keytool imports the only one certificate from the file #18339

Closed
1 task done
tolusha opened this issue Nov 11, 2020 · 6 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator area/che-server kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.
Comments


tolusha commented Nov 11, 2020

Describe the bug

keytool -importcert is used to import a certificate into a Java keystore. According to the doc [1], it can import only a PKCS#7 formatted certificate; otherwise it imports the first certificate from the given file.

Use the -importcert command to read the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply or in a sequence of X.509 certificates) from -file file, and store it in the keystore entry identified by -alias. If -file file is not specified, then the certificate or certificate chain is read from stdin.

The keytool command can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to be imported must be provided either in binary encoding format or in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 standard. In the latter case, the encoding must be bounded at the beginning by a string that starts with -----BEGIN, and bounded at the end by a string that starts with -----END.

[1] https://docs.oracle.com/en/java/javase/14/docs/specs/man/keytool.html

Where is keytool used to import certificates?

  • identity provider server
  • che server

Workaround

  1. Create ca-certs configmap (if it is not created) and put every single certificate in a dedicated key ending with .crt (che-theia imports certificates ending with .crt)
  2. Update CR with the name of the configmap: spec.server.serverTrustStoreConfigMapName: ca-certs
  cert1.crt: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  cert2.crt: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

Some useful commands to work with the Java keystore (che-server)

list certificates:

keytool -list -alias hostdomain-ca-bundle.crt -keystore /home/user/cacerts -storepass <>
keytool -list -alias hostdomain -keystore /home/user/cacerts -storepass <>
keytool -list -keystore /home/user/cacerts -storepass <>

export certificates:

keytool -export -alias hostdomain -keystore /home/user/cacerts -storepass <> -file /tmp/ca.crt -rfc
keytool -export -alias hostdomain-ca-bundle.crt -keystore /home/user/cacerts -storepass <> -file /tmp/ca-bundle.crt -rfc

Che version

  • nightly
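The bug described above (keytool -importcert stores only the first certificate of a PEM bundle) and the workaround (one certificate per .crt key in the ca-certs configmap), as an added Python example that is not part of this issue or of Che: it splits a constructed bundle into single certificates, refuses an unterminated block instead of silently dropping it, and renders the per-key ConfigMap. The SAMPLE_BUNDLE payloads are placeholders, not real certificates.

```python
import re
from typing import List

# Constructed sample bundle (placeholder payloads, not real certificates):
# two PEM blocks in one file, the layout from which keytool -importcert
# stores only the first certificate.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIB...cert1...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...cert2...
-----END CERTIFICATE-----
"""

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"\r?\n(.*?)\r?\n" + re.escape(END), re.DOTALL)


def split_pem_bundle(bundle: str) -> List[str]:
    """Return every complete certificate in the bundle, one PEM string each.

    A BEGIN line without a matching END is an error, not a silent drop:
    a truncated bundle would otherwise lose a trust anchor unnoticed.
    """
    certs = [m.group(0) + "\n" for m in PEM_BLOCK.finditer(bundle)]
    if bundle.count(BEGIN) != len(certs):
        raise ValueError("bundle contains an unterminated certificate block")
    return certs


def configmap_manifest(name: str, certs: List[str]) -> str:
    """Render the ca-certs ConfigMap from the workaround: one certificate per
    key, each key ending in .crt so che-theia picks it up."""
    lines = ["apiVersion: v1", "kind: ConfigMap", "metadata:", f"  name: {name}", "data:"]
    for index, cert in enumerate(certs, start=1):
        lines.append(f"  cert{index}.crt: |")
        lines.extend("    " + line for line in cert.splitlines())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(configmap_manifest("ca-certs", split_pem_bundle(SAMPLE_BUNDLE)))
```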
@tolusha tolusha added kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system. area/devfile-registry area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator area/plugins area/che-server and removed area/devfile-registry area/plugins labels Nov 11, 2020
@tolusha tolusha added this to the 7.23 milestone Nov 12, 2020

tolusha commented Nov 12, 2020

Some additional tests.
I see provisioned certificates that were manually added to the ca-certs configmap as new keys in all workspace containers.

sh-4.4$ ls /public-certs/
ca-bundle.crt  ca-cert1.crt  ca-cert2.crt


l0rd commented Nov 12, 2020

@tolusha are those certs imported in the jdk truststore of the vscode-java container?


tolusha commented Nov 12, 2020

@l0rd
No.

Here is the entrypoint of the Dockerfile:
https://github.com/eclipse/che-plugin-registry/blob/master/sidecars/java/etc/entrypoint.sh
/public-certs aren't managed... they are just propagated into the container

command to list certificates:

keytool -list -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272.b10-1.el8_2.x86_64/jre/lib/security/cacerts -storepass changeit

@mmorhun mmorhun self-assigned this Nov 25, 2020

mmorhun commented Dec 1, 2020

Here is the script to import a bundle into jks:

#!/bin/bash
# Import every certificate of a PEM bundle into a Java keystore.
# keytool -importcert stores only the first certificate of a file,
# so the bundle is split into single certificates before importing.

add_all_bundle_ca() {
  CA_FILE="$1"
  KEYSTORE_PATH="$2"
  KEYSTORE_PASSWORD="$3"

  if [ ! -f "$CA_FILE" ]; then
    # CA bundle file doesn't exist, skip it
    echo "Failed to import CA certificates from ${CA_FILE}. File doesn't exist"
    return
  fi

  bundle_name=$(basename "$CA_FILE")
  cert_index=0
  # Unpredictable temp file name instead of a fixed path in /tmp
  tmp_file=$(mktemp /tmp/cert.XXXXXX)
  is_cert=false
  while IFS= read -r line; do
    if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then
      # Start copying a new certificate
      is_cert=true
      cert_index=$((cert_index+1))
      # Reset destination file and add header line
      echo "$line" > "$tmp_file"
    elif [ "$line" = "-----END CERTIFICATE-----" ]; then
      # End of the certificate is reached, add it to trust store
      is_cert=false
      echo "$line" >> "$tmp_file"
      keytool -importcert -alias "${bundle_name}_${cert_index}" -keystore "$KEYSTORE_PATH" -file "$tmp_file" -storepass "$KEYSTORE_PASSWORD" -noprompt
    elif [ "$is_cert" = true ]; then
      # In the middle of a certificate, copy line to target file
      echo "$line" >> "$tmp_file"
    fi
  done < "$CA_FILE"
  # Clean up
  rm -f "$tmp_file"
}

add_all_bundle_ca "$@"

nickboldt commented

Followup work downstream tracked in https://issues.redhat.com/projects/CRW/issues/CRW-1413
