diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index acbf07b..7e79587 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -298,7 +298,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 33 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -751,6 +751,7 @@ exit 0 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security %config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access # these are config templates, thus not config-noreplace %config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template @@ -966,6 +967,8 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs +# for FIPS PKCS11 provider +Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives @@ -1136,6 +1139,9 @@ Source14: TestECDSA.java # Verify system crypto (policy) can be disabled via a property Source15: TestSecurityProperties.java +# nss fips configuration file +Source17: nss.fips.cfg.in + ############################################ # # RPM/distribution specific patches @@ -1160,6 +1166,16 @@ Patch5: pr3695-toggle_system_crypto_policy.patch # Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +# FIPS support patches +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +Patch1001: rh1655466-global_crypto_and_fips.patch +# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode +Patch1002: rh1818909-fips_default_keystore_type.patch +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch +# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +Patch1007: rh1915071-always_initialise_configurator_access.patch + ############################################# # # OpenJDK patches in need of upstreaming @@ -1516,6 +1532,10 @@ popd # openjdk %patch1000 %patch600 +%patch1001 +%patch1002 +%patch1004 +%patch1007 # Extract systemtap tapsets %if %{with_systemtap} @@ -1564,6 +1584,9 @@ done # Setup nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg +# Setup nss.fips.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg +sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build # How many CPU's do we have? @@ -1717,6 +1740,9 @@ export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg $JAVA_HOME/conf/security/ +# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) +install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ + # Use system-wide tzdata rm $JAVA_HOME/lib/tzdb.dat ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat @@ -2235,6 +2261,21 @@ cjc.mainProgram(args) %endif %changelog +* Mon Sep 06 2021 Andrew Hughes - 1:17.0.0.0.33-0.2.ea.rolling +- Update RH1655466 FIPS patch with changes in OpenJDK 8 version. +- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. +- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. +- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. +- Disable FIPS mode support unless com.redhat.fips is set to "true". +- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). +- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode +- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) + +* Mon Sep 06 2021 Martin Balao - 1:17.0.0.0.33-0.2.ea.rolling +- Support the FIPS mode crypto policy (RH1655466) +- Use appropriate keystore types when in FIPS mode (RH1818909) +- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) + * Mon Aug 30 2021 Jiri Vanek - 1:17.0.0.0.33-0.1.ea.rolling - alternatives creation moved to posttrans - Thus fixing the old reisntall issue: diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in new file mode 100644 index 0000000..ead27be --- /dev/null +++ b/nss.fips.cfg.in @@ -0,0 +1,6 @@ +name = NSS-FIPS +nssLibraryDirectory = @NSS_LIBDIR@ +nssSecmodDirectory = @NSS_SECMOD@ +nssDbMode = readOnly +nssModule = fips + diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch new file mode 100644 index 0000000..80cd91c --- /dev/null +++ b/rh1655466-global_crypto_and_fips.patch @@ -0,0 +1,205 @@ +diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -196,26 +196,8 @@ + if (disableSystemProps == null && + "true".equalsIgnoreCase(props.getProperty + ("security.useSystemPropertiesFile"))) { +- +- // now load the system file, if it exists, so its values +- // will win if they conflict with the earlier values +- try (BufferedInputStream bis = +- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { +- props.load(bis); ++ if (SystemConfigurator.configure(props)) { + loadedProps = true; +- +- if (sdebug != null) { +- sdebug.println("reading system security properties file " + +- SYSTEM_PROPERTIES); +- sdebug.println(props.toString()); +- } +- } catch (IOException e) { +- if (sdebug != null) { +- sdebug.println +- ("unable to load security properties from " + +- SYSTEM_PROPERTIES); +- e.printStackTrace(); +- } + } + } + +diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +--- /dev/null ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,151 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.nio.file.Files; ++import java.nio.file.Path; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++import java.util.function.Consumer; ++import java.util.regex.Matcher; ++import java.util.regex.Pattern; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static final String CRYPTO_POLICIES_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/config"; ++ ++ private static final class SecurityProviderInfo { ++ int number; ++ String key; ++ String value; ++ SecurityProviderInfo(int number, String key, String value) { ++ this.number = number; ++ this.key = key; ++ this.value = value; ++ } ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configure(Properties props) { ++ boolean loadedProps = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ loadedProps = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ loadedProps = false; ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ loadedProps = true; ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /* ++ * FIPS is enabled only if crypto-policies are set to "FIPS" ++ * and the com.redhat.fips property is true. ++ */ ++ private static boolean enableFips() throws Exception { ++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (fipsEnabled) { ++ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); ++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } ++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); ++ return pattern.matcher(cryptoPoliciesConfig).find(); ++ } else { ++ return false; ++ } ++ } ++} +diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security +--- openjdk.orig/src/java.base/share/conf/security/java.security ++++ openjdk/src/java.base/share/conf/security/java.security +@@ -87,6 +87,14 @@ + #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg + + # ++# Security providers used when global crypto-policies are set to FIPS. ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=SunJSSE ++ ++# + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. + # Entries containing errors (parsing, etc) will be ignored. Use the diff --git a/rh1818909-fips_default_keystore_type.patch b/rh1818909-fips_default_keystore_type.patch new file mode 100644 index 0000000..ff34f3e --- /dev/null +++ b/rh1818909-fips_default_keystore_type.patch @@ -0,0 +1,52 @@ +diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300 +@@ -123,6 +123,33 @@ + } + props.put(fipsProviderKey, fipsProviderValue); + } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } + loadedProps = true; + } + } catch (Exception e) { +diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux +--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300 +@@ -299,6 +299,11 @@ + keystore.type=pkcs12 + + # ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=PKCS11 ++ ++# + # Controls compatibility mode for JKS and PKCS12 keystore types. + # + # When set to 'true', both JKS and PKCS12 keystore types support loading diff --git a/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/rh1860986-disable_tlsv1.3_in_fips_mode.patch new file mode 100644 index 0000000..8dcd9a8 --- /dev/null +++ b/rh1860986-disable_tlsv1.3_in_fips_mode.patch @@ -0,0 +1,318 @@ +diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index f9baf8c9742..60fa75cab45 100644 +--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -1,11 +1,13 @@ + /* +- * Copyright (c) 2019, Red Hat, Inc. ++ * Copyright (c) 2019, 2020, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as +- * published by the Free Software Foundation. ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +@@ -34,10 +36,10 @@ import java.nio.file.Path; + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.function.Consumer; +-import java.util.regex.Matcher; + import java.util.regex.Pattern; + ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; ++import jdk.internal.access.SharedSecrets; + import sun.security.util.Debug; + + /** +@@ -47,7 +49,7 @@ import sun.security.util.Debug; + * + */ + +-class SystemConfigurator { ++final class SystemConfigurator { + + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -61,15 +63,16 @@ class SystemConfigurator { + private static final String CRYPTO_POLICIES_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/config"; + +- private static final class SecurityProviderInfo { +- int number; +- String key; +- String value; +- SecurityProviderInfo(int number, String key, String value) { +- this.number = number; +- this.key = key; +- this.value = value; +- } ++ private static boolean systemFipsEnabled = false; ++ ++ static { ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); + } + + /* +@@ -128,9 +131,9 @@ class SystemConfigurator { + String nonFipsKeystoreType = props.getProperty("keystore.type"); + props.put("keystore.type", keystoreTypeValue); + if (keystoreTypeValue.equals("PKCS11")) { +- // If keystore.type is PKCS11, javax.net.ssl.keyStore +- // must be "NONE". See JDK-8238264. +- System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); + } + if (System.getProperty("javax.net.ssl.trustStoreType") == null) { + // If no trustStoreType has been set, use the +@@ -144,12 +147,13 @@ class SystemConfigurator { + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + +- System.getProperty("javax.net.ssl.keyStore", "")); ++ System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } + } + loadedProps = true; ++ systemFipsEnabled = true; + } + } catch (Exception e) { + if (sdebug != null) { +@@ -160,13 +164,30 @@ class SystemConfigurator { + return loadedProps; + } + ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ + /* + * FIPS is enabled only if crypto-policies are set to "FIPS" + * and the com.redhat.fips property is true. + */ + private static boolean enableFips() throws Exception { +- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); +- if (fipsEnabled) { ++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (shouldEnable) { + String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); + if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } + Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +diff --git openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..a31e93ec02e +--- /dev/null ++++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,30 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.access; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++} +diff --git openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +index f6d3638c3dd..5a2c9eb0c46 100644 +--- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ++++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +@@ -81,6 +81,7 @@ public class SharedSecrets { + private static JavaSecuritySpecAccess javaSecuritySpecAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; +@@ -442,4 +443,12 @@ public class SharedSecrets { + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +index 6ffdfeda18d..775b185fb06 100644 +--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java ++++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +@@ -32,6 +32,7 @@ import java.security.cert.*; + import java.util.*; + import java.util.concurrent.locks.ReentrantLock; + import javax.net.ssl.*; ++import jdk.internal.access.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi { + private static final List serverDefaultCipherSuites; + + static { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10, +- ProtocolVersion.SSL30, +- ProtocolVersion.SSL20Hello +- ); +- +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10, ++ ProtocolVersion.SSL30, ++ ProtocolVersion.SSL20Hello ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + + supportedCipherSuites = getApplicableSupportedCipherSuites( + supportedProtocols); +@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { + ProtocolVersion[] candidates; + if (refactored.isEmpty()) { + // Client and server use the same default protocols. +- candidates = new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }; ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } else { ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + } else { + // Use the customized TLS protocols. + candidates = +diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +index 894e26dfad8..8b16378b96b 100644 +--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java ++++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +@@ -27,6 +27,8 @@ package sun.security.ssl; + + import java.security.*; + import java.util.*; ++ ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + + /** +@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider { + "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); + ps("SSLContext", "TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); +- ps("SSLContext", "TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ ps("SSLContext", "TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ } + ps("SSLContext", "TLS", + "sun.security.ssl.SSLContextImpl$TLSContext", + List.of("SSL"), null); diff --git a/rh1915071-always_initialise_configurator_access.patch b/rh1915071-always_initialise_configurator_access.patch new file mode 100644 index 0000000..513fbbf --- /dev/null +++ b/rh1915071-always_initialise_configurator_access.patch @@ -0,0 +1,70 @@ +diff --git openjdk/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index f1633afb627..ce32c939253 100644 +--- openjdk/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -32,6 +32,7 @@ import java.net.URL; + + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -74,6 +75,15 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -194,9 +204,8 @@ public final class Security { + } + + String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); +- if (disableSystemProps == null && +- "true".equalsIgnoreCase(props.getProperty +- ("security.useSystemPropertiesFile"))) { ++ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && ++ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { + if (SystemConfigurator.configure(props)) { + loadedProps = true; + } +diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 60fa75cab45..10b54aa4ce4 100644 +--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -38,8 +38,6 @@ import java.util.Map.Entry; + import java.util.Properties; + import java.util.regex.Pattern; + +-import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; +-import jdk.internal.access.SharedSecrets; + import sun.security.util.Debug; + + /** +@@ -65,16 +63,6 @@ final class SystemConfigurator { + + private static boolean systemFipsEnabled = false; + +- static { +- SharedSecrets.setJavaSecuritySystemConfiguratorAccess( +- new JavaSecuritySystemConfiguratorAccess() { +- @Override +- public boolean isSystemFipsEnabled() { +- return SystemConfigurator.isSystemFipsEnabled(); +- } +- }); +- } +- + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and