pool/java-1_8_0-openjdk
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=401

Browse Source
This commit is contained in:
Fridrich Strba 2022-02-09 14:56:21 +00:00 committed by Git OBS Bridge
parent e86fd18a23
commit fc7297d136
4 changed files with 576 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
comment-nss-security-provider.patch
View File

@ -1,11 +0,0 @@
--- openjdk/jdk/src/share/lib/security/java.security-linux 2021-09-16 11:10:18.388933075 +0200
+++ openjdk/jdk/src/share/lib/security/java.security-linux 2021-10-11 13:35:57.523155519 +0200
@@ -74,7 +74,7 @@
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
-security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
+#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
#
# Sun Provider SecureRandom seed source.

600
fips.patch
View File

@ -1,5 +1,5 @@
--- openjdk/common/autoconf/configure.ac 2021-12-04 07:42:42.465816095 +0100
+++ openjdk/common/autoconf/configure.ac 2021-12-04 07:43:01.237927592 +0100
--- openjdk/common/autoconf/configure.ac 2022-02-08 15:00:13.864829794 +0100
+++ openjdk/common/autoconf/configure.ac 2022-02-08 15:00:30.560949558 +0100
@@ -212,6 +212,7 @@
LIB_SETUP_ALSA
LIB_SETUP_FONTCONFIG
@ -8,8 +8,8 @@
LIB_SETUP_STATIC_LINK_LIBSTDCPP
LIB_SETUP_ON_WINDOWS
--- openjdk/common/autoconf/libraries.m4 2021-12-04 07:42:42.465816095 +0100
+++ openjdk/common/autoconf/libraries.m4 2021-12-04 07:43:01.237927592 +0100
--- openjdk/common/autoconf/libraries.m4 2022-02-08 15:00:13.864829794 +0100
+++ openjdk/common/autoconf/libraries.m4 2022-02-08 15:00:30.560949558 +0100
@@ -1334,3 +1334,63 @@
BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
fi
@ -74,8 +74,8 @@
+ fi
+ AC_SUBST(USE_SYSCONF_NSS)
+])
--- openjdk/common/autoconf/spec.gmk.in 2021-12-04 07:42:42.465816095 +0100
+++ openjdk/common/autoconf/spec.gmk.in 2021-12-04 07:43:01.249927665 +0100
--- openjdk/common/autoconf/spec.gmk.in 2022-02-08 15:00:13.864829794 +0100
+++ openjdk/common/autoconf/spec.gmk.in 2022-02-08 15:00:30.560949558 +0100
@@ -313,6 +313,10 @@
ALSA_LIBS:=@ALSA_LIBS@
ALSA_CFLAGS:=@ALSA_CFLAGS@
@ -87,8 +87,8 @@
PACKAGE_PATH=@PACKAGE_PATH@
# Source file for cacerts
--- openjdk/common/bin/compare_exceptions.sh.incl 2021-12-04 07:42:42.465816095 +0100
+++ openjdk/common/bin/compare_exceptions.sh.incl 2021-12-04 07:43:01.261927736 +0100
--- openjdk/common/bin/compare_exceptions.sh.incl 2022-02-08 15:00:13.864829794 +0100
+++ openjdk/common/bin/compare_exceptions.sh.incl 2022-02-08 15:00:30.560949558 +0100
@@ -280,6 +280,7 @@
./jre/lib/i386/libsplashscreen.so
./jre/lib/i386/libsunec.so
@ -121,8 +121,8 @@
./jre/lib/sparcv9/libunpack.so
./jre/lib/sparcv9/libverify.so
./jre/lib/sparcv9/libzip.so
--- openjdk/common/nb_native/nbproject/configurations.xml 2021-12-04 07:42:42.469816118 +0100
+++ openjdk/common/nb_native/nbproject/configurations.xml 2021-12-04 07:43:01.265927761 +0100
--- openjdk/common/nb_native/nbproject/configurations.xml 2022-02-08 15:00:13.868829822 +0100
+++ openjdk/common/nb_native/nbproject/configurations.xml 2022-02-08 15:00:30.564949586 +0100
@@ -53,6 +53,9 @@
<in>jvmtiEnterTrace.cpp</in>
</df>
@ -145,8 +145,8 @@
</item>
<item path="../../jdk/src/share/native/java/util/TimeZone.c"
ex="false"
--- openjdk/jdk/make/lib/SecurityLibraries.gmk 2021-12-04 07:42:43.161820203 +0100
+++ openjdk/jdk/make/lib/SecurityLibraries.gmk 2021-12-04 07:43:01.277927833 +0100
--- openjdk/jdk/make/lib/SecurityLibraries.gmk 2022-02-08 15:00:15.708843020 +0100
+++ openjdk/jdk/make/lib/SecurityLibraries.gmk 2022-02-08 15:00:30.564949586 +0100
@@ -300,3 +300,34 @@
endif
@ -183,7 +183,7 @@
+endif
+
--- openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers 2021-12-04 07:43:01.281927857 +0100
+++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers 2022-02-08 15:00:30.564949586 +0100
@@ -0,0 +1,35 @@
+#
+# Copyright (c) 2021, Red Hat, Inc.
@ -220,8 +220,8 @@
+ local:
+ *;
+};
--- openjdk/jdk/src/share/classes/java/security/Security.java 2021-12-04 07:42:43.693823344 +0100
+++ openjdk/jdk/src/share/classes/java/security/Security.java 2021-12-04 10:17:29.503072332 +0100
--- openjdk/jdk/src/share/classes/java/security/Security.java 2022-02-08 15:00:16.912851658 +0100
+++ openjdk/jdk/src/share/classes/java/security/Security.java 2022-02-08 15:03:03.346045505 +0100
@@ -30,6 +30,8 @@
import java.util.concurrent.ConcurrentHashMap;
import java.io.*;
@ -231,7 +231,7 @@
import sun.security.util.Debug;
import sun.security.util.PropertyExpander;
@@ -69,6 +71,15 @@
@@ -69,6 +71,19 @@
}
static {
@ -242,12 +242,16 @@
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ @Override
+ public boolean isPlainKeySupportEnabled() {
+ return SystemConfigurator.isPlainKeySupportEnabled();
+ }
+ });
+
// doPrivileged here because there are multiple
// things in initialize that might require privs.
// (the FileInputStream call and the File.exists call,
@@ -188,29 +199,10 @@
@@ -188,29 +203,10 @@
}
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
@ -281,8 +285,8 @@
}
--- openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java 2021-12-04 10:17:58.159258084 +0100
@@ -0,0 +1,212 @@
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java 2022-02-08 15:03:03.346045505 +0100
@@ -0,0 +1,236 @@
+/*
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
+ *
@ -340,6 +344,7 @@
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+ private static boolean systemFipsEnabled = false;
+ private static boolean plainKeySupportEnabled = false;
+
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
+
@ -434,6 +439,16 @@
+ }
+ loadedProps = true;
+ systemFipsEnabled = true;
+ String plainKeySupport = System.getProperty("com.suse.fips.plainKeySupport",
+ "true");
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
+ if (sdebug != null) {
+ if (plainKeySupportEnabled) {
+ sdebug.println("FIPS support enabled with plain key support");
+ } else {
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
@ -461,6 +476,19 @@
+ return systemFipsEnabled;
+ }
+
+ /**
+ * Returns {@code true} if system FIPS alignment is enabled
+ * and plain key support is allowed. Plain key support is
+ * enabled by default but can be disabled with
+ * {@code -Dcom.suse.fips.plainKeySupport=false}.
+ *
+ * @return a boolean indicating whether plain key support
+ * should be enabled.
+ */
+ static boolean isPlainKeySupportEnabled() {
+ return plainKeySupportEnabled;
+ }
+
+ /*
+ * OpenJDK FIPS mode will be enabled only if the com.suse.fips
+ * system property is true (default) and the system is in FIPS mode.
@ -496,8 +524,8 @@
+ }
+}
--- openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java 2021-12-04 07:43:01.285927881 +0100
@@ -0,0 +1,30 @@
+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java 2022-02-08 15:03:03.346045505 +0100
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2020, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
@ -527,9 +555,10 @@
+
+public interface JavaSecuritySystemConfiguratorAccess {
+ boolean isSystemFipsEnabled();
+ boolean isPlainKeySupportEnabled();
+}
--- openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java 2021-12-04 07:42:43.793823935 +0100
+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java 2021-12-04 07:43:01.285927881 +0100
--- openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java 2022-02-08 15:00:17.096852977 +0100
+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java 2022-02-08 15:00:30.568949614 +0100
@@ -63,6 +63,7 @@
private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
@ -551,9 +580,312 @@
+ return javaSecuritySystemConfiguratorAccess;
+ }
}
--- openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2021-12-04 07:42:43.821824100 +0100
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2021-12-04 07:43:01.289927905 +0100
@@ -42,6 +42,8 @@
--- openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java 2022-02-08 15:03:03.346045505 +0100
@@ -0,0 +1,290 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.Provider;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.TemplateManager;
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import sun.security.pkcs11.wrapper.PKCS11Exception;
+import sun.security.rsa.RSAUtil.KeyType;
+import sun.security.util.Debug;
+import sun.security.util.ECUtil;
+
+final class FIPSKeyImporter {
+
+ private static final Debug debug =
+ Debug.getInstance("sunpkcs11");
+
+ private static P11Key importerKey = null;
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
+ private static CK_MECHANISM importerKeyMechanism = null;
+ private static Cipher importerCipher = null;
+
+ private static Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+
+ private static KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception {
+ long keyID = -1;
+ Token token = sunPKCS11.getToken();
+ if (debug != null) {
+ debug.println("Private or Secret key will be imported in" +
+ " system FIPS mode.");
+ }
+ if (importerKey == null) {
+ importerKeyLock.lock();
+ try {
+ if (importerKey == null) {
+ if (importerKeyMechanism == null) {
+ // Importer Key creation has not been tried yet. Try it.
+ createImporterKey(token);
+ }
+ if (importerKey == null || importerCipher == null) {
+ if (debug != null) {
+ debug.println("Importer Key could not be" +
+ " generated.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ if (debug != null) {
+ debug.println("Importer Key successfully" +
+ " generated.");
+ }
+ }
+ } finally {
+ importerKeyLock.unlock();
+ }
+ }
+ long importerKeyID = importerKey.getKeyID();
+ try {
+ byte[] keyBytes = null;
+ byte[] encKeyBytes = null;
+ long keyClass = 0L;
+ long keyType = 0L;
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
+ for (CK_ATTRIBUTE attr : attributes) {
+ if (attr.type == CKA_CLASS) {
+ keyClass = attr.getLong();
+ } else if (attr.type == CKA_KEY_TYPE) {
+ keyType = attr.getLong();
+ }
+ attrsMap.put(attr.type, attr);
+ }
+ BigInteger v = null;
+ if (keyClass == CKO_PRIVATE_KEY) {
+ if (keyType == CKK_RSA) {
+ if (debug != null) {
+ debug.println("Importing an RSA private key...");
+ }
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
+ KeyType.RSA,
+ null,
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ } else if (keyType == CKK_DSA) {
+ if (debug != null) {
+ debug.println("Importing a DSA private key...");
+ }
+ keyBytes = new sun.security.provider.DSAPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_EC) {
+ if (debug != null) {
+ debug.println("Importing an EC private key...");
+ }
+ if (sunECProvider == null) {
+ sunECProviderLock.lock();
+ try {
+ if (sunECProvider == null) {
+ sunECProvider = Security.getProvider("SunEC");
+ }
+ } finally {
+ sunECProviderLock.unlock();
+ }
+ }
+ keyBytes = P11ECUtil.generateECPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ECUtil.getECParameterSpec(sunECProvider,
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
+ .getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_DH) {
+ if (debug != null) {
+ debug.println("Importing a Diffie-Hellman private key...");
+ }
+ if (DHKF == null) {
+ DHKFLock.lock();
+ try {
+ if (DHKF == null) {
+ DHKF = KeyFactory.getInstance(
+ "DH", P11Util.getSunJceProvider());
+ }
+ } finally {
+ DHKFLock.unlock();
+ }
+ }
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO);
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else {
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ } else if (keyClass == CKO_SECRET_KEY) {
+ if (debug != null) {
+ debug.println("Importing a secret key...");
+ }
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
+ }
+ if (keyBytes == null || keyBytes.length == 0) {
+ if (debug != null) {
+ debug.println("Private or secret key plain bytes could" +
+ " not be obtained. Import failed.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
+ null);
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
+ attrsMap.values().toArray(attributes);
+ encKeyBytes = importerCipher.doFinal(keyBytes);
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
+ keyClass, keyType, attributes);
+ keyID = token.p11.C_UnwrapKey(hSession,
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
+ if (debug != null) {
+ debug.println("Imported key ID: " + keyID);
+ }
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ } finally {
+ importerKey.releaseKeyID();
+ }
+ return Long.valueOf(keyID);
+ }
+
+ private static void createImporterKey(Token token) {
+ if (debug != null) {
+ debug.println("Generating Importer Key...");
+ }
+ byte[] iv = new byte[16];
+ JCAUtil.getSecureRandom().nextBytes(iv);
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
+ try {
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
+ Session s = null;
+ try {
+ s = token.getObjSession();
+ long keyID = token.p11.C_GenerateKey(
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
+ attributes);
+ if (debug != null) {
+ debug.println("Importer Key ID: " + keyID);
+ }
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
+ 256 >> 3, null);
+ } catch (PKCS11Exception e) {
+ // best effort
+ } finally {
+ token.releaseSession(s);
+ }
+ if (importerKey != null) {
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ }
+ } catch (Throwable t) {
+ // best effort
+ importerKey = null;
+ importerCipher = null;
+ // importerKeyMechanism value is kept initialized to indicate that
+ // Importer Key creation has been tried and failed.
+ }
+ }
+}
--- openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2022-02-08 15:00:17.144853321 +0100
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2022-02-08 15:03:03.350045534 +0100
@@ -26,6 +26,9 @@
package sun.security.pkcs11;
import java.io.*;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
import java.util.*;
import java.security.*;
@@ -42,6 +45,8 @@
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
@ -562,17 +894,63 @@
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
@@ -58,6 +60,9 @@
@@ -58,6 +63,29 @@
*/
public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
+ private static final MethodHandle fipsImportKey;
+ static {
+ MethodHandle fipsImportKeyTmp = null;
+ if (plainKeySupportEnabled) {
+ try {
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
+ FIPSKeyImporter.class, "importKey",
+ MethodType.methodType(Long.class, SunPKCS11.class,
+ long.class, CK_ATTRIBUTE[].class));
+ } catch (Throwable t) {
+ throw new SecurityException("FIPS key importer initialization" +
+ " failed", t);
+ }
+ }
+ fipsImportKey = fipsImportKeyTmp;
+ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -379,6 +384,24 @@
@@ -320,10 +348,15 @@
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
+ MethodHandle fipsKeyImporter = null;
+ if (plainKeySupportEnabled) {
+ fipsKeyImporter = MethodHandles.insertArguments(
+ fipsImportKey, 0, this);
+ }
try {
tmpPKCS11 = PKCS11.getInstance(
library, functionList, initArgs,
- config.getOmitInitialize());
+ config.getOmitInitialize(), fipsKeyImporter);
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
@@ -339,7 +372,7 @@
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
- functionList, initArgs, config.getOmitInitialize());
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
}
p11 = tmpPKCS11;
@@ -379,6 +412,24 @@
if (nssModule != null) {
nssModule.setProvider(this);
}
@ -597,8 +975,156 @@
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException
--- openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2021-12-04 07:42:43.825824124 +0100
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2021-12-04 07:43:01.293927930 +0100
--- openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2022-02-08 15:00:17.148853350 +0100
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2022-02-08 15:03:03.350045534 +0100
@@ -49,6 +49,7 @@
import java.io.File;
import java.io.IOException;
+import java.lang.invoke.MethodHandle;
import java.util.*;
import java.security.AccessController;
@@ -147,17 +148,29 @@
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
// so keep a cache using the (non-canonicalized!) path
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
if (pkcs11 == null) {
+ boolean nssFipsMode = fipsKeyImporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
+ fipsKeyImporter);
+ } else {
pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
+ } else {
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
+ functionList, fipsKeyImporter);
} else {
pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
}
+ }
if (omitInitialize == false) {
try {
pkcs11.C_Initialize(pInitArgs);
@@ -1905,4 +1918,69 @@
super.C_GenerateRandom(hSession, randomData);
}
}
+
+// PKCS11 subclass that allows using plain private or secret keys in
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
+// is enabled.
+static class FIPSPKCS11 extends PKCS11 {
+ private MethodHandle fipsKeyImporter;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // Creating sensitive key objects from plain key material in a
+ // FIPS-configured NSS Software Token is not allowed. We apply
+ // a key-unwrapping scheme to achieve so.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+// FIPSPKCS11 synchronized counterpart.
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
+ private MethodHandle fipsKeyImporter;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // See FIPSPKCS11::C_CreateObject.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+private static class FIPSPKCS11Helper {
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
+ for (CK_ATTRIBUTE attr : pTemplate) {
+ if (attr.type == CKA_CLASS &&
+ (attr.getLong() == CKO_PRIVATE_KEY ||
+ attr.getLong() == CKO_SECRET_KEY)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
}
--- openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java 2022-02-08 15:00:17.152853378 +0100
+++ openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java 2022-02-08 15:03:03.350045534 +0100
@@ -33,8 +33,13 @@
import javax.net.ssl.*;
+import sun.misc.SharedSecrets;
+
abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
X509ExtendedKeyManager keyManager;
boolean isInitialized;
@@ -62,7 +67,8 @@
KeyStoreException, NoSuchAlgorithmException,
UnrecoverableKeyException {
if ((ks != null) && SunJSSE.isFIPS()) {
- if (ks.getProvider() != SunJSSE.cryptoProvider) {
+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
+ !plainKeySupportEnabled) {
throw new KeyStoreException("FIPS mode: KeyStore must be "
+ "from provider " + SunJSSE.cryptoProvider.getName());
}
@@ -91,8 +97,8 @@
keyManager = new X509KeyManagerImpl(
Collections.<Builder>emptyList());
} else {
- if (SunJSSE.isFIPS() &&
- (ks.getProvider() != SunJSSE.cryptoProvider)) {
+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
+ && !plainKeySupportEnabled) {
throw new KeyStoreException(
"FIPS mode: KeyStore must be " +
"from provider " + SunJSSE.cryptoProvider.getName());
--- openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2022-02-08 15:00:17.152853378 +0100
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2022-02-08 15:00:30.568949614 +0100
@@ -31,6 +31,7 @@
import java.security.cert.*;
import java.util.*;
@ -673,8 +1199,8 @@
return new ProtocolVersion[]{
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
--- openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2021-12-04 07:42:43.825824124 +0100
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2021-12-04 07:43:01.293927930 +0100
--- openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2022-02-08 15:00:17.156853408 +0100
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2022-02-08 15:00:30.568949614 +0100
@@ -30,6 +30,8 @@
import java.security.*;
@ -698,9 +1224,9 @@
put("SSLContext.TLS",
"sun.security.ssl.SSLContextImpl$TLSContext");
if (isfips == false) {
--- openjdk/jdk/src/share/lib/security/java.security-linux 2021-12-04 07:42:43.901824572 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-linux 2021-12-04 07:43:01.297927954 +0100
@@ -77,6 +77,14 @@
--- openjdk/jdk/src/share/lib/security/java.security-linux 2022-02-08 15:00:17.300854441 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-linux 2022-02-08 15:00:30.568949614 +0100
@@ -80,6 +80,14 @@
#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
#
@ -715,7 +1241,7 @@
# Sun Provider SecureRandom seed source.
#
# Select the primary source of seed data for the "SHA1PRNG" and
@@ -172,6 +180,11 @@
@@ -175,6 +183,11 @@
keystore.type=jks
#
@ -728,7 +1254,7 @@
#
# When set to 'true', the JKS keystore type supports loading
--- openjdk/jdk/src/solaris/native/java/security/systemconf.c 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c 2021-12-04 07:43:01.297927954 +0100
+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c 2022-02-08 15:00:30.568949614 +0100
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.

11
java-1_8_0-openjdk.changes
View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Wed Feb 9 14:51:51 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Removed patch:
* comment-nss-security-provider.patch
+ there is a configure-time option to do exactly the same thing
- Modified patch:
* fips.patch
+ allow plain key import, unless disabled with
-Dcom.suse.fips.plainKeySupport=false command-line option
-------------------------------------------------------------------
Sat Dec 4 07:23:12 UTC 2021 - Fridrich Strba <fstrba@suse.com>

6
java-1_8_0-openjdk.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package java-1_8_0-openjdk
#
# Copyright (c) 2021 SUSE LLC
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -198,7 +198,6 @@ Patch2001: disable-doclint-by-default.patch
Patch2002: JDK_1_8_0-8208602.patch
Patch3000: tls13extensions.patch
Patch4000: riscv64-zero.patch
Patch5000: comment-nss-security-provider.patch
Patch5001: fips.patch
BuildRequires: alsa-lib-devel
BuildRequires: autoconf
@ -455,7 +454,7 @@ sh autogen.sh
--with-tzdata-dir=%{_datadir}/javazi \
--with-pkgversion="build %{javaver}_%{updatever}-b%{buildver} suse-%{release}-%{_arch}" \
--with-jdk-home="%{_sysconfdir}/alternatives/java_sdk" \
--enable-nss \
--disable-nss \
--enable-sysconf-nss \
--enable-non-nss-curves \
%if %{with bootstrap}
@ -542,7 +541,6 @@ patch -p0 -i %{PATCH3000}
patch -p0 -i %{PATCH4000}
patch -p0 -i %{PATCH5000}
patch -p0 -i %{PATCH5001}
(cd openjdk/common/autoconf