diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index ef90def..57e30d0 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -1171,8 +1171,7 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch # Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch -# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY -Patch1003: rh1842572-rsa_default_for_keytool.patch +Patch7: pr3695-toggle_system_crypto_policy.patch # FIPS support patches # RH1655466: Support RHEL FIPS mode using SunPKCS11 provider @@ -1539,13 +1538,13 @@ pushd %{top_level_dir_name} %patch3 -p1 %patch4 -p1 %patch6 -p1 +%patch7 -p1 popd # openjdk %patch1000 %patch600 %patch1001 %patch1002 -%patch1003 %patch1004 %patch1007 @@ -2259,7 +2258,12 @@ cjc.mainProgram(args) %changelog * Tue Jun 29 2021 Jiri Vanek -1:16.0.1.0.9-5.rolling - renamed source15 to source17 to match el8 -- added fips support +- added fips support: +- added pr3695-toggle_system_crypto_policy.patch ; missing prerequisity +- removed rh1655466-global_crypto_and_fips.patch; jdk16 do not have default algorithm, it throws exception +- adapted rh1655466-global_crypto_and_fips.patch +- adapted rh1860986-disable_tlsv1.3_in_fips_mode.patch (?) +- adapted rh1915071-always_initialise_configurator_access.patch * Thu Jun 17 2021 Petra Alice Mikova - 1:16.0.1.0.9-4.rolling - fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again diff --git a/pr3695-toggle_system_crypto_policy.patch b/pr3695-toggle_system_crypto_policy.patch new file mode 100644 index 0000000..3799237 --- /dev/null +++ b/pr3695-toggle_system_crypto_policy.patch @@ -0,0 +1,78 @@ +# HG changeset patch +# User andrew +# Date 1545198926 0 +# Wed Dec 19 05:55:26 2018 +0000 +# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776 +# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c +PR3695: Allow use of system crypto policy to be disabled by the user +Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile + +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -125,31 +125,6 @@ + } + + if ("true".equalsIgnoreCase(props.getProperty +- ("security.useSystemPropertiesFile"))) { +- +- // now load the system file, if it exists, so its values +- // will win if they conflict with the earlier values +- try (BufferedInputStream bis = +- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { +- props.load(bis); +- loadedProps = true; +- +- if (sdebug != null) { +- sdebug.println("reading system security properties file " + +- SYSTEM_PROPERTIES); +- sdebug.println(props.toString()); +- } +- } catch (IOException e) { +- if (sdebug != null) { +- sdebug.println +- ("unable to load security properties from " + +- SYSTEM_PROPERTIES); +- e.printStackTrace(); +- } +- } +- } +- +- if ("true".equalsIgnoreCase(props.getProperty + ("security.overridePropertiesFile"))) { + + String extraPropFile = System.getProperty +@@ -215,6 +190,33 @@ + } + } + ++ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); ++ if (disableSystemProps == null && ++ "true".equalsIgnoreCase(props.getProperty ++ ("security.useSystemPropertiesFile"))) { ++ ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ try (BufferedInputStream bis = ++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { ++ props.load(bis); ++ loadedProps = true; ++ ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ SYSTEM_PROPERTIES); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println ++ ("unable to load security properties from " + ++ SYSTEM_PROPERTIES); ++ e.printStackTrace(); ++ } ++ } ++ } ++ + if (!loadedProps) { + initializeStatic(); + if (sdebug != null) { diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch index 8bf1ced..684c4c4 100644 --- a/rh1655466-global_crypto_and_fips.patch +++ b/rh1655466-global_crypto_and_fips.patch @@ -197,7 +197,7 @@ diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjd +fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg +fips.provider.2=SUN +fips.provider.3=SunEC -+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++fips.provider.4=SunJSSE SunPKCS11-NSS-FIPS + +# # A list of preferred providers for specific algorithms. These providers will diff --git a/rh1842572-rsa_default_for_keytool.patch b/rh1842572-rsa_default_for_keytool.patch deleted file mode 100644 index 9f1dabc..0000000 --- a/rh1842572-rsa_default_for_keytool.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java ---- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java -+++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java -@@ -1135,7 +1135,7 @@ - } - } else if (command == GENKEYPAIR) { - if (keyAlgName == null) { -- keyAlgName = "DSA"; -+ keyAlgName = "RSA"; - } - doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName); - kssave = true; diff --git a/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/rh1860986-disable_tlsv1.3_in_fips_mode.patch index 0a76cad..b1bf3d6 100644 --- a/rh1860986-disable_tlsv1.3_in_fips_mode.patch +++ b/rh1860986-disable_tlsv1.3_in_fips_mode.patch @@ -160,20 +160,28 @@ diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecurityS +public interface JavaSecuritySystemConfiguratorAccess { + boolean isSystemFipsEnabled(); +} -diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java ---- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300 +diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +--- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300 +@@ -38,6 +38,7 @@ + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; + import java.security.Signature; ++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; + + /** A repository of "shared secrets", which are a mechanism for + calling implementation-private methods in another package without @@ -76,6 +76,7 @@ - private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; + private static JavaSecurityAccess javaSecurityAccess; private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; - public static JavaUtilJarAccess javaUtilJarAccess() { - if (javaUtilJarAccess == null) { + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; @@ -361,4 +362,12 @@ - } - return javaxCryptoSealedObjectAccess; + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} } + + public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { @@ -188,99 +196,134 @@ diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl --- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300 +++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300 @@ -31,6 +31,7 @@ - import java.security.cert.*; import java.util.*; + import java.util.concurrent.locks.ReentrantLock; import javax.net.ssl.*; -+import jdk.internal.misc.SharedSecrets; ++import jdk.internal.access.SharedSecrets; import sun.security.action.GetPropertyAction; import sun.security.provider.certpath.AlgorithmChecker; import sun.security.validator.Validator; -@@ -542,20 +543,38 @@ +@@ -536,22 +536,42 @@ + private static final List serverDefaultCipherSuites; static { - if (SunJSSE.isFIPS()) { -- supportedProtocols = Arrays.asList( -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- ); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); - -- serverDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10, +- ProtocolVersion.SSL30, +- ProtocolVersion.SSL20Hello +- ); +- +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10, ++ ProtocolVersion.SSL30, ++ ProtocolVersion.SSL20Hello ++ ); + -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10, ++ ProtocolVersion.SSL30, ++ ProtocolVersion.SSL20Hello ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + + supportedCipherSuites = getApplicableSupportedCipherSuites( + supportedProtocols); +@@ -699,13 +719,26 @@ + private static final List clientDefaultCipherSuites; + + static { +- clientDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ clientDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ clientDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } ++ + + clientDefaultCipherSuites = getApplicableEnabledCipherSuites( + clientDefaultProtocols, true); +@@ -842,12 +875,21 @@ + ProtocolVersion[] candidates; + if (refactored.isEmpty()) { + // Client and server use the same default protocols. +- candidates = new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }; ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } else { ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } } else { - supportedProtocols = Arrays.asList( - ProtocolVersion.TLS13, -@@ -620,6 +639,16 @@ - - static ProtocolVersion[] getSupportedProtocols() { - if (SunJSSE.isFIPS()) { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ return new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - return new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, -@@ -949,6 +978,16 @@ - - static ProtocolVersion[] getProtocols() { - if (SunJSSE.isFIPS()) { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ return new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - return new ProtocolVersion[]{ - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, + // Use the customized TLS protocols. + candidates = diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java --- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300 +++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300 @@ -289,10 +332,10 @@ diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java import java.security.*; import java.util.*; + -+import jdk.internal.misc.SharedSecrets; - import sun.security.rsa.SunRsaSignEntries; ++import jdk.internal.access.SharedSecrets; import static sun.security.util.SecurityConstants.PROVIDER_VER; - import static sun.security.provider.SunEntries.createAliases; + + /** @@ -195,8 +197,13 @@ "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); ps("SSLContext", "TLSv1.2", @@ -308,4 +351,4 @@ diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java + } ps("SSLContext", "TLS", "sun.security.ssl.SSLContextImpl$TLSContext", - (isfips? null : createAliases("SSL")), null); + List.of("SSL"), null); diff --git a/rh1915071-always_initialise_configurator_access.patch b/rh1915071-always_initialise_configurator_access.patch index 21ced06..36a0b92 100644 --- a/rh1915071-always_initialise_configurator_access.patch +++ b/rh1915071-always_initialise_configurator_access.patch @@ -6,7 +6,7 @@ diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java import jdk.internal.event.EventHelper; import jdk.internal.event.SecurityPropertyModificationEvent; +import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; - import jdk.internal.misc.SharedSecrets; + import jdk.internal.access.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.util.Debug; @@ -74,6 +75,15 @@