biemond / biemond-jdk7

Puppet JDK7 module optimized for Oracle
Apache License 2.0

JCE Policy not extracting #9

Open adamjk-dev opened 9 years ago

adamjk-dev commented 9 years ago

So, it seems like if a JDK version already has a US_export_policy.jar, then the JCE will not be updated.

The problem is in this line: https://github.com/biemond/biemond-jdk7/blob/master/manifests/config/javaexec.pp#L57

We installed some flavors of Oracle JDK, and they already come with this file, so the untar never occurs.

adamjk-dev commented 9 years ago

So, the file is a .zip file as well, so it requires the 'unzip' command if I am not mistaken. I also changed the creates => attribute to look for the README.txt since all the JCE policy ZIP files I found (6,7,8) had a README.txt file in them, and it wasn't in the base JDKs I installed from Oracle (for 1.7 and 1.8).

I ended up using this for a quick solution... but need to do more testing...

  # extract the crypto extension if provided
  if ( $cryptographyExtensionFile != undef ) {

    # Handle correct unzip command based on file type (for crypto extension).
    # Dots are escaped so they match a literal "." in the file name.
    case $cryptographyExtensionFile {
      /\.tar$/: {
        $command = 'tar xf'
      }
      /(\.tgz|\.tar\.gz)$/: {
        $command = 'tar xzf'
      }
      /\.tar\.bz2$/: {
        $command = 'tar xjf'
      }
      /\.zip$/: {
        $command = 'unzip -jo'
      }
      /(\.war|\.jar)$/: {
        $command = 'jar xf'
      }
      default: {
        fail("unsupported file format in crypto extension file: ${cryptographyExtensionFile}.")
      }
    }

    exec { "extract jce ${fullVersion}":
      cwd       => "${javaHomes}/${fullVersion}/jre/lib/security",
      command   => "${command} ${path}/${cryptographyExtensionFile}",
      creates   => "${javaHomes}/${fullVersion}/jre/lib/security/README.txt",
      require   => [File[$javaHomes],Exec["extract java ${fullVersion}"]],
      before    => Exec["chown -R ${owner}:${group} ${javaHomes}/${fullVersion}"],
      logoutput => true,
      user      => $exec_user,
      group     => $group,
    }
  }

biemond commented 9 years ago

thanks

So it depends on where you download it from but it looks like the file is already there, maybe this was different with JSE 6

Unlimited Strength Java Cryptography Extension

Due to import control restrictions for some countries, the Java Cryptography Extension (JCE) policy files shipped with the JDK and the JRE allow strong but limited cryptography to be used. These files are located at

/lib/security/local_policy.jar
/lib/security/US_export_policy.jar

where is the jre directory of the JDK or the top-level directory of the JRE. An unlimited strength version of these files indicating no restrictions on cryptographic strengths is available on the JDK web site for those living in eligible countries. Those living in eligible countries may download the unlimited strength version and replace the strong cryptography jar files with the unlimited strength files.

So the question is, how can I check this if it is already installed?

adamjk-dev commented 9 years ago

Yeah, so we wrote a quick test App that we deploy with Tomcat/WebLogic etc. and it outputs the Max Key Length something like in these examples:

https://jsosic.wordpress.com/2014/02/01/check-if-jce-is-installed/
https://gist.github.com/evaryont/6786915

Basically, if the JCE is not installed, the Max Key Length will be 128. If it is installed, you will see 2147483647.

Our little Java Test App has:

try {
    int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
    resp.getOutputStream().write("<br>".getBytes());
    resp.getOutputStream().write(("Max AES Key Size: " + maxKeyLen + "").getBytes());
} catch (Exception e) { e.printStackTrace(); }

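A file-level complement to the runtime check above, added here as an example (it is not code from this thread or from the module): it reads the policy text inside both jars, since a README.txt marker or the mere presence of US_export_policy.jar does not show which policy is in effect. The function names are hypothetical, and the entry names `default_local.policy` and `default_US_export.policy` are assumed from the Oracle JDK 7/8 policy jars.

```shell
#!/bin/sh
# Added example: decide from the policy jars themselves whether the JCE
# unlimited-strength policy is installed. Function names are hypothetical;
# the jar entry names are assumptions (Oracle JDK 7/8 layout).

# Read policy text on stdin. Succeed only if, after stripping // comments,
# it still grants CryptoAllPermission. (/* */ comments are not handled.)
policy_is_unlimited() {
  sed 's|//.*$||' |
    grep -Eq 'permission[[:space:]]+javax\.crypto\.CryptoAllPermission[[:space:]]*;'
}

# $1 = <jre>/lib/security. Both jars must be unrestricted, because the JRE
# applies the intersection of the export policy and the local policy.
jce_is_unlimited() {
  dir=$1
  unzip -p "$dir/US_export_policy.jar" default_US_export.policy 2>/dev/null |
    policy_is_unlimited &&
  unzip -p "$dir/local_policy.jar" default_local.policy 2>/dev/null |
    policy_is_unlimited
}

# Constructed sample policy texts (not copied from a real jar).
LIMITED_POLICY='grant {
    // permission javax.crypto.CryptoAllPermission;
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission *, 128;
};'
UNLIMITED_POLICY='grant {
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;
};'

# Classify one policy text passed as $1.
classify() {
  if printf '%s\n' "$1" | policy_is_unlimited; then
    echo unlimited
  else
    echo limited
  fi
}

# Stand-alone demo on the constructed samples.
for p in "$LIMITED_POLICY" "$UNLIMITED_POLICY"; do classify "$p"; done
```

The exit status of `jce_is_unlimited` can serve as the `unless` condition of an exec in place of a `creates` marker file, so the guard reflects the installed policy rather than a leftover file.
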
adamjk-dev commented 9 years ago

I ended up updating my code since I can enforce that the JCE file is just a .zip:

# extract the crypto extension if provided
  if ( $cryptographyExtensionFile != undef ) {
    exec { "extract jce ${fullVersion}":
      cwd       => "${javaHomes}/${fullVersion}/jre/lib/security",
      command   => "unzip -jo ${path}/${cryptographyExtensionFile}",
      creates   => "${javaHomes}/${fullVersion}/jre/lib/security/README.txt",
      require   => [File[$javaHomes],Exec["extract java ${fullVersion}"]],
      before    => Exec["chown -R ${owner}:${group} ${javaHomes}/${fullVersion}"],
      logoutput => true,
      user      => $exec_user,
      group     => $group,
    }
  }

BobVincentatNCRdotcom commented 8 years ago

Since the master branch code still assumes the JCE file may be extracted via tar, I've submitted a patch that modifies the documentation to match the code.

biemond commented 8 years ago

Ok let's change the code of https://github.com/biemond/biemond-jdk7/blob/master/manifests/config/javaexec.pp#L58

When it is a zip we should use zip and not use tar in the exec. Asking for converting to tgz is crazy (probably had a blackout or drank too much); it would expect some error in the exec.

@rvincentatprokarmadotcom can you update your pull request and fix this in javaexec.pp

thanks all.

BobVincentatNCRdotcom commented 8 years ago

Updated #14

BobVincentatNCRdotcom commented 8 years ago

#14 now passes puppet-lint and travis-ci tests. Probably should write an additional test, but I gotta get back to paid work.