Static libs and jar artifact for boringssl

boringssl/boringssl_jni/Makefile

@@ -7,12 +7,16 @@ ifeq ($(UNAME_S),Darwin)
     LIB_EXT = dylib
     JNI_OS_DIR = darwin
     CC ?= clang
-    LDFLAGS = -dynamiclib -undefined dynamic_lookup
+    # Use MACOSX_DEPLOYMENT_TARGET from environment or default to 11.0 (first Apple Silicon support)
+    MACOSX_DEPLOYMENT_TARGET ?= 11.0
+    LDFLAGS = -dynamiclib -undefined dynamic_lookup -mmacosx-version-min=$(MACOSX_DEPLOYMENT_TARGET)
+    CFLAGS_EXTRA = -mmacosx-version-min=$(MACOSX_DEPLOYMENT_TARGET)
 else
     LIB_EXT = so
     JNI_OS_DIR = linux
     CC ?= gcc
     LDFLAGS = -shared
+    CFLAGS_EXTRA =
 endif
 
 # Directories
@@ -22,25 +26,35 @@ BSSL_BUILD_DIR = $(BSSL_DIR)/build
 INCLUDES = -I$(BSSL_DIR)/include -I$(JAVA_HOME)/include -I$(JAVA_HOME)/include/$(JNI_OS_DIR)
 
 # Flags
-CFLAGS = -O2 -fPIC $(INCLUDES)
+CFLAGS = -O2 -fPIC $(INCLUDES) $(CFLAGS_EXTRA)
 LIBS = $(BSSL_BUILD_DIR)/libcrypto.a
 
 # Files
 LIB_NAME = libboringssl_precompiles.$(LIB_EXT)
+STATIC_LIB_NAME = libboringssl_precompiles.a
 SRCS = p256_verify.c ecrecover.c
 OBJS = $(SRCS:.c=.o)
 BUILD_OBJS = $(addprefix $(BUILD_DIR)/, $(OBJS))
 BUILD_LIB = $(BUILD_DIR)/$(LIB_NAME)
+BUILD_STATIC_LIB = $(BUILD_DIR)/$(STATIC_LIB_NAME)
 
 # Default target
-all: $(BUILD_DIR) $(BUILD_LIB)
+all: $(BUILD_DIR) $(BUILD_LIB) $(BUILD_STATIC_LIB)
 
 $(BUILD_DIR):
 	mkdir -p $@
 
+# Dynamic library
 $(BUILD_LIB): $(BUILD_OBJS)
 	$(CC) $(LDFLAGS) -o $@ $^ $(LIBS)
 
+# Static library - properly merge libcrypto.a object files instead of nesting
+$(BUILD_STATIC_LIB): $(BUILD_OBJS)
+	@mkdir -p $(BUILD_DIR)/merge_tmp
+	@cd $(BUILD_DIR)/merge_tmp && ar x ../../$(BSSL_BUILD_DIR)/libcrypto.a
+	ar rcs $@ $^ $(BUILD_DIR)/merge_tmp/*.o
+	@rm -rf $(BUILD_DIR)/merge_tmp
+
 $(BUILD_DIR)/%.o: %.c | $(BUILD_DIR)
 	$(CC) $(CFLAGS) -c $< -o $@
 

boringssl/build.gradle

@@ -19,9 +19,31 @@ plugins {
     id 'com.jfrog.artifactory' version '5.2.3'
 }
 
+// Configure source sets - separate GraalVM classes from main JAR
+sourceSets {
+  graal {
+    java {
+      srcDir 'src/main/java'
+      include '**/*Graal*.java'
+      include '**/BoringSSLPrecompilesCommon.java'
+    }
+    // Graal source set needs access to main source set classes
+    compileClasspath += sourceSets.main.output
+  }
+  main {
+    java {
+      exclude '**/*Graal*.java'
+    }
+  }
+}
+
 dependencies {
     implementation 'net.java.dev.jna:jna:5.12.1'
     implementation project(':common')
+
+    // GraalVM SDK only for graal source set
+    graalImplementation 'org.graalvm.sdk:graal-sdk:24.0.2'
+    graalImplementation project(':common')
     testImplementation 'com.google.guava:guava:31.1-jre'
     testImplementation 'net.java.dev.jna:jna:5.12.1'
     testImplementation 'io.consensys.tuweni:tuweni-bytes:2.7.1'
@@ -61,6 +83,43 @@ task linuxRiscv64LibCopy(type: Copy) {
 }
 processResources.dependsOn linuxRiscv64LibCopy
 
+// Static library copy tasks (for GraalVM native-image)
+task macArmStaticLibCopy(type: Copy) {
+    from 'build/darwin-aarch64/lib/libboringssl_precompiles.a'
+    from 'boringssl_jni/p256_verify.h'
+    into 'build/resources-static/lib/aarch64'
+}
+
+task macStaticLibCopy(type: Copy) {
+    from 'build/darwin-x86-64/lib/libboringssl_precompiles.a'
+    from 'boringssl_jni/p256_verify.h'
+    into 'build/resources-static/lib/x86-64'
+}
+
+task linuxStaticLibCopy(type: Copy) {
+    from 'build/linux-gnu-x86_64/lib/libboringssl_precompiles.a'
+    from 'boringssl_jni/p256_verify.h'
+    into 'build/resources-static/lib/x86-64'
+}
+
+task linuxArm64StaticLibCopy(type: Copy) {
+    from 'build/linux-gnu-aarch64/lib/libboringssl_precompiles.a'
+    from 'boringssl_jni/p256_verify.h'
+    into 'build/resources-static/lib/aarch64'
+}
+
+task linuxRiscv64StaticLibCopy(type: Copy) {
+    from 'build/linux-gnu-riscv64/lib/libboringssl_precompiles.a'
+    from 'boringssl_jni/p256_verify.h'
+    into 'build/resources-static/lib/riscv64'
+}
+
+// Task to prepare static resources
+task prepareStaticResources {
+    dependsOn macArmStaticLibCopy, macStaticLibCopy, linuxStaticLibCopy,
+              linuxArm64StaticLibCopy, linuxRiscv64StaticLibCopy
+}
+
 
 
 jar {
@@ -89,6 +148,14 @@ task javadocJar(type: Jar, dependsOn: javadoc) {
     from javadoc.destinationDir
 }
 
+task staticJar(type: Jar, dependsOn: [prepareStaticResources, graalClasses]) {
+    archiveBaseName = 'besu-native-boringssl'
+    archiveClassifier = 'static'
+    from 'build/resources-static'
+    from sourceSets.graal.output
+    includeEmptyDirs = false
+}
+
 
 publishing {
     publications {
@@ -100,6 +167,7 @@ publishing {
             from components.java
             artifact sourcesJar
             artifact javadocJar
+            artifact staticJar
 
             pom {
                 name = "Besu Native - ${project.name}"

boringssl/src/main/java/org/hyperledger/besu/nativelib/boringssl/BoringSSLPrecompiles.java

@@ -17,18 +17,16 @@
 
 import org.hyperledger.besu.nativelib.common.BesuNativeLibraryLoader;
 
-import java.math.BigInteger;
-import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Optional;
 
 public class BoringSSLPrecompiles {
 
   public static final boolean ENABLED;
 
-  public static final int STATUS_SUCCESS = 0;
-  public static final int STATUS_FAIL = 1;
-  public static final int STATUS_ERROR = 2;
+  public static final int STATUS_SUCCESS = BoringSSLPrecompilesCommon.STATUS_SUCCESS;
+  public static final int STATUS_FAIL = BoringSSLPrecompilesCommon.STATUS_FAIL;
+  public static final int STATUS_ERROR = BoringSSLPrecompilesCommon.STATUS_ERROR;
 
 
   static {
@@ -62,26 +60,21 @@
 
 
 
-  // Wrapper result classes
-  public static class P256VerifyResult {
-    public final int status;
-    public final String error;
-
+  // Wrapper result classes - use common implementations
+  public static class P256VerifyResult extends BoringSSLPrecompilesCommon.P256VerifyResult {
     public P256VerifyResult(final int status, final String message) {
-      this.status = status;
-      this.error = message;
+      super(status, message);
     }
   }
 
-
   public record ECRecoverResult(
       int status,
       Optional<byte[]> publicKey,
       Optional<String> error) {}
 
 
   // Safe, wrapped version of the native calls
-  final static int ERROR_BUF_SIZE = 256;
+  final static int ERROR_BUF_SIZE = BoringSSLPrecompilesCommon.ERROR_BUF_SIZE;
 
   public static P256VerifyResult p256Verify(final byte[] input, final int inputLength) {
 
@@ -107,71 +100,32 @@
             uncompressedPubKey, uncompressedPubKey.length,
             errorBuf, ERROR_BUF_SIZE);
 
-    return new P256VerifyResult(status, bytesToNullTermString(errorBuf));
+    return new P256VerifyResult(status, BoringSSLPrecompilesCommon.bytesToNullTermString(errorBuf));
   }
 
-  // secp256r1 curve order
-  private static final BigInteger SECP256R1_ORDER =
-      new BigInteger("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16);
-
   public static ECRecoverResult ecrecover(final byte[] hash, final byte[] sig,
       final int recovery_id) {
-    // Validate signature length
-    if (sig == null || sig.length != 64) {
-      return new ECRecoverResult(STATUS_ERROR, Optional.empty(),
-          Optional.of("invalid signature length"));
-    }
-
-    if (hash == null || hash.length != 32) {
-      return new ECRecoverResult(STATUS_ERROR, Optional.empty(),
-          Optional.of("invalid hash length"));
-    }
-    byte[] errorBuf = new byte[ERROR_BUF_SIZE];
-
-    // Extract r and s values
-    byte[] rBytes = new byte[32];
-    byte[] sBytes = new byte[32];
-    System.arraycopy(sig, 0, rBytes, 0, 32);
-    System.arraycopy(sig, 32, sBytes, 0, 32);
-
-    BigInteger r = new BigInteger(1, rBytes);
-    BigInteger s = new BigInteger(1, sBytes);
 
-    // Validate r and s are in range [1, n-1] before calling native method
-    if (r.equals(BigInteger.ZERO) || r.compareTo(SECP256R1_ORDER) >= 0) {
-      return new ECRecoverResult(STATUS_ERROR, Optional.empty(),
-          Optional.of("invalid signature r value"));
+    // Validate input using common validation logic
+    Optional<BoringSSLPrecompilesCommon.ECRecoverResult> validationError =
+        BoringSSLPrecompilesCommon.validateEcrecoverInput(hash, sig, recovery_id);
+    if (validationError.isPresent()) {
+      BoringSSLPrecompilesCommon.ECRecoverResult err = validationError.get();
+      return new ECRecoverResult(err.status(), err.publicKey(), err.error());
     }
 
-    if (s.equals(BigInteger.ZERO) || s.compareTo(SECP256R1_ORDER) >= 0) {
-      return new ECRecoverResult(STATUS_ERROR, Optional.empty(),
-          Optional.of("invalid signature s value"));
-    }
-
-    if (recovery_id < 0 || recovery_id > 1) {
-      return new ECRecoverResult(STATUS_ERROR, Optional.empty(),
-          Optional.of("invalid recovery id " + recovery_id + " is not 0 or 1"));
-    }
+    byte[] errorBuf = new byte[ERROR_BUF_SIZE];
 
     byte[] output = new byte[65];
     byte[] error_buf = new byte[ERROR_BUF_SIZE];
     int status = ecrecover_r1(hash, hash.length, sig, sig.length, recovery_id, output, output.length,
         errorBuf, ERROR_BUF_SIZE);
 
-    if (status == 0) {
+    if (status == STATUS_SUCCESS) {
       return new ECRecoverResult(status, Optional.of(output), Optional.empty());
     } else {
-      String errorMessage = bytesToNullTermString(error_buf);
+      String errorMessage = BoringSSLPrecompilesCommon.bytesToNullTermString(error_buf);
       return new ECRecoverResult(status, Optional.empty(), Optional.of(errorMessage));
     }
   }
-
-  static String bytesToNullTermString(final byte[] buffer) {
-    int nullTerminator = 0;
-    while (nullTerminator < buffer.length && buffer[nullTerminator] != 0) {
-      nullTerminator++;
-    }
-    return new String(buffer, 0, nullTerminator, StandardCharsets.UTF_8);
-  }
-
 }

boringssl/src/main/java/org/hyperledger/besu/nativelib/boringssl/BoringSSLPrecompilesCommon.java

@@ -0,0 +1,109 @@
+/*
+ * Copyright contributors to Besu.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ */
+package org.hyperledger.besu.nativelib.boringssl;
+
+import java.math.BigInteger;
+import java.nio.charset.StandardCharsets;
+import java.util.Optional;
+
+/**
+ * Common logic shared between JNA and GraalVM implementations of BoringSSL precompiles
+ */
+public class BoringSSLPrecompilesCommon {
+
+    public static final int STATUS_SUCCESS = 0;
+    public static final int STATUS_FAIL = 1;
+    public static final int STATUS_ERROR = 2;
+
+    public static final int ERROR_BUF_SIZE = 256;
+
+    // secp256r1 curve order
+    public static final BigInteger SECP256R1_ORDER =
+            new BigInteger("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16);
+
+    // Wrapper result classes
+    public static class P256VerifyResult {
+        public final int status;
+        public final String error;
+
+        public P256VerifyResult(final int status, final String message) {
+            this.status = status;
+            this.error = message;
+        }
+    }
+
+    public record ECRecoverResult(
+            int status,
+            Optional<byte[]> publicKey,
+            Optional<String> error) {}
+
+    /**
+     * Validates ecrecover input parameters
+     * @return Optional containing error result if validation fails, empty if valid
+     */
+    public static Optional<ECRecoverResult> validateEcrecoverInput(
+            final byte[] hash, final byte[] sig, final int recovery_id) {
+
+        // Validate signature length
+        if (sig == null || sig.length != 64) {
+            return Optional.of(new ECRecoverResult(STATUS_ERROR, Optional.empty(),
+                    Optional.of("invalid signature length")));
+        }
+
+        if (hash == null || hash.length != 32) {
+            return Optional.of(new ECRecoverResult(STATUS_ERROR, Optional.empty(),
+                    Optional.of("invalid hash length")));
+        }
+
+        // Extract r and s values
+        byte[] rBytes = new byte[32];
+        byte[] sBytes = new byte[32];
+        System.arraycopy(sig, 0, rBytes, 0, 32);
+        System.arraycopy(sig, 32, sBytes, 0, 32);
+
+        BigInteger r = new BigInteger(1, rBytes);
+        BigInteger s = new BigInteger(1, sBytes);
+
+        // Validate r and s are in range [1, n-1] before calling native method
+        if (r.equals(BigInteger.ZERO) || r.compareTo(SECP256R1_ORDER) >= 0) {
+            return Optional.of(new ECRecoverResult(STATUS_ERROR, Optional.empty(),
+                    Optional.of("invalid signature r value")));
+        }
+
+        if (s.equals(BigInteger.ZERO) || s.compareTo(SECP256R1_ORDER) >= 0) {
+            return Optional.of(new ECRecoverResult(STATUS_ERROR, Optional.empty(),
+                    Optional.of("invalid signature s value")));
+        }
+
+        if (recovery_id < 0 || recovery_id > 1) {
+            return Optional.of(new ECRecoverResult(STATUS_ERROR, Optional.empty(),
+                    Optional.of("invalid recovery id " + recovery_id + " is not 0 or 1")));
+        }
+
+        return Optional.empty();
+    }
+
+    /**
+     * Converts a null-terminated byte buffer to a Java String
+     */
+    public static String bytesToNullTermString(final byte[] buffer) {
+        int nullTerminator = 0;
+        while (nullTerminator < buffer.length && buffer[nullTerminator] != 0) {
+            nullTerminator++;
+        }
+        return new String(buffer, 0, nullTerminator, StandardCharsets.UTF_8);
+    }
+}