Package as a content-snap

canonical · Sep 21, 2024 · 3a45446 · 3a45446
1 parent 6e78a57
commit 3a45446
Show file tree

Hide file tree

Showing 7 changed files with 582 additions and 1 deletion.
diff --git a/.github/workflows/snaptest.yml b/.github/workflows/snaptest.yml
@@ -0,0 +1,47 @@
+name: Content snap test 
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "**" ]
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@v4
+    - name: Install and init lxd
+      run: |
+        sudo lxd init --auto 
+    - name: Install snapcraft
+      run: sudo snap install snapcraft --classic
+    - name: Re-ensure connectivity in LXD containers
+      run: |
+        for ipt in iptables iptables-legacy ip6tables ip6tables-legacy; do \
+          sudo $ipt --flush; \
+          sudo $ipt --flush -t nat; \
+          sudo $ipt --delete-chain; \
+          sudo $ipt --delete-chain -t nat; \
+          sudo $ipt -P FORWARD ACCEPT; \
+          sudo $ipt -P INPUT ACCEPT; \
+          sudo $ipt -P OUTPUT ACCEPT; \
+        done
+        sudo systemctl reload snap.lxd.daemon
+    - name: Build openssl-fips-java snap
+      run: sudo snapcraft
+    - name: Install openssl-fips-java snap
+      run: sudo snap install --dangerous ./openssl-fips-java_0.0.1_amd64.snap
+    - name: Build sample consumer snap
+      run: |
+        cd ${{ github.workspace }}/src/test/consumer-snap
+        sudo snapcraft
+        sudo snap install --dangerous ./kem-test_1.0_amd64.snap 
+        cd ${{ github.workspace }}
+    - name: Connect snaps
+      run: sudo snap connect kem-test:openssl-fips-provider-jar openssl-fips-java:openssl-fips-provider-jar
+    - name: Run kem-test
+      run: kem-test
+
+
+
diff --git a/pom.xml b/pom.xml
@@ -114,6 +114,9 @@
                             <arguments>
                                 <argument>test-solib</argument>
                             </arguments>
+                            <skip>
+                                ${skipGenerateTestResources}
+                            </skip>
                         </configuration>
                     </execution>
                     <execution>

diff --git a/snapcraft.yaml b/snapcraft.yaml
@@ -0,0 +1,29 @@
+name: openssl-fips-java
+base: core22
+version: "0.0.1"
+summary: OpenSSL-based Java FIPS Provider
+description: |
+  This content-snap contains the OpenSSL Java FIPS provider JAR.
+
+
+grade: stable
+confinement: strict
+
+parts:
+  openssl-fips-provider-jar:
+    plugin: maven
+    source: .
+    maven-parameters:
+      - -DskipTests=true -DskipGenerateTestResources=true -B package --file pom.xml
+    build-packages:
+      - openjdk-21-jdk
+      - maven
+      - libssl-dev
+
+slots:
+  openssl-fips-provider-jar:
+    interface: content
+    content: openssl-fips-provider-jar
+    source:
+      read:
+        - $SNAP/jar
diff --git a/src/main/native/c/init.c b/src/main/native/c/init.c
@@ -18,6 +18,7 @@
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include "jni.h"
 
 /* Global libctx handle. Will be initializaed in JNI_OnLoad */
@@ -64,6 +65,11 @@ OSSL_LIB_CTX* load_openssl_base_provider(const char* conf_file_path) {
 }
 
 int JNI_OnLoad(JavaVM* vm, void *reserved) {
-    global_libctx = load_openssl_fips_provider("/usr/local/ssl/openssl.cnf");
+    const char *default_cnf = "/usr/local/ssl/openssl.cnf";
+    char *cnf = getenv("OPENSSL_CUSTOM_CONF");
+    if (cnf == NULL) {
+        cnf = default_cnf;
+    }
+    global_libctx = load_openssl_fips_provider(cnf);
     return JNI_VERSION_21;
 }
diff --git a/src/test/consumer-snap/KEMTest.java b/src/test/consumer-snap/KEMTest.java
@@ -0,0 +1,43 @@
+import java.security.KeyPair;
+import java.security.PublicKey;
+import java.security.PrivateKey;
+import java.util.Arrays;
+import java.security.KeyPairGenerator;
+import javax.crypto.KEM;
+import javax.crypto.KEM.Encapsulated;
+import javax.crypto.KEM.Encapsulator;
+import javax.crypto.KEM.Decapsulator;
+import javax.crypto.SecretKey;
+import java.security.Security;
+
+
+public class KEMTest {
+    public static void main(String[] args) throws Exception {
+        String cname = "com.canonical.openssl.provider.OpenSSLFIPSProvider";
+        Security.addProvider((java.security.Provider) Class.forName(cname).newInstance());
+
+        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+        kpg.initialize(4096);
+
+        // Alice creates a key pair and shares the public key with Bob
+        KeyPair aliceKeys = kpg.generateKeyPair();
+        PublicKey alicePublicKey = aliceKeys.getPublic();
+        PrivateKey alicePrivateKey = aliceKeys.getPrivate();
+
+        // Bob generates a shared secret and wraps it using Alice's public key
+        KEM bobKem = KEM.getInstance("RSA", "OpenSSLFIPSProvider");
+        Encapsulator encapsulator = bobKem.newEncapsulator(alicePublicKey, null, null);
+        int secretSize = encapsulator.secretSize();
+        KEM.Encapsulated encapsulated = encapsulator.encapsulate(0, secretSize, "AES");
+        SecretKey bobSecret = encapsulated.key();
+
+        // Bob sends the encapsulated secret to Alice
+        // Alice uses her RSA private key to unwrap the shared secret
+        KEM aliceKem = KEM.getInstance("RSA", "OpenSSLFIPSProvider");
+        Decapsulator decapsulator = aliceKem.newDecapsulator(alicePrivateKey, null);
+        byte[] encapsulationBytes = encapsulated.encapsulation();
+        SecretKey aliceSecret = decapsulator.decapsulate(encapsulationBytes, 0, encapsulationBytes.length, "AES");
+
+        System.out.println(aliceSecret.equals(bobSecret));
+    }
+}