openjdk-8: build with SunPKCS11 provider enabled #24059

Merged: 1 commit, Jul 17, 2024

xnox (Contributor) commented Jul 16, 2024

Currently SunPKCS11 provider is enabled in jdk 11..22, but not 8.

Pass configure option to include SunPKCS11 on jdk 8 as well.

2024/07/17 00:58:15 INFO checking whether to enable the PKCS11 crypto provider using NSS... enabled by default (edit java.security to disable)
2024/07/17 00:58:15 INFO checking for nss... yes
# diff -u /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/java.security /work/packages/x86_64/java.security 
--- /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/java.security
+++ /work/packages/x86_64/java.security
@@ -74,10 +74,7 @@
 security.provider.7=com.sun.security.sasl.Provider
 security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
 security.provider.9=sun.security.smartcardio.SunPCSC
-# the NSS security provider was not enabled for this build; it can be enabled
-# if NSS (libnss3) is available on the machine. The nss.cfg file may need
-# editing to reflect the location of the NSS installation.
-#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
+security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
 
 #
 # Sun Provider SecureRandom seed source.
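Review bot: the comment block removed above `security.provider.10` was the only place in this file stating that the provider needs NSS (libnss3) on the machine and that nss.cfg may need editing. With the provider line now active, that becomes a runtime requirement, while the commit message mentions only build-time dependencies. Suggest keeping a one-line comment above the provider line that names the libnss3 requirement, and confirming the package declares NSS as a runtime dependency so the provider can load in images that install only the JRE.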
# diff /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/nss.cfg /work/packages/x86_64/nss.cfg 
--- /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/nss.cfg
+++ /work/packages/x86_64/nss.cfg
@@ -1,5 +1,5 @@
 name = NSS
-nssLibraryDirectory = 
+nssLibraryDirectory = /usr/lib
 nssDbMode = noDb
 attributes = compatibility
 handleStartupErrors = ignoreMultipleInitialisation
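Review bot: `nssLibraryDirectory = /usr/lib` is a fixed path, and the diff shown covers only the x86_64 package (`/work/packages/x86_64/nss.cfg`). It is worth confirming that the value is correct for every architecture the package builds for and that it matches where the NSS package installs its libraries. The unchanged `handleStartupErrors = ignoreMultipleInitialisation` line, going by its name, covers repeated initialisation and not a missing library, so a wrong directory would still surface as a provider startup error; a package test that instantiates the provider would catch it.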

This corrects java.security & nss.cfg files.

xnox force-pushed the openjdk-nss branch 3 times, most recently from f688fdd to dc9e441, July 16, 2024 22:12

xnox (Contributor, Author) commented Jul 17, 2024

$ for i in 8 11 17 21 22; do docker run -ti --entrypoint sh cgr.dev/chainguard-private/jdk:openjdk-$i-dev -c "echo jdk-$i; find /usr/lib -name java.security 2>/dev/null| xargs grep SunPKCS11"; done
jdk-8
#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
jdk-11
security.provider.12=SunPKCS11
jdk-17
security.provider.12=SunPKCS11
jdk-21
security.provider.12=SunPKCS11
jdk-22
security.provider.12=SunPKCS11

Actually only jdk-8 is out of line.
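
A stricter form of the check above, added here as an example and not part of the PR: the grep output also lists the commented-out jdk-8 line, so this script counts only uncommented provider lines and, for the JDK 8 form, confirms that nss.cfg points at a directory containing the library. The function names, the optional root-prefix argument and the `libnss3.so` file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR). Assumes NSS ships as libnss3.so.

# Print the first active (uncommented) SunPKCS11 provider line, if any.
pkcs11_provider_line() {   # $1 = path to java.security
    grep -E '^[[:space:]]*security\.provider\.[0-9]+=.*SunPKCS11' "$1" | head -n 1
}

# Print the nssLibraryDirectory value from nss.cfg (empty if unset).
nss_library_dir() {        # $1 = path to nss.cfg
    sed -n '/^[[:space:]]*nssLibraryDirectory[[:space:]]*=/{
        s/^[^=]*=[[:space:]]*//
        s/[[:space:]]*$//
        p
    }' "$1" | head -n 1
}

# $1 = directory holding java.security and nss.cfg
# $2 = optional root prefix, e.g. an unpacked image filesystem
# Returns 0 = usable, 1 = provider disabled, 2 = directory unset, 3 = library missing.
check_pkcs11() {
    secdir=$1; root=${2:-}
    line=$(pkcs11_provider_line "$secdir/java.security")
    [ -n "$line" ] || { echo "disabled: no active SunPKCS11 line"; return 1; }
    case $line in
        *nss.cfg*) ;;                          # JDK 8 style: provider takes a config file
        *) echo "enabled: $line"; return 0 ;;  # JDK 11+ style: bare provider name
    esac
    dir=$(nss_library_dir "$secdir/nss.cfg")
    [ -n "$dir" ] || { echo "broken: nssLibraryDirectory is empty"; return 2; }
    [ -e "$root$dir/libnss3.so" ] || { echo "broken: $root$dir/libnss3.so not found"; return 3; }
    echo "enabled: $line (NSS in $dir)"
}

# Constructed fixture mirroring the "after" state of the diffs on this page.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/sec" "$t/root/usr/lib"
    printf '%s\n' 'security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg' > "$t/sec/java.security"
    printf '%s\n' 'name = NSS' 'nssLibraryDirectory = /usr/lib' 'nssDbMode = noDb' > "$t/sec/nss.cfg"
    : > "$t/root/usr/lib/libnss3.so"     # empty stand-in file, not a real library
    check_pkcs11 "$t/sec" "$t/root"; rc=$?
    rm -rf "$t"
    return "$rc"
}
```

Inside an image, call `check_pkcs11` with the directory that holds `java.security`; the second argument is only needed when inspecting an unpacked filesystem from outside.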

xnox changed the title from "openjdk: build with SunPKCS11 provider enabled" to "openjdk-8: build with SunPKCS11 provider enabled", Jul 17, 2024
xnox force-pushed the openjdk-nss branch 2 times, most recently from 2e0afd4 to 3619756, July 17, 2024 00:38

Currently SunPKCS11 provider is available in jdk 11..22, but not 8.

Add build-time dependencies and configure options to turn on SunPKCS11
provider by default.

xnox marked this pull request as ready for review July 17, 2024 01:19
xnox merged commit c5ec61e into wolfi-dev:main Jul 17, 2024
8 checks passed