java-latest-openjdk

Commit Graph

Author	SHA1	Message	Date
Francisco Ferrari Bihurriet	742fc4c474	RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION	2022-07-01 02:05:02 +01:00
Severin Gehwolf	62ce7fecfc	Use 'sql:' prefix in nss.fips.cfg Fedora 35 and better no longer ship the legacy secmod.db file as part of the nss package. Explicitly tell OpenJDK to use sqlite-based sec mode. Resolves: RHBZ#2019555	2021-11-05 14:28:40 +01:00
Andrew John Hughes	e426a3c6f9	Support the FIPS mode crypto policy (RH1655466) Update RH1655466 FIPS patch with changes in OpenJDK 8 version. SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. Disable FIPS mode support unless com.redhat.fips is set to "true". Use appropriate keystore types when in FIPS mode (RH1818909) Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)	2021-09-06 01:15:24 +01:00

Author

SHA1

Message

Date

Francisco Ferrari Bihurriet

742fc4c474

RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode

Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see:
https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION

2022-07-01 02:05:02 +01:00

Severin Gehwolf

62ce7fecfc

Use 'sql:' prefix in nss.fips.cfg

Fedora 35 and better no longer ship the legacy
secmod.db file as part of the nss package. Explicitly
tell OpenJDK to use sqlite-based sec mode.

Resolves: RHBZ#2019555

2021-11-05 14:28:40 +01:00

Andrew John Hughes

e426a3c6f9

Support the FIPS mode crypto policy (RH1655466)

Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
Disable FIPS mode support unless com.redhat.fips is set to "true".
Use appropriate keystore types when in FIPS mode (RH1818909)
Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)

2021-09-06 01:15:24 +01:00

3 Commits