Add support for custom CA certificates (#392)

This adds the capability to add custom CA certificates for Java truststore.

Fixes: #293

Signed-off-by: Nikolai Prokoschenko <nikolai.prokoschenko@kurzdigital.com>

.test/config.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+imageTests[openjdk]+='
+	java-ca-certificates-update
+'
+
+globalExcludeTests+=(
+	# nanoservcer/windowsservercore: updating local store with additional certificates is not implemented
+	[openjdk:nanoserver_java-ca-certificates-update]=1
+	[openjdk:windowsservercore_java-ca-certificates-update]=1
+)

.test/tests/java-ca-certificates-update/certs/README.md

@@ -0,0 +1 @@
+This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/server.key -out certs/server.crt` and is only used for testing

.test/tests/java-ca-certificates-update/certs/server.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUIfl8I/yasxlsTEc30PLLRuleiCswDQYJKoZIhvcNAQEL
+BQAwMTEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFjAUBgNVBAMMDURvY2tlckJ1
+aWxkZXIwIBcNMjMwNjEyMTgyNDE1WhgPMzAwMzA4MTQxODI0MTVaMDExFzAVBgoJ
+kiaJk/IsZAEZFgdUZW11cmluMRYwFAYDVQQDDA1Eb2NrZXJCdWlsZGVyMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArfOgmluNXEIE7BWvt7jGgdZW/y5s
+N78FcpZdM8Z2FatvjJKvNmJ9OkkkOSNBhGKAWpHn19JMNdQ2nEmTHMetg0hiSqRI
+hBceAY4lDfOzxAyZGGpVzL9U1B9mOrX5O3EedF5AVvl0NZVjEwswuGaUa3zZBAKy
+Z5Vv/z8Lw2uYIs/dtw8lcpEAb78BZ8bAhhhl+X+tTGK8agibLGQJT9l/JxS3pXyw
+me4YaKQQRgvuqOTEt+x+0aA5E2EUTOGq0Li+i1ranf6ou5Dz/Y6LtXwT/j2bf4ZR
+w2YHpYZL54UEtMWES2KAjsZ3u4DCxUIEfW8EgxUIhcepIDP1h05A3fSiWQIDAQAB
+o1MwUTAdBgNVHQ4EFgQUr0VirSzDQTuNgGjDxRkxPFrjUKcwHwYDVR0jBBgwFoAU
+r0VirSzDQTuNgGjDxRkxPFrjUKcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQsFAAOCAQEAlo6ZSAIKSUWqRygyNg9oWuLGfWMW//dZjU1MKBYVpM4Mry/aMD5d
+kMQj9hm+zXhNYN01yLh/cdPKCQ/r1KP6lmCtZHp50Xe8HEnIymRYx0KMAcqYLjnT
+DXwCPqtWvJ1do65vVJRN70CuF8T1JNFhPdirrAiuU7bhGPABfnbek7yNkTYgUSdb
+WpV/WOFPh9Dl24vNl1/Cti+pQThlCgHF/+dVndFHN9FOOG8k8ohYkLwL+ZzKfOiZ
+CVWn2mWk2EhcuTlg/3zkXmwjfzFTdXMhS1sdfJNReaY/omJ91euxB0c8iYZV4wuU
+ghx+GJ14nO7RJNHNX4k+BBPxy3f56+cYrg==
+-----END CERTIFICATE-----

.test/tests/java-ca-certificates-update/certs/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCt86CaW41cQgTs
+Fa+3uMaB1lb/Lmw3vwVyll0zxnYVq2+Mkq82Yn06SSQ5I0GEYoBakefX0kw11Dac
+SZMcx62DSGJKpEiEFx4BjiUN87PEDJkYalXMv1TUH2Y6tfk7cR50XkBW+XQ1lWMT
+CzC4ZpRrfNkEArJnlW//PwvDa5giz923DyVykQBvvwFnxsCGGGX5f61MYrxqCJss
+ZAlP2X8nFLelfLCZ7hhopBBGC+6o5MS37H7RoDkTYRRM4arQuL6LWtqd/qi7kPP9
+jou1fBP+PZt/hlHDZgelhkvnhQS0xYRLYoCOxne7gMLFQgR9bwSDFQiFx6kgM/WH
+TkDd9KJZAgMBAAECggEAAi4knsKpKn/xAATZO2LaFBcGZ0ji64Od/cduMB+w67PG
+yxAsmNsnqX3GBzROq3+GOdG3LPCSastNNZduJq/HAuH69Ly15E1GNOvzQXHtmHZg
+SzAhVqwK6WS3sI0xgZdOSSmZl1glkXqyRPMV333OUZbn68GykD331c8UZpTi5tlx
+qdOSEWwXQyVXh2mTT8uWWvqJm8OVaSUEo0KPNhsfWliINAXaDvlFle18wb0sQvAK
+d/49VMmEoQMocHcXas5jVHZZzxwQ8gV+cA1nFOzOEOYX1IyHjJdfEUWT7Pa3LEjg
+rPjEe/KiA3X9mVmofRG0Gvl8YjMiUEOBF/p9hgUxfQKBgQDY3oBUpkwhy3lRw2nu
+PublbozVZi12hrEPIlqLSIda6i0hbCA2E5VBykuP7z0VnQOiHQWQPJ77BYEzR6xw
+Z/PoJJL8knxtqVg9FsQlcsseDNW2THp53vf/Fiy4t+GoJZ7yezVyYI7RzngDPnCw
+buiYUsd9+uKo8+Gs0fnZGSuRvQKBgQDNVrS2/A8NKRv/3cddNqEN4m16pVmAJg8G
+Ww7t40W9c/lPW2SBH7wpEUW37N3b8lv1A8L24nJSbqiMjIkFxWroeOeFFEzKWp9r
+BlFUu0kn5oAOI1NJOEOmjR9+SslDXetKDJpon60GYWJ8ke5jfaYUTEWIxUXRYOsX
+mg8+L2iGzQKBgQCrzWiAptU9GIJdoZ8znCUysKdlDvMJKJ7vzFlKagTAoy9pgMzr
+ygu9+NJvjikoDCEqti8IGt4fIjc+NpOG4PM6fm7rI+jqvvMmQfjVaeE7RxOuvVtx
+XI++RwTauOFNYbBPjAfFOnUqBJTSjQ6c1t/we/OJ+8y/56RqUlXKBMSdSQKBgQDD
+Wz2dZduwCq9/0/FL5qB9hDHiYJPxDsR2qIVgoDyGjWLhNDM/ggDTFYK+BNXi3wbL
+6aNAnZpkgLFM3puyaOtYd0bVXsXcMzG+cglI0tI76tlkGgmv/J6oQ1V2IxKuTBmB
+ntH8vgWwr1Ay8efasf0jDJmPERhmpo2kK8daw2Hv9QKBgAaxusMUdCSBu5YwI6u4
+6d0nN6WdY2aVcgQXbhJEpsaxT9KqN+LP5wZNf08hyUiO4zSrfVOapOS+10Ng1EYi
+YQi8SjQd5deIc/jKKT5k9lCRcfhDq7YQo5pZbUgzDDuxod0WduvBnrf4zAl+K32V
+1HI3wrgh88qBEGASVY8y6rDH
+-----END PRIVATE KEY-----

.test/tests/java-ca-certificates-update/custom-entrypoint.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env sh
+
+exec "$@"

.test/tests/java-ca-certificates-update/expected-std-out.txt

@@ -0,0 +1 @@
+0101010001

.test/tests/java-ca-certificates-update/run.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+
+set -o pipefail 
+
+testDir="$(readlink -f "$(dirname "$BASH_SOURCE")")"
+runDir="$(dirname "$(readlink -f "$BASH_SOURCE")")"
+
+# Find Java major/minor/build/patch version
+# 
+# https://stackoverflow.com/a/74459237/6460
+IFS='"' read -r _ java_version_string _ < <(docker run "$1" java -version 2>&1)
+IFS='._' read -r \
+    java_version_major \
+    java_version_minor \
+    java_version_build \
+    java_version_patch \
+    <<<"$java_version_string"
+
+# CMD1 in each run is just a `date` to make sure nothing is broken with or without the entrypoint
+CMD1=date
+
+# CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore
+if [ "$java_version_major" -lt 11 ]; then
+    # We are working with JDK/JRE 8
+    #
+    # `keytool` from JDK/JRE 8 does not have the `-cacerts` option and also does not have standardized location for the
+    # `cacerts` file between the JDK and JRE, so we'd want to check both possible locations.
+    CACERTS=/opt/java/openjdk/lib/security/cacerts
+    CACERTS2=/opt/java/openjdk/jre/lib/security/cacerts
+
+    CMD2=(sh -c "keytool -list -keystore $CACERTS -storepass changeit -alias dockerbuilder || keytool -list -keystore $CACERTS2 -storepass changeit -alias dockerbuilder")
+else
+    CMD2=(keytool -list -cacerts -storepass changeit -alias dockerbuilder)
+fi
+
+# 
+# We need to use `docker run`, since `run-in-container.sh` overwrites the entrypoint
+#
+
+# Test run 1: No added certificates and environment variable is not set. We expect CMD1 to succeed and CMD2 to fail.
+docker run --rm "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 2: No added certificates, but the environment variable is set. Since there are no certificates, we still
+# expect CMD1 to succeed and CMD2 to fail.
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 3: Certificates are mounted, but the environment variable is not set, i.e. certificate importing should not
+# be activated. We expect CMD1 to succeed and CMD2 to fail.
+docker run --rm --volume=$testDir/certs:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 4: Certificates are mounted and the environment variable is set. We expect both CMD1 and CMD2 to succeed.
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+TESTIMAGE=$1.test
+
+function finish {
+    docker rmi "$TESTIMAGE" >&/dev/null
+}
+trap finish EXIT HUP INT TERM
+
+# Test run 5: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
+# CMD1 to succeed and CMD2 to fail.
+#
+# But first, we need to create an image with an overridden entrypoint
+docker build -t "$1.test" "$runDir" -f - <<EOF >&/dev/null 
+FROM $1
+COPY custom-entrypoint.sh /
+ENTRYPOINT ["/custom-entrypoint.sh"]
+EOF
+
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" "${CMD2[@]}" >&/dev/null
+echo -n $?

11/jdk/alpine/Dockerfile.releases.full

@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
     && rm -rf /var/cache/apk/*
 
 ENV JAVA_VERSION jdk-11.0.20+8
@@ -59,5 +60,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 
 CMD ["jshell"]

11/jdk/alpine/entrypoint.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/local/share/ca-certificates/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+    update-ca-certificates
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"

11/jdk/centos/Dockerfile.releases.full

@@ -66,5 +66,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 
 CMD ["jshell"]

11/jdk/centos/entrypoint.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+    # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+    update-ca-trust
+
+    ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"

11/jdk/ubi/ubi9-minimal/Dockerfile.releases.full

@@ -70,5 +70,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 
 CMD ["jshell"]

11/jdk/ubi/ubi9-minimal/entrypoint.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+    # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+    update-ca-trust
+
+    ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"

11/jdk/ubuntu/focal/Dockerfile.releases.full

@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
     && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
     && locale-gen en_US.UTF-8 \
     && rm -rf /var/lib/apt/lists/*
@@ -83,5 +83,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 
 CMD ["jshell"]

11/jdk/ubuntu/focal/entrypoint.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/local/share/ca-certificates/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+    update-ca-certificates
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"

11/jdk/ubuntu/jammy/Dockerfile.releases.full

@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
     && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
     && locale-gen en_US.UTF-8 \
     && rm -rf /var/lib/apt/lists/*
@@ -83,5 +83,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 
 CMD ["jshell"]

11/jdk/ubuntu/jammy/entrypoint.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+    # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+    # system location, for whatever reason.
+    if [ -d /certificates ] && [ "$(ls -A /certificates)" ]; then
+        cp -a /certificates/* /usr/local/share/ca-certificates/
+    fi
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+    update-ca-certificates
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"

11/jre/alpine/Dockerfile.releases.full

@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
     && rm -rf /var/cache/apk/*
 
 ENV JAVA_VERSION jdk-11.0.20+8
@@ -58,3 +59,5 @@ RUN echo Verifying install ... \
     && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]