Blame SOURCES/rh1655466-global_crypto_and_fips.patch

d05dfb
diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
d05dfb
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
d05dfb
+++ openjdk/jdk/src/share/classes/java/security/Security.java
d05dfb
@@ -191,27 +191,7 @@
d05dfb
         if (disableSystemProps == null &&
d05dfb
             "true".equalsIgnoreCase(props.getProperty
d05dfb
                 ("security.useSystemPropertiesFile"))) {
d05dfb
-
d05dfb
-            // now load the system file, if it exists, so its values
d05dfb
-            // will win if they conflict with the earlier values
d05dfb
-            try (BufferedInputStream bis =
d05dfb
-                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
d05dfb
-                props.load(bis);
d05dfb
-                loadedProps = true;
d05dfb
-
d05dfb
-                if (sdebug != null) {
d05dfb
-                    sdebug.println("reading system security properties file " +
d05dfb
-                                   SYSTEM_PROPERTIES);
d05dfb
-                    sdebug.println(props.toString());
d05dfb
-                }
d05dfb
-            } catch (IOException e) {
d05dfb
-                if (sdebug != null) {
d05dfb
-                    sdebug.println
d05dfb
-                        ("unable to load security properties from " +
d05dfb
-                         SYSTEM_PROPERTIES);
d05dfb
-                    e.printStackTrace();
d05dfb
-                }
d05dfb
-            }
d05dfb
+            loadedProps = loadedProps && SystemConfigurator.configure(props);
d05dfb
         }
d05dfb
 
d05dfb
         if (!loadedProps) {
d05dfb
diff --git a/src/share/classes/javopenjdk.orig/jdk/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
d05dfb
new file mode 100644
d05dfb
--- /dev/null
d05dfb
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
d05dfb
@@ -0,0 +1,153 @@
d05dfb
+/*
d05dfb
+ * Copyright (c) 2019, Red Hat, Inc.
d05dfb
+ *
d05dfb
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
d05dfb
+ *
d05dfb
+ * This code is free software; you can redistribute it and/or modify it
d05dfb
+ * under the terms of the GNU General Public License version 2 only, as
d05dfb
+ * published by the Free Software Foundation.
d05dfb
+ *
d05dfb
+ * This code is distributed in the hope that it will be useful, but WITHOUT
d05dfb
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
d05dfb
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
d05dfb
+ * version 2 for more details (a copy is included in the LICENSE file that
d05dfb
+ * accompanied this code).
d05dfb
+ *
d05dfb
+ * You should have received a copy of the GNU General Public License version
d05dfb
+ * 2 along with this work; if not, write to the Free Software Foundation,
d05dfb
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
d05dfb
+ *
d05dfb
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
d05dfb
+ * or visit www.oracle.com if you need additional information or have any
d05dfb
+ * questions.
d05dfb
+ */
d05dfb
+
d05dfb
+package java.security;
d05dfb
+
d05dfb
+import java.io.BufferedInputStream;
d05dfb
+import java.io.FileInputStream;
d05dfb
+import java.io.IOException;
d05dfb
+
d05dfb
+import java.nio.file.Files;
d05dfb
+import java.nio.file.FileSystems;
d05dfb
+import java.nio.file.Path;
d05dfb
+
d05dfb
+import java.util.Iterator;
d05dfb
+import java.util.Map.Entry;
d05dfb
+import java.util.Properties;
d05dfb
+import java.util.function.Consumer;
d05dfb
+import java.util.regex.Matcher;
d05dfb
+import java.util.regex.Pattern;
d05dfb
+
d05dfb
+import sun.security.util.Debug;
d05dfb
+
d05dfb
+/**
d05dfb
+ * Internal class to align OpenJDK with global crypto-policies.
d05dfb
+ * Called from java.security.Security class initialization,
d05dfb
+ * during startup.
d05dfb
+ *
d05dfb
+ */
d05dfb
+
d05dfb
+class SystemConfigurator {
d05dfb
+
d05dfb
+    private static final Debug sdebug =
d05dfb
+            Debug.getInstance("properties");
d05dfb
+
d05dfb
+    private static final String CRYPTO_POLICIES_BASE_DIR =
d05dfb
+            "/etc/crypto-policies";
d05dfb
+
d05dfb
+    private static final String CRYPTO_POLICIES_JAVA_CONFIG =
d05dfb
+            CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
d05dfb
+
d05dfb
+    private static final String CRYPTO_POLICIES_CONFIG =
d05dfb
+            CRYPTO_POLICIES_BASE_DIR + "/config";
d05dfb
+
d05dfb
+    private static final class SecurityProviderInfo {
d05dfb
+        int number;
d05dfb
+        String key;
d05dfb
+        String value;
d05dfb
+        SecurityProviderInfo(int number, String key, String value) {
d05dfb
+            this.number = number;
d05dfb
+            this.key = key;
d05dfb
+            this.value = value;
d05dfb
+        }
d05dfb
+    }
d05dfb
+
d05dfb
+    /*
d05dfb
+     * Invoked when java.security.Security class is initialized, if
d05dfb
+     * java.security.disableSystemPropertiesFile property is not set and
d05dfb
+     * security.useSystemPropertiesFile is true.
d05dfb
+     */
d05dfb
+    static boolean configure(Properties props) {
d05dfb
+        boolean loadedProps = false;
d05dfb
+
d05dfb
+        try (BufferedInputStream bis =
d05dfb
+                new BufferedInputStream(
d05dfb
+                        new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
d05dfb
+            props.load(bis);
d05dfb
+            loadedProps = true;
d05dfb
+            if (sdebug != null) {
d05dfb
+                sdebug.println("reading system security properties file " +
d05dfb
+                        CRYPTO_POLICIES_JAVA_CONFIG);
d05dfb
+                sdebug.println(props.toString());
d05dfb
+            }
d05dfb
+        } catch (IOException e) {
d05dfb
+            if (sdebug != null) {
d05dfb
+                sdebug.println("unable to load security properties from " +
d05dfb
+                        CRYPTO_POLICIES_JAVA_CONFIG);
d05dfb
+                e.printStackTrace();
d05dfb
+            }
d05dfb
+        }
d05dfb
+
d05dfb
+        try {
d05dfb
+            if (enableFips()) {
d05dfb
+                if (sdebug != null) { sdebug.println("FIPS mode detected"); }
d05dfb
+                loadedProps = false;
d05dfb
+                // Remove all security providers
d05dfb
+                Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
d05dfb
+                while (i.hasNext()) {
d05dfb
+                    Entry<Object, Object> e = i.next();
d05dfb
+                    if (((String) e.getKey()).startsWith("security.provider")) {
d05dfb
+                        if (sdebug != null) { sdebug.println("Removing provider: " + e); }
d05dfb
+                        i.remove();
d05dfb
+                    }
d05dfb
+                }
d05dfb
+                // Add FIPS security providers
d05dfb
+                String fipsProviderValue = null;
d05dfb
+                for (int n = 1;
d05dfb
+                     (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
d05dfb
+                    String fipsProviderKey = "security.provider." + n;
d05dfb
+                    if (sdebug != null) {
d05dfb
+                        sdebug.println("Adding provider " + n + ": " +
d05dfb
+                                fipsProviderKey + "=" + fipsProviderValue);
d05dfb
+                    }
d05dfb
+                    props.put(fipsProviderKey, fipsProviderValue);
d05dfb
+                }
d05dfb
+                loadedProps = true;
d05dfb
+            }
d05dfb
+        } catch (Exception e) {
d05dfb
+            if (sdebug != null) {
d05dfb
+                sdebug.println("unable to load FIPS configuration");
d05dfb
+                e.printStackTrace();
d05dfb
+            }
d05dfb
+        }
d05dfb
+        return loadedProps;
d05dfb
+    }
d05dfb
+
d05dfb
+    /*
d05dfb
+     * FIPS is enabled only if crypto-policies are set to "FIPS"
d05dfb
+     * and the com.redhat.fips property is true.
d05dfb
+     */
d05dfb
+    private static boolean enableFips() throws Exception {
d05dfb
+	boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "false"));
d05dfb
+	if (fipsEnabled) {
d05dfb
+	    Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
d05dfb
+	    String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
d05dfb
+	    if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
d05dfb
+	    Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
d05dfb
+	    return pattern.matcher(cryptoPoliciesConfig).find();
d05dfb
+	} else {
d05dfb
+	    return false;
d05dfb
+	}
d05dfb
+    }
d05dfb
+}
d05dfb
diff --git openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux
d05dfb
--- openjdk.orig/jdk/src/share/lib/security/java.security-linux
d05dfb
+++ openjdk/jdk/src/share/lib/security/java.security-linux
d05dfb
@@ -77,6 +77,14 @@
d05dfb
 #security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
d05dfb
 
d05dfb
 #
d05dfb
+# Security providers used when global crypto-policies are set to FIPS.
d05dfb
+#
d05dfb
+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
d05dfb
+fips.provider.2=sun.security.provider.Sun
d05dfb
+fips.provider.3=sun.security.ec.SunEC
d05dfb
+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
d05dfb
+
d05dfb
+#
d05dfb
 # Sun Provider SecureRandom seed source.
d05dfb
 #
d05dfb
 # Select the primary source of seed data for the "SHA1PRNG" and