Skip to content

Commit

Permalink
refactor: move default truststore passwords to API
Browse files Browse the repository at this point in the history
Signed-off-by: Erik Godding Boye <[email protected]>
  • Loading branch information
erikgb committed Jul 18, 2024
1 parent fb6516a commit a4b8e56
Show file tree
Hide file tree
Showing 6 changed files with 29 additions and 22 deletions.
11 changes: 10 additions & 1 deletion docs/api/api.md
Original file line number Diff line number Diff line change
Expand Up @@ -58,10 +58,19 @@ import "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"

## Constants

<a name="BundleConditionSynced"></a>
<a name="DefaultJKSPassword"></a>

```go
const (
// DefaultJKSPassword is the default password that Java uses; it's a Java convention to use this exact password.
// Since we're not storing anything secret in the JKS files we generate, this password is not a meaningful security measure
// but seems often to be expected by applications consuming JKS files
DefaultJKSPassword = "changeit"
// DefaultPKCS12Password is the empty string, that will create a password-less PKCS12 truststore.
// Password-less PKCS is the new default Java truststore from Java 18.
// By password-less, it means the certificates are not encrypted, and it contains no MacData for integrity check.
DefaultPKCS12Password = ""

// BundleConditionSynced indicates that the Bundle has successfully synced
// all source bundle data to the Bundle target in all Namespaces.
BundleConditionSynced string = "Synced"
Expand Down
9 changes: 9 additions & 0 deletions pkg/apis/trust/v1alpha1/types_bundle.go
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,15 @@ type BundleCondition struct {
}

const (
// DefaultJKSPassword is the default password that Java uses; it's a Java convention to use this exact password.
// Since we're not storing anything secret in the JKS files we generate, this password is not a meaningful security measure
// but seems often to be expected by applications consuming JKS files
DefaultJKSPassword = "changeit"
// DefaultPKCS12Password is the empty string, that will create a password-less PKCS12 truststore.
// Password-less PKCS is the new default Java truststore from Java 18.
// By password-less, it means the certificates are not encrypted, and it contains no MacData for integrity check.
DefaultPKCS12Password = ""

// BundleConditionSynced indicates that the Bundle has successfully synced
// all source bundle data to the Bundle target in all Namespaces.
BundleConditionSynced string = "Synced"
Expand Down
6 changes: 3 additions & 3 deletions pkg/bundle/bundle_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ import (
func testEncodeJKS(t *testing.T, data string) []byte {
t.Helper()

encoded, err := jksEncoder{password: DefaultJKSPassword}.encode(data)
encoded, err := jksEncoder{password: trustapi.DefaultJKSPassword}.encode(data)
if err != nil {
t.Error(err)
}
Expand Down Expand Up @@ -493,7 +493,7 @@ func Test_Reconcile(t *testing.T) {
KeySelector: trustapi.KeySelector{
Key: "target.jks",
},
Password: ptr.To(DefaultJKSPassword),
Password: ptr.To(trustapi.DefaultJKSPassword),
},
}),
)},
Expand Down Expand Up @@ -566,7 +566,7 @@ func Test_Reconcile(t *testing.T) {
KeySelector: trustapi.KeySelector{
Key: "target.jks",
},
Password: ptr.To(DefaultJKSPassword),
Password: ptr.To(trustapi.DefaultJKSPassword),
},
}),
),
Expand Down
11 changes: 0 additions & 11 deletions pkg/bundle/source.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,17 +37,6 @@ import (
"github.com/cert-manager/trust-manager/pkg/util"
)

const (
// DefaultJKSPassword is the default password that Java uses; it's a Java convention to use this exact password.
// Since we're not storing anything secret in the JKS files we generate, this password is not a meaningful security measure
// but seems often to be expected by applications consuming JKS files
DefaultJKSPassword = "changeit"
// DefaultPKCS12Password is the empty string, that will create a password-less PKCS12 truststore.
// Password-less PKCS is the new default Java truststore from Java 18.
// By password-less, it means the certificates are not encrypted, and it contains no MacData for integrity check.
DefaultPKCS12Password = ""
)

type notFoundError struct{ error }

// bundleData holds the result of a call to buildSourceBundle. It contains the resulting PEM-encoded
Expand Down
12 changes: 6 additions & 6 deletions pkg/bundle/source_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -230,7 +230,7 @@ func Test_buildSourceBundle(t *testing.T) {
KeySelector: trustapi.KeySelector{
Key: jksKey,
},
Password: ptr.To(DefaultJKSPassword),
Password: ptr.To(trustapi.DefaultJKSPassword),
},
},
objects: []runtime.Object{&corev1.ConfigMap{
Expand Down Expand Up @@ -269,7 +269,7 @@ func Test_buildSourceBundle(t *testing.T) {
KeySelector: trustapi.KeySelector{
Key: pkcs12Key,
},
Password: ptr.To(DefaultPKCS12Password),
Password: ptr.To(trustapi.DefaultPKCS12Password),
},
},
objects: []runtime.Object{&corev1.ConfigMap{
Expand Down Expand Up @@ -326,14 +326,14 @@ func Test_buildSourceBundle(t *testing.T) {
if test.expPassword != nil {
password = *test.expPassword
} else {
password = DefaultJKSPassword
password = trustapi.DefaultJKSPassword
}
}
if test.expPKCS12 {
if test.expPassword != nil {
password = *test.expPassword
} else {
password = DefaultPKCS12Password
password = trustapi.DefaultPKCS12Password
}
}

Expand Down Expand Up @@ -398,7 +398,7 @@ func Test_encodeJKSAliases(t *testing.T) {
// Using different dummy certs would allow this test to pass but wouldn't actually test anything useful!
bundle := dummy.JoinCerts(dummy.TestCertificate1, dummy.TestCertificate2)

jksFile, err := jksEncoder{password: DefaultJKSPassword}.encode(bundle)
jksFile, err := jksEncoder{password: trustapi.DefaultJKSPassword}.encode(bundle)
if err != nil {
t.Fatalf("didn't expect an error but got: %s", err)
}
Expand All @@ -407,7 +407,7 @@ func Test_encodeJKSAliases(t *testing.T) {

ks := jks.New()

err = ks.Load(reader, []byte(DefaultJKSPassword))
err = ks.Load(reader, []byte(trustapi.DefaultJKSPassword))
if err != nil {
t.Fatalf("failed to parse generated JKS file: %s", err)
}
Expand Down
2 changes: 1 addition & 1 deletion test/integration/bundle/suite.go
Original file line number Diff line number Diff line change
Expand Up @@ -352,7 +352,7 @@ var _ = Describe("Integration", func() {
jksData, exists := configMap.BinaryData["myfile.jks"]
Expect(exists).To(BeTrue(), "should find an entry called myfile.jks")

Expect(testenv.CheckJKSFileSynced(jksData, bundle.DefaultJKSPassword, dummy.DefaultJoinedCerts())).ToNot(HaveOccurred())
Expect(testenv.CheckJKSFileSynced(jksData, trustapi.DefaultJKSPassword, dummy.DefaultJoinedCerts())).ToNot(HaveOccurred())
}
})

Expand Down

0 comments on commit a4b8e56

Please sign in to comment.