From bed2ea1420833862f19966be08f376ec5123277a Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Thu, 2 Sep 2021 12:48:12 +0200 Subject: [PATCH] Revert "Adapted patches to jdk16" This reverts commit c7fa66aed4f257de6fc607ffcd29dd5eec5bcc8f. --- java-latest-openjdk.spec | 12 +- pr3695-toggle_system_crypto_policy.patch | 78 ------ rh1655466-global_crypto_and_fips.patch | 2 +- rh1842572-rsa_default_for_keytool.patch | 12 + rh1860986-disable_tlsv1.3_in_fips_mode.patch | 233 +++++++----------- ...lways_initialise_configurator_access.patch | 2 +- 6 files changed, 113 insertions(+), 226 deletions(-) delete mode 100644 pr3695-toggle_system_crypto_policy.patch create mode 100644 rh1842572-rsa_default_for_keytool.patch diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index 57e30d0..ef90def 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -1171,7 +1171,8 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch # Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch -Patch7: pr3695-toggle_system_crypto_policy.patch +# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY +Patch1003: rh1842572-rsa_default_for_keytool.patch # FIPS support patches # RH1655466: Support RHEL FIPS mode using SunPKCS11 provider @@ -1538,13 +1539,13 @@ pushd %{top_level_dir_name} %patch3 -p1 %patch4 -p1 %patch6 -p1 -%patch7 -p1 popd # openjdk %patch1000 %patch600 %patch1001 %patch1002 +%patch1003 %patch1004 %patch1007 
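Review bot: The new `Patch1003` comment cites RH1582504 while the file it introduces is `rh1842572-rsa_default_for_keytool.patch`, so the spec and the file name disagree on which bug is being addressed; name both so a reader can follow either reference, e.g. `# RH1582504, RH1842572: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY`. Dropping `Patch7`/`%patch7` while `%patch1000` and the rest of the FIPS series stay applied also deserves a `%prep` check: the changelog text removed in the next hunk recorded pr3695 as a missing prerequisite of the FIPS work, so rh1655466 may no longer apply cleanly without the `disableSystemProps` block that pr3695 adds to `Security.java`. The `%patch1003` placement after `%patch1002` in the second hunk is unproblematic, since the keytool patch touches a different source file from the FIPS series.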
@@ -2258,12 +2259,7 @@ cjc.mainProgram(args) %changelog * Tue Jun 29 2021 Jiri Vanek -1:16.0.1.0.9-5.rolling - renamed source15 to source17 to match el8 -- added fips support: -- added pr3695-toggle_system_crypto_policy.patch ; missing prerequisity -- removed rh1655466-global_crypto_and_fips.patch; jdk16 do not have default algorithm, it throws exception -- adapted rh1655466-global_crypto_and_fips.patch -- adapted rh1860986-disable_tlsv1.3_in_fips_mode.patch (?) -- adapted rh1915071-always_initialise_configurator_access.patch +- added fips support * Thu Jun 17 2021 Petra Alice Mikova - 1:16.0.1.0.9-4.rolling - fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again diff --git a/pr3695-toggle_system_crypto_policy.patch b/pr3695-toggle_system_crypto_policy.patch deleted file mode 100644 index 3799237..0000000 --- a/pr3695-toggle_system_crypto_policy.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -# HG changeset patch -# User andrew -# Date 1545198926 0 -# Wed Dec 19 05:55:26 2018 +0000 -# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776 -# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c -PR3695: Allow use of system crypto policy to be disabled by the user -Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile - -diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java ---- a/src/java.base/share/classes/java/security/Security.java -+++ b/src/java.base/share/classes/java/security/Security.java -@@ -125,31 +125,6 @@ - } - - if ("true".equalsIgnoreCase(props.getProperty -- ("security.useSystemPropertiesFile"))) { -- -- // now load the system file, if it exists, so its values -- // will win if they conflict with the earlier values -- try (BufferedInputStream bis = -- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { -- props.load(bis); -- loadedProps = true; -- -- if (sdebug != null) { -- sdebug.println("reading system security properties file " + -- SYSTEM_PROPERTIES); -- sdebug.println(props.toString()); -- } -- } catch (IOException e) { -- if (sdebug != null) { -- sdebug.println -- ("unable to load security properties from " + -- SYSTEM_PROPERTIES); -- e.printStackTrace(); -- } -- } -- } -- -- if ("true".equalsIgnoreCase(props.getProperty - ("security.overridePropertiesFile"))) { - - String extraPropFile = System.getProperty -@@ -215,6 +190,33 @@ - } - } - -+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); -+ if (disableSystemProps == null && -+ "true".equalsIgnoreCase(props.getProperty -+ ("security.useSystemPropertiesFile"))) { -+ -+ // now load the system file, if it exists, so its values -+ // will win if they conflict with the earlier values -+ try (BufferedInputStream bis = -+ new BufferedInputStream(new 
FileInputStream(SYSTEM_PROPERTIES))) { -+ props.load(bis); -+ loadedProps = true; -+ -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ SYSTEM_PROPERTIES); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println -+ ("unable to load security properties from " + -+ SYSTEM_PROPERTIES); -+ e.printStackTrace(); -+ } -+ } -+ } -+ - if (!loadedProps) { - initializeStatic(); - if (sdebug != null) { diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch index 684c4c4..8bf1ced 100644 --- a/rh1655466-global_crypto_and_fips.patch +++ b/rh1655466-global_crypto_and_fips.patch @@ -197,7 +197,7 @@ diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjd +fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg +fips.provider.2=SUN +fips.provider.3=SunEC -+fips.provider.4=SunJSSE SunPKCS11-NSS-FIPS ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS + +# # A list of preferred providers for specific algorithms. These providers will diff --git a/rh1842572-rsa_default_for_keytool.patch b/rh1842572-rsa_default_for_keytool.patch new file mode 100644 index 0000000..9f1dabc --- /dev/null +++ b/rh1842572-rsa_default_for_keytool.patch @@ -0,0 +1,12 @@ +diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java +--- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java ++++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java +@@ -1135,7 +1135,7 @@ + } + } else if (command == GENKEYPAIR) { + if (keyAlgName == null) { +- keyAlgName = "DSA"; ++ keyAlgName = "RSA"; + } + doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName); + kssave = true; 
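Review bot: `fips.provider.4` now names the legacy class `com.sun.net.ssl.internal.ssl.Provider` while the neighbouring entries `fips.provider.1..3` use short provider names (`SunPKCS11`, `SUN`, `SunEC`), and the adaptation being reverted had used the short name `SunJSSE` here. If that legacy class is not present in the JDK this spec builds (the changelog on this page records the package as `1:16.0.1.0.9`), the entry would likely be skipped at provider-loading time rather than fail the build, leaving system FIPS mode without a JSSE/TLS provider; that failure is only visible with `-Djava.security.debug=provider` or when TLS is first used. Confirm the class exists in this source tree, or keep `fips.provider.4=SunJSSE SunPKCS11-NSS-FIPS` for consistency with the other entries.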
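Review bot: The new `rh1842572-rsa_default_for_keytool.patch` carries no header describing its purpose, unlike `pr3695-toggle_system_crypto_policy.patch` deleted above, which records bug id, author and a one-line summary before its first `diff` line; `patch` and `git apply` ignore leading text, so a header costs nothing and keeps the rationale with the file rather than only in the spec comment. Suggested first line: `# RH1842572: keytool -genkeypair defaults to RSA instead of DSA, as DSA is disabled in all system crypto policies except LEGACY`. The enclosing `GENKEYPAIR` handling and `doGenKeyPair` lie outside the hunk, so confirm that the default key size and signature algorithm are still derived from `keyAlgName` there rather than assuming DSA.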
diff --git a/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/rh1860986-disable_tlsv1.3_in_fips_mode.patch index b1bf3d6..0a76cad 100644 --- a/rh1860986-disable_tlsv1.3_in_fips_mode.patch +++ b/rh1860986-disable_tlsv1.3_in_fips_mode.patch @@ -160,28 +160,20 @@ diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecurityS +public interface JavaSecuritySystemConfiguratorAccess { + boolean isSystemFipsEnabled(); +} -diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ---- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300 -@@ -38,6 +38,7 @@ - import java.io.RandomAccessFile; - import java.security.ProtectionDomain; - import java.security.Signature; -+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; - - /** A repository of "shared secrets", which are a mechanism for - calling implementation-private methods in another package without +diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +--- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300 @@ -76,6 +76,7 @@ - private static JavaSecurityAccess javaSecurityAccess; + private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; - public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { - javaUtilCollectionAccess = juca; + public static JavaUtilJarAccess javaUtilJarAccess() { + if (javaUtilJarAccess == null) { 
@@ -361,4 +362,12 @@ - MethodHandles.lookup().ensureInitialized(c); - } catch (IllegalAccessException e) {} + } + return javaxCryptoSealedObjectAccess; } + + public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { @@ -196,134 +188,99 @@ diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl --- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300 +++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300 
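Review bot: The restored `+diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java` header, together with `++import jdk.internal.misc.SharedSecrets;` in the SSLContextImpl and SunJSSE hunks further down and in the rh1915071 hunk cut off at the end of this patch, points at the older `jdk.internal.misc` location of SharedSecrets, which the reverted adaptation had changed to `jdk.internal.access`; with the spec on this page still at `1:16.0.1.0.9`, the rh1860986 and rh1915071 patches will most likely fail to apply in `%prep`, or the build will fail on the unresolved import. The SSLContextImpl hunk additionally nests the system-FIPS check inside `if (SunJSSE.isFIPS())`, so if that method is absent or always false on this JDK, the TLSv1.3 restriction for system FIPS mode (RH1860986) either does not compile or never triggers, the latter being a silent loss of the intended hardening. Confirm the target JDK version before landing the revert, or rebase the patch bodies instead of reverting them.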
@@ -31,6 +31,7 @@ + import java.security.cert.*; import java.util.*; - import java.util.concurrent.locks.ReentrantLock; import javax.net.ssl.*; -+import jdk.internal.access.SharedSecrets; ++import jdk.internal.misc.SharedSecrets; import sun.security.action.GetPropertyAction; import sun.security.provider.certpath.AlgorithmChecker; import sun.security.validator.Validator; -@@ -536,22 +536,42 @@ - private static final List serverDefaultCipherSuites; +@@ -542,20 +543,38 @@ static { -- supportedProtocols = Arrays.asList( -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10, -- ProtocolVersion.SSL30, -- ProtocolVersion.SSL20Hello -- ); -- -- serverDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10, -+ ProtocolVersion.SSL30, -+ ProtocolVersion.SSL20Hello -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); + if (SunJSSE.isFIPS()) { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- ); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. 
++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); + +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); + } else { -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10, -+ ProtocolVersion.SSL30, -+ ProtocolVersion.SSL20Hello -+ ); ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); + -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } - - supportedCipherSuites = getApplicableSupportedCipherSuites( - supportedProtocols); -@@ -699,13 +719,26 @@ - private static final List clientDefaultCipherSuites; - - static { -- clientDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. 
-+ clientDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { -+ clientDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } -+ - - clientDefaultCipherSuites = getApplicableEnabledCipherSuites( - clientDefaultProtocols, true); -@@ -842,12 +875,21 @@ - ProtocolVersion[] candidates; - if (refactored.isEmpty()) { - // Client and server use the same default protocols. -- candidates = new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }; -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ candidates = new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } else { -+ candidates = new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } } else { - // Use the customized TLS protocols. - candidates = + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, +@@ -620,6 +639,16 @@ + + static ProtocolVersion[] getSupportedProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. 
++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +@@ -949,6 +978,16 @@ + + static ProtocolVersion[] getProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[]{ + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java --- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300 +++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300 @@ -332,10 +289,10 @@ diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java import java.security.*; import java.util.*; + -+import jdk.internal.access.SharedSecrets; ++import jdk.internal.misc.SharedSecrets; + import sun.security.rsa.SunRsaSignEntries; import static sun.security.util.SecurityConstants.PROVIDER_VER; - - /** + import static sun.security.provider.SunEntries.createAliases; @@ -195,8 +197,13 @@ "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); ps("SSLContext", "TLSv1.2", @@ -351,4 +308,4 @@ diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java + } ps("SSLContext", "TLS", "sun.security.ssl.SSLContextImpl$TLSContext", - List.of("SSL"), null); + (isfips? null : createAliases("SSL")), null); diff --git a/rh1915071-always_initialise_configurator_access.patch b/rh1915071-always_initialise_configurator_access.patch index 36a0b92..21ced06 100644 --- a/rh1915071-always_initialise_configurator_access.patch 
+++ b/rh1915071-always_initialise_configurator_access.patch @@ -6,7 +6,7 @@ diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java import jdk.internal.event.EventHelper; import jdk.internal.event.SecurityPropertyModificationEvent; +import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; - import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.util.Debug; @@ -74,6 +75,15 @@