chainguard-dev / incert

Add CA certificates into containers
Apache License 2.0
128 stars 13 forks

Feature Request: Handle Java (and possibly other platforms) which has its own cert store #18

Open amouat opened 3 months ago

amouat commented 3 months ago

To add certificates to a Java image you need to use "keytool" e.g:

keytool -import -alias $filename -file $filename -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt

There are probably other platforms with similar bespoke solutions. In these cases we could add a flag (e.g. --add-java-cert) or try to detect if a Java image was being used.

xnox commented 2 months ago

I know of 4 keystores:

See

$ curl -s http://archive.ubuntu.com/ubuntu/dists/oracular/Contents-amd64.gz | gzip -d | grep etc/ca-certificates/update.d
etc/ca-certificates/update.d/jks-keystore           misc/ca-certificates-java
etc/ca-certificates/update.d/mono-keystore          universe/cli-mono/ca-certificates-mono

Those are for the java & mono keystores; ca-certificates itself handles the mega bundle & symlinks.

Wildcards:

amouat commented 2 months ago

Thanks @xnox !

hslatman commented 2 months ago

At Smallstep we have a package for interacting with (some of) those stores: https://github.com/smallstep/truststore. It's based on mkcert, but adapted for use as a library. It might be useful for this use case. If you miss functionality, we can likely add it 🙂

amouat commented 2 months ago

Oh, nice! Thanks @hslatman.

Just to be clear, this is a "backlog" issue, I'm not sure when we'll be able to prioritise it. That being said, if anyone reads this and needs this functionality, please comment or leave an emoji.

anoncam commented 2 months ago

+1 this feature.

xnox commented 2 months ago

@amouat @pnasrat also for java, I think we may need more than one type of java keystore. As I think jdk & jdk-fips images expect keytool certs in different store types possibly?

I.e. keytool -importcert -v -trustcacerts -file "cacert.pem" -alias ca -keystore "mySrvTruststore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk16-145.jar" -storetype BKS -storepass testtest

Possibly nss-db certs too in the future, to basically have equivalent of cert store procedures that others do by hand for other container types.

xnox commented 2 months ago

https://github.com/docker-library/docs/blob/master/eclipse-temurin/README.md#can-i-add-my-internal-ca-certificates-to-the-truststore

Note that the eclipse-temurin Java image has hooks to allow on-the-fly creation of the Java truststore with injected certs.

See implementation at

https://github.com/adoptium/containers/blob/0062d7960c45bb5a7f35f831ea43e0b4b894a5c7/8/jre/alpine/entrypoint.sh#L15

I guess we could do something similar in our images' entrypoint too, to be compatible.
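One building block the keytool-based approaches above (the `-alias $filename` import and the temurin entrypoint hook) both need: keytool takes one certificate under one alias per `-importcert` call, so a multi-cert PEM bundle has to be split first, and aliases must not collide when the import is re-run. The following is an added illustration, not incert's own code; it splits a bundle into alias-keyed CA certificates (alias from the SHA-256 fingerprint, leaf certificates dropped) and builds a constructed sample certificate only so it can run offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"math/big"
	"time"
)

// SplitBundle maps each CA certificate in a PEM bundle to a keystore alias.
// keytool imports one certificate under one alias per call, so a bundle must be
// split; a fingerprint-derived alias keeps aliases unique, and keying by alias
// makes a repeated cert (or a re-run) idempotent instead of "alias already exists".
func SplitBundle(bundle []byte) (map[string]*x509.Certificate, error) {
	out := map[string]*x509.Certificate{}
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			return out, nil
		}
		bundle = rest
		if block.Type != "CERTIFICATE" {
			continue // ignore keys or other PEM objects in the bundle
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err // a corrupt block should fail loudly, not be skipped
		}
		if !c.IsCA {
			continue // leaf certificates do not belong in a truststore
		}
		fp := sha256.Sum256(c.Raw)
		out["incert-"+hex.EncodeToString(fp[:8])] = c
	}
}

// SelfSignedCert builds a constructed sample certificate (not real data) as PEM.
func SelfSignedCert(isCA bool) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Each returned alias/certificate pair is what a single `keytool -importcert -noprompt -trustcacerts -alias <alias> -file <cert.pem> -keystore /etc/ssl/certs/java/cacerts -storepass changeit` call would consume.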

amouat commented 2 months ago

Also note this issue on adoptium about handling certs: https://github.com/adoptium/containers/issues/573