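--- a/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -123,6 +123,33 @@
 }
 props.put(fipsProviderKey, fipsProviderValue);
 }
+ // Add other security properties
+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
+ if (keystoreTypeValue != null) {
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
+ props.put("keystore.type", keystoreTypeValue);
+ if (keystoreTypeValue.equals("PKCS11")) {
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
+ }
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+ // If no trustStoreType has been set, use the
+ // previous keystore.type under FIPS mode. In
+ // a default configuration, the Trust Store will
+ // be 'cacerts' (JKS type).
+ System.setProperty("javax.net.ssl.trustStoreType",
+ nonFipsKeystoreType);
+ }
+ if (sdebug != null) {
+ sdebug.println("FIPS mode default keystore.type = " +
+ keystoreTypeValue);
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+ System.getProperty("javax.net.ssl.keyStore", ""));
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
+ }
+ }
 loadedProps = true;
 }
 } catch (Exception e) {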
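Review bot: `System.setProperty("javax.net.ssl.trustStoreType", nonFipsKeystoreType)` throws NullPointerException when the security properties file defines `fips.keystore.type` but no `keystore.type`, because `System.setProperty` rejects a null value; the exception would presumably land in the surrounding `catch (Exception e)` (its body is outside the hunk), and `loadedProps = true` is never reached, so the FIPS setup ends half-applied with `keystore.type` already overwritten. Guard the fallback: `if (System.getProperty("javax.net.ssl.trustStoreType") == null && nonFipsKeystoreType != null) {`. Separately, `(String) props.get("fips.keystore.type")` is inconsistent with the `props.getProperty("keystore.type")` used on the very next line and can throw ClassCastException on a non-String entry; `String keystoreTypeValue = props.getProperty("fips.keystore.type");` avoids both. The enclosing method starts and ends outside the hunk.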
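--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -299,6 +299,11 @@
 keystore.type=pkcs12
 
 #
+# Default keystore type used when global crypto-policies are set to FIPS.
+#
+fips.keystore.type=PKCS11
+
+#
 # Controls compatibility mode for JKS and PKCS12 keystore types.
 #
 # When set to 'true', both JKS and PKCS12 keystore types support loading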
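Review bot: The comment for `fips.keystore.type` does not tell the administrator what setting it triggers: per the SystemConfigurator change in this same commit, when the property is present it replaces `keystore.type` in FIPS mode, the value `PKCS11` additionally forces `javax.net.ssl.keyStore` to `NONE`, and leaving it unset leaves `keystore.type` untouched. Suggest extending the comment with `# When set, it replaces keystore.type under FIPS mode; the value PKCS11 also forces javax.net.ssl.keyStore to NONE. Unset it to keep keystore.type unchanged.` so the side effect on the SSL key store is visible where the property is configured.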