rpms / java-1.8.0-openjdk

Clone
Source Code
GIT

Blame SOURCES/rh1760838-fips_default_keystore_type.patch

c7 c7-alt c7-armhfp c7-beta c8 c8-beta c8-containeronly-stream-flatpak c8s c9 c9-beta
  1.   53c576f2245205d63bd1e81318dc701fb985851d
  2.   SOURCES
  3.   rh1760838-fips_default_keystore_type.patch
Blob History Raw
53c576 
diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
53c576 
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java	Thu Jan 23 18:22:31 2020 -0300
53c576 
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java	Mon Mar 02 19:20:17 2020 -0300
53c576 
@@ -123,6 +123,33 @@
53c576 
                     }
53c576 
                     props.put(fipsProviderKey, fipsProviderValue);
53c576 
                 }
53c576 
+                // Add other security properties
53c576 
+                String keystoreTypeValue = (String) props.get("fips.keystore.type");
53c576 
+                if (keystoreTypeValue != null) {
53c576 
+                    String nonFipsKeystoreType = props.getProperty("keystore.type");
53c576 
+                    props.put("keystore.type", keystoreTypeValue);
53c576 
+                    if (keystoreTypeValue.equals("PKCS11")) {
53c576 
+                    	// If keystore.type is PKCS11, javax.net.ssl.keyStore
53c576 
+                    	// must be "NONE". See JDK-8238264.
53c576 
+                    	System.setProperty("javax.net.ssl.keyStore", "NONE");
53c576 
+                    }
53c576 
+                    if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
53c576 
+                        // If no trustStoreType has been set, use the
53c576 
+                        // previous keystore.type under FIPS mode. In
53c576 
+                        // a default configuration, the Trust Store will
53c576 
+                        // be 'cacerts' (JKS type).
53c576 
+                        System.setProperty("javax.net.ssl.trustStoreType",
53c576 
+                                nonFipsKeystoreType);
53c576 
+                    }
53c576 
+                    if (sdebug != null) {
53c576 
+                        sdebug.println("FIPS mode default keystore.type = " +
53c576 
+                                keystoreTypeValue);
53c576 
+                        sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
53c576 
+                        		System.getProperty("javax.net.ssl.keyStore", ""));
53c576 
+                        sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
53c576 
+                                System.getProperty("javax.net.ssl.trustStoreType", ""));
53c576 
+                    }
53c576 
+                }
53c576 
                 loadedProps = true;
53c576 
             }
53c576 
         } catch (Exception e) {
53c576 
diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
53c576 
--- openjdk.orig/jdk/src/share/lib/security/java.security-linux	Thu Jan 23 18:22:31 2020 -0300
53c576 
+++ openjdk/jdk/src/share/lib/security/java.security-linux	Mon Mar 02 19:20:17 2020 -0300
53c576 
@@ -179,6 +179,11 @@
53c576 
 keystore.type=jks
53c576
53c576 
 #
53c576 
+# Default keystore type used when global crypto-policies are set to FIPS.
53c576 
+#
53c576 
+fips.keystore.type=PKCS11
53c576 
+
53c576 
+#
53c576 
 # Controls compatibility mode for the JKS keystore type.
53c576 
 #
53c576 
 # When set to 'true', the JKS keystore type supports loading

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation