diff --git a/.gitignore b/.gitignore
index 09a127e..6bb5934 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u332-b09-4curve.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u342-b07-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index 03f54ee..93dbbb4 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-a93b3d0fd5da1f95f22c85003fd3d4007e69ab32 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u332-b09-4curve.tar.xz
+8c536a306b06fa2d7e6805c4f1a6f79776357926 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u342-b07-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index 7933b93..afb5e24 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,122 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 8u342 (2022-07-19):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk8u342
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u342.txt
+
+* Security fixes
+ - JDK-8272243: Improve DER parsing
+ - JDK-8272249: Better properties of loaded Properties
+ - JDK-8277608: Address IP Addressing
+ - JDK-8281859, CVE-2022-21540: Improve class compilation
+ - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+ - JDK-8283190: Improve MIDI processing
+ - JDK-8284370: Improve zlib usage
+ - JDK-8285407, CVE-2022-34169: Improve Xalan supports
+* Other changes
+ - JDK-8031567: Better model for storing source revision information
+ - JDK-8076190: Customizing the generation of a PKCS12 keystore
+ - JDK-8129572: Cleanup usage of getResourceAsStream in jaxp
+ - JDK-8132256: jaxp: Investigate removal of com/sun/org/apache/bcel/internal/util/ClassPath.java
+ - JDK-8168926: C2: Bytecode escape analyzer crashes due to stack overflow
+ - JDK-8170385: JDK-8031567 broke source bundles
+ - JDK-8170392: JDK-8031567 broke builds from source bundles
+ - JDK-8170530: bash configure output contains a typo in a suggested library name
+ - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
+ - JDK-8194154: System property user.dir should not be changed
+ - JDK-8202142: jfr/event/io/TestInstrumentation is unstable
+ - JDK-8209771: jdk.test.lib.Utils::runAndCheckException error
+ - JDK-8221988: add possibility to build with Visual Studio 2019
+ - JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp
+ - JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target
+ - JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file
+ - JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty"
+ - JDK-8248876: LoadObject with bad base address created for exec file on linux
+ - JDK-8253424: Add support for running pre-submit testing using GitHub Actions
+ - JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably
+ - JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command
+ - JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow
+ - JDK-8254175: Build no-pch configuration in debug mode for submit checks
+ - JDK-8254282: Add Linux x86_32 builds to submit workflow
+ - JDK-8255239: The timezone of the hs_err_pid log file is corrupted in Japanese locale
+ - JDK-8255305: Add Linux x86_32 tier1 to submit workflow
+ - JDK-8255352: Archive important test outputs in submit workflow
+ - JDK-8255373: Submit workflow artifact name is always "test-results_.zip"
+ - JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch
+ - JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow
+ - JDK-8256277: Github Action build on macOS should define OS and Xcode versions
+ - JDK-8256354: Github Action build on Windows should define OS and MSVC versions
+ - JDK-8256393: Github Actions build on Linux should define OS and GCC versions
+ - JDK-8256414: add optimized build to submit workflow
+ - JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing
+ - JDK-8257056: Submit workflow should apt-get update to avoid package installation errors
+ - JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386"
+ - JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386"
+ - JDK-8261107: ArrayIndexOutOfBoundsException in the ICC_Profile.getInstance(InputStream)
+ - JDK-8263667: Avoid running GitHub actions on branches named pr/*
+ - JDK-8266187: Memory leak in appendBootClassPath()
+ - JDK-8274658: ISO 4217 Amendment 170 Update
+ - JDK-8274751: Drag And Drop hangs on Windows
+ - JDK-8278138: OpenJDK8 fails to start on Windows 8.1 after upgrading compiler to VS2017
+ - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
+ - JDK-8281814: Debuginfo.diz contains redundant build path after backport JDK-8025936
+ - JDK-8282225: GHA: Allow one concurrent run per PR only
+ - JDK-8282458: Update .jcheck/conf file for 8u move to git
+ - JDK-8282552: Bump update version of OpenJDK: 8u342
+ - JDK-8283350: (tz) Update Timezone Data to 2022a
+ - JDK-8284620: CodeBuffer may leak _overflow_arena
+ - JDK-8284772: 8u GHA: Use GCC Major Version Dependencies Only
+ - JDK-8285445: cannot open file "NUL:"
+ - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+ - JDK-8285591: [11] add signum checks in DSA.java engineVerify
+ - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
+ - JDK-8286989: Build failure on macOS after 8281814
+ - JDK-8287537: 8u JDK-8284620 backport broke AArch64 build
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8215293: Customizing PKCS12 keystore Generation
+===================================================
+New system and security properties have been added to enable users to
+customize the generation of PKCS #12 keystores. This includes
+algorithms and parameters for key protection, certificate protection,
+and MacData. The detailed explanation and possible values for these
+properties can be found in the "PKCS12 KeyStore properties" section of
+the `java.security` file.
+
+Also, support for the following SHA-2 based HmacPBE algorithms has
+been added to the SunJCE provider:
+
+* HmacPBESHA224
+* HmacPBESHA256
+* HmacPBESHA384
+* HmacPBESHA512
+* HmacPBESHA512/224
+* HmacPBESHA512/256
+
+core-libs/java.io:
+
+JDK-8285660: Enable Windows Alternate Data Streams by default
+=============================================================
+The Windows implementation of `java.io.File` has been changed so that
+strict validity checks are **not** performed by default on file
+paths. This includes allowing colons (':') in the path other than only
+immediately after a single drive letter. It also allows paths that
+represent NTFS Alternate Data Streams (ADS), such as
+"filename:streamname". This restores the default behavior of
+`java.io.File` to what it was prior to the April 2022 CPU in which
+strict validity checks were not performed by default on file paths on
+Windows. To re-enable strict path checking in `java.io.File`, the
+system property `jdk.io.File.enableADS` should be set to `false` (case
+ignored). This might be preferable, for example, if Windows special
+device paths such as `NUL:` are *not* used.
+
New in release OpenJDK 8u332 (2022-04-22):
===========================================
Live versions of these release notes can be found at:
diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java
index 06a0b07..552bd0f 100644
--- a/SOURCES/TestSecurityProperties.java
+++ b/SOURCES/TestSecurityProperties.java
@@ -9,35 +9,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+ private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
+
+ private static final String MSG_PREFIX = "DEBUG: ";
+
public static void main(String[] args) {
+ if (args.length == 0) {
+ System.err.println("TestSecurityProperties ");
+ System.err.println("Invoke with 'true' if system security properties should be enabled.");
+ System.err.println("Invoke with 'false' if system security properties should be disabled.");
+ System.exit(1);
+ }
+ boolean enabled = Boolean.valueOf(args[0]);
+ System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
+ if (enabled) {
+ loadPolicy(jdkProps);
+ }
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
- String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
- System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
-
+
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
- System.out.println("Debug: Java version is " + javaVersion);
+ System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
- try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ try (FileInputStream fin = new FileInputStream(propsFile)) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+
+ private static void loadPolicy(Properties props) {
+ try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
+
}
diff --git a/SOURCES/fips-8u-8e8bbf0ff74.patch b/SOURCES/fips-8u-8e8bbf0ff74.patch
new file mode 100644
index 0000000..2379d45
--- /dev/null
+++ b/SOURCES/fips-8u-8e8bbf0ff74.patch
@@ -0,0 +1,2007 @@
+diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac
+index 151e5a109f8..a8761b500e0 100644
+--- a/common/autoconf/configure.ac
++++ b/common/autoconf/configure.ac
+@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE
+ LIB_SETUP_ALSA
+ LIB_SETUP_FONTCONFIG
+ LIB_SETUP_MISC_LIBS
++LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_STATIC_LINK_LIBSTDCPP
+ LIB_SETUP_ON_WINDOWS
+
+diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
+index e77ce854dc5..ec6e9b27ca5 100644
+--- a/common/autoconf/generated-configure.sh
++++ b/common/autoconf/generated-configure.sh
+@@ -651,6 +651,9 @@ LLVM_CONFIG
+ LIBFFI_LIBS
+ LIBFFI_CFLAGS
+ STATIC_CXX_SETTING
++USE_SYSCONF_NSS
++NSS_LIBS
++NSS_CFLAGS
+ LIBDL
+ LIBM
+ LIBZIP_CAN_USE_MMAP
+@@ -1111,6 +1114,7 @@ with_fontconfig
+ with_fontconfig_include
+ with_giflib
+ with_zlib
++enable_sysconf_nss
+ with_stdc__lib
+ with_msvcr_dll
+ with_msvcp_dll
+@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS
+ FREETYPE_LIBS
+ ALSA_CFLAGS
+ ALSA_LIBS
++NSS_CFLAGS
++NSS_LIBS
+ LIBFFI_CFLAGS
+ LIBFFI_LIBS
+ CCACHE'
+@@ -1871,6 +1877,8 @@ Optional Features:
+ disable bundling of the freetype library with the
+ build result [enabled on Windows or when using
+ --with-freetype, disabled otherwise]
++ --enable-sysconf-nss build the System Configurator (libsysconf) using the
++ system NSS library if available [disabled]
+ --enable-sjavac use sjavac to do fast incremental compiles
+ [disabled]
+ --disable-precompiled-headers
+@@ -2115,6 +2123,8 @@ Some influential environment variables:
+ linker flags for FREETYPE, overriding pkg-config
+ ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config
+ ALSA_LIBS linker flags for ALSA, overriding pkg-config
++ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config
++ NSS_LIBS linker flags for NSS, overriding pkg-config
+ LIBFFI_CFLAGS
+ C compiler flags for LIBFFI, overriding pkg-config
+ LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config
+@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; }
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+ } # ac_fn_c_check_header_compile
++
++# ac_fn_c_try_link LINENO
++# -----------------------
++# Try to link conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_link ()
++{
++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++ rm -f conftest.$ac_objext conftest$ac_exeext
++ if { { ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++ (eval "$ac_link") 2>conftest.err
++ ac_status=$?
++ if test -s conftest.err; then
++ grep -v '^ *+' conftest.err >conftest.er1
++ cat conftest.er1 >&5
++ mv -f conftest.er1 conftest.err
++ fi
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest$ac_exeext && {
++ test "$cross_compiling" = yes ||
++ test -x conftest$ac_exeext
++ }; then :
++ ac_retval=0
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_retval=1
++fi
++ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
++ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
++ # interfere with the next link command; also delete a directory that is
++ # left behind by Apple's compiler. We do this before executing the actions.
++ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
++ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
++ as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_link
+ cat >config.log <<_ACEOF
+ This file contains any messages produced by compilers while
+ running configure, to aid debugging if configure makes a mistake.
+@@ -4049,6 +4105,11 @@ fi
+
+
+
++################################################################################
++# Setup system configuration libraries
++################################################################################
++
++
+ #
+ # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+ # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+@@ -49290,6 +49351,157 @@ fi
+ LIBS="$save_LIBS"
+
+
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5
++$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; }
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ # Check whether --enable-sysconf-nss was given.
++if test "${enable_sysconf_nss+set}" = set; then :
++ enableval=$enable_sysconf_nss;
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++
++else
++
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++
++fi
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5
++$as_echo "$sysconf_nss" >&6; }
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++
++pkg_failed=no
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5
++$as_echo_n "checking for NSS... " >&6; }
++
++if test -n "$NSS_CFLAGS"; then
++ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS"
++ elif test -n "$PKG_CONFIG"; then
++ if test -n "$PKG_CONFIG" && \
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5
++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then
++ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null`
++else
++ pkg_failed=yes
++fi
++ else
++ pkg_failed=untried
++fi
++if test -n "$NSS_LIBS"; then
++ pkg_cv_NSS_LIBS="$NSS_LIBS"
++ elif test -n "$PKG_CONFIG"; then
++ if test -n "$PKG_CONFIG" && \
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5
++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then
++ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null`
++else
++ pkg_failed=yes
++fi
++ else
++ pkg_failed=untried
++fi
++
++
++
++if test $pkg_failed = yes; then
++
++if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
++ _pkg_short_errors_supported=yes
++else
++ _pkg_short_errors_supported=no
++fi
++ if test $_pkg_short_errors_supported = yes; then
++ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1`
++ else
++ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1`
++ fi
++ # Put the nasty error message in config.log where it belongs
++ echo "$NSS_PKG_ERRORS" >&5
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++ NSS_FOUND=no
++elif test $pkg_failed = untried; then
++ NSS_FOUND=no
++else
++ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS
++ NSS_LIBS=$pkg_cv_NSS_LIBS
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++ NSS_FOUND=yes
++fi
++ if test "x${NSS_FOUND}" = "xyes"; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5
++$as_echo_n "checking for system FIPS support in NSS... " >&6; }
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ ac_ext=c
++ac_cpp='$CPP $CPPFLAGS'
++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_c_compiler_gnu
++
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include
++int
++main ()
++{
++SECMOD_GetSystemFIPSEnabled()
++ ;
++ return 0;
++}
++_ACEOF
++if ac_fn_c_try_link "$LINENO"; then :
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++else
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5
++fi
++rm -f core conftest.err conftest.$ac_objext \
++ conftest$ac_exeext conftest.$ac_ext
++ ac_ext=cpp
++ac_cpp='$CXXCPP $CPPFLAGS'
++ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
++
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5
++ fi
++ fi
++
++
++
+ ###############################################################################
+ #
+ # statically link libstdc++ before C++ ABI is stablized on Linux unless
+diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4
+index 6efae578ea9..0080846255b 100644
+--- a/common/autoconf/libraries.m4
++++ b/common/autoconf/libraries.m4
+@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS],
+ BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
+ fi
+ ])
++
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
+index 506cf617087..7241593b1a4 100644
+--- a/common/autoconf/spec.gmk.in
++++ b/common/autoconf/spec.gmk.in
+@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@
+ ALSA_LIBS:=@ALSA_LIBS@
+ ALSA_CFLAGS:=@ALSA_CFLAGS@
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ PACKAGE_PATH=@PACKAGE_PATH@
+
+ # Source file for cacerts
+diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl
+index 3b79a526f56..d2a0e39b206 100644
+--- a/common/bin/compare_exceptions.sh.incl
++++ b/common/bin/compare_exceptions.sh.incl
+@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/i386/libsplashscreen.so
+ ./jre/lib/i386/libsunec.so
+ ./jre/lib/i386/libsunwjdga.so
++./jre/lib/i386/libsystemconf.so
+ ./jre/lib/i386/libt2k.so
+ ./jre/lib/i386/libunpack.so
+ ./jre/lib/i386/libverify.so
+@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/amd64/libsplashscreen.so
+ ./jre/lib/amd64/libsunec.so
+ ./jre/lib/amd64/libsunwjdga.so
++//jre/lib/amd64/libsystemconf.so
+ ./jre/lib/amd64/libt2k.so
+ ./jre/lib/amd64/libunpack.so
+ ./jre/lib/amd64/libverify.so
+@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/sparc/libsplashscreen.so
+ ./jre/lib/sparc/libsunec.so
+ ./jre/lib/sparc/libsunwjdga.so
++./jre/lib/sparc/libsystemconf.so
+ ./jre/lib/sparc/libt2k.so
+ ./jre/lib/sparc/libunpack.so
+ ./jre/lib/sparc/libverify.so
+@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/sparcv9/libsplashscreen.so
+ ./jre/lib/sparcv9/libsunec.so
+ ./jre/lib/sparcv9/libsunwjdga.so
++./jre/lib/sparcv9/libsystemconf.so
+ ./jre/lib/sparcv9/libt2k.so
+ ./jre/lib/sparcv9/libunpack.so
+ ./jre/lib/sparcv9/libverify.so
+diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml
+index d2beed0b93a..3b6aef98d9a 100644
+--- a/common/nb_native/nbproject/configurations.xml
++++ b/common/nb_native/nbproject/configurations.xml
+@@ -53,6 +53,9 @@
+ jvmtiEnterTrace.cpp
+
+
++
++ systemconf.c
++
+
+
+
+@@ -12772,6 +12775,11 @@
+ tool="0"
+ flavor2="0">
+
++ -
++
+ - Additional default values of security properties are read from a
++ * system-specific location, if available.
++ *
+ * @author Benjamin Renaud
+ */
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -62,6 +72,19 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -78,6 +101,7 @@ public final class Security {
+ props = new Properties();
+ boolean loadedProps = false;
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -93,6 +117,7 @@ public final class Security {
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -187,6 +212,61 @@ public final class Security {
+ }
+ }
+
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System security properties could not be loaded.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
++ }
++
++ // FIPS support depends on the contents of java.security so
++ // ensure it has loaded first
++ if (loadedProps && systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
++ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
++ }
++ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
++ }
++ }
+ }
+
+ /*
+diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+index 00000000000..a24a0445db2
+--- /dev/null
++++ b/jdk/src/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,248 @@
++/*
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++final class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ AccessController.doPrivileged(new PrivilegedAction() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configureSysProps(Properties props) {
++ boolean systemSecPropsLoaded = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ systemSecPropsLoaded = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++ return systemSecPropsLoaded;
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ // Remove all security providers
++ Iterator> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
++ loadedProps = true;
++ systemFipsEnabled = true;
++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
++ "true");
++ plainKeySupportEnabled = !"false".equals(plainKeySupport);
++ if (sdebug != null) {
++ if (plainKeySupportEnabled) {
++ sdebug.println("FIPS support enabled with plain key support");
++ } else {
++ sdebug.println("FIPS support enabled without plain key support");
++ }
++ }
++ } else {
++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
++ /**
++ * Returns {@code true} if system FIPS alignment is enabled
++ * and plain key support is allowed. Plain key support is
++ * enabled by default but can be disabled with
++ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
++ *
++ * @return a boolean indicating whether plain key support
++ * should be enabled.
++ */
++ static boolean isPlainKeySupportEnabled() {
++ return plainKeySupportEnabled;
++ }
++
++ /**
++ * Determines whether FIPS mode should be enabled.
++ *
++ * OpenJDK FIPS mode will be enabled only if the system is in
++ * FIPS mode.
++ *
++ * Calls to this method only occur if the system property
++ * com.redhat.fips is not set to false.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
++ *
++ * @return true if the system is in FIPS mode
++ */
++ private static boolean enableFips() throws IOException {
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ boolean fipsEnabled = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + fipsEnabled);
++ }
++ return fipsEnabled;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
++ }
++}
+diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
+new file mode 100644
+index 00000000000..5c30a8b29c7
+--- /dev/null
++++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
+@@ -0,0 +1,31 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.misc;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++ boolean isPlainKeySupportEnabled();
++}
+diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java
+index f065a2c685d..0dafe6f59cf 100644
+--- a/jdk/src/share/classes/sun/misc/SharedSecrets.java
++++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java
+@@ -31,6 +31,7 @@ import java.io.Console;
+ import java.io.FileDescriptor;
+ import java.io.ObjectInputStream;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ import java.security.AccessController;
+@@ -63,6 +64,7 @@ public class SharedSecrets {
+ private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
+ private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
+ private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static JavaUtilJarAccess javaUtilJarAccess() {
+ if (javaUtilJarAccess == null) {
+@@ -248,4 +250,15 @@ public class SharedSecrets {
+ }
+ return javaxCryptoSealedObjectAccess;
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ unsafe.ensureClassInitialized(Security.class);
++ }
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
+diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+new file mode 100644
+index 00000000000..14d19450390
+--- /dev/null
++++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+@@ -0,0 +1,290 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.math.BigInteger;
++import java.security.KeyFactory;
++import java.security.Provider;
++import java.security.Security;
++import java.util.HashMap;
++import java.util.Map;
++import java.util.concurrent.locks.ReentrantLock;
++
++import javax.crypto.Cipher;
++import javax.crypto.spec.DHPrivateKeySpec;
++import javax.crypto.spec.IvParameterSpec;
++
++import sun.security.jca.JCAUtil;
++import sun.security.pkcs11.TemplateManager;
++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
++import sun.security.pkcs11.wrapper.CK_MECHANISM;
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.rsa.RSAUtil.KeyType;
++import sun.security.util.Debug;
++import sun.security.util.ECUtil;
++
++final class FIPSKeyImporter {
++
++ private static final Debug debug =
++ Debug.getInstance("sunpkcs11");
++
++ private static P11Key importerKey = null;
++ private static final ReentrantLock importerKeyLock = new ReentrantLock();
++ private static CK_MECHANISM importerKeyMechanism = null;
++ private static Cipher importerCipher = null;
++
++ private static Provider sunECProvider = null;
++ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
++
++ private static KeyFactory DHKF = null;
++ private static final ReentrantLock DHKFLock = new ReentrantLock();
++
++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
++ throws PKCS11Exception {
++ long keyID = -1;
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be imported in" +
++ " system FIPS mode.");
++ }
++ if (importerKey == null) {
++ importerKeyLock.lock();
++ try {
++ if (importerKey == null) {
++ if (importerKeyMechanism == null) {
++ // Importer Key creation has not been tried yet. Try it.
++ createImporterKey(token);
++ }
++ if (importerKey == null || importerCipher == null) {
++ if (debug != null) {
++ debug.println("Importer Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ if (debug != null) {
++ debug.println("Importer Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ importerKeyLock.unlock();
++ }
++ }
++ long importerKeyID = importerKey.getKeyID();
++ try {
++ byte[] keyBytes = null;
++ byte[] encKeyBytes = null;
++ long keyClass = 0L;
++ long keyType = 0L;
++ Map attrsMap = new HashMap<>();
++ for (CK_ATTRIBUTE attr : attributes) {
++ if (attr.type == CKA_CLASS) {
++ keyClass = attr.getLong();
++ } else if (attr.type == CKA_KEY_TYPE) {
++ keyType = attr.getLong();
++ }
++ attrsMap.put(attr.type, attr);
++ }
++ BigInteger v = null;
++ if (keyClass == CKO_PRIVATE_KEY) {
++ if (keyType == CKK_RSA) {
++ if (debug != null) {
++ debug.println("Importing an RSA private key...");
++ }
++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
++ KeyType.RSA,
++ null,
++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ } else if (keyType == CKK_DSA) {
++ if (debug != null) {
++ debug.println("Importing a DSA private key...");
++ }
++ keyBytes = new sun.security.provider.DSAPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_EC) {
++ if (debug != null) {
++ debug.println("Importing an EC private key...");
++ }
++ if (sunECProvider == null) {
++ sunECProviderLock.lock();
++ try {
++ if (sunECProvider == null) {
++ sunECProvider = Security.getProvider("SunEC");
++ }
++ } finally {
++ sunECProviderLock.unlock();
++ }
++ }
++ keyBytes = P11ECUtil.generateECPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ECUtil.getECParameterSpec(sunECProvider,
++ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
++ .getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_DH) {
++ if (debug != null) {
++ debug.println("Importing a Diffie-Hellman private key...");
++ }
++ if (DHKF == null) {
++ DHKFLock.lock();
++ try {
++ if (DHKF == null) {
++ DHKF = KeyFactory.getInstance(
++ "DH", P11Util.getSunJceProvider());
++ }
++ } finally {
++ DHKFLock.unlock();
++ }
++ }
++ DHPrivateKeySpec spec = new DHPrivateKeySpec
++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO);
++ keyBytes = DHKF.generatePrivate(spec).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else {
++ if (debug != null) {
++ debug.println("Unrecognized private key type.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ } else if (keyClass == CKO_SECRET_KEY) {
++ if (debug != null) {
++ debug.println("Importing a secret key...");
++ }
++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
++ }
++ if (keyBytes == null || keyBytes.length == 0) {
++ if (debug != null) {
++ debug.println("Private or secret key plain bytes could" +
++ " not be obtained. Import failed.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
++ null);
++ attributes = new CK_ATTRIBUTE[attrsMap.size()];
++ attrsMap.values().toArray(attributes);
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ attributes = token.getAttributes(TemplateManager.O_IMPORT,
++ keyClass, keyType, attributes);
++ keyID = token.p11.C_UnwrapKey(hSession,
++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
++ if (debug != null) {
++ debug.println("Imported key ID: " + keyID);
++ }
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ } finally {
++ importerKey.releaseKeyID();
++ }
++ return Long.valueOf(keyID);
++ }
++
++ private static void createImporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Importer Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ try {
++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
++ Session s = null;
++ try {
++ s = token.getObjSession();
++ long keyID = token.p11.C_GenerateKey(
++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
++ attributes);
++ if (debug != null) {
++ debug.println("Importer Key ID: " + keyID);
++ }
++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
++ 256 >> 3, null);
++ } catch (PKCS11Exception e) {
++ // best effort
++ } finally {
++ token.releaseSession(s);
++ }
++ if (importerKey != null) {
++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ }
++ } catch (Throwable t) {
++ // best effort
++ importerKey = null;
++ importerCipher = null;
++ // importerKeyMechanism value is kept initialized to indicate that
++ // Importer Key creation has been tried and failed.
++ }
++ }
++}
+diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+index fedcd7743ef..f9d70863bd1 100644
+--- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -26,6 +26,9 @@
+ package sun.security.pkcs11;
+
+ import java.io.*;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.*;
+@@ -42,6 +45,8 @@ import javax.security.auth.callback.ConfirmationCallback;
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+
++import sun.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+
+@@ -58,6 +63,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
++ private static final MethodHandle fipsImportKey;
++ static {
++ MethodHandle fipsImportKeyTmp = null;
++ if (plainKeySupportEnabled) {
++ try {
++ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "importKey",
++ MethodType.methodType(Long.class, SunPKCS11.class,
++ long.class, CK_ATTRIBUTE[].class));
++ } catch (Throwable t) {
++ throw new SecurityException("FIPS key importer initialization" +
++ " failed", t);
++ }
++ }
++ fipsImportKey = fipsImportKeyTmp;
++ }
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -309,10 +337,15 @@ public final class SunPKCS11 extends AuthProvider {
+ // request multithreaded access first
+ initArgs.flags = CKF_OS_LOCKING_OK;
+ PKCS11 tmpPKCS11;
++ MethodHandle fipsKeyImporter = null;
++ if (plainKeySupportEnabled) {
++ fipsKeyImporter = MethodHandles.insertArguments(
++ fipsImportKey, 0, this);
++ }
+ try {
+ tmpPKCS11 = PKCS11.getInstance(
+ library, functionList, initArgs,
+- config.getOmitInitialize());
++ config.getOmitInitialize(), fipsKeyImporter);
+ } catch (PKCS11Exception e) {
+ if (debug != null) {
+ debug.println("Multi-threaded initialization failed: " + e);
+@@ -328,7 +361,7 @@ public final class SunPKCS11 extends AuthProvider {
+ initArgs.flags = 0;
+ }
+ tmpPKCS11 = PKCS11.getInstance(library,
+- functionList, initArgs, config.getOmitInitialize());
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
+ }
+ p11 = tmpPKCS11;
+
+@@ -368,6 +401,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
+diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 2e42d1d9fb0..1b7eed1c656 100644
+--- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -145,18 +146,41 @@ public class PKCS11 {
+ this.pkcs11ModulePath = pkcs11ModulePath;
+ }
+
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null);
++ }
++
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -1905,4 +1929,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++}
+ }
+diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+index ffee2c1603b..98119479823 100644
+--- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
++++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
+
+ import javax.net.ssl.*;
+
++import sun.misc.SharedSecrets;
++
+ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
+ X509ExtendedKeyManager keyManager;
+ boolean isInitialized;
+
+@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ KeyStoreException, NoSuchAlgorithmException,
+ UnrecoverableKeyException {
+ if ((ks != null) && SunJSSE.isFIPS()) {
+- if (ks.getProvider() != SunJSSE.cryptoProvider) {
++ if (ks.getProvider() != SunJSSE.cryptoProvider &&
++ !plainKeySupportEnabled) {
+ throw new KeyStoreException("FIPS mode: KeyStore must be "
+ + "from provider " + SunJSSE.cryptoProvider.getName());
+ }
+@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ keyManager = new X509KeyManagerImpl(
+ Collections.emptyList());
+ } else {
+- if (SunJSSE.isFIPS() &&
+- (ks.getProvider() != SunJSSE.cryptoProvider)) {
++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
++ && !plainKeySupportEnabled) {
+ throw new KeyStoreException(
+ "FIPS mode: KeyStore must be " +
+ "from provider " + SunJSSE.cryptoProvider.getName());
+diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+index cd0e9e98df9..fba760187c0 100644
+--- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
++++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+@@ -31,6 +31,7 @@ import java.security.*;
+ import java.security.cert.*;
+ import java.util.*;
+ import javax.net.ssl.*;
++import sun.misc.SharedSecrets;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.provider.certpath.AlgorithmChecker;
+ import sun.security.validator.Validator;
+@@ -539,20 +540,38 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static {
+ if (SunJSSE.isFIPS()) {
+- supportedProtocols = Arrays.asList(
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- );
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
+
+- serverDefaultProtocols = getAvailableProtocols(
+- new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- });
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ } else {
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ }
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+@@ -612,6 +631,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static ProtocolVersion[] getSupportedProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+@@ -939,6 +968,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static ProtocolVersion[] getProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[]{
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
+index 2845dc37938..52337a7b6cf 100644
+--- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
++++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
+@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+
+ import java.security.*;
+
++import sun.misc.SharedSecrets;
++
+ /**
+ * The JSSE provider.
+ *
+@@ -215,8 +217,13 @@ public abstract class SunJSSE extends java.security.Provider {
+ "sun.security.ssl.SSLContextImpl$TLS11Context");
+ put("SSLContext.TLSv1.2",
+ "sun.security.ssl.SSLContextImpl$TLS12Context");
+- put("SSLContext.TLSv1.3",
+- "sun.security.ssl.SSLContextImpl$TLS13Context");
++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ put("SSLContext.TLSv1.3",
++ "sun.security.ssl.SSLContextImpl$TLS13Context");
++ }
+ put("SSLContext.TLS",
+ "sun.security.ssl.SSLContextImpl$TLSContext");
+ if (isfips == false) {
+diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
+index d3d64b3facd..bfe0c593adb 100644
+--- a/jdk/src/share/lib/security/java.security-aix
++++ b/jdk/src/share/lib/security/java.security-aix
+@@ -287,6 +287,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
+index db610d4bfbb..9d1c8fe8a8e 100644
+--- a/jdk/src/share/lib/security/java.security-linux
++++ b/jdk/src/share/lib/security/java.security-linux
+@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider
+ security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+ security.provider.9=sun.security.smartcardio.SunPCSC
+
++#
++# Security providers used when FIPS mode support is active
++#
++fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
++fips.provider.2=sun.security.provider.Sun
++fips.provider.3=sun.security.ec.SunEC
++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
++
+ #
+ # Sun Provider SecureRandom seed source.
+ #
+@@ -170,6 +178,11 @@ policy.ignoreIdentityScope=false
+ #
+ keystore.type=jks
+
++#
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=PKCS11
++
+ #
+ # Controls compatibility mode for the JKS keystore type.
+ #
+@@ -287,6 +300,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
+index a919ba3d5cd..19047c61097 100644
+--- a/jdk/src/share/lib/security/java.security-macosx
++++ b/jdk/src/share/lib/security/java.security-macosx
+@@ -290,6 +290,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
+index 86265ba5fb6..7eda556ae13 100644
+--- a/jdk/src/share/lib/security/java.security-solaris
++++ b/jdk/src/share/lib/security/java.security-solaris
+@@ -288,6 +288,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
+index 9b4bda23cbe..dfa1a669aa9 100644
+--- a/jdk/src/share/lib/security/java.security-windows
++++ b/jdk/src/share/lib/security/java.security-windows
+@@ -290,6 +290,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c
+new file mode 100644
+index 00000000000..8dcb7d9073f
+--- /dev/null
++++ b/jdk/src/solaris/native/java/security/systemconf.c
+@@ -0,0 +1,224 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include
++#include
++#include "jvm_md.h"
++#include
++
++#ifdef SYSCONF_NSS
++#include
++#else
++#include
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in
index 1aff153..2d9ec35 100644
--- a/SOURCES/nss.fips.cfg.in
+++ b/SOURCES/nss.fips.cfg.in
@@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
diff --git a/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
deleted file mode 100644
index 5a619b4..0000000
--- a/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-
-# HG changeset patch
-# User andrew
-# Date 1478057514 0
-# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
-# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
-PR3183: Support Fedora/RHEL system crypto policy
-
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/classes/java/security/Security.java
---- openjdk/jdk/src/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
-@@ -43,6 +43,9 @@
- * implementation-specific location, which is typically the properties file
- * {@code lib/security/java.security} in the Java installation directory.
- *
-+ * Additional default values of security properties are read from a
-+ * system-specific location, if available.
-+ *
- * @author Benjamin Renaud
- */
-
-@@ -52,6 +55,10 @@
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-+ /* System property file*/
-+ private static final String SYSTEM_PROPERTIES =
-+ "/etc/crypto-policies/back-ends/java.config";
-+
- /* The java.security properties */
- private static Properties props;
-
-@@ -93,6 +100,7 @@
- if (sdebug != null) {
- sdebug.println("reading security properties file: " +
- propFile);
-+ sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
-@@ -114,6 +122,31 @@
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
-+ ("security.useSystemPropertiesFile"))) {
-+
-+ // now load the system file, if it exists, so its values
-+ // will win if they conflict with the earlier values
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+ props.load(bis);
-+ loadedProps = true;
-+
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ SYSTEM_PROPERTIES);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println
-+ ("unable to load security properties from " +
-+ SYSTEM_PROPERTIES);
-+ e.printStackTrace();
-+ }
-+ }
-+ }
-+
-+ if ("true".equalsIgnoreCase(props.getProperty
- ("security.overridePropertiesFile"))) {
-
- String extraPropFile = System.getProperty
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-aix
---- openjdk/jdk/src/share/lib/security/java.security-aix Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-aix Wed Nov 02 03:31:54 2016 +0000
-@@ -276,6 +276,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-linux
---- openjdk/jdk/src/share/lib/security/java.security-linux Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-linux Wed Nov 02 03:31:54 2016 +0000
-@@ -276,6 +276,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=true
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-macosx
---- openjdk/jdk/src/share/lib/security/java.security-macosx Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-macosx Wed Nov 02 03:31:54 2016 +0000
-@@ -279,6 +279,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-solaris
---- openjdk/jdk/src/share/lib/security/java.security-solaris Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-solaris Wed Nov 02 03:31:54 2016 +0000
-@@ -278,6 +278,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-windows
---- openjdk/jdk/src/share/lib/security/java.security-windows Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-windows Wed Nov 02 03:31:54 2016 +0000
-@@ -279,6 +279,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-
diff --git a/SOURCES/pr3655-toggle_system_crypto_policy.patch b/SOURCES/pr3655-toggle_system_crypto_policy.patch
deleted file mode 100644
index abfac45..0000000
--- a/SOURCES/pr3655-toggle_system_crypto_policy.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1545198926 0
-# Wed Dec 19 05:55:26 2018 +0000
-# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
-# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
-PR3655: Allow use of system crypto policy to be disabled by the user
-Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
-
-diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -122,31 +122,6 @@
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
-- ("security.useSystemPropertiesFile"))) {
--
-- // now load the system file, if it exists, so its values
-- // will win if they conflict with the earlier values
-- try (BufferedInputStream bis =
-- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-- props.load(bis);
-- loadedProps = true;
--
-- if (sdebug != null) {
-- sdebug.println("reading system security properties file " +
-- SYSTEM_PROPERTIES);
-- sdebug.println(props.toString());
-- }
-- } catch (IOException e) {
-- if (sdebug != null) {
-- sdebug.println
-- ("unable to load security properties from " +
-- SYSTEM_PROPERTIES);
-- e.printStackTrace();
-- }
-- }
-- }
--
-- if ("true".equalsIgnoreCase(props.getProperty
- ("security.overridePropertiesFile"))) {
-
- String extraPropFile = System.getProperty
-@@ -212,6 +187,33 @@
- }
- }
-
-+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-+ if (disableSystemProps == null &&
-+ "true".equalsIgnoreCase(props.getProperty
-+ ("security.useSystemPropertiesFile"))) {
-+
-+ // now load the system file, if it exists, so its values
-+ // will win if they conflict with the earlier values
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+ props.load(bis);
-+ loadedProps = true;
-+
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ SYSTEM_PROPERTIES);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println
-+ ("unable to load security properties from " +
-+ SYSTEM_PROPERTIES);
-+ e.printStackTrace();
-+ }
-+ }
-+ }
-+
- if (!loadedProps) {
- initializeStatic();
- if (sdebug != null) {
diff --git a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
index febd87e..eb8f255 100644
--- a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+++ b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -1,11 +1,12 @@
-diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
---- openjdk/jdk/src/share/lib/security/java.security-linux Tue May 16 13:29:05 2017 -0700
-+++ openjdk/jdk/src/share/lib/security/java.security-linux Tue Jun 06 14:05:12 2017 +0200
-@@ -74,6 +74,7 @@
+diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
+index 9d1c8fe8a8e..a80a3c12abb 100644
+--- a/jdk/src/share/lib/security/java.security-linux
++++ b/jdk/src/share/lib/security/java.security-linux
+@@ -74,6 +74,7 @@ security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
+#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
#
- # Sun Provider SecureRandom seed source.
+ # Security providers used when FIPS mode support is active
diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch
deleted file mode 100644
index 58d77b3..0000000
--- a/SOURCES/rh1655466-global_crypto_and_fips.patch
+++ /dev/null
@@ -1,208 +0,0 @@
-diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -191,27 +191,7 @@
- if (disableSystemProps == null &&
- "true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
--
-- // now load the system file, if it exists, so its values
-- // will win if they conflict with the earlier values
-- try (BufferedInputStream bis =
-- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-- props.load(bis);
-- loadedProps = true;
--
-- if (sdebug != null) {
-- sdebug.println("reading system security properties file " +
-- SYSTEM_PROPERTIES);
-- sdebug.println(props.toString());
-- }
-- } catch (IOException e) {
-- if (sdebug != null) {
-- sdebug.println
-- ("unable to load security properties from " +
-- SYSTEM_PROPERTIES);
-- e.printStackTrace();
-- }
-- }
-+ loadedProps = loadedProps && SystemConfigurator.configure(props);
- }
-
- if (!loadedProps) {
-diff --git a/src/share/classes/javopenjdk.orig/jdk/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,153 @@
-+/*
-+ * Copyright (c) 2019, Red Hat, Inc.
-+ *
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package java.security;
-+
-+import java.io.BufferedInputStream;
-+import java.io.FileInputStream;
-+import java.io.IOException;
-+
-+import java.nio.file.Files;
-+import java.nio.file.FileSystems;
-+import java.nio.file.Path;
-+
-+import java.util.Iterator;
-+import java.util.Map.Entry;
-+import java.util.Properties;
-+import java.util.function.Consumer;
-+import java.util.regex.Matcher;
-+import java.util.regex.Pattern;
-+
-+import sun.security.util.Debug;
-+
-+/**
-+ * Internal class to align OpenJDK with global crypto-policies.
-+ * Called from java.security.Security class initialization,
-+ * during startup.
-+ *
-+ */
-+
-+class SystemConfigurator {
-+
-+ private static final Debug sdebug =
-+ Debug.getInstance("properties");
-+
-+ private static final String CRYPTO_POLICIES_BASE_DIR =
-+ "/etc/crypto-policies";
-+
-+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-+
-+ private static final String CRYPTO_POLICIES_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/config";
-+
-+ private static final class SecurityProviderInfo {
-+ int number;
-+ String key;
-+ String value;
-+ SecurityProviderInfo(int number, String key, String value) {
-+ this.number = number;
-+ this.key = key;
-+ this.value = value;
-+ }
-+ }
-+
-+ /*
-+ * Invoked when java.security.Security class is initialized, if
-+ * java.security.disableSystemPropertiesFile property is not set and
-+ * security.useSystemPropertiesFile is true.
-+ */
-+ static boolean configure(Properties props) {
-+ boolean loadedProps = false;
-+
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(
-+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
-+ props.load(bis);
-+ loadedProps = true;
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties from " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ e.printStackTrace();
-+ }
-+ }
-+
-+ try {
-+ if (enableFips()) {
-+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-+ loadedProps = false;
-+ // Remove all security providers
-+ Iterator> i = props.entrySet().iterator();
-+ while (i.hasNext()) {
-+ Entry e = i.next();
-+ if (((String) e.getKey()).startsWith("security.provider")) {
-+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
-+ i.remove();
-+ }
-+ }
-+ // Add FIPS security providers
-+ String fipsProviderValue = null;
-+ for (int n = 1;
-+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
-+ String fipsProviderKey = "security.provider." + n;
-+ if (sdebug != null) {
-+ sdebug.println("Adding provider " + n + ": " +
-+ fipsProviderKey + "=" + fipsProviderValue);
-+ }
-+ props.put(fipsProviderKey, fipsProviderValue);
-+ }
-+ loadedProps = true;
-+ }
-+ } catch (Exception e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load FIPS configuration");
-+ e.printStackTrace();
-+ }
-+ }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * FIPS is enabled only if crypto-policies are set to "FIPS"
-+ * and the com.redhat.fips property is true.
-+ */
-+ private static boolean enableFips() throws Exception {
-+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (fipsEnabled) {
-+ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
-+ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
-+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-+ return pattern.matcher(cryptoPoliciesConfig).find();
-+ } else {
-+ return false;
-+ }
-+ }
-+}
-diff --git openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux
---- openjdk.orig/jdk/src/share/lib/security/java.security-linux
-+++ openjdk/jdk/src/share/lib/security/java.security-linux
-@@ -77,6 +77,14 @@
- #security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
-
- #
-+# Security providers used when global crypto-policies are set to FIPS.
-+#
-+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
-+fips.provider.2=sun.security.provider.Sun
-+fips.provider.3=sun.security.ec.SunEC
-+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
-+
-+#
- # Sun Provider SecureRandom seed source.
- #
- # Select the primary source of seed data for the "SHA1PRNG" and
diff --git a/SOURCES/rh1760838-fips_default_keystore_type.patch b/SOURCES/rh1760838-fips_default_keystore_type.patch
deleted file mode 100644
index bedc8ea..0000000
--- a/SOURCES/rh1760838-fips_default_keystore_type.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
-@@ -123,6 +123,33 @@
- }
- props.put(fipsProviderKey, fipsProviderValue);
- }
-+ // Add other security properties
-+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+ if (keystoreTypeValue != null) {
-+ String nonFipsKeystoreType = props.getProperty("keystore.type");
-+ props.put("keystore.type", keystoreTypeValue);
-+ if (keystoreTypeValue.equals("PKCS11")) {
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ }
-+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+ // If no trustStoreType has been set, use the
-+ // previous keystore.type under FIPS mode. In
-+ // a default configuration, the Trust Store will
-+ // be 'cacerts' (JKS type).
-+ System.setProperty("javax.net.ssl.trustStoreType",
-+ nonFipsKeystoreType);
-+ }
-+ if (sdebug != null) {
-+ sdebug.println("FIPS mode default keystore.type = " +
-+ keystoreTypeValue);
-+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+ System.getProperty("javax.net.ssl.keyStore", ""));
-+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+ System.getProperty("javax.net.ssl.trustStoreType", ""));
-+ }
-+ }
- loadedProps = true;
- }
- } catch (Exception e) {
-diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
---- openjdk.orig/jdk/src/share/lib/security/java.security-linux Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/jdk/src/share/lib/security/java.security-linux Mon Mar 02 19:20:17 2020 -0300
-@@ -179,6 +179,11 @@
- keystore.type=jks
-
- #
-+# Default keystore type used when global crypto-policies are set to FIPS.
-+#
-+fips.keystore.type=PKCS11
-+
-+#
- # Controls compatibility mode for the JKS keystore type.
- #
- # When set to 'true', the JKS keystore type supports loading
diff --git a/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
deleted file mode 100644
index 91e3705..0000000
--- a/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
+++ /dev/null
@@ -1,327 +0,0 @@
-diff -r bbc65dfa59d1 src/share/classes/java/security/SystemConfigurator.java
---- openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
-@@ -1,11 +1,13 @@
- /*
-- * Copyright (c) 2019, Red Hat, Inc.
-+ * Copyright (c) 2019, 2020, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
-- * published by the Free Software Foundation.
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-@@ -34,10 +36,10 @@
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.function.Consumer;
--import java.util.regex.Matcher;
- import java.util.regex.Pattern;
-
-+import sun.misc.SharedSecrets;
-+import sun.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
-
- /**
-@@ -47,7 +49,7 @@
- *
- */
-
--class SystemConfigurator {
-+final class SystemConfigurator {
-
- private static final Debug sdebug =
- Debug.getInstance("properties");
-@@ -61,15 +63,16 @@
- private static final String CRYPTO_POLICIES_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/config";
-
-- private static final class SecurityProviderInfo {
-- int number;
-- String key;
-- String value;
-- SecurityProviderInfo(int number, String key, String value) {
-- this.number = number;
-- this.key = key;
-- this.value = value;
-- }
-+ private static boolean systemFipsEnabled = false;
-+
-+ static {
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ });
- }
-
- /*
-@@ -128,9 +131,9 @@
- String nonFipsKeystoreType = props.getProperty("keystore.type");
- props.put("keystore.type", keystoreTypeValue);
- if (keystoreTypeValue.equals("PKCS11")) {
-- // If keystore.type is PKCS11, javax.net.ssl.keyStore
-- // must be "NONE". See JDK-8238264.
-- System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
- }
- if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
- // If no trustStoreType has been set, use the
-@@ -144,12 +147,13 @@
- sdebug.println("FIPS mode default keystore.type = " +
- keystoreTypeValue);
- sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-- System.getProperty("javax.net.ssl.keyStore", ""));
-+ System.getProperty("javax.net.ssl.keyStore", ""));
- sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
- System.getProperty("javax.net.ssl.trustStoreType", ""));
- }
- }
- loadedProps = true;
-+ systemFipsEnabled = true;
- }
- } catch (Exception e) {
- if (sdebug != null) {
-@@ -165,20 +165,37 @@
- return loadedProps;
- }
-
-+ /**
-+ * Returns whether or not global system FIPS alignment is enabled.
-+ *
-+ * Value is always 'false' before java.security.Security class is
-+ * initialized.
-+ *
-+ * Call from out of this package through SharedSecrets:
-+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ * .isSystemFipsEnabled();
-+ *
-+ * @return a boolean value indicating whether or not global
-+ * system FIPS alignment is enabled.
-+ */
-+ static boolean isSystemFipsEnabled() {
-+ return systemFipsEnabled;
-+ }
-+
- /*
- * FIPS is enabled only if crypto-policies are set to "FIPS"
- * and the com.redhat.fips property is true.
- */
- private static boolean enableFips() throws Exception {
-- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-- if (fipsEnabled) {
-- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
-- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
-- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-- return pattern.matcher(cryptoPoliciesConfig).find();
-- } else {
-- return false;
-- }
-+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (shouldEnable) {
-+ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
-+ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
-+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-+ return pattern.matcher(cryptoPoliciesConfig).find();
-+ } else {
-+ return false;
-+ }
- }
- }
-diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
-@@ -0,0 +1,30 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.misc;
-+
-+public interface JavaSecuritySystemConfiguratorAccess {
-+ boolean isSystemFipsEnabled();
-+}
-diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
---- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
-+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
-@@ -63,6 +63,7 @@
- private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
- private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
- private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
-+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
-
- public static JavaUtilJarAccess javaUtilJarAccess() {
- if (javaUtilJarAccess == null) {
-@@ -248,4 +249,12 @@
- }
- return javaxCryptoSealedObjectAccess;
- }
-+
-+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
-+ javaSecuritySystemConfiguratorAccess = jssca;
-+ }
-+
-+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ return javaSecuritySystemConfiguratorAccess;
-+ }
- }
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-@@ -31,6 +31,7 @@
- import java.security.cert.*;
- import java.util.*;
- import javax.net.ssl.*;
-+import sun.misc.SharedSecrets;
- import sun.security.action.GetPropertyAction;
- import sun.security.provider.certpath.AlgorithmChecker;
- import sun.security.validator.Validator;
-@@ -539,20 +540,38 @@
-
- static {
- if (SunJSSE.isFIPS()) {
-- supportedProtocols = Arrays.asList(
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- );
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-
-- serverDefaultProtocols = getAvailableProtocols(
-- new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- });
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ } else {
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ }
- } else {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
-@@ -612,6 +631,16 @@
-
- static ProtocolVersion[] getSupportedProtocols() {
- if (SunJSSE.isFIPS()) {
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ return new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- return new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
-@@ -939,6 +968,16 @@
-
- static ProtocolVersion[] getProtocols() {
- if (SunJSSE.isFIPS()) {
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ return new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- return new ProtocolVersion[]{
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-@@ -30,6 +30,8 @@
-
- import java.security.*;
-
-+import sun.misc.SharedSecrets;
-+
- /**
- * The JSSE provider.
- *
-@@ -215,8 +217,13 @@
- "sun.security.ssl.SSLContextImpl$TLS11Context");
- put("SSLContext.TLSv1.2",
- "sun.security.ssl.SSLContextImpl$TLS12Context");
-- put("SSLContext.TLSv1.3",
-- "sun.security.ssl.SSLContextImpl$TLS13Context");
-+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ put("SSLContext.TLSv1.3",
-+ "sun.security.ssl.SSLContextImpl$TLS13Context");
-+ }
- put("SSLContext.TLS",
- "sun.security.ssl.SSLContextImpl$TLSContext");
- if (isfips == false) {
diff --git a/SOURCES/rh1906862-always_initialise_configurator_access.patch b/SOURCES/rh1906862-always_initialise_configurator_access.patch
deleted file mode 100644
index 82116ad..0000000
--- a/SOURCES/rh1906862-always_initialise_configurator_access.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1608219816 0
-# Thu Dec 17 15:43:36 2020 +0000
-# Node ID db5d1b28bfce04352b3a48960bf836f6eb20804b
-# Parent a2cfa397150e99b813354226d536eb8509b5850b
-RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
-
-diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -30,6 +30,8 @@
- import java.util.concurrent.ConcurrentHashMap;
- import java.io.*;
- import java.net.URL;
-+import sun.misc.SharedSecrets;
-+import sun.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
- import sun.security.util.PropertyExpander;
-
-@@ -69,6 +71,15 @@
- }
-
- static {
-+ // Initialise here as used by code with system properties disabled
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ });
-+
- // doPrivileged here because there are multiple
- // things in initialize that might require privs.
- // (the FileInputStream call and the File.exists call,
-diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -39,8 +39,6 @@
- import java.util.Properties;
- import java.util.regex.Pattern;
-
--import sun.misc.SharedSecrets;
--import sun.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
-
- /**
-@@ -66,16 +64,6 @@
-
- private static boolean systemFipsEnabled = false;
-
-- static {
-- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-- new JavaSecuritySystemConfiguratorAccess() {
-- @Override
-- public boolean isSystemFipsEnabled() {
-- return SystemConfigurator.isSystemFipsEnabled();
-- }
-- });
-- }
--
- /*
- * Invoked when java.security.Security class is initialized, if
- * java.security.disableSystemPropertiesFile property is not set and
diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch b/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch
deleted file mode 100644
index 1461be8..0000000
--- a/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch
+++ /dev/null
@@ -1,344 +0,0 @@
-diff --git openjdk.orig/jdk/make/lib/SecurityLibraries.gmk openjdk/jdk/make/lib/SecurityLibraries.gmk
---- openjdk.orig/jdk/make/lib/SecurityLibraries.gmk
-+++ openjdk/jdk/make/lib/SecurityLibraries.gmk
-@@ -289,3 +289,34 @@
-
- endif
- endif
-+
-+################################################################################
-+# Create the systemconf library
-+
-+LIBSYSTEMCONF_CFLAGS :=
-+LIBSYSTEMCONF_CXXFLAGS :=
-+
-+ifeq ($(USE_SYSCONF_NSS), true)
-+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+endif
-+
-+ifeq ($(OPENJDK_BUILD_OS), linux)
-+ $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \
-+ LIBRARY := systemconf, \
-+ OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
-+ SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \
-+ LANG := C, \
-+ OPTIMIZATION := LOW, \
-+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
-+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
-+ MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \
-+ LDFLAGS := $(LDFLAGS_JDKLIB) \
-+ $(call SET_SHARED_LIBRARY_ORIGIN), \
-+ LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \
-+ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \
-+ DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
-+
-+ BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)
-+endif
-+
-diff --git openjdk.orig/jdk/make/mapfiles/libsystemconf/mapfile-vers openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
-@@ -0,0 +1,35 @@
-+#
-+# Copyright (c) 2021, Red Hat, Inc.
-+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+#
-+# This code is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License version 2 only, as
-+# published by the Free Software Foundation. Oracle designates this
-+# particular file as subject to the "Classpath" exception as provided
-+# by Oracle in the LICENSE file that accompanied this code.
-+#
-+# This code is distributed in the hope that it will be useful, but WITHOUT
-+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+# version 2 for more details (a copy is included in the LICENSE file that
-+# accompanied this code).
-+#
-+# You should have received a copy of the GNU General Public License version
-+# 2 along with this work; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+# or visit www.oracle.com if you need additional information or have any
-+# questions.
-+#
-+
-+# Define public interface.
-+
-+SUNWprivate_1.1 {
-+ global:
-+ DEF_JNI_OnLoad;
-+ DEF_JNI_OnUnLoad;
-+ Java_java_security_SystemConfigurator_getSystemFIPSEnabled;
-+ local:
-+ *;
-+};
-diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2019, 2020, Red Hat, Inc.
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
-@@ -30,14 +30,9 @@
- import java.io.FileInputStream;
- import java.io.IOException;
-
--import java.nio.file.Files;
--import java.nio.file.FileSystems;
--import java.nio.file.Path;
--
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.regex.Pattern;
-
- import sun.security.util.Debug;
-
-@@ -59,10 +54,21 @@
- private static final String CRYPTO_POLICIES_JAVA_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
-- private static final String CRYPTO_POLICIES_CONFIG =
-- CRYPTO_POLICIES_BASE_DIR + "/config";
-+ private static boolean systemFipsEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-
-- private static boolean systemFipsEnabled = false;
-+ static {
-+ AccessController.doPrivileged(new PrivilegedAction() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-
- /*
- * Invoked when java.security.Security class is initialized, if
-@@ -171,17 +177,34 @@
- }
-
- /*
-- * FIPS is enabled only if crypto-policies are set to "FIPS"
-- * and the com.redhat.fips property is true.
-+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-+ * system property is true (default) and the system is in FIPS mode.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
- */
-- private static boolean enableFips() throws Exception {
-+ private static boolean enableFips() throws IOException {
- boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (shouldEnable) {
-- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
-- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
-- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-- return pattern.matcher(cryptoPoliciesConfig).find();
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ shouldEnable = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + shouldEnable);
-+ }
-+ return shouldEnable;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
- } else {
- return false;
- }
-diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
-@@ -0,0 +1,168 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+
-+#ifdef SYSCONF_NSS
-+#include
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+#define MSG_MAX_SIZE 96
-+
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void throwIOException(JNIEnv *env, const char *msg);
-+static void dbgPrint(JNIEnv *env, const char* msg);
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+#ifdef SYSCONF_NSS
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " SECMOD_GetSystemFIPSEnabled return value");
-+ }
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+
-+#else // SYSCONF_NSS
-+
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " read character");
-+ }
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+
-+#endif // SYSCONF_NSS
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch b/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch
deleted file mode 100644
index 64d8ac0..0000000
--- a/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-diff --git openjdk.orig/common/autoconf/configure.ac openjdk/common/autoconf/configure.ac
---- openjdk.orig/common/autoconf/configure.ac
-+++ openjdk/common/autoconf/configure.ac
-@@ -212,6 +212,7 @@
- LIB_SETUP_ALSA
- LIB_SETUP_FONTCONFIG
- LIB_SETUP_MISC_LIBS
-+LIB_SETUP_SYSCONF_LIBS
- LIB_SETUP_STATIC_LINK_LIBSTDCPP
- LIB_SETUP_ON_WINDOWS
-
-diff --git openjdk.orig/common/autoconf/libraries.m4 openjdk/common/autoconf/libraries.m4
---- openjdk.orig/common/autoconf/libraries.m4
-+++ openjdk/common/autoconf/libraries.m4
-@@ -1067,3 +1067,63 @@
- BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
- fi
- ])
-+
-+################################################################################
-+# Setup system configuration libraries
-+################################################################################
-+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
-+[
-+ ###############################################################################
-+ #
-+ # Check for the NSS library
-+ #
-+
-+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
-+
-+ # default is not available
-+ DEFAULT_SYSCONF_NSS=no
-+
-+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
-+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
-+ [
-+ case "${enableval}" in
-+ yes)
-+ sysconf_nss=yes
-+ ;;
-+ *)
-+ sysconf_nss=no
-+ ;;
-+ esac
-+ ],
-+ [
-+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
-+ ])
-+ AC_MSG_RESULT([$sysconf_nss])
-+
-+ USE_SYSCONF_NSS=false
-+ if test "x${sysconf_nss}" = "xyes"; then
-+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
-+ if test "x${NSS_FOUND}" = "xyes"; then
-+ AC_MSG_CHECKING([for system FIPS support in NSS])
-+ saved_libs="${LIBS}"
-+ saved_cflags="${CFLAGS}"
-+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
-+ LIBS="${LIBS} ${NSS_LIBS}"
-+ AC_LANG_PUSH([C])
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
-+ [[SECMOD_GetSystemFIPSEnabled()]])],
-+ [AC_MSG_RESULT([yes])],
-+ [AC_MSG_RESULT([no])
-+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
-+ AC_LANG_POP([C])
-+ CFLAGS="${saved_cflags}"
-+ LIBS="${saved_libs}"
-+ USE_SYSCONF_NSS=true
-+ else
-+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
-+ dnl in nss3/pk11pub.h.
-+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
-+ fi
-+ fi
-+ AC_SUBST(USE_SYSCONF_NSS)
-+])
-diff --git openjdk.orig/common/autoconf/spec.gmk.in openjdk/common/autoconf/spec.gmk.in
---- openjdk.orig/common/autoconf/spec.gmk.in
-+++ openjdk/common/autoconf/spec.gmk.in
-@@ -312,6 +312,10 @@
- ALSA_LIBS:=@ALSA_LIBS@
- ALSA_CFLAGS:=@ALSA_CFLAGS@
-
-+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
-+NSS_LIBS:=@NSS_LIBS@
-+NSS_CFLAGS:=@NSS_CFLAGS@
-+
- PACKAGE_PATH=@PACKAGE_PATH@
-
- # Source file for cacerts
-diff --git openjdk.orig/common/bin/compare_exceptions.sh.incl openjdk/common/bin/compare_exceptions.sh.incl
---- openjdk.orig/common/bin/compare_exceptions.sh.incl
-+++ openjdk/common/bin/compare_exceptions.sh.incl
-@@ -280,6 +280,7 @@
- ./jre/lib/i386/libsplashscreen.so
- ./jre/lib/i386/libsunec.so
- ./jre/lib/i386/libsunwjdga.so
-+./jre/lib/i386/libsystemconf.so
- ./jre/lib/i386/libt2k.so
- ./jre/lib/i386/libunpack.so
- ./jre/lib/i386/libverify.so
-@@ -433,6 +434,7 @@
- ./jre/lib/amd64/libsplashscreen.so
- ./jre/lib/amd64/libsunec.so
- ./jre/lib/amd64/libsunwjdga.so
-+//jre/lib/amd64/libsystemconf.so
- ./jre/lib/amd64/libt2k.so
- ./jre/lib/amd64/libunpack.so
- ./jre/lib/amd64/libverify.so
-@@ -587,6 +589,7 @@
- ./jre/lib/sparc/libsplashscreen.so
- ./jre/lib/sparc/libsunec.so
- ./jre/lib/sparc/libsunwjdga.so
-+./jre/lib/sparc/libsystemconf.so
- ./jre/lib/sparc/libt2k.so
- ./jre/lib/sparc/libunpack.so
- ./jre/lib/sparc/libverify.so
-@@ -741,6 +744,7 @@
- ./jre/lib/sparcv9/libsplashscreen.so
- ./jre/lib/sparcv9/libsunec.so
- ./jre/lib/sparcv9/libsunwjdga.so
-+./jre/lib/sparcv9/libsystemconf.so
- ./jre/lib/sparcv9/libt2k.so
- ./jre/lib/sparcv9/libunpack.so
- ./jre/lib/sparcv9/libverify.so
-diff --git openjdk.orig/common/nb_native/nbproject/configurations.xml openjdk/common/nb_native/nbproject/configurations.xml
---- openjdk.orig/common/nb_native/nbproject/configurations.xml
-+++ openjdk/common/nb_native/nbproject/configurations.xml
-@@ -53,6 +53,9 @@
- jvmtiEnterTrace.cpp
-
-
-+
-+ systemconf.c
-+
-
-
-
-@@ -12772,6 +12775,11 @@
- tool="0"
- flavor2="0">
-
-+ -
-+
- - attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = P11ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_DH) {
-+ if (debug != null) {
-+ debug.println("Importing a Diffie-Hellman private key...");
-+ }
-+ if (DHKF == null) {
-+ DHKFLock.lock();
-+ try {
-+ if (DHKF == null) {
-+ DHKF = KeyFactory.getInstance(
-+ "DH", P11Util.getSunJceProvider());
-+ }
-+ } finally {
-+ DHKFLock.unlock();
-+ }
-+ }
-+ DHPrivateKeySpec spec = new DHPrivateKeySpec
-+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO);
-+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
-+ null);
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ }
-+ }
-+}
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -63,6 +66,26 @@
- private static final boolean systemFipsEnabled = SharedSecrets
- .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer initialization" +
-+ " failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ }
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -314,10 +337,15 @@
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+ config.getOmitInitialize(), fipsKeyImporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -333,7 +361,7 @@
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
- }
- p11 = tmpPKCS11;
-
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,7 @@
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -147,16 +148,28 @@
-
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -1905,4 +1918,69 @@
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
- }
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+}
-+}
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-@@ -33,8 +33,13 @@
-
- import javax.net.ssl.*;
-
-+import sun.misc.SharedSecrets;
-+
- abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
- X509ExtendedKeyManager keyManager;
- boolean isInitialized;
-
-@@ -62,7 +67,8 @@
- KeyStoreException, NoSuchAlgorithmException,
- UnrecoverableKeyException {
- if ((ks != null) && SunJSSE.isFIPS()) {
-- if (ks.getProvider() != SunJSSE.cryptoProvider) {
-+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
-+ !plainKeySupportEnabled) {
- throw new KeyStoreException("FIPS mode: KeyStore must be "
- + "from provider " + SunJSSE.cryptoProvider.getName());
- }
-@@ -91,8 +97,8 @@
- keyManager = new X509KeyManagerImpl(
- Collections.
emptyList());
- } else {
-- if (SunJSSE.isFIPS() &&
-- (ks.getProvider() != SunJSSE.cryptoProvider)) {
-+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
-+ && !plainKeySupportEnabled) {
- throw new KeyStoreException(
- "FIPS mode: KeyStore must be " +
- "from provider " + SunJSSE.cryptoProvider.getName());
diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch
deleted file mode 100644
index 341e092..0000000
--- a/SOURCES/rh1996182-login_to_nss_software_token.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-# HG changeset patch
-# User mbalao
-# Date 1630103180 -3600
-# Fri Aug 27 23:26:20 2021 +0100
-# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
-# Parent c90394a76ee02a689f95199559d5724824b4b25e
-RH1996182: Login to the NSS Software Token in FIPS Mode
-
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -42,6 +42,8 @@
- import javax.security.auth.callback.PasswordCallback;
- import javax.security.auth.callback.TextOutputCallback;
-
-+import sun.misc.SharedSecrets;
-+
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
-
-@@ -58,6 +60,9 @@
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -368,6 +373,24 @@
- if (nssModule != null) {
- nssModule.setProvider(this);
- }
-+ if (systemFipsEnabled) {
-+ // The NSS Software Token in FIPS 140-2 mode requires a user
-+ // login for most operations. See sftk_fipsCheck. The NSS DB
-+ // (/etc/pki/nssdb) PIN is empty.
-+ Session session = null;
-+ try {
-+ session = token.getOpSession();
-+ p11.C_Login(session.id(), CKU_USER, new char[] {});
-+ } catch (PKCS11Exception p11e) {
-+ if (debug != null) {
-+ debug.println("Error during token login: " +
-+ p11e.getMessage());
-+ }
-+ throw p11e;
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
- } catch (Exception e) {
- if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
- throw new UnsupportedOperationException
diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch
deleted file mode 100644
index 5aa9ec7..0000000
--- a/SOURCES/rh2021263-fips_ensure_security_initialised.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit 06c2decab204fcce5aca2d285953fcac1820b1ae
-Author: Andrew John Hughes
-Date: Mon Jan 24 01:23:28 2022 +0000
-
- RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
-
-diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
-index 40ca609e02..0dafe6f59c 100644
---- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
-+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
-@@ -31,6 +31,7 @@ import java.io.Console;
- import java.io.FileDescriptor;
- import java.io.ObjectInputStream;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
-
- import java.security.AccessController;
-@@ -255,6 +256,9 @@ public class SharedSecrets {
- }
-
- public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ unsafe.ensureClassInitialized(Security.class);
-+ }
- return javaSecuritySystemConfiguratorAccess;
- }
- }
diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch
deleted file mode 100644
index 90cc44e..0000000
--- a/SOURCES/rh2021263-fips_missing_native_returns.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-commit 7f58a05104138ebdfd3b7b968ed67ea4c8573073
-Author: Fridrich Strba
-Date: Mon Jan 24 01:10:57 2022 +0000
-
- RH2021263: Return in C code after having generated Java exception
-
-diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
-index 6f4656bfcb..34d0ff0ce9 100644
---- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
-+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
-@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
deleted file mode 100644
index e237841..0000000
--- a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-commit aaf92165ad1cbb1c9818eb60178c91293e13b053
-Author: Andrew John Hughes
-Date: Mon Jan 24 15:13:14 2022 +0000
-
- RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
-
-diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
-index fa494b680f..b5aa5c749d 100644
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -57,10 +57,6 @@ public final class Security {
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-- /* System property file*/
-- private static final String SYSTEM_PROPERTIES =
-- "/etc/crypto-policies/back-ends/java.config";
--
- /* The java.security properties */
- private static Properties props;
-
-@@ -202,13 +198,6 @@ public final class Security {
- }
- }
-
-- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-- if (disableSystemProps == null &&
-- "true".equalsIgnoreCase(props.getProperty
-- ("security.useSystemPropertiesFile"))) {
-- loadedProps = loadedProps && SystemConfigurator.configure(props);
-- }
--
- if (!loadedProps) {
- initializeStatic();
- if (sdebug != null) {
-@@ -217,6 +206,28 @@ public final class Security {
- }
- }
-
-+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
-+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-+ if (!SystemConfigurator.configureSysProps(props)) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System properties could not be loaded.");
-+ }
-+ }
-+ }
-+
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
-+ if (sdebug != null) {
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS support enabled.");
-+ } else {
-+ sdebug.println("FIPS support disabled.");
-+ }
-+ }
-+ }
- }
-
- /*
-diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-index d1f677597d..7da65b1d2c 100644
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -76,7 +76,7 @@ final class SystemConfigurator {
- * java.security.disableSystemPropertiesFile property is not set and
- * security.useSystemPropertiesFile is true.
- */
-- static boolean configure(Properties props) {
-+ static boolean configureSysProps(Properties props) {
- boolean loadedProps = false;
-
- try (BufferedInputStream bis =
-@@ -96,11 +96,19 @@ final class SystemConfigurator {
- e.printStackTrace();
- }
- }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-
- try {
- if (enableFips()) {
- if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-- loadedProps = false;
- // Remove all security providers
- Iterator> i = props.entrySet().iterator();
- while (i.hasNext()) {
diff --git a/SOURCES/rh2052829-fips_runtime_nss_detection.patch b/SOURCES/rh2052829-fips_runtime_nss_detection.patch
deleted file mode 100644
index 52a7803..0000000
--- a/SOURCES/rh2052829-fips_runtime_nss_detection.patch
+++ /dev/null
@@ -1,220 +0,0 @@
-commit 820d1b1b23be6ea2fd34c687a1be384e7a9830e2
-Author: Andrew John Hughes
-Date: Mon Feb 28 05:50:10 2022 +0000
-
- RH2051605: Detect NSS at Runtime for FIPS detection
-
-diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
-index 34d0ff0ce9..8dcb7d9073 100644
---- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
-+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
-@@ -23,25 +23,99 @@
- * questions.
- */
-
--#include
- #include
- #include
-+#include "jvm_md.h"
- #include
-
- #ifdef SYSCONF_NSS
- #include
-+#else
-+#include
- #endif //SYSCONF_NSS
-
- #include "java_security_SystemConfigurator.h"
-
-+#define MSG_MAX_SIZE 256
- #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
--#define MSG_MAX_SIZE 96
-
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
- static jmethodID debugPrintlnMethodID = NULL;
- static jobject debugObj = NULL;
-
--static void throwIOException(JNIEnv *env, const char *msg);
--static void dbgPrint(JNIEnv *env, const char* msg);
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ dlerror(); /* Clear errors */
-+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+ if ((errmsg = dlerror()) != NULL) {
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ if (dlclose(nss_handle) != 0) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ }
-+}
-+
-+#endif
-
- /*
- * Class: java_security_SystemConfigurator
-@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
- debugObj = (*env)->NewGlobalRef(env, debugObj);
- }
-
-+#ifdef SYSCONF_NSS
-+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+ if (loadNSS(env) == JNI_FALSE) {
-+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+ }
-+#endif
-+
- return (*env)->GetVersion(env);
- }
-
-@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
- if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
- return; /* Should not happen */
- }
-+#ifndef SYSCONF_NSS
-+ closeNSS(env);
-+#endif
- (*env)->DeleteGlobalRef(env, debugObj);
- }
- }
-@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- char msg[MSG_MAX_SIZE];
- int msg_bytes;
-
--#ifdef SYSCONF_NSS
--
-- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-- fips_enabled = SECMOD_GetSystemFIPSEnabled();
-- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-- dbgPrint(env, msg);
-+ if (getSystemFIPSEnabled != NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = (*getSystemFIPSEnabled)();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
- } else {
-- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-- " SECMOD_GetSystemFIPSEnabled return value");
-- }
-- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
--
--#else // SYSCONF_NSS
-+ FILE *fe;
-
-- FILE *fe;
--
-- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
- return JNI_FALSE;
-- }
-- fips_enabled = fgetc(fe);
-- fclose(fe);
-- if (fips_enabled == EOF) {
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
- return JNI_FALSE;
-- }
-- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-- " read character is '%c'", fips_enabled);
-- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-- dbgPrint(env, msg);
-- } else {
-- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-- " read character");
-- }
-- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
--
--#endif // SYSCONF_NSS
--}
--
--static void throwIOException(JNIEnv *env, const char *msg)
--{
-- jclass cls = (*env)->FindClass(env, "java/io/IOException");
-- if (cls != 0)
-- (*env)->ThrowNew(env, cls, msg);
--}
--
--static void dbgPrint(JNIEnv *env, const char* msg)
--{
-- jstring jMsg;
-- if (debugObj != NULL) {
-- jMsg = (*env)->NewStringUTF(env, msg);
-- CHECK_NULL(jMsg);
-- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
- }
- }
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec
index c362a69..60b012d 100644
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@@ -280,6 +280,8 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 3.15.0
+# Define current Git revision for the FIPS support patches
+%global fipsver 8e8bbf0ff74
# Standard JPackage naming and versioning defines
%global origin openjdk
@@ -307,9 +309,10 @@
%endif
# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
-%global shenandoah_project openjdk
-%global shenandoah_repo shenandoah-jdk8u
-%global shenandoah_revision shenandoah-jdk8u332-b09
+%global shenandoah_project openjdk
+%global shenandoah_repo shenandoah-jdk8u
+%global openjdk_revision jdk8u342-b07
+%global shenandoah_revision shenandoah-%{openjdk_revision}
# Define old aarch64/jdk8u tree variables for compatibility
%global project %{shenandoah_project}
%global repo %{shenandoah_repo}
@@ -1208,8 +1211,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zoneinfo data provided by tzdata-java subpackage.
-# 2021e required as of JDK-8275766 in January 2022 CPU
-Requires: tzdata-java >= 2021e
+# 2022a required as of JDK-8283350 in 8u342
+Requires: tzdata-java >= 2022a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1220,6 +1223,8 @@ Requires: copy-jdk-configs >= 4.0
OrderWithRequires: copy-jdk-configs
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@@ -1404,32 +1409,29 @@ Source101: config.sub
Patch534: rh1648246-always_instruct_vm_to_assume_multiple_processors_are_available.patch
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
Patch1003: rh1582504-rsa_default_for_keytool.patch
-
-# FIPS support patches
# RH1648249: Add PKCS11 provider to java.security
Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips
+# as follows: git diff %%{openjdk_revision} common jdk > fips-8u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3183, RH1340845: Support Fedora/RHEL8 system crypto policy
+# PR3655: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
-Patch1001: rh1655466-global_crypto_and_fips.patch
# RH1760838: No ciphersuites available for SSLSocket in FIPS mode
-Patch1002: rh1760838-fips_default_keystore_type.patch
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
-Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
-Patch1005: rh1906862-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
-Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
-Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
# RH1996182: Login to the NSS software token in FIPS mode
-Patch1008: rh1996182-login_to_nss_software_token.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
-Patch1011: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues
-Patch1014: rh2021263-fips_ensure_security_initialised.patch
-Patch1015: rh2021263-fips_missing_native_returns.patch
# RH2052819: Fix FIPS reliance on crypto policies
-Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
# RH2052829: Detect NSS at Runtime for FIPS detection
-Patch1017: rh2052829-fips_runtime_nss_detection.patch
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+Patch1001: fips-8u-%{fipsver}.patch
#############################################
#
@@ -1452,10 +1454,6 @@ Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_t
# PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
# PR3575, RH1567204: System cacerts database handling should not affect jssecacerts
Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch
-# PR3183, RH1340845: Support Fedora/RHEL8 system crypto policy
-Patch400: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
-# PR3655: Allow use of system crypto policy to be disabled by the user
-Patch401: pr3655-toggle_system_crypto_policy.patch
# enable build of speculative store bypass hardened alt-java
Patch600: rh1750419-redhat_alt_java.patch
# JDK-8218811: replace open by os::open in hotspot coding
@@ -1582,6 +1580,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -1592,8 +1592,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2021e required as of JDK-8275766 in January 2022 CPU
-BuildRequires: tzdata-java >= 2021e
+# 2022a required as of JDK-8283350 in 8u342
+BuildRequires: tzdata-java >= 2022a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1862,10 +1862,6 @@ sh %{SOURCE12}
%patch203
%patch204
-# System security policy fixes
-%patch400
-%patch401
-
%patch5
# s390 build fixes
@@ -1892,23 +1888,17 @@ sh %{SOURCE12}
%patch581
%patch113
+pushd %{top_level_dir_name}
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch1000 -p1
+popd
+
# RPM-only fixes
%patch539
%patch600
-%patch1000
-%patch1001
-%patch1002
%patch1003
-%patch1004
-%patch1005
-%patch1006
-%patch1007
-%patch1008
-%patch1011
-%patch1014
-%patch1015
-%patch1016
-%patch1017
# RHEL-only patches
%if ! 0%{?fedora} && 0%{?rhel} <= 7
@@ -2103,6 +2093,30 @@ function installjdk() {
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
find ${imagepath}/bin/ -exec chmod +x {} \;
+
+ # Install nss.cfg right away as we will be using the JRE above
+ install -m 644 nss.cfg ${imagepath}/jre/lib/security/
+
+ # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+ install -m 644 nss.fips.cfg ${imagepath}/jre/lib/security/
+
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/jre/lib/security/java.security
+
+ # Use system-wide tzdata
+ rm ${imagepath}/jre/lib/tzdb.dat
+ ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat
+
+ # add alt-java man page
+ pushd ${imagepath}
+ echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+ popd
+
+ # Print release information
+ cat ${imagepath}/release
+
fi
}
@@ -2151,25 +2165,6 @@ else
installjdk ${builddir} ${installdir}
fi
-# Install nss.cfg right away as we will be using the JRE above
-export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage}
-
-# Install nss.cfg right away as we will be using the JRE above
-install -m 644 nss.cfg $JAVA_HOME/jre/lib/security/
-
-# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
-install -m 644 nss.fips.cfg $JAVA_HOME/jre/lib/security/
-
-# Use system-wide tzdata
-rm $JAVA_HOME/jre/lib/tzdb.dat
-ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/jre/lib/tzdb.dat
-
-# add alt-java man page
-pushd ${JAVA_HOME}
-echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
-cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
-popd
-
# build cycles
done
@@ -2188,9 +2183,14 @@ $JAVA_HOME/bin/java TestCryptoLevel
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-# Check system crypto (policy) can be disabled
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
-$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@@ -2658,6 +2658,33 @@ cjc.mainProgram(args)
%endif
%changelog
+* Mon Jul 18 2022 Andrew Hughes - 1:1.8.0.342.b07-1
+- Update to shenandoah-jdk8u342-b07
+- Update release notes for shenandoah-8u342-b07.
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Use "git apply" with patches in the tarball script to allow binary diffs
+- Remove redundant "REPOS" variable from tarball script
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Perform configuration changes (e.g. nss.cfg, nss.fips.cfg, tzdb.dat) in installjdk
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Explicitly require crypto-policies during build and runtime for system security properties
+- Resolves: rhbz#2099916
+- Resolves: rhbz#2107958
+- Resolves: rhbz#2084776
+- Resolves: rhbz#2106508
+
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:1.8.0.332.b09-2
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+- Resolves: rhbz#2107956
+
* Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b09-1
- Update to shenandoah-jdk8u332-b09 (GA)
- Update release notes for 8u332-b09.