diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 index a73c0f38181..80710886ed8 100644 --- a/make/autoconf/libraries.m4 +++ b/make/autoconf/libraries.m4 @@ -101,6 +101,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], LIB_SETUP_LIBFFI LIB_SETUP_BUNDLED_LIBS LIB_SETUP_MISC_LIBS + LIB_SETUP_SYSCONF_LIBS LIB_SETUP_SOLARIS_STLPORT LIB_TESTS_SETUP_GRAALUNIT @@ -223,3 +224,62 @@ AC_DEFUN_ONCE([LIB_SETUP_SOLARIS_STLPORT], fi ]) +################################################################################ +# Setup system configuration libraries +################################################################################ +AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], +[ + ############################################################################### + # + # Check for the NSS library + # + + AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) + + # default is not available + DEFAULT_SYSCONF_NSS=no + + AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], + [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], + [ + case "${enableval}" in + yes) + sysconf_nss=yes + ;; + *) + sysconf_nss=no + ;; + esac + ], + [ + sysconf_nss=${DEFAULT_SYSCONF_NSS} + ]) + AC_MSG_RESULT([$sysconf_nss]) + + USE_SYSCONF_NSS=false + if test "x${sysconf_nss}" = "xyes"; then + PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) + if test "x${NSS_FOUND}" = "xyes"; then + AC_MSG_CHECKING([for system FIPS support in NSS]) + saved_libs="${LIBS}" + saved_cflags="${CFLAGS}" + CFLAGS="${CFLAGS} ${NSS_CFLAGS}" + LIBS="${LIBS} ${NSS_LIBS}" + AC_LANG_PUSH([C]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], + [[SECMOD_GetSystemFIPSEnabled()]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) + AC_MSG_ERROR([System NSS FIPS detection unavailable])]) + AC_LANG_POP([C]) + CFLAGS="${saved_cflags}" + LIBS="${saved_libs}" + USE_SYSCONF_NSS=true + else + dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API + dnl in nss3/pk11pub.h. + AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) + fi + fi + AC_SUBST(USE_SYSCONF_NSS) +]) diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in index 0ae23b93167..a242acc1234 100644 --- a/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in @@ -826,6 +826,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ # Libraries # +USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ +NSS_LIBS:=@NSS_LIBS@ +NSS_CFLAGS:=@NSS_CFLAGS@ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ LCMS_CFLAGS:=@LCMS_CFLAGS@ LCMS_LIBS:=@LCMS_LIBS@ diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk index a529768f39e..daf9c947172 100644 --- a/make/lib/Lib-java.base.gmk +++ b/make/lib/Lib-java.base.gmk @@ -178,6 +178,31 @@ ifeq ($(OPENJDK_TARGET_OS_TYPE), unix) endif endif +################################################################################ +# Create the systemconf library + +LIBSYSTEMCONF_CFLAGS := +LIBSYSTEMCONF_CXXFLAGS := + +ifeq ($(USE_SYSCONF_NSS), true) + LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS + LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS +endif + +ifeq ($(OPENJDK_BUILD_OS), linux) + $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ + NAME := systemconf, \ + OPTIMIZATION := LOW, \ + CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ + CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ + LDFLAGS := $(LDFLAGS_JDKLIB) \ + $(call SET_SHARED_LIBRARY_ORIGIN), \ + LIBS_unix := $(LIBDL) $(NSS_LIBS), \ + )) + + TARGETS += $(BUILD_LIBSYSTEMCONF) +endif + ################################################################################ # Create the symbols file for static builds. diff --git a/make/nb_native/nbproject/configurations.xml b/make/nb_native/nbproject/configurations.xml index fb07d54c1f0..c5813e2b7aa 100644 --- a/make/nb_native/nbproject/configurations.xml +++ b/make/nb_native/nbproject/configurations.xml @@ -2950,6 +2950,9 @@ LinuxWatchService.c + + systemconf.c + @@ -29301,6 +29304,11 @@ tool="0" flavor2="0"> + + +#include +#include "jvm_md.h" +#include + +#ifdef SYSCONF_NSS +#include +#else +#include +#endif //SYSCONF_NSS + +#include "java_security_SystemConfigurator.h" + +#define MSG_MAX_SIZE 256 +#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" + +typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); + +static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; +static jmethodID debugPrintlnMethodID = NULL; +static jobject debugObj = NULL; + +static void dbgPrint(JNIEnv *env, const char* msg) +{ + jstring jMsg; + if (debugObj != NULL) { + jMsg = (*env)->NewStringUTF(env, msg); + CHECK_NULL(jMsg); + (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); + } +} + +static void throwIOException(JNIEnv *env, const char *msg) +{ + jclass cls = (*env)->FindClass(env, "java/io/IOException"); + if (cls != 0) + (*env)->ThrowNew(env, cls, msg); +} + +static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) +{ + if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { + dbgPrint(env, msg); + } else { + dbgPrint(env, "systemconf: cannot render message"); + } +} + +// Only used when NSS is not linked at build time +#ifndef SYSCONF_NSS + +static void *nss_handle; + +static jboolean loadNSS(JNIEnv *env) +{ + char msg[MSG_MAX_SIZE]; + int msg_bytes; + const char* errmsg; + + nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); + if (nss_handle == NULL) { + errmsg = dlerror(); + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", + errmsg); + handle_msg(env, msg, msg_bytes); + return JNI_FALSE; + } + dlerror(); /* Clear errors */ + getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); + if ((errmsg = dlerror()) != NULL) { + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", + errmsg); + handle_msg(env, msg, msg_bytes); + return JNI_FALSE; + } + return JNI_TRUE; +} + +static void closeNSS(JNIEnv *env) +{ + char msg[MSG_MAX_SIZE]; + int msg_bytes; + const char* errmsg; + + if (dlclose(nss_handle) != 0) { + errmsg = dlerror(); + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", + errmsg); + handle_msg(env, msg, msg_bytes); + } +} + +#endif + +/* + * Class: java_security_SystemConfigurator + * Method: JNI_OnLoad + */ +JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) +{ + JNIEnv *env; + jclass sysConfCls, debugCls; + jfieldID sdebugFld; + + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return JNI_EVERSION; /* JNI version not supported */ + } + + sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); + if (sysConfCls == NULL) { + printf("libsystemconf: SystemConfigurator class not found\n"); + return JNI_ERR; + } + sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, + "sdebug", "Lsun/security/util/Debug;"); + if (sdebugFld == NULL) { + printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); + return JNI_ERR; + } + debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); + if (debugObj != NULL) { + debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); + if (debugCls == NULL) { + printf("libsystemconf: Debug class not found\n"); + return JNI_ERR; + } + debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, + "println", "(Ljava/lang/String;)V"); + if (debugPrintlnMethodID == NULL) { + printf("libsystemconf: Debug::println(String) method not found\n"); + return JNI_ERR; + } + debugObj = (*env)->NewGlobalRef(env, debugObj); + } + +#ifdef SYSCONF_NSS + getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; +#else + if (loadNSS(env) == JNI_FALSE) { + dbgPrint(env, "libsystemconf: Failed to load NSS library."); + } +#endif + + return (*env)->GetVersion(env); +} + +/* + * Class: java_security_SystemConfigurator + * Method: JNI_OnUnload + */ +JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) +{ + JNIEnv *env; + + if (debugObj != NULL) { + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return; /* Should not happen */ + } +#ifndef SYSCONF_NSS + closeNSS(env); +#endif + (*env)->DeleteGlobalRef(env, debugObj); + } +} + +JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled + (JNIEnv *env, jclass cls) +{ + int fips_enabled; + char msg[MSG_MAX_SIZE]; + int msg_bytes; + + if (getSystemFIPSEnabled != NULL) { + dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); + fips_enabled = (*getSystemFIPSEnabled)(); + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); + handle_msg(env, msg, msg_bytes); + return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); + } else { + FILE *fe; + + dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); + if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); + return JNI_FALSE; + } + fips_enabled = fgetc(fe); + fclose(fe); + if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); + return JNI_FALSE; + } + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " read character is '%c'", fips_enabled); + handle_msg(env, msg, msg_bytes); + return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); + } +} diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java index b36510a376b..ad5182e1e7c 100644 --- a/src/java.base/share/classes/java/security/Security.java +++ b/src/java.base/share/classes/java/security/Security.java @@ -32,6 +32,7 @@ import java.net.URL; import jdk.internal.event.EventHelper; import jdk.internal.event.SecurityPropertyModificationEvent; +import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; import jdk.internal.misc.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.util.Debug; @@ -47,12 +48,20 @@ import sun.security.jca.*; * implementation-specific location, which is typically the properties file * {@code conf/security/java.security} in the Java installation directory. * + *

Additional default values of security properties are read from a + * system-specific location, if available.

+ * * @author Benjamin Renaud * @since 1.1 */ public final class Security { + private static final String SYS_PROP_SWITCH = + "java.security.disableSystemPropertiesFile"; + private static final String SEC_PROP_SWITCH = + "security.useSystemPropertiesFile"; + /* Are we debugging? -- for developers */ private static final Debug sdebug = Debug.getInstance("properties"); @@ -67,6 +76,19 @@ public final class Security { } static { + // Initialise here as used by code with system properties disabled + SharedSecrets.setJavaSecuritySystemConfiguratorAccess( + new JavaSecuritySystemConfiguratorAccess() { + @Override + public boolean isSystemFipsEnabled() { + return SystemConfigurator.isSystemFipsEnabled(); + } + @Override + public boolean isPlainKeySupportEnabled() { + return SystemConfigurator.isPlainKeySupportEnabled(); + } + }); + // doPrivileged here because there are multiple // things in initialize that might require privs. // (the FileInputStream call and the File.exists call, @@ -83,6 +105,7 @@ public final class Security { props = new Properties(); boolean loadedProps = false; boolean overrideAll = false; + boolean systemSecPropsEnabled = false; // first load the system properties file // to determine the value of security.overridePropertiesFile @@ -98,6 +121,7 @@ public final class Security { if (sdebug != null) { sdebug.println("reading security properties file: " + propFile); + sdebug.println(props.toString()); } } catch (IOException e) { if (sdebug != null) { @@ -192,6 +216,61 @@ public final class Security { } } + boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); + boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); + if (sdebug != null) { + sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); + sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); + } + if (!sysUseProps && secUseProps) { + systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); + if (!systemSecPropsEnabled) { + if (sdebug != null) { + sdebug.println("WARNING: System security properties could not be loaded."); + } + } + } else { + if (sdebug != null) { + sdebug.println("System security property support disabled by user."); + } + } + + // FIPS support depends on the contents of java.security so + // ensure it has loaded first + if (loadedProps && systemSecPropsEnabled) { + boolean shouldEnable; + String sysProp = System.getProperty("com.redhat.fips"); + if (sysProp == null) { + shouldEnable = true; + if (sdebug != null) { + sdebug.println("com.redhat.fips unset, using default value of true"); + } + } else { + shouldEnable = Boolean.valueOf(sysProp); + if (sdebug != null) { + sdebug.println("com.redhat.fips set, using its value " + shouldEnable); + } + } + if (shouldEnable) { + boolean fipsEnabled = SystemConfigurator.configureFIPS(props); + if (sdebug != null) { + if (fipsEnabled) { + sdebug.println("FIPS mode support configured and enabled."); + } else { + sdebug.println("FIPS mode support disabled."); + } + } + } else { + if (sdebug != null ) { + sdebug.println("FIPS mode support disabled by user."); + } + } + } else { + if (sdebug != null) { + sdebug.println("WARNING: FIPS mode support can not be enabled without " + + "system security properties being enabled."); + } + } } /* diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java new file mode 100644 index 00000000000..90f6dd2ebc0 --- /dev/null +++ b/src/java.base/share/classes/java/security/SystemConfigurator.java @@ -0,0 +1,248 @@ +/* + * Copyright (c) 2019, 2021, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package java.security; + +import java.io.BufferedInputStream; +import java.io.FileInputStream; +import java.io.IOException; + +import java.util.Iterator; +import java.util.Map.Entry; +import java.util.Properties; + +import sun.security.util.Debug; + +/** + * Internal class to align OpenJDK with global crypto-policies. + * Called from java.security.Security class initialization, + * during startup. + * + */ + +final class SystemConfigurator { + + private static final Debug sdebug = + Debug.getInstance("properties"); + + private static final String CRYPTO_POLICIES_BASE_DIR = + "/etc/crypto-policies"; + + private static final String CRYPTO_POLICIES_JAVA_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + + private static boolean systemFipsEnabled = false; + private static boolean plainKeySupportEnabled = false; + + private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; + + private static native boolean getSystemFIPSEnabled() + throws IOException; + + static { + AccessController.doPrivileged(new PrivilegedAction() { + public Void run() { + System.loadLibrary(SYSTEMCONF_NATIVE_LIB); + return null; + } + }); + } + + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and + * security.useSystemPropertiesFile is true. + */ + static boolean configureSysProps(Properties props) { + boolean systemSecPropsLoaded = false; + + try (BufferedInputStream bis = + new BufferedInputStream( + new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { + props.load(bis); + systemSecPropsLoaded = true; + if (sdebug != null) { + sdebug.println("reading system security properties file " + + CRYPTO_POLICIES_JAVA_CONFIG); + sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { + sdebug.println("unable to load security properties from " + + CRYPTO_POLICIES_JAVA_CONFIG); + e.printStackTrace(); + } + } + return systemSecPropsLoaded; + } + + /* + * Invoked at the end of java.security.Security initialisation + * if java.security properties have been loaded + */ + static boolean configureFIPS(Properties props) { + boolean loadedProps = false; + + try { + if (enableFips()) { + if (sdebug != null) { sdebug.println("FIPS mode detected"); } + // Remove all security providers + Iterator> i = props.entrySet().iterator(); + while (i.hasNext()) { + Entry e = i.next(); + if (((String) e.getKey()).startsWith("security.provider")) { + if (sdebug != null) { sdebug.println("Removing provider: " + e); } + i.remove(); + } + } + // Add FIPS security providers + String fipsProviderValue = null; + for (int n = 1; + (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { + String fipsProviderKey = "security.provider." + n; + if (sdebug != null) { + sdebug.println("Adding provider " + n + ": " + + fipsProviderKey + "=" + fipsProviderValue); + } + props.put(fipsProviderKey, fipsProviderValue); + } + // Add other security properties + String keystoreTypeValue = (String) props.get("fips.keystore.type"); + if (keystoreTypeValue != null) { + String nonFipsKeystoreType = props.getProperty("keystore.type"); + props.put("keystore.type", keystoreTypeValue); + if (keystoreTypeValue.equals("PKCS11")) { + // If keystore.type is PKCS11, javax.net.ssl.keyStore + // must be "NONE". See JDK-8238264. + System.setProperty("javax.net.ssl.keyStore", "NONE"); + } + if (System.getProperty("javax.net.ssl.trustStoreType") == null) { + // If no trustStoreType has been set, use the + // previous keystore.type under FIPS mode. In + // a default configuration, the Trust Store will + // be 'cacerts' (JKS type). + System.setProperty("javax.net.ssl.trustStoreType", + nonFipsKeystoreType); + } + if (sdebug != null) { + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + + System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } + } + loadedProps = true; + systemFipsEnabled = true; + String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", + "true"); + plainKeySupportEnabled = !"false".equals(plainKeySupport); + if (sdebug != null) { + if (plainKeySupportEnabled) { + sdebug.println("FIPS support enabled with plain key support"); + } else { + sdebug.println("FIPS support enabled without plain key support"); + } + } + } else { + if (sdebug != null) { sdebug.println("FIPS mode not detected"); } + } + } catch (Exception e) { + if (sdebug != null) { + sdebug.println("unable to load FIPS configuration"); + e.printStackTrace(); + } + } + return loadedProps; + } + + /** + * Returns whether or not global system FIPS alignment is enabled. + * + * Value is always 'false' before java.security.Security class is + * initialized. + * + * Call from out of this package through SharedSecrets: + * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + * .isSystemFipsEnabled(); + * + * @return a boolean value indicating whether or not global + * system FIPS alignment is enabled. + */ + static boolean isSystemFipsEnabled() { + return systemFipsEnabled; + } + + /** + * Returns {@code true} if system FIPS alignment is enabled + * and plain key support is allowed. Plain key support is + * enabled by default but can be disabled with + * {@code -Dcom.redhat.fips.plainKeySupport=false}. + * + * @return a boolean indicating whether plain key support + * should be enabled. + */ + static boolean isPlainKeySupportEnabled() { + return plainKeySupportEnabled; + } + + /** + * Determines whether FIPS mode should be enabled. + * + * OpenJDK FIPS mode will be enabled only if the system is in + * FIPS mode. + * + * Calls to this method only occur if the system property + * com.redhat.fips is not set to false. + * + * There are 2 possible ways in which OpenJDK detects that the system + * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is + * available at OpenJDK's built-time, it is called; 2) otherwise, the + * /proc/sys/crypto/fips_enabled file is read. + * + * @return true if the system is in FIPS mode + */ + private static boolean enableFips() throws Exception { + if (sdebug != null) { + sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); + } + try { + boolean fipsEnabled = getSystemFIPSEnabled(); + if (sdebug != null) { + sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " + + fipsEnabled); + } + return fipsEnabled; + } catch (IOException e) { + if (sdebug != null) { + sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); + sdebug.println(e.getMessage()); + } + throw e; + } + } +} diff --git a/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java new file mode 100644 index 00000000000..21bc6d0b591 --- /dev/null +++ b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2020, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package jdk.internal.misc; + +public interface JavaSecuritySystemConfiguratorAccess { + boolean isSystemFipsEnabled(); + boolean isPlainKeySupportEnabled(); +} diff --git a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java index 688ec9f0915..8489b940c43 100644 --- a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +++ b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java @@ -36,6 +36,7 @@ import java.io.FilePermission; import java.io.ObjectInputStream; import java.io.RandomAccessFile; import java.security.ProtectionDomain; +import java.security.Security; import java.security.Signature; /** A repository of "shared secrets", which are a mechanism for @@ -76,6 +77,7 @@ public class SharedSecrets { private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; public static JavaUtilJarAccess javaUtilJarAccess() { if (javaUtilJarAccess == null) { @@ -361,4 +363,15 @@ public class SharedSecrets { } return javaxCryptoSealedObjectAccess; } + + public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { + javaSecuritySystemConfiguratorAccess = jssca; + } + + public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { + if (javaSecuritySystemConfiguratorAccess == null) { + unsafe.ensureClassInitialized(Security.class); + } + return javaSecuritySystemConfiguratorAccess; + } } diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java index 5460efcf8c5..f08dc2fafc5 100644 --- a/src/java.base/share/classes/module-info.java +++ b/src/java.base/share/classes/module-info.java @@ -182,6 +182,7 @@ module java.base { java.security.jgss, java.sql, java.xml, + jdk.crypto.cryptoki, jdk.jartool, jdk.attach, jdk.charsets, diff --git a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java index ffee2c1603b..ff3d5e0e4ab 100644 --- a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +++ b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java @@ -33,8 +33,13 @@ import java.security.KeyStore.*; import javax.net.ssl.*; +import jdk.internal.misc.SharedSecrets; + abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + private static final boolean plainKeySupportEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); + X509ExtendedKeyManager keyManager; boolean isInitialized; @@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException { if ((ks != null) && SunJSSE.isFIPS()) { - if (ks.getProvider() != SunJSSE.cryptoProvider) { + if (ks.getProvider() != SunJSSE.cryptoProvider && + !plainKeySupportEnabled) { throw new KeyStoreException("FIPS mode: KeyStore must be " + "from provider " + SunJSSE.cryptoProvider.getName()); } @@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { keyManager = new X509KeyManagerImpl( Collections.emptyList()); } else { - if (SunJSSE.isFIPS() && - (ks.getProvider() != SunJSSE.cryptoProvider)) { + if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) + && !plainKeySupportEnabled) { throw new KeyStoreException( "FIPS mode: KeyStore must be " + "from provider " + SunJSSE.cryptoProvider.getName()); diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java index de7da5c3379..5c3813dda7b 100644 --- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java @@ -31,6 +31,7 @@ import java.security.*; import java.security.cert.*; import java.util.*; import javax.net.ssl.*; +import jdk.internal.misc.SharedSecrets; import sun.security.action.GetPropertyAction; import sun.security.provider.certpath.AlgorithmChecker; import sun.security.validator.Validator; @@ -542,20 +543,38 @@ public abstract class SSLContextImpl extends SSLContextSpi { static { if (SunJSSE.isFIPS()) { - supportedProtocols = Arrays.asList( - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10 - ); + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + ); - serverDefaultProtocols = getAvailableProtocols( - new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10 - }); + serverDefaultProtocols = getAvailableProtocols( + new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }); + } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + ); + + serverDefaultProtocols = getAvailableProtocols( + new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }); + } } else { supportedProtocols = Arrays.asList( ProtocolVersion.TLS13, @@ -620,6 +639,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { static ProtocolVersion[] getSupportedProtocols() { if (SunJSSE.isFIPS()) { + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + return new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }; + } return new ProtocolVersion[] { ProtocolVersion.TLS13, ProtocolVersion.TLS12, @@ -949,6 +978,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { static ProtocolVersion[] getProtocols() { if (SunJSSE.isFIPS()) { + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + return new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }; + } return new ProtocolVersion[]{ ProtocolVersion.TLS13, ProtocolVersion.TLS12, diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java index c50ba93ecfc..de2a91a478c 100644 --- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java @@ -27,6 +27,8 @@ package sun.security.ssl; import java.security.*; import java.util.*; + +import jdk.internal.misc.SharedSecrets; import sun.security.rsa.SunRsaSignEntries; import static sun.security.util.SecurityConstants.PROVIDER_VER; import static sun.security.provider.SunEntries.createAliases; @@ -195,8 +197,13 @@ public abstract class SunJSSE extends java.security.Provider { "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); ps("SSLContext", "TLSv1.2", "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); - ps("SSLContext", "TLSv1.3", - "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); + if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + ps("SSLContext", "TLSv1.3", + "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); + } ps("SSLContext", "TLS", "sun.security.ssl.SSLContextImpl$TLSContext", (isfips? null : createAliases("SSL")), null); diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index 097517926d1..474fe6f401f 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -85,6 +85,14 @@ security.provider.tbd=Apple security.provider.tbd=SunPKCS11 #endif +# +# Security providers used when FIPS mode support is active +# +fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg +fips.provider.2=SUN +fips.provider.3=SunEC +fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS + # # A list of preferred providers for specific algorithms. These providers will # be searched for matching algorithms before the list of registered providers. @@ -298,6 +306,11 @@ policy.ignoreIdentityScope=false # keystore.type=pkcs12 +# +# Default keystore type used when global crypto-policies are set to FIPS. +# +fips.keystore.type=PKCS11 + # # Controls compatibility mode for JKS and PKCS12 keystore types. # @@ -335,6 +348,13 @@ package.definition=sun.misc.,\ # security.overridePropertiesFile=true +# +# Determines whether this properties file will be appended to +# using the system properties file stored at +# /etc/crypto-policies/back-ends/java.config +# +security.useSystemPropertiesFile=false + # # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java new file mode 100644 index 00000000000..b848a1fd783 --- /dev/null +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java @@ -0,0 +1,290 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.Provider; +import java.security.Security; +import java.util.HashMap; +import java.util.Map; +import java.util.concurrent.locks.ReentrantLock; + +import javax.crypto.Cipher; +import javax.crypto.spec.DHPrivateKeySpec; +import javax.crypto.spec.IvParameterSpec; + +import sun.security.jca.JCAUtil; +import sun.security.pkcs11.TemplateManager; +import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; +import sun.security.pkcs11.wrapper.CK_MECHANISM; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; +import sun.security.pkcs11.wrapper.PKCS11Exception; +import sun.security.rsa.RSAUtil.KeyType; +import sun.security.util.Debug; +import sun.security.util.ECUtil; + +final class FIPSKeyImporter { + + private static final Debug debug = + Debug.getInstance("sunpkcs11"); + + private static P11Key importerKey = null; + private static final ReentrantLock importerKeyLock = new ReentrantLock(); + private static CK_MECHANISM importerKeyMechanism = null; + private static Cipher importerCipher = null; + + private static Provider sunECProvider = null; + private static final ReentrantLock sunECProviderLock = new ReentrantLock(); + + private static KeyFactory DHKF = null; + private static final ReentrantLock DHKFLock = new ReentrantLock(); + + static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) + throws PKCS11Exception { + long keyID = -1; + Token token = sunPKCS11.getToken(); + if (debug != null) { + debug.println("Private or Secret key will be imported in" + + " system FIPS mode."); + } + if (importerKey == null) { + importerKeyLock.lock(); + try { + if (importerKey == null) { + if (importerKeyMechanism == null) { + // Importer Key creation has not been tried yet. Try it. + createImporterKey(token); + } + if (importerKey == null || importerCipher == null) { + if (debug != null) { + debug.println("Importer Key could not be" + + " generated."); + } + throw new PKCS11Exception(CKR_GENERAL_ERROR); + } + if (debug != null) { + debug.println("Importer Key successfully" + + " generated."); + } + } + } finally { + importerKeyLock.unlock(); + } + } + long importerKeyID = importerKey.getKeyID(); + try { + byte[] keyBytes = null; + byte[] encKeyBytes = null; + long keyClass = 0L; + long keyType = 0L; + Map attrsMap = new HashMap<>(); + for (CK_ATTRIBUTE attr : attributes) { + if (attr.type == CKA_CLASS) { + keyClass = attr.getLong(); + } else if (attr.type == CKA_KEY_TYPE) { + keyType = attr.getLong(); + } + attrsMap.put(attr.type, attr); + } + BigInteger v = null; + if (keyClass == CKO_PRIVATE_KEY) { + if (keyType == CKK_RSA) { + if (debug != null) { + debug.println("Importing an RSA private key..."); + } + keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( + KeyType.RSA, + null, + ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) + ? v : BigInteger.ZERO + ).getEncoded(); + } else if (keyType == CKK_DSA) { + if (debug != null) { + debug.println("Importing a DSA private key..."); + } + keyBytes = new sun.security.provider.DSAPrivateKey( + ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) + ? v : BigInteger.ZERO + ).getEncoded(); + if (token.config.getNssNetscapeDbWorkaround() && + attrsMap.get(CKA_NETSCAPE_DB) == null) { + attrsMap.put(CKA_NETSCAPE_DB, + new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); + } + } else if (keyType == CKK_EC) { + if (debug != null) { + debug.println("Importing an EC private key..."); + } + if (sunECProvider == null) { + sunECProviderLock.lock(); + try { + if (sunECProvider == null) { + sunECProvider = Security.getProvider("SunEC"); + } + } finally { + sunECProviderLock.unlock(); + } + } + keyBytes = ECUtil.generateECPrivateKey( + ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ECUtil.getECParameterSpec(sunECProvider, + attrsMap.get(CKA_EC_PARAMS).getByteArray())) + .getEncoded(); + if (token.config.getNssNetscapeDbWorkaround() && + attrsMap.get(CKA_NETSCAPE_DB) == null) { + attrsMap.put(CKA_NETSCAPE_DB, + new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); + } + } else if (keyType == CKK_DH) { + if (debug != null) { + debug.println("Importing a Diffie-Hellman private key..."); + } + if (DHKF == null) { + DHKFLock.lock(); + try { + if (DHKF == null) { + DHKF = KeyFactory.getInstance( + "DH", P11Util.getSunJceProvider()); + } + } finally { + DHKFLock.unlock(); + } + } + DHPrivateKeySpec spec = new DHPrivateKeySpec + (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) + ? v : BigInteger.ZERO, + ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) + ? v : BigInteger.ZERO); + keyBytes = DHKF.generatePrivate(spec).getEncoded(); + if (token.config.getNssNetscapeDbWorkaround() && + attrsMap.get(CKA_NETSCAPE_DB) == null) { + attrsMap.put(CKA_NETSCAPE_DB, + new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); + } + } else { + if (debug != null) { + debug.println("Unrecognized private key type."); + } + throw new PKCS11Exception(CKR_GENERAL_ERROR); + } + } else if (keyClass == CKO_SECRET_KEY) { + if (debug != null) { + debug.println("Importing a secret key..."); + } + keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); + } + if (keyBytes == null || keyBytes.length == 0) { + if (debug != null) { + debug.println("Private or secret key plain bytes could" + + " not be obtained. Import failed."); + } + throw new PKCS11Exception(CKR_GENERAL_ERROR); + } + importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, + new IvParameterSpec((byte[])importerKeyMechanism.pParameter), + null); + attributes = new CK_ATTRIBUTE[attrsMap.size()]; + attrsMap.values().toArray(attributes); + encKeyBytes = importerCipher.doFinal(keyBytes); + attributes = token.getAttributes(TemplateManager.O_IMPORT, + keyClass, keyType, attributes); + keyID = token.p11.C_UnwrapKey(hSession, + importerKeyMechanism, importerKeyID, encKeyBytes, attributes); + if (debug != null) { + debug.println("Imported key ID: " + keyID); + } + } catch (Throwable t) { + throw new PKCS11Exception(CKR_GENERAL_ERROR); + } finally { + importerKey.releaseKeyID(); + } + return Long.valueOf(keyID); + } + + private static void createImporterKey(Token token) { + if (debug != null) { + debug.println("Generating Importer Key..."); + } + byte[] iv = new byte[16]; + JCAUtil.getSecureRandom().nextBytes(iv); + importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); + try { + CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, + CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), + new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); + Session s = null; + try { + s = token.getObjSession(); + long keyID = token.p11.C_GenerateKey( + s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), + attributes); + if (debug != null) { + debug.println("Importer Key ID: " + keyID); + } + importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", + 256 >> 3, null); + } catch (PKCS11Exception e) { + // best effort + } finally { + token.releaseSession(s); + } + if (importerKey != null) { + importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); + } + } catch (Throwable t) { + // best effort + importerKey = null; + importerCipher = null; + // importerKeyMechanism value is kept initialized to indicate that + // Importer Key creation has been tried and failed. + } + } +} diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java index 099caac605f..977e5332bd1 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -26,6 +26,9 @@ package sun.security.pkcs11; import java.io.*; +import java.lang.invoke.MethodHandle; +import java.lang.invoke.MethodHandles; +import java.lang.invoke.MethodType; import java.util.*; import java.security.*; @@ -43,6 +46,8 @@ import javax.security.auth.callback.PasswordCallback; import com.sun.crypto.provider.ChaCha20Poly1305Parameters; import jdk.internal.misc.InnocuousThread; +import jdk.internal.misc.SharedSecrets; + import sun.security.util.Debug; import sun.security.util.ResourcesMgr; import static sun.security.util.SecurityConstants.PROVIDER_VER; @@ -60,6 +65,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; */ public final class SunPKCS11 extends AuthProvider { + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); + + private static final boolean plainKeySupportEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); + + private static final MethodHandle fipsImportKey; + static { + MethodHandle fipsImportKeyTmp = null; + if (plainKeySupportEnabled) { + try { + fipsImportKeyTmp = MethodHandles.lookup().findStatic( + FIPSKeyImporter.class, "importKey", + MethodType.methodType(Long.class, SunPKCS11.class, + long.class, CK_ATTRIBUTE[].class)); + } catch (Throwable t) { + throw new SecurityException("FIPS key importer initialization" + + " failed", t); + } + } + fipsImportKey = fipsImportKeyTmp; + } + private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); @@ -317,10 +345,15 @@ public final class SunPKCS11 extends AuthProvider { // request multithreaded access first initArgs.flags = CKF_OS_LOCKING_OK; PKCS11 tmpPKCS11; + MethodHandle fipsKeyImporter = null; + if (plainKeySupportEnabled) { + fipsKeyImporter = MethodHandles.insertArguments( + fipsImportKey, 0, this); + } try { tmpPKCS11 = PKCS11.getInstance( library, functionList, initArgs, - config.getOmitInitialize()); + config.getOmitInitialize(), fipsKeyImporter); } catch (PKCS11Exception e) { if (debug != null) { debug.println("Multi-threaded initialization failed: " + e); @@ -336,7 +369,7 @@ public final class SunPKCS11 extends AuthProvider { initArgs.flags = 0; } tmpPKCS11 = PKCS11.getInstance(library, - functionList, initArgs, config.getOmitInitialize()); + functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); } p11 = tmpPKCS11; @@ -376,6 +409,24 @@ public final class SunPKCS11 extends AuthProvider { if (nssModule != null) { nssModule.setProvider(this); } + if (systemFipsEnabled) { + // The NSS Software Token in FIPS 140-2 mode requires a user + // login for most operations. See sftk_fipsCheck. The NSS DB + // (/etc/pki/nssdb) PIN is empty. + Session session = null; + try { + session = token.getOpSession(); + p11.C_Login(session.id(), CKU_USER, new char[] {}); + } catch (PKCS11Exception p11e) { + if (debug != null) { + debug.println("Error during token login: " + + p11e.getMessage()); + } + throw p11e; + } finally { + token.releaseSession(session); + } + } } catch (Exception e) { if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { throw new UnsupportedOperationException diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java index 04a369f453c..f033fe47593 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java @@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; import java.io.File; import java.io.IOException; +import java.lang.invoke.MethodHandle; import java.util.*; import java.security.AccessController; @@ -148,18 +149,41 @@ public class PKCS11 { this.pkcs11ModulePath = pkcs11ModulePath; } + /* + * Compatibility wrapper to allow this method to work as before + * when FIPS mode support is not active. + */ + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, + boolean omitInitialize) throws IOException, PKCS11Exception { + return getInstance(pkcs11ModulePath, functionList, + pInitArgs, omitInitialize, null); + } + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, String functionList, CK_C_INITIALIZE_ARGS pInitArgs, - boolean omitInitialize) throws IOException, PKCS11Exception { + boolean omitInitialize, MethodHandle fipsKeyImporter) + throws IOException, PKCS11Exception { // we may only call C_Initialize once per native .so/.dll // so keep a cache using the (non-canonicalized!) path PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); if (pkcs11 == null) { + boolean nssFipsMode = fipsKeyImporter != null; if ((pInitArgs != null) && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { - pkcs11 = new PKCS11(pkcs11ModulePath, functionList); + if (nssFipsMode) { + pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, + fipsKeyImporter); + } else { + pkcs11 = new PKCS11(pkcs11ModulePath, functionList); + } } else { - pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); + if (nssFipsMode) { + pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, + functionList, fipsKeyImporter); + } else { + pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); + } } if (omitInitialize == false) { try { @@ -1909,4 +1933,69 @@ static class SynchronizedPKCS11 extends PKCS11 { super.C_GenerateRandom(hSession, randomData); } } + +// PKCS11 subclass that allows using plain private or secret keys in +// FIPS-configured NSS Software Tokens. Only used when System FIPS +// is enabled. +static class FIPSPKCS11 extends PKCS11 { + private MethodHandle fipsKeyImporter; + FIPSPKCS11(String pkcs11ModulePath, String functionListName, + MethodHandle fipsKeyImporter) throws IOException { + super(pkcs11ModulePath, functionListName); + this.fipsKeyImporter = fipsKeyImporter; + } + + public synchronized long C_CreateObject(long hSession, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { + // Creating sensitive key objects from plain key material in a + // FIPS-configured NSS Software Token is not allowed. We apply + // a key-unwrapping scheme to achieve so. + if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { + try { + return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) + .longValue(); + } catch (Throwable t) { + throw new PKCS11Exception(CKR_GENERAL_ERROR); + } + } + return super.C_CreateObject(hSession, pTemplate); + } +} + +// FIPSPKCS11 synchronized counterpart. +static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { + private MethodHandle fipsKeyImporter; + SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, + MethodHandle fipsKeyImporter) throws IOException { + super(pkcs11ModulePath, functionListName); + this.fipsKeyImporter = fipsKeyImporter; + } + + public synchronized long C_CreateObject(long hSession, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { + // See FIPSPKCS11::C_CreateObject. + if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { + try { + return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) + .longValue(); + } catch (Throwable t) { + throw new PKCS11Exception(CKR_GENERAL_ERROR); + } + } + return super.C_CreateObject(hSession, pTemplate); + } +} + +private static class FIPSPKCS11Helper { + static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { + for (CK_ATTRIBUTE attr : pTemplate) { + if (attr.type == CKA_CLASS && + (attr.getLong() == CKO_PRIVATE_KEY || + attr.getLong() == CKO_SECRET_KEY)) { + return true; + } + } + return false; + } +} }