-
-
Notifications
You must be signed in to change notification settings - Fork 92
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add support for custom CA certificates (#392)
This adds the capability to add custom CA certificates for Java truststore. Fixes: #293 Signed-off-by: Nikolai Prokoschenko <nikolai.prokoschenko@kurzdigital.com>
- Loading branch information
Showing
85 changed files
with
1,373 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
#!/usr/bin/env bash | ||
|
||
imageTests[openjdk]+=' | ||
java-ca-certificates-update | ||
' | ||
|
||
globalExcludeTests+=( | ||
# nanoservcer/windowsservercore: updating local store with additional certificates is not implemented | ||
[openjdk:nanoserver_java-ca-certificates-update]=1 | ||
[openjdk:windowsservercore_java-ca-certificates-update]=1 | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/server.key -out certs/server.crt` and is only used for testing |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIDRTCCAi2gAwIBAgIUIfl8I/yasxlsTEc30PLLRuleiCswDQYJKoZIhvcNAQEL | ||
BQAwMTEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFjAUBgNVBAMMDURvY2tlckJ1 | ||
aWxkZXIwIBcNMjMwNjEyMTgyNDE1WhgPMzAwMzA4MTQxODI0MTVaMDExFzAVBgoJ | ||
kiaJk/IsZAEZFgdUZW11cmluMRYwFAYDVQQDDA1Eb2NrZXJCdWlsZGVyMIIBIjAN | ||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArfOgmluNXEIE7BWvt7jGgdZW/y5s | ||
N78FcpZdM8Z2FatvjJKvNmJ9OkkkOSNBhGKAWpHn19JMNdQ2nEmTHMetg0hiSqRI | ||
hBceAY4lDfOzxAyZGGpVzL9U1B9mOrX5O3EedF5AVvl0NZVjEwswuGaUa3zZBAKy | ||
Z5Vv/z8Lw2uYIs/dtw8lcpEAb78BZ8bAhhhl+X+tTGK8agibLGQJT9l/JxS3pXyw | ||
me4YaKQQRgvuqOTEt+x+0aA5E2EUTOGq0Li+i1ranf6ou5Dz/Y6LtXwT/j2bf4ZR | ||
w2YHpYZL54UEtMWES2KAjsZ3u4DCxUIEfW8EgxUIhcepIDP1h05A3fSiWQIDAQAB | ||
o1MwUTAdBgNVHQ4EFgQUr0VirSzDQTuNgGjDxRkxPFrjUKcwHwYDVR0jBBgwFoAU | ||
r0VirSzDQTuNgGjDxRkxPFrjUKcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B | ||
AQsFAAOCAQEAlo6ZSAIKSUWqRygyNg9oWuLGfWMW//dZjU1MKBYVpM4Mry/aMD5d | ||
kMQj9hm+zXhNYN01yLh/cdPKCQ/r1KP6lmCtZHp50Xe8HEnIymRYx0KMAcqYLjnT | ||
DXwCPqtWvJ1do65vVJRN70CuF8T1JNFhPdirrAiuU7bhGPABfnbek7yNkTYgUSdb | ||
WpV/WOFPh9Dl24vNl1/Cti+pQThlCgHF/+dVndFHN9FOOG8k8ohYkLwL+ZzKfOiZ | ||
CVWn2mWk2EhcuTlg/3zkXmwjfzFTdXMhS1sdfJNReaY/omJ91euxB0c8iYZV4wuU | ||
ghx+GJ14nO7RJNHNX4k+BBPxy3f56+cYrg== | ||
-----END CERTIFICATE----- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
-----BEGIN PRIVATE KEY----- | ||
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCt86CaW41cQgTs | ||
Fa+3uMaB1lb/Lmw3vwVyll0zxnYVq2+Mkq82Yn06SSQ5I0GEYoBakefX0kw11Dac | ||
SZMcx62DSGJKpEiEFx4BjiUN87PEDJkYalXMv1TUH2Y6tfk7cR50XkBW+XQ1lWMT | ||
CzC4ZpRrfNkEArJnlW//PwvDa5giz923DyVykQBvvwFnxsCGGGX5f61MYrxqCJss | ||
ZAlP2X8nFLelfLCZ7hhopBBGC+6o5MS37H7RoDkTYRRM4arQuL6LWtqd/qi7kPP9 | ||
jou1fBP+PZt/hlHDZgelhkvnhQS0xYRLYoCOxne7gMLFQgR9bwSDFQiFx6kgM/WH | ||
TkDd9KJZAgMBAAECggEAAi4knsKpKn/xAATZO2LaFBcGZ0ji64Od/cduMB+w67PG | ||
yxAsmNsnqX3GBzROq3+GOdG3LPCSastNNZduJq/HAuH69Ly15E1GNOvzQXHtmHZg | ||
SzAhVqwK6WS3sI0xgZdOSSmZl1glkXqyRPMV333OUZbn68GykD331c8UZpTi5tlx | ||
qdOSEWwXQyVXh2mTT8uWWvqJm8OVaSUEo0KPNhsfWliINAXaDvlFle18wb0sQvAK | ||
d/49VMmEoQMocHcXas5jVHZZzxwQ8gV+cA1nFOzOEOYX1IyHjJdfEUWT7Pa3LEjg | ||
rPjEe/KiA3X9mVmofRG0Gvl8YjMiUEOBF/p9hgUxfQKBgQDY3oBUpkwhy3lRw2nu | ||
PublbozVZi12hrEPIlqLSIda6i0hbCA2E5VBykuP7z0VnQOiHQWQPJ77BYEzR6xw | ||
Z/PoJJL8knxtqVg9FsQlcsseDNW2THp53vf/Fiy4t+GoJZ7yezVyYI7RzngDPnCw | ||
buiYUsd9+uKo8+Gs0fnZGSuRvQKBgQDNVrS2/A8NKRv/3cddNqEN4m16pVmAJg8G | ||
Ww7t40W9c/lPW2SBH7wpEUW37N3b8lv1A8L24nJSbqiMjIkFxWroeOeFFEzKWp9r | ||
BlFUu0kn5oAOI1NJOEOmjR9+SslDXetKDJpon60GYWJ8ke5jfaYUTEWIxUXRYOsX | ||
mg8+L2iGzQKBgQCrzWiAptU9GIJdoZ8znCUysKdlDvMJKJ7vzFlKagTAoy9pgMzr | ||
ygu9+NJvjikoDCEqti8IGt4fIjc+NpOG4PM6fm7rI+jqvvMmQfjVaeE7RxOuvVtx | ||
XI++RwTauOFNYbBPjAfFOnUqBJTSjQ6c1t/we/OJ+8y/56RqUlXKBMSdSQKBgQDD | ||
Wz2dZduwCq9/0/FL5qB9hDHiYJPxDsR2qIVgoDyGjWLhNDM/ggDTFYK+BNXi3wbL | ||
6aNAnZpkgLFM3puyaOtYd0bVXsXcMzG+cglI0tI76tlkGgmv/J6oQ1V2IxKuTBmB | ||
ntH8vgWwr1Ay8efasf0jDJmPERhmpo2kK8daw2Hv9QKBgAaxusMUdCSBu5YwI6u4 | ||
6d0nN6WdY2aVcgQXbhJEpsaxT9KqN+LP5wZNf08hyUiO4zSrfVOapOS+10Ng1EYi | ||
YQi8SjQd5deIc/jKKT5k9lCRcfhDq7YQo5pZbUgzDDuxod0WduvBnrf4zAl+K32V | ||
1HI3wrgh88qBEGASVY8y6rDH | ||
-----END PRIVATE KEY----- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
#!/usr/bin/env sh | ||
|
||
exec "$@" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
0101010001 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
#!/bin/bash | ||
|
||
set -o pipefail | ||
|
||
testDir="$(readlink -f "$(dirname "$BASH_SOURCE")")" | ||
runDir="$(dirname "$(readlink -f "$BASH_SOURCE")")" | ||
|
||
# Find Java major/minor/build/patch version | ||
# | ||
# https://stackoverflow.com/a/74459237/6460 | ||
IFS='"' read -r _ java_version_string _ < <(docker run "$1" java -version 2>&1) | ||
IFS='._' read -r \ | ||
java_version_major \ | ||
java_version_minor \ | ||
java_version_build \ | ||
java_version_patch \ | ||
<<<"$java_version_string" | ||
|
||
# CMD1 in each run is just a `date` to make sure nothing is broken with or without the entrypoint | ||
CMD1=date | ||
|
||
# CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore | ||
if [ "$java_version_major" -lt 11 ]; then | ||
# We are working with JDK/JRE 8 | ||
# | ||
# `keytool` from JDK/JRE 8 does not have the `-cacerts` option and also does not have standardized location for the | ||
# `cacerts` file between the JDK and JRE, so we'd want to check both possible locations. | ||
CACERTS=/opt/java/openjdk/lib/security/cacerts | ||
CACERTS2=/opt/java/openjdk/jre/lib/security/cacerts | ||
|
||
CMD2=(sh -c "keytool -list -keystore $CACERTS -storepass changeit -alias dockerbuilder || keytool -list -keystore $CACERTS2 -storepass changeit -alias dockerbuilder") | ||
else | ||
CMD2=(keytool -list -cacerts -storepass changeit -alias dockerbuilder) | ||
fi | ||
|
||
# | ||
# We need to use `docker run`, since `run-in-container.sh` overwrites the entrypoint | ||
# | ||
|
||
# Test run 1: No added certificates and environment variable is not set. We expect CMD1 to succeed and CMD2 to fail. | ||
docker run --rm "$1" $CMD1 >&/dev/null | ||
echo -n $? | ||
docker run --rm "$1" "${CMD2[@]}" >&/dev/null | ||
echo -n $? | ||
|
||
# Test run 2: No added certificates, but the environment variable is set. Since there are no certificates, we still | ||
# expect CMD1 to succeed and CMD2 to fail. | ||
docker run --rm -e USE_SYSTEM_CA_CERTS=1 "$1" $CMD1 >&/dev/null | ||
echo -n $? | ||
docker run --rm -e USE_SYSTEM_CA_CERTS=1 "$1" "${CMD2[@]}" >&/dev/null | ||
echo -n $? | ||
|
||
# Test run 3: Certificates are mounted, but the environment variable is not set, i.e. certificate importing should not | ||
# be activated. We expect CMD1 to succeed and CMD2 to fail. | ||
docker run --rm --volume=$testDir/certs:/certificates "$1" $CMD1 >&/dev/null | ||
echo -n $? | ||
docker run --rm --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null | ||
echo -n $? | ||
|
||
# Test run 4: Certificates are mounted and the environment variable is set. We expect both CMD1 and CMD2 to succeed. | ||
docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" $CMD1 >&/dev/null | ||
echo -n $? | ||
docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null | ||
echo -n $? | ||
|
||
TESTIMAGE=$1.test | ||
|
||
function finish { | ||
docker rmi "$TESTIMAGE" >&/dev/null | ||
} | ||
trap finish EXIT HUP INT TERM | ||
|
||
# Test run 5: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect | ||
# CMD1 to succeed and CMD2 to fail. | ||
# | ||
# But first, we need to create an image with an overridden entrypoint | ||
docker build -t "$1.test" "$runDir" -f - <<EOF >&/dev/null | ||
FROM $1 | ||
COPY custom-entrypoint.sh / | ||
ENTRYPOINT ["/custom-entrypoint.sh"] | ||
EOF | ||
|
||
docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" $CMD1 >&/dev/null | ||
echo -n $? | ||
docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" "${CMD2[@]}" >&/dev/null | ||
echo -n $? |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
#!/usr/bin/env sh | ||
|
||
set -e | ||
|
||
# Opt-in is only activated if the environment variable is set | ||
if [ -n "$USE_SYSTEM_CA_CERTS" ]; then | ||
|
||
# Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty. | ||
# The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the | ||
# system location, for whatever reason. | ||
if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then | ||
cp -a /certificates/* /usr/local/share/ca-certificates/ | ||
fi | ||
|
||
CACERT=$JAVA_HOME/lib/security/cacerts | ||
|
||
# JDK8 puts its JRE in a subdirectory | ||
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then | ||
CACERT=$JAVA_HOME/jre/lib/security/cacerts | ||
fi | ||
|
||
# OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we | ||
# might as well just generate the truststore and skip the hooks. | ||
update-ca-certificates | ||
|
||
trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" | ||
fi | ||
|
||
exec "$@" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -e | ||
|
||
# Opt-in is only activated if the environment variable is set | ||
if [ -n "$USE_SYSTEM_CA_CERTS" ]; then | ||
|
||
# Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty. | ||
# The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the | ||
# system location, for whatever reason. | ||
if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then | ||
cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ | ||
fi | ||
|
||
CACERT=$JAVA_HOME/lib/security/cacerts | ||
|
||
# JDK8 puts its JRE in a subdirectory | ||
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then | ||
CACERT=$JAVA_HOME/jre/lib/security/cacerts | ||
fi | ||
|
||
# RHEL-based images already include a routine to update a java truststore from the system CA bundle within | ||
# `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. | ||
update-ca-trust | ||
|
||
ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" | ||
fi | ||
|
||
exec "$@" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -e | ||
|
||
# Opt-in is only activated if the environment variable is set | ||
if [ -n "$USE_SYSTEM_CA_CERTS" ]; then | ||
|
||
# Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty. | ||
# The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the | ||
# system location, for whatever reason. | ||
if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then | ||
cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/ | ||
fi | ||
|
||
CACERT=$JAVA_HOME/lib/security/cacerts | ||
|
||
# JDK8 puts its JRE in a subdirectory | ||
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then | ||
CACERT=$JAVA_HOME/jre/lib/security/cacerts | ||
fi | ||
|
||
# RHEL-based images already include a routine to update a java truststore from the system CA bundle within | ||
# `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore. | ||
update-ca-trust | ||
|
||
ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT" | ||
fi | ||
|
||
exec "$@" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
#!/usr/bin/env sh | ||
|
||
set -e | ||
|
||
# Opt-in is only activated if the environment variable is set | ||
if [ -n "$USE_SYSTEM_CA_CERTS" ]; then | ||
|
||
# Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty. | ||
# The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the | ||
# system location, for whatever reason. | ||
if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then | ||
cp -a /certificates/* /usr/local/share/ca-certificates/ | ||
fi | ||
|
||
CACERT=$JAVA_HOME/lib/security/cacerts | ||
|
||
# JDK8 puts its JRE in a subdirectory | ||
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then | ||
CACERT=$JAVA_HOME/jre/lib/security/cacerts | ||
fi | ||
|
||
# OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we | ||
# might as well just generate the truststore and skip the hooks. | ||
update-ca-certificates | ||
|
||
trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" | ||
fi | ||
|
||
exec "$@" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
#!/usr/bin/env sh | ||
|
||
set -e | ||
|
||
# Opt-in is only activated if the environment variable is set | ||
if [ -n "$USE_SYSTEM_CA_CERTS" ]; then | ||
|
||
# Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty. | ||
# The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the | ||
# system location, for whatever reason. | ||
if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then | ||
cp -a /certificates/* /usr/local/share/ca-certificates/ | ||
fi | ||
|
||
CACERT=$JAVA_HOME/lib/security/cacerts | ||
|
||
# JDK8 puts its JRE in a subdirectory | ||
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then | ||
CACERT=$JAVA_HOME/jre/lib/security/cacerts | ||
fi | ||
|
||
# OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we | ||
# might as well just generate the truststore and skip the hooks. | ||
update-ca-certificates | ||
|
||
trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" | ||
fi | ||
|
||
exec "$@" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.