Update the Java cacert file with updates from Mozilla which include a…

…dditional trusted CAs.
mendix · May 2, 2019 · 5df6804 · 5df6804
1 parent 3eaec80
commit 5df6804
Show file tree

Hide file tree

Showing 9 changed files with 3,481 additions and 3 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -15,7 +15,10 @@ before_script:
   - sudo update-ca-certificates
 
 script:
-  - travis_wait 45 make test
+  - make test &
+  - MAKE_PID=$!
+  - while [ -e /proc/$MAKE_PID ]; do echo -n "."  && sleep 60; done
+  - wait $MAKE_PID && sleep 15
 
 notifications:
   email: false
diff --git a/bin/compile.py b/bin/compile.py
@@ -125,6 +125,8 @@ def set_up_java():
         ),
         os.path.join(DOT_LOCAL_LOCATION, "bin", "java"),
     )
+    # update cacert file
+    buildpackutil.update_java_cacert(BUILDPACK_DIR, jvm_location)
     logging.debug("end download and install java")
 
 

diff --git a/lib/buildpackutil.py b/lib/buildpackutil.py
@@ -209,7 +209,7 @@ def ensure_mxbuild_in_directory(directory, mx_version, cache_dir):
 
     url = os.environ.get("FORCED_MXBUILD_URL")
     if url:
-        # don't ever cache with a FORCED_MXBUILD_URL
+        # don"t ever cache with a FORCED_MXBUILD_URL
         download_and_unpack(url, directory, cache_dir="/tmp/downloads")
     else:
         try:
@@ -389,6 +389,56 @@ def ensure_and_get_jvm(
     )
 
 
+def update_java_cacert(buildpack_dir, jvm_location):
+    logging.debug("Applying Mozilla CA certificates update to JVM cacerts...")
+    cacerts_file = os.path.join(jvm_location, "lib", "security", "cacerts")
+    if not os.path.exists(cacerts_file):
+        logging.warning(
+            "Cannot locate cacerts file {}. Skippiung update of CA certiticates.".format(
+                cacerts_file
+            )
+        )
+        return
+
+    update_cacert_path = os.path.join(buildpack_dir, "lib", "cacert")
+    if not os.path.exists(update_cacert_path):
+        logging.warning(
+            "Cannot locate cacert lib folder {}. Skipping  update of CA certificates.".format(
+                update_cacert_path
+            )
+        )
+        return
+
+    cacert_merged = "cacerts.merged"
+    env = dict(os.environ)
+
+    try:
+        subprocess.check_output(
+            (
+                os.path.join(jvm_location, "bin", "java"),
+                "-jar",
+                os.path.join(update_cacert_path, "keyutil-0.4.0.jar"),
+                "-i",
+                "--new-keystore",
+                cacert_merged,
+                "--password",
+                "changeit",
+                "--import-pem-file",
+                os.path.join(update_cacert_path, "cacert.pem"),
+                "--import-jks-file",
+                "{}:changeit".format(cacerts_file),
+            ),
+            env=env,
+            stderr=subprocess.STDOUT,
+        )
+    except Exception as ex:
+        logging.error("Error applying cacert update: {}".format(ex.output), ex)
+        raise ex
+
+    os.rename(cacert_merged, cacerts_file)
+    logging.debug("Update of cacerts file finished.")
+
+
 def i_am_primary_instance():
     return os.getenv("CF_INSTANCE_INDEX", "0") == "0"
 

diff --git a/lib/cacert/README.md b/lib/cacert/README.md
@@ -0,0 +1,6 @@
+This folder contains tooling to update the Java cacert file with the file provided by Mozilla. The Oracle and
+AdoptOpenJDK versions lack certificates like Staat der Nederlanden and Let's Encrypt. The Mozilla cacert is considered
+a save extension to the Java distibuted one.
+
+The original cacert.pem file is located at [https://curl.haxx.se/docs/caextract.html](https://curl.haxx.se/docs/caextract.html).
+
diff --git a/lib/cacert/cacert.pem b/lib/cacert/cacert.pem
diff --git a/lib/cacert/keyutil-0.4.0.jar b/lib/cacert/keyutil-0.4.0.jar
diff --git a/start.py b/start.py
@@ -78,7 +78,7 @@ def get_current_buildpack_commit():
 
 
 logger.info(
-    "Started Mendix Cloud Foundry Buildpack v3.2.0 [commit:%s]",
+    "Started Mendix Cloud Foundry Buildpack v3.2.1 [commit:%s]",
     get_current_buildpack_commit(),
 )
 logging.getLogger("m2ee").propagate = False

diff --git a/tests/usecase/basetest.py b/tests/usecase/basetest.py
@@ -215,3 +215,17 @@ def cmd(self, command, env=None):
         except subprocess.CalledProcessError as e:
             print(e.output.decode("utf-8"))
             raise
+
+    def assert_certificate_in_cacert(self, cert_alias):
+        env = dict(os.environ)
+        output = self.cmd(
+            (
+                "cf",
+                "ssh",
+                self.app_name,
+                "-c",
+                "app/.local/usr/lib/jvm/*/bin/keytool -list -storepass changeit -keystore app/.local/usr/lib/jvm/*/lib/security/cacerts",  # noqa: E501
+            ),
+            env=env,
+        )
+        self.assertIn(cert_alias, output)
diff --git a/tests/usecase/test_jdk_versions.py b/tests/usecase/test_jdk_versions.py
@@ -58,6 +58,7 @@ def test_oracle_jdk_8(self):
         assert target_dir == "usr/lib/jvm/jre-8u202-oracle-x64"
 
         self._check_java_presence(target_dir)
+        self.assert_certificate_in_cacert("staat der nederlanden root ca - g3")
 
     def test_adopt_jdk_8(self):
         self.setUpCF("AdoptOpenJDKTest_7.23.1.mda", health_timeout=60)
@@ -72,6 +73,7 @@ def test_adopt_jdk_8(self):
         )
 
         self._check_java_presence(target_dir)
+        self.assert_certificate_in_cacert("staat der nederlanden root ca - g3")
 
     def test_fast_deploy_7_23_1(self):
         self.setUpCF(