commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07

Author: Andrew Hughes <gnu.andrew@redhat.com>

Date:   Tue Jan 18 02:09:27 2022 +0000

    RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support

diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java

index 28ab1846173..f9726741afd 100644

--- openjdk.orig/src/java.base/share/classes/java/security/Security.java

+++ openjdk/src/java.base/share/classes/java/security/Security.java

@@ -61,10 +61,6 @@ public final class Security {

     private static final Debug sdebug =

                         Debug.getInstance("properties");

-    /* System property file*/

-    private static final String SYSTEM_PROPERTIES =

-        "/etc/crypto-policies/back-ends/java.config";

-

     /* The java.security properties */

     private static Properties props;

@@ -206,22 +202,36 @@ public final class Security {

             }

         }

+        if (!loadedProps) {

+            initializeStatic();

+            if (sdebug != null) {

+                sdebug.println("unable to load security properties " +

+                        "-- using defaults");

+            }

+        }

+

         String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");

         if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&

             "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {

-            if (SystemConfigurator.configure(props)) {

-                loadedProps = true;

+            if (!SystemConfigurator.configureSysProps(props)) {

+                if (sdebug != null) {

+                    sdebug.println("WARNING: System properties could not be loaded.");

+                }

             }

         }

-        if (!loadedProps) {

-            initializeStatic();

+        // FIPS support depends on the contents of java.security so

+        // ensure it has loaded first

+        if (loadedProps) {

+            boolean fipsEnabled = SystemConfigurator.configureFIPS(props);

             if (sdebug != null) {

-                sdebug.println("unable to load security properties " +

-                        "-- using defaults");

+                if (fipsEnabled) {

+                    sdebug.println("FIPS support enabled.");

+                } else {

+                    sdebug.println("FIPS support disabled.");

+                }

             }

         }

-

     }

     /*

diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java

index 874c6221ebe..b7ed41acf0f 100644

--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java

+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java

@@ -76,7 +76,7 @@ final class SystemConfigurator {

      * java.security.disableSystemPropertiesFile property is not set and

      * security.useSystemPropertiesFile is true.

      */

-    static boolean configure(Properties props) {

+    static boolean configureSysProps(Properties props) {

         boolean loadedProps = false;

         try (BufferedInputStream bis =

@@ -96,11 +96,19 @@ final class SystemConfigurator {

                 e.printStackTrace();

             }

         }

+        return loadedProps;

+    }

+

+    /*

+     * Invoked at the end of java.security.Security initialisation

+     * if java.security properties have been loaded

+     */

+    static boolean configureFIPS(Properties props) {

+        boolean loadedProps = false;

         try {

             if (enableFips()) {

                 if (sdebug != null) { sdebug.println("FIPS mode detected"); }

-                loadedProps = false;

                 // Remove all security providers

                 Iterator<Entry<Object, Object>> i = props.entrySet().iterator();

                 while (i.hasNext()) {