Add support for custom CA certificates

This adds the capability to add custom CA certificates for Java truststore.

Fixes: #293
Signed-off-by: Nikolai Prokoschenko <nikolai.prokoschenko@kurzdigital.com>

11/jdk/alpine/Dockerfile.releases.full

@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
     && rm -rf /var/cache/apk/*
 
 ENV JAVA_VERSION jdk-11.0.19+7
@@ -59,5 +60,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 
 CMD ["jshell"]

11/jdk/alpine/entrypoint.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env sh
+
+set -e
+
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+
+    cp -a /certificates/* /usr/local/share/ca-certificates/
+    update-ca-certificates
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"

11/jdk/centos/Dockerfile.releases.full

@@ -66,5 +66,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 
 CMD ["jshell"]

11/jdk/centos/entrypoint.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+    # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+
+    cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+    update-ca-trust
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"

11/jdk/ubi/ubi9-minimal/Dockerfile.releases.full

@@ -70,5 +70,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 
 CMD ["jshell"]

11/jdk/ubi/ubi9-minimal/entrypoint.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+    # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+
+    cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+    update-ca-trust
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"

11/jdk/ubuntu/focal/Dockerfile.releases.full

@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
     && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
     && locale-gen en_US.UTF-8 \
     && rm -rf /var/lib/apt/lists/*
@@ -83,5 +83,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 
 CMD ["jshell"]

11/jdk/ubuntu/focal/entrypoint.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env sh
+
+set -e
+
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+
+    cp -a /certificates/* /usr/local/share/ca-certificates/
+    update-ca-certificates
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"

11/jdk/ubuntu/jammy/Dockerfile.releases.full

@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
     && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
     && locale-gen en_US.UTF-8 \
     && rm -rf /var/lib/apt/lists/*
@@ -83,5 +83,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 
 CMD ["jshell"]

11/jdk/ubuntu/jammy/entrypoint.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env sh
+
+set -e
+
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+
+    cp -a /certificates/* /usr/local/share/ca-certificates/
+    update-ca-certificates
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"

11/jre/alpine/Dockerfile.releases.full

@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
     && rm -rf /var/cache/apk/*
 
 ENV JAVA_VERSION jdk-11.0.19+7
@@ -58,3 +59,5 @@ RUN echo Verifying install ... \
     && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]

11/jre/alpine/entrypoint.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env sh
+
+set -e
+
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+
+    cp -a /certificates/* /usr/local/share/ca-certificates/
+    update-ca-certificates
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"

11/jre/centos/Dockerfile.releases.full

@@ -65,3 +65,5 @@ RUN echo Verifying install ... \
     && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]

11/jre/centos/entrypoint.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+    # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+
+    cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+    update-ca-trust
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"

11/jre/ubi/ubi9-minimal/Dockerfile.releases.full

@@ -69,3 +69,5 @@ RUN echo Verifying install ... \
     && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]

11/jre/ubi/ubi9-minimal/entrypoint.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+    # RHEL-based images already include a routine to update a java truststore from the system CA bundle within
+    # `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.
+
+    cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+    update-ca-trust
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
+fi
+
+exec "$@"

11/jre/ubuntu/focal/Dockerfile.releases.full

@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
     && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
     && locale-gen en_US.UTF-8 \
     && rm -rf /var/lib/apt/lists/*
@@ -82,3 +82,5 @@ RUN echo Verifying install ... \
     && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]

11/jre/ubuntu/focal/entrypoint.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env sh
+
+set -e
+
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+
+    cp -a /certificates/* /usr/local/share/ca-certificates/
+    update-ca-certificates
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"

11/jre/ubuntu/jammy/Dockerfile.releases.full

@@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
     && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
     && locale-gen en_US.UTF-8 \
     && rm -rf /var/lib/apt/lists/*
@@ -82,3 +82,5 @@ RUN echo Verifying install ... \
     && fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]

11/jre/ubuntu/jammy/entrypoint.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env sh
+
+set -e
+
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+    # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+    # might as well just generate the truststore and skip the hooks.
+
+    cp -a /certificates/* /usr/local/share/ca-certificates/
+    update-ca-certificates
+
+    CACERT=$JAVA_HOME/lib/security/cacerts
+
+    # JDK8 puts its JRE in a subdirectory
+    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+        CACERT=$JAVA_HOME/jre/lib/security/cacerts
+    fi
+
+    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"

17/jdk/alpine/Dockerfile.releases.full

@@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 # fontconfig and ttf-dejavu added to support serverside image generation by Java programs
-RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
+# java-cacerts added to support adding CA certificates to the Java keystore
+RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
     && rm -rf /var/cache/apk/*
 
 ENV JAVA_VERSION jdk-17.0.7+7
@@ -59,5 +60,7 @@ RUN echo Verifying install ... \
     && echo javac --version && javac --version \
     && echo java --version && java --version \
     && echo Complete.
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
 
 CMD ["jshell"]