


opencode cd2f1de610 Use X509ExtendedTrustManager to avoid JDK AlgorithmChecker constraints
Netty 4.2.15 fixed CVE-2026-50010 by removing the silent wrapping of
plain X509TrustManager in X509ExtendedTrustManager. When a plain
X509TrustManager is used, the JDK wraps it in AbstractTrustManagerWrapper
and runs TrustManagerImpl.checkTrusted() with AlgorithmChecker before
calling the custom trust manager.

This caused client certificates signed with SHA3-512withECDSA to be
rejected even though they are not explicitly blacklisted in java.security,
because the JDK's internal PKIX validator applies stricter constraints.

Because our custom trust managers now implement X509ExtendedTrustManager
directly, the JDK invokes their 3-arg methods and bypasses its internal
TrustManagerImpl, restoring the pre-4.2.15 behavior in which only our
custom PKIX validation runs.

Files changed:
- rbcs-common/RBCS.kt: getTrustManager() returns X509ExtendedTrustManager
- rbcs-client/RemoteBuildCacheClient.kt: trust-all manager uses X509ExtendedTrustManager
2026-06-12 00:29:46 +00:00
woggioni cdd4f7bd04 tmp
CI / build (push) Successful in 2m22s
2026-06-12 00:27:52 +08:00
woggioni b4a97845ca tmp
CI / build (push) Failing after 1m26s
2026-06-09 22:32:40 +08:00
5 changed files with 8 additions and 25 deletions
-6
@@ -28,7 +28,6 @@ jobs:
with:
builder: "multiplatform-builder"
context: "docker/build/docker"
build-args: VERSION=${{ steps.retrieve-version.outputs.VERSION }},REVISION=${{ github.sha }}
platforms: linux/amd64,linux/arm64
push: true
pull: true
@@ -42,7 +41,6 @@ jobs:
with:
builder: "multiplatform-builder"
context: "docker/build/docker"
build-args: VERSION=${{ steps.retrieve-version.outputs.VERSION }},REVISION=${{ github.sha }}
platforms: linux/amd64,linux/arm64
push: true
pull: true
@@ -56,7 +54,6 @@ jobs:
with:
builder: "multiplatform-builder"
context: "docker/build/docker"
build-args: VERSION=${{ steps.retrieve-version.outputs.VERSION }},REVISION=${{ github.sha }}
platforms: linux/amd64,linux/arm64
push: true
pull: true
@@ -70,7 +67,6 @@ jobs:
with:
builder: "multiplatform-builder"
context: "docker/build/docker"
build-args: VERSION=${{ steps.retrieve-version.outputs.VERSION }},REVISION=${{ github.sha }}
platforms: linux/amd64,linux/arm64
push: true
pull: true
@@ -84,7 +80,6 @@ jobs:
with:
builder: "multiplatform-builder"
context: "docker/build/docker"
build-args: VERSION=${{ steps.retrieve-version.outputs.VERSION }},REVISION=${{ github.sha }}
platforms: linux/amd64
push: true
pull: true
@@ -98,7 +93,6 @@ jobs:
with:
builder: "multiplatform-builder"
context: "docker/build/docker"
build-args: VERSION=${{ steps.retrieve-version.outputs.VERSION }},REVISION=${{ github.sha }}
platforms: linux/amd64
push: true
pull: true
-18
@@ -1,25 +1,15 @@
ARG VERSION, REVISION
FROM eclipse-temurin:25-jre-alpine AS base-release
LABEL org.opencontainers.image.authors="Walter Oggioni <walter.oggioni@agentmail.to>"
LABEL org.opencontainers.image.version="${VERSION}"
LABEL org.opencontainers.image.revision="${REVISION}"
LABEL org.opencontainers.image.source=https://gitea.woggioni.net/woggioni/rbcs
RUN adduser -D rbcs
USER rbcs
ENV RBCS_CONFIGURATION_DIR="/etc/rbcs"
WORKDIR /var/lib/rbcs
FROM base-release AS release-vanilla
LABEL org.opencontainers.image.title=rbcs
LABEL org.opencontainers.image.description=RBCS vanilla image
ADD rbcs-cli-envelope-*.jar rbcs.jar
ADD logback.xml /etc/rbcs/logback.xml
ENTRYPOINT ["java", "-jar", "/var/lib/rbcs/rbcs.jar"]
FROM base-release AS release-memcache
LABEL org.opencontainers.image.title=rbcs-memcache
LABEL org.opencontainers.image.description=RBCS image with memcache plugin
ADD --chown=rbcs:rbcs rbcs-cli-envelope-*.jar rbcs.jar
RUN mkdir plugins
WORKDIR /var/lib/rbcs/plugins
@@ -29,8 +19,6 @@ ADD logback.xml /etc/rbcs/logback.xml
ENTRYPOINT ["java", "-jar", "/var/lib/rbcs/rbcs.jar"]
FROM base-release AS release-redis
LABEL org.opencontainers.image.title=rbcs-redis
LABEL org.opencontainers.image.description=RBCS image with redis plugin
ADD --chown=rbcs:rbcs rbcs-cli-envelope-*.jar rbcs.jar
RUN mkdir plugins
WORKDIR /var/lib/rbcs/plugins
@@ -40,8 +28,6 @@ ADD logback.xml /etc/rbcs/logback.xml
ENTRYPOINT ["java", "-jar", "/var/lib/rbcs/rbcs.jar"]
FROM base-release AS release-full
LABEL org.opencontainers.image.title=rbcs-full
LABEL org.opencontainers.image.description=RBCS image with all plugins
ADD --chown=rbcs:rbcs rbcs-cli-envelope-*.jar rbcs.jar
RUN mkdir plugins
WORKDIR /var/lib/rbcs/plugins
@@ -59,8 +45,6 @@ RUN adduser -D -u 1000 rbcs -h /var/lib/rbcs
RUN chown rbcs:rbcs /var/tmp/rbcs
FROM scratch AS release-native
LABEL org.opencontainers.image.title=rbcs-native
LABEL org.opencontainers.image.description=RBCS image with a native executable with GraalVM
COPY --from=base-native /etc/passwd /etc/passwd
COPY --from=base-native /etc/rbcs /etc/rbcs
COPY --from=base-native /var/lib/rbcs /var/lib/rbcs
@@ -73,8 +57,6 @@ ENV RBCS_CONFIGURATION_DIR="/etc/rbcs"
ENTRYPOINT ["/usr/bin/rbcs-cli", "-XX:MaximumHeapSizePercent=70", "-Dio.netty.tmpdir=/var/tmp/rbcs", "-Dlogback.configurationFile=/etc/rbcs/logback.xml"]
FROM debian:12-slim AS release-jlink
LABEL org.opencontainers.image.title=rbcs-jlink
LABEL org.opencontainers.image.description=RBCS image with a jlink distribution
RUN mkdir -p /usr/share/java/rbcs
RUN --mount=type=bind,source=.,target=/build/distributions tar -xf /build/distributions/rbcs-cli*.tar -C /usr/share/java/rbcs
RUN chmod 755 /usr/share/java/rbcs/bin/*
@@ -2,7 +2,7 @@ Args=-O3 \
-march=x86-64-v3 \
--gc=serial \
--enable-url-protocols=jpms \
--pgo=conf/default.iprof \
--pgo=native-image/default.iprof \
--initialize-at-run-time=io.netty \
--initialize-at-build-time=net.woggioni.rbcs.common.RbcsUrlStreamHandlerFactory,net.woggioni.rbcs.common.RbcsUrlStreamHandlerFactory$JpmsHandler \
--trace-object-instantiation=ch.qos.logback.classic.Logger \
+7
@@ -1,5 +1,12 @@
pluginManagement {
repositories {
// mavenLocal {
// content {
// includeGroup 'net.woggioni.gradle'
// includeGroup 'net.woggioni.gradle.lombok'
// includeGroup 'net.woggioni.gradle.finalguard'
// }
// }
maven {
url = getProperty('gitea.maven.url')
}