openjdk: Introduce JAVAX_NET_SSL_TRUSTSTORE env

This small patch makes it possible to control java's truststore path through
the environment. This lets you add (system- or session-wide) CAs that should
be allowed by Java. Java users can still use -Djavax.net.ssl.truststore to
override the truststore set by JAVAX_NET_SSL_TRUSTSTORE.

Something like this can be used to build the truststore (in this example just
using the standard pkgs.cacert CA-bundle):

{
  environment.variables.JAVAX_NET_SSL_TRUSTSTORE = "${
    pkgs.runCommand "cacerts" {} ''
      ${pkgs.perl}/bin/perl \
        ${pkgs.path}/pkgs/development/compilers/openjdk/generate-cacerts.pl \
        ${pkgs.jre}/bin/keytool \
        ${pkgs.cacert}/etc/ca-bundle.crt
      mv cacerts $out
    ''
  }";
}

Ideally, the dependency on pkgs.cacert should also be removed from pkgs.openjdk
to avoid rebuilding java each time the standard CA-bundle changes. Something
along the example above must then be added to NixOS (however, it would be
nice to not depend on ${pkgs.jre}/bin/keytool to generate that environment
variable).

0 files changed, 0 insertions, 0 deletions