From de63da1595cd20969522c23d6f029c3ec24a83841cf9f68ad45b70288f341fe2 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 19 Apr 2023 11:38:07 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-20-openjdk?expand=0&rev=3 --- fips.patch | 1704 ++++++++++++++++++++---------------------- java-20-openjdk.spec | 5 +- 2 files changed, 822 insertions(+), 887 deletions(-) diff --git a/fips.patch b/fips.patch index 60bba72..ffc16ca 100644 --- a/fips.patch +++ b/fips.patch @@ -1,6 +1,5 @@ -diff -urEbwBN jdk20u-jdk-20-36.orig/make/autoconf/libraries.m4 jdk20u-jdk-20-36/make/autoconf/libraries.m4 ---- jdk20u-jdk-20-36.orig/make/autoconf/libraries.m4 2023-04-01 12:03:25.147537077 +0200 -+++ jdk20u-jdk-20-36/make/autoconf/libraries.m4 2023-04-01 12:11:56.850719740 +0200 +--- jdk20/make/autoconf/libraries.m4 2023-04-19 12:01:23.129921089 +0200 ++++ jdk20/make/autoconf/libraries.m4 2023-04-19 12:01:39.630022967 +0200 @@ -35,6 +35,7 @@ m4_include([lib-x11.m4]) @@ -17,9 +16,8 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/make/autoconf/libraries.m4 jdk20u-jdk-20-36/ BASIC_JDKLIB_LIBS="" if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then -diff -urEbwBN jdk20u-jdk-20-36.orig/make/autoconf/lib-sysconf.m4 jdk20u-jdk-20-36/make/autoconf/lib-sysconf.m4 ---- jdk20u-jdk-20-36.orig/make/autoconf/lib-sysconf.m4 1970-01-01 01:00:00.000000000 +0100 -+++ jdk20u-jdk-20-36/make/autoconf/lib-sysconf.m4 2023-04-01 12:11:56.846719713 +0200 +--- jdk20/make/autoconf/lib-sysconf.m4 1970-01-01 01:00:00.000000000 +0100 ++++ jdk20/make/autoconf/lib-sysconf.m4 2023-04-19 12:01:39.630022967 +0200 @@ -0,0 +1,84 @@ +# +# Copyright (c) 2021, Red Hat, Inc. @@ -105,9 +103,8 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/make/autoconf/lib-sysconf.m4 jdk20u-jdk-20-3 + fi + AC_SUBST(USE_SYSCONF_NSS) +]) -diff -urEbwBN jdk20u-jdk-20-36.orig/make/autoconf/spec.gmk.in jdk20u-jdk-20-36/make/autoconf/spec.gmk.in ---- jdk20u-jdk-20-36.orig/make/autoconf/spec.gmk.in 2023-04-01 12:03:25.147537077 +0200 -+++ jdk20u-jdk-20-36/make/autoconf/spec.gmk.in 2023-04-01 12:11:56.850719740 +0200 +--- jdk20/make/autoconf/spec.gmk.in 2023-04-19 12:01:23.133921115 +0200 ++++ jdk20/make/autoconf/spec.gmk.in 2023-04-19 12:01:39.638023017 +0200 @@ -859,6 +859,10 @@ # Libraries # @@ -119,10 +116,9 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/make/autoconf/spec.gmk.in jdk20u-jdk-20-36/m USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ LCMS_CFLAGS:=@LCMS_CFLAGS@ LCMS_LIBS:=@LCMS_LIBS@ -diff -urEbwBN jdk20u-jdk-20-36.orig/make/modules/java.base/Lib.gmk jdk20u-jdk-20-36/make/modules/java.base/Lib.gmk ---- jdk20u-jdk-20-36.orig/make/modules/java.base/Lib.gmk 2023-04-01 12:03:25.243537662 +0200 -+++ jdk20u-jdk-20-36/make/modules/java.base/Lib.gmk 2023-04-01 12:11:56.850719740 +0200 -@@ -164,6 +164,31 @@ +--- jdk20/make/modules/java.base/Lib.gmk 2023-04-19 12:01:23.229921707 +0200 ++++ jdk20/make/modules/java.base/Lib.gmk 2023-04-19 12:01:48.954080528 +0200 +@@ -164,6 +164,29 @@ endif ################################################################################ @@ -136,28 +132,785 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/make/modules/java.base/Lib.gmk jdk20u-jdk-20 + LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS +endif + -+ifeq ($(OPENJDK_BUILD_OS), linux) -+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ -+ NAME := systemconf, \ -+ OPTIMIZATION := LOW, \ -+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ -+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ -+ LDFLAGS := $(LDFLAGS_JDKLIB) \ -+ $(call SET_SHARED_LIBRARY_ORIGIN), \ -+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ -+ )) ++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++)) + -+ TARGETS += $(BUILD_LIBSYSTEMCONF) -+endif ++TARGETS += $(BUILD_LIBSYSTEMCONF) + +################################################################################ # Create the symbols file for static builds. ifeq ($(STATIC_BUILD), true) -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/linux/native/libsystemconf/systemconf.c jdk20u-jdk-20-36/src/java.base/linux/native/libsystemconf/systemconf.c ---- jdk20u-jdk-20-36.orig/src/java.base/linux/native/libsystemconf/systemconf.c 1970-01-01 01:00:00.000000000 +0100 -+++ jdk20u-jdk-20-36/src/java.base/linux/native/libsystemconf/systemconf.c 2023-04-01 12:11:56.850719740 +0200 -@@ -0,0 +1,224 @@ +--- jdk20/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java 2023-04-19 12:01:23.265921929 +0200 ++++ jdk20/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java 2023-04-19 12:01:48.958080553 +0200 +@@ -31,6 +31,7 @@ + import java.security.PrivilegedAction; + import java.util.HashMap; + import java.util.List; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.util.SecurityProviderConstants.*; + +@@ -78,6 +79,10 @@ + + public final class SunJCE extends Provider { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + @java.io.Serial + private static final long serialVersionUID = 6812507587804302833L; + +@@ -143,6 +148,7 @@ + void putEntries() { + // reuse attribute map and reset before each reuse + HashMap attrs = new HashMap<>(3); ++ if (!systemFipsEnabled) { + attrs.put("SupportedModes", "ECB"); + attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" + + "|OAEPWITHMD5ANDMGF1PADDING" +@@ -422,6 +428,7 @@ + psA("KeyPairGenerator", "DiffieHellman", + "com.sun.crypto.provider.DHKeyPairGenerator", + null); ++ } + + /* + * Algorithm parameter generation engines +@@ -430,6 +437,7 @@ + "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", + null); + ++ if (!systemFipsEnabled) { + /* + * Key Agreement engines + */ +@@ -439,6 +447,7 @@ + psA("KeyAgreement", "DiffieHellman", + "com.sun.crypto.provider.DHKeyAgreement", + attrs); ++ } + + /* + * Algorithm Parameter engines +@@ -610,6 +619,7 @@ + ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); + ++ if (!systemFipsEnabled) { + // PBKDF2 + psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", + "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", +@@ -723,6 +733,7 @@ + "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", + List.of("SunTls12RsaPremasterSecret"), null); + } ++ } + + // Return the instance of this class or create one if needed. + static SunJCE getInstance() { +--- jdk20/src/java.base/share/classes/java/security/Security.java 2023-04-19 12:01:23.289922078 +0200 ++++ jdk20/src/java.base/share/classes/java/security/Security.java 2023-04-19 12:01:48.958080553 +0200 +@@ -34,6 +34,7 @@ + import jdk.internal.access.JavaSecurityPropertiesAccess; + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -58,6 +59,11 @@ + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -75,6 +81,19 @@ + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -96,6 +115,7 @@ + private static void initialize() { + props = new Properties(); + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -116,6 +136,61 @@ + } + loadProps(null, extraPropFile, overrideAll); + } ++ ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ if (systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.suse.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.suse.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.suse.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } ++ + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { +@@ -126,7 +201,7 @@ + + } + +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { +--- jdk20/src/java.base/share/classes/java/security/SystemConfigurator.java 1970-01-01 01:00:00.000000000 +0100 ++++ jdk20/src/java.base/share/classes/java/security/SystemConfigurator.java 2023-04-19 12:01:48.958080553 +0200 +@@ -0,0 +1,232 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.suse.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.suse.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.suse.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws Exception { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +--- jdk20/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java 1970-01-01 01:00:00.000000000 +0100 ++++ jdk20/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java 2023-04-19 12:01:48.958080553 +0200 +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.access; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +--- jdk20/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java 2023-04-19 12:01:23.317922250 +0200 ++++ jdk20/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java 2023-04-19 12:01:48.958080553 +0200 +@@ -43,6 +43,7 @@ + import java.io.PrintWriter; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -89,6 +90,7 @@ + private static JavaSecuritySpecAccess javaSecuritySpecAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; +@@ -521,4 +523,15 @@ + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +--- jdk20/src/java.base/share/classes/module-info.java 2023-04-19 12:01:23.261921904 +0200 ++++ jdk20/src/java.base/share/classes/module-info.java 2023-04-19 12:01:48.958080553 +0200 +@@ -163,6 +163,7 @@ + java.naming, + java.rmi, + jdk.charsets, ++ jdk.crypto.ec, + jdk.jartool, + jdk.jlink, + jdk.jfr, +--- jdk20/src/java.base/share/classes/sun/security/provider/SunEntries.java 2023-04-19 12:01:23.345922423 +0200 ++++ jdk20/src/java.base/share/classes/sun/security/provider/SunEntries.java 2023-04-19 12:01:48.958080553 +0200 +@@ -38,6 +38,7 @@ + import java.util.Iterator; + import java.util.LinkedHashSet; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.action.GetBooleanAction; + +@@ -91,6 +92,10 @@ + + public final class SunEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + // the default algo used by SecureRandom class for new SecureRandom() calls + public static final String DEF_SECURE_RANDOM_ALGO; + +@@ -102,6 +107,7 @@ + // common attribute map + HashMap attrs = new HashMap<>(3); + ++ if (!systemFipsEnabled) { + /* + * SecureRandom engines + */ +@@ -195,6 +201,7 @@ + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; + dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); + addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ } + + /* + * Algorithm Parameter Generator engines +@@ -209,6 +216,7 @@ + addWithAlias(p, "AlgorithmParameters", "DSA", + "sun.security.provider.DSAParameters", attrs); + ++ if (!systemFipsEnabled) { + /* + * Key factories + */ +@@ -245,6 +253,7 @@ + "sun.security.provider.SHA3$SHA384", attrs); + addWithAlias(p, "MessageDigest", "SHA3-512", + "sun.security.provider.SHA3$SHA512", attrs); ++ } + + /* + * Certificates +--- jdk20/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java 2023-04-19 12:01:23.349922447 +0200 ++++ jdk20/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java 2023-04-19 12:01:48.958080553 +0200 +@@ -27,6 +27,7 @@ + + import java.util.*; + import java.security.Provider; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityProviderConstants.getAliases; + + /** +@@ -36,6 +37,10 @@ + */ + public final class SunRsaSignEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private void add(Provider p, String type, String algo, String cn, + List aliases, HashMap attrs) { + services.add(new Provider.Service(p, type, algo, cn, +@@ -56,13 +61,17 @@ + // start populating content using the specified provider + // common attribute map + HashMap attrs = new HashMap<>(3); ++ if (!systemFipsEnabled) { + attrs.put("SupportedKeyClasses", + "java.security.interfaces.RSAPublicKey" + + "|java.security.interfaces.RSAPrivateKey"); ++ } + + add(p, "KeyFactory", "RSA", + "sun.security.rsa.RSAKeyFactory$Legacy", + getAliases("PKCS1"), null); ++ ++ if (!systemFipsEnabled) { + add(p, "KeyPairGenerator", "RSA", + "sun.security.rsa.RSAKeyPairGenerator$Legacy", + getAliases("PKCS1"), null); +@@ -92,13 +101,18 @@ + "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); + addA(p, "Signature", "SHA3-512withRSA", + "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ } + + addA(p, "KeyFactory", "RSASSA-PSS", + "sun.security.rsa.RSAKeyFactory$PSS", attrs); ++ ++ if (!systemFipsEnabled) { + addA(p, "KeyPairGenerator", "RSASSA-PSS", + "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); + addA(p, "Signature", "RSASSA-PSS", + "sun.security.rsa.RSAPSSSignature", attrs); ++ } ++ + addA(p, "AlgorithmParameters", "RSASSA-PSS", + "sun.security.rsa.PSSParameters", null); + } +--- jdk20/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java 2023-04-19 12:01:23.353922472 +0200 ++++ jdk20/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java 2023-04-19 12:01:48.958080553 +0200 +@@ -32,6 +32,7 @@ + import java.util.*; + import java.util.concurrent.locks.ReentrantLock; + import javax.net.ssl.*; ++import jdk.internal.access.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -530,6 +531,23 @@ + private static final List serverDefaultCipherSuites; + + static { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +@@ -546,6 +564,7 @@ + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }); ++ } + + supportedCipherSuites = getApplicableSupportedCipherSuites( + supportedProtocols); +@@ -836,12 +855,23 @@ + ProtocolVersion[] candidates; + if (refactored.isEmpty()) { + // Client and server use the same default protocols. ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } else { + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }; ++ } + } else { + // Use the customized TLS protocols. + candidates = +--- jdk20/src/java.base/share/classes/sun/security/ssl/SunJSSE.java 2023-04-19 12:01:23.353922472 +0200 ++++ jdk20/src/java.base/share/classes/sun/security/ssl/SunJSSE.java 2023-04-19 12:01:48.958080553 +0200 +@@ -27,6 +27,8 @@ + + import java.security.*; + import java.util.*; ++ ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + + /** +@@ -102,8 +104,13 @@ + "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); + ps("SSLContext", "TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. + ps("SSLContext", "TLSv1.3", + "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ } + ps("SSLContext", "TLS", + "sun.security.ssl.SSLContextImpl$TLSContext", + List.of("SSL"), null); +--- jdk20/src/java.base/share/conf/security/java.security 2023-04-19 12:01:23.365922546 +0200 ++++ jdk20/src/java.base/share/conf/security/java.security 2023-04-19 12:01:48.962080578 +0200 +@@ -86,6 +86,16 @@ + #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg + + # ++# Security providers used when FIPS mode support is active ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=SunJSSE ++fips.provider.5=SunJCE ++fips.provider.6=SunRsaSign ++ ++# + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. + # Entries containing errors (parsing, etc) will be ignored. Use the +@@ -296,6 +306,11 @@ + keystore.type=pkcs12 + + # ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=PKCS11 ++ ++# + # Controls compatibility mode for JKS and PKCS12 keystore types. + # + # When set to 'true', both JKS and PKCS12 keystore types support loading +@@ -333,6 +348,13 @@ + security.overridePropertiesFile=true + + # ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ ++# + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. + # +--- jdk20/src/java.base/share/lib/security/default.policy 2023-04-19 12:01:23.373922596 +0200 ++++ jdk20/src/java.base/share/lib/security/default.policy 2023-04-19 12:01:48.962080578 +0200 +@@ -124,6 +124,7 @@ + grant codeBase "jrt:/jdk.crypto.ec" { + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "loadLibrary.sunec"; + permission java.security.SecurityPermission "putProviderProperty.SunEC"; + permission java.security.SecurityPermission "clearProviderProperties.SunEC"; +--- jdk20/src/java.base/share/native/libsystemconf/systemconf.c 1970-01-01 01:00:00.000000000 +0100 ++++ jdk20/src/java.base/share/native/libsystemconf/systemconf.c 2023-04-19 12:01:48.962080578 +0200 +@@ -0,0 +1,236 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. @@ -188,6 +941,8 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/linux/native/libsystemconf/sys +#include "jvm_md.h" +#include + ++#ifdef LINUX ++ +#ifdef SYSCONF_NSS +#include +#else @@ -382,807 +1137,19 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/linux/native/libsystemconf/sys + return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); + } +} -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java jdk20u-jdk-20-36/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java ---- jdk20u-jdk-20-36.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java 2023-04-01 12:03:25.459538978 +0200 -+++ jdk20u-jdk-20-36/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java 2023-04-01 12:11:56.850719740 +0200 -@@ -31,6 +31,7 @@ - import java.security.PrivilegedAction; - import java.util.HashMap; - import java.util.List; -+import jdk.internal.access.SharedSecrets; - import static sun.security.util.SecurityConstants.PROVIDER_VER; - import static sun.security.util.SecurityProviderConstants.*; - -@@ -78,6 +79,10 @@ - - public final class SunJCE extends Provider { - -+ private static final boolean systemFipsEnabled = -+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled(); + - @java.io.Serial - private static final long serialVersionUID = 6812507587804302833L; - -@@ -143,6 +148,7 @@ - void putEntries() { - // reuse attribute map and reset before each reuse - HashMap attrs = new HashMap<>(3); -+ if (!systemFipsEnabled) { - attrs.put("SupportedModes", "ECB"); - attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" - + "|OAEPWITHMD5ANDMGF1PADDING" -@@ -422,6 +428,7 @@ - psA("KeyPairGenerator", "DiffieHellman", - "com.sun.crypto.provider.DHKeyPairGenerator", - null); -+ } - - /* - * Algorithm parameter generation engines -@@ -430,6 +437,7 @@ - "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", - null); - -+ if (!systemFipsEnabled) { - /* - * Key Agreement engines - */ -@@ -439,6 +447,7 @@ - psA("KeyAgreement", "DiffieHellman", - "com.sun.crypto.provider.DHKeyAgreement", - attrs); -+ } - - /* - * Algorithm Parameter engines -@@ -531,6 +540,7 @@ - psA("AlgorithmParameters", "ChaCha20-Poly1305", - "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null); - -+ if (!systemFipsEnabled) { - /* - * Key factories - */ -@@ -723,6 +733,7 @@ - "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", - List.of("SunTls12RsaPremasterSecret"), null); - } -+ } - - // Return the instance of this class or create one if needed. - static SunJCE getInstance() { -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/share/classes/java/security/Security.java jdk20u-jdk-20-36/src/java.base/share/classes/java/security/Security.java ---- jdk20u-jdk-20-36.orig/src/java.base/share/classes/java/security/Security.java 2023-04-01 12:03:25.483539125 +0200 -+++ jdk20u-jdk-20-36/src/java.base/share/classes/java/security/Security.java 2023-04-01 12:11:56.854719765 +0200 -@@ -34,6 +34,7 @@ - import jdk.internal.access.JavaSecurityPropertiesAccess; - import jdk.internal.event.EventHelper; - import jdk.internal.event.SecurityPropertyModificationEvent; -+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; - import jdk.internal.access.SharedSecrets; - import jdk.internal.util.StaticProperty; - import sun.security.util.Debug; -@@ -52,12 +53,20 @@ - * @implNote If the properties file fails to load, the JDK implementation will - * throw an unspecified error when initializing the {@code Security} class. - * -+ *

Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ * - * @author Benjamin Renaud - * @since 1.1 - */ - - public final class Security { - -+ private static final String SYS_PROP_SWITCH = -+ "java.security.disableSystemPropertiesFile"; -+ private static final String SEC_PROP_SWITCH = -+ "security.useSystemPropertiesFile"; ++#else // !LINUX + - /* Are we debugging? -- for developers */ - private static final Debug sdebug = - Debug.getInstance("properties"); -@@ -75,6 +84,19 @@ - } - - static { -+ // Initialise here as used by code with system properties disabled -+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -+ new JavaSecuritySystemConfiguratorAccess() { -+ @Override -+ public boolean isSystemFipsEnabled() { -+ return SystemConfigurator.isSystemFipsEnabled(); -+ } -+ @Override -+ public boolean isPlainKeySupportEnabled() { -+ return SystemConfigurator.isPlainKeySupportEnabled(); -+ } -+ }); -+ - // doPrivileged here because there are multiple - // things in initialize that might require privs. - // (the FileInputStream call and the File.exists call, -@@ -96,6 +118,7 @@ - private static void initialize() { - props = new Properties(); - boolean overrideAll = false; -+ boolean systemSecPropsEnabled = false; - - // first load the system properties file - // to determine the value of security.overridePropertiesFile -@@ -124,6 +147,61 @@ - } - } - -+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); -+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); -+ if (sdebug != null) { -+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); -+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); -+ } -+ if (!sysUseProps && secUseProps) { -+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); -+ if (!systemSecPropsEnabled) { -+ if (sdebug != null) { -+ sdebug.println("WARNING: System security properties could not be loaded."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("System security property support disabled by user."); -+ } -+ } -+ -+ // FIPS support depends on the contents of java.security so -+ // ensure it has loaded first -+ if (loadedProps && systemSecPropsEnabled) { -+ boolean shouldEnable; -+ String sysProp = System.getProperty("com.suse.fips"); -+ if (sysProp == null) { -+ shouldEnable = true; -+ if (sdebug != null) { -+ sdebug.println("com.suse.fips unset, using default value of true"); -+ } -+ } else { -+ shouldEnable = Boolean.valueOf(sysProp); -+ if (sdebug != null) { -+ sdebug.println("com.suse.fips set, using its value " + shouldEnable); -+ } -+ } -+ if (shouldEnable) { -+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); -+ if (sdebug != null) { -+ if (fipsEnabled) { -+ sdebug.println("FIPS mode support configured and enabled."); -+ } else { -+ sdebug.println("FIPS mode support disabled."); -+ } -+ } -+ } else { -+ if (sdebug != null ) { -+ sdebug.println("FIPS mode support disabled by user."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("WARNING: FIPS mode support can not be enabled without " + -+ "system security properties being enabled."); -+ } -+ } - } - - private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/share/classes/java/security/SystemConfigurator.java jdk20u-jdk-20-36/src/java.base/share/classes/java/security/SystemConfigurator.java ---- jdk20u-jdk-20-36.orig/src/java.base/share/classes/java/security/SystemConfigurator.java 1970-01-01 01:00:00.000000000 +0100 -+++ jdk20u-jdk-20-36/src/java.base/share/classes/java/security/SystemConfigurator.java 2023-04-01 12:11:56.854719765 +0200 -@@ -0,0 +1,249 @@ -+/* -+ * Copyright (c) 2019, 2021, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package java.security; -+ -+import java.io.BufferedInputStream; -+import java.io.FileInputStream; -+import java.io.IOException; -+ -+import java.util.Iterator; -+import java.util.Map.Entry; -+import java.util.Properties; -+ -+import sun.security.util.Debug; -+ -+/** -+ * Internal class to align OpenJDK with global crypto-policies. -+ * Called from java.security.Security class initialization, -+ * during startup. -+ * -+ */ -+ -+final class SystemConfigurator { -+ -+ private static final Debug sdebug = -+ Debug.getInstance("properties"); -+ -+ private static final String CRYPTO_POLICIES_BASE_DIR = -+ "/etc/crypto-policies"; -+ -+ private static final String CRYPTO_POLICIES_JAVA_CONFIG = -+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; -+ -+ private static boolean systemFipsEnabled = false; -+ private static boolean plainKeySupportEnabled = false; -+ -+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; -+ -+ private static native boolean getSystemFIPSEnabled() -+ throws IOException; -+ -+ static { -+ @SuppressWarnings("removal") -+ var dummy = AccessController.doPrivileged(new PrivilegedAction() { -+ public Void run() { -+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); -+ return null; -+ } -+ }); -+ } -+ -+ /* -+ * Invoked when java.security.Security class is initialized, if -+ * java.security.disableSystemPropertiesFile property is not set and -+ * security.useSystemPropertiesFile is true. -+ */ -+ static boolean configureSysProps(Properties props) { -+ boolean systemSecPropsLoaded = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ systemSecPropsLoaded = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ return systemSecPropsLoaded; -+ } -+ -+ /* -+ * Invoked at the end of java.security.Security initialisation -+ * if java.security properties have been loaded -+ */ -+ static boolean configureFIPS(Properties props) { -+ boolean loadedProps = false; -+ -+ try { -+ if (enableFips()) { -+ if (sdebug != null) { sdebug.println("FIPS mode detected"); } -+ // Remove all security providers -+ Iterator> i = props.entrySet().iterator(); -+ while (i.hasNext()) { -+ Entry e = i.next(); -+ if (((String) e.getKey()).startsWith("security.provider")) { -+ if (sdebug != null) { sdebug.println("Removing provider: " + e); } -+ i.remove(); -+ } -+ } -+ // Add FIPS security providers -+ String fipsProviderValue = null; -+ for (int n = 1; -+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { -+ String fipsProviderKey = "security.provider." + n; -+ if (sdebug != null) { -+ sdebug.println("Adding provider " + n + ": " + -+ fipsProviderKey + "=" + fipsProviderValue); -+ } -+ props.put(fipsProviderKey, fipsProviderValue); -+ } -+ // Add other security properties -+ String keystoreTypeValue = (String) props.get("fips.keystore.type"); -+ if (keystoreTypeValue != null) { -+ String nonFipsKeystoreType = props.getProperty("keystore.type"); -+ props.put("keystore.type", keystoreTypeValue); -+ if (keystoreTypeValue.equals("PKCS11")) { -+ // If keystore.type is PKCS11, javax.net.ssl.keyStore -+ // must be "NONE". See JDK-8238264. -+ System.setProperty("javax.net.ssl.keyStore", "NONE"); -+ } -+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { -+ // If no trustStoreType has been set, use the -+ // previous keystore.type under FIPS mode. In -+ // a default configuration, the Trust Store will -+ // be 'cacerts' (JKS type). -+ System.setProperty("javax.net.ssl.trustStoreType", -+ nonFipsKeystoreType); -+ } -+ if (sdebug != null) { -+ sdebug.println("FIPS mode default keystore.type = " + -+ keystoreTypeValue); -+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -+ System.getProperty("javax.net.ssl.keyStore", "")); -+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + -+ System.getProperty("javax.net.ssl.trustStoreType", "")); -+ } -+ } -+ loadedProps = true; -+ systemFipsEnabled = true; -+ String plainKeySupport = System.getProperty("com.suse.fips.plainKeySupport", -+ "true"); -+ plainKeySupportEnabled = !"false".equals(plainKeySupport); -+ if (sdebug != null) { -+ if (plainKeySupportEnabled) { -+ sdebug.println("FIPS support enabled with plain key support"); -+ } else { -+ sdebug.println("FIPS support enabled without plain key support"); -+ } -+ } -+ } else { -+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } -+ } -+ } catch (Exception e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load FIPS configuration"); -+ e.printStackTrace(); -+ } -+ } -+ return loadedProps; -+ } -+ -+ /** -+ * Returns whether or not global system FIPS alignment is enabled. -+ * -+ * Value is always 'false' before java.security.Security class is -+ * initialized. -+ * -+ * Call from out of this package through SharedSecrets: -+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ * .isSystemFipsEnabled(); -+ * -+ * @return a boolean value indicating whether or not global -+ * system FIPS alignment is enabled. -+ */ -+ static boolean isSystemFipsEnabled() { -+ return systemFipsEnabled; -+ } -+ -+ /** -+ * Returns {@code true} if system FIPS alignment is enabled -+ * and plain key support is allowed. Plain key support is -+ * enabled by default but can be disabled with -+ * {@code -Dcom.suse.fips.plainKeySupport=false}. -+ * -+ * @return a boolean indicating whether plain key support -+ * should be enabled. -+ */ -+ static boolean isPlainKeySupportEnabled() { -+ return plainKeySupportEnabled; -+ } -+ -+ /** -+ * Determines whether FIPS mode should be enabled. -+ * -+ * OpenJDK FIPS mode will be enabled only if the system is in -+ * FIPS mode. -+ * -+ * Calls to this method only occur if the system property -+ * com.suse.fips is not set to false. -+ * -+ * There are 2 possible ways in which OpenJDK detects that the system -+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is -+ * available at OpenJDK's built-time, it is called; 2) otherwise, the -+ * /proc/sys/crypto/fips_enabled file is read. -+ * -+ * @return true if the system is in FIPS mode -+ */ -+ private static boolean enableFips() throws Exception { -+ if (sdebug != null) { -+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); -+ } -+ try { -+ boolean fipsEnabled = getSystemFIPSEnabled(); -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " -+ + fipsEnabled); -+ } -+ return fipsEnabled; -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); -+ sdebug.println(e.getMessage()); -+ } -+ throw e; -+ } -+ } ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ return JNI_FALSE; +} -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java jdk20u-jdk-20-36/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java ---- jdk20u-jdk-20-36.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java 1970-01-01 01:00:00.000000000 +0100 -+++ jdk20u-jdk-20-36/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java 2023-04-01 12:11:56.854719765 +0200 -@@ -0,0 +1,31 @@ -+/* -+ * Copyright (c) 2020, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ + -+package jdk.internal.access; -+ -+public interface JavaSecuritySystemConfiguratorAccess { -+ boolean isSystemFipsEnabled(); -+ boolean isPlainKeySupportEnabled(); -+} -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java jdk20u-jdk-20-36/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ---- jdk20u-jdk-20-36.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java 2023-04-01 12:03:25.511539296 +0200 -+++ jdk20u-jdk-20-36/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java 2023-04-01 12:11:56.854719765 +0200 -@@ -43,6 +43,7 @@ - import java.io.PrintWriter; - import java.io.RandomAccessFile; - import java.security.ProtectionDomain; -+import java.security.Security; - import java.security.Signature; - - /** A repository of "shared secrets", which are a mechanism for -@@ -89,6 +90,7 @@ - private static JavaSecuritySpecAccess javaSecuritySpecAccess; - private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; - private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; -+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; - - public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { - javaUtilCollectionAccess = juca; -@@ -521,4 +523,15 @@ - MethodHandles.lookup().ensureInitialized(c); - } catch (IllegalAccessException e) {} - } -+ -+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { -+ javaSecuritySystemConfiguratorAccess = jssca; -+ } -+ -+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { -+ if (javaSecuritySystemConfiguratorAccess == null) { -+ ensureClassInitialized(Security.class); -+ } -+ return javaSecuritySystemConfiguratorAccess; -+ } - } -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/share/classes/module-info.java jdk20u-jdk-20-36/src/java.base/share/classes/module-info.java ---- jdk20u-jdk-20-36.orig/src/java.base/share/classes/module-info.java 2023-04-01 12:03:25.459538978 +0200 -+++ jdk20u-jdk-20-36/src/java.base/share/classes/module-info.java 2023-04-01 12:11:56.854719765 +0200 -@@ -163,6 +163,7 @@ - java.naming, - java.rmi, - jdk.charsets, -+ jdk.crypto.ec, - jdk.jartool, - jdk.jlink, - jdk.jfr, -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java jdk20u-jdk-20-36/src/java.base/share/classes/sun/security/provider/SunEntries.java ---- jdk20u-jdk-20-36.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java 2023-04-01 12:03:25.539539467 +0200 -+++ jdk20u-jdk-20-36/src/java.base/share/classes/sun/security/provider/SunEntries.java 2023-04-01 12:11:56.854719765 +0200 -@@ -38,6 +38,7 @@ - import java.util.Iterator; - import java.util.LinkedHashSet; - -+import jdk.internal.access.SharedSecrets; - import jdk.internal.util.StaticProperty; - import sun.security.action.GetBooleanAction; - -@@ -91,6 +92,10 @@ - - public final class SunEntries { - -+ private static final boolean systemFipsEnabled = -+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled(); -+ - // the default algo used by SecureRandom class for new SecureRandom() calls - public static final String DEF_SECURE_RANDOM_ALGO; - -@@ -102,6 +107,7 @@ - // common attribute map - HashMap attrs = new HashMap<>(3); - -+ if (!systemFipsEnabled) { - /* - * SecureRandom engines - */ -@@ -195,6 +201,7 @@ - String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; - dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); - addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); -+ } - - /* - * Algorithm Parameter Generator engines -@@ -209,6 +216,7 @@ - addWithAlias(p, "AlgorithmParameters", "DSA", - "sun.security.provider.DSAParameters", attrs); - -+ if (!systemFipsEnabled) { - /* - * Key factories - */ -@@ -245,6 +253,7 @@ - "sun.security.provider.SHA3$SHA384", attrs); - addWithAlias(p, "MessageDigest", "SHA3-512", - "sun.security.provider.SHA3$SHA512", attrs); -+ } - - /* - * Certificates -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java jdk20u-jdk-20-36/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java ---- jdk20u-jdk-20-36.orig/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java 2023-04-01 12:03:25.539539467 +0200 -+++ jdk20u-jdk-20-36/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java 2023-04-01 12:11:56.854719765 +0200 -@@ -27,6 +27,7 @@ - - import java.util.*; - import java.security.Provider; -+import jdk.internal.access.SharedSecrets; - import static sun.security.util.SecurityProviderConstants.getAliases; - - /** -@@ -36,6 +37,10 @@ - */ - public final class SunRsaSignEntries { - -+ private static final boolean systemFipsEnabled = -+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled(); -+ - private void add(Provider p, String type, String algo, String cn, - List aliases, HashMap attrs) { - services.add(new Provider.Service(p, type, algo, cn, -@@ -56,13 +61,17 @@ - // start populating content using the specified provider - // common attribute map - HashMap attrs = new HashMap<>(3); -+ if (!systemFipsEnabled) { - attrs.put("SupportedKeyClasses", - "java.security.interfaces.RSAPublicKey" + - "|java.security.interfaces.RSAPrivateKey"); -+ } - - add(p, "KeyFactory", "RSA", - "sun.security.rsa.RSAKeyFactory$Legacy", - getAliases("PKCS1"), null); -+ -+ if (!systemFipsEnabled) { - add(p, "KeyPairGenerator", "RSA", - "sun.security.rsa.RSAKeyPairGenerator$Legacy", - getAliases("PKCS1"), null); -@@ -92,13 +101,18 @@ - "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); - addA(p, "Signature", "SHA3-512withRSA", - "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); -+ } - - addA(p, "KeyFactory", "RSASSA-PSS", - "sun.security.rsa.RSAKeyFactory$PSS", attrs); -+ -+ if (!systemFipsEnabled) { - addA(p, "KeyPairGenerator", "RSASSA-PSS", - "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); - addA(p, "Signature", "RSASSA-PSS", - "sun.security.rsa.RSAPSSSignature", attrs); -+ } -+ - addA(p, "AlgorithmParameters", "RSASSA-PSS", - "sun.security.rsa.PSSParameters", null); - } -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java jdk20u-jdk-20-36/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java ---- jdk20u-jdk-20-36.orig/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java 2023-04-01 12:03:25.543539491 +0200 -+++ jdk20u-jdk-20-36/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java 2023-04-01 12:11:56.854719765 +0200 -@@ -32,6 +32,7 @@ - import java.util.*; - import java.util.concurrent.locks.ReentrantLock; - import javax.net.ssl.*; -+import jdk.internal.access.SharedSecrets; - import sun.security.action.GetPropertyAction; - import sun.security.provider.certpath.AlgorithmChecker; - import sun.security.validator.Validator; -@@ -530,6 +531,23 @@ - private static final List serverDefaultCipherSuites; - - static { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { - supportedProtocols = Arrays.asList( - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, -@@ -546,6 +564,7 @@ - ProtocolVersion.TLS11, - ProtocolVersion.TLS10 - }); -+ } - - supportedCipherSuites = getApplicableSupportedCipherSuites( - supportedProtocols); -@@ -836,12 +855,23 @@ - ProtocolVersion[] candidates; - if (refactored.isEmpty()) { - // Client and server use the same default protocols. -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ candidates = new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } else { - candidates = new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10 - }; -+ } - } else { - // Use the customized TLS protocols. - candidates = -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/share/classes/sun/security/ssl/SunJSSE.java jdk20u-jdk-20-36/src/java.base/share/classes/sun/security/ssl/SunJSSE.java ---- jdk20u-jdk-20-36.orig/src/java.base/share/classes/sun/security/ssl/SunJSSE.java 2023-04-01 12:03:25.543539491 +0200 -+++ jdk20u-jdk-20-36/src/java.base/share/classes/sun/security/ssl/SunJSSE.java 2023-04-01 12:11:56.854719765 +0200 -@@ -27,6 +27,8 @@ - - import java.security.*; - import java.util.*; -+ -+import jdk.internal.access.SharedSecrets; - import static sun.security.util.SecurityConstants.PROVIDER_VER; - - /** -@@ -102,8 +104,13 @@ - "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); - ps("SSLContext", "TLSv1.2", - "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); -+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. - ps("SSLContext", "TLSv1.3", - "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); -+ } - ps("SSLContext", "TLS", - "sun.security.ssl.SSLContextImpl$TLSContext", - List.of("SSL"), null); -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/share/conf/security/java.security jdk20u-jdk-20-36/src/java.base/share/conf/security/java.security ---- jdk20u-jdk-20-36.orig/src/java.base/share/conf/security/java.security 2023-04-01 12:03:25.555539564 +0200 -+++ jdk20u-jdk-20-36/src/java.base/share/conf/security/java.security 2023-04-01 12:11:56.858719789 +0200 -@@ -87,6 +87,16 @@ - #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg - - # -+# Security providers used when FIPS mode support is active -+# -+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg -+fips.provider.2=SUN -+fips.provider.3=SunEC -+fips.provider.4=SunJSSE -+fips.provider.5=SunJCE -+fips.provider.6=SunRsaSign -+ -+# - # A list of preferred providers for specific algorithms. These providers will - # be searched for matching algorithms before the list of registered providers. - # Entries containing errors (parsing, etc) will be ignored. Use the -@@ -296,6 +306,11 @@ - keystore.type=pkcs12 - - # -+# Default keystore type used when global crypto-policies are set to FIPS. -+# -+fips.keystore.type=PKCS11 -+ -+# - # Controls compatibility mode for JKS and PKCS12 keystore types. - # - # When set to 'true', both JKS and PKCS12 keystore types support loading -@@ -333,6 +348,13 @@ - security.overridePropertiesFile=true - - # -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ -+# - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. - # -diff -urEbwBN jdk20u-jdk-20-36.orig/src/java.base/share/lib/security/default.policy jdk20u-jdk-20-36/src/java.base/share/lib/security/default.policy ---- jdk20u-jdk-20-36.orig/src/java.base/share/lib/security/default.policy 2023-04-01 12:03:25.563539612 +0200 -+++ jdk20u-jdk-20-36/src/java.base/share/lib/security/default.policy 2023-04-01 12:11:56.858719789 +0200 -@@ -124,6 +124,7 @@ - grant codeBase "jrt:/jdk.crypto.ec" { - permission java.lang.RuntimePermission - "accessClassInPackage.sun.security.*"; -+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; - permission java.lang.RuntimePermission "loadLibrary.sunec"; - permission java.security.SecurityPermission "putProviderProperty.SunEC"; - permission java.security.SecurityPermission "clearProviderProperties.SunEC"; -@@ -133,6 +134,7 @@ - grant codeBase "jrt:/jdk.crypto.cryptoki" { - permission java.lang.RuntimePermission - "accessClassInPackage.com.sun.crypto.provider"; -+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; - permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; - permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; - permission java.lang.RuntimePermission -diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java jdk20u-jdk-20-36/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java ---- jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java 1970-01-01 01:00:00.000000000 +0100 -+++ jdk20u-jdk-20-36/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java 2023-04-01 12:11:56.858719789 +0200 -@@ -0,0 +1,490 @@ ++#endif +--- jdk20/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java 1970-01-01 01:00:00.000000000 +0100 ++++ jdk20/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java 2023-04-19 12:01:48.962080578 +0200 +@@ -0,0 +1,461 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. @@ -1223,7 +1190,6 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/se +import javax.crypto.Cipher; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.SecretKeySpec; -+import javax.crypto.spec.DHPrivateKeySpec; +import javax.crypto.spec.IvParameterSpec; + +import sun.security.jca.JCAUtil; @@ -1379,34 +1345,6 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/se + attrsMap.put(CKA_NETSCAPE_DB, + new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); + } -+ } else if (keyType == CKK_DH) { -+ if (debug != null) { -+ debug.println("Importing a Diffie-Hellman private key..."); -+ } -+ if (DHKF == null) { -+ DHKFLock.lock(); -+ try { -+ if (DHKF == null) { -+ DHKF = KeyFactory.getInstance( -+ "DH", P11Util.getSunJceProvider()); -+ } -+ } finally { -+ DHKFLock.unlock(); -+ } -+ } -+ DHPrivateKeySpec spec = new DHPrivateKeySpec -+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO); -+ keyBytes = DHKF.generatePrivate(spec).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } + } else { + if (debug != null) { + debug.println("Unrecognized private key type."); @@ -1673,9 +1611,8 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/se + } + } +} -diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java jdk20u-jdk-20-36/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java ---- jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java 2023-04-01 12:03:26.147543172 +0200 -+++ jdk20u-jdk-20-36/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java 2023-04-01 12:17:27.628814638 +0200 +--- jdk20/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java 2023-04-19 12:01:23.837925460 +0200 ++++ jdk20/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java 2023-04-19 12:01:48.962080578 +0200 @@ -37,6 +37,8 @@ import javax.crypto.interfaces.*; import javax.crypto.spec.*; @@ -1685,29 +1622,30 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/se import sun.security.rsa.RSAUtil.KeyType; import sun.security.rsa.RSAPublicKeyImpl; import sun.security.rsa.RSAPrivateCrtKeyImpl; -@@ -69,6 +71,9 @@ - */ - abstract class P11Key implements Key, Length { +@@ -72,6 +74,9 @@ + @Serial + private static final long serialVersionUID = -2575874101938349339L; + private static final boolean plainKeySupportEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); + - @Serial - private static final long serialVersionUID = -2575874101938349339L; - -@@ -391,8 +396,9 @@ + private static final String PUBLIC = "public"; + private static final String PRIVATE = "private"; + private static final String SECRET = "secret"; +@@ -391,8 +396,10 @@ new CK_ATTRIBUTE(CKA_EXTRACTABLE), }); - boolean keySensitive = (attrs[0].getBoolean() || - attrs[1].getBoolean() || !attrs[2].getBoolean()); -+ boolean keySensitive = (!plainKeySupportEnabled && ++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); ++ boolean keySensitive = (!exportable && + (attrs[0].getBoolean() || + attrs[1].getBoolean() || !attrs[2].getBoolean())); return switch (algorithm) { case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm, -@@ -444,7 +450,8 @@ +@@ -444,7 +451,8 @@ public String getFormat() { token.ensureValid(); @@ -1717,9 +1655,8 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/se return null; } else { return "RAW"; -diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java jdk20u-jdk-20-36/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ---- jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 2023-04-01 12:03:26.147543172 +0200 -+++ jdk20u-jdk-20-36/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 2023-04-01 12:16:59.948639329 +0200 +--- jdk20/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 2023-04-19 12:01:23.841925485 +0200 ++++ jdk20/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 2023-04-19 12:01:48.962080578 +0200 @@ -26,6 +26,9 @@ package sun.security.pkcs11; @@ -1738,9 +1675,9 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/se import jdk.internal.misc.InnocuousThread; import sun.security.util.Debug; import sun.security.util.ResourcesMgr; -@@ -62,6 +66,37 @@ - */ - public final class SunPKCS11 extends AuthProvider { +@@ -65,6 +69,37 @@ + @Serial + private static final long serialVersionUID = -1354835039035306505L; + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); @@ -1773,9 +1710,9 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/se + fipsExportKey = fipsExportKeyTmp; + } + - @Serial - private static final long serialVersionUID = -1354835039035306505L; - + static final Debug debug = Debug.getInstance("sunpkcs11"); + // the PKCS11 object through which we make the native calls + @SuppressWarnings("serial") // Type of field is not Serializable; @@ -325,9 +360,19 @@ // request multithreaded access first initArgs.flags = CKF_OS_LOCKING_OK; @@ -1835,9 +1772,8 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/se } catch (Exception e) { if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { throw new UnsupportedOperationException -diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java jdk20u-jdk-20-36/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java ---- jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java 2023-04-01 12:03:26.151543197 +0200 -+++ jdk20u-jdk-20-36/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java 2023-04-01 12:11:56.862719816 +0200 +--- jdk20/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java 2023-04-19 12:01:23.841925485 +0200 ++++ jdk20/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java 2023-04-19 12:01:48.962080578 +0200 @@ -216,6 +216,14 @@ } @@ -1853,9 +1789,8 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/se * Constructor taking the error code (the CKR_* constants in PKCS#11) and * extra info for error message. */ -diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java jdk20u-jdk-20-36/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ---- jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2023-04-01 12:03:26.147543172 +0200 -+++ jdk20u-jdk-20-36/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2023-04-01 12:11:56.862719816 +0200 +--- jdk20/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2023-04-19 12:01:23.841925485 +0200 ++++ jdk20/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2023-04-19 12:01:48.962080578 +0200 @@ -49,6 +49,9 @@ import java.io.File; @@ -2106,9 +2041,8 @@ diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.cryptoki/share/classes/sun/se + } +} } -diff -urEbwBN jdk20u-jdk-20-36.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java jdk20u-jdk-20-36/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ---- jdk20u-jdk-20-36.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java 2023-04-01 12:03:26.151543197 +0200 -+++ jdk20u-jdk-20-36/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java 2023-04-01 12:12:47.051037667 +0200 +--- jdk20/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java 2023-04-19 12:01:23.841925485 +0200 ++++ jdk20/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java 2023-04-19 12:01:48.966080602 +0200 @@ -34,6 +34,7 @@ import java.util.HashMap; import java.util.List; diff --git a/java-20-openjdk.spec b/java-20-openjdk.spec index c4b3bcf..449c7ba 100644 --- a/java-20-openjdk.spec +++ b/java-20-openjdk.spec @@ -403,7 +403,7 @@ rm -rvf src/java.desktop/share/native/liblcms/lcms2* %endif %patch17 -p1 -# % patch18 -p1 +%patch18 -p1 %patch20 -p1 @@ -480,6 +480,7 @@ bash ../configure \ --disable-keep-packaged-modules \ --with-debug-level=%{debugbuild} \ --with-native-debug-symbols=internal \ + --enable-sysconf-nss \ --with-zlib=system \ --with-libjpeg=system \ --with-giflib=system \ @@ -931,7 +932,7 @@ fi %{_jvmdir}/%{sdkdir}/lib/libprefs.so %{_jvmdir}/%{sdkdir}/lib/librmi.so %{_jvmdir}/%{sdkdir}/lib/libsctp.so -# %{_jvmdir}/%{sdkdir}/lib/libsystemconf.so +%{_jvmdir}/%{sdkdir}/lib/libsystemconf.so %ifarch x86_64 %{_jvmdir}/%{sdkdir}/lib/libjsvml.so %endif