parent
66aaf933ed
commit
bed2ea1420
@ -1171,7 +1171,8 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1
|
||||
Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
|
||||
# Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo
|
||||
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
|
||||
Patch7: pr3695-toggle_system_crypto_policy.patch
|
||||
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
|
||||
Patch1003: rh1842572-rsa_default_for_keytool.patch
|
||||
|
||||
# FIPS support patches
|
||||
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
|
||||
@ -1538,13 +1539,13 @@ pushd %{top_level_dir_name}
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
popd # openjdk
|
||||
|
||||
%patch1000
|
||||
%patch600
|
||||
%patch1001
|
||||
%patch1002
|
||||
%patch1003
|
||||
%patch1004
|
||||
%patch1007
|
||||
|
||||
@ -2258,12 +2259,7 @@ cjc.mainProgram(args)
|
||||
%changelog
|
||||
* Tue Jun 29 2021 Jiri Vanek <jvanek@redhat.com> -1:16.0.1.0.9-5.rolling
|
||||
- renamed source15 to source17 to match el8
|
||||
- added fips support:
|
||||
- added pr3695-toggle_system_crypto_policy.patch ; missing prerequisity
|
||||
- removed rh1655466-global_crypto_and_fips.patch; jdk16 do not have default algorithm, it throws exception
|
||||
- adapted rh1655466-global_crypto_and_fips.patch
|
||||
- adapted rh1860986-disable_tlsv1.3_in_fips_mode.patch (?)
|
||||
- adapted rh1915071-always_initialise_configurator_access.patch
|
||||
- added fips support
|
||||
|
||||
* Thu Jun 17 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:16.0.1.0.9-4.rolling
|
||||
- fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again
|
||||
|
@ -1,78 +0,0 @@
|
||||
# HG changeset patch
|
||||
# User andrew
|
||||
# Date 1545198926 0
|
||||
# Wed Dec 19 05:55:26 2018 +0000
|
||||
# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
|
||||
# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
|
||||
PR3695: Allow use of system crypto policy to be disabled by the user
|
||||
Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
|
||||
|
||||
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
|
||||
--- a/src/java.base/share/classes/java/security/Security.java
|
||||
+++ b/src/java.base/share/classes/java/security/Security.java
|
||||
@@ -125,31 +125,6 @@
|
||||
}
|
||||
|
||||
if ("true".equalsIgnoreCase(props.getProperty
|
||||
- ("security.useSystemPropertiesFile"))) {
|
||||
-
|
||||
- // now load the system file, if it exists, so its values
|
||||
- // will win if they conflict with the earlier values
|
||||
- try (BufferedInputStream bis =
|
||||
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
|
||||
- props.load(bis);
|
||||
- loadedProps = true;
|
||||
-
|
||||
- if (sdebug != null) {
|
||||
- sdebug.println("reading system security properties file " +
|
||||
- SYSTEM_PROPERTIES);
|
||||
- sdebug.println(props.toString());
|
||||
- }
|
||||
- } catch (IOException e) {
|
||||
- if (sdebug != null) {
|
||||
- sdebug.println
|
||||
- ("unable to load security properties from " +
|
||||
- SYSTEM_PROPERTIES);
|
||||
- e.printStackTrace();
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if ("true".equalsIgnoreCase(props.getProperty
|
||||
("security.overridePropertiesFile"))) {
|
||||
|
||||
String extraPropFile = System.getProperty
|
||||
@@ -215,6 +190,33 @@
|
||||
}
|
||||
}
|
||||
|
||||
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
|
||||
+ if (disableSystemProps == null &&
|
||||
+ "true".equalsIgnoreCase(props.getProperty
|
||||
+ ("security.useSystemPropertiesFile"))) {
|
||||
+
|
||||
+ // now load the system file, if it exists, so its values
|
||||
+ // will win if they conflict with the earlier values
|
||||
+ try (BufferedInputStream bis =
|
||||
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
|
||||
+ props.load(bis);
|
||||
+ loadedProps = true;
|
||||
+
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("reading system security properties file " +
|
||||
+ SYSTEM_PROPERTIES);
|
||||
+ sdebug.println(props.toString());
|
||||
+ }
|
||||
+ } catch (IOException e) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println
|
||||
+ ("unable to load security properties from " +
|
||||
+ SYSTEM_PROPERTIES);
|
||||
+ e.printStackTrace();
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (!loadedProps) {
|
||||
initializeStatic();
|
||||
if (sdebug != null) {
|
@ -197,7 +197,7 @@ diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjd
|
||||
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
|
||||
+fips.provider.2=SUN
|
||||
+fips.provider.3=SunEC
|
||||
+fips.provider.4=SunJSSE SunPKCS11-NSS-FIPS
|
||||
+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
|
||||
+
|
||||
+#
|
||||
# A list of preferred providers for specific algorithms. These providers will
|
||||
|
12
rh1842572-rsa_default_for_keytool.patch
Normal file
12
rh1842572-rsa_default_for_keytool.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
|
||||
--- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java
|
||||
+++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
|
||||
@@ -1135,7 +1135,7 @@
|
||||
}
|
||||
} else if (command == GENKEYPAIR) {
|
||||
if (keyAlgName == null) {
|
||||
- keyAlgName = "DSA";
|
||||
+ keyAlgName = "RSA";
|
||||
}
|
||||
doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName);
|
||||
kssave = true;
|
@ -160,28 +160,20 @@ diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecurityS
|
||||
+public interface JavaSecuritySystemConfiguratorAccess {
|
||||
+ boolean isSystemFipsEnabled();
|
||||
+}
|
||||
diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
|
||||
--- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300
|
||||
+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300
|
||||
@@ -38,6 +38,7 @@
|
||||
import java.io.RandomAccessFile;
|
||||
import java.security.ProtectionDomain;
|
||||
import java.security.Signature;
|
||||
+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
|
||||
|
||||
/** A repository of "shared secrets", which are a mechanism for
|
||||
calling implementation-private methods in another package without
|
||||
diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
|
||||
--- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300
|
||||
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300
|
||||
@@ -76,6 +76,7 @@
|
||||
private static JavaSecurityAccess javaSecurityAccess;
|
||||
private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess;
|
||||
private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
|
||||
private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
|
||||
+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
|
||||
|
||||
public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
|
||||
javaUtilCollectionAccess = juca;
|
||||
public static JavaUtilJarAccess javaUtilJarAccess() {
|
||||
if (javaUtilJarAccess == null) {
|
||||
@@ -361,4 +362,12 @@
|
||||
MethodHandles.lookup().ensureInitialized(c);
|
||||
} catch (IllegalAccessException e) {}
|
||||
}
|
||||
return javaxCryptoSealedObjectAccess;
|
||||
}
|
||||
+
|
||||
+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
|
||||
@ -196,134 +188,99 @@ diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl
|
||||
--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300
|
||||
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300
|
||||
@@ -31,6 +31,7 @@
|
||||
import java.security.cert.*;
|
||||
import java.util.*;
|
||||
import java.util.concurrent.locks.ReentrantLock;
|
||||
import javax.net.ssl.*;
|
||||
+import jdk.internal.access.SharedSecrets;
|
||||
+import jdk.internal.misc.SharedSecrets;
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.provider.certpath.AlgorithmChecker;
|
||||
import sun.security.validator.Validator;
|
||||
@@ -536,22 +536,42 @@
|
||||
private static final List<CipherSuite> serverDefaultCipherSuites;
|
||||
@@ -542,20 +543,38 @@
|
||||
|
||||
static {
|
||||
- supportedProtocols = Arrays.asList(
|
||||
- ProtocolVersion.TLS13,
|
||||
- ProtocolVersion.TLS12,
|
||||
- ProtocolVersion.TLS11,
|
||||
- ProtocolVersion.TLS10,
|
||||
- ProtocolVersion.SSL30,
|
||||
- ProtocolVersion.SSL20Hello
|
||||
- );
|
||||
-
|
||||
- serverDefaultProtocols = getAvailableProtocols(
|
||||
- new ProtocolVersion[] {
|
||||
- ProtocolVersion.TLS13,
|
||||
- ProtocolVersion.TLS12,
|
||||
- ProtocolVersion.TLS11,
|
||||
- ProtocolVersion.TLS10
|
||||
- });
|
||||
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ // RH1860986: TLSv1.3 key derivation not supported with
|
||||
+ // the Security Providers available in system FIPS mode.
|
||||
+ supportedProtocols = Arrays.asList(
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10,
|
||||
+ ProtocolVersion.SSL30,
|
||||
+ ProtocolVersion.SSL20Hello
|
||||
+ );
|
||||
+
|
||||
+ serverDefaultProtocols = getAvailableProtocols(
|
||||
+ new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ });
|
||||
if (SunJSSE.isFIPS()) {
|
||||
- supportedProtocols = Arrays.asList(
|
||||
- ProtocolVersion.TLS13,
|
||||
- ProtocolVersion.TLS12,
|
||||
- ProtocolVersion.TLS11,
|
||||
- ProtocolVersion.TLS10
|
||||
- );
|
||||
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ // RH1860986: TLSv1.3 key derivation not supported with
|
||||
+ // the Security Providers available in system FIPS mode.
|
||||
+ supportedProtocols = Arrays.asList(
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ );
|
||||
|
||||
- serverDefaultProtocols = getAvailableProtocols(
|
||||
- new ProtocolVersion[] {
|
||||
- ProtocolVersion.TLS13,
|
||||
- ProtocolVersion.TLS12,
|
||||
- ProtocolVersion.TLS11,
|
||||
- ProtocolVersion.TLS10
|
||||
- });
|
||||
+ serverDefaultProtocols = getAvailableProtocols(
|
||||
+ new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ });
|
||||
+ } else {
|
||||
+ supportedProtocols = Arrays.asList(
|
||||
+ ProtocolVersion.TLS13,
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10,
|
||||
+ ProtocolVersion.SSL30,
|
||||
+ ProtocolVersion.SSL20Hello
|
||||
+ );
|
||||
+ supportedProtocols = Arrays.asList(
|
||||
+ ProtocolVersion.TLS13,
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ );
|
||||
+
|
||||
+ serverDefaultProtocols = getAvailableProtocols(
|
||||
+ new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS13,
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ });
|
||||
+ }
|
||||
|
||||
supportedCipherSuites = getApplicableSupportedCipherSuites(
|
||||
supportedProtocols);
|
||||
@@ -699,13 +719,26 @@
|
||||
private static final List<CipherSuite> clientDefaultCipherSuites;
|
||||
|
||||
static {
|
||||
- clientDefaultProtocols = getAvailableProtocols(
|
||||
- new ProtocolVersion[] {
|
||||
- ProtocolVersion.TLS13,
|
||||
- ProtocolVersion.TLS12,
|
||||
- ProtocolVersion.TLS11,
|
||||
- ProtocolVersion.TLS10
|
||||
- });
|
||||
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ // RH1860986: TLSv1.3 key derivation not supported with
|
||||
+ // the Security Providers available in system FIPS mode.
|
||||
+ clientDefaultProtocols = getAvailableProtocols(
|
||||
+ new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ });
|
||||
+ } else {
|
||||
+ clientDefaultProtocols = getAvailableProtocols(
|
||||
+ new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS13,
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ });
|
||||
+ }
|
||||
+
|
||||
|
||||
clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
|
||||
clientDefaultProtocols, true);
|
||||
@@ -842,12 +875,21 @@
|
||||
ProtocolVersion[] candidates;
|
||||
if (refactored.isEmpty()) {
|
||||
// Client and server use the same default protocols.
|
||||
- candidates = new ProtocolVersion[] {
|
||||
- ProtocolVersion.TLS13,
|
||||
- ProtocolVersion.TLS12,
|
||||
- ProtocolVersion.TLS11,
|
||||
- ProtocolVersion.TLS10
|
||||
- };
|
||||
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ candidates = new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ };
|
||||
+ } else {
|
||||
+ candidates = new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS13,
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ };
|
||||
+ }
|
||||
+ serverDefaultProtocols = getAvailableProtocols(
|
||||
+ new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS13,
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ });
|
||||
+ }
|
||||
} else {
|
||||
// Use the customized TLS protocols.
|
||||
candidates =
|
||||
supportedProtocols = Arrays.asList(
|
||||
ProtocolVersion.TLS13,
|
||||
@@ -620,6 +639,16 @@
|
||||
|
||||
static ProtocolVersion[] getSupportedProtocols() {
|
||||
if (SunJSSE.isFIPS()) {
|
||||
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ // RH1860986: TLSv1.3 key derivation not supported with
|
||||
+ // the Security Providers available in system FIPS mode.
|
||||
+ return new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ };
|
||||
+ }
|
||||
return new ProtocolVersion[] {
|
||||
ProtocolVersion.TLS13,
|
||||
ProtocolVersion.TLS12,
|
||||
@@ -949,6 +978,16 @@
|
||||
|
||||
static ProtocolVersion[] getProtocols() {
|
||||
if (SunJSSE.isFIPS()) {
|
||||
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
||||
+ .isSystemFipsEnabled()) {
|
||||
+ // RH1860986: TLSv1.3 key derivation not supported with
|
||||
+ // the Security Providers available in system FIPS mode.
|
||||
+ return new ProtocolVersion[] {
|
||||
+ ProtocolVersion.TLS12,
|
||||
+ ProtocolVersion.TLS11,
|
||||
+ ProtocolVersion.TLS10
|
||||
+ };
|
||||
+ }
|
||||
return new ProtocolVersion[]{
|
||||
ProtocolVersion.TLS13,
|
||||
ProtocolVersion.TLS12,
|
||||
diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java
|
||||
--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300
|
||||
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300
|
||||
@ -332,10 +289,10 @@ diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java
|
||||
import java.security.*;
|
||||
import java.util.*;
|
||||
+
|
||||
+import jdk.internal.access.SharedSecrets;
|
||||
+import jdk.internal.misc.SharedSecrets;
|
||||
import sun.security.rsa.SunRsaSignEntries;
|
||||
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
||||
|
||||
/**
|
||||
import static sun.security.provider.SunEntries.createAliases;
|
||||
@@ -195,8 +197,13 @@
|
||||
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
|
||||
ps("SSLContext", "TLSv1.2",
|
||||
@ -351,4 +308,4 @@ diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java
|
||||
+ }
|
||||
ps("SSLContext", "TLS",
|
||||
"sun.security.ssl.SSLContextImpl$TLSContext",
|
||||
List.of("SSL"), null);
|
||||
(isfips? null : createAliases("SSL")), null);
|
||||
|
@ -6,7 +6,7 @@ diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java
|
||||
import jdk.internal.event.EventHelper;
|
||||
import jdk.internal.event.SecurityPropertyModificationEvent;
|
||||
+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
|
||||
import jdk.internal.access.SharedSecrets;
|
||||
import jdk.internal.misc.SharedSecrets;
|
||||
import jdk.internal.util.StaticProperty;
|
||||
import sun.security.util.Debug;
|
||||
@@ -74,6 +75,15 @@
|
||||
|
Loading…
Reference in New Issue
Block a user