Merge rawhide into f36
This commit is contained in:
commit
7a7671f9fa
@ -9,35 +9,59 @@ public class TestSecurityProperties {
|
|||||||
// JDK 8
|
// JDK 8
|
||||||
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
|
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
|
||||||
|
|
||||||
|
private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
|
||||||
|
|
||||||
|
private static final String MSG_PREFIX = "DEBUG: ";
|
||||||
|
|
||||||
public static void main(String[] args) {
|
public static void main(String[] args) {
|
||||||
|
if (args.length == 0) {
|
||||||
|
System.err.println("TestSecurityProperties <true|false>");
|
||||||
|
System.err.println("Invoke with 'true' if system security properties should be enabled.");
|
||||||
|
System.err.println("Invoke with 'false' if system security properties should be disabled.");
|
||||||
|
System.exit(1);
|
||||||
|
}
|
||||||
|
boolean enabled = Boolean.valueOf(args[0]);
|
||||||
|
System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
|
||||||
Properties jdkProps = new Properties();
|
Properties jdkProps = new Properties();
|
||||||
loadProperties(jdkProps);
|
loadProperties(jdkProps);
|
||||||
|
if (enabled) {
|
||||||
|
loadPolicy(jdkProps);
|
||||||
|
}
|
||||||
for (Object key: jdkProps.keySet()) {
|
for (Object key: jdkProps.keySet()) {
|
||||||
String sKey = (String)key;
|
String sKey = (String)key;
|
||||||
String securityVal = Security.getProperty(sKey);
|
String securityVal = Security.getProperty(sKey);
|
||||||
String jdkSecVal = jdkProps.getProperty(sKey);
|
String jdkSecVal = jdkProps.getProperty(sKey);
|
||||||
if (!securityVal.equals(jdkSecVal)) {
|
if (!securityVal.equals(jdkSecVal)) {
|
||||||
String msg = "Expected value '" + jdkSecVal + "' for key '" +
|
String msg = "Expected value '" + jdkSecVal + "' for key '" +
|
||||||
sKey + "'" + " but got value '" + securityVal + "'";
|
sKey + "'" + " but got value '" + securityVal + "'";
|
||||||
throw new RuntimeException("Test failed! " + msg);
|
throw new RuntimeException("Test failed! " + msg);
|
||||||
} else {
|
} else {
|
||||||
System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
|
System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
System.out.println("TestSecurityProperties PASSED!");
|
System.out.println("TestSecurityProperties PASSED!");
|
||||||
}
|
}
|
||||||
|
|
||||||
private static void loadProperties(Properties props) {
|
private static void loadProperties(Properties props) {
|
||||||
String javaVersion = System.getProperty("java.version");
|
String javaVersion = System.getProperty("java.version");
|
||||||
System.out.println("Debug: Java version is " + javaVersion);
|
System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
|
||||||
String propsFile = JDK_PROPS_FILE_JDK_11;
|
String propsFile = JDK_PROPS_FILE_JDK_11;
|
||||||
if (javaVersion.startsWith("1.8.0")) {
|
if (javaVersion.startsWith("1.8.0")) {
|
||||||
propsFile = JDK_PROPS_FILE_JDK_8;
|
propsFile = JDK_PROPS_FILE_JDK_8;
|
||||||
}
|
}
|
||||||
try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
|
try (FileInputStream fin = new FileInputStream(propsFile)) {
|
||||||
props.load(fin);
|
props.load(fin);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
throw new RuntimeException("Test failed!", e);
|
throw new RuntimeException("Test failed!", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static void loadPolicy(Properties props) {
|
||||||
|
try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
|
||||||
|
props.load(fin);
|
||||||
|
} catch (Exception e) {
|
||||||
|
throw new RuntimeException("Test failed!", e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -1398,7 +1398,7 @@ index a020e1c15d8..6d459fdec01 100644
|
|||||||
|
|
||||||
// Return the instance of this class or create one if needed.
|
// Return the instance of this class or create one if needed.
|
||||||
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
|
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
|
||||||
index ff2bc942c03..d303ae5c8f3 100644
|
index ff2bc942c03..96a3ba4040c 100644
|
||||||
--- a/src/java.base/share/classes/java/security/Security.java
|
--- a/src/java.base/share/classes/java/security/Security.java
|
||||||
+++ b/src/java.base/share/classes/java/security/Security.java
|
+++ b/src/java.base/share/classes/java/security/Security.java
|
||||||
@@ -32,6 +32,7 @@ import java.net.URL;
|
@@ -32,6 +32,7 @@ import java.net.URL;
|
||||||
@ -1409,7 +1409,7 @@ index ff2bc942c03..d303ae5c8f3 100644
|
|||||||
import jdk.internal.access.SharedSecrets;
|
import jdk.internal.access.SharedSecrets;
|
||||||
import jdk.internal.util.StaticProperty;
|
import jdk.internal.util.StaticProperty;
|
||||||
import sun.security.util.Debug;
|
import sun.security.util.Debug;
|
||||||
@@ -47,6 +48,9 @@ import sun.security.jca.*;
|
@@ -47,12 +48,20 @@ import sun.security.jca.*;
|
||||||
* implementation-specific location, which is typically the properties file
|
* implementation-specific location, which is typically the properties file
|
||||||
* {@code conf/security/java.security} in the Java installation directory.
|
* {@code conf/security/java.security} in the Java installation directory.
|
||||||
*
|
*
|
||||||
@ -1419,7 +1419,18 @@ index ff2bc942c03..d303ae5c8f3 100644
|
|||||||
* @author Benjamin Renaud
|
* @author Benjamin Renaud
|
||||||
* @since 1.1
|
* @since 1.1
|
||||||
*/
|
*/
|
||||||
@@ -67,6 +71,19 @@ public final class Security {
|
|
||||||
|
public final class Security {
|
||||||
|
|
||||||
|
+ private static final String SYS_PROP_SWITCH =
|
||||||
|
+ "java.security.disableSystemPropertiesFile";
|
||||||
|
+ private static final String SEC_PROP_SWITCH =
|
||||||
|
+ "security.useSystemPropertiesFile";
|
||||||
|
+
|
||||||
|
/* Are we debugging? -- for developers */
|
||||||
|
private static final Debug sdebug =
|
||||||
|
Debug.getInstance("properties");
|
||||||
|
@@ -67,6 +76,19 @@ public final class Security {
|
||||||
}
|
}
|
||||||
|
|
||||||
static {
|
static {
|
||||||
@ -1439,7 +1450,15 @@ index ff2bc942c03..d303ae5c8f3 100644
|
|||||||
// doPrivileged here because there are multiple
|
// doPrivileged here because there are multiple
|
||||||
// things in initialize that might require privs.
|
// things in initialize that might require privs.
|
||||||
// (the FileInputStream call and the File.exists call,
|
// (the FileInputStream call and the File.exists call,
|
||||||
@@ -99,6 +116,7 @@ public final class Security {
|
@@ -84,6 +106,7 @@ public final class Security {
|
||||||
|
props = new Properties();
|
||||||
|
boolean loadedProps = false;
|
||||||
|
boolean overrideAll = false;
|
||||||
|
+ boolean systemSecPropsEnabled = false;
|
||||||
|
|
||||||
|
// first load the system properties file
|
||||||
|
// to determine the value of security.overridePropertiesFile
|
||||||
|
@@ -99,6 +122,7 @@ public final class Security {
|
||||||
if (sdebug != null) {
|
if (sdebug != null) {
|
||||||
sdebug.println("reading security properties file: " +
|
sdebug.println("reading security properties file: " +
|
||||||
propFile);
|
propFile);
|
||||||
@ -1447,30 +1466,63 @@ index ff2bc942c03..d303ae5c8f3 100644
|
|||||||
}
|
}
|
||||||
} catch (IOException e) {
|
} catch (IOException e) {
|
||||||
if (sdebug != null) {
|
if (sdebug != null) {
|
||||||
@@ -193,6 +211,28 @@ public final class Security {
|
@@ -193,6 +217,61 @@ public final class Security {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
|
+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
|
||||||
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
|
+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
|
||||||
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
|
+ if (sdebug != null) {
|
||||||
+ if (!SystemConfigurator.configureSysProps(props)) {
|
+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
|
||||||
|
+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
|
||||||
|
+ }
|
||||||
|
+ if (!sysUseProps && secUseProps) {
|
||||||
|
+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
|
||||||
|
+ if (!systemSecPropsEnabled) {
|
||||||
+ if (sdebug != null) {
|
+ if (sdebug != null) {
|
||||||
+ sdebug.println("WARNING: System properties could not be loaded.");
|
+ sdebug.println("WARNING: System security properties could not be loaded.");
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (sdebug != null) {
|
||||||
|
+ sdebug.println("System security property support disabled by user.");
|
||||||
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ // FIPS support depends on the contents of java.security so
|
+ // FIPS support depends on the contents of java.security so
|
||||||
+ // ensure it has loaded first
|
+ // ensure it has loaded first
|
||||||
+ if (loadedProps) {
|
+ if (loadedProps && systemSecPropsEnabled) {
|
||||||
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
|
+ boolean shouldEnable;
|
||||||
+ if (sdebug != null) {
|
+ String sysProp = System.getProperty("com.redhat.fips");
|
||||||
+ if (fipsEnabled) {
|
+ if (sysProp == null) {
|
||||||
+ sdebug.println("FIPS support enabled.");
|
+ shouldEnable = true;
|
||||||
+ } else {
|
+ if (sdebug != null) {
|
||||||
+ sdebug.println("FIPS support disabled.");
|
+ sdebug.println("com.redhat.fips unset, using default value of true");
|
||||||
+ }
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ shouldEnable = Boolean.valueOf(sysProp);
|
||||||
|
+ if (sdebug != null) {
|
||||||
|
+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (shouldEnable) {
|
||||||
|
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
|
||||||
|
+ if (sdebug != null) {
|
||||||
|
+ if (fipsEnabled) {
|
||||||
|
+ sdebug.println("FIPS mode support configured and enabled.");
|
||||||
|
+ } else {
|
||||||
|
+ sdebug.println("FIPS mode support disabled.");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (sdebug != null ) {
|
||||||
|
+ sdebug.println("FIPS mode support disabled by user.");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (sdebug != null) {
|
||||||
|
+ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
|
||||||
|
+ "system security properties being enabled.");
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
@ -1478,10 +1530,10 @@ index ff2bc942c03..d303ae5c8f3 100644
|
|||||||
/*
|
/*
|
||||||
diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
|
diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 00000000000..da2af5defda
|
index 00000000000..98ffced455b
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
|
+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||||
@@ -0,0 +1,245 @@
|
@@ -0,0 +1,249 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
|
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
|
||||||
+ *
|
+ *
|
||||||
@ -1562,13 +1614,13 @@ index 00000000000..da2af5defda
|
|||||||
+ * security.useSystemPropertiesFile is true.
|
+ * security.useSystemPropertiesFile is true.
|
||||||
+ */
|
+ */
|
||||||
+ static boolean configureSysProps(Properties props) {
|
+ static boolean configureSysProps(Properties props) {
|
||||||
+ boolean loadedProps = false;
|
+ boolean systemSecPropsLoaded = false;
|
||||||
+
|
+
|
||||||
+ try (BufferedInputStream bis =
|
+ try (BufferedInputStream bis =
|
||||||
+ new BufferedInputStream(
|
+ new BufferedInputStream(
|
||||||
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
|
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
|
||||||
+ props.load(bis);
|
+ props.load(bis);
|
||||||
+ loadedProps = true;
|
+ systemSecPropsLoaded = true;
|
||||||
+ if (sdebug != null) {
|
+ if (sdebug != null) {
|
||||||
+ sdebug.println("reading system security properties file " +
|
+ sdebug.println("reading system security properties file " +
|
||||||
+ CRYPTO_POLICIES_JAVA_CONFIG);
|
+ CRYPTO_POLICIES_JAVA_CONFIG);
|
||||||
@ -1581,7 +1633,7 @@ index 00000000000..da2af5defda
|
|||||||
+ e.printStackTrace();
|
+ e.printStackTrace();
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ return loadedProps;
|
+ return systemSecPropsLoaded;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ /*
|
+ /*
|
||||||
@ -1653,6 +1705,8 @@ index 00000000000..da2af5defda
|
|||||||
+ sdebug.println("FIPS support enabled without plain key support");
|
+ sdebug.println("FIPS support enabled without plain key support");
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
|
||||||
+ }
|
+ }
|
||||||
+ } catch (Exception e) {
|
+ } catch (Exception e) {
|
||||||
+ if (sdebug != null) {
|
+ if (sdebug != null) {
|
||||||
@ -1693,37 +1747,39 @@ index 00000000000..da2af5defda
|
|||||||
+ return plainKeySupportEnabled;
|
+ return plainKeySupportEnabled;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ /*
|
+ /**
|
||||||
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
|
+ * Determines whether FIPS mode should be enabled.
|
||||||
+ * system property is true (default) and the system is in FIPS mode.
|
+ *
|
||||||
|
+ * OpenJDK FIPS mode will be enabled only if the system is in
|
||||||
|
+ * FIPS mode.
|
||||||
|
+ *
|
||||||
|
+ * Calls to this method only occur if the system property
|
||||||
|
+ * com.redhat.fips is not set to false.
|
||||||
+ *
|
+ *
|
||||||
+ * There are 2 possible ways in which OpenJDK detects that the system
|
+ * There are 2 possible ways in which OpenJDK detects that the system
|
||||||
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
|
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
|
||||||
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
|
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
|
||||||
+ * /proc/sys/crypto/fips_enabled file is read.
|
+ * /proc/sys/crypto/fips_enabled file is read.
|
||||||
|
+ *
|
||||||
|
+ * @return true if the system is in FIPS mode
|
||||||
+ */
|
+ */
|
||||||
+ private static boolean enableFips() throws Exception {
|
+ private static boolean enableFips() throws Exception {
|
||||||
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
|
+ if (sdebug != null) {
|
||||||
+ if (shouldEnable) {
|
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
|
||||||
|
+ }
|
||||||
|
+ try {
|
||||||
|
+ boolean fipsEnabled = getSystemFIPSEnabled();
|
||||||
+ if (sdebug != null) {
|
+ if (sdebug != null) {
|
||||||
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
|
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
|
||||||
|
+ + fipsEnabled);
|
||||||
+ }
|
+ }
|
||||||
+ try {
|
+ return fipsEnabled;
|
||||||
+ shouldEnable = getSystemFIPSEnabled();
|
+ } catch (IOException e) {
|
||||||
+ if (sdebug != null) {
|
+ if (sdebug != null) {
|
||||||
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
|
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
|
||||||
+ + shouldEnable);
|
+ sdebug.println(e.getMessage());
|
||||||
+ }
|
|
||||||
+ return shouldEnable;
|
|
||||||
+ } catch (IOException e) {
|
|
||||||
+ if (sdebug != null) {
|
|
||||||
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
|
|
||||||
+ sdebug.println(e.getMessage());
|
|
||||||
+ }
|
|
||||||
+ throw e;
|
|
||||||
+ }
|
+ }
|
||||||
+ } else {
|
+ throw e;
|
||||||
+ return false;
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
@ -2352,7 +2408,7 @@ index 894e26dfad8..8b16378b96b 100644
|
|||||||
"sun.security.ssl.SSLContextImpl$TLSContext",
|
"sun.security.ssl.SSLContextImpl$TLSContext",
|
||||||
List.of("SSL"), null);
|
List.of("SSL"), null);
|
||||||
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
|
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
|
||||||
index 6d91e3f8e4e..5a355e70cae 100644
|
index 6d91e3f8e4e..adfaf57d29e 100644
|
||||||
--- a/src/java.base/share/conf/security/java.security
|
--- a/src/java.base/share/conf/security/java.security
|
||||||
+++ b/src/java.base/share/conf/security/java.security
|
+++ b/src/java.base/share/conf/security/java.security
|
||||||
@@ -79,6 +79,16 @@ security.provider.tbd=Apple
|
@@ -79,6 +79,16 @@ security.provider.tbd=Apple
|
||||||
@ -2360,7 +2416,7 @@ index 6d91e3f8e4e..5a355e70cae 100644
|
|||||||
security.provider.tbd=SunPKCS11
|
security.provider.tbd=SunPKCS11
|
||||||
|
|
||||||
+#
|
+#
|
||||||
+# Security providers used when global crypto-policies are set to FIPS.
|
+# Security providers used when FIPS mode support is active
|
||||||
+#
|
+#
|
||||||
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
|
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
|
||||||
+fips.provider.2=SUN
|
+fips.provider.2=SUN
|
||||||
@ -2393,7 +2449,7 @@ index 6d91e3f8e4e..5a355e70cae 100644
|
|||||||
+# using the system properties file stored at
|
+# using the system properties file stored at
|
||||||
+# /etc/crypto-policies/back-ends/java.config
|
+# /etc/crypto-policies/back-ends/java.config
|
||||||
+#
|
+#
|
||||||
+security.useSystemPropertiesFile=true
|
+security.useSystemPropertiesFile=false
|
||||||
+
|
+
|
||||||
#
|
#
|
||||||
# Determines the default key and trust manager factory algorithms for
|
# Determines the default key and trust manager factory algorithms for
|
||||||
@ -3074,7 +3130,7 @@ index 112b639aa96..5549cd9ed4e 100644
|
|||||||
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
|
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
|
||||||
throw new UnsupportedOperationException
|
throw new UnsupportedOperationException
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
||||||
index 5c0aacd1a67..372a50dd587 100644
|
index 5c0aacd1a67..1e98ce2e280 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
||||||
@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
|
@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
|
||||||
@ -3087,8 +3143,21 @@ index 5c0aacd1a67..372a50dd587 100644
|
|||||||
import java.util.*;
|
import java.util.*;
|
||||||
|
|
||||||
import java.security.AccessController;
|
import java.security.AccessController;
|
||||||
@@ -152,16 +155,30 @@ public class PKCS11 {
|
@@ -150,18 +153,43 @@ public class PKCS11 {
|
||||||
|
this.pkcs11ModulePath = pkcs11ModulePath;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * Compatibility wrapper to allow this method to work as before
|
||||||
|
+ * when FIPS mode support is not active.
|
||||||
|
+ */
|
||||||
|
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
|
||||||
|
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
|
||||||
|
+ boolean omitInitialize) throws IOException, PKCS11Exception {
|
||||||
|
+ return getInstance(pkcs11ModulePath, functionList,
|
||||||
|
+ pInitArgs, omitInitialize, null, null);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
|
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
|
||||||
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
|
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
|
||||||
- boolean omitInitialize) throws IOException, PKCS11Exception {
|
- boolean omitInitialize) throws IOException, PKCS11Exception {
|
||||||
@ -3121,7 +3190,7 @@ index 5c0aacd1a67..372a50dd587 100644
|
|||||||
}
|
}
|
||||||
if (omitInitialize == false) {
|
if (omitInitialize == false) {
|
||||||
try {
|
try {
|
||||||
@@ -1911,4 +1928,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
|
@@ -1911,4 +1939,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
|
||||||
super.C_GenerateRandom(hSession, randomData);
|
super.C_GenerateRandom(hSession, randomData);
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -190,11 +190,15 @@
|
|||||||
%global staticlibs_loop %{nil}
|
%global staticlibs_loop %{nil}
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%if 0%{?flatpak}
|
||||||
|
%global bootstrap_build false
|
||||||
|
%else
|
||||||
%ifarch %{bootstrap_arches}
|
%ifarch %{bootstrap_arches}
|
||||||
%global bootstrap_build true
|
%global bootstrap_build true
|
||||||
%else
|
%else
|
||||||
%global bootstrap_build false
|
%global bootstrap_build false
|
||||||
%endif
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
%if %{include_staticlibs}
|
%if %{include_staticlibs}
|
||||||
# Extra target for producing the static-libraries. Separate from
|
# Extra target for producing the static-libraries. Separate from
|
||||||
@ -328,7 +332,7 @@
|
|||||||
# Define IcedTea version used for SystemTap tapsets and desktop file
|
# Define IcedTea version used for SystemTap tapsets and desktop file
|
||||||
%global icedteaver 6.0.0pre00-c848b93a8598
|
%global icedteaver 6.0.0pre00-c848b93a8598
|
||||||
# Define current Git revision for the FIPS support patches
|
# Define current Git revision for the FIPS support patches
|
||||||
%global fipsver 3625385b13d
|
%global fipsver f8142a23d0a
|
||||||
|
|
||||||
# Standard JPackage naming and versioning defines
|
# Standard JPackage naming and versioning defines
|
||||||
%global origin openjdk
|
%global origin openjdk
|
||||||
@ -336,7 +340,7 @@
|
|||||||
%global top_level_dir_name %{origin}
|
%global top_level_dir_name %{origin}
|
||||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||||
%global buildver 7
|
%global buildver 7
|
||||||
%global rpmrelease 2
|
%global rpmrelease 6
|
||||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||||
%if %is_system_jdk
|
%if %is_system_jdk
|
||||||
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
||||||
@ -933,7 +937,7 @@ exit 0
|
|||||||
%ifarch %{sa_arches}
|
%ifarch %{sa_arches}
|
||||||
%ifnarch %{zero_arches}
|
%ifnarch %{zero_arches}
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
|
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
|
||||||
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
|
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
|
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
|
||||||
@ -972,11 +976,11 @@ exit 0
|
|||||||
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
|
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
|
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
|
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
|
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
|
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
|
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
|
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
|
||||||
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
|
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
|
||||||
|
|
||||||
%if %{with_systemtap}
|
%if %{with_systemtap}
|
||||||
%dir %{tapsetroot}
|
%dir %{tapsetroot}
|
||||||
@ -1327,6 +1331,8 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
|
|||||||
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
|
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
|
||||||
# RH2023467: Enable FIPS keys export
|
# RH2023467: Enable FIPS keys export
|
||||||
# RH2094027: SunEC runtime permission for FIPS
|
# RH2094027: SunEC runtime permission for FIPS
|
||||||
|
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
|
||||||
|
# RH2090378: Revert to disabling system security properties and FIPS mode support together
|
||||||
Patch1001: fips-17u-%{fipsver}.patch
|
Patch1001: fips-17u-%{fipsver}.patch
|
||||||
|
|
||||||
#############################################
|
#############################################
|
||||||
@ -2035,6 +2041,12 @@ top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticli
|
|||||||
|
|
||||||
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
|
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||||
|
|
||||||
|
# Pre-test setup
|
||||||
|
|
||||||
|
# Turn on system security properties
|
||||||
|
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
|
||||||
|
${JAVA_HOME}/conf/security/java.security
|
||||||
|
|
||||||
#check Shenandoah is enabled
|
#check Shenandoah is enabled
|
||||||
%if %{use_shenandoah_hotspot}
|
%if %{use_shenandoah_hotspot}
|
||||||
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
|
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
|
||||||
@ -2048,9 +2060,14 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
|
|||||||
$JAVA_HOME/bin/javac -d . %{SOURCE14}
|
$JAVA_HOME/bin/javac -d . %{SOURCE14}
|
||||||
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
|
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
|
||||||
|
|
||||||
# Check system crypto (policy) can be disabled
|
# Check system crypto (policy) is active and can be disabled
|
||||||
|
# Test takes a single argument - true or false - to state whether system
|
||||||
|
# security properties are enabled or not.
|
||||||
$JAVA_HOME/bin/javac -d . %{SOURCE15}
|
$JAVA_HOME/bin/javac -d . %{SOURCE15}
|
||||||
$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
|
export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
|
||||||
|
export SEC_DEBUG="-Djava.security.debug=properties"
|
||||||
|
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
|
||||||
|
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
|
||||||
|
|
||||||
# Check java launcher has no SSB mitigation
|
# Check java launcher has no SSB mitigation
|
||||||
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
|
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
|
||||||
@ -2517,6 +2534,24 @@ cjc.mainProgram(args)
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 01 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.3.0.7-6
|
||||||
|
- Fix flatpak builds by exempting them from bootstrap
|
||||||
|
|
||||||
|
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-5
|
||||||
|
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
|
||||||
|
|
||||||
|
* Mon Jun 27 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.3.0.7-4
|
||||||
|
- Fix flatpak builds (catering for their uncompressed manual pages)
|
||||||
|
|
||||||
|
* Wed Jun 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-3
|
||||||
|
- Update FIPS support to bring in latest changes
|
||||||
|
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
|
||||||
|
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
|
||||||
|
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
|
||||||
|
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
|
||||||
|
- Improve security properties test to check both enabled and disabled behaviour
|
||||||
|
- Run security properties test with property debugging on
|
||||||
|
|
||||||
* Sun Jun 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-2
|
* Sun Jun 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-2
|
||||||
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
|
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
|
||||||
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
|
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
|
||||||
|
@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
|
|||||||
nssDbMode = readOnly
|
nssDbMode = readOnly
|
||||||
nssModule = fips
|
nssModule = fips
|
||||||
|
|
||||||
|
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
|
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
|
||||||
index 5a355e70cae..c730ea26ea2 100644
|
index adfaf57d29e..abf89bbf327 100644
|
||||||
--- a/src/java.base/share/conf/security/java.security
|
--- a/src/java.base/share/conf/security/java.security
|
||||||
+++ b/src/java.base/share/conf/security/java.security
|
+++ b/src/java.base/share/conf/security/java.security
|
||||||
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
|
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
|
||||||
@ -9,4 +9,4 @@ index 5a355e70cae..c730ea26ea2 100644
|
|||||||
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
|
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
|
||||||
|
|
||||||
#
|
#
|
||||||
# Security providers used when global crypto-policies are set to FIPS.
|
# Security providers used when FIPS mode support is active
|
||||||
|
Loading…
Reference in New Issue
Block a user