6 changes: 3 additions & 3 deletions build.ps1
@@ -112,11 +112,11 @@ try {
if (!$Tag) {
if ($env:GITHUB_ACTIONS -eq "true") {
$ImageNameWithTag = "$DockerOrg/${Name}:$Version"
$Revision = Get-Content (Join-Path $ImageDirectory "metadata" "IMAGE_REVISION")
if ($Revision) {
$Revision = (Get-Content (Join-Path $ImageDirectory "metadata" "IMAGE_REVISION") -ErrorAction SilentlyContinue | ForEach-Object { $_.Trim() }) -join ""
if ($Revision -and $Revision -ne "") {
$ImageNameWithTag += "-$Revision"
}
$AdditionalTags = "$(Get-Content (Join-Path $ImageDirectory "metadata" "ADDITIONAL_TAGS") | ForEach-Object { $_.replace("$Name","$DockerOrg/$Name") })"
$AdditionalTags = "$(Get-Content (Join-Path $ImageDirectory "metadata" "ADDITIONAL_TAGS") -ErrorAction SilentlyContinue | ForEach-Object { $_.replace("$Name","$DockerOrg/$Name") })"
}
else {
$ImageNameWithTag = "$DockerOrg/${Name}:dev"
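Review bot: Adding `-ErrorAction SilentlyContinue` to both `Get-Content` calls makes a missing or unreadable `IMAGE_REVISION` or `ADDITIONAL_TAGS` file indistinguishable from an empty one, so in the `GITHUB_ACTIONS` branch the image is named plain `$DockerOrg/${Name}:$Version` with nothing in the build log to show the revision was dropped; if that name is later pushed, it may replace an earlier image published under the same tag. Keep the tolerant read but make the absence visible, for example `if (-not $Revision) { Write-Warning "No IMAGE_REVISION for $Name; tagging without a revision suffix" }`, and consider rejecting a revision that is not a valid tag fragment before it is appended. The `-and $Revision -ne ""` half of the new condition is redundant, because an empty string is already false in PowerShell. The enclosing `try` and `if (!$Tag)` blocks start or end outside this hunk.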
33 changes: 20 additions & 13 deletions shared/ssl-config/SslTrustConfiguration.java
@@ -80,27 +80,34 @@ public void checkServerTrusted(X509Certificate[] chain, String authType) throws
logger.debug("Default trust validation failed, checking development certificates...");
for (X509Certificate cert : chain) {
X500Principal certSubject = cert.getSubjectX500Principal();
X500Principal certIssuer = cert.getIssuerX500Principal();
logger.trace("Checking certificate: {}", certSubject);

// Check if this certificate matches or is signed by a dev cert
for (X509Certificate devCert : devCerts) {
X500Principal devCertSubject = devCert.getSubjectX500Principal();
X500Principal devCertIssuer = devCert.getIssuerX500Principal();

// Check if certificate matches dev cert (same serial/issuer or exact match)
if (cert.getSerialNumber().equals(devCert.getSerialNumber()) ||
certIssuer.equals(devCertIssuer) ||
cert.equals(devCert)) {
logger.debug("Trusting certificate signed by development CA: {}", certSubject);
return; // Trusted by development CA
// First check for exact match
if (cert.equals(devCert)) {
logger.debug("Trusting certificate (exact match with development cert): {}", certSubject);
return;
}

// Check if this certificate's issuer matches a dev cert's subject
// (meaning the dev cert is the CA that signed this cert)
if (certIssuer.equals(devCertSubject)) {
// Then verify cryptographic signature
// Only trust certs signed by dev CAs if the dev cert is actually a CA
try {
// Check if dev cert has CA basic constraints
boolean isCA = devCert.getBasicConstraints() != -1;
if (!isCA) {
logger.trace("Development cert is not a CA, skipping signature verification: {}", devCert.getSubjectX500Principal());
continue;
}

// Verify that the cert was signed by the dev cert
cert.verify(devCert.getPublicKey());
logger.debug("Trusting certificate signed by development CA: {}", certSubject);
return; // Trusted by development CA
} catch (Exception verifyException) {
// Signature verification failed, continue checking other dev certs
logger.trace("Signature verification failed for cert {} with dev cert {}: {}",
certSubject, devCert.getSubjectX500Principal(), verifyException.getMessage());
}
}
}
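Review bot: The fallback still returns as soon as any element of `chain` satisfies a check, rather than the leaf `chain[0]`, and it never verifies that the elements of `chain` link to one another. A development certificate is not secret, so its mere presence somewhere in the presented chain (the `cert.equals(devCert)` branch) says nothing about the key the peer actually holds. The new code also never calls `checkValidity()`, so an expired development CA or leaf is accepted, and `catch (Exception verifyException)` is broader than the `GeneralSecurityException` family that `verify` can raise. I would replace the hand-rolled issuer/signature loop with a PKIX path validation anchored on the CA-capable development certificates, keeping an exact-match pin for the leaf only, as sketched below. `checkServerTrusted` begins before this hunk and continues after it, so what happens once the loops finish is not visible here.

```java
// … unchanged: default trust validation fails, debug log …
X509Certificate leaf = chain[0];
Set<TrustAnchor> devAnchors = new HashSet<>();
for (X509Certificate devCert : devCerts) {
    if (leaf.equals(devCert)) {
        // Pinned development certificate presented as the leaf itself
        leaf.checkValidity();
        logger.debug("Trusting certificate (exact match with development cert): {}",
                leaf.getSubjectX500Principal());
        return;
    }
    // Only CA-capable development certs may anchor a path
    if (devCert.getBasicConstraints() != -1) {
        devAnchors.add(new TrustAnchor(devCert, null));
    }
}
try {
    PKIXParameters params = new PKIXParameters(devAnchors);
    // assumes development CAs publish no CRL/OCSP; confirm before keeping this off
    params.setRevocationEnabled(false);
    CertPath path = CertificateFactory.getInstance("X.509")
            .generateCertPath(Arrays.asList(chain));
    // Checks signatures, validity dates and basic constraints along the whole path
    CertPathValidator.getInstance("PKIX").validate(path, params);
    logger.debug("Trusting certificate signed by development CA: {}",
            leaf.getSubjectX500Principal());
    return;
} catch (GeneralSecurityException pathException) {
    logger.trace("Development trust validation failed for {}: {}",
            leaf.getSubjectX500Principal(), pathException.getMessage());
}
// … unchanged: code after the loops (outside this hunk) …
```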