Build the provider using JDK 17
pushkarnk committed Dec 16, 2024
1 parent 1b27b5b commit bf2f4e3
Showing 7 changed files with 26 additions and 19 deletions.
8 changes: 7 additions & 1 deletion .github/workflows/maven.yml
Expand Up @@ -24,6 +24,8 @@ jobs:

steps:
- uses: actions/checkout@v4
- name: Set up JDK 17
run: sudo apt-get update && sudo apt-get install -y openjdk-17-jdk-headless
- name: Set up JDK 21
run: sudo apt-get update && sudo apt-get install -y openjdk-21-jdk-headless
- name: Install OpenSSL FIPS
Expand All @@ -38,7 +40,11 @@ jobs:
sudo openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib64/ossl-modules/fips.so
sudo cat /usr/local/ssl/fipsmodule.cnf
sudo cp ${{ github.workspace }}/src/test/conf/openssl.cnf /usr/local/ssl/openssl.cnf
- name: Build with Maven
- name: Build with Maven/JDK 17
env:
JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64/
eun: mvn -B package --file pom.xml
- name: Build with Maven/JDK 21
env:
JAVA_HOME: /usr/lib/jvm/java-21-openjdk-amd64/
run: mvn -B package --file pom.xml
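Review bot: the new "Build with Maven/JDK 17" step spells its command key `eun:` instead of `run:`, so the step has no command and the JDK 17 build this commit is meant to add never executes (the workflow is likely to be rejected as invalid). Change it to `run: mvn -B package --file pom.xml`. Since the JDK 21 step then runs in the same workspace, consider `mvn -B clean package` there so it does not reuse the output of the JDK 17 build.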
1 change: 0 additions & 1 deletion Makefile
Expand Up @@ -15,7 +15,6 @@
#
#

JAVA_HOME := /usr/lib/jvm/java-21-openjdk-amd64/
TOPDIR := $(shell pwd)
BUILD := ${TOPDIR}/build
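Review bot: dropping the hard-coded `JAVA_HOME` at the top of the Makefile means any rule that reads it now depends on the caller's environment, and nothing in this hunk reports an unset value. Either keep an overridable default with `JAVA_HOME ?= /usr/lib/jvm/java-17-openjdk-amd64/` or fail early with a clear message when `JAVA_HOME` is empty.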

10 changes: 5 additions & 5 deletions README.md
@@ -1,5 +1,5 @@
### Introduction
The OpenSSL FIPS Java project is a Java FIPS security provider module layered on top of the [OpenSSL library and its FIPS module](https://docs.openssl.org/3.0/man7/OSSL_PROVIDER-FIPS/). Complying with the [Java Cryptography Architecture](https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html), it implements the Java security SPI classes for security functions including [Deterministic Random Bit Generators](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/SecureRandomSpi.html), [Ciphers](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/crypto/CipherSpi.html), [Key Agreements](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/crypto/KeyAgreementSpi.html), [Key Derivations](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/crypto/SecretKeyFactorySpi.html), [Key Encapsulation](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/crypto/KEMSpi.html), [Message Digests](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/MessageDigest.html#:~:text=Message%20digests%20are%20secure%20one,called%20to%20reset%20the%20digest.), [Message Authentication Codes](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/crypto/Mac.html) and [Signatures](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/Signature.html?source=%3Aso%3Atw%3Aor%3Aawr%3Aosec%3A%2C%3Aso%3Atw%3Aor%3Aawr%3Aosec%3A).
The OpenSSL FIPS Java project is a Java FIPS security provider module layered on top of the [OpenSSL library and its FIPS module](https://docs.openssl.org/3.0/man7/OSSL_PROVIDER-FIPS/). Complying with the [Java Cryptography Architecture](https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html), it implements the Java security SPI classes for security functions including [Deterministic Random Bit Generators](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/SecureRandomSpi.html), [Ciphers](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/CipherSpi.html), [Key Agreements](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/KeyAgreementSpi.html), [Key Derivations](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/SecretKeyFactorySpi.html), [Key Encapsulation](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/KEMSpi.html), [Message Digests](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/MessageDigest.html#:~:text=Message%20digests%20are%20secure%20one,called%20to%20reset%20the%20digest.), [Message Authentication Codes](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/Mac.html) and [Signatures](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/Signature.html?source=%3Aso%3Atw%3Aor%3Aawr%3Aosec%3A%2C%3Aso%3Atw%3Aor%3Aawr%3Aosec%3A).

Under the covers, OpenSSL FIPS Java is quite tightly coupled with OpenSSL through the [Java Native Interface](https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/intro.html) and the [OpenSSL EVP API](https://docs.openssl.org/3.3/man7/evp/). Only FIPS-approved algorithms, offered by the OpenSSL FIPS module are registered with this provider. The binaries produced from this source should be generally considered FIPS-compliant if the underlying OpenSSL module is FIPS 140-2/140-3 certified.
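Review bot: the bulk rewrite of the Javadoc links from `javase/21` to `javase/17` also changed the Key Encapsulation link to `.../javase/17/docs/api/java.base/javax/crypto/KEMSpi.html`, but `javax.crypto.KEMSpi` was only added in JDK 21, so that URL has no page behind it. Keep that one link on the 21 docs, and say in the introduction whether Key Encapsulation is still provided when the provider is built for 17.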

Expand Down Expand Up @@ -48,17 +48,17 @@ base = base_sect
[algorithm_sect]
default_properties = fips=yes
```
#### Install OpenJDK v21
This project needs OpenJDK 21 or a later release of it. On Ubuntu/Debian systems, you may install the OpenJDK from the archive.
#### Install OpenJDK v17
This project needs OpenJDK 17 or a later release of it. On Ubuntu/Debian systems, you may install the OpenJDK from the archive.
```
sudo apt update
sudo apt install openjdk-21-jdk-headless
sudo apt install openjdk-17-jdk-headless
```
#### Clone the project, build and test
This set of commands may be used on Ubuntu/Debian systems.
```
git clone https://github.com/canonical/openssl-fips-java && cd openssl-fips-java
export JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64/
export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64/
export OPENSSL_MODULES=/usr/local/lib64/ossl-modules
mvn -B package --file pom.xml
```
10 changes: 5 additions & 5 deletions pom.xml
Expand Up @@ -26,8 +26,8 @@
<version>0.0.1</version>

<properties>
<maven.compiler.source>21</maven.compiler.source>
<maven.compiler.target>21</maven.compiler.target>
<maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>

Expand Down Expand Up @@ -58,9 +58,9 @@
<artifactId>maven-compiler-plugin</artifactId>
<version>3.13.0</version>
<configuration>
<source>21</source>
<target>21</target>
<release>21</release>
<source>17</source>
<target>17</target>
<release>17</release>
</configuration>
</plugin>
<!-- Jar Plugin -->
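Review bot: in the maven-compiler-plugin configuration, `<release>17</release>` already fixes the source level, target level and API, so the `<source>` and `<target>` entries beside it are redundant, and the same number is repeated again in the `maven.compiler.*` properties. Define it once, for example a single `maven.compiler.release` property, so the next version change touches one line.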
2 changes: 1 addition & 1 deletion snapcraft.yaml
Expand Up @@ -16,7 +16,7 @@ parts:
maven-parameters:
- -DskipTests=true -DskipGenerateTestResources=true -B package --file pom.xml
build-packages:
- openjdk-21-jdk
- openjdk-17-jdk-headless
- maven
- libssl-dev

Expand Up @@ -36,7 +36,6 @@ public static synchronized void load() {
InputStream in = NativeLibraryLoader.class.getResourceAsStream(location + libFileName);

File tempFile = Files.createFile(Paths.get("/tmp/" + libFileName)).toFile();
tempFile.deleteOnExit();

try (FileOutputStream out = new FileOutputStream(tempFile)) {
byte[] buffer = new byte[1024];
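Review bot: with `tempFile.deleteOnExit()` removed, the file created by `Files.createFile(Paths.get("/tmp/" + libFileName))` has no cleanup registered while it is being written, and because `createFile` throws when the path already exists, a leftover or pre-created file with that fixed name in /tmp makes every later `load()` fail. Use `Files.createTempFile` with a unique name and owner-only permissions, or keep `deleteOnExit()` as a fallback alongside the explicit delete.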
Expand All @@ -48,6 +47,8 @@ public static synchronized void load() {

System.load(tempFile.getAbsolutePath());
loaded = true;

tempFile.delete();
} catch (Exception e) {
throw new RuntimeException("Failed to load native libary " + libFileName + ": " + e);
}
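Review bot: `tempFile.delete()` sits after `System.load(...)` inside the try, so it is skipped whenever the copy or the load throws, and its boolean result is ignored. Move the delete into a `finally` block (and log or handle a `false` return) so a failed load does not leave the native library behind in /tmp.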
11 changes: 6 additions & 5 deletions src/main/native/c/init.c
Original file line number Diff line number Diff line change
Expand Up @@ -66,10 +66,11 @@ OSSL_LIB_CTX* load_openssl_base_provider(const char* conf_file_path) {

int JNI_OnLoad(JavaVM* vm, void *reserved) {
const char *default_cnf = "/usr/local/ssl/openssl.cnf";
char *cnf = getenv("OPENSSL_CUSTOM_CONF");
if (cnf == NULL) {
cnf = default_cnf;
const char *custom_cnf = getenv("OPENSSL_CUSTOM_CONF");
if (custom_cnf != NULL) {
global_libctx = load_openssl_fips_provider(custom_cnf);
} else {
global_libctx = load_openssl_fips_provider(default_cnf);
}
global_libctx = load_openssl_fips_provider(cnf);
return JNI_VERSION_21;
return JNI_VERSION_10;
}
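Review bot: in `JNI_OnLoad`, the value returned by `load_openssl_fips_provider(...)` is stored in `global_libctx` and the function then returns `JNI_VERSION_10` unconditionally, on both the `OPENSSL_CUSTOM_CONF` and the default path. If that call can return NULL, the library still loads, and later OpenSSL calls given a NULL context would use the default library context rather than the FIPS one. Check `global_libctx` and return `JNI_ERR` on failure; the two branches can also collapse to one call by selecting the path first.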
