Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:GA
java-11-openjdk.21230
fips.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File fips.patch of Package java-11-openjdk.21230
--- jdk11u/make/autoconf/libraries.m4 2021-09-15 11:08:06.759855569 +0200 +++ jdk11u/make/autoconf/libraries.m4 2021-09-15 11:49:53.573054021 +0200 @@ -101,6 +101,7 @@ LIB_SETUP_LIBFFI LIB_SETUP_BUNDLED_LIBS LIB_SETUP_MISC_LIBS + LIB_SETUP_SYSCONF_LIBS LIB_SETUP_SOLARIS_STLPORT LIB_TESTS_SETUP_GRAALUNIT @@ -223,3 +224,62 @@ fi ]) +################################################################################ +# Setup system configuration libraries +################################################################################ +AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], +[ + ############################################################################### + # + # Check for the NSS library + # + + AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) + + # default is not available + DEFAULT_SYSCONF_NSS=no + + AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], + [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], + [ + case "${enableval}" in + yes) + sysconf_nss=yes + ;; + *) + sysconf_nss=no + ;; + esac + ], + [ + sysconf_nss=${DEFAULT_SYSCONF_NSS} + ]) + AC_MSG_RESULT([$sysconf_nss]) + + USE_SYSCONF_NSS=false + if test "x${sysconf_nss}" = "xyes"; then + PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) + if test "x${NSS_FOUND}" = "xyes"; then + AC_MSG_CHECKING([for system FIPS support in NSS]) + saved_libs="${LIBS}" + saved_cflags="${CFLAGS}" + CFLAGS="${CFLAGS} ${NSS_CFLAGS}" + LIBS="${LIBS} ${NSS_LIBS}" + AC_LANG_PUSH([C]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]], + [[SECMOD_GetSystemFIPSEnabled()]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) + AC_MSG_ERROR([System NSS FIPS detection unavailable])]) + AC_LANG_POP([C]) + CFLAGS="${saved_cflags}" + LIBS="${saved_libs}" + USE_SYSCONF_NSS=true + else + dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API + dnl in nss3/pk11pub.h. + AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) + fi + fi + AC_SUBST(USE_SYSCONF_NSS) +]) --- jdk11u/make/autoconf/spec.gmk.in 2021-09-15 11:08:06.759855569 +0200 +++ jdk11u/make/autoconf/spec.gmk.in 2021-09-15 11:49:53.573054021 +0200 @@ -828,6 +828,10 @@ # Libraries # +USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ +NSS_LIBS:=@NSS_LIBS@ +NSS_CFLAGS:=@NSS_CFLAGS@ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ LCMS_CFLAGS:=@LCMS_CFLAGS@ LCMS_LIBS:=@LCMS_LIBS@ --- jdk11u/make/lib/Lib-java.base.gmk 2021-09-15 11:08:06.807855901 +0200 +++ jdk11u/make/lib/Lib-java.base.gmk 2021-09-15 11:49:53.573054021 +0200 @@ -179,6 +179,31 @@ endif ################################################################################ +# Create the systemconf library + +LIBSYSTEMCONF_CFLAGS := +LIBSYSTEMCONF_CXXFLAGS := + +ifeq ($(USE_SYSCONF_NSS), true) + LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS + LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS +endif + +ifeq ($(OPENJDK_BUILD_OS), linux) + $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ + NAME := systemconf, \ + OPTIMIZATION := LOW, \ + CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ + CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ + LDFLAGS := $(LDFLAGS_JDKLIB) \ + $(call SET_SHARED_LIBRARY_ORIGIN), \ + LIBS_unix := $(LIBDL) $(NSS_LIBS), \ + )) + + TARGETS += $(BUILD_LIBSYSTEMCONF) +endif + +################################################################################ # Create the symbols file for static builds. ifeq ($(STATIC_BUILD), true) --- jdk11u/make/nb_native/nbproject/configurations.xml 2021-09-15 11:08:06.811855929 +0200 +++ jdk11u/make/nb_native/nbproject/configurations.xml 2021-09-15 11:49:53.581054074 +0200 @@ -2950,6 +2950,9 @@ <in>LinuxWatchService.c</in> </df> </df> + <df name="libsystemconf"> + <in>systemconf.c</in> + </df> </df> </df> <df name="macosx"> @@ -29300,6 +29303,11 @@ ex="false" tool="0" flavor2="0"> + </item> + <item path="../../src/java.base/linux/native/libsystemconf/systemconf.c" + ex="false" + tool="0" + flavor2="0"> </item> <item path="../../src/java.base/macosx/native/include/jni_md.h" ex="false" --- jdk11u/make/scripts/compare_exceptions.sh.incl 2021-09-15 11:08:06.811855929 +0200 +++ jdk11u/make/scripts/compare_exceptions.sh.incl 2021-09-15 11:49:53.581054074 +0200 @@ -179,6 +179,7 @@ ./lib/libsplashscreen.so ./lib/libsunec.so ./lib/libsunwjdga.so + ./lib/libsystemconf.so ./lib/libunpack.so ./lib/libverify.so ./lib/libzip.so @@ -289,6 +290,7 @@ ./lib/libsplashscreen.so ./lib/libsunec.so ./lib/libsunwjdga.so + ./lib/libsystemconf.so ./lib/libunpack.so ./lib/libverify.so ./lib/libzip.so --- jdk11u/src/java.base/linux/native/libsystemconf/systemconf.c 1970-01-01 01:00:00.000000000 +0100 +++ jdk11u/src/java.base/linux/native/libsystemconf/systemconf.c 2021-09-15 11:49:53.585054101 +0200 @@ -0,0 +1,168 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +#include <dlfcn.h> +#include <jni.h> +#include <jni_util.h> +#include <stdio.h> + +#ifdef SYSCONF_NSS +#include <nss3/pk11pub.h> +#endif //SYSCONF_NSS + +#include "java_security_SystemConfigurator.h" + +#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" +#define MSG_MAX_SIZE 96 + +static jmethodID debugPrintlnMethodID = NULL; +static jobject debugObj = NULL; + +static void throwIOException(JNIEnv *env, const char *msg); +static void dbgPrint(JNIEnv *env, const char* msg); + +/* + * Class: java_security_SystemConfigurator + * Method: JNI_OnLoad + */ +JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) +{ + JNIEnv *env; + jclass sysConfCls, debugCls; + jfieldID sdebugFld; + + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return JNI_EVERSION; /* JNI version not supported */ + } + + sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); + if (sysConfCls == NULL) { + printf("libsystemconf: SystemConfigurator class not found\n"); + return JNI_ERR; + } + sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, + "sdebug", "Lsun/security/util/Debug;"); + if (sdebugFld == NULL) { + printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); + return JNI_ERR; + } + debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); + if (debugObj != NULL) { + debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); + if (debugCls == NULL) { + printf("libsystemconf: Debug class not found\n"); + return JNI_ERR; + } + debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, + "println", "(Ljava/lang/String;)V"); + if (debugPrintlnMethodID == NULL) { + printf("libsystemconf: Debug::println(String) method not found\n"); + return JNI_ERR; + } + debugObj = (*env)->NewGlobalRef(env, debugObj); + } + + return (*env)->GetVersion(env); +} + +/* + * Class: java_security_SystemConfigurator + * Method: JNI_OnUnload + */ +JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) +{ + JNIEnv *env; + + if (debugObj != NULL) { + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return; /* Should not happen */ + } + (*env)->DeleteGlobalRef(env, debugObj); + } +} + +JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled + (JNIEnv *env, jclass cls) +{ + int fips_enabled; + char msg[MSG_MAX_SIZE]; + int msg_bytes; + +#ifdef SYSCONF_NSS + + dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); + fips_enabled = SECMOD_GetSystemFIPSEnabled(); + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); + if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { + dbgPrint(env, msg); + } else { + dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ + " SECMOD_GetSystemFIPSEnabled return value"); + } + return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); + +#else // SYSCONF_NSS + + FILE *fe; + + dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); + if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); + } + fips_enabled = fgetc(fe); + fclose(fe); + if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); + } + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " read character is '%c'", fips_enabled); + if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { + dbgPrint(env, msg); + } else { + dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ + " read character"); + } + return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); + +#endif // SYSCONF_NSS +} + +static void throwIOException(JNIEnv *env, const char *msg) +{ + jclass cls = (*env)->FindClass(env, "java/io/IOException"); + if (cls != 0) + (*env)->ThrowNew(env, cls, msg); +} + +static void dbgPrint(JNIEnv *env, const char* msg) +{ + jstring jMsg; + if (debugObj != NULL) { + jMsg = (*env)->NewStringUTF(env, msg); + CHECK_NULL(jMsg); + (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); + } +} --- jdk11u/src/java.base/share/classes/java/security/Security.java 2021-09-15 11:08:06.951856897 +0200 +++ jdk11u/src/java.base/share/classes/java/security/Security.java 2021-09-15 11:15:47.591040330 +0200 @@ -32,6 +32,7 @@ import jdk.internal.event.EventHelper; import jdk.internal.event.SecurityPropertyModificationEvent; +import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; import jdk.internal.misc.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.util.Debug; @@ -74,6 +75,15 @@ } static { + // Initialise here as used by code with system properties disabled + SharedSecrets.setJavaSecuritySystemConfiguratorAccess( + new JavaSecuritySystemConfiguratorAccess() { + @Override + public boolean isSystemFipsEnabled() { + return SystemConfigurator.isSystemFipsEnabled(); + } + }); + // doPrivileged here because there are multiple // things in initialize that might require privs. // (the FileInputStream call and the File.exists call, @@ -193,29 +203,10 @@ } String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); - if (disableSystemProps == null && - "true".equalsIgnoreCase(props.getProperty - ("security.useSystemPropertiesFile"))) { - - // now load the system file, if it exists, so its values - // will win if they conflict with the earlier values - try (BufferedInputStream bis = - new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { - props.load(bis); + if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && + "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { + if (SystemConfigurator.configure(props)) { loadedProps = true; - - if (sdebug != null) { - sdebug.println("reading system security properties file " + - SYSTEM_PROPERTIES); - sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { - sdebug.println - ("unable to load security properties from " + - SYSTEM_PROPERTIES); - e.printStackTrace(); - } } } --- jdk11u/src/java.base/share/classes/java/security/SystemConfigurator.java 1970-01-01 01:00:00.000000000 +0100 +++ jdk11u/src/java.base/share/classes/java/security/SystemConfigurator.java 2021-09-15 11:51:11.289578677 +0200 @@ -0,0 +1,212 @@ +/* + * Copyright (c) 2019, 2021, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package java.security; + +import java.io.BufferedInputStream; +import java.io.FileInputStream; +import java.io.IOException; + +import java.util.Iterator; +import java.util.Map.Entry; +import java.util.Properties; + +import sun.security.util.Debug; + +/** + * Internal class to align OpenJDK with global crypto-policies. + * Called from java.security.Security class initialization, + * during startup. + * + */ + +final class SystemConfigurator { + + private static final Debug sdebug = + Debug.getInstance("properties"); + + private static final String CRYPTO_POLICIES_BASE_DIR = + "/etc/crypto-policies"; + + private static final String CRYPTO_POLICIES_JAVA_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + + private static boolean systemFipsEnabled = false; + + private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; + + private static native boolean getSystemFIPSEnabled() + throws IOException; + + static { + AccessController.doPrivileged(new PrivilegedAction<Void>() { + public Void run() { + System.loadLibrary(SYSTEMCONF_NATIVE_LIB); + return null; + } + }); + } + + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and + * security.useSystemPropertiesFile is true. + */ + static boolean configure(Properties props) { + boolean loadedProps = false; + + try (BufferedInputStream bis = + new BufferedInputStream( + new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { + props.load(bis); + loadedProps = true; + if (sdebug != null) { + sdebug.println("reading system security properties file " + + CRYPTO_POLICIES_JAVA_CONFIG); + sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { + sdebug.println("unable to load security properties from " + + CRYPTO_POLICIES_JAVA_CONFIG); + e.printStackTrace(); + } + } + + try { + if (enableFips()) { + if (sdebug != null) { sdebug.println("FIPS mode detected"); } + loadedProps = false; + // Remove all security providers + Iterator<Entry<Object, Object>> i = props.entrySet().iterator(); + while (i.hasNext()) { + Entry<Object, Object> e = i.next(); + if (((String) e.getKey()).startsWith("security.provider")) { + if (sdebug != null) { sdebug.println("Removing provider: " + e); } + i.remove(); + } + } + // Add FIPS security providers + String fipsProviderValue = null; + for (int n = 1; + (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { + String fipsProviderKey = "security.provider." + n; + if (sdebug != null) { + sdebug.println("Adding provider " + n + ": " + + fipsProviderKey + "=" + fipsProviderValue); + } + props.put(fipsProviderKey, fipsProviderValue); + } + // Add other security properties + String keystoreTypeValue = (String) props.get("fips.keystore.type"); + if (keystoreTypeValue != null) { + String nonFipsKeystoreType = props.getProperty("keystore.type"); + props.put("keystore.type", keystoreTypeValue); + if (keystoreTypeValue.equals("PKCS11")) { + // If keystore.type is PKCS11, javax.net.ssl.keyStore + // must be "NONE". See JDK-8238264. + System.setProperty("javax.net.ssl.keyStore", "NONE"); + } + if (System.getProperty("javax.net.ssl.trustStoreType") == null) { + // If no trustStoreType has been set, use the + // previous keystore.type under FIPS mode. In + // a default configuration, the Trust Store will + // be 'cacerts' (JKS type). + System.setProperty("javax.net.ssl.trustStoreType", + nonFipsKeystoreType); + } + if (sdebug != null) { + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + + System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } + } + loadedProps = true; + systemFipsEnabled = true; + } + } catch (Exception e) { + if (sdebug != null) { + sdebug.println("unable to load FIPS configuration"); + e.printStackTrace(); + } + } + return loadedProps; + } + + /** + * Returns whether or not global system FIPS alignment is enabled. + * + * Value is always 'false' before java.security.Security class is + * initialized. + * + * Call from out of this package through SharedSecrets: + * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + * .isSystemFipsEnabled(); + * + * @return a boolean value indicating whether or not global + * system FIPS alignment is enabled. + */ + static boolean isSystemFipsEnabled() { + return systemFipsEnabled; + } + + /* + * OpenJDK FIPS mode will be enabled only if the com.suse.fips + * system property is true (default) and the system is in FIPS mode. + * + * There are 2 possible ways in which OpenJDK detects that the system + * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is + * available at OpenJDK's built-time, it is called; 2) otherwise, the + * /proc/sys/crypto/fips_enabled file is read. + */ + private static boolean enableFips() throws Exception { + boolean shouldEnable = Boolean.valueOf(System.getProperty("com.suse.fips", "true")); + if (shouldEnable) { + if (sdebug != null) { + sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); + } + try { + shouldEnable = getSystemFIPSEnabled(); + if (sdebug != null) { + sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " + + shouldEnable); + } + return shouldEnable; + } catch (IOException e) { + if (sdebug != null) { + sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); + sdebug.println(e.getMessage()); + } + throw e; + } + } else { + return false; + } + } +} --- jdk11u/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java 1970-01-01 01:00:00.000000000 +0100 +++ jdk11u/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java 2021-09-15 11:09:32.636449814 +0200 @@ -0,0 +1,30 @@ +/* + * Copyright (c) 2020, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package jdk.internal.misc; + +public interface JavaSecuritySystemConfiguratorAccess { + boolean isSystemFipsEnabled(); +} --- jdk11u/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java 2021-09-15 11:08:06.975857064 +0200 +++ jdk11u/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java 2021-09-15 11:09:32.636449814 +0200 @@ -76,6 +76,7 @@ private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; public static JavaUtilJarAccess javaUtilJarAccess() { if (javaUtilJarAccess == null) { @@ -361,4 +362,12 @@ } return javaxCryptoSealedObjectAccess; } + + public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { + javaSecuritySystemConfiguratorAccess = jssca; + } + + public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { + return javaSecuritySystemConfiguratorAccess; + } } --- jdk11u/src/java.base/share/classes/module-info.java 2021-09-15 11:08:06.927856732 +0200 +++ jdk11u/src/java.base/share/classes/module-info.java 2021-09-15 11:45:17.663191392 +0200 @@ -182,6 +182,7 @@ java.security.jgss, java.sql, java.xml, + jdk.crypto.cryptoki, jdk.jartool, jdk.attach, jdk.charsets, --- jdk11u/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java 2021-09-15 11:08:06.995857202 +0200 +++ jdk11u/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java 2021-09-15 11:09:32.640449841 +0200 @@ -31,6 +31,7 @@ import java.security.cert.*; import java.util.*; import javax.net.ssl.*; +import jdk.internal.misc.SharedSecrets; import sun.security.action.GetPropertyAction; import sun.security.provider.certpath.AlgorithmChecker; import sun.security.validator.Validator; @@ -542,6 +543,23 @@ static { if (SunJSSE.isFIPS()) { + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + ); + + serverDefaultProtocols = getAvailableProtocols( + new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }); + } else { supportedProtocols = Arrays.asList( ProtocolVersion.TLS13, ProtocolVersion.TLS12, @@ -556,6 +574,7 @@ ProtocolVersion.TLS11, ProtocolVersion.TLS10 }); + } } else { supportedProtocols = Arrays.asList( ProtocolVersion.TLS13, @@ -620,6 +639,16 @@ static ProtocolVersion[] getSupportedProtocols() { if (SunJSSE.isFIPS()) { + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + return new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }; + } return new ProtocolVersion[] { ProtocolVersion.TLS13, ProtocolVersion.TLS12, @@ -949,6 +978,16 @@ static ProtocolVersion[] getProtocols() { if (SunJSSE.isFIPS()) { + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + return new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }; + } return new ProtocolVersion[]{ ProtocolVersion.TLS13, ProtocolVersion.TLS12, --- jdk11u/src/java.base/share/classes/sun/security/ssl/SunJSSE.java 2021-09-15 11:08:06.999857230 +0200 +++ jdk11u/src/java.base/share/classes/sun/security/ssl/SunJSSE.java 2021-09-15 11:09:32.640449841 +0200 @@ -27,6 +27,8 @@ import java.security.*; import java.util.*; + +import jdk.internal.misc.SharedSecrets; import sun.security.rsa.SunRsaSignEntries; import static sun.security.util.SecurityConstants.PROVIDER_VER; import static sun.security.provider.SunEntries.createAliases; @@ -195,8 +197,13 @@ "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); ps("SSLContext", "TLSv1.2", "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); + if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. ps("SSLContext", "TLSv1.3", "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); + } ps("SSLContext", "TLS", "sun.security.ssl.SSLContextImpl$TLSContext", (isfips? null : createAliases("SSL")), null); --- jdk11u/src/java.base/share/conf/security/java.security 2021-09-15 11:08:07.007857286 +0200 +++ jdk11u/src/java.base/share/conf/security/java.security 2021-09-15 11:09:01.628235280 +0200 @@ -86,6 +86,14 @@ #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg # +# Security providers used when global crypto-policies are set to FIPS. +# +fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg +fips.provider.2=SUN +fips.provider.3=SunEC +fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS + +# # A list of preferred providers for specific algorithms. These providers will # be searched for matching algorithms before the list of registered providers. # Entries containing errors (parsing, etc) will be ignored. Use the @@ -299,6 +307,11 @@ keystore.type=pkcs12 # +# Default keystore type used when global crypto-policies are set to FIPS. +# +fips.keystore.type=PKCS11 + +# # Controls compatibility mode for JKS and PKCS12 keystore types. # # When set to 'true', both JKS and PKCS12 keystore types support loading --- jdk11u/src/java.base/share/lib/security/default.policy 2021-09-15 11:08:07.007857286 +0200 +++ jdk11u/src/java.base/share/lib/security/default.policy 2021-09-15 11:44:48.782996436 +0200 @@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { permission java.lang.RuntimePermission "accessClassInPackage.com.sun.crypto.provider"; + permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; --- jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 2021-09-15 11:08:07.307859361 +0200 +++ jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 2021-09-15 11:45:17.663191392 +0200 @@ -42,6 +42,8 @@ import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.TextOutputCallback; +import jdk.internal.misc.SharedSecrets; + import sun.security.util.Debug; import sun.security.util.ResourcesMgr; import static sun.security.util.SecurityConstants.PROVIDER_VER; @@ -59,6 +61,9 @@ */ public final class SunPKCS11 extends AuthProvider { + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); + private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); @@ -373,6 +378,24 @@ if (nssModule != null) { nssModule.setProvider(this); } + if (systemFipsEnabled) { + // The NSS Software Token in FIPS 140-2 mode requires a user + // login for most operations. See sftk_fipsCheck. The NSS DB + // (/etc/pki/nssdb) PIN is empty. + Session session = null; + try { + session = token.getOpSession(); + p11.C_Login(session.id(), CKU_USER, new char[] {}); + } catch (PKCS11Exception p11e) { + if (debug != null) { + debug.println("Error during token login: " + + p11e.getMessage()); + } + throw p11e; + } finally { + token.releaseSession(session); + } + } } catch (Exception e) { if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { throw new UnsupportedOperationException
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
