From fb7ceb1d513e62e6eec8024cba620a726025bd79 Mon Sep 17 00:00:00 2001 
From: George Adams Date: Mon, 21 Oct 2024 17:54:17 +0100 Subject: [PATCH] Fix Certificate Import Issue by Generating Unique Aliases in cacert script (#642) * Fix Certificate Import Issue by Generating Unique Aliases in cacert script * add test --- .../certs_duplicate_cn/cert1.crt | 17 +++++++++++++++++ .../certs_duplicate_cn/cert2.crt | 17 +++++++++++++++++ .../expected-std-out.txt | 2 +- .test/tests/java-ca-certificates-update/run.sh | 18 +++++++++++++++++- 11/jdk/alpine/entrypoint.sh | 14 ++++++++++++-- 11/jdk/ubi/ubi9-minimal/entrypoint.sh | 14 ++++++++++++-- 11/jdk/ubuntu/focal/entrypoint.sh | 14 ++++++++++++-- 11/jdk/ubuntu/jammy/entrypoint.sh | 14 ++++++++++++-- 11/jdk/ubuntu/noble/entrypoint.sh | 14 ++++++++++++-- 11/jre/alpine/entrypoint.sh | 14 ++++++++++++-- 11/jre/ubi/ubi9-minimal/entrypoint.sh | 14 ++++++++++++-- 11/jre/ubuntu/focal/entrypoint.sh | 14 ++++++++++++-- 11/jre/ubuntu/jammy/entrypoint.sh | 14 ++++++++++++-- 11/jre/ubuntu/noble/entrypoint.sh | 14 ++++++++++++-- 17/jdk/alpine/entrypoint.sh | 14 ++++++++++++-- 17/jdk/ubi/ubi9-minimal/entrypoint.sh | 14 ++++++++++++-- 17/jdk/ubuntu/focal/entrypoint.sh | 14 ++++++++++++-- 17/jdk/ubuntu/jammy/entrypoint.sh | 14 ++++++++++++-- 17/jdk/ubuntu/noble/entrypoint.sh | 14 ++++++++++++-- 17/jre/alpine/entrypoint.sh | 14 ++++++++++++-- 17/jre/ubi/ubi9-minimal/entrypoint.sh | 14 ++++++++++++-- 17/jre/ubuntu/focal/entrypoint.sh | 14 ++++++++++++-- 17/jre/ubuntu/jammy/entrypoint.sh | 14 ++++++++++++-- 17/jre/ubuntu/noble/entrypoint.sh | 14 ++++++++++++-- 21/jdk/alpine/entrypoint.sh | 14 ++++++++++++-- 21/jdk/ubi/ubi9-minimal/entrypoint.sh | 14 ++++++++++++-- 21/jdk/ubuntu/jammy/entrypoint.sh | 14 ++++++++++++-- 21/jdk/ubuntu/noble/entrypoint.sh | 14 ++++++++++++-- 21/jre/alpine/entrypoint.sh | 14 ++++++++++++-- 21/jre/ubi/ubi9-minimal/entrypoint.sh | 14 ++++++++++++-- 21/jre/ubuntu/jammy/entrypoint.sh | 14 ++++++++++++-- 21/jre/ubuntu/noble/entrypoint.sh | 14 ++++++++++++-- 23/jdk/alpine/entrypoint.sh | 14 
++++++++++++-- 23/jdk/ubi/ubi9-minimal/entrypoint.sh | 14 ++++++++++++-- 23/jdk/ubuntu/noble/entrypoint.sh | 14 ++++++++++++-- 23/jre/alpine/entrypoint.sh | 14 ++++++++++++-- 23/jre/ubi/ubi9-minimal/entrypoint.sh | 14 ++++++++++++-- 23/jre/ubuntu/noble/entrypoint.sh | 14 ++++++++++++-- 8/jdk/alpine/entrypoint.sh | 14 ++++++++++++-- 8/jdk/ubi/ubi9-minimal/entrypoint.sh | 14 ++++++++++++-- 8/jdk/ubuntu/focal/entrypoint.sh | 14 ++++++++++++-- 8/jdk/ubuntu/jammy/entrypoint.sh | 14 ++++++++++++-- 8/jdk/ubuntu/noble/entrypoint.sh | 14 ++++++++++++-- 8/jre/alpine/entrypoint.sh | 14 ++++++++++++-- 8/jre/ubi/ubi9-minimal/entrypoint.sh | 14 ++++++++++++-- 8/jre/ubuntu/focal/entrypoint.sh | 14 ++++++++++++-- 8/jre/ubuntu/jammy/entrypoint.sh | 14 ++++++++++++-- 8/jre/ubuntu/noble/entrypoint.sh | 14 ++++++++++++-- docker_templates/entrypoint.sh.j2 | 14 ++++++++++++-- 49 files changed, 592 insertions(+), 92 deletions(-) create mode 100644 .test/tests/java-ca-certificates-update/certs_duplicate_cn/cert1.crt create mode 100644 .test/tests/java-ca-certificates-update/certs_duplicate_cn/cert2.crt diff --git a/.test/tests/java-ca-certificates-update/certs_duplicate_cn/cert1.crt b/.test/tests/java-ca-certificates-update/certs_duplicate_cn/cert1.crt new file mode 100644 index 000000000..50e111da9 --- /dev/null +++ b/.test/tests/java-ca-certificates-update/certs_duplicate_cn/cert1.crt 
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICzDCCAbSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1kb2Nr
+ZXJidWlsZGVyMB4XDTI0MDgyNzA5MDIwMFoXDTI1MDgyNzA5MDIwMFowGDEWMBQG
+A1UEAwwNZG9ja2VyYnVpbGRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANIIAbZXdD1qOy/cdaLN0p7emnRUMgMhhL91F7/GA3LBCyURSBTNuaI2ibq+
+BxUjldsv8HOaesLG0Au4iaggnMK6YPHThDOqOw6ME4ghAD/10l6lHf+kTRvN4eC9
+bv3H1jieejVFIgienFfuFKcsNCFKPp4Rh7+D5HHJ3wtBVfaLT4K4q46Qlvkow7s8
+cQ3WSdvpsLDZo7cN1fRWMNHhDFbIs/DGkbhZUAxxUkUoUPyn+zvpRTY6QXoAQe57
+ed9qhhXQcpbHtHN8ecTenC2KEXQuGC0/KaqEJgTqE5W7Ihg0EvGeYpzdSt6ELSFx
+WL3COwk/xTCcIqBPSiYmwPMKmd0CAwEAAaMhMB8wHQYDVR0OBBYEFCspyA0xL4b+
+2/cDj4tGqxI9L0/KMA0GCSqGSIb3DQEBCwUAA4IBAQC/UmqrbRfvmK5YX6uCBVA0
+SczwSuQRM7Zgi8PMCKLH4NvoeP6cYnAc46uaO3sp9iAv/LCw7Rw7A/LvZWmVCYPp
+AstB6kI7nTDHULRGEk3aUar7B8uAVbMNF9V8iOnlk2G2qTvHMW9I4rGtQKqK6YXd
+0m2XZ6UOEzNBPKDHqFfNOYpo1qts5CDLynGIX0tFTSlks5BMrV13xn/4giRj4UHY
+bmElscCTfR/anNxGIBUp7dqGsv4zOeCE6kac4vsENyS+x+a8W0yveTY+TQnfKalT
+KjZXCkPsZp2vZY6eCv2/09L94nXGMB40NDVOaDD/d2fZuQPadRTsF4AqEt9CsN5n
+-----END CERTIFICATE-----
diff --git a/.test/tests/java-ca-certificates-update/certs_duplicate_cn/cert2.crt b/.test/tests/java-ca-certificates-update/certs_duplicate_cn/cert2.crt
new file mode 100644
index 000000000..c4cb6c73e
--- /dev/null
+++ b/.test/tests/java-ca-certificates-update/certs_duplicate_cn/cert2.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICzDCCAbSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1kb2Nr
+ZXJidWlsZGVyMB4XDTI0MDgyNzA5MDIwNFoXDTI1MDgyNzA5MDIwNFowGDEWMBQG
+A1UEAwwNZG9ja2VyYnVpbGRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANIIAbZXdD1qOy/cdaLN0p7emnRUMgMhhL91F7/GA3LBCyURSBTNuaI2ibq+
+BxUjldsv8HOaesLG0Au4iaggnMK6YPHThDOqOw6ME4ghAD/10l6lHf+kTRvN4eC9
+bv3H1jieejVFIgienFfuFKcsNCFKPp4Rh7+D5HHJ3wtBVfaLT4K4q46Qlvkow7s8
+cQ3WSdvpsLDZo7cN1fRWMNHhDFbIs/DGkbhZUAxxUkUoUPyn+zvpRTY6QXoAQe57
+ed9qhhXQcpbHtHN8ecTenC2KEXQuGC0/KaqEJgTqE5W7Ihg0EvGeYpzdSt6ELSFx
+WL3COwk/xTCcIqBPSiYmwPMKmd0CAwEAAaMhMB8wHQYDVR0OBBYEFCspyA0xL4b+
+2/cDj4tGqxI9L0/KMA0GCSqGSIb3DQEBCwUAA4IBAQAbEOXj4VHl3BvmoLEw3ykk
+5c4CZwTuKOm7gh6MJB6iPZIord/LyjLoMh/Mbhy5uNNKxyA53aeZzsc3q35Uks9K
+Tm02Pz6LQ3gMBvXQ/FfFu1+RXHbDOD5I9enrEsXTx4PGylFv8/9LqBfGiFGxPy6a
+C8s8d22AZsL1P6iwxNoQgfBSSqZhH/mKJyYqFwlqBmo/PQTVt2noWP6afBOfUs4W
+AGaeJUexLAem487MlPuzaSAr397zhvCVt7GNAkMwzU2KxH9auJ/5NFy1YyDSgsa0
+9rcy1gZGzJdOR2AbOZ1FXXqsw91S5SAzb+qR54KIusJ4ON+bPaQc7ZtnNKvbnBxG
+-----END CERTIFICATE-----
diff --git a/.test/tests/java-ca-certificates-update/expected-std-out.txt b/.test/tests/java-ca-certificates-update/expected-std-out.txt
index ba9d1a89e..125c0b6d4 100644
--- a/.test/tests/java-ca-certificates-update/expected-std-out.txt
+++ b/.test/tests/java-ca-certificates-update/expected-std-out.txt
@@ -1 +1 @@
-010101000001010101000001
+0101010000010001010100000100
diff --git a/.test/tests/java-ca-certificates-update/run.sh b/.test/tests/java-ca-certificates-update/run.sh
index ca7f72d87..fec848d98 100755
--- a/.test/tests/java-ca-certificates-update/run.sh
+++ b/.test/tests/java-ca-certificates-update/run.sh
@@ -10,7 +10,7 @@ CMD1=date # CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore. Entrypoint export $CACERT to # point to the Java keystore. -CMD2=(sh -c "keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder && keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder2") +CMD2=(sh -c "keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder && keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder2") # For a custom entrypoint test, we need to create a new image. This image will get cleaned up at the end of the script # by the `finish` trap function. @@ -75,6 +75,14 @@ echo -n $? docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" "${CMD2[@]}" >&/dev/null echo -n $? +# Test run 7: Two certificates with the same CN are mounted and the environment variable is set. +# We expect both CMD1 to succeed and CMD2 to find both certificates. +docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_duplicate_cn:/certificates "$1" $CMD1 >&/dev/null +echo -n $? +CMD3=(sh -c "keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder && keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder_02") +docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_duplicate_cn:/certificates "$1" "${CMD3[@]}" >&/dev/null +echo -n $? + # # PHASE 2: Non-root containers # 
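Review bot: The comment on the added test run 7 says CMD2 should find both certificates, but the check is made with `CMD3`, which looks up the aliases `dockerbuilder` and `dockerbuilder_02`; the comment should read `# We expect CMD1 to succeed and CMD3 to find both certificates under distinct aliases.` `CMD3` is assigned again with identical content in the non-root phase (the later hunk of this file, which carries the same comment), so defining it once next to `CMD2` would keep the two phases from drifting apart. The test covers only two certificates with different serial numbers, so it does not exercise a collision on the `_<serial>` alias itself.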
@@ -119,3 +127,11 @@ docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 -- echo -n $? docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" "${CMD2[@]}" >&/dev/null echo -n $? + +# Test run 7: Two certificates with the same CN are mounted and the environment variable is set. +# We expect both CMD1 to succeed and CMD2 to find both certificates. +docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_duplicate_cn:/certificates "$1" $CMD1 >&/dev/null +echo -n $? +CMD3=(sh -c "keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder && keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder_02") +docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_duplicate_cn:/certificates "$1" "${CMD3[@]}" >&/dev/null +echo -n $? diff --git a/11/jdk/alpine/entrypoint.sh b/11/jdk/alpine/entrypoint.sh index 306dd4c34..7822fe589 100644 --- a/11/jdk/alpine/entrypoint.sh +++ b/11/jdk/alpine/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/11/jdk/ubi/ubi9-minimal/entrypoint.sh b/11/jdk/ubi/ubi9-minimal/entrypoint.sh index c00c03280..9735e1932 100644 --- a/11/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/11/jdk/ubi/ubi9-minimal/entrypoint.sh 
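Review bot: The fallback alias `${CN}_${SERIAL}` is never checked against the keystore, so the collision this change fixes can still occur one level down: serial numbers are unique only per issuer, and a bundle can also contain the same certificate twice. In that case `keytool -import` fails with its stdout sent to /dev/null, and because the script's error handling is not visible in this hunk it is unclear whether the failure is noticed or the certificate is silently left out of the truststore. A suffix taken from the certificate itself avoids the first case, e.g. `ALIAS="${CN}_$(openssl x509 -in "$crt" -noout -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':')"`, with the `dockerbuilder_02` expectation in run.sh adjusted to match. The added `echo` writes to the entrypoint's stdout, presumably ahead of the container command's own output; `>&2` would keep it out of anything that parses that output. The same lines are repeated in every other entrypoint.sh hunk of this patch (and, per the diffstat, in docker_templates/entrypoint.sh.j2), and the enclosing `if` and `for` blocks start and end outside the hunk.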
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/11/jdk/ubuntu/focal/entrypoint.sh b/11/jdk/ubuntu/focal/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/11/jdk/ubuntu/focal/entrypoint.sh +++ b/11/jdk/ubuntu/focal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/11/jdk/ubuntu/jammy/entrypoint.sh b/11/jdk/ubuntu/jammy/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/11/jdk/ubuntu/jammy/entrypoint.sh +++ b/11/jdk/ubuntu/jammy/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/11/jdk/ubuntu/noble/entrypoint.sh b/11/jdk/ubuntu/noble/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/11/jdk/ubuntu/noble/entrypoint.sh +++ b/11/jdk/ubuntu/noble/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/11/jre/alpine/entrypoint.sh b/11/jre/alpine/entrypoint.sh index 306dd4c34..7822fe589 100644 --- a/11/jre/alpine/entrypoint.sh +++ b/11/jre/alpine/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/11/jre/ubi/ubi9-minimal/entrypoint.sh b/11/jre/ubi/ubi9-minimal/entrypoint.sh index c00c03280..9735e1932 100644 --- a/11/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/11/jre/ubi/ubi9-minimal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/11/jre/ubuntu/focal/entrypoint.sh b/11/jre/ubuntu/focal/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/11/jre/ubuntu/focal/entrypoint.sh +++ b/11/jre/ubuntu/focal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/11/jre/ubuntu/jammy/entrypoint.sh b/11/jre/ubuntu/jammy/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/11/jre/ubuntu/jammy/entrypoint.sh +++ b/11/jre/ubuntu/jammy/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/11/jre/ubuntu/noble/entrypoint.sh b/11/jre/ubuntu/noble/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/11/jre/ubuntu/noble/entrypoint.sh +++ b/11/jre/ubuntu/noble/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/17/jdk/alpine/entrypoint.sh b/17/jdk/alpine/entrypoint.sh index 306dd4c34..7822fe589 100644 --- a/17/jdk/alpine/entrypoint.sh +++ b/17/jdk/alpine/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/17/jdk/ubi/ubi9-minimal/entrypoint.sh b/17/jdk/ubi/ubi9-minimal/entrypoint.sh index c00c03280..9735e1932 100644 --- a/17/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/17/jdk/ubi/ubi9-minimal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/17/jdk/ubuntu/focal/entrypoint.sh b/17/jdk/ubuntu/focal/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/17/jdk/ubuntu/focal/entrypoint.sh +++ b/17/jdk/ubuntu/focal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/17/jdk/ubuntu/jammy/entrypoint.sh b/17/jdk/ubuntu/jammy/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/17/jdk/ubuntu/jammy/entrypoint.sh +++ b/17/jdk/ubuntu/jammy/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/17/jdk/ubuntu/noble/entrypoint.sh b/17/jdk/ubuntu/noble/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/17/jdk/ubuntu/noble/entrypoint.sh +++ b/17/jdk/ubuntu/noble/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/17/jre/alpine/entrypoint.sh b/17/jre/alpine/entrypoint.sh index 306dd4c34..7822fe589 100644 --- a/17/jre/alpine/entrypoint.sh +++ b/17/jre/alpine/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/17/jre/ubi/ubi9-minimal/entrypoint.sh b/17/jre/ubi/ubi9-minimal/entrypoint.sh index c00c03280..9735e1932 100644 --- a/17/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/17/jre/ubi/ubi9-minimal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/17/jre/ubuntu/focal/entrypoint.sh b/17/jre/ubuntu/focal/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/17/jre/ubuntu/focal/entrypoint.sh +++ b/17/jre/ubuntu/focal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/17/jre/ubuntu/jammy/entrypoint.sh b/17/jre/ubuntu/jammy/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/17/jre/ubuntu/jammy/entrypoint.sh +++ b/17/jre/ubuntu/jammy/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/17/jre/ubuntu/noble/entrypoint.sh b/17/jre/ubuntu/noble/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/17/jre/ubuntu/noble/entrypoint.sh +++ b/17/jre/ubuntu/noble/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/21/jdk/alpine/entrypoint.sh b/21/jdk/alpine/entrypoint.sh index 306dd4c34..7822fe589 100644 --- a/21/jdk/alpine/entrypoint.sh +++ b/21/jdk/alpine/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/21/jdk/ubi/ubi9-minimal/entrypoint.sh b/21/jdk/ubi/ubi9-minimal/entrypoint.sh index c00c03280..9735e1932 100644 --- a/21/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/21/jdk/ubi/ubi9-minimal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/21/jdk/ubuntu/jammy/entrypoint.sh b/21/jdk/ubuntu/jammy/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/21/jdk/ubuntu/jammy/entrypoint.sh +++ b/21/jdk/ubuntu/jammy/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/21/jdk/ubuntu/noble/entrypoint.sh b/21/jdk/ubuntu/noble/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/21/jdk/ubuntu/noble/entrypoint.sh +++ b/21/jdk/ubuntu/noble/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/21/jre/alpine/entrypoint.sh b/21/jre/alpine/entrypoint.sh index 306dd4c34..7822fe589 100644 --- a/21/jre/alpine/entrypoint.sh +++ b/21/jre/alpine/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/21/jre/ubi/ubi9-minimal/entrypoint.sh b/21/jre/ubi/ubi9-minimal/entrypoint.sh index c00c03280..9735e1932 100644 --- a/21/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/21/jre/ubi/ubi9-minimal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/21/jre/ubuntu/jammy/entrypoint.sh b/21/jre/ubuntu/jammy/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/21/jre/ubuntu/jammy/entrypoint.sh +++ b/21/jre/ubuntu/jammy/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/21/jre/ubuntu/noble/entrypoint.sh b/21/jre/ubuntu/noble/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/21/jre/ubuntu/noble/entrypoint.sh +++ b/21/jre/ubuntu/noble/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/23/jdk/alpine/entrypoint.sh b/23/jdk/alpine/entrypoint.sh index 306dd4c34..7822fe589 100644 --- a/23/jdk/alpine/entrypoint.sh +++ b/23/jdk/alpine/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/23/jdk/ubi/ubi9-minimal/entrypoint.sh b/23/jdk/ubi/ubi9-minimal/entrypoint.sh index c00c03280..9735e1932 100644 --- a/23/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/23/jdk/ubi/ubi9-minimal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/23/jdk/ubuntu/noble/entrypoint.sh b/23/jdk/ubuntu/noble/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/23/jdk/ubuntu/noble/entrypoint.sh +++ b/23/jdk/ubuntu/noble/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/23/jre/alpine/entrypoint.sh b/23/jre/alpine/entrypoint.sh index 306dd4c34..7822fe589 100644 --- a/23/jre/alpine/entrypoint.sh +++ b/23/jre/alpine/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/23/jre/ubi/ubi9-minimal/entrypoint.sh b/23/jre/ubi/ubi9-minimal/entrypoint.sh index c00c03280..9735e1932 100644 --- a/23/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/23/jre/ubi/ubi9-minimal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/23/jre/ubuntu/noble/entrypoint.sh b/23/jre/ubuntu/noble/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/23/jre/ubuntu/noble/entrypoint.sh +++ b/23/jre/ubuntu/noble/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/8/jdk/alpine/entrypoint.sh b/8/jdk/alpine/entrypoint.sh index 25253b7d2..59c24f493 100644 --- a/8/jdk/alpine/entrypoint.sh +++ b/8/jdk/alpine/entrypoint.sh 
@@ -73,8 +73,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/8/jdk/ubi/ubi9-minimal/entrypoint.sh b/8/jdk/ubi/ubi9-minimal/entrypoint.sh index 9e4443332..160c7fe00 100644 --- a/8/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/8/jdk/ubi/ubi9-minimal/entrypoint.sh 
@@ -73,8 +73,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/8/jdk/ubuntu/focal/entrypoint.sh b/8/jdk/ubuntu/focal/entrypoint.sh index 129e5cccb..5ef8b651e 100644 --- a/8/jdk/ubuntu/focal/entrypoint.sh +++ b/8/jdk/ubuntu/focal/entrypoint.sh 
@@ -73,8 +73,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/8/jdk/ubuntu/jammy/entrypoint.sh b/8/jdk/ubuntu/jammy/entrypoint.sh index 129e5cccb..5ef8b651e 100644 --- a/8/jdk/ubuntu/jammy/entrypoint.sh +++ b/8/jdk/ubuntu/jammy/entrypoint.sh 
@@ -73,8 +73,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/8/jdk/ubuntu/noble/entrypoint.sh b/8/jdk/ubuntu/noble/entrypoint.sh index 129e5cccb..5ef8b651e 100644 --- a/8/jdk/ubuntu/noble/entrypoint.sh +++ b/8/jdk/ubuntu/noble/entrypoint.sh 
@@ -73,8 +73,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/8/jre/alpine/entrypoint.sh b/8/jre/alpine/entrypoint.sh index 306dd4c34..7822fe589 100644 --- a/8/jre/alpine/entrypoint.sh +++ b/8/jre/alpine/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/8/jre/ubi/ubi9-minimal/entrypoint.sh b/8/jre/ubi/ubi9-minimal/entrypoint.sh index c00c03280..9735e1932 100644 --- a/8/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/8/jre/ubi/ubi9-minimal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/8/jre/ubuntu/focal/entrypoint.sh b/8/jre/ubuntu/focal/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/8/jre/ubuntu/focal/entrypoint.sh +++ b/8/jre/ubuntu/focal/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/8/jre/ubuntu/jammy/entrypoint.sh b/8/jre/ubuntu/jammy/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/8/jre/ubuntu/jammy/entrypoint.sh +++ b/8/jre/ubuntu/jammy/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}' for crt in "$tmp_dir/$BASENAME"-*; do - # Create an alias for the certificate - ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + # Extract the Common Name (CN) and Serial Number from the certificate + CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p') + SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p') + + # Check if an alias with the CN already exists in the keystore + ALIAS=$CN + if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then + # If the CN already exists, append the serial number to the alias + ALIAS="${CN}_${SERIAL}" + fi + + echo "Adding certificate with alias $ALIAS to the JVM truststore" # Add the certificate to the JVM truststore keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null diff --git a/8/jre/ubuntu/noble/entrypoint.sh b/8/jre/ubuntu/noble/entrypoint.sh index d51059c11..8093ab1ee 100644 --- a/8/jre/ubuntu/noble/entrypoint.sh +++ b/8/jre/ubuntu/noble/entrypoint.sh 
@@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'
 for crt in "$tmp_dir/$BASENAME"-*; do
- # Create an alias for the certificate
- ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
+ # Extract the Common Name (CN) and Serial Number from the certificate
+ CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
+ SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')
+
+ # Check if an alias with the CN already exists in the keystore
+ ALIAS=$CN
+ if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
+ # If the CN already exists, append the serial number to the alias
+ ALIAS="${CN}_${SERIAL}"
+ fi
+
+ echo "Adding certificate with alias $ALIAS to the JVM truststore"
 # Add the certificate to the JVM truststore
 keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
diff --git a/docker_templates/entrypoint.sh.j2 b/docker_templates/entrypoint.sh.j2
index 6825f5a9e..ffbb555f0 100755
--- a/docker_templates/entrypoint.sh.j2
+++ b/docker_templates/entrypoint.sh.j2
@@ -64,8 +64,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'
 for crt in "$tmp_dir/$BASENAME"-*; do
- # Create an alias for the certificate
- ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
+ # Extract the Common Name (CN) and Serial Number from the certificate
+ CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
+ SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')
+
+ # Check if an alias with the CN already exists in the keystore
+ ALIAS=$CN
+ if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
+ # If the CN already exists, append the serial number to the alias
+ ALIAS="${CN}_${SERIAL}"
+ fi
+
+ echo "Adding certificate with alias $ALIAS to the JVM truststore"
 # Add the certificate to the JVM truststore
 keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
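Review bot: `CN` is empty when the subject has no CN attribute, because the `sed -n ... p` expression prints nothing on a non-match, and the hunk then passes an empty `-alias` to both `keytool -list` and `keytool -import`. CA certificates whose subject holds only O/OU fields exist, so a fallback right after the extraction is worth adding, e.g. `[ -n "$CN" ] || CN=$(basename "$crt" .crt)`. How keytool treats an empty alias is not visible here, so the behaviour should be confirmed with a CN-less test certificate next to the `certs_duplicate_cn` fixtures. The other three hunks carry the same lines, and the loop's `done` lies outside the hunk.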