) build-jar: $(UNSIGNED_DIR)/jce.jar # # Build jce.jar, then replace the previously built JCE files in the # classes directory with these. This ensures we have consistently built # files throughout the workspaces. # $(UNSIGNED_DIR)/jce.jar: prebuild build $(JCE_MANIFEST_FILE) $(prep-target) $(BOOT_JAR_CMD) cmf $(JCE_MANIFEST_FILE) $@ $(JAR_DIRS) \ $(BOOT_JAR_JFLAGS) $(CP) -r $(CLASSDESTDIR)/* $(CLASSBINDIR) @$(java-vm-cleanup) build: prebuild prebuild: $(RM) -r $(DELETE_DIRS) # ===================================================== # Build the unsigned policy files. # # Given the current state of world export/import policies, # these settings work for Sun's situation. This note is not # legal guidance, you must still resolve any export/import issues # applicable for your situation. Contact your export/import # counsel for more information. # POLICY_DESTDIR = $(LIBDIR)/security UNSIGNED_POLICY_BUILDDIR = $(UNSIGNED_DIR)/policy build-policy: unlimited limited # # Build the unsigned unlimited policy files. # unlimited: \ $(UNSIGNED_POLICY_BUILDDIR)/unlimited/US_export_policy.jar \ $(UNSIGNED_POLICY_BUILDDIR)/unlimited/local_policy.jar $(UNSIGNED_POLICY_BUILDDIR)/unlimited/US_export_policy.jar: \ policy/unlimited/default_US_export.policy \ policy/unlimited/UNLIMITED $(prep-target) $(BOOT_JAR_CMD) cmf policy/unlimited/UNLIMITED $@ \ -C policy/unlimited default_US_export.policy \ $(BOOT_JAR_JFLAGS) @$(java-vm-cleanup) $(UNSIGNED_POLICY_BUILDDIR)/unlimited/local_policy.jar: \ policy/unlimited/default_local.policy \ policy/unlimited/UNLIMITED $(prep-target) $(BOOT_JAR_CMD) cmf policy/unlimited/UNLIMITED $@ \ -C policy/unlimited default_local.policy \ $(BOOT_JAR_JFLAGS) @$(java-vm-cleanup) # # Build the unsigned limited policy files. # # NOTE: We currently do not place restrictions on our limited export # policy. This was not a typo. # limited: \ $(UNSIGNED_POLICY_BUILDDIR)/limited/US_export_policy.jar \ $(UNSIGNED_POLICY_BUILDDIR)/limited/local_policy.jar $(UNSIGNED_POLICY_BUILDDIR)/limited/US_export_policy.jar: \ $(UNSIGNED_POLICY_BUILDDIR)/unlimited/US_export_policy.jar $(install-file) $(UNSIGNED_POLICY_BUILDDIR)/limited/local_policy.jar: \ policy/limited/default_local.policy \ policy/limited/exempt_local.policy \ policy/limited/LIMITED $(prep-target) $(BOOT_JAR_CMD) cmf policy/limited/LIMITED $@ \ -C policy/limited default_local.policy \ -C policy/limited exempt_local.policy \ $(BOOT_JAR_JFLAGS) @$(java-vm-cleanup) UNSIGNED_POLICY_FILES = \ $(UNSIGNED_POLICY_BUILDDIR)/unlimited/US_export_policy.jar \ $(UNSIGNED_POLICY_BUILDDIR)/unlimited/local_policy.jar \ $(UNSIGNED_POLICY_BUILDDIR)/limited/US_export_policy.jar \ $(UNSIGNED_POLICY_BUILDDIR)/limited/local_policy.jar \ ifndef OPENJDK # ===================================================== # Sign the various jar files. Not needed for OpenJDK. # SIGNED_DIR = $(JCE_BUILD_DIR)/signed SIGNED_POLICY_BUILDDIR = $(SIGNED_DIR)/policy SIGNED_POLICY_FILES = \ $(patsubst $(UNSIGNED_POLICY_BUILDDIR)/%,$(SIGNED_POLICY_BUILDDIR)/%, \ $(UNSIGNED_POLICY_FILES)) sign: sign-jar sign-policy sign-jar: $(SIGNED_DIR)/jce.jar sign-policy: $(SIGNED_POLICY_FILES) ifndef ALT_JCE_BUILD_DIR $(SIGNED_DIR)/jce.jar: $(UNSIGNED_DIR)/jce.jar else # # We have to remove the build dependency, otherwise, we'll try to rebuild it # which we can't do on a read-only filesystem. # $(SIGNED_DIR)/jce.jar: @if [ ! -r $(UNSIGNED_DIR)/jce.jar ] ; then \ $(ECHO) "Couldn't find $(UNSIGNED_DIR)/jce.jar"; \ exit 1; \ fi endif $(call sign-file, $(UNSIGNED_DIR)/jce.jar) $(SIGNED_POLICY_BUILDDIR)/unlimited/US_export_policy.jar: \ $(UNSIGNED_POLICY_BUILDDIR)/unlimited/US_export_policy.jar $(call sign-file, $<) $(SIGNED_POLICY_BUILDDIR)/unlimited/local_policy.jar: \ $(UNSIGNED_POLICY_BUILDDIR)/unlimited/local_policy.jar $(call sign-file, $<) $(SIGNED_POLICY_BUILDDIR)/limited/US_export_policy.jar: \ $(UNSIGNED_POLICY_BUILDDIR)/limited/US_export_policy.jar $(call sign-file, $<) $(SIGNED_POLICY_BUILDDIR)/limited/local_policy.jar: \ $(UNSIGNED_POLICY_BUILDDIR)/limited/local_policy.jar $(call sign-file, $<) # ===================================================== # Obfuscate/sign/install the JDK build. Not needed for OpenJDK. # OBFUS_DIR = $(JCE_BUILD_DIR)/obfus/jce CLOSED_DIR = $(BUILDDIR)/closed/javax/crypto obfus: $(OBFUS_DIR)/jce.jar $(release-warning) ifndef ALT_JCE_BUILD_DIR $(OBFUS_DIR)/jce.jar: build-jar $(JCE_MANIFEST_FILE) $(OBFUS_DIR)/framework.dox else # # We have to remove the build dependency, otherwise, we'll try to rebuild it # which we can't do on a read-only filesystem. # $(OBFUS_DIR)/jce.jar: $(JCE_MANIFEST_FILE) $(OBFUS_DIR)/framework.dox @if [ ! -d $(CLASSDESTDIR) ] ; then \ $(ECHO) "Couldn't find $(CLASSDESTDIR)"; \ exit 1; \ fi endif @$(ECHO) ">>>Obfuscating JCE framework..." $(presign) $(preobfus) $(prep-target) $(CD) $(OBFUS_DIR); \ $(OBFUSCATOR) -fv framework.dox @$(CD) $(OBFUS_DIR); $(java-vm-cleanup) @# @# The sun.security.internal classes are currently not obfuscated @# due to an obfus problem. Manually copy them to the build directory @# so that they are included in the jce.jar file. @# $(CP) -r $(CLASSDESTDIR)/sun $(OBFUS_DIR)/build $(BOOT_JAR_CMD) cmf $(JCE_MANIFEST_FILE) $@ \ -C $(OBFUS_DIR)/build javax \ -C $(OBFUS_DIR)/build sun \ $(BOOT_JAR_JFLAGS) $(sign-target) @$(java-vm-cleanup) $(OBFUS_DIR)/framework.dox: $(CLOSED_DIR)/obfus/framework.dox @$(ECHO) ">>>Creating framework.dox" $(prep-target) $(SED) "s:@@TEMPDIR@@:$(ABS_TEMPDIR):" $< > $@ # # The current obfuscator has a limitation in that it currently only # supports up to v49 class file format. Force v49 classfiles in our # builds for now. # TARGET_CLASS_VERSION = 5 # ===================================================== # Create the Release Engineering files. Obfuscated builds, # unlimited policy file distribution, etc. # release: $(OBFUS_DIR)/jce.jar sign-policy $(CLOSED_DIR)/doc/COPYRIGHT.html \ $(CLOSED_DIR)/doc/README.txt $(RM) -r \ $(JCE_BUILD_DIR)/release/UnlimitedJCEPolicy \ $(JCE_BUILD_DIR)/release/jce.jar \ $(JCE_BUILD_DIR)/release/US_export_policy.jar \ $(JCE_BUILD_DIR)/release/local_policy.jar \ $(JCE_BUILD_DIR)/release/UnlimitedJCEPolicy.zip $(MKDIR) -p $(JCE_BUILD_DIR)/release/UnlimitedJCEPolicy $(CP) $(OBFUS_DIR)/jce.jar $(JCE_BUILD_DIR)/release $(CP) \ $(SIGNED_POLICY_BUILDDIR)/limited/US_export_policy.jar \ $(SIGNED_POLICY_BUILDDIR)/limited/local_policy.jar \ $(JCE_BUILD_DIR)/release $(CP) \ $(SIGNED_POLICY_BUILDDIR)/unlimited/US_export_policy.jar \ $(SIGNED_POLICY_BUILDDIR)/unlimited/local_policy.jar \ $(CLOSED_DIR)/doc/COPYRIGHT.html \ $(CLOSED_DIR)/doc/README.txt \ $(JCE_BUILD_DIR)/release/UnlimitedJCEPolicy cd $(JCE_BUILD_DIR)/release ; \ $(ZIPEXE) -qr UnlimitedJCEPolicy.zip UnlimitedJCEPolicy $(release-warning) endif # OPENJDK # ===================================================== # Install routines. # # # Install jce.jar, depending on which type is requested. # install-jar jar: $(JAR_DESTFILE) ifndef OPENJDK $(release-warning) endif ifdef OPENJDK $(JAR_DESTFILE): $(UNSIGNED_DIR)/jce.jar else $(JAR_DESTFILE): $(SIGNED_DIR)/jce.jar endif $(install-file) # # Install the appropriate policy file, depending on the type of build. # ifdef OPENJDK INSTALL_POLICYDIR = $(UNSIGNED_POLICY_BUILDDIR) else INSTALL_POLICYDIR = $(SIGNED_POLICY_BUILDDIR) endif install-limited: \ $(INSTALL_POLICYDIR)/limited/US_export_policy.jar \ $(INSTALL_POLICYDIR)/limited/local_policy.jar $(MKDIR) -p $(POLICY_DESTDIR) $(RM) \ $(POLICY_DESTDIR)/US_export_policy.jar \ $(POLICY_DESTDIR)/local_policy.jar $(CP) $^ $(POLICY_DESTDIR) ifndef OPENJDK $(release-warning) endif install-unlimited: \ $(INSTALL_POLICYDIR)/unlimited/US_export_policy.jar \ $(INSTALL_POLICYDIR)/unlimited/local_policy.jar $(MKDIR) -p $(POLICY_DESTDIR) $(RM) \ $(POLICY_DESTDIR)/US_export_policy.jar \ $(POLICY_DESTDIR)/local_policy.jar $(CP) $^ $(POLICY_DESTDIR) ifndef OPENJDK $(release-warning) endif ifndef OPENJDK install-prebuilt: @$(ECHO) "\n>>>Installing prebuilt JCE framework..." $(RM) $(JAR_DESTFILE) \ $(POLICY_DESTDIR)/US_export_policy.jar \ $(POLICY_DESTDIR)/local_policy.jar $(CP) $(PREBUILT_DIR)/jce/jce.jar $(JAR_DESTFILE) $(CP) \ $(PREBUILT_DIR)/jce/US_export_policy.jar \ $(PREBUILT_DIR)/jce/local_policy.jar \ $(POLICY_DESTDIR) endif # ===================================================== # Support routines. # clobber clean:: $(RM) -r $(JAR_DESTFILE) $(POLICY_DESTDIR)/US_export_policy.jar \ $(POLICY_DESTDIR)/local_policy.jar $(DELETE_DIRS) $(TEMPDIR) \ $(JCE_BUILD_DIR) .PHONY: build-jar jar build-policy unlimited limited install-jar \ install-limited install-unlimited ifndef OPENJDK .PHONY: sign sign-jar sign-policy obfus release install-prebuilt endif