Include JRE Certificates

nebhale · nebhale · commit c912c9969d1f · 2017-01-25T12:00:20.000-08:00
Previously, the Trust Store Builder only added certificates from the container. This would break compatibility for anyone currently using the JRE's built in trust store to get certificates into the system. This change adds support for getting certificates out of the JRE's cacerts as well. [resolves cloudfoundry#372]
diff --git a/.idea/dictionaries/bhale.xml b/.idea/dictionaries/bhale.xml
diff --git a/config/container_certificate_trust_store.yml b/config/container_certificate_trust_store.yml
@@ -15,6 +15,6 @@
 
 # Container certificate truststore configuration
 ---
-version: 1.+
+version: 2.+
 repository_root: "{default.repository.root}/container-certificate-trust-store"
 enabled: true
diff --git a/lib/java_buildpack/framework/container_certificate_trust_store.rb b/lib/java_buildpack/framework/container_certificate_trust_store.rb
@@ -31,7 +31,9 @@ def compile
         with_timing("Adding certificates to #{trust_store.relative_path_from(@droplet.root)}") do
           FileUtils.mkdir_p trust_store.parent
 
-          shell "#{java} -jar #{@droplet.sandbox + jar_name} #{ca_certificates} #{trust_store} #{password}"
+          shell "#{java} -jar #{@droplet.sandbox + jar_name} --container-source #{ca_certificates} --destination " \
+                "#{trust_store} --destination-password #{password} --jre-source #{cacerts} --jre-source-password " \
+                'changeit'
         end
       end
 
@@ -66,6 +68,10 @@ def ca_certificates
         end
       end
 
+      def cacerts
+        @droplet.java_home.root + 'lib/security/cacerts'
+      end
+
       def java
         @droplet.java_home.root + 'bin/java'
       end
diff --git a/spec/java_buildpack/framework/container_certificate_trust_store_spec.rb b/spec/java_buildpack/framework/container_certificate_trust_store_spec.rb
@@ -47,8 +47,11 @@
     allow(component).to receive(:ca_certificates).and_return(ca_certificates)
     allow(component).to receive(:shell).with("#{java_home.root}/bin/java -jar " \
                                              "#{sandbox}/container_certificate_trust_store-0.0.0.jar " \
-                                             "#{ca_certificates} #{sandbox}/truststore.jks " \
-                                             'java-buildpack-trust-store-password')
+                                             "--container-source #{ca_certificates} " \
+                                             "--destination #{sandbox}/truststore.jks " \
+                                             '--destination-password java-buildpack-trust-store-password ' \
+                                             "--jre-source #{java_home.root}/lib/security/cacerts " \
+                                             '--jre-source-password changeit')
 
     component.compile
   end
