Merge rawhide into f36

Andrew Hughes 2022-07-06 16:02:25 +01:00
commit 7a7671f9fa
5 changed files with 196 additions and 66 deletions


@ -9,35 +9,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
private static final String MSG_PREFIX = "DEBUG: ";
public static void main(String[] args) {
if (args.length == 0) {
System.err.println("TestSecurityProperties <true|false>");
System.err.println("Invoke with 'true' if system security properties should be enabled.");
System.err.println("Invoke with 'false' if system security properties should be disabled.");
System.exit(1);
}
boolean enabled = Boolean.valueOf(args[0]);
System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
if (enabled) {
loadPolicy(jdkProps);
}
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
String msg = "Expected value '" + jdkSecVal + "' for key '" +
String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
System.out.println("Debug: Java version is " + javaVersion);
System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
private static void loadPolicy(Properties props) {
try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
}
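Review bot: The comparison `if (!securityVal.equals(jdkSecVal))` in `main` dereferences the result of `Security.getProperty(sKey)`, which is null when the running JDK has no value for that key, so a property present in the file but missing at runtime ends in a NullPointerException instead of the "Expected value ... but got value" failure. `jdkSecVal` is read from the key set being iterated and should be non-null, so flipping the receiver is enough: `if (!jdkSecVal.equals(securityVal)) {`. Separately, `Boolean.valueOf(args[0])` maps every argument other than "true" to false, so a mistyped argument quietly runs the disabled-properties check. Rejecting anything but `true`/`false` with the existing usage message would make both invocations test what they claim to.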


@ -1398,7 +1398,7 @@ index a020e1c15d8..6d459fdec01 100644
// Return the instance of this class or create one if needed.
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
index ff2bc942c03..d303ae5c8f3 100644
index ff2bc942c03..96a3ba4040c 100644
--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
@@ -32,6 +32,7 @@ import java.net.URL;
@ -1409,7 +1409,7 @@ index ff2bc942c03..d303ae5c8f3 100644
import jdk.internal.access.SharedSecrets;
import jdk.internal.util.StaticProperty;
import sun.security.util.Debug;
@@ -47,6 +48,9 @@ import sun.security.jca.*;
@@ -47,12 +48,20 @@ import sun.security.jca.*;
* implementation-specific location, which is typically the properties file
* {@code conf/security/java.security} in the Java installation directory.
*
@ -1419,7 +1419,18 @@ index ff2bc942c03..d303ae5c8f3 100644
* @author Benjamin Renaud
* @since 1.1
*/
@@ -67,6 +71,19 @@ public final class Security {
public final class Security {
+ private static final String SYS_PROP_SWITCH =
+ "java.security.disableSystemPropertiesFile";
+ private static final String SEC_PROP_SWITCH =
+ "security.useSystemPropertiesFile";
+
/* Are we debugging? -- for developers */
private static final Debug sdebug =
Debug.getInstance("properties");
@@ -67,6 +76,19 @@ public final class Security {
}
static {
@ -1439,7 +1450,15 @@ index ff2bc942c03..d303ae5c8f3 100644
// doPrivileged here because there are multiple
// things in initialize that might require privs.
// (the FileInputStream call and the File.exists call,
@@ -99,6 +116,7 @@ public final class Security {
@@ -84,6 +106,7 @@ public final class Security {
props = new Properties();
boolean loadedProps = false;
boolean overrideAll = false;
+ boolean systemSecPropsEnabled = false;
// first load the system properties file
// to determine the value of security.overridePropertiesFile
@@ -99,6 +122,7 @@ public final class Security {
if (sdebug != null) {
sdebug.println("reading security properties file: " +
propFile);
@ -1447,30 +1466,63 @@ index ff2bc942c03..d303ae5c8f3 100644
}
} catch (IOException e) {
if (sdebug != null) {
@@ -193,6 +211,28 @@ public final class Security {
@@ -193,6 +217,61 @@ public final class Security {
}
}
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+ if (!SystemConfigurator.configureSysProps(props)) {
+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
+ if (sdebug != null) {
+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
+ }
+ if (!sysUseProps && secUseProps) {
+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
+ if (!systemSecPropsEnabled) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ sdebug.println("WARNING: System security properties could not be loaded.");
+ }
+ }
+ } else {
+ if (sdebug != null) {
+ sdebug.println("System security property support disabled by user.");
+ }
+ }
+
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
+ if (sdebug != null) {
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ if (loadedProps && systemSecPropsEnabled) {
+ boolean shouldEnable;
+ String sysProp = System.getProperty("com.redhat.fips");
+ if (sysProp == null) {
+ shouldEnable = true;
+ if (sdebug != null) {
+ sdebug.println("com.redhat.fips unset, using default value of true");
+ }
+ } else {
+ shouldEnable = Boolean.valueOf(sysProp);
+ if (sdebug != null) {
+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
+ }
+ }
+ if (shouldEnable) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
+ if (sdebug != null) {
+ if (fipsEnabled) {
+ sdebug.println("FIPS mode support configured and enabled.");
+ } else {
+ sdebug.println("FIPS mode support disabled.");
+ }
+ }
+ } else {
+ if (sdebug != null ) {
+ sdebug.println("FIPS mode support disabled by user.");
+ }
+ }
+ } else {
+ if (sdebug != null) {
+ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
+ "system security properties being enabled.");
+ }
+ }
}
@ -1478,10 +1530,10 @@ index ff2bc942c03..d303ae5c8f3 100644
/*
diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
new file mode 100644
index 00000000000..da2af5defda
index 00000000000..98ffced455b
--- /dev/null
+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -0,0 +1,245 @@
@@ -0,0 +1,249 @@
+/*
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
+ *
@ -1562,13 +1614,13 @@ index 00000000000..da2af5defda
+ * security.useSystemPropertiesFile is true.
+ */
+ static boolean configureSysProps(Properties props) {
+ boolean loadedProps = false;
+ boolean systemSecPropsLoaded = false;
+
+ try (BufferedInputStream bis =
+ new BufferedInputStream(
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+ props.load(bis);
+ loadedProps = true;
+ systemSecPropsLoaded = true;
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
@ -1581,7 +1633,7 @@ index 00000000000..da2af5defda
+ e.printStackTrace();
+ }
+ }
+ return loadedProps;
+ return systemSecPropsLoaded;
+ }
+
+ /*
@ -1653,6 +1705,8 @@ index 00000000000..da2af5defda
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
+ } else {
+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
@ -1693,37 +1747,39 @@ index 00000000000..da2af5defda
+ return plainKeySupportEnabled;
+ }
+
+ /*
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
+ * system property is true (default) and the system is in FIPS mode.
+ /**
+ * Determines whether FIPS mode should be enabled.
+ *
+ * OpenJDK FIPS mode will be enabled only if the system is in
+ * FIPS mode.
+ *
+ * Calls to this method only occur if the system property
+ * com.redhat.fips is not set to false.
+ *
+ * There are 2 possible ways in which OpenJDK detects that the system
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
+ * /proc/sys/crypto/fips_enabled file is read.
+ *
+ * @return true if the system is in FIPS mode
+ */
+ private static boolean enableFips() throws Exception {
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (shouldEnable) {
+ if (sdebug != null) {
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
+ }
+ try {
+ boolean fipsEnabled = getSystemFIPSEnabled();
+ if (sdebug != null) {
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
+ + fipsEnabled);
+ }
+ try {
+ shouldEnable = getSystemFIPSEnabled();
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
+ + shouldEnable);
+ }
+ return shouldEnable;
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
+ sdebug.println(e.getMessage());
+ }
+ throw e;
+ return fipsEnabled;
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
+ sdebug.println(e.getMessage());
+ }
+ } else {
+ return false;
+ throw e;
+ }
+ }
+}
@ -2352,7 +2408,7 @@ index 894e26dfad8..8b16378b96b 100644
"sun.security.ssl.SSLContextImpl$TLSContext",
List.of("SSL"), null);
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 6d91e3f8e4e..5a355e70cae 100644
index 6d91e3f8e4e..adfaf57d29e 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -79,6 +79,16 @@ security.provider.tbd=Apple
@ -2360,7 +2416,7 @@ index 6d91e3f8e4e..5a355e70cae 100644
security.provider.tbd=SunPKCS11
+#
+# Security providers used when global crypto-policies are set to FIPS.
+# Security providers used when FIPS mode support is active
+#
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
+fips.provider.2=SUN
@ -2393,7 +2449,7 @@ index 6d91e3f8e4e..5a355e70cae 100644
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=true
+security.useSystemPropertiesFile=false
+
#
# Determines the default key and trust manager factory algorithms for
@ -3074,7 +3130,7 @@ index 112b639aa96..5549cd9ed4e 100644
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
index 5c0aacd1a67..372a50dd587 100644
index 5c0aacd1a67..1e98ce2e280 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
@ -3087,8 +3143,21 @@ index 5c0aacd1a67..372a50dd587 100644
import java.util.*;
import java.security.AccessController;
@@ -152,16 +155,30 @@ public class PKCS11 {
@@ -150,18 +153,43 @@ public class PKCS11 {
this.pkcs11ModulePath = pkcs11ModulePath;
}
+ /*
+ * Compatibility wrapper to allow this method to work as before
+ * when FIPS mode support is not active.
+ */
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+ boolean omitInitialize) throws IOException, PKCS11Exception {
+ return getInstance(pkcs11ModulePath, functionList,
+ pInitArgs, omitInitialize, null, null);
+ }
+
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
@ -3121,7 +3190,7 @@ index 5c0aacd1a67..372a50dd587 100644
}
if (omitInitialize == false) {
try {
@@ -1911,4 +1928,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
@@ -1911,4 +1939,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
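Review bot: In the Security.java static initialiser, FIPS setup is now gated on `loadedProps && systemSecPropsEnabled`, so when `SystemConfigurator.configureSysProps(props)` returns false the JDK carries on without FIPS configuration and the only trace is an `sdebug` line, printed only when `sdebug != null`. On a host that is in FIPS mode this is a quiet downgrade. If that is the intended outcome of RH2090378, it deserves a comment above the `if (loadedProps && systemSecPropsEnabled)` block, such as `// FIPS support is skipped, not failed, when system security properties are off or could not be loaded`, and the warning is worth reporting outside the debug-only path. The local `sysUseProps` holds the value of the disable switch (`SYS_PROP_SWITCH` is `java.security.disableSystemPropertiesFile`), so `!sysUseProps && secUseProps` reads backwards; a name like `sysPropsDisabled` would match what it stores. The initialiser starts and ends outside the hunk.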


@ -190,11 +190,15 @@
%global staticlibs_loop %{nil}
%endif
%if 0%{?flatpak}
%global bootstrap_build false
%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
%endif
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
@ -328,7 +332,7 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
%global fipsver 3625385b13d
%global fipsver f8142a23d0a
# Standard JPackage naming and versioning defines
%global origin openjdk
@ -336,7 +340,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
%global rpmrelease 2
%global rpmrelease 6
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -933,7 +937,7 @@ exit 0
%ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
%endif
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
@ -972,11 +976,11 @@ exit 0
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
%if %{with_systemtap}
%dir %{tapsetroot}
@ -1327,6 +1331,8 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
# RH2023467: Enable FIPS keys export
# RH2094027: SunEC runtime permission for FIPS
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
# RH2090378: Revert to disabling system security properties and FIPS mode support together
Patch1001: fips-17u-%{fipsver}.patch
#############################################
@ -2035,6 +2041,12 @@ top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticli
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Pre-test setup
# Turn on system security properties
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
${JAVA_HOME}/conf/security/java.security
#check Shenandoah is enabled
%if %{use_shenandoah_hotspot}
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
@ -2048,9 +2060,14 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
# Check system crypto (policy) can be disabled
# Check system crypto (policy) is active and can be disabled
# Test takes a single argument - true or false - to state whether system
# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
export SEC_DEBUG="-Djava.security.debug=properties"
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@ -2517,6 +2534,24 @@ cjc.mainProgram(args)
%endif
%changelog
* Fri Jul 01 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.3.0.7-6
- Fix flatpak builds by exempting them from bootstrap
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-5
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
* Mon Jun 27 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.3.0.7-4
- Fix flatpak builds (catering for their uncompressed manual pages)
* Wed Jun 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-3
- Update FIPS support to bring in latest changes
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on
* Sun Jun 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-2
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
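Review bot: The `sed -i` that turns on `security.useSystemPropertiesFile` succeeds even when no line matches, and the FIPS patch now ships `security.useSystemPropertiesFile=false`. A renamed or reformatted property line would therefore leave system security properties, and with them FIPS mode support, off in this image without any build error. The `${PROG} true` run only catches that when the crypto-policy values differ from the JDK defaults. A direct check right after the sed closes the gap, assuming the scriptlet runs with errexit as rpmbuild normally does: `grep -q '^security\.useSystemPropertiesFile=true$' ${JAVA_HOME}/conf/security/java.security`. The block is commented as pre-test setup while the changelog describes it as enabling the property in the RPM; which image is packaged is not visible in this hunk, so the comment should state whether the edit reaches the shipped file.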


@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }


@ -1,5 +1,5 @@
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 5a355e70cae..c730ea26ea2 100644
index adfaf57d29e..abf89bbf327 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
@ -9,4 +9,4 @@ index 5a355e70cae..c730ea26ea2 100644
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
# Security providers used when global crypto-policies are set to FIPS.
# Security providers used when FIPS mode support is active