Tolerate OpenJCEPlus FIPS binaries with jlink

When using `jlink` to create a JRE a user may make use of the `jlink` argument `--strip-debug`. This argument executes a strip to remove unnecessary symbols and information from a library to provide for a minimal footprint size of the runtime being created. This update skips performing any strip commands against the FIPS libraries contained in the `openjceplus` module. This is required since any changes to the FIPS libraries will cause a failure when loading the library since a self verification process is done when the FIPS library is loaded. Signed-off-by: Jason Katonica <katonica@us.ibm.com>
ibmruntimes · Aug 22, 2024 · c242df0 · c242df0
1 parent eb870f1
commit c242df0
Showing 1 changed file with 35 additions and 3 deletions.
diff --git a/...k.jlink/linux/classes/jdk/tools/jlink/internal/plugins/StripNativeDebugSymbolsPlugin.java b/...k.jlink/linux/classes/jdk/tools/jlink/internal/plugins/StripNativeDebugSymbolsPlugin.java
@@ -22,6 +22,11 @@
  * or visit www.oracle.com if you need additional information or have any
  * questions.
  */
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
 package jdk.tools.jlink.internal.plugins;
 
 import java.io.InputStream;
@@ -104,9 +109,7 @@ public ResourcePool transform(ResourcePool in, ResourcePoolBuilder out) {
  stripBin);
  in.transformAndCopy((resource) -> {
  ResourcePoolEntry res = resource;
- if ((resource.type() == ResourcePoolEntry.Type.NATIVE_LIB &&
- resource.path().endsWith(SHARED_LIBS_EXT)) ||
- resource.type() == ResourcePoolEntry.Type.NATIVE_CMD) {
+ if (shouldStrip(resource)) {
  Optional<StrippedDebugInfoBinary> strippedBin = builder.build(resource);
  if (strippedBin.isPresent()) {
  StrippedDebugInfoBinary sb = strippedBin.get();
@@ -131,6 +134,35 @@ public ResourcePool transform(ResourcePool in, ResourcePoolBuilder out) {
  return out.build();
  }
 
+ /**
+ * Method to determine if a particular resource should be stripped.
+ *
+ * Particular paths are added here to handle libraries within the openjceplus module.
+ * The FIPS certified library located in the C/icc directory is sensitive to
+ * any modifications to the native library. Performing any modifications to the library
+ * in any way, causes the FIPS library to fail to load due to a self verification check made.
+ *
+ * @param resource the resource to examine for stripping eligibility
+ * @return return true if stripping should be done on a particular resource, false otherwise
+ */
+ private static boolean shouldStrip(ResourcePoolEntry resource) {
+ switch (resource.type()) {
+ case NATIVE_CMD:
+ return true;
+ case NATIVE_LIB:
+ String path = resource.path();
+ if (path.endsWith(SHARED_LIBS_EXT)) {
+ if (!(resource.moduleName().equals("openjceplus") && path.contains("/C/icc/"))) {
+ return true;
+ }
+ }
+ break;
+ default:
+ break;
+ }
+ return false;
+ }
+
  private void logError(ResourcePoolEntry resource, String msgKey) {
  String msg = getMessage(msgKey,
  NAME,