/[packages]/backports/8/java-latest-openjdk/current/SOURCES/rh1655466-global_crypto_and_fips.patch

Contents of /backports/8/java-latest-openjdk/current/SOURCES/rh1655466-global_crypto_and_fips.patch



Revision 1760752 - (show annotations) (download)
Sat Dec 4 23:35:46 2021 UTC (2 years, 10 months ago) by neoclust
File size: 8224 byte(s)
New version 16.0.2+7
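diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -196,26 +196,8 @@
 if (disableSystemProps == null &&
 "true".equalsIgnoreCase(props.getProperty
 ("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
+ if (SystemConfigurator.configure(props)) {
 loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
 }
 }
 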
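Review bot: The new call `SystemConfigurator.configure(props)` drops the comment that explained why a system file is overlaid at this point (its values win over the ones loaded earlier), and the call site now carries no explanation of what the configurator does to `props`; the enclosing method starts and ends outside the hunk. From the companion hunk in this patch, `configure` loads `/etc/crypto-policies/back-ends/java.config` over `props` and, when FIPS mode is detected, replaces every `security.provider.*` entry with the `fips.provider.*` list, so a reader of `Security.java` alone cannot tell that providers may be rewritten here. Suggest a comment above the call such as `// Overlay the global crypto-policies java.config (and, in FIPS mode, the fips.provider.* list) so its values win over those loaded above`.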
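diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
new file mode 100644
--- /dev/null
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.security;
+
+import java.io.BufferedInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import java.util.Iterator;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.function.Consumer;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import sun.security.util.Debug;
+
+/**
+ * Internal class to align OpenJDK with global crypto-policies.
+ * Called from java.security.Security class initialization,
+ * during startup.
+ *
+ */
+
+class SystemConfigurator {
+
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
+ private static final String CRYPTO_POLICIES_BASE_DIR =
+ "/etc/crypto-policies";
+
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+ private static final String CRYPTO_POLICIES_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/config";
+
+ private static final class SecurityProviderInfo {
+ int number;
+ String key;
+ String value;
+ SecurityProviderInfo(int number, String key, String value) {
+ this.number = number;
+ this.key = key;
+ this.value = value;
+ }
+ }
+
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
+ * security.useSystemPropertiesFile is true.
+ */
+ static boolean configure(Properties props) {
+ boolean loadedProps = false;
+
+ try (BufferedInputStream bis =
+ new BufferedInputStream(
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+ props.load(bis);
+ loadedProps = true;
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties from " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ e.printStackTrace();
+ }
+ }
+
+ try {
+ if (enableFips()) {
+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+ loadedProps = false;
+ // Remove all security providers
+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+ while (i.hasNext()) {
+ Entry<Object, Object> e = i.next();
+ if (((String) e.getKey()).startsWith("security.provider")) {
+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
+ i.remove();
+ }
+ }
+ // Add FIPS security providers
+ String fipsProviderValue = null;
+ for (int n = 1;
+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
+ String fipsProviderKey = "security.provider." + n;
+ if (sdebug != null) {
+ sdebug.println("Adding provider " + n + ": " +
+ fipsProviderKey + "=" + fipsProviderValue);
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
+ loadedProps = true;
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load FIPS configuration");
+ e.printStackTrace();
+ }
+ }
+ return loadedProps;
+ }
+
+ /*
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
+ * and the com.redhat.fips property is true.
+ */
+ private static boolean enableFips() throws Exception {
+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (fipsEnabled) {
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+ return pattern.matcher(cryptoPoliciesConfig).find();
+ } else {
+ return false;
+ }
+ }
+}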
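Review bot: `configure()` wraps the whole FIPS path in `catch (Exception e)` and reports only on the `properties` debug channel, so any failure inside `enableFips()` — for instance `Files.readAllBytes` failing on an unreadable `/etc/crypto-policies/config` — leaves the JDK silently running with the non-FIPS provider list on a host whose operator expects FIPS. A missing file is a legitimate "not FIPS" signal, but other I/O errors are not; narrowing the catch to `IOException`, treating `NoSuchFileException` as not-FIPS and reporting the rest outside the debug channel would make that fail-open visible. `enableFips()` also decodes the policy file with `new String(Files.readAllBytes(...))`, i.e. the platform default charset on this JDK line; `String cryptoPoliciesConfig = Files.readString(Path.of(CRYPTO_POLICIES_CONFIG));` reads it as UTF-8 and needs no newer API than the `Path.of` already used. The nested `SecurityProviderInfo` class and the `Consumer` and `Matcher` imports are never referenced in the file and should be removed.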
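diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
--- openjdk.orig/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
@@ -87,6 +87,14 @@
 #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
 
 #
+# Security providers used when global crypto-policies are set to FIPS.
+#
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
+fips.provider.2=SUN
+fips.provider.3=SunEC
+fips.provider.4=SunJSSE SunPKCS11-NSS-FIPS
+
+#
 # A list of preferred providers for specific algorithms. These providers will
 # be searched for matching algorithms before the list of registered providers.
 # Entries containing errors (parsing, etc) will be ignored. Use the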
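Review bot: The comment above the new `fips.provider.*` entries does not say how they are consumed; per the `SystemConfigurator.configure()` hunk in this same patch they are copied onto `security.provider.N` only after every `security.provider.*` entry has been removed, and only when FIPS mode is detected at startup, so someone editing this file cannot tell that they replace rather than extend the provider list above. Suggest expanding the header to `# Security providers used when global crypto-policies are set to FIPS. They replace (not extend) the security.provider.* list above and are only consulted when the JDK detects FIPS mode at startup.` The referenced `${java.home}/conf/security/nss.fips.cfg` is not added by this patch as shown; if it is shipped separately, a comment naming where it comes from would help.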
