commit aaf92165ad1cbb1c9818eb60178c91293e13b053

Author: Andrew John Hughes <andrew@openjdk.org>

Date:   Mon Jan 24 15:13:14 2022 +0000

    RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support

diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java

index fa494b680f..b5aa5c749d 100644

--- openjdk.orig/jdk/src/share/classes/java/security/Security.java

+++ openjdk/jdk/src/share/classes/java/security/Security.java

@@ -57,10 +57,6 @@ public final class Security {

     private static final Debug sdebug =

                         Debug.getInstance("properties");

-    /* System property file*/

-    private static final String SYSTEM_PROPERTIES =

-        "/etc/crypto-policies/back-ends/java.config";

-

     /* The java.security properties */

     private static Properties props;

@@ -202,13 +198,6 @@ public final class Security {

             }

         }

-        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");

-        if (disableSystemProps == null &&

-            "true".equalsIgnoreCase(props.getProperty

-                ("security.useSystemPropertiesFile"))) {

-            loadedProps = loadedProps && SystemConfigurator.configure(props);

-        }

-

         if (!loadedProps) {

             initializeStatic();

             if (sdebug != null) {

@@ -217,6 +206,28 @@ public final class Security {

             }

         }

+        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");

+        if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&

+            "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {

+            if (!SystemConfigurator.configureSysProps(props)) {

+                if (sdebug != null) {

+                    sdebug.println("WARNING: System properties could not be loaded.");

+                }

+            }

+        }

+

+        // FIPS support depends on the contents of java.security so

+        // ensure it has loaded first

+        if (loadedProps) {

+            boolean fipsEnabled = SystemConfigurator.configureFIPS(props);

+             if (sdebug != null) {

+                if (fipsEnabled) {

+                    sdebug.println("FIPS support enabled.");

+                } else {

+                    sdebug.println("FIPS support disabled.");

+                }

+             }

+        }

     }

     /*

diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java

index d1f677597d..7da65b1d2c 100644

--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java

+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java

@@ -76,7 +76,7 @@ final class SystemConfigurator {

      * java.security.disableSystemPropertiesFile property is not set and

      * security.useSystemPropertiesFile is true.

      */

-    static boolean configure(Properties props) {

+    static boolean configureSysProps(Properties props) {

         boolean loadedProps = false;

         try (BufferedInputStream bis =

@@ -96,11 +96,19 @@ final class SystemConfigurator {

                 e.printStackTrace();

             }

         }

+        return loadedProps;

+    }

+

+    /*

+     * Invoked at the end of java.security.Security initialisation

+     * if java.security properties have been loaded

+     */

+    static boolean configureFIPS(Properties props) {

+        boolean loadedProps = false;

         try {

             if (enableFips()) {

                 if (sdebug != null) { sdebug.println("FIPS mode detected"); }

-                loadedProps = false;

                 // Remove all security providers

                 Iterator<Entry<Object, Object>> i = props.entrySet().iterator();

                 while (i.hasNext()) {