Support the FIPS mode crypto policy (RH1655466)
Update RH1655466 FIPS patch with changes in OpenJDK 8 version. SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. Disable FIPS mode support unless com.redhat.fips is set to "true". Use appropriate keystore types when in FIPS mode (RH1818909) Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
This commit is contained in:
parent
e16ee29c24
commit
e426a3c6f9
@ -298,7 +298,7 @@
|
||||
%global top_level_dir_name %{origin}
|
||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||
%global buildver 33
|
||||
%global rpmrelease 1
|
||||
%global rpmrelease 2
|
||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||
%if %is_system_jdk
|
||||
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
||||
@ -751,6 +751,7 @@ exit 0
|
||||
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
|
||||
%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
|
||||
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
|
||||
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
|
||||
%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
|
||||
# these are config templates, thus not config-noreplace
|
||||
%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
|
||||
@ -966,6 +967,8 @@ OrderWithRequires: copy-jdk-configs
|
||||
%endif
|
||||
# for printing support
|
||||
Requires: cups-libs
|
||||
# for FIPS PKCS11 provider
|
||||
Requires: nss
|
||||
# Post requires alternatives to install tool alternatives
|
||||
Requires(post): %{alternatives_requires}
|
||||
# Postun requires alternatives to uninstall tool alternatives
|
||||
@ -1136,6 +1139,9 @@ Source14: TestECDSA.java
|
||||
# Verify system crypto (policy) can be disabled via a property
|
||||
Source15: TestSecurityProperties.java
|
||||
|
||||
# nss fips configuration file
|
||||
Source17: nss.fips.cfg.in
|
||||
|
||||
############################################
|
||||
#
|
||||
# RPM/distribution specific patches
|
||||
@ -1160,6 +1166,16 @@ Patch5: pr3695-toggle_system_crypto_policy.patch
|
||||
# Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo
|
||||
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
|
||||
|
||||
# FIPS support patches
|
||||
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
|
||||
Patch1001: rh1655466-global_crypto_and_fips.patch
|
||||
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
|
||||
Patch1002: rh1818909-fips_default_keystore_type.patch
|
||||
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
|
||||
Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
|
||||
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
|
||||
Patch1007: rh1915071-always_initialise_configurator_access.patch
|
||||
|
||||
#############################################
|
||||
#
|
||||
# OpenJDK patches in need of upstreaming
|
||||
@ -1516,6 +1532,10 @@ popd # openjdk
|
||||
|
||||
%patch1000
|
||||
%patch600
|
||||
%patch1001
|
||||
%patch1002
|
||||
%patch1004
|
||||
%patch1007
|
||||
|
||||
# Extract systemtap tapsets
|
||||
%if %{with_systemtap}
|
||||
@ -1564,6 +1584,9 @@ done
|
||||
# Setup nss.cfg
|
||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
|
||||
|
||||
# Setup nss.fips.cfg
|
||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
|
||||
sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
|
||||
|
||||
%build
|
||||
# How many CPU's do we have?
|
||||
@ -1717,6 +1740,9 @@ export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||
# Install nss.cfg right away as we will be using the JRE above
|
||||
install -m 644 nss.cfg $JAVA_HOME/conf/security/
|
||||
|
||||
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
||||
install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
|
||||
|
||||
# Use system-wide tzdata
|
||||
rm $JAVA_HOME/lib/tzdb.dat
|
||||
ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat
|
||||
@ -2235,6 +2261,21 @@ cjc.mainProgram(args)
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Sep 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.2.ea.rolling
|
||||
- Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
|
||||
- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
|
||||
- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
|
||||
- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
|
||||
- Disable FIPS mode support unless com.redhat.fips is set to "true".
|
||||
- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
|
||||
- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
|
||||
- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
|
||||
|
||||
* Mon Sep 06 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.2.ea.rolling
|
||||
- Support the FIPS mode crypto policy (RH1655466)
|
||||
- Use appropriate keystore types when in FIPS mode (RH1818909)
|
||||
- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
|
||||
|
||||
* Mon Aug 30 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.33-0.1.ea.rolling
|
||||
- alternatives creation moved to posttrans
|
||||
- Thus fixing the old reisntall issue:
|
||||
|
6
nss.fips.cfg.in
Normal file
6
nss.fips.cfg.in
Normal file
@ -0,0 +1,6 @@
|
||||
name = NSS-FIPS
|
||||
nssLibraryDirectory = @NSS_LIBDIR@
|
||||
nssSecmodDirectory = @NSS_SECMOD@
|
||||
nssDbMode = readOnly
|
||||
nssModule = fips
|
||||
|
205
rh1655466-global_crypto_and_fips.patch
Normal file
205
rh1655466-global_crypto_and_fips.patch
Normal file
@ -0,0 +1,205 @@
|
||||
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
|
||||
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
|
||||
+++ openjdk/src/java.base/share/classes/java/security/Security.java
|
||||
@@ -196,26 +196,8 @@
|
||||
if (disableSystemProps == null &&
|
||||
"true".equalsIgnoreCase(props.getProperty
|
||||
("security.useSystemPropertiesFile"))) {
|
||||
-
|
||||
- // now load the system file, if it exists, so its values
|
||||
- // will win if they conflict with the earlier values
|
||||
- try (BufferedInputStream bis =
|
||||
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
|
||||
- props.load(bis);
|
||||
+ if (SystemConfigurator.configure(props)) {
|
||||
loadedProps = true;
|
||||
-
|
||||
- if (sdebug != null) {
|
||||
- sdebug.println("reading system security properties file " +
|
||||
- SYSTEM_PROPERTIES);
|
||||
- sdebug.println(props.toString());
|
||||
- }
|
||||
- } catch (IOException e) {
|
||||
- if (sdebug != null) {
|
||||
- sdebug.println
|
||||
- ("unable to load security properties from " +
|
||||
- SYSTEM_PROPERTIES);
|
||||
- e.printStackTrace();
|
||||
- }
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
@@ -0,0 +1,151 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2019, Red Hat, Inc.
|
||||
+ *
|
||||
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
+ *
|
||||
+ * This code is free software; you can redistribute it and/or modify it
|
||||
+ * under the terms of the GNU General Public License version 2 only, as
|
||||
+ * published by the Free Software Foundation.
|
||||
+ *
|
||||
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
+ * version 2 for more details (a copy is included in the LICENSE file that
|
||||
+ * accompanied this code).
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License version
|
||||
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
||||
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
+ *
|
||||
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
+ * or visit www.oracle.com if you need additional information or have any
|
||||
+ * questions.
|
||||
+ */
|
||||
+
|
||||
+package java.security;
|
||||
+
|
||||
+import java.io.BufferedInputStream;
|
||||
+import java.io.FileInputStream;
|
||||
+import java.io.IOException;
|
||||
+
|
||||
+import java.nio.file.Files;
|
||||
+import java.nio.file.Path;
|
||||
+
|
||||
+import java.util.Iterator;
|
||||
+import java.util.Map.Entry;
|
||||
+import java.util.Properties;
|
||||
+import java.util.function.Consumer;
|
||||
+import java.util.regex.Matcher;
|
||||
+import java.util.regex.Pattern;
|
||||
+
|
||||
+import sun.security.util.Debug;
|
||||
+
|
||||
+/**
|
||||
+ * Internal class to align OpenJDK with global crypto-policies.
|
||||
+ * Called from java.security.Security class initialization,
|
||||
+ * during startup.
|
||||
+ *
|
||||
+ */
|
||||
+
|
||||
+class SystemConfigurator {
|
||||
+
|
||||
+ private static final Debug sdebug =
|
||||
+ Debug.getInstance("properties");
|
||||
+
|
||||
+ private static final String CRYPTO_POLICIES_BASE_DIR =
|
||||
+ "/etc/crypto-policies";
|
||||
+
|
||||
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
|
||||
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
|
||||
+
|
||||
+ private static final String CRYPTO_POLICIES_CONFIG =
|
||||
+ CRYPTO_POLICIES_BASE_DIR + "/config";
|
||||
+
|
||||
+ private static final class SecurityProviderInfo {
|
||||
+ int number;
|
||||
+ String key;
|
||||
+ String value;
|
||||
+ SecurityProviderInfo(int number, String key, String value) {
|
||||
+ this.number = number;
|
||||
+ this.key = key;
|
||||
+ this.value = value;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Invoked when java.security.Security class is initialized, if
|
||||
+ * java.security.disableSystemPropertiesFile property is not set and
|
||||
+ * security.useSystemPropertiesFile is true.
|
||||
+ */
|
||||
+ static boolean configure(Properties props) {
|
||||
+ boolean loadedProps = false;
|
||||
+
|
||||
+ try (BufferedInputStream bis =
|
||||
+ new BufferedInputStream(
|
||||
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
|
||||
+ props.load(bis);
|
||||
+ loadedProps = true;
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("reading system security properties file " +
|
||||
+ CRYPTO_POLICIES_JAVA_CONFIG);
|
||||
+ sdebug.println(props.toString());
|
||||
+ }
|
||||
+ } catch (IOException e) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("unable to load security properties from " +
|
||||
+ CRYPTO_POLICIES_JAVA_CONFIG);
|
||||
+ e.printStackTrace();
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ try {
|
||||
+ if (enableFips()) {
|
||||
+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
|
||||
+ loadedProps = false;
|
||||
+ // Remove all security providers
|
||||
+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
|
||||
+ while (i.hasNext()) {
|
||||
+ Entry<Object, Object> e = i.next();
|
||||
+ if (((String) e.getKey()).startsWith("security.provider")) {
|
||||
+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
|
||||
+ i.remove();
|
||||
+ }
|
||||
+ }
|
||||
+ // Add FIPS security providers
|
||||
+ String fipsProviderValue = null;
|
||||
+ for (int n = 1;
|
||||
+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
|
||||
+ String fipsProviderKey = "security.provider." + n;
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Adding provider " + n + ": " +
|
||||
+ fipsProviderKey + "=" + fipsProviderValue);
|
||||
+ }
|
||||
+ props.put(fipsProviderKey, fipsProviderValue);
|
||||
+ }
|
||||
+ loadedProps = true;
|
||||
+ }
|
||||
+ } catch (Exception e) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("unable to load FIPS configuration");
|
||||
+ e.printStackTrace();
|
||||
+ }
|
||||
+ }
|
||||
+ return loadedProps;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
|
||||
+ * and the com.redhat.fips property is true.
|
||||
+ */
|
||||
+ private static boolean enableFips() throws Exception {
|
||||
+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
|
||||
+ if (fipsEnabled) {
|
||||
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
|
||||
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
|
||||
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
|
||||
+ return pattern.matcher(cryptoPoliciesConfig).find();
|
||||
+ } else {
|
||||
+ return false;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
|
||||
--- openjdk.orig/src/java.base/share/conf/security/java.security
|
||||
+++ openjdk/src/java.base/share/conf/security/java.security
|
||||
@@ -87,6 +87,14 @@
|
||||
#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
|
||||
|
||||
#
|
||||
+# Security providers used when global crypto-policies are set to FIPS.
|
||||
+#
|
||||
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
|
||||
+fips.provider.2=SUN
|
||||
+fips.provider.3=SunEC
|
||||
+fips.provider.4=SunJSSE
|
||||
+
|
||||
+#
|
||||
# A list of preferred providers for specific algorithms. These providers will
|
||||
# be searched for matching algorithms before the list of registered providers.
|
||||
# Entries containing errors (parsing, etc) will be ignored. Use the
|
52
rh1818909-fips_default_keystore_type.patch
Normal file
52
rh1818909-fips_default_keystore_type.patch
Normal file
@ -0,0 +1,52 @@
|
||||
diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
|
||||
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
|
||||
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
|
||||
@@ -123,6 +123,33 @@
|
||||
}
|
||||
props.put(fipsProviderKey, fipsProviderValue);
|
||||
}
|
||||
+ // Add other security properties
|
||||
+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
|
||||
+ if (keystoreTypeValue != null) {
|
||||
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
|
||||
+ props.put("keystore.type", keystoreTypeValue);
|
||||
+ if (keystoreTypeValue.equals("PKCS11")) {
|
||||
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
|
||||
+ // must be "NONE". See JDK-8238264.
|
||||
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
|
||||
+ }
|
||||
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
|
||||
+ // If no trustStoreType has been set, use the
|
||||
+ // previous keystore.type under FIPS mode. In
|
||||
+ // a default configuration, the Trust Store will
|
||||
+ // be 'cacerts' (JKS type).
|
||||
+ System.setProperty("javax.net.ssl.trustStoreType",
|
||||
+ nonFipsKeystoreType);
|
||||
+ }
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("FIPS mode default keystore.type = " +
|
||||
+ keystoreTypeValue);
|
||||
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
|
||||
+ System.getProperty("javax.net.ssl.keyStore", ""));
|
||||
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
|
||||
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
|
||||
+ }
|
||||
+ }
|
||||
loadedProps = true;
|
||||
}
|
||||
} catch (Exception e) {
|
||||
diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
|
||||
--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
|
||||
+++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
|
||||
@@ -299,6 +299,11 @@
|
||||
keystore.type=pkcs12
|
||||
|
||||
#
|
||||
+# Default keystore type used when global crypto-policies are set to FIPS.
|
||||
+#
|
||||
+fips.keystore.type=PKCS11
|
||||
+
|
||||
+#
|
||||
# Controls compatibility mode for JKS and PKCS12 keystore types.
|
||||
#
|
||||
# When set to 'true', both JKS and PKCS12 keystore types support loading
|
318
rh1860986-disable_tlsv1.3_in_fips_mode.patch
Normal file
318
rh1860986-disable_tlsv1.3_in_fips_mode.patch
Normal file
@ -0,0 +1,318 @@
|
||||
diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
index f9baf8c9742..60fa75cab45 100644
|
||||
--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
@@ -1,11 +1,13 @@
|
||||
/*
|
||||
- * Copyright (c) 2019, Red Hat, Inc.
|
||||
+ * Copyright (c) 2019, 2020, Red Hat, Inc.
|
||||
*
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License version 2 only, as
|
||||
- * published by the Free Software Foundation.
|
||||
+ * published by the Free Software Foundation. Oracle designates this
|
||||
+ * particular file as subject to the "Classpath" exception as provided
|
||||
+ * by Oracle in the LICENSE file that accompanied this code.
|
||||
*
|
||||
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
@@ -34,10 +36,10 @@ import java.nio.file.Path;
|
||||
import java.util.Iterator;
|
||||
import java.util.Map.Entry;
|
||||
import java.util.Properties;
|
||||
-import java.util.function.Consumer;
|
||||
-import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
|
||||
+import jdk.internal.access.SharedSecrets;
|
||||
import sun.security.util.Debug;
|
||||
|
||||
/**
|
||||
@@ -47,7 +49,7 @@ import sun.security.util.Debug;
|
||||
*
|
||||
*/
|
||||
|
||||
-class SystemConfigurator {
|
||||
+final class SystemConfigurator {
|
||||
|
||||
private static final Debug sdebug =
|
||||
Debug.getInstance("properties");
|
||||
@@ -61,15 +63,16 @@ class SystemConfigurator {
|
||||
private static final String CRYPTO_POLICIES_CONFIG =
|
||||
CRYPTO_POLICIES_BASE_DIR + "/config";
|
||||
|
||||
- private static final class SecurityProviderInfo {
|
||||
- int number;
|
||||
- String key;
|
||||
- String value;
|
||||
- SecurityProviderInfo(int number, String key, String value) {
|
||||
- this.number = number;
|
||||
- this.key = key;
|
||||
- this.value = value;
|
||||
- }
|
||||
+ private static boolean systemFipsEnabled = false;
|
||||
+
|
||||
+ static {
|
||||
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
|
||||
+ new JavaSecuritySystemConfiguratorAccess() {
|
||||
+ @Override
|
||||
+ public boolean isSystemFipsEnabled() {
|
||||
+ return SystemConfigurator.isSystemFipsEnabled();
|
||||
+ }
|
||||
+ });
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -128,9 +131,9 @@ class SystemConfigurator {
|
||||
String nonFipsKeystoreType = props.getProperty("keystore.type");
|
||||
props.put("keystore.type", keystoreTypeValue);
|
||||
if (keystoreTypeValue.equals("PKCS11")) {
|
||||
- // If keystore.type is PKCS11, javax.net.ssl.keyStore
|
||||
- // must be "NONE". See JDK-8238264.
|
||||
- System.setProperty("javax.net.ssl.keyStore", "NONE");
|
||||
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
|
||||
+ // must be "NONE". See JDK-8238264.
|
||||
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
|
||||
}
|
||||
if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
|
||||
// If no trustStoreType has been set, use the
|
||||
@@ -144,12 +147,13 @@ class SystemConfigurator {
|
||||
sdebug.println("FIPS mode default keystore.type = " +
|
||||
keystoreTypeValue);
|
||||
sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
|
||||
- System.getProperty("javax.net.ssl.keyStore", ""));
|
||||
+ System.getProperty("javax.net.ssl.keyStore", ""));
|
||||
sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
|
||||
System.getProperty("javax.net.ssl.trustStoreType", ""));
|
||||
}
|
||||
}
|
||||
loadedProps = true;
|
||||
+ systemFipsEnabled = true;
|
||||
}
|
||||
} catch (Exception e) {
|
||||
if (sdebug != null) {
|
||||
@@ -160,13 +164,30 @@ class SystemConfigurator {
|
||||
return loadedProps;
|
||||
}
|
||||
|
||||
+ /**
|
||||
+ * Returns whether or not global system FIPS alignment is enabled.
|
||||
+ *
|
||||
+ * Value is always 'false' before java.security.Security class is
|
||||
+ * initialized.
|
||||
+ *
|
||||
+ * Call from out of this package through SharedSecrets:
|
||||
+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ * .isSystemFipsEnabled();
|
||||
+ *
|
||||
+ * @return a boolean value indicating whether or not global
|
||||
+ * system FIPS alignment is enabled.
|
||||
+ */
|
||||
+ static boolean isSystemFipsEnabled() {
|
||||
+ return systemFipsEnabled;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* FIPS is enabled only if crypto-policies are set to "FIPS"
|
||||
* and the com.redhat.fips property is true.
|
||||
*/
|
||||
private static boolean enableFips() throws Exception {
|
||||
- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
|
||||
- if (fipsEnabled) {
|
||||
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
|
||||
+ if (shouldEnable) {
|
||||
String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
|
||||
if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
|
||||
Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
|
||||
diff --git openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
|
||||
new file mode 100644
|
||||
index 00000000000..a31e93ec02e
|
||||
--- /dev/null
|
||||
+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
|
||||
@@ -0,0 +1,30 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2020, Red Hat, Inc.
|
||||
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
+ *
|
||||
+ * This code is free software; you can redistribute it and/or modify it
|
||||
+ * under the terms of the GNU General Public License version 2 only, as
|
||||
+ * published by the Free Software Foundation. Oracle designates this
|
||||
+ * particular file as subject to the "Classpath" exception as provided
|
||||
+ * by Oracle in the LICENSE file that accompanied this code.
|
||||
+ *
|
||||
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
+ * version 2 for more details (a copy is included in the LICENSE file that
|
||||
+ * accompanied this code).
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License version
|
||||
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
||||
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
+ *
|
||||
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
+ * or visit www.oracle.com if you need additional information or have any
|
||||
+ * questions.
|
||||
+ */
|
||||
+
|
||||
+package jdk.internal.access;
|
||||
+
|
||||
+public interface JavaSecuritySystemConfiguratorAccess {
|
||||
+ boolean isSystemFipsEnabled();
|
||||
+}
|
||||
diff --git openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
|
||||
index f6d3638c3dd..5a2c9eb0c46 100644
|
||||
--- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
|
||||
+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
|
||||
@@ -81,6 +81,7 @@ public class SharedSecrets {
|
||||
private static JavaSecuritySpecAccess javaSecuritySpecAccess;
|
||||
private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
|
||||
private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
|
||||
+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
|
||||
|
||||
public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
|
||||
javaUtilCollectionAccess = juca;
|
||||
@@ -442,4 +443,12 @@ public class SharedSecrets {
|
||||
MethodHandles.lookup().ensureInitialized(c);
|
||||
} catch (IllegalAccessException e) {}
|
||||
}
|
||||
+
|
||||
+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
|
||||
+ javaSecuritySystemConfiguratorAccess = jssca;
|
||||
+ }
|
||||
+
|
||||
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
|
||||
+ return javaSecuritySystemConfiguratorAccess;
|
||||
+ }
|
||||
}
|
||||
diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
|
||||
index 6ffdfeda18d..775b185fb06 100644
|
||||
--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
|
||||
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
|
||||
@@ -32,6 +32,7 @@ import java.security.cert.*;
|
||||
import java.util.*;
|
||||
import java.util.concurrent.locks.ReentrantLock;
|
||||
import javax.net.ssl.*;
|
||||
+import jdk.internal.access.SharedSecrets;
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.provider.certpath.AlgorithmChecker;
|
||||
import sun.security.validator.Validator;
|
||||
@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi {
|
||||
private static final List<CipherSuite> serverDefaultCipherSuites;
|
||||
|
||||
static {
|
||||
- supportedProtocols = Arrays.asList(
|
||||
- ProtocolVersion.TLS13,
|
||||
- ProtocolVersion.TLS12,
|
||||
- ProtocolVersion.TLS11,
|
||||
- ProtocolVersion.TLS10,
|
||||
- ProtocolVersion.SSL30,
|
||||
- ProtocolVersion.SSL20Hello
|
||||
- );
|
||||
-
|
||||
- serverDefaultProtocols = getAvailableProtocols(
|
||||
- new ProtocolVersion[] {
|
||||
- ProtocolVersion.TLS13,
|
||||
- ProtocolVersion.TLS12,
|
||||
- ProtocolVersion.TLS11,
|
||||
- ProtocolVersion.TLS10
|
||||
- });
|
||||
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ // RH1860986: TLSv1.3 key derivation not supported with
|
||||
+ // the Security Providers available in system FIPS mode.
|
||||
+ supportedProtocols = Arrays.asList(
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ );
|
||||
+
|
||||
+ serverDefaultProtocols = getAvailableProtocols(
|
||||
+ new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ });
|
||||
+ } else {
|
||||
+ supportedProtocols = Arrays.asList(
|
||||
+ ProtocolVersion.TLS13,
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10,
|
||||
+ ProtocolVersion.SSL30,
|
||||
+ ProtocolVersion.SSL20Hello
|
||||
+ );
|
||||
+
|
||||
+ serverDefaultProtocols = getAvailableProtocols(
|
||||
+ new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS13,
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ });
|
||||
+ }
|
||||
|
||||
supportedCipherSuites = getApplicableSupportedCipherSuites(
|
||||
supportedProtocols);
|
||||
@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
|
||||
ProtocolVersion[] candidates;
|
||||
if (refactored.isEmpty()) {
|
||||
// Client and server use the same default protocols.
|
||||
- candidates = new ProtocolVersion[] {
|
||||
- ProtocolVersion.TLS13,
|
||||
- ProtocolVersion.TLS12,
|
||||
- ProtocolVersion.TLS11,
|
||||
- ProtocolVersion.TLS10
|
||||
- };
|
||||
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ // RH1860986: TLSv1.3 key derivation not supported with
|
||||
+ // the Security Providers available in system FIPS mode.
|
||||
+ candidates = new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ };
|
||||
+ } else {
|
||||
+ candidates = new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS13,
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ };
|
||||
+ }
|
||||
} else {
|
||||
// Use the customized TLS protocols.
|
||||
candidates =
|
||||
diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
|
||||
index 894e26dfad8..8b16378b96b 100644
|
||||
--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
|
||||
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
|
||||
@@ -27,6 +27,8 @@ package sun.security.ssl;
|
||||
|
||||
import java.security.*;
|
||||
import java.util.*;
|
||||
+
|
||||
+import jdk.internal.access.SharedSecrets;
|
||||
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
||||
|
||||
/**
|
||||
@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider {
|
||||
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
|
||||
ps("SSLContext", "TLSv1.2",
|
||||
"sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
|
||||
- ps("SSLContext", "TLSv1.3",
|
||||
- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
|
||||
+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ // RH1860986: TLSv1.3 key derivation not supported with
|
||||
+ // the Security Providers available in system FIPS mode.
|
||||
+ ps("SSLContext", "TLSv1.3",
|
||||
+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
|
||||
+ }
|
||||
ps("SSLContext", "TLS",
|
||||
"sun.security.ssl.SSLContextImpl$TLSContext",
|
||||
List.of("SSL"), null);
|
70
rh1915071-always_initialise_configurator_access.patch
Normal file
70
rh1915071-always_initialise_configurator_access.patch
Normal file
@ -0,0 +1,70 @@
|
||||
diff --git openjdk/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
|
||||
index f1633afb627..ce32c939253 100644
|
||||
--- openjdk/src/java.base/share/classes/java/security/Security.java
|
||||
+++ openjdk/src/java.base/share/classes/java/security/Security.java
|
||||
@@ -32,6 +32,7 @@ import java.net.URL;
|
||||
|
||||
import jdk.internal.event.EventHelper;
|
||||
import jdk.internal.event.SecurityPropertyModificationEvent;
|
||||
+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
|
||||
import jdk.internal.access.SharedSecrets;
|
||||
import jdk.internal.util.StaticProperty;
|
||||
import sun.security.util.Debug;
|
||||
@@ -74,6 +75,15 @@ public final class Security {
|
||||
}
|
||||
|
||||
static {
|
||||
+ // Initialise here as used by code with system properties disabled
|
||||
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
|
||||
+ new JavaSecuritySystemConfiguratorAccess() {
|
||||
+ @Override
|
||||
+ public boolean isSystemFipsEnabled() {
|
||||
+ return SystemConfigurator.isSystemFipsEnabled();
|
||||
+ }
|
||||
+ });
|
||||
+
|
||||
// doPrivileged here because there are multiple
|
||||
// things in initialize that might require privs.
|
||||
// (the FileInputStream call and the File.exists call,
|
||||
@@ -194,9 +204,8 @@ public final class Security {
|
||||
}
|
||||
|
||||
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
|
||||
- if (disableSystemProps == null &&
|
||||
- "true".equalsIgnoreCase(props.getProperty
|
||||
- ("security.useSystemPropertiesFile"))) {
|
||||
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
|
||||
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
|
||||
if (SystemConfigurator.configure(props)) {
|
||||
loadedProps = true;
|
||||
}
|
||||
diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
index 60fa75cab45..10b54aa4ce4 100644
|
||||
--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
@@ -38,8 +38,6 @@ import java.util.Map.Entry;
|
||||
import java.util.Properties;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
-import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
|
||||
-import jdk.internal.access.SharedSecrets;
|
||||
import sun.security.util.Debug;
|
||||
|
||||
/**
|
||||
@@ -65,16 +63,6 @@ final class SystemConfigurator {
|
||||
|
||||
private static boolean systemFipsEnabled = false;
|
||||
|
||||
- static {
|
||||
- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
|
||||
- new JavaSecuritySystemConfiguratorAccess() {
|
||||
- @Override
|
||||
- public boolean isSystemFipsEnabled() {
|
||||
- return SystemConfigurator.isSystemFipsEnabled();
|
||||
- }
|
||||
- });
|
||||
- }
|
||||
-
|
||||
/*
|
||||
* Invoked when java.security.Security class is initialized, if
|
||||
* java.security.disableSystemPropertiesFile property is not set and
|
Loading…
Reference in New Issue
Block a user