boxen / puppet-java

Install Java
http://boxen.github.com
MIT License

Install unlimited key strength policy files for JDK 7 #22

Closed zk closed 10 years ago

zk commented 11 years ago

I was getting the following stacktrace when trying to generate 'large' crypto keys:

java.security.InvalidKeyException: Illegal key size
    at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1024)
    at javax.crypto.Cipher.init(Cipher.java:1345)
    at javax.crypto.Cipher.init(Cipher.java:1282)
    at ring.middleware.session.cookie$encrypt.invoke(cookie.clj:49)
    at ring.middleware.session.cookie$seal.invoke(cookie.clj:77)
    at ring.middleware.session.cookie.CookieStore.write_session(cookie.clj:99)

The background on this is that due to US export laws, the JDK (by default) doesn't allow you to use key sizes greater than some specified limit: http://docs.oracle.com/javase/1.4.2/docs/guide/security/jce/JCERefGuide.html#AppE

You can remove this limitation by installing certain jar files at certain JDK-aware paths, like so: http://www.ngs.ac.uk/tools/jcepolicyfiles

Essentially, this PR adds the following steps to the puppet-java module:

  1. Download file http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
  2. Create directory /Library/Java/JavaVirtualMachines/jdk1.7.0_21.jdk/Contents/Home/jre/lib/security (if it doesn't exist)
  3. Put localpolicy.jar and US_export_policy.jar in /Library/Java/JavaVirtualMachines/jdk1.7.0_21.jdk/Contents/Home/jre/lib/security

I've included the two required jar files in the source tree, due to Puppet not allowing remote files to be specified as File sources (i.e. the following fails):

  # fails: a File resource cannot fetch an http(s) URL as its source
  file { '/some/path':
    source  => 'https://some/remote/file',
    mode    => '0664'
  }

I had also considered using this workaround, but decided to start here as the jar files are ~5k combined. Let me know if you think the workaround is more appropriate and I'll switch.

Also, the path at which these files are installed is hardcoded, I had tried using /usr/libexec/java_home to establish the install path after jdk7 was installed using something like

inline_template("<%= `/usr/libexec/java_home`.strip %>")

but I wasn't able to figure out how to affect when that gets evaluated. Ultimately, I didn't think it was a huge deal since the JRE / JDK versions are hardcoded as well.

Thanks, and lmk if you have any questions.
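The three steps from the description and the hardcoded-path trade-off, as an added Puppet manifest that is not code from this PR or from the puppet-java module. It assumes the two jars are shipped in the module under files/jce7/ (served as puppet:///modules/java/jce7/...), that they are named local_policy.jar and US_export_policy.jar as in Oracle's JCE 7 zip, and that the JDK package is managed by a resource called Package['jdk7'], which is a placeholder name.

```puppet
# Added example, not part of the puppet-java module. Assumptions:
# - the policy jars live in the module under files/jce7/, because a File
#   resource of this Puppet version cannot fetch http(s) sources
# - jar names follow Oracle's JCE 7 zip: local_policy.jar, US_export_policy.jar
# - the JDK 7 package resource is named Package['jdk7'] (placeholder name)
class java::jce7 {
  # Hardcoded like the JDK version elsewhere in the module: functions such
  # as inline_template run at catalog compile time, before Package['jdk7']
  # is applied, so `/usr/libexec/java_home` cannot be consulted here.
  $jdk_home     = '/Library/Java/JavaVirtualMachines/jdk1.7.0_21.jdk/Contents/Home'
  $security_dir = "${jdk_home}/jre/lib/security"

  # Step 2: make sure the security directory exists once the JDK is there
  file { $security_dir:
    ensure  => directory,
    owner   => 'root',
    group   => 'wheel',
    mode    => '0755',
    require => Package['jdk7'],
  }

  # Step 3: drop the unlimited-strength policy jars into place; the JRE
  # reads these two files to decide the maximum permitted key size
  file { "${security_dir}/local_policy.jar":
    ensure  => file,
    source  => 'puppet:///modules/java/jce7/local_policy.jar',
    owner   => 'root',
    group   => 'wheel',
    mode    => '0644',
    require => File[$security_dir],
  }

  file { "${security_dir}/US_export_policy.jar":
    ensure  => file,
    source  => 'puppet:///modules/java/jce7/US_export_policy.jar',
    owner   => 'root',
    group   => 'wheel',
    mode    => '0644',
    require => File[$security_dir],
  }
}
```

After a run, `Cipher.getMaxAllowedKeyLength("AES")` from the affected JDK reports Integer.MAX_VALUE instead of 128 if the jars took effect.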

zk commented 11 years ago

@fromonesrc any thoughts on this guy?

ocxo commented 11 years ago

@zk This approach seems pretty valid to me. Mind rebasing against master to get in sync?

wfarr commented 10 years ago

/cc @dgoodlad

dgoodlad commented 10 years ago

@zk happy to consider this one asap, can you get this mergeable again?

zk commented 10 years ago

@dgoodlad pulled the alias & rebased, let me know if you need anything else.

zk commented 10 years ago

@dgoodlad I can squash this down to one commit if needed as well.

dgoodlad commented 10 years ago

@zk no worries about squashing, just fix up the requires and we should be good to go

zk commented 10 years ago

@dgoodlad updated, much appreciated!

dgoodlad commented 10 years ago

Seems legit. Thanks @zk!

dgoodlad commented 10 years ago

@zk released as 1.2.0: https://github.com/boxen/puppet-java/releases/tag/1.2.0

zk commented 10 years ago

@dgoodlad @wfarr @fromonesrc related: