Skip to content

Commit

Permalink
Add support for custom CA certificates
Browse files Browse the repository at this point in the history
This adds the capability to add custom CA certificates for Java truststore.

Fixes: #293
  • Loading branch information
rassie committed May 19, 2023
1 parent 920efae commit 50ef42c
Show file tree
Hide file tree
Showing 78 changed files with 971 additions and 24 deletions.
5 changes: 4 additions & 1 deletion 11/jdk/alpine/Dockerfile.releases.full
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

# fontconfig and ttf-dejavu added to support serverside image generation by Java programs
RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
# java-cacerts added to support adding CA certificates to the Java keystore
RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
&& rm -rf /var/cache/apk/*

ENV JAVA_VERSION jdk-11.0.19+7
Expand Down Expand Up @@ -59,5 +60,7 @@ RUN echo Verifying install ... \
&& echo javac --version && javac --version \
&& echo java --version && java --version \
&& echo Complete.
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]

CMD ["jshell"]
22 changes: 22 additions & 0 deletions 11/jdk/alpine/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
#!/usr/bin/env sh

set -e

if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
# OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
# might as well just generate the truststore and skip the hooks.

cp -a /certificates/* /usr/local/share/ca-certificates/
update-ca-certificates

CACERT=$JAVA_HOME/lib/security/cacerts

# JDK8 puts its JRE in a subdirectory
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
CACERT=$JAVA_HOME/jre/lib/security/cacerts
fi

trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
fi

exec "$@"
2 changes: 2 additions & 0 deletions 11/jdk/centos/Dockerfile.releases.full
Original file line number Diff line number Diff line change
Expand Up @@ -66,5 +66,7 @@ RUN echo Verifying install ... \
&& echo javac --version && javac --version \
&& echo java --version && java --version \
&& echo Complete.
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]

CMD ["jshell"]
23 changes: 23 additions & 0 deletions 11/jdk/centos/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
#!/usr/bin/env bash

set -e

if [ -n "$USE_SYSTEM_CA_CERTS" ]; then

# RHEL-based images already include a routine to update a java truststore from the system CA bundle within
# `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.

cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
update-ca-trust

CACERT=$JAVA_HOME/lib/security/cacerts

# JDK8 puts its JRE in a subdirectory
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
CACERT=$JAVA_HOME/jre/lib/security/cacerts
fi

ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
fi

exec "$@"
2 changes: 2 additions & 0 deletions 11/jdk/ubi/ubi9-minimal/Dockerfile.releases.full
Original file line number Diff line number Diff line change
Expand Up @@ -70,5 +70,7 @@ RUN echo Verifying install ... \
&& echo javac --version && javac --version \
&& echo java --version && java --version \
&& echo Complete.
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]

CMD ["jshell"]
23 changes: 23 additions & 0 deletions 11/jdk/ubi/ubi9-minimal/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
#!/usr/bin/env bash

set -e

if [ -n "$USE_SYSTEM_CA_CERTS" ]; then

# RHEL-based images already include a routine to update a java truststore from the system CA bundle within
# `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.

cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
update-ca-trust

CACERT=$JAVA_HOME/lib/security/cacerts

# JDK8 puts its JRE in a subdirectory
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
CACERT=$JAVA_HOME/jre/lib/security/cacerts
fi

ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
fi

exec "$@"
4 changes: 3 additions & 1 deletion 11/jdk/ubuntu/focal/Dockerfile.releases.full
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
&& echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
&& locale-gen en_US.UTF-8 \
&& rm -rf /var/lib/apt/lists/*
Expand Down Expand Up @@ -83,5 +83,7 @@ RUN echo Verifying install ... \
&& echo javac --version && javac --version \
&& echo java --version && java --version \
&& echo Complete.
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]

CMD ["jshell"]
22 changes: 22 additions & 0 deletions 11/jdk/ubuntu/focal/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
#!/usr/bin/env sh

set -e

if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
# OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
# might as well just generate the truststore and skip the hooks.

cp -a /certificates/* /usr/local/share/ca-certificates/
update-ca-certificates

CACERT=$JAVA_HOME/lib/security/cacerts

# JDK8 puts its JRE in a subdirectory
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
CACERT=$JAVA_HOME/jre/lib/security/cacerts
fi

trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
fi

exec "$@"
4 changes: 3 additions & 1 deletion 11/jdk/ubuntu/jammy/Dockerfile.releases.full
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
&& echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
&& locale-gen en_US.UTF-8 \
&& rm -rf /var/lib/apt/lists/*
Expand Down Expand Up @@ -83,5 +83,7 @@ RUN echo Verifying install ... \
&& echo javac --version && javac --version \
&& echo java --version && java --version \
&& echo Complete.
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]

CMD ["jshell"]
22 changes: 22 additions & 0 deletions 11/jdk/ubuntu/jammy/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
#!/usr/bin/env sh

set -e

if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
# OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
# might as well just generate the truststore and skip the hooks.

cp -a /certificates/* /usr/local/share/ca-certificates/
update-ca-certificates

CACERT=$JAVA_HOME/lib/security/cacerts

# JDK8 puts its JRE in a subdirectory
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
CACERT=$JAVA_HOME/jre/lib/security/cacerts
fi

trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
fi

exec "$@"
5 changes: 4 additions & 1 deletion 11/jre/alpine/Dockerfile.releases.full
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

# fontconfig and ttf-dejavu added to support serverside image generation by Java programs
RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
# java-cacerts added to support adding CA certificates to the Java keystore
RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
&& rm -rf /var/cache/apk/*

ENV JAVA_VERSION jdk-11.0.19+7
Expand Down Expand Up @@ -58,3 +59,5 @@ RUN echo Verifying install ... \
&& fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
&& echo java --version && java --version \
&& echo Complete.
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
22 changes: 22 additions & 0 deletions 11/jre/alpine/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
#!/usr/bin/env sh

set -e

if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
# OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
# might as well just generate the truststore and skip the hooks.

cp -a /certificates/* /usr/local/share/ca-certificates/
update-ca-certificates

CACERT=$JAVA_HOME/lib/security/cacerts

# JDK8 puts its JRE in a subdirectory
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
CACERT=$JAVA_HOME/jre/lib/security/cacerts
fi

trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
fi

exec "$@"
2 changes: 2 additions & 0 deletions 11/jre/centos/Dockerfile.releases.full
Original file line number Diff line number Diff line change
Expand Up @@ -65,3 +65,5 @@ RUN echo Verifying install ... \
&& fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
&& echo java --version && java --version \
&& echo Complete.
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
23 changes: 23 additions & 0 deletions 11/jre/centos/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
#!/usr/bin/env bash

set -e

if [ -n "$USE_SYSTEM_CA_CERTS" ]; then

# RHEL-based images already include a routine to update a java truststore from the system CA bundle within
# `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.

cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
update-ca-trust

CACERT=$JAVA_HOME/lib/security/cacerts

# JDK8 puts its JRE in a subdirectory
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
CACERT=$JAVA_HOME/jre/lib/security/cacerts
fi

ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
fi

exec "$@"
2 changes: 2 additions & 0 deletions 11/jre/ubi/ubi9-minimal/Dockerfile.releases.full
Original file line number Diff line number Diff line change
Expand Up @@ -69,3 +69,5 @@ RUN echo Verifying install ... \
&& fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
&& echo java --version && java --version \
&& echo Complete.
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
23 changes: 23 additions & 0 deletions 11/jre/ubi/ubi9-minimal/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
#!/usr/bin/env bash

set -e

if [ -n "$USE_SYSTEM_CA_CERTS" ]; then

# RHEL-based images already include a routine to update a java truststore from the system CA bundle within
# `update-ca-trust`. All we need to do is to link the system CA bundle to the java truststore.

cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
update-ca-trust

CACERT=$JAVA_HOME/lib/security/cacerts

# JDK8 puts its JRE in a subdirectory
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
CACERT=$JAVA_HOME/jre/lib/security/cacerts
fi

ln -sf /etc/pki/ca-trust/extracted/java/cacerts "$CACERT"
fi

exec "$@"
4 changes: 3 additions & 1 deletion 11/jre/ubuntu/focal/Dockerfile.releases.full
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
&& echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
&& locale-gen en_US.UTF-8 \
&& rm -rf /var/lib/apt/lists/*
Expand Down Expand Up @@ -82,3 +82,5 @@ RUN echo Verifying install ... \
&& fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
&& echo java --version && java --version \
&& echo Complete.
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
22 changes: 22 additions & 0 deletions 11/jre/ubuntu/focal/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
#!/usr/bin/env sh

set -e

if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
# OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
# might as well just generate the truststore and skip the hooks.

cp -a /certificates/* /usr/local/share/ca-certificates/
update-ca-certificates

CACERT=$JAVA_HOME/lib/security/cacerts

# JDK8 puts its JRE in a subdirectory
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
CACERT=$JAVA_HOME/jre/lib/security/cacerts
fi

trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
fi

exec "$@"
4 changes: 3 additions & 1 deletion 11/jre/ubuntu/jammy/Dockerfile.releases.full
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ ENV PATH $JAVA_HOME/bin:$PATH
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata curl wget ca-certificates fontconfig locales p11-kit \
&& echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
&& locale-gen en_US.UTF-8 \
&& rm -rf /var/lib/apt/lists/*
Expand Down Expand Up @@ -82,3 +82,5 @@ RUN echo Verifying install ... \
&& fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java \
&& echo java --version && java --version \
&& echo Complete.
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
22 changes: 22 additions & 0 deletions 11/jre/ubuntu/jammy/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
#!/usr/bin/env sh

set -e

if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
# OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
# might as well just generate the truststore and skip the hooks.

cp -a /certificates/* /usr/local/share/ca-certificates/
update-ca-certificates

CACERT=$JAVA_HOME/lib/security/cacerts

# JDK8 puts its JRE in a subdirectory
if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
CACERT=$JAVA_HOME/jre/lib/security/cacerts
fi

trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
fi

exec "$@"
5 changes: 4 additions & 1 deletion 17/jdk/alpine/Dockerfile.releases.full
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,8 @@ ENV PATH $JAVA_HOME/bin:$PATH
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

# fontconfig and ttf-dejavu added to support serverside image generation by Java programs
RUN apk add --no-cache fontconfig libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
# java-cacerts added to support adding CA certificates to the Java keystore
RUN apk add --no-cache fontconfig java-cacerts libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \
&& rm -rf /var/cache/apk/*

ENV JAVA_VERSION jdk-17.0.7+7
Expand Down Expand Up @@ -59,5 +60,7 @@ RUN echo Verifying install ... \
&& echo javac --version && javac --version \
&& echo java --version && java --version \
&& echo Complete.
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]

CMD ["jshell"]
Loading

0 comments on commit 50ef42c

Please sign in to comment.