diff --git a/SOURCES/CheckVendor.java b/SOURCES/CheckVendor.java new file mode 100644 index 0000000..e2101cf --- /dev/null +++ b/SOURCES/CheckVendor.java @@ -0,0 +1,57 @@ +/* CheckVendor -- Check the vendor properties match specified values. + Copyright (C) 2020 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +/** + * @test + */ +public class CheckVendor { + + public static void main(String[] args) { + if (args.length < 3) { + System.err.println("CheckVendor "); + System.exit(1); + } + + String vendor = System.getProperty("java.vendor"); + String expectedVendor = args[0]; + String vendorURL = System.getProperty("java.vendor.url"); + String expectedVendorURL = args[1]; + String vendorBugURL = System.getProperty("java.vendor.url.bug"); + String expectedVendorBugURL = args[2]; + + if (!expectedVendor.equals(vendor)) { + System.err.printf("Invalid vendor %s, expected %s\n", + vendor, expectedVendor); + System.exit(2); + } + + if (!expectedVendorURL.equals(vendorURL)) { + System.err.printf("Invalid vendor URL %s, expected %s\n", + vendorURL, expectedVendorURL); + System.exit(3); + } + + if (!expectedVendorBugURL.equals(vendorBugURL)) { + System.err.printf("Invalid vendor bug URL%s, expected %s\n", + vendorBugURL, expectedVendorBugURL); + System.exit(4); + } + + System.err.printf("Vendor information verified as %s, %s, %s\n", + vendor, vendorURL, vendorBugURL); + } +} diff --git a/SOURCES/jdk8251117-rh1860990-pkcs11_key_length.patch b/SOURCES/jdk8251117-rh1860990-pkcs11_key_length.patch new file mode 100644 index 0000000..727ba2d --- /dev/null +++ b/SOURCES/jdk8251117-rh1860990-pkcs11_key_length.patch @@ -0,0 +1,38 @@ +# HG changeset patch +# User mbalao +# Date 1596572361 10800 +# Tue Aug 04 17:19:21 2020 -0300 +# Node ID d8a0513b92ee262d4e64c1e13d43e1b3f3e5c5d5 +# Parent a259b5b1bc7cc4dd0d8fa19e8bdbf96a4e76224f +8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher +Reviewed-by: valeriep +Contributed-by: zzambers@redhat.com + +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java +@@ -279,7 +279,9 @@ + SecureRandom sr) + throws InvalidKeyException, InvalidAlgorithmParameterException { + reset(true); +- if (fixedKeySize != -1 && key.getEncoded().length != fixedKeySize) { ++ if (fixedKeySize != -1 && ++ ((key instanceof P11Key) ? ((P11Key) key).length() >> 3 : ++ key.getEncoded().length) != fixedKeySize) { + throw new InvalidKeyException("Key size is invalid"); + } + P11Key newKey = P11SecretKeyFactory.convertKey(token, key, ALGO); +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java +@@ -345,7 +345,9 @@ + SecureRandom random) + throws InvalidKeyException, InvalidAlgorithmParameterException { + reset(true); +- if (fixedKeySize != -1 && key.getEncoded().length != fixedKeySize) { ++ if (fixedKeySize != -1 && ++ ((key instanceof P11Key) ? ((P11Key) key).length() >> 3 : ++ key.getEncoded().length) != fixedKeySize) { + throw new InvalidKeyException("Key size is invalid"); + } + switch (opmode) { diff --git a/SOURCES/jdk8252258-rh1868406-fix_bad_vendor.patch b/SOURCES/jdk8252258-rh1868406-fix_bad_vendor.patch new file mode 100644 index 0000000..c5a6191 --- /dev/null +++ b/SOURCES/jdk8252258-rh1868406-fix_bad_vendor.patch @@ -0,0 +1,12 @@ +diff --git a/make/autoconf/version-numbers b/make/autoconf/version-numbers +--- a/make/autoconf/version-numbers ++++ b/make/autoconf/version-numbers +@@ -43,7 +43,7 @@ + PRODUCT_NAME=OpenJDK + PRODUCT_SUFFIX="Runtime Environment" + JDK_RC_PLATFORM_NAME=Platform +-COMPANY_NAME=N/A ++COMPANY_NAME="Oracle Corporation" + HOTSPOT_VM_DISTRO="OpenJDK" + VENDOR_URL=https://openjdk.java.net/ + VENDOR_URL_BUG=https://bugreport.java.com/bugreport/ diff --git a/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch new file mode 100644 index 0000000..0a76cad --- /dev/null +++ b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch @@ -0,0 +1,311 @@ +diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java +--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300 +@@ -1,11 +1,13 @@ + /* +- * Copyright (c) 2019, Red Hat, Inc. ++ * Copyright (c) 2019, 2020, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as +- * published by the Free Software Foundation. ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +@@ -34,10 +36,10 @@ + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.function.Consumer; +-import java.util.regex.Matcher; + import java.util.regex.Pattern; + ++import jdk.internal.misc.SharedSecrets; ++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; + import sun.security.util.Debug; + + /** +@@ -47,7 +49,7 @@ + * + */ + +-class SystemConfigurator { ++final class SystemConfigurator { + + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -61,15 +63,16 @@ + private static final String CRYPTO_POLICIES_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/config"; + +- private static final class SecurityProviderInfo { +- int number; +- String key; +- String value; +- SecurityProviderInfo(int number, String key, String value) { +- this.number = number; +- this.key = key; +- this.value = value; +- } ++ private static boolean systemFipsEnabled = false; ++ ++ static { ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); + } + + /* +@@ -128,9 +131,9 @@ + String nonFipsKeystoreType = props.getProperty("keystore.type"); + props.put("keystore.type", keystoreTypeValue); + if (keystoreTypeValue.equals("PKCS11")) { +- // If keystore.type is PKCS11, javax.net.ssl.keyStore +- // must be "NONE". See JDK-8238264. +- System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); + } + if (System.getProperty("javax.net.ssl.trustStoreType") == null) { + // If no trustStoreType has been set, use the +@@ -144,12 +147,13 @@ + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + +- System.getProperty("javax.net.ssl.keyStore", "")); ++ System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } + } + loadedProps = true; ++ systemFipsEnabled = true; + } + } catch (Exception e) { + if (sdebug != null) { +@@ -160,13 +164,30 @@ + return loadedProps; + } + ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ + /* + * FIPS is enabled only if crypto-policies are set to "FIPS" + * and the com.redhat.fips property is true. + */ + private static boolean enableFips() throws Exception { +- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); +- if (fipsEnabled) { ++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (shouldEnable) { + String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); + if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } + Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300 +@@ -0,0 +1,30 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.misc; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++} +diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +--- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300 +@@ -76,6 +76,7 @@ + private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; + private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static JavaUtilJarAccess javaUtilJarAccess() { + if (javaUtilJarAccess == null) { +@@ -361,4 +362,12 @@ + } + return javaxCryptoSealedObjectAccess; + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300 +@@ -31,6 +31,7 @@ + import java.security.cert.*; + import java.util.*; + import javax.net.ssl.*; ++import jdk.internal.misc.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -542,20 +543,38 @@ + + static { + if (SunJSSE.isFIPS()) { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- ); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); + +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, +@@ -620,6 +639,16 @@ + + static ProtocolVersion[] getSupportedProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +@@ -949,6 +978,16 @@ + + static ProtocolVersion[] getProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[]{ + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java +--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300 +@@ -27,6 +27,8 @@ + + import java.security.*; + import java.util.*; ++ ++import jdk.internal.misc.SharedSecrets; + import sun.security.rsa.SunRsaSignEntries; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.provider.SunEntries.createAliases; +@@ -195,8 +197,13 @@ + "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); + ps("SSLContext", "TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); +- ps("SSLContext", "TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ ps("SSLContext", "TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ } + ps("SSLContext", "TLS", + "sun.security.ssl.SSLContextImpl$TLSContext", + (isfips? null : createAliases("SSL")), null); diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index d1b9b3a..b8aac10 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -250,6 +250,11 @@ %global lts_designator_zip "" %endif +# Define vendor information used by OpenJDK +%global vendor "Oracle Corporation" +%global vendor_url "https://openjdk.java.net/" +%global vendor_bug_url "https://bugreport.java.com/bugreport/" + # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 3.15.0 @@ -259,7 +264,7 @@ %global top_level_dir_name %{origin} %global minorver 0 %global buildver 10 -%global rpmrelease 1 +%global rpmrelease 4 #%%global tagsuffix %%{nil} # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit %if %is_system_jdk @@ -1120,6 +1125,9 @@ Source14: TestECDSA.java # nss fips configuration file Source15: nss.fips.cfg.in +# Ensure vendor settings are correct +Source16: CheckVendor.java + ############################################ # # RPM/distribution specific patches @@ -1138,6 +1146,8 @@ Patch1001: rh1655466-global_crypto_and_fips.patch Patch1002: rh1818909-fips_default_keystore_type.patch # RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY Patch1003: rh1842572-rsa_default_for_keytool.patch +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch ############################################# # @@ -1165,6 +1175,20 @@ Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch Patch7: pr3695-toggle_system_crypto_policy.patch # S390 ambiguous log2_intptr call Patch8: s390-8214206_fix.patch +# JDK-8252258, RH1868406: [11u] JDK-8242154 changes the default vendor +Patch10: jdk8252258-rh1868406-fix_bad_vendor.patch + +############################################# +# +# Patches appearing in 11.0.9 +# +# This section includes patches which are present +# in the listed OpenJDK 11u release and should be +# able to be removed once that release is out +# and used by this RPM. +############################################# +# JDK-8251117, RH1860990: Cannot check P11Key size in P11Cipher and P11AEADCipher +Patch9: jdk8251117-rh1860990-pkcs11_key_length.patch ############################################# # @@ -1533,12 +1557,15 @@ pushd %{top_level_dir_name} %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 popd # openjdk %patch1000 %patch1001 %patch1002 %patch1003 +%patch1004 # Extract systemtap tapsets %if %{with_systemtap} @@ -1737,6 +1764,10 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") %{vendor} %{vendor_url} %{vendor_bug_url} + # Check debug symbols in static libraries (smoke test) export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image} readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c @@ -2181,6 +2212,19 @@ end %endif %changelog +* Tue Aug 25 2020 Andrew Hughes - 1:11.0.8.10-4 +- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use. +- Resolves: rhbz#1860986 + +* Tue Aug 25 2020 Andrew Hughes - 1:11.0.8.10-3 +- Add JDK-8252258 to return default vendor to the original value of 'Oracle Corporation' +- Include a test in the RPM to check the build has the correct vendor information. +- Resolves: rhbz#1868406 + +* Tue Aug 25 2020 Andrew Hughes - 1:11.0.8.10-2 +- Backport JDK-8251117 to allow key length to be retrieved from PKCS#11 FIPS keys +- Resolves: rhbz#1860990 + * Sat Jul 11 2020 Andrew Hughes - 1:11.0.8.10-1 - Update to shenandoah-jdk-11.0.8+10 (GA) - Switch to GA mode for final release.