Skip to content

Commit

Permalink
Address comments on the "rootless CA certs" patch (#572)
Browse files Browse the repository at this point in the history
Address the following problems with #538:

1. Correct the shell selection for entrypoint, Ubuntu flavours still need explicit `bash` for variables with dots in
their names
2. Change unhelpful exported variable name (changed from `CACERT` to `JRE_CACERTS_PATH`)
3. Change `which` to more-POSIX-compatible `command -v`
4. More cleanup
5. Explicitely use `TMPDIR` when available instead of hard-coded `/tmp`
6. Support multi-certificate files (again)
7. Make output less verbose
  • Loading branch information
rassie authored Jul 24, 2024
1 parent bbda8cc commit 43fcefc
Show file tree
Hide file tree
Showing 100 changed files with 2,030 additions and 832 deletions.
20 changes: 20 additions & 0 deletions .test/tests/java-ca-certificates-update/certs/.dockerbuilder2.crt
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDRzCCAi+gAwIBAgIUZuRSLr7riMCDUFHVQKYQh/abmZQwDQYJKoZIhvcNAQEL
BQAwMjEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFzAVBgNVBAMMDkRvY2tlckJ1
aWxkZXIyMCAXDTI0MDcyNDIxMDk0NloYDzMwMDQwOTI1MjEwOTQ2WjAyMRcwFQYK
CZImiZPyLGQBGRYHVGVtdXJpbjEXMBUGA1UEAwwORG9ja2VyQnVpbGRlcjIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSs004yyVW4dEREZgTGbN1Dzbc
+VcRXUCfVCuiWFeT8a8oHZrbtNxCXD6whcGvLHsjszJKUCseDLCnSlHIpU6Ax7tP
WGsUhY6Zl8I+JzeB/8tYpyNRCLlm2Rp5Iv4oOX2btKYoUy+oFkWP+N8d1taRSrhR
vbPz+FwFSrtQwuT+grQP9yWO0qFrHL5Vjckg0BjELMYZ4rUx4KsV+JsmCf6oPDt4
b+gnMoZebumKTJ53Ej/Kh0Z30s+UHR9WlbZ9KEyuBifgErw/USqpibaQbG1UTX1f
5LealeITduNWcXIAkQYHddCyt8YRtO9oVrxxVdFmCtU4qUHlov7kxAdOC/KTAgMB
AAGjUzBRMB0GA1UdDgQWBBQ1oKojBf5qgkezUk6axrz3CjdHmzAfBgNVHSMEGDAW
gBQ1oKojBf5qgkezUk6axrz3CjdHmzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4IBAQCDUUOV23QzoqeGs7CKHXg+Mvxn6E4Tm395c0RKJRiHXEueQ2JD
e7ywfb11f/vGyudWVKe1wiRuMP4U8G6V3m6C/CSJrz1J3N9fvN23iPaZIh1O0vSr
xOz5UmiSsRW8BEQYCvF8CoWim1fG+KjtRhO6QqKLtK11j6TwZaUBIvSwK+OZKSuw
q8SuBRXNrIJvH0bonOXcuivOkruU0aRdizIG5Ed0OV2PVfbw2gu7Om83ADbVuSOV
noMwGjDVzVRAs8lu4ijuAryshVQK0LkImrwp+YkhRkFus0HWJqi/Ox+BHZt3BiFs
ATt9J3LCLazvP6LGr4rlZixJqM2ZC7dP0lOl
-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions .test/tests/java-ca-certificates-update/certs/.dockerbuilder2.key
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDSs004yyVW4dER
EZgTGbN1Dzbc+VcRXUCfVCuiWFeT8a8oHZrbtNxCXD6whcGvLHsjszJKUCseDLCn
SlHIpU6Ax7tPWGsUhY6Zl8I+JzeB/8tYpyNRCLlm2Rp5Iv4oOX2btKYoUy+oFkWP
+N8d1taRSrhRvbPz+FwFSrtQwuT+grQP9yWO0qFrHL5Vjckg0BjELMYZ4rUx4KsV
+JsmCf6oPDt4b+gnMoZebumKTJ53Ej/Kh0Z30s+UHR9WlbZ9KEyuBifgErw/USqp
ibaQbG1UTX1f5LealeITduNWcXIAkQYHddCyt8YRtO9oVrxxVdFmCtU4qUHlov7k
xAdOC/KTAgMBAAECggEAANIrB8nVtFbjVrmdnEqVs8drnITzVmYN+gxhaSTiQwuq
9dWyjY6+omPYVma94GKADlR7oXd+7cyLks65rrXRCdi0PaKw6vox9WdkMCY803zr
BWrouq0Hq1W0y3x3WOjrSyjOiTgdwhBDlLH1Vk/tV/VwybOa4dMeRKveFkNmbXKU
ZeR62r95vob4F5Ui6CWqSDRXFSml8VvBkU+6RAm697Lm5JQKoOuUueR9/L5z2Y0Z
rpGeBQ2tbbRIAvQWG3PhQirDqduL2e8aUs/RG8jGmbAnB9LoWJtaBEgLoza6221F
vboRWDLG5yZorXeGHT169+LQQ84rtwyjbQkvKjcP1QKBgQD632J17fWqK5cBaU2c
2bxAwS8aoqzPgBkAD2E8/VBEmJfjUAH5KVNuF9oeO/ho6JUOHoAWxMeu9v0ikynb
wnznQXlgieJCockJaTx1fkE/+W38uRXLK1TBSHFB7QdhPJbdeOh0jbsxNoX3wCAW
jQDUf2CoVdt+326II71IhDnnbQKBgQDXAbpkEWMYnWbl+WmSwGGud2AO7Uaw6ZQK
e83/zKQYcLsGHVMEJ41i2Lrd+VGJjK1eHUyOxHYg4Cel4cG5P7sU45yhehHVAeau
Z8KzQbB8BGcyMUoQFMIK5AXIiVdgTvt+aoKMEfXSAuZi1g5ATSS6zBoXWxlJyQ4b
R1MqOvMB/wKBgAw/3A7mD5i/iCAJhECkYQzIYgRq7QU0vAPEvHq94611xfTTc0U3
P1ugzoWrZ/W3ZY/K7XYvJZDlfnaxuNmCJZclG0gbc3DNdYOAH/OctpLpGvW8E9RX
yUumveD6MeINk1A9FxyZzwoYH3J5bxeqyt+VWKLfjlgjkMIU/KkNy8YBAoGAbU2G
mTqxmyDh38YE4sMEpbIwVkZP6r5EMXQxDHrXbUlZ+sjLnFATM44kqZYG2pt2w2K3
udisiRgLb+wuFOQOUpdH2Ft7V0NpJ36+X2zksJd4cu7VzQkQgILdYc5YajCc7+5r
wZOb2ZD52IMjqZLOOlxqYzc/yt/4WOvQnqZrRbcCgYBQopNwh9Hx9SBIHkkZkq1Z
iiPZl05khB/Vw76hABwjMillQd+nOJNf4kymIiOzfThEw/a4kam1zWvN0kq9Guu/
YMvd73sqcudB5IWIjdqq0lKML2rcoBGqKGj5dFZt6Un/jqbi5nHeoMubrZkXUdG8
PDtV2BTZDwmo+btPF//U5Q==
-----END PRIVATE KEY-----
10 changes: 9 additions & 1 deletion .test/tests/java-ca-certificates-update/certs/README.md
Original file line number Diff line number Diff line change
@@ -1 +1,9 @@
This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt` and is only used for testing
These certificate/key pairs has been generated with

``` shell
$ openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt
$ openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder2" -keyout certs/dockerbuilder2.key -out certs/dockerbuilder2.crt
$ cat certs/dockerbuilder.crt certs/dockerbuilder2.crt > certs/multi-cert.crt
```

and are only used for testing
40 changes: 40 additions & 0 deletions .test/tests/java-ca-certificates-update/certs/multi-cert.crt
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
-----BEGIN CERTIFICATE-----
MIIDRTCCAi2gAwIBAgIUIfl8I/yasxlsTEc30PLLRuleiCswDQYJKoZIhvcNAQEL
BQAwMTEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFjAUBgNVBAMMDURvY2tlckJ1
aWxkZXIwIBcNMjMwNjEyMTgyNDE1WhgPMzAwMzA4MTQxODI0MTVaMDExFzAVBgoJ
kiaJk/IsZAEZFgdUZW11cmluMRYwFAYDVQQDDA1Eb2NrZXJCdWlsZGVyMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArfOgmluNXEIE7BWvt7jGgdZW/y5s
N78FcpZdM8Z2FatvjJKvNmJ9OkkkOSNBhGKAWpHn19JMNdQ2nEmTHMetg0hiSqRI
hBceAY4lDfOzxAyZGGpVzL9U1B9mOrX5O3EedF5AVvl0NZVjEwswuGaUa3zZBAKy
Z5Vv/z8Lw2uYIs/dtw8lcpEAb78BZ8bAhhhl+X+tTGK8agibLGQJT9l/JxS3pXyw
me4YaKQQRgvuqOTEt+x+0aA5E2EUTOGq0Li+i1ranf6ou5Dz/Y6LtXwT/j2bf4ZR
w2YHpYZL54UEtMWES2KAjsZ3u4DCxUIEfW8EgxUIhcepIDP1h05A3fSiWQIDAQAB
o1MwUTAdBgNVHQ4EFgQUr0VirSzDQTuNgGjDxRkxPFrjUKcwHwYDVR0jBBgwFoAU
r0VirSzDQTuNgGjDxRkxPFrjUKcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAQEAlo6ZSAIKSUWqRygyNg9oWuLGfWMW//dZjU1MKBYVpM4Mry/aMD5d
kMQj9hm+zXhNYN01yLh/cdPKCQ/r1KP6lmCtZHp50Xe8HEnIymRYx0KMAcqYLjnT
DXwCPqtWvJ1do65vVJRN70CuF8T1JNFhPdirrAiuU7bhGPABfnbek7yNkTYgUSdb
WpV/WOFPh9Dl24vNl1/Cti+pQThlCgHF/+dVndFHN9FOOG8k8ohYkLwL+ZzKfOiZ
CVWn2mWk2EhcuTlg/3zkXmwjfzFTdXMhS1sdfJNReaY/omJ91euxB0c8iYZV4wuU
ghx+GJ14nO7RJNHNX4k+BBPxy3f56+cYrg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDRzCCAi+gAwIBAgIUZuRSLr7riMCDUFHVQKYQh/abmZQwDQYJKoZIhvcNAQEL
BQAwMjEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFzAVBgNVBAMMDkRvY2tlckJ1
aWxkZXIyMCAXDTI0MDcyNDIxMDk0NloYDzMwMDQwOTI1MjEwOTQ2WjAyMRcwFQYK
CZImiZPyLGQBGRYHVGVtdXJpbjEXMBUGA1UEAwwORG9ja2VyQnVpbGRlcjIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSs004yyVW4dEREZgTGbN1Dzbc
+VcRXUCfVCuiWFeT8a8oHZrbtNxCXD6whcGvLHsjszJKUCseDLCnSlHIpU6Ax7tP
WGsUhY6Zl8I+JzeB/8tYpyNRCLlm2Rp5Iv4oOX2btKYoUy+oFkWP+N8d1taRSrhR
vbPz+FwFSrtQwuT+grQP9yWO0qFrHL5Vjckg0BjELMYZ4rUx4KsV+JsmCf6oPDt4
b+gnMoZebumKTJ53Ej/Kh0Z30s+UHR9WlbZ9KEyuBifgErw/USqpibaQbG1UTX1f
5LealeITduNWcXIAkQYHddCyt8YRtO9oVrxxVdFmCtU4qUHlov7kxAdOC/KTAgMB
AAGjUzBRMB0GA1UdDgQWBBQ1oKojBf5qgkezUk6axrz3CjdHmzAfBgNVHSMEGDAW
gBQ1oKojBf5qgkezUk6axrz3CjdHmzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4IBAQCDUUOV23QzoqeGs7CKHXg+Mvxn6E4Tm395c0RKJRiHXEueQ2JD
e7ywfb11f/vGyudWVKe1wiRuMP4U8G6V3m6C/CSJrz1J3N9fvN23iPaZIh1O0vSr
xOz5UmiSsRW8BEQYCvF8CoWim1fG+KjtRhO6QqKLtK11j6TwZaUBIvSwK+OZKSuw
q8SuBRXNrIJvH0bonOXcuivOkruU0aRdizIG5Ed0OV2PVfbw2gu7Om83ADbVuSOV
noMwGjDVzVRAs8lu4ijuAryshVQK0LkImrwp+YkhRkFus0HWJqi/Ox+BHZt3BiFs
ATt9J3LCLazvP6LGr4rlZixJqM2ZC7dP0lOl
-----END CERTIFICATE-----
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDRzCCAi+gAwIBAgIUZuRSLr7riMCDUFHVQKYQh/abmZQwDQYJKoZIhvcNAQEL
BQAwMjEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFzAVBgNVBAMMDkRvY2tlckJ1
aWxkZXIyMCAXDTI0MDcyNDIxMDk0NloYDzMwMDQwOTI1MjEwOTQ2WjAyMRcwFQYK
CZImiZPyLGQBGRYHVGVtdXJpbjEXMBUGA1UEAwwORG9ja2VyQnVpbGRlcjIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSs004yyVW4dEREZgTGbN1Dzbc
+VcRXUCfVCuiWFeT8a8oHZrbtNxCXD6whcGvLHsjszJKUCseDLCnSlHIpU6Ax7tP
WGsUhY6Zl8I+JzeB/8tYpyNRCLlm2Rp5Iv4oOX2btKYoUy+oFkWP+N8d1taRSrhR
vbPz+FwFSrtQwuT+grQP9yWO0qFrHL5Vjckg0BjELMYZ4rUx4KsV+JsmCf6oPDt4
b+gnMoZebumKTJ53Ej/Kh0Z30s+UHR9WlbZ9KEyuBifgErw/USqpibaQbG1UTX1f
5LealeITduNWcXIAkQYHddCyt8YRtO9oVrxxVdFmCtU4qUHlov7kxAdOC/KTAgMB
AAGjUzBRMB0GA1UdDgQWBBQ1oKojBf5qgkezUk6axrz3CjdHmzAfBgNVHSMEGDAW
gBQ1oKojBf5qgkezUk6axrz3CjdHmzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4IBAQCDUUOV23QzoqeGs7CKHXg+Mvxn6E4Tm395c0RKJRiHXEueQ2JD
e7ywfb11f/vGyudWVKe1wiRuMP4U8G6V3m6C/CSJrz1J3N9fvN23iPaZIh1O0vSr
xOz5UmiSsRW8BEQYCvF8CoWim1fG+KjtRhO6QqKLtK11j6TwZaUBIvSwK+OZKSuw
q8SuBRXNrIJvH0bonOXcuivOkruU0aRdizIG5Ed0OV2PVfbw2gu7Om83ADbVuSOV
noMwGjDVzVRAs8lu4ijuAryshVQK0LkImrwp+YkhRkFus0HWJqi/Ox+BHZt3BiFs
ATt9J3LCLazvP6LGr4rlZixJqM2ZC7dP0lOl
-----END CERTIFICATE-----
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDSs004yyVW4dER
EZgTGbN1Dzbc+VcRXUCfVCuiWFeT8a8oHZrbtNxCXD6whcGvLHsjszJKUCseDLCn
SlHIpU6Ax7tPWGsUhY6Zl8I+JzeB/8tYpyNRCLlm2Rp5Iv4oOX2btKYoUy+oFkWP
+N8d1taRSrhRvbPz+FwFSrtQwuT+grQP9yWO0qFrHL5Vjckg0BjELMYZ4rUx4KsV
+JsmCf6oPDt4b+gnMoZebumKTJ53Ej/Kh0Z30s+UHR9WlbZ9KEyuBifgErw/USqp
ibaQbG1UTX1f5LealeITduNWcXIAkQYHddCyt8YRtO9oVrxxVdFmCtU4qUHlov7k
xAdOC/KTAgMBAAECggEAANIrB8nVtFbjVrmdnEqVs8drnITzVmYN+gxhaSTiQwuq
9dWyjY6+omPYVma94GKADlR7oXd+7cyLks65rrXRCdi0PaKw6vox9WdkMCY803zr
BWrouq0Hq1W0y3x3WOjrSyjOiTgdwhBDlLH1Vk/tV/VwybOa4dMeRKveFkNmbXKU
ZeR62r95vob4F5Ui6CWqSDRXFSml8VvBkU+6RAm697Lm5JQKoOuUueR9/L5z2Y0Z
rpGeBQ2tbbRIAvQWG3PhQirDqduL2e8aUs/RG8jGmbAnB9LoWJtaBEgLoza6221F
vboRWDLG5yZorXeGHT169+LQQ84rtwyjbQkvKjcP1QKBgQD632J17fWqK5cBaU2c
2bxAwS8aoqzPgBkAD2E8/VBEmJfjUAH5KVNuF9oeO/ho6JUOHoAWxMeu9v0ikynb
wnznQXlgieJCockJaTx1fkE/+W38uRXLK1TBSHFB7QdhPJbdeOh0jbsxNoX3wCAW
jQDUf2CoVdt+326II71IhDnnbQKBgQDXAbpkEWMYnWbl+WmSwGGud2AO7Uaw6ZQK
e83/zKQYcLsGHVMEJ41i2Lrd+VGJjK1eHUyOxHYg4Cel4cG5P7sU45yhehHVAeau
Z8KzQbB8BGcyMUoQFMIK5AXIiVdgTvt+aoKMEfXSAuZi1g5ATSS6zBoXWxlJyQ4b
R1MqOvMB/wKBgAw/3A7mD5i/iCAJhECkYQzIYgRq7QU0vAPEvHq94611xfTTc0U3
P1ugzoWrZ/W3ZY/K7XYvJZDlfnaxuNmCJZclG0gbc3DNdYOAH/OctpLpGvW8E9RX
yUumveD6MeINk1A9FxyZzwoYH3J5bxeqyt+VWKLfjlgjkMIU/KkNy8YBAoGAbU2G
mTqxmyDh38YE4sMEpbIwVkZP6r5EMXQxDHrXbUlZ+sjLnFATM44kqZYG2pt2w2K3
udisiRgLb+wuFOQOUpdH2Ft7V0NpJ36+X2zksJd4cu7VzQkQgILdYc5YajCc7+5r
wZOb2ZD52IMjqZLOOlxqYzc/yt/4WOvQnqZrRbcCgYBQopNwh9Hx9SBIHkkZkq1Z
iiPZl05khB/Vw76hABwjMillQd+nOJNf4kymIiOzfThEw/a4kam1zWvN0kq9Guu/
YMvd73sqcudB5IWIjdqq0lKML2rcoBGqKGj5dFZt6Un/jqbi5nHeoMubrZkXUdG8
PDtV2BTZDwmo+btPF//U5Q==
-----END PRIVATE KEY-----
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
-----BEGIN CERTIFICATE-----
MIIDRTCCAi2gAwIBAgIUIfl8I/yasxlsTEc30PLLRuleiCswDQYJKoZIhvcNAQEL
BQAwMTEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFjAUBgNVBAMMDURvY2tlckJ1
aWxkZXIwIBcNMjMwNjEyMTgyNDE1WhgPMzAwMzA4MTQxODI0MTVaMDExFzAVBgoJ
kiaJk/IsZAEZFgdUZW11cmluMRYwFAYDVQQDDA1Eb2NrZXJCdWlsZGVyMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArfOgmluNXEIE7BWvt7jGgdZW/y5s
N78FcpZdM8Z2FatvjJKvNmJ9OkkkOSNBhGKAWpHn19JMNdQ2nEmTHMetg0hiSqRI
hBceAY4lDfOzxAyZGGpVzL9U1B9mOrX5O3EedF5AVvl0NZVjEwswuGaUa3zZBAKy
Z5Vv/z8Lw2uYIs/dtw8lcpEAb78BZ8bAhhhl+X+tTGK8agibLGQJT9l/JxS3pXyw
me4YaKQQRgvuqOTEt+x+0aA5E2EUTOGq0Li+i1ranf6ou5Dz/Y6LtXwT/j2bf4ZR
w2YHpYZL54UEtMWES2KAjsZ3u4DCxUIEfW8EgxUIhcepIDP1h05A3fSiWQIDAQAB
o1MwUTAdBgNVHQ4EFgQUr0VirSzDQTuNgGjDxRkxPFrjUKcwHwYDVR0jBBgwFoAU
r0VirSzDQTuNgGjDxRkxPFrjUKcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAQEAlo6ZSAIKSUWqRygyNg9oWuLGfWMW//dZjU1MKBYVpM4Mry/aMD5d
kMQj9hm+zXhNYN01yLh/cdPKCQ/r1KP6lmCtZHp50Xe8HEnIymRYx0KMAcqYLjnT
DXwCPqtWvJ1do65vVJRN70CuF8T1JNFhPdirrAiuU7bhGPABfnbek7yNkTYgUSdb
WpV/WOFPh9Dl24vNl1/Cti+pQThlCgHF/+dVndFHN9FOOG8k8ohYkLwL+ZzKfOiZ
CVWn2mWk2EhcuTlg/3zkXmwjfzFTdXMhS1sdfJNReaY/omJ91euxB0c8iYZV4wuU
ghx+GJ14nO7RJNHNX4k+BBPxy3f56+cYrg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDRzCCAi+gAwIBAgIUZuRSLr7riMCDUFHVQKYQh/abmZQwDQYJKoZIhvcNAQEL
BQAwMjEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFzAVBgNVBAMMDkRvY2tlckJ1
aWxkZXIyMCAXDTI0MDcyNDIxMDk0NloYDzMwMDQwOTI1MjEwOTQ2WjAyMRcwFQYK
CZImiZPyLGQBGRYHVGVtdXJpbjEXMBUGA1UEAwwORG9ja2VyQnVpbGRlcjIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSs004yyVW4dEREZgTGbN1Dzbc
+VcRXUCfVCuiWFeT8a8oHZrbtNxCXD6whcGvLHsjszJKUCseDLCnSlHIpU6Ax7tP
WGsUhY6Zl8I+JzeB/8tYpyNRCLlm2Rp5Iv4oOX2btKYoUy+oFkWP+N8d1taRSrhR
vbPz+FwFSrtQwuT+grQP9yWO0qFrHL5Vjckg0BjELMYZ4rUx4KsV+JsmCf6oPDt4
b+gnMoZebumKTJ53Ej/Kh0Z30s+UHR9WlbZ9KEyuBifgErw/USqpibaQbG1UTX1f
5LealeITduNWcXIAkQYHddCyt8YRtO9oVrxxVdFmCtU4qUHlov7kxAdOC/KTAgMB
AAGjUzBRMB0GA1UdDgQWBBQ1oKojBf5qgkezUk6axrz3CjdHmzAfBgNVHSMEGDAW
gBQ1oKojBf5qgkezUk6axrz3CjdHmzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4IBAQCDUUOV23QzoqeGs7CKHXg+Mvxn6E4Tm395c0RKJRiHXEueQ2JD
e7ywfb11f/vGyudWVKe1wiRuMP4U8G6V3m6C/CSJrz1J3N9fvN23iPaZIh1O0vSr
xOz5UmiSsRW8BEQYCvF8CoWim1fG+KjtRhO6QqKLtK11j6TwZaUBIvSwK+OZKSuw
q8SuBRXNrIJvH0bonOXcuivOkruU0aRdizIG5Ed0OV2PVfbw2gu7Om83ADbVuSOV
noMwGjDVzVRAs8lu4ijuAryshVQK0LkImrwp+YkhRkFus0HWJqi/Ox+BHZt3BiFs
ATt9J3LCLazvP6LGr4rlZixJqM2ZC7dP0lOl
-----END CERTIFICATE-----
10 changes: 9 additions & 1 deletion .test/tests/java-ca-certificates-update/certs_symlink/README.md
Original file line number Diff line number Diff line change
@@ -1 +1,9 @@
This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt` and is only used for testing
These certificate/key pairs has been generated with

``` shell
$ openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt
$ openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder2" -keyout certs/dockerbuilder2.key -out certs/dockerbuilder2.crt
$ cat certs/dockerbuilder.crt certs/dockerbuilder2.crt > certs/multi-cert.crt
```

and are only used for testing

This file was deleted.

2 changes: 1 addition & 1 deletion .test/tests/java-ca-certificates-update/run.sh
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ CMD1=date

# CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore. Entrypoint export $CACERT to
# point to the Java keystore.
CMD2=(sh -c "keytool -list -keystore \$CACERT -storepass changeit -alias dockerbuilder")
CMD2=(sh -c "keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder && keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder2")

# For a custom entrypoint test, we need to create a new image. This image will get cleaned up at the end of the script
# by the `finish` trap function.
Expand Down
5 changes: 5 additions & 0 deletions 11/jdk/alpine/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,11 @@ RUN set -eux; \
# locales ensures proper character encoding and locale-specific behaviors using en_US.UTF-8
musl-locales musl-locales-lang \
tzdata \
# Contains `csplit` used for splitting multiple certificates in one file to multiple files, since keytool can
# only import one at a time.
coreutils \
# Needed to extract CN and generate aliases for certificates
openssl \
; \
rm -rf /var/cache/apk/*

Expand Down
54 changes: 37 additions & 17 deletions 11/jdk/alpine/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -1,50 +1,70 @@
#!/usr/bin/env sh
# Converted to POSIX shell to avoid the need for bash in the image
# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get
# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but
# are supported by `sh` in some Linux flavours.

set -e

TMPDIR=${TMPDIR:-/tmp}

# JDK truststore location
CACERT=$JAVA_HOME/lib/security/cacerts
JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts

# JDK8 puts its JRE in a subdirectory
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
CACERT=$JAVA_HOME/jre/lib/security/cacerts
JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts
fi

# Opt-in is only activated if the environment variable is set
if [ -n "$USE_SYSTEM_CA_CERTS" ]; then

if [ ! -w /tmp ]; then
echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore."
if [ ! -w "$TMPDIR" ]; then
echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore."
exit 1
fi

# Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not,
# we'll use a temporary truststore.
if [ ! -w "$CACERT" ]; then
if [ ! -w "$JRE_CACERTS_PATH" ]; then
# We cannot write to the JVM truststore, so we create a temporary one
CACERT_NEW=$(mktemp)
echo "Using a temporary truststore at $CACERT_NEW"
cp $CACERT $CACERT_NEW
CACERT=$CACERT_NEW
JRE_CACERTS_PATH_NEW=$(mktemp)
echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW"
cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW"
JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW
# If we use a custom truststore, we need to make sure that the JVM uses it
export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit"
export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit"
fi

tmp_store=$(mktemp)

# Copy full system CA store to a temporary location
trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store"
trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" > /dev/null

# Add the system CA certificates to the JVM truststore.
keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null
keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt > /dev/null

# Clean up the temporary truststore
rm -f "$tmp_store"

# Import the additional certificate into JVM truststore
for i in /certificates/*crt; do
if [ ! -f "$i" ]; then
continue
fi
keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null
tmp_dir=$(mktemp -d)
BASENAME=$(basename "$i" .crt)

# We might have multiple certificates in the file. Split this file into single files. The reason is that
# `keytool` does not accept multi-certificate files
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'

for crt in "$tmp_dir/$BASENAME"-*; do
# Create an alias for the certificate
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')

# Add the certificate to the JVM truststore
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
done
done

# Add additional certificates to the system CA store. This requires write permissions to several system
Expand All @@ -68,12 +88,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
fi

# UBI
if which update-ca-trust >/dev/null; then
if command -v update-ca-trust >/dev/null; then
update-ca-trust
fi

# Ubuntu/Alpine
if which update-ca-certificates >/dev/null; then
if command -v update-ca-certificates >/dev/null; then
update-ca-certificates
fi
else
Expand All @@ -84,6 +104,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
fi

# Let's provide a variable with the correct path for tools that want or need to use it
export CACERT
export JRE_CACERTS_PATH

exec "$@"
Loading

0 comments on commit 43fcefc

Please sign in to comment.