Commit 43fcefc

Address comments on the "rootless CA certs" patch (#572)
Address the following problems with #538:

1. Correct the shell selection for entrypoint, Ubuntu flavours still need explicit `bash` for variables with dots in their names
2. Change unhelpful exported variable name (changed from `CACERT` to `JRE_CACERTS_PATH`)
3. Change `which` to more-POSIX-compatible `command -v`
4. More cleanup
5. Explicitly use `TMPDIR` when available instead of hard-coded `/tmp`
6. Support multi-certificate files (again)
7. Make output less verbose

1 parent bbda8cc commit 43fcefc

100 files changed

+2030
-832
lines changed

Original file line numberDiff line numberDiff line change
@@ -1 +1,9 @@
1-
This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt` and is only used for testing
1+
These certificate/key pairs has been generated with
2+
3+
``` shell
4+
$ openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt
5+
$ openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder2" -keyout certs/dockerbuilder2.key -out certs/dockerbuilder2.crt
6+
$ cat certs/dockerbuilder.crt certs/dockerbuilder2.crt > certs/multi-cert.crt
7+
```
8+
9+
and are only used for testing
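Review bot: On the first added line, "These certificate/key pairs has been generated" should read "have been generated". It would also help to state here that `certs/multi-cert.crt` is only the concatenation of the two certificates and has to be regenerated whenever either one is recreated, and that the `.key` files are written unencrypted (`-nodes`) and are test material only.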
Original file line numberDiff line numberDiff line change
@@ -1 +1,9 @@
1-
This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt` and is only used for testing
1+
These certificate/key pairs has been generated with
2+
3+
``` shell
4+
$ openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt
5+
$ openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder2" -keyout certs/dockerbuilder2.key -out certs/dockerbuilder2.crt
6+
$ cat certs/dockerbuilder.crt certs/dockerbuilder2.crt > certs/multi-cert.crt
7+
```
8+
9+
and are only used for testing

.test/tests/java-ca-certificates-update/certs_symlink/dockerbuilder.crt

-1
This file was deleted.
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
.multi-cert.crt

.test/tests/java-ca-certificates-update/run.sh

+1-1
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ CMD1=date
1010

1111
# CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore. Entrypoint export $CACERT to
1212
# point to the Java keystore.
13-
CMD2=(sh -c "keytool -list -keystore \$CACERT -storepass changeit -alias dockerbuilder")
13+
CMD2=(sh -c "keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder && keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder2")
1414

1515
# For a custom entrypoint test, we need to create a new image. This image will get cleaned up at the end of the script
1616
# by the `finish` trap function.
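Review bot: The context comment above `CMD2` still says the entrypoint exports `$CACERT` and mentions only the `dockerbuilder` certificate, while the new command reads `$JRE_CACERTS_PATH` and also checks the `dockerbuilder2` alias. Update the comment in the same change so the description matches what the test asserts.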

11/jdk/alpine/Dockerfile

+5
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,11 @@ RUN set -eux; \
3737
# locales ensures proper character encoding and locale-specific behaviors using en_US.UTF-8
3838
musl-locales musl-locales-lang \
3939
tzdata \
40+
# Contains `csplit` used for splitting multiple certificates in one file to multiple files, since keytool can
41+
# only import one at a time.
42+
coreutils \
43+
# Needed to extract CN and generate aliases for certificates
44+
openssl \
4045
; \
4146
rm -rf /var/cache/apk/*
4247

11/jdk/alpine/entrypoint.sh

+37-17
Original file line numberDiff line numberDiff line change
@@ -1,50 +1,70 @@
11
#!/usr/bin/env sh
2-
# Converted to POSIX shell to avoid the need for bash in the image
2+
# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get
3+
# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but
4+
# are supported by `sh` in some Linux flavours.
35

46
set -e
57

8+
TMPDIR=${TMPDIR:-/tmp}
9+
610
# JDK truststore location
7-
CACERT=$JAVA_HOME/lib/security/cacerts
11+
JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts
812

913
# JDK8 puts its JRE in a subdirectory
1014
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
11-
CACERT=$JAVA_HOME/jre/lib/security/cacerts
15+
JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts
1216
fi
1317

1418
# Opt-in is only activated if the environment variable is set
1519
if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
1620

17-
if [ ! -w /tmp ]; then
18-
echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore."
21+
if [ ! -w "$TMPDIR" ]; then
22+
echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore."
1923
exit 1
2024
fi
2125

2226
# Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not,
2327
# we'll use a temporary truststore.
24-
if [ ! -w "$CACERT" ]; then
28+
if [ ! -w "$JRE_CACERTS_PATH" ]; then
2529
# We cannot write to the JVM truststore, so we create a temporary one
26-
CACERT_NEW=$(mktemp)
27-
echo "Using a temporary truststore at $CACERT_NEW"
28-
cp $CACERT $CACERT_NEW
29-
CACERT=$CACERT_NEW
30+
JRE_CACERTS_PATH_NEW=$(mktemp)
31+
echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW"
32+
cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW"
33+
JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW
3034
# If we use a custom truststore, we need to make sure that the JVM uses it
31-
export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit"
35+
export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit"
3236
fi
3337

3438
tmp_store=$(mktemp)
3539

3640
# Copy full system CA store to a temporary location
37-
trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store"
41+
trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" > /dev/null
3842

3943
# Add the system CA certificates to the JVM truststore.
40-
keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null
44+
keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt > /dev/null
45+
46+
# Clean up the temporary truststore
47+
rm -f "$tmp_store"
4148

4249
# Import the additional certificate into JVM truststore
4350
for i in /certificates/*crt; do
4451
if [ ! -f "$i" ]; then
4552
continue
4653
fi
47-
keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null
54+
tmp_dir=$(mktemp -d)
55+
BASENAME=$(basename "$i" .crt)
56+
57+
# We might have multiple certificates in the file. Split this file into single files. The reason is that
58+
# `keytool` does not accept multi-certificate files
59+
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'
60+
61+
for crt in "$tmp_dir/$BASENAME"-*; do
62+
# Create an alias for the certificate
63+
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
64+
65+
# Add the certificate to the JVM truststore
66+
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
67+
done
4868
done
4969

5070
# Add additional certificates to the system CA store. This requires write permissions to several system
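Review bot: In the inner loop, `ALIAS` is derived from the subject CN alone, so a certificate without a CN produces an empty alias and two certificates with the same CN produce the same alias; with `set -e` active and keytool's output sent to `/dev/null`, a failed import there would stop the entrypoint with little to diagnose it from. Consider falling back to `"$BASENAME"` plus the csplit index (or a fingerprint) when the CN is empty or already used. Separately, `tmp_dir=$(mktemp -d)` is created for every file in `/certificates` but never removed, unlike `tmp_store`; add `rm -rf "$tmp_dir"` after the inner `done`.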
@@ -68,12 +88,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
6888
fi
6989

7090
# UBI
71-
if which update-ca-trust >/dev/null; then
91+
if command -v update-ca-trust >/dev/null; then
7292
update-ca-trust
7393
fi
7494

7595
# Ubuntu/Alpine
76-
if which update-ca-certificates >/dev/null; then
96+
if command -v update-ca-certificates >/dev/null; then
7797
update-ca-certificates
7898
fi
7999
else
@@ -84,6 +104,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
84104
fi
85105

86106
# Let's provide a variable with the correct path for tools that want or need to use it
87-
export CACERT
107+
export JRE_CACERTS_PATH
88108

89109
exec "$@"
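Review bot: Replacing `export CACERT` with `export JRE_CACERTS_PATH` at the end of the script changes the name that commands started through `exec "$@"` see, so anything still reading `$CACERT` now gets an empty value. Mention the rename in the image documentation, or export both names for a transition period.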
