An OpenJDK 21 JRE FIPS image providing the Java 21 runtime environment for running Java applications with FIPS support
Getting Started
To pull the image:
docker pull registry.hardened.eu/library/openjdk21-jre-fips:latest
Example: Running a Pre-compiled Application
Here’s how to run a simple Java application using the Hardened B.V. openjdk21-jre-fips image:
cat >HelloWorld.java <<EOL
class HelloWorld {
public static void main(String args[]) {
System.out.println("Hello Hardened B.V. users!");
}
}
EOL
Create a multi-stage Dockerfile, compile with the JDK-image:
cat >Dockerfile <<EOL
FROM registry.hardened.eu/library/openjdk21-jdk-fips:latest as dev
COPY HelloWorld.java HelloWorld.java
RUN javac HelloWorld.java
FROM registry.hardened.eu/library/openjdk21-jre-fips:latest
COPY --from=dev /home/hardenedeu/HelloWorld.class .
CMD ["java", "HelloWorld"]
EOL
Build and run the image:
docker build -t my-java-app .
docker run my-java-app
Expected output:
Hello Hardened B.V. users!
Verifying Image Signatures
All Hardened B.V. images are signed using cosign. You can verify the signature using the following steps:
Save the public key:
cat >hardened.pub <<EOL
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbxhUFlXkIIbDzdRAR9rc6kDPNb+k
J48lhqqlOMyiq3jkbKXNj2sEFMduFlNh63MrZA59PKf4TjS1AiCrvaFXNA==
-----END PUBLIC KEY-----
EOL
Verify the image signature:
cosign verify --key hardened.pub registry.hardened.eu/library/openjdk21-jre-fips:latest
The verification will show the signature details and confirm the image’s authenticity.
To verify the SBOM, run the following command:
cosign verify-attestation --type spdxjson --key hardened.pub registry.hardened.eu/library/openjdk21-jre-fips:latest
To download the SBOM, run the same command and decode it:
cosign verify-attestation --type spdxjson --key hardened.pub registry.hardened.eu/library/openjdk21-jre-fips:latest | jq -r .payload | base64 -d | jq -r .predicate > openjdk21-jre-fips-spdx.json
Trademarks
This software is packaged by Hardened B.V. All trademarks are property of their respective owners. Use of these images does not imply any affiliation or endorsement.
The latest tag is only public. Contact us for detailed information.
| Hash | Tag | Size (compressed) | Last updated | Actions |
|---|---|---|---|---|
| sha256:628c6f354a590... |
latest
x86_64
|
78.15 MB | 14:08:06 19/08/2025 UTC (Calculating...) | |
| •••••••••••• | •••••••••••• | •••••••••••• | •••••••••••• | Contact Hardened |
| Package | Version | License |
|---|---|---|
| alpine-os-release | 3.22-r2 | MIT |
| alsa-lib | 1.2.14-r0 | LGPL-2.1-or-later |
| bc-fips | 2.1.0 | - |
| bcpkix-fips | 2.1.9 | - |
| bctls-fips | 2.1.20 | - |
| bcutil-fips | 2.1.4 | - |
| bouncycastle-fja | 2.1.0.0-r0 | MIT |
| brotli-libs | 1.1.0-r2 | MIT |
| busybox | 10.0.0-r0 | GPL-2.0-only |
| ca-certificates | 20250619-r0 | (MPL-2.0 AND MIT) |
| dash | 0.5.12-r3 | (BSD-3-Clause AND GPL-2.0-or-later) |
| dash-binsh | 0.5.12-r3 | (BSD-3-Clause AND GPL-2.0-or-later) |
| freetype | 2.13.3-r0 | (FTL OR GPL-2.0-or-later) |
| giflib | 5.2.2-r1 | MIT |
| java-cacerts | 1.1-r0 | MIT |
| java-common | 1.0-r0 | GPL-2.0-or-later |
| jrt-fs | 21.0.8 | - |
| lcms2 | 2.16-r0 | MIT |
| libbsd | 0.12.2-r0 | BSD-3-Clause |
| libbz2 | 1.0.8-r6 | bzip2-1.0.6 |
| libcrypto3 | 3.5.2-r0 | Apache-2.0 |
| libffi | 3.4.8-r0 | MIT |
| libjpeg-turbo | 3.1.0-r0 | (BSD-3-Clause AND IJG AND Zlib) |
| libmd | 1.1.0-r0 | LicenseRef-AND AND BSD-2-Clause AND BSD-3-Clause AND Beerware AND LicenseRef-Domain AND ISC AND LicenseRef-Public |
| libpng | 1.6.47-r0 | Libpng |
| libssl3 | 3.5.2-r0 | Apache-2.0 |
| libtasn1 | 4.20.0-r0 | LGPL-2.1-or-later |
| libx11 | 1.8.11-r0 | X11 |
| libxau | 1.0.12-r0 | MIT |
| libxcb | 1.17.0-r0 | MIT |
| libxdmcp | 1.1.5-r1 | MIT |
| libxext | 1.3.6-r2 | MIT |
| libxi | 1.8.2-r0 | (MIT AND X11) |
| libxrender | 0.9.12-r0 | MIT |
| libxtst | 1.2.5-r0 | MIT |
| musl | 1.2.5-r10 | MIT |
| openjdk21-jre | 21.0.8_p9-r0 | GPL-2.0-with-classpath-exception |
| openjdk21-jre-headless | 21.0.8_p9-r0 | GPL-2.0-with-classpath-exception |
| openssl | 3.5.2-r0 | Apache-2.0 |
| openssl-fips-provider | 3.1.2-r0 | Apache-2.0 |
| p11-kit | 0.25.5-r2 | BSD-3-Clause |
| p11-kit-trust | 0.25.5-r2 | BSD-3-Clause |
| zlib | 1.3.1-r2 | Zlib |
APACHE-2.0 (permissive)
The Apache License 2.0 is also a permissive license, similar to the MIT License, but with additional protections related... Show more
BEERWARE (permissive)
The Beerware License is a very permissive license that allows users to do whatever they want with the code, with the onl... Show more
BSD-2-CLAUSE (permissive)
The BSD 2-Clause License is a permissive license originating from the Berkeley Software Distribution (BSD). It allows fo... Show more
BSD-3-CLAUSE (permissive)
The BSD 3-Clause License is another permissive license originating from the Berkeley Software Distribution (BSD). It all... Show more
BZIP2-1.0.6 (permissive)
The bzip2 and libbzip2 licenses are permissive open source licenses, allowing use, modification, and distribution with m... Show more
GPL-2.0 (strong-copyleft)
The GNU General Public License version 2 (GPL-2.0) is a strict copyleft license. If you modify and distribute software l... Show more
ISC (permissive)
The ISC License is functionally similar to the MIT and BSD licenses but written in simpler language. It's favored for it... Show more
LGPL-2.1 (copyleft)
The LGPL is a more permissive variant of the GPL. It allows developers to link to (use) the LGPL-licensed library in the... Show more
LIBPNG (permissive)
The libpng license is a permissive free software license, similar to the zlib License, allowing use, modification, and d... Show more
MIT (permissive)
The MIT License is a highly permissive open-source license. It allows users to do almost anything with a project, includ... Show more
X11 (permissive)
The X11 License (also known as the MIT/X11 License) is a permissive license that allows users to use, modify, and distri... Show more
ZLIB (permissive)
The zlib License is a permissive license that allows users to use, modify, and distribute the software freely. It's simi... Show more
| CVE | Severity | Package | Version | Fixed In | |
|---|---|---|---|---|---|
| GHSA-jfcv-jv9g-2vx2 | Medium | bc-fips | 2.1.0 | 2.1.1 | |
|
Bouncy Castle for Java has Uncontrolled Resource Consumption Vulnerability
|
|||||
| GHSA-g6rx-6wfx-gj74 | Low | bc-fips | 2.1.0 | 2.1.1 | |
|
Bouncy Castle for Java has Out-of-Bounds Write Vulnerability
|
|||||
| GHSA-v6cf-mv9h-c8mc | Low | bc-fips | 2.1.0 | 2.1.1 | |
|
Bouncy Castle for Java Uncontrolled Resource Consumption Vulnerability
|
|||||
Compare Images
Image comparison functionality will be implemented in a future release.