Build the provider using JDK 17

.github/workflows/maven.yml

@@ -24,8 +24,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
-    - name: Set up JDK 21
-      run: sudo apt-get update && sudo apt-get install -y openjdk-21-jdk-headless
+    - name: Set up JDK 17
+      run: sudo apt-get update && sudo apt-get install -y openjdk-17-jdk-headless
     - name: Install OpenSSL FIPS
       run: |
         git clone https://github.com/openssl/openssl && cd openssl
@@ -38,9 +38,9 @@ jobs:
         sudo openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib64/ossl-modules/fips.so
         sudo cat /usr/local/ssl/fipsmodule.cnf
         sudo cp ${{ github.workspace }}/src/test/conf/openssl.cnf /usr/local/ssl/openssl.cnf
-    - name: Build with Maven
+    - name: Build with Maven/JDK 17
       env:
-        JAVA_HOME: /usr/lib/jvm/java-21-openjdk-amd64/
+        JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64/
       run: mvn -B package --file pom.xml
     - name: Upload logfile
       uses: actions/upload-artifact@v4

Makefile

@@ -15,7 +15,6 @@
 #
 #
 
-JAVA_HOME := /usr/lib/jvm/java-21-openjdk-amd64/
 TOPDIR    := $(shell pwd)
 BUILD     := ${TOPDIR}/build
 

README.md

@@ -1,5 +1,5 @@
 ### Introduction
-The OpenSSL FIPS Java project is a Java FIPS security provider module layered on top of the [OpenSSL library and its FIPS module](https://docs.openssl.org/3.0/man7/OSSL_PROVIDER-FIPS/). Complying with the [Java Cryptography Architecture](https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html), it implements the Java security SPI classes for security functions including [Deterministic Random Bit Generators](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/SecureRandomSpi.html), [Ciphers](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/crypto/CipherSpi.html), [Key Agreements](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/crypto/KeyAgreementSpi.html), [Key Derivations](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/crypto/SecretKeyFactorySpi.html), [Key Encapsulation](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/crypto/KEMSpi.html), [Message Digests](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/MessageDigest.html#:~:text=Message%20digests%20are%20secure%20one,called%20to%20reset%20the%20digest.), [Message Authentication Codes](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/crypto/Mac.html) and [Signatures](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/Signature.html?source=%3Aso%3Atw%3Aor%3Aawr%3Aosec%3A%2C%3Aso%3Atw%3Aor%3Aawr%3Aosec%3A).
+The OpenSSL FIPS Java project is a Java FIPS security provider module layered on top of the [OpenSSL library and its FIPS module](https://docs.openssl.org/3.0/man7/OSSL_PROVIDER-FIPS/). Complying with the [Java Cryptography Architecture](https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html), it implements the Java security SPI classes for security functions including [Deterministic Random Bit Generators](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/SecureRandomSpi.html), [Ciphers](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/CipherSpi.html), [Key Agreements](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/KeyAgreementSpi.html), [Key Derivations](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/SecretKeyFactorySpi.html), [Key Encapsulation](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/KEMSpi.html), [Message Digests](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/MessageDigest.html#:~:text=Message%20digests%20are%20secure%20one,called%20to%20reset%20the%20digest.), [Message Authentication Codes](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/Mac.html) and [Signatures](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/Signature.html?source=%3Aso%3Atw%3Aor%3Aawr%3Aosec%3A%2C%3Aso%3Atw%3Aor%3Aawr%3Aosec%3A).
 
 Under the covers, OpenSSL FIPS Java is quite tightly coupled with OpenSSL through the [Java Native Interface](https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/intro.html) and the [OpenSSL EVP API](https://docs.openssl.org/3.3/man7/evp/). Only FIPS-approved algorithms, offered by the OpenSSL FIPS module are registered with this provider. The binaries produced from this source should be generally considered FIPS-compliant if the underlying OpenSSL module is FIPS 140-2/140-3 certified.
 
@@ -48,17 +48,17 @@ base = base_sect
 [algorithm_sect]
 default_properties = fips=yes
 ```
-#### Install OpenJDK v21
-This project needs OpenJDK 21 or a later release of it. On Ubuntu/Debian systems, you may install the OpenJDK from the archive.
+#### Install OpenJDK v17
+This project needs OpenJDK 17 or a later release of it. On Ubuntu/Debian systems, you may install the OpenJDK from the archive.
 ```
 sudo apt update
-sudo apt install openjdk-21-jdk-headless
+sudo apt install openjdk-17-jdk-headless
 ```
 #### Clone the project, build and test
 This set of commands may be used on Ubuntu/Debian systems.
 ```
 git clone https://github.com/canonical/openssl-fips-java && cd openssl-fips-java
-export JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64/
+export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64/
 export OPENSSL_MODULES=/usr/local/lib64/ossl-modules
 mvn -B package --file pom.xml
 ```

pom.xml

@@ -26,8 +26,8 @@
     <version>0.0.1</version>
 
     <properties>
-        <maven.compiler.source>21</maven.compiler.source>
-        <maven.compiler.target>21</maven.compiler.target>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
 
@@ -58,9 +58,9 @@
                 <artifactId>maven-compiler-plugin</artifactId>
                 <version>3.13.0</version>
                 <configuration>
-                    <source>21</source>
-                    <target>21</target>
-                    <release>21</release>
+                    <source>17</source>
+                    <target>17</target>
+                    <release>17</release>
                 </configuration>
             </plugin>
             <!-- Jar Plugin -->

snapcraft.yaml

@@ -15,8 +15,10 @@ parts:
     source: .
     maven-parameters:
       - -DskipTests=true -DskipGenerateTestResources=true -B package --file pom.xml
+    build-environment:
+      - JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
     build-packages:
-      - openjdk-21-jdk
+      - openjdk-17-jdk-headless
       - maven
       - libssl-dev
 

src/main/java/com/canonical/openssl/util/NativeLibraryLoader.java

@@ -36,7 +36,6 @@ public static synchronized void load() {
             InputStream in = NativeLibraryLoader.class.getResourceAsStream(location + libFileName);
 
             File tempFile = Files.createFile(Paths.get("/tmp/" + libFileName)).toFile();
-            tempFile.deleteOnExit();
 
             try (FileOutputStream out = new FileOutputStream(tempFile)) {
                 byte[] buffer = new byte[1024];
@@ -48,6 +47,8 @@ public static synchronized void load() {
 
             System.load(tempFile.getAbsolutePath());
             loaded = true;
+
+            tempFile.delete();
         } catch (Exception e) {
             throw new RuntimeException("Failed to load native libary " + libFileName + ": " + e);
         }

src/main/native/c/init.c

@@ -66,10 +66,11 @@ OSSL_LIB_CTX* load_openssl_base_provider(const char* conf_file_path) {
 
 int JNI_OnLoad(JavaVM* vm, void *reserved) {
     const char *default_cnf = "/usr/local/ssl/openssl.cnf";
-    char *cnf = getenv("OPENSSL_CUSTOM_CONF");
-    if (cnf == NULL) {
-        cnf = default_cnf;
+    const char *custom_cnf = getenv("OPENSSL_CUSTOM_CONF");
+    if (custom_cnf != NULL) {
+        global_libctx = load_openssl_fips_provider(custom_cnf);
+    } else {
+        global_libctx = load_openssl_fips_provider(default_cnf);
     }
-    global_libctx = load_openssl_fips_provider(cnf);
-    return JNI_VERSION_21;
+    return JNI_VERSION_10;
 }