Refactor CertUtils. Support ECDSA and PrivateKey. by KostyaSha · Pull Request #529 · docker-java/docker-java

KostyaSha · 2016-03-27T21:41:28Z

Fix from docker-java 2.1.1 bug PrivateKeyInfo cannot be cast to PEMKeyPair #441 without tests.
My Ecdsa fix that is covered with tests, but they neet to be ported from https://github.com/KostyaSha/yet-another-docker-plugin/tree/master/yet-another-docker-its
methods more flexible for other use cases
try-with-resources

This change is

codecov-io · 2016-03-27T21:44:36Z

Current coverage is `23.11%`

Merging #529 into master will decrease coverage by -0.02% as of 64f1176

@@            master    #529   diff @@
======================================
  Files          295     295       
  Stmts         6102    6112    +10
  Branches       530     537     +7
  Methods          0       0       
======================================
+ Hit           1412    1413     +1
  Partial         83      83       
- Missed        4607    4616     +9

Review entire Coverage Diff as of 64f1176

Powered by Codecov. Updated on successful CI builds.

KostyaSha · 2016-03-29T19:32:40Z

@marcuslinke could you review?

marcuslinke · 2016-03-30T05:13:39Z

@KostyaSha LGTM 👍

KostyaSha · 2016-03-30T11:12:30Z

@marcuslinke how do you handle certs? I have shell scripts that generates server/client certs, but they should be tied to some hostname/address. I used 192.168.99.100 for my docker-machine but it not ideal.
It should be possible generate certs during container build and then attach volume to DIND + fetch client file from this DND and then try execute connection. Would it be right way?

marcuslinke · 2016-03-30T20:40:43Z

@KostyaSha Currently I manage IP/certs manually in my local ~/.docker-java.properties. So when IP of docker-machine VM changes I have to modify it. So it looks something like this currently:

DOCKER_HOST=tcp://192.168.99.102:2376
DOCKER_CERT_PATH=/Users/marcus/.docker/machine/machines/docker-1.10.2

#DOCKER_HOST=tcp://192.168.99.105:2376
#DOCKER_CERT_PATH=/Users/marcus/.docker/machine/machines/docker-1.8.1

#DOCKER_HOST=tcp://192.168.99.106:2376
#DOCKER_CERT_PATH=/Users/marcus/.docker/machine/machines/docker-1.9.1

However when working with DIND we need to generate certs that are tied to the current DOCKER_HOST ip, right? This could be done when starting the DIND container I think. After that we could copy them via https://docs.docker.com/engine/reference/api/docker_remote_api_v1.22/#get-an-archive-of-a-filesystem-resource-in-a-container to our local java env. WDYT?

KostyaSha · 2016-03-30T20:44:30Z

First of all i found that openssl tool may differ, so we should run generation in reproducible env.
Host would be hostname from outer dockerClient connection (i like @JunitRule/@ExternalResource instead of abstract subclasses).

dind easily runs, but i don't remember about port in cert validability... I could tre reimplement my tests.

KostyaSha · 2016-05-26T15:05:28Z

And this wouldn't work because netty uses sslcontext now?

KostyaSha · 2016-05-26T15:24:13Z

Found, it wrapped now.. Maybe let's merge without tests? Too much time left...

KostyaSha · 2016-06-06T21:54:42Z

@marcuslinke let's merge? This should fix user issues.

marcuslinke · 2016-06-07T20:38:53Z

src/main/java/com/github/dockerjava/core/util/CertificateUtils.java

            InvalidKeySpecException, IOException, CertificateException, KeyStoreException {
-        KeyPair keyPair = loadPrivateKey(dockerCertPath);
-        List<Certificate> privateCertificates = loadCertificates(dockerCertPath);
+        return createKeyStore("key.pem", "cert.pem");


dockerCertPath is ignored completely here.

Trying to fix locally

Smells like i missed this wrapper when refactored methods to be reusable for non-file based usage.
Could you fix or should i?

i guess it should just load files into string, or pass streams and everything would work

Tried to load into strings but I ended with a javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

maybe ca.cert is missing?

call to createTrustStore...

Right, had a typo there. Now it seems to work.

Refactor CertUtils. Support ECDSA and PrivateKey.

9639cb7

marcuslinke reviewed Jun 7, 2016
View reviewed changes

marcuslinke merged commit 9639cb7 into docker-java:master Jun 7, 2016

marcuslinke mentioned this pull request Jun 9, 2016

Issues with Elliptic Curve (ECDSA) TLS client keys. #440

Closed

KostyaSha added the type/enhancement label Jun 13, 2016

KostyaSha added this to the 3.0.1 milestone Jun 13, 2016

KostyaSha self-assigned this Jun 13, 2016

Conversation

KostyaSha commented Mar 27, 2016

Uh oh!

codecov-io commented Mar 27, 2016

Current coverage is 23.11%

Uh oh!

KostyaSha commented Mar 29, 2016

Uh oh!

marcuslinke commented Mar 30, 2016

Uh oh!

KostyaSha commented Mar 30, 2016

Uh oh!

marcuslinke commented Mar 30, 2016

Uh oh!

KostyaSha commented Mar 30, 2016

Uh oh!

KostyaSha commented May 26, 2016

Uh oh!

KostyaSha commented May 26, 2016

Uh oh!

KostyaSha commented Jun 6, 2016

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Current coverage is `23.11%`