Add patch to login to the NSS software token when in FIPS mode.

Fix unused function compiler warning found in systemconf.c
Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
This commit is contained in:
Andrew John Hughes 2021-09-30 20:39:20 +01:00
parent 37b7b79aff
commit f2132d86ba
4 changed files with 167 additions and 1 deletions

View File

@ -298,7 +298,7 @@
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup %global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 35 %global buildver 35
%global rpmrelease 3 %global rpmrelease 4
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk %if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -1176,8 +1176,12 @@ Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
Patch1007: rh1915071-always_initialise_configurator_access.patch Patch1007: rh1915071-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection # RH1929465: Improve system FIPS detection
Patch1008: rh1929465-improve_system_FIPS_detection.patch Patch1008: rh1929465-improve_system_FIPS_detection.patch
Patch1011: rh1929465-dont_define_unused_throwioexception.patch
# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers # RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
Patch1009: rh1995150-disable_non-fips_crypto.patch Patch1009: rh1995150-disable_non-fips_crypto.patch
# RH1996182: Login to the NSS software token in FIPS mode
Patch1010: rh1996182-login_to_nss_software_token.patch
Patch1012: rh1996182-extend_security_policy.patch
############################################# #############################################
# #
@ -1541,6 +1545,9 @@ popd # openjdk
%patch1007 %patch1007
%patch1008 %patch1008
%patch1009 %patch1009
%patch1010
%patch1011
%patch1012
# Extract systemtap tapsets # Extract systemtap tapsets
%if %{with_systemtap} %if %{with_systemtap}
@ -2267,6 +2274,13 @@ cjc.mainProgram(args)
%endif %endif
%changelog %changelog
* Thu Sep 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-4.rolling
- Fix unused function compiler warning found in systemconf.c
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
* Thu Sep 30 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-4.rolling
- Add patch to login to the NSS software token when in FIPS mode.
* Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-3.rolling * Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-3.rolling
- Update release notes to document the major changes between OpenJDK 11 & 17. - Update release notes to document the major changes between OpenJDK 11 & 17.

View File

@ -0,0 +1,69 @@
commit 90e344e7d4987af610fa0054c92d18fe1c2edd41
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Sat Aug 28 01:15:28 2021 +0100
RH1929465: Don't define unused throwIOException function when using NSS detection
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 6f4656bfcb6..38919d6bb0f 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -34,14 +34,34 @@
#include "java_security_SystemConfigurator.h"
-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
#define MSG_MAX_SIZE 96
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-static void throwIOException(JNIEnv *env, const char *msg);
-static void dbgPrint(JNIEnv *env, const char* msg);
+// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
+#ifndef SYSCONF_NSS
+
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+#endif
+
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
/*
* Class: java_security_SystemConfigurator
@@ -149,20 +169,3 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
#endif // SYSCONF_NSS
}
-
-static void throwIOException(JNIEnv *env, const char *msg)
-{
- jclass cls = (*env)->FindClass(env, "java/io/IOException");
- if (cls != 0)
- (*env)->ThrowNew(env, cls, msg);
-}
-
-static void dbgPrint(JNIEnv *env, const char* msg)
-{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
- }
-}

View File

@ -0,0 +1,18 @@
commit bfd7c5dae9c15266799cb885b8c60199217b65b9
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Aug 30 16:14:14 2021 +0100
RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
index 8356e56367b..23925f048be 100644
--- openjdk.orig/src/java.base/share/lib/security/default.policy
+++ openjdk/src/java.base/share/lib/security/default.policy
@@ -128,6 +128,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
grant codeBase "jrt:/jdk.crypto.cryptoki" {
permission java.lang.RuntimePermission
"accessClassInPackage.com.sun.crypto.provider";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*";

View File

@ -0,0 +1,65 @@
commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923
Author: Martin Balao <mbalao@redhat.com>
Date: Sat Aug 28 00:35:44 2021 +0100
RH1996182: Login to the NSS Software Token in FIPS Mode
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 39e69362458..aeb5fc2eb46 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java
@@ -151,6 +151,7 @@ module java.base {
java.management,
java.naming,
java.rmi,
+ jdk.crypto.cryptoki,
jdk.crypto.ec,
jdk.jartool,
jdk.jlink,
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 112b639aa96..5d3963ea893 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback;
import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
+import jdk.internal.access.SharedSecrets;
import jdk.internal.misc.InnocuousThread;
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
*/
public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider {
if (nssModule != null) {
nssModule.setProvider(this);
}
+ if (systemFipsEnabled) {
+ // The NSS Software Token in FIPS 140-2 mode requires a user
+ // login for most operations. See sftk_fipsCheck. The NSS DB
+ // (/etc/pki/nssdb) PIN is empty.
+ Session session = null;
+ try {
+ session = token.getOpSession();
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
+ } catch (PKCS11Exception p11e) {
+ if (debug != null) {
+ debug.println("Error during token login: " +
+ p11e.getMessage());
+ }
+ throw p11e;
+ } finally {
+ token.releaseSession(session);
+ }
+ }
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException