Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent

This commit is contained in:
Andrew John Hughes 2022-01-18 02:31:53 +00:00
parent 82a565bf80
commit 1b7a9fc8f1
2 changed files with 106 additions and 2 deletions

View File

@ -308,7 +308,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 12
%global rpmrelease 15
%global rpmrelease 16
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -1182,7 +1182,7 @@ Version: %{newjavaver}.%{buildver}
# This package needs `.rolling` as part of Release so as to not conflict on install with
# java-X-openjdk. I.e. when latest rolling release is also an LTS release packaged as
# java-X-openjdk. See: https://bugzilla.redhat.com/show_bug.cgi?id=1647298
Release: %{?eaprefix}%{rpmrelease}%{?extraver}.rolling%{?dist}.1
Release: %{?eaprefix}%{rpmrelease}%{?extraver}.rolling%{?dist}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@ -1297,6 +1297,7 @@ Patch1013: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues
Patch1014: rh2021263-fips_ensure_security_initialised.patch
Patch1015: rh2021263-fips_missing_native_returns.patch
Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
#############################################
#
@ -1718,6 +1719,7 @@ popd # openjdk
%patch1013
%patch1014
%patch1015
%patch1016
%patch2000
@ -2475,6 +2477,9 @@ cjc.mainProgram(args)
%endif
%changelog
* Mon Jan 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-16.rolling
- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:17.0.1.0.12-15.rolling.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

View File

@ -0,0 +1,99 @@
commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:09:27 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index 28ab1846173..f9726741afd 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -61,10 +61,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -206,22 +202,36 @@ public final class Security {
}
}
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties " +
+ "-- using defaults");
+ }
+ }
+
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
"true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
}
}
- if (!loadedProps) {
- initializeStatic();
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
if (sdebug != null) {
- sdebug.println("unable to load security properties " +
- "-- using defaults");
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
}
}
-
}
/*
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 874c6221ebe..b7ed41acf0f 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {