diff --git a/.bazelrc b/.bazelrc
index 8eb97f0..baf0214 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -10,6 +10,10 @@ common --enable_bzlmod
 
 # https://bazelbuild.slack.com/archives/C014RARENH0/p1691158021917459?thread_ts=1691156601.420349&cid=C014RARENH0
 common --check_direct_dependencies=off
+
+# Use a hermetic Java version
+build --java_runtime_version=remotejdk_17
+
 # Load any settings specific to the current user.
 # .bazelrc.user should appear in .gitignore so that settings are not shared with team members
 # This needs to be last statement in this
diff --git a/distroless/private/java_keystore.bzl b/distroless/private/java_keystore.bzl
index df67a7b..aeaea97 100644
--- a/distroless/private/java_keystore.bzl
+++ b/distroless/private/java_keystore.bzl
@@ -7,17 +7,17 @@ _DOC = """Create a java keystore (database) of cryptographic keys, X.509 certifi
 Currently only public X.509 are supported as part of the PUBLIC API contract.
 """
 
-def _find_keytool(java_runtime):
-    for f in java_runtime.files.to_list():
+def _find_keytool(java):
+    for f in java.java_runtime.files.to_list():
         if f.basename == "keytool":
             return f
     fail("java toolchain does not contain `keytool`.")
 
 def _java_keystore_impl(ctx):
-    jdk = ctx.toolchains["@bazel_tools//tools/jdk:runtime_toolchain_type"]
+    jdk = ctx.toolchains["@bazel_tools//tools/jdk:toolchain_type"]
     coreutils = ctx.toolchains["@aspect_bazel_lib//lib:coreutils_toolchain_type"]
     bsdtar = ctx.toolchains[tar_lib.TOOLCHAIN_TYPE]
-    keytool = _find_keytool(jdk.java_runtime)
+    keytool = _find_keytool(jdk.java)
 
     jks = ctx.actions.declare_file(ctx.attr.name + ".jks")
 
@@ -70,7 +70,7 @@ java_keystore = rule(
     implementation = _java_keystore_impl,
     toolchains = [
         tar_lib.TOOLCHAIN_TYPE,
-        "@bazel_tools//tools/jdk:runtime_toolchain_type",
+        "@bazel_tools//tools/jdk:toolchain_type",
         "@aspect_bazel_lib//lib:coreutils_toolchain_type",
     ],
 )
diff --git a/distroless/tests/asserts.bzl b/distroless/tests/asserts.bzl
index 23259d3..2b019b4 100644
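Review bot: The comment `# Use a hermetic Java version` above `build --java_runtime_version=remotejdk_17` promises more than that flag delivers for this change: it selects the runtime toolchain in the target configuration, whereas the keytool that `java_keystore` resolves later in this diff (`jdk.java.java_runtime` in distroless/private/java_keystore.bzl) is the runtime attached to the registered `java_toolchain`, which as far as I can tell follows the toolchain definition and `--tool_java_runtime_version`, not this flag. Adding `build --tool_java_runtime_version=remotejdk_17` next to it would pin the tool side as well, and the comment should say what is being pinned and why, e.g. `# Pin the JDK for targets and build tools so keytool output is reproducible`. If the two runtimes are meant to differ, a sentence here saying so would save the next reader the question.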
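Review bot: `_find_keytool` now expects a JavaToolchainInfo (it reads `java.java_runtime.files`) rather than the JavaRuntimeInfo it took before, but nothing at the definition says so, and the old call shape `_find_keytool(jdk.java_runtime)` would presumably fail with a struct-field lookup error rather than a clear message; a docstring fixes that: `"""Return the keytool binary bundled with the runtime of the given JavaToolchainInfo, or fail."""`. The `fail` message could also name the runtime that was searched so a wrong toolchain is diagnosable from the error alone, e.g. `fail("java toolchain runtime {} does not contain keytool.".format(java.java_runtime.java_home))`. `_java_keystore_impl` continues past the end of this hunk.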
--- a/distroless/tests/asserts.bzl
+++ b/distroless/tests/asserts.bzl
@@ -44,7 +44,7 @@ def assert_jks_listing(name, actual, expected):
         cmd = """
 BINS=($(locations @rules_java//toolchains:current_java_runtime))
 KEYTOOL=$$(dirname $${BINS[1]})/keytool
-$$KEYTOOL -list -v -keystore $(location %s) -storepass changeit > $@
+TZ="UTC" $$KEYTOOL -list -keystore $(location %s) -storepass changeit > $@
 """ % actual,
     )
 
diff --git a/examples/java_keystore/BUILD.bazel b/examples/java_keystore/BUILD.bazel
index 7186d63..c7c2fe0 100644
--- a/examples/java_keystore/BUILD.bazel
+++ b/examples/java_keystore/BUILD.bazel
@@ -32,6 +32,6 @@ assert_tar_listing(
 ./etc/ssl time=1672560000.0 mode=755 gid=0 uid=0 type=dir
 ./etc/ssl/certs time=1672560000.0 mode=755 gid=0 uid=0 type=dir
 ./etc/ssl/certs/java time=1672560000.0 mode=755 gid=0 uid=0 type=dir
-./etc/ssl/certs/java/cacerts nlink=0 time=1672560000.0 mode=755 gid=0 uid=0 type=file size=6230 cksum=2439835119 sha1digest=525ab823d4735763050000c0d85d00b401f6ce7f
+./etc/ssl/certs/java/cacerts nlink=0 time=1672560000.0 mode=755 gid=0 uid=0 type=file size=6230 cksum=1520748722 sha1digest=fa7c324a0b750e87dd8c8631be005184fb46e915
 """,
 )
diff --git a/examples/java_keystore/expected.jks.output b/examples/java_keystore/expected.jks.output
index 8e68cb2..2c74123 100644
--- a/examples/java_keystore/expected.jks.output
+++ b/examples/java_keystore/expected.jks.output
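Review bot: After pinning `TZ`, the `-list` output produced by the new `cmd` is still locale-dependent: keytool renders each entry's creation date with the JVM's default locale (the regenerated expected file shows `Nov. 30, 2023`), so the assertion can still differ between machines; `TZ="UTC" $$KEYTOOL -J-Duser.language=en -J-Duser.country=US -list -keystore $(location %s) -storepass changeit > $@` pins both. The creation date itself also moved from Nov. 17 to Nov. 30 between the old and new expected listings, which suggests it is the wall-clock time at which the keystore was built rather than a fixed epoch; if the rule does not pin it, this test and the cacerts `cksum`/`sha1digest` in examples/java_keystore/BUILD.bazel will drift, and if it does, a comment in `cmd` naming the mechanism would answer that question for the next reader. Dropping `-v` also removes validity periods from what is asserted, and the old verbose listing shows one of the example roots (GlobalSign Root CA - R2) valid only until Dec 15 2021, so that expiry is now invisible to the test; consider replacing that root in the example or keeping a separate expiry check. `assert_jks_listing` starts before this hunk.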
@@ -3,252 +3,13 @@ Keystore provider: SUN Your keystore contains 5 entries -Alias name: /c=us/o=amazon/cn=amazonrootca1 -Creation date: Nov. 17, 2023 -Entry type: trustedCertEntry - -Owner: CN=Amazon Root CA 1, O=Amazon, C=US -Issuer: CN=Amazon Root CA 1, O=Amazon, C=US -Serial number: 66c9fcf99bf8c0a39e2f0788a43e696365bca -Valid from: Mon May 25 17:00:00 PDT 2015 until: Sat Jan 16 16:00:00 PST 2038 -Certificate fingerprints: - SHA1: 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16 - SHA256: 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E -Signature algorithm name: SHA256withRSA -Subject Public Key Algorithm: 2048-bit RSA key -Version: 3 - -Extensions: - -#1: ObjectId: 2.5.29.19 Criticality=true -BasicConstraints:[ - CA:true - PathLen: no limit -] - -#2: ObjectId: 2.5.29.15 Criticality=true -KeyUsage [ - DigitalSignature - Key_CertSign - Crl_Sign -] - -#3: ObjectId: 2.5.29.14 Criticality=false -SubjectKeyIdentifier [ -KeyIdentifier [ -0000: 84 18 CC 85 34 EC BC 0C 94 94 2E 08 59 9C C7 B2 ....4.......Y... -0010: 10 4E 0A 08 .N.. -] -] - - - -******************************************* -******************************************* - - -Alias name: /c=us/o=digicertinc/ou=www.digicert.com/cn=digicertassuredidrootca -Creation date: Nov. 
17, 2023 -Entry type: trustedCertEntry - -Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US -Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US -Serial number: ce7e0e517d846fe8fe560fc1bf03039 -Valid from: Thu Nov 09 16:00:00 PST 2006 until: Sun Nov 09 16:00:00 PST 2031 -Certificate fingerprints: - SHA1: 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43 - SHA256: 3E:90:99:B5:01:5E:8F:48:6C:00:BC:EA:9D:11:1E:E7:21:FA:BA:35:5A:89:BC:F1:DF:69:56:1E:3D:C6:32:5C -Signature algorithm name: SHA1withRSA -Subject Public Key Algorithm: 2048-bit RSA key -Version: 3 - -Extensions: - -#1: ObjectId: 2.5.29.35 Criticality=false -AuthorityKeyIdentifier [ -KeyIdentifier [ -0000: 45 EB A2 AF F4 92 CB 82 31 2D 51 8B A7 A7 21 9D E.......1-Q...!. -0010: F3 6D C8 0F .m.. -] -] - -#2: ObjectId: 2.5.29.19 Criticality=true -BasicConstraints:[ - CA:true - PathLen: no limit -] - -#3: ObjectId: 2.5.29.15 Criticality=true -KeyUsage [ - DigitalSignature - Key_CertSign - Crl_Sign -] - -#4: ObjectId: 2.5.29.14 Criticality=false -SubjectKeyIdentifier [ -KeyIdentifier [ -0000: 45 EB A2 AF F4 92 CB 82 31 2D 51 8B A7 A7 21 9D E.......1-Q...!. -0010: F3 6D C8 0F .m.. -] -] - - - -******************************************* -******************************************* - - -Alias name: /c=us/o=verisign,inc./ou=verisigntrustnetwork/ou=(c)2008verisign,inc.-forauthorizeduseonly/cn=verisignuniversalrootcertificationauthority -Creation date: Nov. 17, 2023 -Entry type: trustedCertEntry - -Owner: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US -Issuer: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. 
- For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US -Serial number: 401ac46421b31321030ebbe4121ac51d -Valid from: Tue Apr 01 17:00:00 PDT 2008 until: Tue Dec 01 15:59:59 PST 2037 -Certificate fingerprints: - SHA1: 36:79:CA:35:66:87:72:30:4D:30:A5:FB:87:3B:0F:A7:7B:B7:0D:54 - SHA256: 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C -Signature algorithm name: SHA256withRSA -Subject Public Key Algorithm: 2048-bit RSA key -Version: 3 - -Extensions: - -#1: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false -0000: 30 5F A1 5D A0 5B 30 59 30 57 30 55 16 09 69 6D 0_.].[0Y0W0U..im -0010: 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 05 2B age/gif0!0.0...+ -0020: 0E 03 02 1A 04 14 8F E5 D3 1A 86 AC 8D 8E 6B C3 ..............k. -0030: CF 80 6A D4 48 18 2C 7B 19 2E 30 25 16 23 68 74 ..j.H.,...0%.#ht -0040: 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 73 69 tp://logo.verisi -0050: 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 2E 67 69 gn.com/vslogo.gi -0060: 66 f - - -#2: ObjectId: 2.5.29.19 Criticality=true -BasicConstraints:[ - CA:true - PathLen: no limit -] - -#3: ObjectId: 2.5.29.15 Criticality=true -KeyUsage [ - Key_CertSign - Crl_Sign -] - -#4: ObjectId: 2.5.29.14 Criticality=false -SubjectKeyIdentifier [ -KeyIdentifier [ -0000: B6 77 FA 69 48 47 9F 53 12 D5 C2 EA 07 32 76 07 .w.iHG.S.....2v. -0010: D1 97 07 19 .... -] -] - - - -******************************************* -******************************************* - - -Alias name: /ou=globalsignrootca-r2/o=globalsign/cn=globalsign -Creation date: Nov. 
17, 2023 -Entry type: trustedCertEntry - -Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 -Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 -Serial number: 400000000010f8626e60d -Valid from: Fri Dec 15 00:00:00 PST 2006 until: Wed Dec 15 00:00:00 PST 2021 -Certificate fingerprints: - SHA1: 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE - SHA256: CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E -Signature algorithm name: SHA1withRSA -Subject Public Key Algorithm: 2048-bit RSA key -Version: 3 - -Extensions: - -#1: ObjectId: 2.5.29.35 Criticality=false -AuthorityKeyIdentifier [ -KeyIdentifier [ -0000: 9B E2 07 57 67 1C 1E C0 6A 06 DE 59 B4 9A 2D DF ...Wg...j..Y..-. -0010: DC 19 86 2E .... -] -] - -#2: ObjectId: 2.5.29.19 Criticality=true -BasicConstraints:[ - CA:true - PathLen: no limit -] - -#3: ObjectId: 2.5.29.31 Criticality=false -CRLDistributionPoints [ - [DistributionPoint: - [URIName: http://crl.globalsign.net/root-r2.crl] -]] - -#4: ObjectId: 2.5.29.15 Criticality=true -KeyUsage [ - Key_CertSign - Crl_Sign -] - -#5: ObjectId: 2.5.29.14 Criticality=false -SubjectKeyIdentifier [ -KeyIdentifier [ -0000: 9B E2 07 57 67 1C 1E C0 6A 06 DE 59 B4 9A 2D DF ...Wg...j..Y..-. -0010: DC 19 86 2E .... -] -] - - - -******************************************* -******************************************* - - -Alias name: /ou=globalsignrootca-r3/o=globalsign/cn=globalsign -Creation date: Nov. 
17, 2023 -Entry type: trustedCertEntry - -Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3 -Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3 -Serial number: 4000000000121585308a2 -Valid from: Wed Mar 18 03:00:00 PDT 2009 until: Sun Mar 18 03:00:00 PDT 2029 -Certificate fingerprints: - SHA1: D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD - SHA256: CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B -Signature algorithm name: SHA256withRSA -Subject Public Key Algorithm: 2048-bit RSA key -Version: 3 - -Extensions: - -#1: ObjectId: 2.5.29.19 Criticality=true -BasicConstraints:[ - CA:true - PathLen: no limit -] - -#2: ObjectId: 2.5.29.15 Criticality=true -KeyUsage [ - Key_CertSign - Crl_Sign -] - -#3: ObjectId: 2.5.29.14 Criticality=false -SubjectKeyIdentifier [ -KeyIdentifier [ -0000: 8F F0 4B 7F A8 2E 45 24 AE 4D 50 FA 63 9A 8B DE ..K...E$.MP.c... -0010: E2 DD 1B BC .... -] -] - - - -******************************************* -******************************************* - - +/c=us/o=amazon/cn=amazonrootca1, Nov. 30, 2023, trustedCertEntry, +Certificate fingerprint (SHA-256): 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E +/c=us/o=digicertinc/ou=www.digicert.com/cn=digicertassuredidrootca, Nov. 30, 2023, trustedCertEntry, +Certificate fingerprint (SHA-256): 3E:90:99:B5:01:5E:8F:48:6C:00:BC:EA:9D:11:1E:E7:21:FA:BA:35:5A:89:BC:F1:DF:69:56:1E:3D:C6:32:5C +/c=us/o=verisign,inc./ou=verisigntrustnetwork/ou=(c)2008verisign,inc.-forauthorizeduseonly/cn=verisignuniversalrootcertificationauthority, Nov. 30, 2023, trustedCertEntry, +Certificate fingerprint (SHA-256): 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C +/ou=globalsignrootca-r2/o=globalsign/cn=globalsign, Nov. 
30, 2023, trustedCertEntry, +Certificate fingerprint (SHA-256): CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E +/ou=globalsignrootca-r3/o=globalsign/cn=globalsign, Nov. 30, 2023, trustedCertEntry, +Certificate fingerprint (SHA-256): CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B