current/SOURCES/rh1655466-global_crypto_and_fips.patch

diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -196,26 +196,8 @@
         if (disableSystemProps == null &&
             "true".equalsIgnoreCase(props.getProperty
                 ("security.useSystemPropertiesFile"))) {
-
-            // now load the system file, if it exists, so its values
-            // will win if they conflict with the earlier values
-            try (BufferedInputStream bis =
-                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-                props.load(bis);
+            if (SystemConfigurator.configure(props)) {
                 loadedProps = true;
-
-                if (sdebug != null) {
-                    sdebug.println("reading system security properties file " +
-                                   SYSTEM_PROPERTIES);
-                    sdebug.println(props.toString());
-                }
-            } catch (IOException e) {
-                if (sdebug != null) {
-                    sdebug.println
-                        ("unable to load security properties from " +
-                         SYSTEM_PROPERTIES);
-                    e.printStackTrace();
-                }
             }
         }
 
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
new file mode 100644
--- /dev/null
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.security;
+
+import java.io.BufferedInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import java.util.Iterator;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.function.Consumer;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import sun.security.util.Debug;
+
+/**
+ * Internal class to align OpenJDK with global crypto-policies.
+ * Called from java.security.Security class initialization,
+ * during startup.
+ *
+ */
+
+class SystemConfigurator {
+
+    private static final Debug sdebug =
+            Debug.getInstance("properties");
+
+    private static final String CRYPTO_POLICIES_BASE_DIR =
+            "/etc/crypto-policies";
+
+    private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+            CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+    private static final String CRYPTO_POLICIES_CONFIG =
+            CRYPTO_POLICIES_BASE_DIR + "/config";
+
+    private static final class SecurityProviderInfo {
+        int number;
+        String key;
+        String value;
+        SecurityProviderInfo(int number, String key, String value) {
+            this.number = number;
+            this.key = key;
+            this.value = value;
+        }
+    }
+
+    /*
+     * Invoked when java.security.Security class is initialized, if
+     * java.security.disableSystemPropertiesFile property is not set and
+     * security.useSystemPropertiesFile is true.
+     */
+    static boolean configure(Properties props) {
+        boolean loadedProps = false;
+
+        try (BufferedInputStream bis =
+                new BufferedInputStream(
+                        new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+            props.load(bis);
+            loadedProps = true;
+            if (sdebug != null) {
+                sdebug.println("reading system security properties file " +
+                        CRYPTO_POLICIES_JAVA_CONFIG);
+                sdebug.println(props.toString());
+            }
+        } catch (IOException e) {
+            if (sdebug != null) {
+                sdebug.println("unable to load security properties from " +
+                        CRYPTO_POLICIES_JAVA_CONFIG);
+                e.printStackTrace();
+            }
+        }
+
+        try {
+            if (enableFips()) {
+                if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+                loadedProps = false;
+                // Remove all security providers
+                Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+                while (i.hasNext()) {
+                    Entry<Object, Object> e = i.next();
+                    if (((String) e.getKey()).startsWith("security.provider")) {
+                        if (sdebug != null) { sdebug.println("Removing provider: " + e); }
+                        i.remove();
+                    }
+                }
+                // Add FIPS security providers
+                String fipsProviderValue = null;
+                for (int n = 1;
+                     (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
+                    String fipsProviderKey = "security.provider." + n;
+                    if (sdebug != null) {
+                        sdebug.println("Adding provider " + n + ": " +
+                                fipsProviderKey + "=" + fipsProviderValue);
+                    }
+                    props.put(fipsProviderKey, fipsProviderValue);
+                }
+                loadedProps = true;
+            }
+        } catch (Exception e) {
+            if (sdebug != null) {
+                sdebug.println("unable to load FIPS configuration");
+                e.printStackTrace();
+            }
+        }
+        return loadedProps;
+    }
+
+    /*
+     * FIPS is enabled only if crypto-policies are set to "FIPS"
+     * and the com.redhat.fips property is true.
+     */
+    private static boolean enableFips() throws Exception {
+        boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+        if (fipsEnabled) {
+            String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+            if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+            Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+            return pattern.matcher(cryptoPoliciesConfig).find();
+        } else {
+            return false;
+        }
+    }
+}
diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
--- openjdk.orig/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
@@ -87,6 +87,14 @@
 #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
 
 #
+# Security providers used when global crypto-policies are set to FIPS.
+#
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
+fips.provider.2=SUN
+fips.provider.3=SunEC
+fips.provider.4=SunJSSE
+
+#
 # A list of preferred providers for specific algorithms. These providers will
 # be searched for matching algorithms before the list of registered providers.
 # Entries containing errors (parsing, etc) will be ignored. Use the
1	diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
2	--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
3	+++ openjdk/src/java.base/share/classes/java/security/Security.java
4	@@ -196,26 +196,8 @@
5	if (disableSystemProps == null &&
6	"true".equalsIgnoreCase(props.getProperty
7	("security.useSystemPropertiesFile"))) {
8	-
9	- // now load the system file, if it exists, so its values
10	- // will win if they conflict with the earlier values
11	- try (BufferedInputStream bis =
12	- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
13	- props.load(bis);
14	+ if (SystemConfigurator.configure(props)) {
15	loadedProps = true;
16	-
17	- if (sdebug != null) {
18	- sdebug.println("reading system security properties file " +
19	- SYSTEM_PROPERTIES);
20	- sdebug.println(props.toString());
21	- }
22	- } catch (IOException e) {
23	- if (sdebug != null) {
24	- sdebug.println
25	- ("unable to load security properties from " +
26	- SYSTEM_PROPERTIES);
27	- e.printStackTrace();
28	- }
29	}
30	}
31
32	diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
33	new file mode 100644
34	--- /dev/null
35	+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
36	@@ -0,0 +1,151 @@
37	+/*
38	+ * Copyright (c) 2019, Red Hat, Inc.
39	+ *
40	+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
41	+ *
42	+ * This code is free software; you can redistribute it and/or modify it
43	+ * under the terms of the GNU General Public License version 2 only, as
44	+ * published by the Free Software Foundation.
45	+ *
46	+ * This code is distributed in the hope that it will be useful, but WITHOUT
47	+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
48	+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
49	+ * version 2 for more details (a copy is included in the LICENSE file that
50	+ * accompanied this code).
51	+ *
52	+ * You should have received a copy of the GNU General Public License version
53	+ * 2 along with this work; if not, write to the Free Software Foundation,
54	+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
55	+ *
56	+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
57	+ * or visit www.oracle.com if you need additional information or have any
58	+ * questions.
59	+ */
60	+
61	+package java.security;
62	+
63	+import java.io.BufferedInputStream;
64	+import java.io.FileInputStream;
65	+import java.io.IOException;
66	+
67	+import java.nio.file.Files;
68	+import java.nio.file.Path;
69	+
70	+import java.util.Iterator;
71	+import java.util.Map.Entry;
72	+import java.util.Properties;
73	+import java.util.function.Consumer;
74	+import java.util.regex.Matcher;
75	+import java.util.regex.Pattern;
76	+
77	+import sun.security.util.Debug;
78	+
79	+/**
80	+ * Internal class to align OpenJDK with global crypto-policies.
81	+ * Called from java.security.Security class initialization,
82	+ * during startup.
83	+ *
84	+ */
85	+
86	+class SystemConfigurator {
87	+
88	+ private static final Debug sdebug =
89	+ Debug.getInstance("properties");
90	+
91	+ private static final String CRYPTO_POLICIES_BASE_DIR =
92	+ "/etc/crypto-policies";
93	+
94	+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
95	+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
96	+
97	+ private static final String CRYPTO_POLICIES_CONFIG =
98	+ CRYPTO_POLICIES_BASE_DIR + "/config";
99	+
100	+ private static final class SecurityProviderInfo {
101	+ int number;
102	+ String key;
103	+ String value;
104	+ SecurityProviderInfo(int number, String key, String value) {
105	+ this.number = number;
106	+ this.key = key;
107	+ this.value = value;
108	+ }
109	+ }
110	+
111	+ /*
112	+ * Invoked when java.security.Security class is initialized, if
113	+ * java.security.disableSystemPropertiesFile property is not set and
114	+ * security.useSystemPropertiesFile is true.
115	+ */
116	+ static boolean configure(Properties props) {
117	+ boolean loadedProps = false;
118	+
119	+ try (BufferedInputStream bis =
120	+ new BufferedInputStream(
121	+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
122	+ props.load(bis);
123	+ loadedProps = true;
124	+ if (sdebug != null) {
125	+ sdebug.println("reading system security properties file " +
126	+ CRYPTO_POLICIES_JAVA_CONFIG);
127	+ sdebug.println(props.toString());
128	+ }
129	+ } catch (IOException e) {
130	+ if (sdebug != null) {
131	+ sdebug.println("unable to load security properties from " +
132	+ CRYPTO_POLICIES_JAVA_CONFIG);
133	+ e.printStackTrace();
134	+ }
135	+ }
136	+
137	+ try {
138	+ if (enableFips()) {
139	+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
140	+ loadedProps = false;
141	+ // Remove all security providers
142	+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
143	+ while (i.hasNext()) {
144	+ Entry<Object, Object> e = i.next();
145	+ if (((String) e.getKey()).startsWith("security.provider")) {
146	+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
147	+ i.remove();
148	+ }
149	+ }
150	+ // Add FIPS security providers
151	+ String fipsProviderValue = null;
152	+ for (int n = 1;
153	+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
154	+ String fipsProviderKey = "security.provider." + n;
155	+ if (sdebug != null) {
156	+ sdebug.println("Adding provider " + n + ": " +
157	+ fipsProviderKey + "=" + fipsProviderValue);
158	+ }
159	+ props.put(fipsProviderKey, fipsProviderValue);
160	+ }
161	+ loadedProps = true;
162	+ }
163	+ } catch (Exception e) {
164	+ if (sdebug != null) {
165	+ sdebug.println("unable to load FIPS configuration");
166	+ e.printStackTrace();
167	+ }
168	+ }
169	+ return loadedProps;
170	+ }
171	+
172	+ /*
173	+ * FIPS is enabled only if crypto-policies are set to "FIPS"
174	+ * and the com.redhat.fips property is true.
175	+ */
176	+ private static boolean enableFips() throws Exception {
177	+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
178	+ if (fipsEnabled) {
179	+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
180	+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
181	+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
182	+ return pattern.matcher(cryptoPoliciesConfig).find();
183	+ } else {
184	+ return false;
185	+ }
186	+ }
187	+}
188	diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
189	--- openjdk.orig/src/java.base/share/conf/security/java.security
190	+++ openjdk/src/java.base/share/conf/security/java.security
191	@@ -87,6 +87,14 @@
192	#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
193
194	#
195	+# Security providers used when global crypto-policies are set to FIPS.
196	+#
197	+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
198	+fips.provider.2=SUN
199	+fips.provider.3=SunEC
200	+fips.provider.4=SunJSSE
201	+
202	+#
203	# A list of preferred providers for specific algorithms. These providers will
204	# be searched for matching algorithms before the list of registered providers.
205	# Entries containing errors (parsing, etc) will be ignored. Use the