--- openjdk/common/autoconf/configure.ac 2022-02-08 15:00:13.864829794 +0100 +++ openjdk/common/autoconf/configure.ac 2022-02-08 15:00:30.560949558 +0100 @@ -212,6 +212,7 @@ LIB_SETUP_ALSA LIB_SETUP_FONTCONFIG LIB_SETUP_MISC_LIBS +LIB_SETUP_SYSCONF_LIBS LIB_SETUP_STATIC_LINK_LIBSTDCPP LIB_SETUP_ON_WINDOWS --- openjdk/common/autoconf/libraries.m4 2022-02-08 15:00:13.864829794 +0100 +++ openjdk/common/autoconf/libraries.m4 2022-02-08 15:00:30.560949558 +0100 @@ -1334,3 +1334,63 @@ BASIC_DEPRECATED_ARG_WITH([dxsdk-include]) fi ]) + +################################################################################ +# Setup system configuration libraries +################################################################################ +AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], +[ + ############################################################################### + # + # Check for the NSS library + # + + AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) + + # default is not available + DEFAULT_SYSCONF_NSS=no + + AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], + [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], + [ + case "${enableval}" in + yes) + sysconf_nss=yes + ;; + *) + sysconf_nss=no + ;; + esac + ], + [ + sysconf_nss=${DEFAULT_SYSCONF_NSS} + ]) + AC_MSG_RESULT([$sysconf_nss]) + + USE_SYSCONF_NSS=false + if test "x${sysconf_nss}" = "xyes"; then + PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) + if test "x${NSS_FOUND}" = "xyes"; then + AC_MSG_CHECKING([for system FIPS support in NSS]) + saved_libs="${LIBS}" + saved_cflags="${CFLAGS}" + CFLAGS="${CFLAGS} ${NSS_CFLAGS}" + LIBS="${LIBS} ${NSS_LIBS}" + AC_LANG_PUSH([C]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], + [[SECMOD_GetSystemFIPSEnabled()]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) + AC_MSG_ERROR([System NSS FIPS detection unavailable])]) + AC_LANG_POP([C]) + CFLAGS="${saved_cflags}" + LIBS="${saved_libs}" + USE_SYSCONF_NSS=true + else + dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API + dnl in nss3/pk11pub.h. + AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) + fi + fi + AC_SUBST(USE_SYSCONF_NSS) +]) --- openjdk/common/autoconf/spec.gmk.in 2022-02-08 15:00:13.864829794 +0100 +++ openjdk/common/autoconf/spec.gmk.in 2022-02-08 15:00:30.560949558 +0100 @@ -313,6 +313,10 @@ ALSA_LIBS:=@ALSA_LIBS@ ALSA_CFLAGS:=@ALSA_CFLAGS@ +USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ +NSS_LIBS:=@NSS_LIBS@ +NSS_CFLAGS:=@NSS_CFLAGS@ + PACKAGE_PATH=@PACKAGE_PATH@ # Source file for cacerts --- openjdk/common/bin/compare_exceptions.sh.incl 2022-02-08 15:00:13.864829794 +0100 +++ openjdk/common/bin/compare_exceptions.sh.incl 2022-02-08 15:00:30.560949558 +0100 @@ -280,6 +280,7 @@ ./jre/lib/i386/libsplashscreen.so ./jre/lib/i386/libsunec.so ./jre/lib/i386/libsunwjdga.so +./jre/lib/i386/libsystemconf.so ./jre/lib/i386/libunpack.so ./jre/lib/i386/libverify.so ./jre/lib/i386/libzip.so @@ -432,6 +433,7 @@ ./jre/lib/amd64/libsplashscreen.so ./jre/lib/amd64/libsunec.so ./jre/lib/amd64/libsunwjdga.so +./jre/lib/amd64/libsystemconf.so ./jre/lib/amd64/libunpack.so ./jre/lib/amd64/libverify.so ./jre/lib/amd64/libzip.so @@ -585,6 +587,7 @@ ./jre/lib/sparc/libsplashscreen.so ./jre/lib/sparc/libsunec.so ./jre/lib/sparc/libsunwjdga.so +./jre/lib/sparc/libsystemconf.so ./jre/lib/sparc/libunpack.so ./jre/lib/sparc/libverify.so ./jre/lib/sparc/libzip.so @@ -738,6 +741,7 @@ ./jre/lib/sparcv9/libsplashscreen.so ./jre/lib/sparcv9/libsunec.so ./jre/lib/sparcv9/libsunwjdga.so +./jre/lib/sparcv9/libsystemconf.so ./jre/lib/sparcv9/libunpack.so ./jre/lib/sparcv9/libverify.so ./jre/lib/sparcv9/libzip.so --- openjdk/common/nb_native/nbproject/configurations.xml 2022-02-08 15:00:13.868829822 +0100 +++ openjdk/common/nb_native/nbproject/configurations.xml 2022-02-08 15:00:30.564949586 +0100 @@ -53,6 +53,9 @@ jvmtiEnterTrace.cpp + + systemconf.c + @@ -12771,6 +12774,11 @@ ex="false" tool="0" flavor2="0"> + + () { + public Void run() { + System.loadLibrary(SYSTEMCONF_NATIVE_LIB); + return null; + } + }); + } + + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and + * security.useSystemPropertiesFile is true. + */ + static boolean configure(Properties props) { + boolean loadedProps = false; + + try (BufferedInputStream bis = + new BufferedInputStream( + new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { + props.load(bis); + loadedProps = true; + if (sdebug != null) { + sdebug.println("reading system security properties file " + + CRYPTO_POLICIES_JAVA_CONFIG); + sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { + sdebug.println("unable to load security properties from " + + CRYPTO_POLICIES_JAVA_CONFIG); + e.printStackTrace(); + } + } + + try { + if (enableFips()) { + if (sdebug != null) { sdebug.println("FIPS mode detected"); } + loadedProps = false; + // Remove all security providers + Iterator> i = props.entrySet().iterator(); + while (i.hasNext()) { + Entry e = i.next(); + if (((String) e.getKey()).startsWith("security.provider")) { + if (sdebug != null) { sdebug.println("Removing provider: " + e); } + i.remove(); + } + } + // Add FIPS security providers + String fipsProviderValue = null; + for (int n = 1; + (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { + String fipsProviderKey = "security.provider." + n; + if (sdebug != null) { + sdebug.println("Adding provider " + n + ": " + + fipsProviderKey + "=" + fipsProviderValue); + } + props.put(fipsProviderKey, fipsProviderValue); + } + // Add other security properties + String keystoreTypeValue = (String) props.get("fips.keystore.type"); + if (keystoreTypeValue != null) { + String nonFipsKeystoreType = props.getProperty("keystore.type"); + props.put("keystore.type", keystoreTypeValue); + if (keystoreTypeValue.equals("PKCS11")) { + // If keystore.type is PKCS11, javax.net.ssl.keyStore + // must be "NONE". See JDK-8238264. + System.setProperty("javax.net.ssl.keyStore", "NONE"); + } + if (System.getProperty("javax.net.ssl.trustStoreType") == null) { + // If no trustStoreType has been set, use the + // previous keystore.type under FIPS mode. In + // a default configuration, the Trust Store will + // be 'cacerts' (JKS type). + System.setProperty("javax.net.ssl.trustStoreType", + nonFipsKeystoreType); + } + if (sdebug != null) { + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + + System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } + } + loadedProps = true; + systemFipsEnabled = true; + String plainKeySupport = System.getProperty("com.suse.fips.plainKeySupport", + "true"); + plainKeySupportEnabled = !"false".equals(plainKeySupport); + if (sdebug != null) { + if (plainKeySupportEnabled) { + sdebug.println("FIPS support enabled with plain key support"); + } else { + sdebug.println("FIPS support enabled without plain key support"); + } + } + } + } catch (Exception e) { + if (sdebug != null) { + sdebug.println("unable to load FIPS configuration"); + e.printStackTrace(); + } + } + return loadedProps; + } + + /** + * Returns whether or not global system FIPS alignment is enabled. + * + * Value is always 'false' before java.security.Security class is + * initialized. + * + * Call from out of this package through SharedSecrets: + * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + * .isSystemFipsEnabled(); + * + * @return a boolean value indicating whether or not global + * system FIPS alignment is enabled. + */ + static boolean isSystemFipsEnabled() { + return systemFipsEnabled; + } + + /** + * Returns {@code true} if system FIPS alignment is enabled + * and plain key support is allowed. Plain key support is + * enabled by default but can be disabled with + * {@code -Dcom.suse.fips.plainKeySupport=false}. + * + * @return a boolean indicating whether plain key support + * should be enabled. + */ + static boolean isPlainKeySupportEnabled() { + return plainKeySupportEnabled; + } + + /* + * OpenJDK FIPS mode will be enabled only if the com.suse.fips + * system property is true (default) and the system is in FIPS mode. + * + * There are 2 possible ways in which OpenJDK detects that the system + * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is + * available at OpenJDK's built-time, it is called; 2) otherwise, the + * /proc/sys/crypto/fips_enabled file is read. + */ + private static boolean enableFips() throws IOException { + boolean shouldEnable = Boolean.valueOf(System.getProperty("com.suse.fips", "true")); + if (shouldEnable) { + if (sdebug != null) { + sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); + } + try { + shouldEnable = getSystemFIPSEnabled(); + if (sdebug != null) { + sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " + + shouldEnable); + } + return shouldEnable; + } catch (IOException e) { + if (sdebug != null) { + sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); + sdebug.println(e.getMessage()); + } + throw e; + } + } else { + return false; + } + } +} --- openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java 1970-01-01 01:00:00.000000000 +0100 +++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java 2022-02-08 15:03:03.346045505 +0100 @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2020, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.misc; + +public interface JavaSecuritySystemConfiguratorAccess { + boolean isSystemFipsEnabled(); + boolean isPlainKeySupportEnabled(); +} --- openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java 2022-02-08 15:00:17.096852977 +0100 +++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java 2022-02-08 15:00:30.568949614 +0100 @@ -63,6 +63,7 @@ private static JavaObjectInputStreamReadString javaObjectInputStreamReadString; private static JavaObjectInputStreamAccess javaObjectInputStreamAccess; private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; + private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; public static JavaUtilJarAccess javaUtilJarAccess() { if (javaUtilJarAccess == null) { @@ -248,4 +249,12 @@ } return javaxCryptoSealedObjectAccess; } + + public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { + javaSecuritySystemConfiguratorAccess = jssca; + } + + public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { + return javaSecuritySystemConfiguratorAccess; + } } --- openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java 1970-01-01 01:00:00.000000000 +0100 +++ openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java 2022-02-08 15:03:03.346045505 +0100 @@ -0,0 +1,290 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.Provider; +import java.security.Security; +import java.util.HashMap; +import java.util.Map; +import java.util.concurrent.locks.ReentrantLock; + +import javax.crypto.Cipher; +import javax.crypto.spec.DHPrivateKeySpec; +import javax.crypto.spec.IvParameterSpec; + +import sun.security.jca.JCAUtil; +import sun.security.pkcs11.TemplateManager; +import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; +import sun.security.pkcs11.wrapper.CK_MECHANISM; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; +import sun.security.pkcs11.wrapper.PKCS11Exception; +import sun.security.rsa.RSAUtil.KeyType; +import sun.security.util.Debug; +import sun.security.util.ECUtil; + +final class FIPSKeyImporter { + + private static final Debug debug = + Debug.getInstance("sunpkcs11"); + + private static P11Key importerKey = null; + private static final ReentrantLock importerKeyLock = new ReentrantLock(); + private static CK_MECHANISM importerKeyMechanism = null; + private static Cipher importerCipher = null; + + private static Provider sunECProvider = null; + private static final ReentrantLock sunECProviderLock = new ReentrantLock(); + + private static KeyFactory DHKF = null; + private static final ReentrantLock DHKFLock = new ReentrantLock(); + + static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) + throws PKCS11Exception { + long keyID = -1; + Token token = sunPKCS11.getToken(); + if (debug != null) { + debug.println("Private or Secret key will be imported in" + + " system FIPS mode."); + } + if (importerKey == null) { + importerKeyLock.lock(); + try { + if (importerKey == null) { + if (importerKeyMechanism == null) { + // Importer Key creation has not been tried yet. Try it. + createImporterKey(token); + } + if (importerKey == null || importerCipher == null) { + if (debug != null) { + debug.println("Importer Key could not be" + + " generated."); + } + throw new PKCS11Exception(CKR_GENERAL_ERROR); + } + if (debug != null) { + debug.println("Importer Key successfully" + + " generated."); + } + } + } finally { + importerKeyLock.unlock(); + } + } + long importerKeyID = importerKey.getKeyID(); + try { + byte[] keyBytes = null; + byte[] encKeyBytes = null; + long keyClass = 0L; + long keyType = 0L; + Map attrsMap = new HashMap<>(); + for (CK_ATTRIBUTE attr : attributes) { + if (attr.type == CKA_CLASS) { + keyClass = attr.getLong(); + } else if (attr.type == CKA_KEY_TYPE) { + keyType = attr.getLong(); + } + attrsMap.put(attr.type, attr); + } + BigInteger v = null; + if (keyClass == CKO_PRIVATE_KEY) { + if (keyType == CKK_RSA) { + if (debug != null) { + debug.println("Importing an RSA private key..."); + } + keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( + KeyType.RSA, + null, + ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) + ? v : BigInteger.ZERO + ).getEncoded(); + } else if (keyType == CKK_DSA) { + if (debug != null) { + debug.println("Importing a DSA private key..."); + } + keyBytes = new sun.security.provider.DSAPrivateKey( + ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) + ? v : BigInteger.ZERO + ).getEncoded(); + if (token.config.getNssNetscapeDbWorkaround() && + attrsMap.get(CKA_NETSCAPE_DB) == null) { + attrsMap.put(CKA_NETSCAPE_DB, + new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); + } + } else if (keyType == CKK_EC) { + if (debug != null) { + debug.println("Importing an EC private key..."); + } + if (sunECProvider == null) { + sunECProviderLock.lock(); + try { + if (sunECProvider == null) { + sunECProvider = Security.getProvider("SunEC"); + } + } finally { + sunECProviderLock.unlock(); + } + } + keyBytes = P11ECUtil.generateECPrivateKey( + ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ECUtil.getECParameterSpec(sunECProvider, + attrsMap.get(CKA_EC_PARAMS).getByteArray())) + .getEncoded(); + if (token.config.getNssNetscapeDbWorkaround() && + attrsMap.get(CKA_NETSCAPE_DB) == null) { + attrsMap.put(CKA_NETSCAPE_DB, + new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); + } + } else if (keyType == CKK_DH) { + if (debug != null) { + debug.println("Importing a Diffie-Hellman private key..."); + } + if (DHKF == null) { + DHKFLock.lock(); + try { + if (DHKF == null) { + DHKF = KeyFactory.getInstance( + "DH", P11Util.getSunJceProvider()); + } + } finally { + DHKFLock.unlock(); + } + } + DHPrivateKeySpec spec = new DHPrivateKeySpec + (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) + ? v : BigInteger.ZERO); + keyBytes = DHKF.generatePrivate(spec).getEncoded(); + if (token.config.getNssNetscapeDbWorkaround() && + attrsMap.get(CKA_NETSCAPE_DB) == null) { + attrsMap.put(CKA_NETSCAPE_DB, + new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); + } + } else { + if (debug != null) { + debug.println("Unrecognized private key type."); + } + throw new PKCS11Exception(CKR_GENERAL_ERROR); + } + } else if (keyClass == CKO_SECRET_KEY) { + if (debug != null) { + debug.println("Importing a secret key..."); + } + keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); + } + if (keyBytes == null || keyBytes.length == 0) { + if (debug != null) { + debug.println("Private or secret key plain bytes could" + + " not be obtained. Import failed."); + } + throw new PKCS11Exception(CKR_GENERAL_ERROR); + } + importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, + new IvParameterSpec((byte[])importerKeyMechanism.pParameter), + null); + attributes = new CK_ATTRIBUTE[attrsMap.size()]; + attrsMap.values().toArray(attributes); + encKeyBytes = importerCipher.doFinal(keyBytes); + attributes = token.getAttributes(TemplateManager.O_IMPORT, + keyClass, keyType, attributes); + keyID = token.p11.C_UnwrapKey(hSession, + importerKeyMechanism, importerKeyID, encKeyBytes, attributes); + if (debug != null) { + debug.println("Imported key ID: " + keyID); + } + } catch (Throwable t) { + throw new PKCS11Exception(CKR_GENERAL_ERROR); + } finally { + importerKey.releaseKeyID(); + } + return Long.valueOf(keyID); + } + + private static void createImporterKey(Token token) { + if (debug != null) { + debug.println("Generating Importer Key..."); + } + byte[] iv = new byte[16]; + JCAUtil.getSecureRandom().nextBytes(iv); + importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); + try { + CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, + CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), + new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); + Session s = null; + try { + s = token.getObjSession(); + long keyID = token.p11.C_GenerateKey( + s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), + attributes); + if (debug != null) { + debug.println("Importer Key ID: " + keyID); + } + importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", + 256 >> 3, null); + } catch (PKCS11Exception e) { + // best effort + } finally { + token.releaseSession(s); + } + if (importerKey != null) { + importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); + } + } catch (Throwable t) { + // best effort + importerKey = null; + importerCipher = null; + // importerKeyMechanism value is kept initialized to indicate that + // Importer Key creation has been tried and failed. + } + } +} --- openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2022-02-08 15:00:17.144853321 +0100 +++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2022-02-08 15:03:03.350045534 +0100 @@ -26,6 +26,9 @@ package sun.security.pkcs11; import java.io.*; +import java.lang.invoke.MethodHandle; +import java.lang.invoke.MethodHandles; +import java.lang.invoke.MethodType; import java.util.*; import java.security.*; @@ -42,6 +45,8 @@ import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.TextOutputCallback; +import sun.misc.SharedSecrets; + import sun.security.util.Debug; import sun.security.util.ResourcesMgr; @@ -58,6 +63,29 @@ */ public final class SunPKCS11 extends AuthProvider { + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); + + private static final boolean plainKeySupportEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); + + private static final MethodHandle fipsImportKey; + static { + MethodHandle fipsImportKeyTmp = null; + if (plainKeySupportEnabled) { + try { + fipsImportKeyTmp = MethodHandles.lookup().findStatic( + FIPSKeyImporter.class, "importKey", + MethodType.methodType(Long.class, SunPKCS11.class, + long.class, CK_ATTRIBUTE[].class)); + } catch (Throwable t) { + throw new SecurityException("FIPS key importer initialization" + + " failed", t); + } + } + fipsImportKey = fipsImportKeyTmp; + } + private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); @@ -320,10 +348,15 @@ // request multithreaded access first initArgs.flags = CKF_OS_LOCKING_OK; PKCS11 tmpPKCS11; + MethodHandle fipsKeyImporter = null; + if (plainKeySupportEnabled) { + fipsKeyImporter = MethodHandles.insertArguments( + fipsImportKey, 0, this); + } try { tmpPKCS11 = PKCS11.getInstance( library, functionList, initArgs, - config.getOmitInitialize()); + config.getOmitInitialize(), fipsKeyImporter); } catch (PKCS11Exception e) { if (debug != null) { debug.println("Multi-threaded initialization failed: " + e); @@ -339,7 +372,7 @@ initArgs.flags = 0; } tmpPKCS11 = PKCS11.getInstance(library, - functionList, initArgs, config.getOmitInitialize()); + functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); } p11 = tmpPKCS11; @@ -379,6 +412,24 @@ if (nssModule != null) { nssModule.setProvider(this); } + if (systemFipsEnabled) { + // The NSS Software Token in FIPS 140-2 mode requires a user + // login for most operations. See sftk_fipsCheck. The NSS DB + // (/etc/pki/nssdb) PIN is empty. + Session session = null; + try { + session = token.getOpSession(); + p11.C_Login(session.id(), CKU_USER, new char[] {}); + } catch (PKCS11Exception p11e) { + if (debug != null) { + debug.println("Error during token login: " + + p11e.getMessage()); + } + throw p11e; + } finally { + token.releaseSession(session); + } + } } catch (Exception e) { if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { throw new UnsupportedOperationException --- openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2022-02-08 15:00:17.148853350 +0100 +++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2022-02-08 15:03:03.350045534 +0100 @@ -49,6 +49,7 @@ import java.io.File; import java.io.IOException; +import java.lang.invoke.MethodHandle; import java.util.*; import java.security.AccessController; @@ -147,17 +148,29 @@ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, String functionList, CK_C_INITIALIZE_ARGS pInitArgs, - boolean omitInitialize) throws IOException, PKCS11Exception { + boolean omitInitialize, MethodHandle fipsKeyImporter) + throws IOException, PKCS11Exception { // we may only call C_Initialize once per native .so/.dll // so keep a cache using the (non-canonicalized!) path PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); if (pkcs11 == null) { + boolean nssFipsMode = fipsKeyImporter != null; if ((pInitArgs != null) && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { + if (nssFipsMode) { + pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, + fipsKeyImporter); + } else { pkcs11 = new PKCS11(pkcs11ModulePath, functionList); + } + } else { + if (nssFipsMode) { + pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, + functionList, fipsKeyImporter); } else { pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); } + } if (omitInitialize == false) { try { pkcs11.C_Initialize(pInitArgs); @@ -1905,4 +1918,69 @@ super.C_GenerateRandom(hSession, randomData); } } + +// PKCS11 subclass that allows using plain private or secret keys in +// FIPS-configured NSS Software Tokens. Only used when System FIPS +// is enabled. +static class FIPSPKCS11 extends PKCS11 { + private MethodHandle fipsKeyImporter; + FIPSPKCS11(String pkcs11ModulePath, String functionListName, + MethodHandle fipsKeyImporter) throws IOException { + super(pkcs11ModulePath, functionListName); + this.fipsKeyImporter = fipsKeyImporter; + } + + public synchronized long C_CreateObject(long hSession, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { + // Creating sensitive key objects from plain key material in a + // FIPS-configured NSS Software Token is not allowed. We apply + // a key-unwrapping scheme to achieve so. + if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { + try { + return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) + .longValue(); + } catch (Throwable t) { + throw new PKCS11Exception(CKR_GENERAL_ERROR); + } + } + return super.C_CreateObject(hSession, pTemplate); + } +} + +// FIPSPKCS11 synchronized counterpart. +static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { + private MethodHandle fipsKeyImporter; + SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, + MethodHandle fipsKeyImporter) throws IOException { + super(pkcs11ModulePath, functionListName); + this.fipsKeyImporter = fipsKeyImporter; + } + + public synchronized long C_CreateObject(long hSession, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { + // See FIPSPKCS11::C_CreateObject. + if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { + try { + return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) + .longValue(); + } catch (Throwable t) { + throw new PKCS11Exception(CKR_GENERAL_ERROR); + } + } + return super.C_CreateObject(hSession, pTemplate); + } +} + +private static class FIPSPKCS11Helper { + static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { + for (CK_ATTRIBUTE attr : pTemplate) { + if (attr.type == CKA_CLASS && + (attr.getLong() == CKO_PRIVATE_KEY || + attr.getLong() == CKO_SECRET_KEY)) { + return true; + } + } + return false; + } +} } --- openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java 2022-02-08 15:00:17.152853378 +0100 +++ openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java 2022-02-08 15:03:03.350045534 +0100 @@ -33,8 +33,13 @@ import javax.net.ssl.*; +import sun.misc.SharedSecrets; + abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + private static final boolean plainKeySupportEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); + X509ExtendedKeyManager keyManager; boolean isInitialized; @@ -62,7 +67,8 @@ KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException { if ((ks != null) && SunJSSE.isFIPS()) { - if (ks.getProvider() != SunJSSE.cryptoProvider) { + if (ks.getProvider() != SunJSSE.cryptoProvider && + !plainKeySupportEnabled) { throw new KeyStoreException("FIPS mode: KeyStore must be " + "from provider " + SunJSSE.cryptoProvider.getName()); } @@ -91,8 +97,8 @@ keyManager = new X509KeyManagerImpl( Collections.emptyList()); } else { - if (SunJSSE.isFIPS() && - (ks.getProvider() != SunJSSE.cryptoProvider)) { + if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) + && !plainKeySupportEnabled) { throw new KeyStoreException( "FIPS mode: KeyStore must be " + "from provider " + SunJSSE.cryptoProvider.getName()); --- openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2022-02-08 15:00:17.152853378 +0100 +++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2022-02-08 15:00:30.568949614 +0100 @@ -31,6 +31,7 @@ import java.security.cert.*; import java.util.*; import javax.net.ssl.*; +import sun.misc.SharedSecrets; import sun.security.action.GetPropertyAction; import sun.security.provider.certpath.AlgorithmChecker; import sun.security.validator.Validator; @@ -539,6 +540,23 @@ static { if (SunJSSE.isFIPS()) { + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + ); + + serverDefaultProtocols = getAvailableProtocols( + new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }); + } else { supportedProtocols = Arrays.asList( ProtocolVersion.TLS13, ProtocolVersion.TLS12, @@ -553,6 +571,7 @@ ProtocolVersion.TLS11, ProtocolVersion.TLS10 }); + } } else { supportedProtocols = Arrays.asList( ProtocolVersion.TLS13, @@ -612,6 +631,16 @@ static ProtocolVersion[] getSupportedProtocols() { if (SunJSSE.isFIPS()) { + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + return new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }; + } return new ProtocolVersion[] { ProtocolVersion.TLS13, ProtocolVersion.TLS12, @@ -939,6 +968,16 @@ static ProtocolVersion[] getProtocols() { if (SunJSSE.isFIPS()) { + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + return new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }; + } return new ProtocolVersion[]{ ProtocolVersion.TLS12, ProtocolVersion.TLS11, --- openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2022-02-08 15:00:17.156853408 +0100 +++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2022-02-08 15:00:30.568949614 +0100 @@ -30,6 +30,8 @@ import java.security.*; +import sun.misc.SharedSecrets; + /** * The JSSE provider. * @@ -215,8 +217,13 @@ "sun.security.ssl.SSLContextImpl$TLS11Context"); put("SSLContext.TLSv1.2", "sun.security.ssl.SSLContextImpl$TLS12Context"); + if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. put("SSLContext.TLSv1.3", "sun.security.ssl.SSLContextImpl$TLS13Context"); + } put("SSLContext.TLS", "sun.security.ssl.SSLContextImpl$TLSContext"); if (isfips == false) { --- openjdk/jdk/src/share/lib/security/java.security-linux 2022-02-08 15:00:17.300854441 +0100 +++ openjdk/jdk/src/share/lib/security/java.security-linux 2022-02-08 15:00:30.568949614 +0100 @@ -80,6 +80,14 @@ #security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg # +# Security providers used when global crypto-policies are set to FIPS. +# +fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg +fips.provider.2=sun.security.provider.Sun +fips.provider.3=sun.security.ec.SunEC +fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS + +# # Sun Provider SecureRandom seed source. # # Select the primary source of seed data for the "SHA1PRNG" and @@ -175,6 +183,11 @@ keystore.type=jks # +# Default keystore type used when global crypto-policies are set to FIPS. +# +fips.keystore.type=PKCS11 + +# # Controls compatibility mode for the JKS keystore type. # # When set to 'true', the JKS keystore type supports loading --- openjdk/jdk/src/solaris/native/java/security/systemconf.c 1970-01-01 01:00:00.000000000 +0100 +++ openjdk/jdk/src/solaris/native/java/security/systemconf.c 2022-02-08 15:00:30.568949614 +0100 @@ -0,0 +1,170 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +#include +#include +#include +#include + +#ifdef SYSCONF_NSS +#include +#endif //SYSCONF_NSS + +#include "java_security_SystemConfigurator.h" + +#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" +#define MSG_MAX_SIZE 96 + +static jmethodID debugPrintlnMethodID = NULL; +static jobject debugObj = NULL; + +static void throwIOException(JNIEnv *env, const char *msg); +static void dbgPrint(JNIEnv *env, const char* msg); + +/* + * Class: java_security_SystemConfigurator + * Method: JNI_OnLoad + */ +JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) +{ + JNIEnv *env; + jclass sysConfCls, debugCls; + jfieldID sdebugFld; + + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return JNI_EVERSION; /* JNI version not supported */ + } + + sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); + if (sysConfCls == NULL) { + printf("libsystemconf: SystemConfigurator class not found\n"); + return JNI_ERR; + } + sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, + "sdebug", "Lsun/security/util/Debug;"); + if (sdebugFld == NULL) { + printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); + return JNI_ERR; + } + debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); + if (debugObj != NULL) { + debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); + if (debugCls == NULL) { + printf("libsystemconf: Debug class not found\n"); + return JNI_ERR; + } + debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, + "println", "(Ljava/lang/String;)V"); + if (debugPrintlnMethodID == NULL) { + printf("libsystemconf: Debug::println(String) method not found\n"); + return JNI_ERR; + } + debugObj = (*env)->NewGlobalRef(env, debugObj); + } + + return (*env)->GetVersion(env); +} + +/* + * Class: java_security_SystemConfigurator + * Method: JNI_OnUnload + */ +JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) +{ + JNIEnv *env; + + if (debugObj != NULL) { + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return; /* Should not happen */ + } + (*env)->DeleteGlobalRef(env, debugObj); + } +} + +JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled + (JNIEnv *env, jclass cls) +{ + int fips_enabled; + char msg[MSG_MAX_SIZE]; + int msg_bytes; + +#ifdef SYSCONF_NSS + + dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); + fips_enabled = SECMOD_GetSystemFIPSEnabled(); + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); + if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { + dbgPrint(env, msg); + } else { + dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ + " SECMOD_GetSystemFIPSEnabled return value"); + } + return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); + +#else // SYSCONF_NSS + + FILE *fe; + + dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); + if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); + return JNI_FALSE; + } + fips_enabled = fgetc(fe); + fclose(fe); + if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); + return JNI_FALSE; + } + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " read character is '%c'", fips_enabled); + if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { + dbgPrint(env, msg); + } else { + dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ + " read character"); + } + return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); + +#endif // SYSCONF_NSS +} + +static void throwIOException(JNIEnv *env, const char *msg) +{ + jclass cls = (*env)->FindClass(env, "java/io/IOException"); + if (cls != 0) + (*env)->ThrowNew(env, cls, msg); +} + +static void dbgPrint(JNIEnv *env, const char* msg) +{ + jstring jMsg; + if (debugObj != NULL) { + jMsg = (*env)->NewStringUTF(env, msg); + CHECK_NULL(jMsg); + (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); + } +}