oracle / graal

GraalVM compiles Java applications into native executables that start instantly, scale fast, and use fewer compute resources 🚀
https://www.graalvm.org

gu install native-image - Specify path to trustStore #4048

Open aleqsss opened 2 years ago

aleqsss commented 2 years ago

Describe the issue

When I run the command gu install native-image, it defaults to using the TrustStore from the build-time host environment. In my case this TrustStore is created from the root certificate file provided within the graalvm-ce-java11-21.3.0 JDK (/lib/security/cacerts).

This makes my gu install native-image fail with the following error:

I/O error occurred: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In order to get it to work in our corporate environment, I need to add an additional certificate to this /graalvm-ce-java11-21.3.0/lib/security/cacerts. I do this with keytool:

keytool -importcert -alias cert01 -keystore "/graalvm-ce-java11-21.3.0/lib/security/cacerts" -file "/path/cert01.pem" -storepass "changeit" -noprompt

After this is done, the gu install native-image completes successfully.

Now to the actual issue, I need this to not be in the JDK folder (graalvm-ce-java11-21.3.0/lib/security/cacerts). I need to be able to point to a cacerts file, located outside of the JDK.

To be able to do this, I've tried to use the --jvm switch for the install to pick up the JAVA_TOOL_OPTIONS which I've populated as follows: -Djavax.net.ssl.trustStore=/path/to/cacerts

When I run gu install native-image I get the following error:

Picked up JAVA_TOOL_OPTIONS: -Djavax.net.ssl.trustStore=/cacerts/java/cacerts
Downloading: Release index file from oca.opensource.oracle.com
Downloading: Component catalog from www.graalvm.org
Processing Component: Native Image
Downloading: Component native-image: Native Image from github.com
I/O error occurred: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Am I missing something here? Both of my examples above use the exact same cacerts file, but only one of them works. Am I specifying the JAVA_TOOL_OPTIONS wrong? In the second example it says that it Picked up JAVA_TOOL_OPTIONS: -Djavax.net.ssl.trustStore=/cacerts/java/cacerts but it doesn't, for some reason, seem to be using it. Instead it seems like it's using the included default cacerts from /graalvm-ce-java11-21.3.0/lib/security/, which in this case hasn't been populated with the certificate our corporate environment requires.

I've also tried to run the following command:

gu --vm.Djavax.net.ssl.trustStore=/path/to/cacerts install native-image

Same error here:

I/O error occurred: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Again, am I using this one wrong?

Is there any other way to get it to look at another path to cacerts? Perhaps I'm missing for instance another environment variable or some other global configuration? What can I do to make it look at specific cacerts path from a global configuration of sorts?

Steps to reproduce the issue

  1. Download graalvm-ce-java11-21.3.0
  2. Execute gu install native-image in any of the above ways, to try to get it to point to a different cacerts than the default one.

Describe GraalVM and your environment:

IMPLEMENTOR="GraalVM Community"
JAVA_VERSION="11.0.13"
JAVA_VERSION_DATE="2021-10-19"
LIBC="gnu"
MODULES="java.base java.logging jdk.internal.vm.ci jdk.unsupported org.graalvm.sdk java.datatransfer java.xml java.prefs java.desktop java.management java.transaction.xa java.sql org.graalvm.truffle jdk.internal.vm.compiler com.oracle.graal.graal_enterprise com.oracle.svm.svm_enterprise com.oracle.truffle.regex com.oracle.truffle.truffle_nfi com.oracle.truffle.truffle_nfi_libffi java.compiler java.instrument java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.internal.le jdk.internal.opt jdk.management jdk.internal.vm.compiler.management jdk.jfr jdk.internal.vm.compiler.truffle.jfr jdk.jartool jdk.javadoc jdk.jcmd jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jlink jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.ldap jdk.naming.rmi jdk.net jdk.pack jdk.rmic jdk.scripting.nashorn jdk.scripting.nashorn.shell jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported.desktop jdk.xml.dom jdk.zipfs org.graalvm.js.scriptengine org.graalvm.locator"
OS_ARCH="x86_64"
OS_NAME="Linux"
SOURCE=".:git:818477aca665+ labsjdk-builder:486b4262f89a40a1795775a1da8fbc82d3f3fc21 compiler:84541b16ae8a8726a0e7d76c7179d94a57ed84ee graal-js:ede7e2b88260ac8b1ec0d856f0263e56cb4dfed2 java-benchmarks:84541b16ae8a8726a0e7d76c7179d94a57ed84ee regex:84541b16ae8a8726a0e7d76c7179d94a57ed84ee sdk:84541b16ae8a8726a0e7d76c7179d94a57ed84ee substratevm:84541b16ae8a8726a0e7d76c7179d94a57ed84ee sulong:84541b16ae8a8726a0e7d76c7179d94a57ed84ee tools:84541b16ae8a8726a0e7d76c7179d94a57ed84ee truffle:84541b16ae8a8726a0e7d76c7179d94a57ed84ee vm:84541b16ae8a8726a0e7d76c7179d94a57ed84ee"
GRAALVM_VERSION="21.3.0"
COMMIT_INFO={"compiler": {"commit.committer": "Gilles Duboscq gilles.m.duboscq@oracle.com", "commit.committer-ts": 1634421704, "commit.rev": "84541b16ae8a8726a0e7d76c7179d94a57ed84ee"}, "graal-js": {"commit.committer": "Gilles Duboscq gilles.m.duboscq@oracle.com", "commit.committer-ts": 1634421631, "commit.rev": "ede7e2b88260ac8b1ec0d856f0263e56cb4dfed2"}, "java-benchmarks": {"commit.committer": "Gilles Duboscq gilles.m.duboscq@oracle.com", "commit.committer-ts": 1634421704, "commit.rev": "84541b16ae8a8726a0e7d76c7179d94a57ed84ee"}, "regex": {"commit.committer": "Gilles Duboscq gilles.m.duboscq@oracle.com", "commit.committer-ts": 1634421704, "commit.rev": "84541b16ae8a8726a0e7d76c7179d94a57ed84ee"}, "sdk": {"commit.committer": "Gilles Duboscq gilles.m.duboscq@oracle.com", "commit.committer-ts": 1634421704, "commit.rev": "84541b16ae8a8726a0e7d76c7179d94a57ed84ee"}, "substratevm": {"commit.committer": "Gilles Duboscq gilles.m.duboscq@oracle.com", "commit.committer-ts": 1634421704, "commit.rev": "84541b16ae8a8726a0e7d76c7179d94a57ed84ee"}, "sulong": {"commit.committer": "Gilles Duboscq gilles.m.duboscq@oracle.com", "commit.committer-ts": 1634421704, "commit.rev": "84541b16ae8a8726a0e7d76c7179d94a57ed84ee"}, "tools": {"commit.committer": "Gilles Duboscq gilles.m.duboscq@oracle.com", "commit.committer-ts": 1634421704, "commit.rev": "84541b16ae8a8726a0e7d76c7179d94a57ed84ee"}, "truffle": {"commit.committer": "Gilles Duboscq gilles.m.duboscq@oracle.com", "commit.committer-ts": 1634421704, "commit.rev": "84541b16ae8a8726a0e7d76c7179d94a57ed84ee"}, "vm": {"commit.committer": "Gilles Duboscq gilles.m.duboscq@oracle.com", "commit.committer-ts": 1634421704, "commit.rev": "84541b16ae8a8726a0e7d76c7179d94a57ed84ee"}}
component_catalog="gds://oca.opensource.oracle.com/gds/meta-data.json|https://www.graalvm.org/component-catalog/v2/graal-updater-component-catalog-java11.properties"

More details

I've read through the Certificate Management in Native Image documentation, which directs you to Using System Properties in Native Images if you'd like to change to a different certificate file by setting the javax.net.ssl.trustStore property. Inside there they tell you the following:

Does this mean that you can use this exact command gu install native-image -Djavax.net.ssl.trustStore=/path/to/cacerts? If I try this I get the following error: Unrecognized argument: '-j'. Use --help for usage instructions.
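An added example of the trust-store handling described in this report (it is not code from the thread or from the GraalVM project): it keeps the corporate CA in a store outside the JDK tree, pins the certificate to a fingerprint obtained out of band before keytool -importcert -noprompt turns it into a trust anchor, verifies the alias actually landed, and then copies the managed store over the JDK's bundled cacerts, which is the only path the report confirms works with gu install native-image on 21.3.0. The paths /graalvm-ce-java11-21.3.0 and /etc/cacerts/java/cacerts, the alias cert01, the EXPECTED_SHA256 variable and all function names are assumptions of the example; the -D triple it prints is the one the reporter placed in JAVA_TOOL_OPTIONS.

```shell
#!/bin/sh
# Added example, not code from the issue or the GraalVM project.
# Manage the corporate trust store OUTSIDE the JDK tree, check what goes into it,
# then deploy it over the bundled cacerts. Hypothetical defaults below: GRAALVM_HOME,
# TRUSTSTORE path, alias cert01. EXPECTED_SHA256 (optional) pins the CA fingerprint.
set -eu

GRAALVM_HOME="${GRAALVM_HOME:-/graalvm-ce-java11-21.3.0}"
TRUSTSTORE="${TRUSTSTORE:-/etc/cacerts/java/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # JDK default for cacerts; guards integrity, not secrecy
JDK_CACERTS="$GRAALVM_HOME/lib/security/cacerts"

# The -D triple a JVM-mode tool needs to read an external store (what the reporter put
# into JAVA_TOOL_OPTIONS). Pure shell so it can be checked without a JDK installed.
truststore_opts() {
  printf '%s %s %s' \
    "-Djavax.net.ssl.trustStore=$1" \
    "-Djavax.net.ssl.trustStorePassword=$2" \
    "-Djavax.net.ssl.trustStoreType=jks"
}

# Refuse to continue on a missing or empty store: fail loudly here instead of leaving
# it to the JVM to decide what to do with an unreadable trustStore path.
check_store_file() {
  if [ ! -s "$1" ]; then
    echo "trust store missing or empty: $1" >&2
    return 1
  fi
}

# SHA-256 fingerprint of a PEM/DER certificate as keytool prints it (AA:BB:...).
cert_sha256() {
  keytool -printcert -file "$1" | awk '$1 == "SHA256:" { print $2; exit }'
}

# keytool -importcert -noprompt trusts whatever is in the file; compare against a
# fingerprint obtained out of band before it becomes a trust anchor for every TLS session.
import_ca() {
  cert_file="$1"; alias="$2"
  fp="$(cert_sha256 "$cert_file")"
  if [ -n "${EXPECTED_SHA256:-}" ] && [ "$fp" != "$EXPECTED_SHA256" ]; then
    echo "refusing to import $cert_file: fingerprint $fp != $EXPECTED_SHA256" >&2
    return 1
  fi
  mkdir -p "$(dirname "$TRUSTSTORE")"
  # Start from the bundled roots so public endpoints (github.com, graalvm.org) keep working.
  [ -s "$TRUSTSTORE" ] || cp "$JDK_CACERTS" "$TRUSTSTORE"
  if keytool -list -alias "$alias" -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null 2>&1; then
    echo "alias $alias already present in $TRUSTSTORE"
    return 0
  fi
  keytool -importcert -alias "$alias" -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    -file "$cert_file" -noprompt
  # keytool -list exits non-zero if the alias is absent, so this verifies the import.
  keytool -list -alias "$alias" -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null
  echo "imported $alias ($fp) into $TRUSTSTORE"
}

# Deploy the managed store over the JDK's own cacerts, keeping a one-time backup.
# Must be re-run after every JDK upgrade: a new JDK ships a fresh cacerts without the CA.
deploy_to_jdk() {
  check_store_file "$TRUSTSTORE"
  [ -f "$JDK_CACERTS.orig" ] || cp "$JDK_CACERTS" "$JDK_CACERTS.orig"
  cp "$TRUSTSTORE" "$JDK_CACERTS"
}

main() {
  import_ca "$1" "${2:-cert01}"
  deploy_to_jdk
  echo "options for a launcher running in JVM mode, if it honours them:"
  truststore_opts "$TRUSTSTORE" "$STOREPASS"; echo
}

# usage: EXPECTED_SHA256=AA:BB:... sh manage_cacerts.sh /path/cert01.pem cert01
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Two caveats worth recording next to this: the store password only protects the file's integrity (the bundled cacerts uses the well-known changeit), and whatever is placed in JAVA_TOOL_OPTIONS, password included, is echoed to stderr in the "Picked up JAVA_TOOL_OPTIONS" line quoted in the report, so keep real secrets out of it; and the copy step is part of every JDK upgrade, since a rebuilt or redownloaded JDK brings its own cacerts back.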

MartinBalin commented 2 years ago

When you run with --jvm (not as native image binary) does it work and picks up the options?

aleqsss commented 2 years ago

Could you please give me an example? Would be appreciated! Would be great if I could get the "--jvm" switch to work.

Have you been able to replicate the issue? 🙂

Also, do you have any input to my other questions? Is there any other way to get it to look at another path to cacerts? Perhaps I'm missing for instance another environment variable or some other global configuration? What can I do to make it look at specific cacerts path, from any kind of global configuration? What are the options to achieve this?

Regarding gu --vm.Djavax.net.ssl.trustStore=/path/to/cacerts install native-image not working, is this not supported? I can see it listed under Runtime options (https://www.graalvm.org/reference-manual/graalvm-updater/), so perhaps it doesn't work for gu install? Or does the Runtime options apply there as well?

What is meant by this documentation: https://www.graalvm.org/reference-manual/native-image/Properties/? Is there something there that can be added to gu install native-image to make it work in the desired way, and if so, how? Or is it for another purpose? The same is also stated under Options to Native Image Builder:

-D<name>=<value>: set a system property.

But if I run gu install native-image -Djavax.net.ssl.trustStore=/path/to/cacerts, I get the following error: Unrecognized argument: '-j'. Use --help for usage instructions.

Am I using it wrong? How am I supposed to use this?

Are these the only options that are supported by gu install native-image?: https://www.graalvm.org/reference-manual/graalvm-updater/#graalvm-updater-commands-overview

Again, what can be done to make gu install native-image look at a specified path for a cacerts file, either via an environment variable (or any other global configuration) or by adding an option to the actual command? Am I missing something or doing it wrong?

Thanks!

MartinBalin commented 2 years ago

It is e.g. gu available --jvm. We will look for the rest, but knowing it works at least in JVM mode is the start.

aleqsss commented 2 years ago

Running gu available --jvm results in the following output:

Picked up JAVA_TOOL_OPTIONS: -Djavax.net.ssl.trustStore=/cacerts/java/cacerts
Downloading: Release index file from oca.opensource.oracle.com
Downloading: Component catalog from www.graalvm.org
ComponentId     Version  Component name      Stability      Origin
------------------------------------------------------------------
espresso        21.3.0   Java on Truffle     Experimental   github.com
llvm-toolchain  21.3.0   LLVM.org toolchain  Supported      github.com
native-image    21.3.0   Native Image        Early adopter  github.com
nodejs          21.3.0   Graal.nodejs        Supported      github.com
python          21.3.0   Graal.Python        Experimental   github.com
R               21.3.0   FastR               Experimental   github.com
ruby            21.3.0   TruffleRuby         Experimental   github.com
wasm            21.3.0   GraalWasm           Experimental   github.com

MartinBalin commented 2 years ago

Seems like you can work with GraalVM GU; at least a workaround exists. We will look at the rest of the problems reported.

aleqsss commented 2 years ago

"Seems like you can work with GraalVM GU at least workaround exists." Which workaround are you referring to? The keytool import into the default cacerts included in the JDK, which I mentioned in the OP? 🙂

"We will look at the rest of problems reported." Including the "--jvm" switch/environment variable issue in conjunction with gu install native-image, right?

Sorry for me being confused. 😁

aleqsss commented 2 years ago

Want to make it clear that running gu --jvm install native-image doesn't work, even if it says that it picks up the JAVA_TOOL_OPTIONS. Here is what the log looks like when running gu --jvm install native-image:

Picked up JAVA_TOOL_OPTIONS: -Djavax.net.ssl.trustStore=/etc/cacerts/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=jks
Downloading: Release index file from oca.opensource.oracle.com
Downloading: Component catalog from www.graalvm.org
Processing Component: Native Image
Downloading: Component native-image: Native Image from github.com
I/O error occurred: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Where the /etc/cacerts/java/cacerts file is the exact same file which works, if I place it here: /graalvm-ce-java11-21.3.0/lib/security/cacerts

So if I put it in the above JDK folder it works. If I don't put it in the above JDK folder and point to it via JAVA_TOOL_OPTIONS as in the example above (and as stated, using the --jvm option), it doesn't work.

So it seems like it's skipping the JAVA_TOOL_OPTIONS even if it says that it picked them up, and defaults to use the JDK included cacerts file (/graalvm-ce-java11-21.3.0/lib/security/cacerts). Because if I remove the default included cacerts file from the /graalvm-ce-java11-21.3.0/lib/security/ path, and run gu --jvm install native-image, I get the following in the log:

Picked up JAVA_TOOL_OPTIONS: -Djavax.net.ssl.trustStore=/etc/cacerts/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=jks
Downloading: Release index file from oca.opensource.oracle.com
Error: Error reading component list: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

aleqsss commented 2 years ago

@MartinBalin, any news in regards of this? 🙂

abetobing commented 1 year ago

i'm having the same issue here, is there any updates?

aleqsss commented 1 year ago

Over a year later, one could only hope! 🙂