Skip to content

Commit

Permalink
Merge branch 'main' into gpg
Browse files Browse the repository at this point in the history
  • Loading branch information
gdams authored Oct 21, 2024
2 parents 37b2bc0 + 2c95820 commit 796c685
Show file tree
Hide file tree
Showing 49 changed files with 592 additions and 92 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----
MIICzDCCAbSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1kb2Nr
ZXJidWlsZGVyMB4XDTI0MDgyNzA5MDIwMFoXDTI1MDgyNzA5MDIwMFowGDEWMBQG
A1UEAwwNZG9ja2VyYnVpbGRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBANIIAbZXdD1qOy/cdaLN0p7emnRUMgMhhL91F7/GA3LBCyURSBTNuaI2ibq+
BxUjldsv8HOaesLG0Au4iaggnMK6YPHThDOqOw6ME4ghAD/10l6lHf+kTRvN4eC9
bv3H1jieejVFIgienFfuFKcsNCFKPp4Rh7+D5HHJ3wtBVfaLT4K4q46Qlvkow7s8
cQ3WSdvpsLDZo7cN1fRWMNHhDFbIs/DGkbhZUAxxUkUoUPyn+zvpRTY6QXoAQe57
ed9qhhXQcpbHtHN8ecTenC2KEXQuGC0/KaqEJgTqE5W7Ihg0EvGeYpzdSt6ELSFx
WL3COwk/xTCcIqBPSiYmwPMKmd0CAwEAAaMhMB8wHQYDVR0OBBYEFCspyA0xL4b+
2/cDj4tGqxI9L0/KMA0GCSqGSIb3DQEBCwUAA4IBAQC/UmqrbRfvmK5YX6uCBVA0
SczwSuQRM7Zgi8PMCKLH4NvoeP6cYnAc46uaO3sp9iAv/LCw7Rw7A/LvZWmVCYPp
AstB6kI7nTDHULRGEk3aUar7B8uAVbMNF9V8iOnlk2G2qTvHMW9I4rGtQKqK6YXd
0m2XZ6UOEzNBPKDHqFfNOYpo1qts5CDLynGIX0tFTSlks5BMrV13xn/4giRj4UHY
bmElscCTfR/anNxGIBUp7dqGsv4zOeCE6kac4vsENyS+x+a8W0yveTY+TQnfKalT
KjZXCkPsZp2vZY6eCv2/09L94nXGMB40NDVOaDD/d2fZuQPadRTsF4AqEt9CsN5n
-----END CERTIFICATE-----
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----
MIICzDCCAbSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1kb2Nr
ZXJidWlsZGVyMB4XDTI0MDgyNzA5MDIwNFoXDTI1MDgyNzA5MDIwNFowGDEWMBQG
A1UEAwwNZG9ja2VyYnVpbGRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBANIIAbZXdD1qOy/cdaLN0p7emnRUMgMhhL91F7/GA3LBCyURSBTNuaI2ibq+
BxUjldsv8HOaesLG0Au4iaggnMK6YPHThDOqOw6ME4ghAD/10l6lHf+kTRvN4eC9
bv3H1jieejVFIgienFfuFKcsNCFKPp4Rh7+D5HHJ3wtBVfaLT4K4q46Qlvkow7s8
cQ3WSdvpsLDZo7cN1fRWMNHhDFbIs/DGkbhZUAxxUkUoUPyn+zvpRTY6QXoAQe57
ed9qhhXQcpbHtHN8ecTenC2KEXQuGC0/KaqEJgTqE5W7Ihg0EvGeYpzdSt6ELSFx
WL3COwk/xTCcIqBPSiYmwPMKmd0CAwEAAaMhMB8wHQYDVR0OBBYEFCspyA0xL4b+
2/cDj4tGqxI9L0/KMA0GCSqGSIb3DQEBCwUAA4IBAQAbEOXj4VHl3BvmoLEw3ykk
5c4CZwTuKOm7gh6MJB6iPZIord/LyjLoMh/Mbhy5uNNKxyA53aeZzsc3q35Uks9K
Tm02Pz6LQ3gMBvXQ/FfFu1+RXHbDOD5I9enrEsXTx4PGylFv8/9LqBfGiFGxPy6a
C8s8d22AZsL1P6iwxNoQgfBSSqZhH/mKJyYqFwlqBmo/PQTVt2noWP6afBOfUs4W
AGaeJUexLAem487MlPuzaSAr397zhvCVt7GNAkMwzU2KxH9auJ/5NFy1YyDSgsa0
9rcy1gZGzJdOR2AbOZ1FXXqsw91S5SAzb+qR54KIusJ4ON+bPaQc7ZtnNKvbnBxG
-----END CERTIFICATE-----
Original file line number Diff line number Diff line change
@@ -1 +1 @@
010101000001010101000001
0101010000010001010100000100
18 changes: 17 additions & 1 deletion .test/tests/java-ca-certificates-update/run.sh
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ CMD1=date

# CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore. Entrypoint export $CACERT to
# point to the Java keystore.
CMD2=(sh -c "keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder && keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder2")
CMD2=(sh -c "keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder && keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder2")

# For a custom entrypoint test, we need to create a new image. This image will get cleaned up at the end of the script
# by the `finish` trap function.
Expand Down Expand Up @@ -75,6 +75,14 @@ echo -n $?
docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" "${CMD2[@]}" >&/dev/null
echo -n $?

# Test run 7: Two certificates with the same CN are mounted and the environment variable is set.
# We expect both CMD1 to succeed and CMD2 to find both certificates.
docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_duplicate_cn:/certificates "$1" $CMD1 >&/dev/null
echo -n $?
CMD3=(sh -c "keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder && keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder_02")
docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_duplicate_cn:/certificates "$1" "${CMD3[@]}" >&/dev/null
echo -n $?

#
# PHASE 2: Non-root containers
#
Expand Down Expand Up @@ -119,3 +127,11 @@ docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --
echo -n $?
docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" "${CMD2[@]}" >&/dev/null
echo -n $?

# Test run 7: Two certificates with the same CN are mounted and the environment variable is set.
# We expect both CMD1 to succeed and CMD2 to find both certificates.
docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_duplicate_cn:/certificates "$1" $CMD1 >&/dev/null
echo -n $?
CMD3=(sh -c "keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder && keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder_02")
docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_duplicate_cn:/certificates "$1" "${CMD3[@]}" >&/dev/null
echo -n $?
14 changes: 12 additions & 2 deletions 11/jdk/alpine/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'

for crt in "$tmp_dir/$BASENAME"-*; do
# Create an alias for the certificate
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
# Extract the Common Name (CN) and Serial Number from the certificate
CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')

# Check if an alias with the CN already exists in the keystore
ALIAS=$CN
if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
# If the CN already exists, append the serial number to the alias
ALIAS="${CN}_${SERIAL}"
fi

echo "Adding certificate with alias $ALIAS to the JVM truststore"

# Add the certificate to the JVM truststore
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
Expand Down
14 changes: 12 additions & 2 deletions 11/jdk/ubi/ubi9-minimal/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'

for crt in "$tmp_dir/$BASENAME"-*; do
# Create an alias for the certificate
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
# Extract the Common Name (CN) and Serial Number from the certificate
CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')

# Check if an alias with the CN already exists in the keystore
ALIAS=$CN
if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
# If the CN already exists, append the serial number to the alias
ALIAS="${CN}_${SERIAL}"
fi

echo "Adding certificate with alias $ALIAS to the JVM truststore"

# Add the certificate to the JVM truststore
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
Expand Down
14 changes: 12 additions & 2 deletions 11/jdk/ubuntu/focal/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'

for crt in "$tmp_dir/$BASENAME"-*; do
# Create an alias for the certificate
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
# Extract the Common Name (CN) and Serial Number from the certificate
CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')

# Check if an alias with the CN already exists in the keystore
ALIAS=$CN
if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
# If the CN already exists, append the serial number to the alias
ALIAS="${CN}_${SERIAL}"
fi

echo "Adding certificate with alias $ALIAS to the JVM truststore"

# Add the certificate to the JVM truststore
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
Expand Down
14 changes: 12 additions & 2 deletions 11/jdk/ubuntu/jammy/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'

for crt in "$tmp_dir/$BASENAME"-*; do
# Create an alias for the certificate
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
# Extract the Common Name (CN) and Serial Number from the certificate
CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')

# Check if an alias with the CN already exists in the keystore
ALIAS=$CN
if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
# If the CN already exists, append the serial number to the alias
ALIAS="${CN}_${SERIAL}"
fi

echo "Adding certificate with alias $ALIAS to the JVM truststore"

# Add the certificate to the JVM truststore
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
Expand Down
14 changes: 12 additions & 2 deletions 11/jdk/ubuntu/noble/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'

for crt in "$tmp_dir/$BASENAME"-*; do
# Create an alias for the certificate
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
# Extract the Common Name (CN) and Serial Number from the certificate
CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')

# Check if an alias with the CN already exists in the keystore
ALIAS=$CN
if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
# If the CN already exists, append the serial number to the alias
ALIAS="${CN}_${SERIAL}"
fi

echo "Adding certificate with alias $ALIAS to the JVM truststore"

# Add the certificate to the JVM truststore
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
Expand Down
14 changes: 12 additions & 2 deletions 11/jre/alpine/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'

for crt in "$tmp_dir/$BASENAME"-*; do
# Create an alias for the certificate
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
# Extract the Common Name (CN) and Serial Number from the certificate
CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')

# Check if an alias with the CN already exists in the keystore
ALIAS=$CN
if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
# If the CN already exists, append the serial number to the alias
ALIAS="${CN}_${SERIAL}"
fi

echo "Adding certificate with alias $ALIAS to the JVM truststore"

# Add the certificate to the JVM truststore
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
Expand Down
14 changes: 12 additions & 2 deletions 11/jre/ubi/ubi9-minimal/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'

for crt in "$tmp_dir/$BASENAME"-*; do
# Create an alias for the certificate
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
# Extract the Common Name (CN) and Serial Number from the certificate
CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')

# Check if an alias with the CN already exists in the keystore
ALIAS=$CN
if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
# If the CN already exists, append the serial number to the alias
ALIAS="${CN}_${SERIAL}"
fi

echo "Adding certificate with alias $ALIAS to the JVM truststore"

# Add the certificate to the JVM truststore
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
Expand Down
14 changes: 12 additions & 2 deletions 11/jre/ubuntu/focal/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'

for crt in "$tmp_dir/$BASENAME"-*; do
# Create an alias for the certificate
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
# Extract the Common Name (CN) and Serial Number from the certificate
CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')

# Check if an alias with the CN already exists in the keystore
ALIAS=$CN
if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
# If the CN already exists, append the serial number to the alias
ALIAS="${CN}_${SERIAL}"
fi

echo "Adding certificate with alias $ALIAS to the JVM truststore"

# Add the certificate to the JVM truststore
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
Expand Down
14 changes: 12 additions & 2 deletions 11/jre/ubuntu/jammy/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'

for crt in "$tmp_dir/$BASENAME"-*; do
# Create an alias for the certificate
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
# Extract the Common Name (CN) and Serial Number from the certificate
CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')

# Check if an alias with the CN already exists in the keystore
ALIAS=$CN
if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
# If the CN already exists, append the serial number to the alias
ALIAS="${CN}_${SERIAL}"
fi

echo "Adding certificate with alias $ALIAS to the JVM truststore"

# Add the certificate to the JVM truststore
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
Expand Down
14 changes: 12 additions & 2 deletions 11/jre/ubuntu/noble/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'

for crt in "$tmp_dir/$BASENAME"-*; do
# Create an alias for the certificate
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
# Extract the Common Name (CN) and Serial Number from the certificate
CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')

# Check if an alias with the CN already exists in the keystore
ALIAS=$CN
if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
# If the CN already exists, append the serial number to the alias
ALIAS="${CN}_${SERIAL}"
fi

echo "Adding certificate with alias $ALIAS to the JVM truststore"

# Add the certificate to the JVM truststore
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
Expand Down
14 changes: 12 additions & 2 deletions 17/jdk/alpine/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,18 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'

for crt in "$tmp_dir/$BASENAME"-*; do
# Create an alias for the certificate
ALIAS=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
# Extract the Common Name (CN) and Serial Number from the certificate
CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')

# Check if an alias with the CN already exists in the keystore
ALIAS=$CN
if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
# If the CN already exists, append the serial number to the alias
ALIAS="${CN}_${SERIAL}"
fi

echo "Adding certificate with alias $ALIAS to the JVM truststore"

# Add the certificate to the JVM truststore
keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
Expand Down
Loading

0 comments on commit 796c685

Please sign in to comment.