Add export for sun.security.provider to allow BC-FIPS on Java17 #26533

Merged

@zakkak zakkak commented Jul 4, 2022

Java17-based builder-images require sun.security.provider to be exported
in order to compile Bouncycastle FIPS. Otherwise they fail with:

```
Caused by: com.oracle.graal.pointsto.constraints.UnresolvedElementException: Discovered unresolved type during parsing: sun.security.provider.SecureRandom. This error is reported at image build time because class org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom is registered for linking at image build time by command line
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.phases.SharedGraphBuilderPhase$SharedBytecodeParser.reportUnresolvedElement(SharedGraphBuilderPhase.java:298)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.phases.SharedGraphBuilderPhase$SharedBytecodeParser.handleUnresolvedType(SharedGraphBuilderPhase.java:253)
	at org.graalvm.nativeimage.builder/com.oracle.svm.hosted.phases.SharedGraphBuilderPhase$SharedBytecodeParser.handleUnresolvedNewInstance(SharedGraphBuilderPhase.java:199)
	at jdk.internal.vm.compiler/org.graalvm.compiler.java.BytecodeParser.genNewInstance(BytecodeParser.java:4453)
	at jdk.internal.vm.compiler/org.graalvm.compiler.java.BytecodeParser.genNewInstance(BytecodeParser.java:4446)
	at jdk.internal.vm.compiler/org.graalvm.compiler.java.BytecodeParser.processBytecode(BytecodeParser.java:5227)
	at jdk.internal.vm.compiler/org.graalvm.compiler.java.BytecodeParser.iterateBytecodesForBlock(BytecodeParser.java:3359)
	... 28 more
```
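
An added example, not part of this PR or of Quarkus code: a stand-alone check of the module encapsulation behind the error above, run on a plain JDK 17 JVM rather than in the native-image builder. The class name `ExportCheck` is hypothetical; run it once as-is and once with `--add-exports java.base/sun.security.provider=ALL-UNNAMED` to compare.

```java
// Added example: reports whether java.base exports sun.security.provider
// to the calling module. ExportCheck is a hypothetical name.
public class ExportCheck {
    static final String PKG = "sun.security.provider";
    static final String CLS = PKG + ".SecureRandom"; // type named in the build error

    /** True when java.base exports PKG to the given module. */
    static boolean exportedTo(Module caller) {
        Module base = Object.class.getModule(); // java.base
        return base.isExported(PKG, caller);
    }

    /** Tries to instantiate the internal type named in the build error. */
    static String tryInstantiate() {
        try {
            Class<?> c = Class.forName(CLS); // loading is not blocked by modules
            Object o = c.getDeclaredConstructor().newInstance(); // access is
            return "OK: instantiated " + o.getClass().getName();
        } catch (IllegalAccessException e) {
            // Thrown when the package is not exported to the caller's module.
            return "BLOCKED: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "FAILED: " + e;
        }
    }

    public static void main(String[] args) {
        Module me = ExportCheck.class.getModule();
        String name = me.isNamed() ? me.getName() : "unnamed (class path)";
        System.out.println("caller module : " + name);
        System.out.println("exported      : " + exportedTo(me));
        System.out.println("instantiate   : " + tryInstantiate());
    }
}
```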
@zakkak zakkak requested a review from sberyozkin July 4, 2022 07:40
@zakkak zakkak added env/graalvm-java17 Relating to using GraalVM native generation Java 11 area/native-image labels Jul 4, 2022
@sberyozkin sberyozkin left a comment

Thanks @zakkak for taking care of it

quarkus-bot bot commented Jul 4, 2022

Failing Jobs - Building a849783

| Status | Name | Step | Failures | Logs | Raw logs |
| --- | --- | --- | --- | --- | --- |
| | Native Tests - Data5 | Build | Failures | Logs | Raw logs |
| | Native Tests - Main | Build | Failures | Logs | Raw logs |

Failures

⚙️ Native Tests - Data5

- Failing: integration-tests/hibernate-reactive-postgresql 

📦 integration-tests/hibernate-reactive-postgresql

Failed to execute goal io.fabric8:docker-maven-plugin:0.40.1:start (docker-start) on project quarkus-integration-test-hibernate-reactive-postgresql: I/O Error


⚙️ Native Tests - Main

- Failing: integration-tests/main 

📦 integration-tests/main

Failed to execute goal io.fabric8:docker-maven-plugin:0.40.1:start (docker-start) on project quarkus-integration-test-main: I/O Error

@sberyozkin

I think these failures are not related; BouncyCastle libraries are not explicitly added during the integration-tests/main.

@sberyozkin sberyozkin merged commit 01f32bd into quarkusio:main Jul 4, 2022
@quarkus-bot quarkus-bot bot added this to the 2.11 - main milestone Jul 4, 2022
@zakkak zakkak deleted the fix-bouncycastle-fips-native-on-java17 branch July 4, 2022 10:42
Labels
area/native-image area/security env/graalvm-java17 Relating to using GraalVM native generation Java 11