Skip to content

Commit

Permalink
Reproducible Certificates
Browse files Browse the repository at this point in the history 
Previously the way certificates were created was non-reproducible.  A
"current" timestamp was used when adding entries to the trust store which
would mean that the keystore would be unique each time it was created.  This
change uses our standard normalized timestamp during creation.

Signed-off-by: Ben Hale <bhale@vmware.com>
  • Loading branch information
@nebhale
nebhale committed Nov 10, 2020
1 parent e92d0d5 commit 427189e
Show file tree
Hide file tree
Showing 7 changed files with 57 additions and 43 deletions.
25 changes: 15 additions & 10 deletions certificate_loader.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,12 +29,14 @@ import (
"time"

"github.com/paketo-buildpacks/libpak/sherpa"
"github.com/pavel-v-chernykh/keystore-go"
"github.com/pavel-v-chernykh/keystore-go/v4"
"golang.org/x/sys/unix"
)

const DefaultCertFile = "/etc/ssl/certs/ca-certificates.crt"

var NormalizedDateTime = time.Date(1980, time.January, 1, 0, 0, 1, 0, time.UTC)

type CertificateLoader struct {
CertFile string
CertDirs []string
Expand Down Expand Up @@ -74,15 +76,18 @@ func (c *CertificateLoader) Load(path string, password string) error {
}

for i, b := range blocks {
ks[fmt.Sprintf("%s-%d", f, i)] = &keystore.TrustedCertificateEntry{
Entry: keystore.Entry{
CreationDate: time.Now(),
},
entry := keystore.TrustedCertificateEntry{
CreationTime: NormalizedDateTime,
Certificate: keystore.Certificate{
Type: "X.509",
Content: b.Bytes,
},
}

if err := ks.SetTrustedCertificateEntry(fmt.Sprintf("%s-%d", f, i), entry); err != nil {
return fmt.Errorf("unable to add trusted entry\n%w", err)
}

added++
}
}
Expand Down Expand Up @@ -176,13 +181,13 @@ func (c CertificateLoader) readBlocks(path string) ([]*pem.Block, error) {
func (CertificateLoader) readKeyStore(path string, password string) (keystore.KeyStore, error) {
in, err := os.Open(path)
if err != nil {
return nil, fmt.Errorf("unable to open %s\n%w", path, err)
return keystore.KeyStore{}, fmt.Errorf("unable to open %s\n%w", path, err)
}
defer in.Close()

ks, err := keystore.Decode(in, []byte(password))
if err != nil {
return nil, fmt.Errorf("unable to decode keystore\n %w", err)
ks := keystore.New()
if err := ks.Load(in, []byte(password)); err != nil {
return keystore.KeyStore{}, fmt.Errorf("unable to decode keystore\n %w", err)
}

return ks, nil
Expand All @@ -200,7 +205,7 @@ func (c CertificateLoader) writeKeyStore(ks keystore.KeyStore, path string, pass
}
defer out.Close()

if err := keystore.Encode(out, ks, []byte(password)); err != nil {
if err := ks.Store(out, []byte(password)); err != nil {
return fmt.Errorf("unable to encode keystore\n%w", err)
}

Expand Down
20 changes: 13 additions & 7 deletions certificate_loader_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ import (
"testing"

. "github.com/onsi/gomega"
"github.com/pavel-v-chernykh/keystore-go"
"github.com/pavel-v-chernykh/keystore-go/v4"
"github.com/sclevine/spec"

"github.com/paketo-buildpacks/libjvm"
Expand Down Expand Up @@ -135,8 +135,10 @@ func testCertificateLoader(t *testing.T, context spec.G, it spec.S) {
Expect(err).NotTo(HaveOccurred())
defer in.Close()

ks, err := keystore.Decode(in, []byte("changeit"))
Expect(ks).To(HaveLen(2))
ks := keystore.New()
err = ks.Load(in, []byte("changeit"))
Expect(err).NotTo(HaveOccurred())
Expect(ks.Aliases()).To(HaveLen(2))
})

it("loads additional certificates from directories", func() {
Expand All @@ -151,8 +153,10 @@ func testCertificateLoader(t *testing.T, context spec.G, it spec.S) {
Expect(err).NotTo(HaveOccurred())
defer in.Close()

ks, err := keystore.Decode(in, []byte("changeit"))
Expect(ks).To(HaveLen(3))
ks := keystore.New()
err = ks.Load(in, []byte("changeit"))
Expect(err).NotTo(HaveOccurred())
Expect(ks.Aliases()).To(HaveLen(3))
})

if internal.IsRoot() {
Expand All @@ -173,8 +177,10 @@ func testCertificateLoader(t *testing.T, context spec.G, it spec.S) {
Expect(err).NotTo(HaveOccurred())
defer in.Close()

ks, err := keystore.Decode(in, []byte("changeit"))
Expect(ks).To(HaveLen(1))
ks := keystore.New()
err = ks.Load(in, []byte("changeit"))
Expect(err).NotTo(HaveOccurred())
Expect(ks.Aliases()).To(HaveLen(1))
})
})
}
2 changes: 1 addition & 1 deletion go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ require (
github.com/miekg/dns v1.1.35
github.com/onsi/gomega v1.10.3
github.com/paketo-buildpacks/libpak v1.49.1
github.com/pavel-v-chernykh/keystore-go v2.1.0+incompatible
github.com/pavel-v-chernykh/keystore-go/v4 v4.0.0
github.com/sclevine/spec v1.4.0
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f
)
4 changes: 2 additions & 2 deletions go.sum
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,8 @@ github.com/onsi/gomega v1.10.3 h1:gph6h/qe9GSUw1NhH1gp+qb+h8rXD8Cy60Z32Qw3ELA=
github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc=
github.com/paketo-buildpacks/libpak v1.49.1 h1:G0aFzDcPf3BQXsBss+FN1buiNG7yQIzUvTKFsC72CqU=
github.com/paketo-buildpacks/libpak v1.49.1/go.mod h1:8vMe0mZNZj1vqngvtH6KCrs98mL+KW9mTymOb5PE6pw=
github.com/pavel-v-chernykh/keystore-go v2.1.0+incompatible h1:Jd6xfriVlJ6hWPvYOE0Ni0QWcNTLRehfGPFxr3eSL80=
github.com/pavel-v-chernykh/keystore-go v2.1.0+incompatible/go.mod h1:xlUlxe/2ItGlQyMTstqeDv9r3U4obH7xYd26TbDQutY=
github.com/pavel-v-chernykh/keystore-go/v4 v4.0.0 h1:4LEQ+RvYRMzofgd3iWjRFBQAJ1nQPUyy38QPCAbOsrY=
github.com/pavel-v-chernykh/keystore-go/v4 v4.0.0/go.mod h1:2ejgys4qY+iNVW1IittZhyRYA6MNv8TgM6VHqojbB9g=
github.com/pelletier/go-toml v1.8.1 h1:1Nf83orprkJyknT6h7zbuEGUEjcyVlCxSUGTENmNCRM=
github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
Expand Down
14 changes: 9 additions & 5 deletions helper/openssl_certificate_loader_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ import (

. "github.com/onsi/gomega"
"github.com/paketo-buildpacks/libpak/bard"
"github.com/pavel-v-chernykh/keystore-go"
"github.com/pavel-v-chernykh/keystore-go/v4"
"github.com/sclevine/spec"

"github.com/paketo-buildpacks/libjvm"
Expand Down Expand Up @@ -90,8 +90,10 @@ func testOpenSSLCertificateLoader(t *testing.T, context spec.G, it spec.S) {
Expect(err).NotTo(HaveOccurred())
defer in.Close()

ks, err := keystore.Decode(in, []byte("changeit"))
Expect(ks).To(HaveLen(3))
ks := keystore.New()
err = ks.Load(in, []byte("changeit"))
Expect(err).NotTo(HaveOccurred())
Expect(ks.Aliases()).To(HaveLen(3))
})

if internal.IsRoot() {
Expand All @@ -109,8 +111,10 @@ func testOpenSSLCertificateLoader(t *testing.T, context spec.G, it spec.S) {
Expect(err).NotTo(HaveOccurred())
defer in.Close()

ks, err := keystore.Decode(in, []byte("changeit"))
Expect(ks).To(HaveLen(1))
ks := keystore.New()
err = ks.Load(in, []byte("changeit"))
Expect(err).NotTo(HaveOccurred())
Expect(ks.Aliases()).To(HaveLen(1))
})
})

Expand Down
15 changes: 7 additions & 8 deletions jdk_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ import (
. "github.com/onsi/gomega"
"github.com/paketo-buildpacks/libpak"
"github.com/paketo-buildpacks/libpak/bard"
"github.com/pavel-v-chernykh/keystore-go"
"github.com/pavel-v-chernykh/keystore-go/v4"
"github.com/sclevine/spec"

"github.com/paketo-buildpacks/libjvm"
Expand Down Expand Up @@ -104,10 +104,10 @@ func testJDK(t *testing.T, context spec.G, it spec.S) {
Expect(err).NotTo(HaveOccurred())
defer in.Close()

ks, err := keystore.Decode(in, []byte("changeit"))
ks := keystore.New()
err = ks.Load(in, []byte("changeit"))
Expect(err).NotTo(HaveOccurred())

Expect(ks).To(HaveLen(3))
Expect(ks.Aliases()).To(HaveLen(3))
})

it("updates after Java 9 certificates", func() {
Expand All @@ -131,10 +131,9 @@ func testJDK(t *testing.T, context spec.G, it spec.S) {
in, err := os.Open(filepath.Join(layer.Path, "lib", "security", "cacerts"))
Expect(err).NotTo(HaveOccurred())
defer in.Close()

ks, err := keystore.Decode(in, []byte("changeit"))
ks := keystore.New()
err = ks.Load(in, []byte("changeit"))
Expect(err).NotTo(HaveOccurred())

Expect(ks).To(HaveLen(3))
Expect(ks.Aliases()).To(HaveLen(3))
})
}
20 changes: 10 additions & 10 deletions jre_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ import (
. "github.com/onsi/gomega"
"github.com/paketo-buildpacks/libpak"
"github.com/paketo-buildpacks/libpak/bard"
"github.com/pavel-v-chernykh/keystore-go"
"github.com/pavel-v-chernykh/keystore-go/v4"
"github.com/sclevine/spec"

"github.com/paketo-buildpacks/libjvm"
Expand Down Expand Up @@ -104,10 +104,10 @@ func testJRE(t *testing.T, context spec.G, it spec.S) {
Expect(err).NotTo(HaveOccurred())
defer in.Close()

ks, err := keystore.Decode(in, []byte("changeit"))
ks := keystore.New()
err = ks.Load(in, []byte("changeit"))
Expect(err).NotTo(HaveOccurred())

Expect(ks).To(HaveLen(3))
Expect(ks.Aliases()).To(HaveLen(3))
})

it("updates before Java 9 JDK certificates", func() {
Expand All @@ -132,10 +132,10 @@ func testJRE(t *testing.T, context spec.G, it spec.S) {
Expect(err).NotTo(HaveOccurred())
defer in.Close()

ks, err := keystore.Decode(in, []byte("changeit"))
ks := keystore.New()
err = ks.Load(in, []byte("changeit"))
Expect(err).NotTo(HaveOccurred())

Expect(ks).To(HaveLen(3))
Expect(ks.Aliases()).To(HaveLen(3))
})

it("updates after Java 9 JDK certificates", func() {
Expand All @@ -160,10 +160,10 @@ func testJRE(t *testing.T, context spec.G, it spec.S) {
Expect(err).NotTo(HaveOccurred())
defer in.Close()

ks, err := keystore.Decode(in, []byte("changeit"))
ks := keystore.New()
err = ks.Load(in, []byte("changeit"))
Expect(err).NotTo(HaveOccurred())

Expect(ks).To(HaveLen(3))
Expect(ks.Aliases()).To(HaveLen(3))
})

it("marks layer for build", func() {
Expand Down

0 comments on commit 427189e

Please sign in to comment.