|
 |
e797a2 |
diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
|
|
|
e797a2 |
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
|
|
|
e797a2 |
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
|
|
|
e797a2 |
@@ -123,6 +123,33 @@
|
|
|
e797a2 |
}
|
|
|
e797a2 |
props.put(fipsProviderKey, fipsProviderValue);
|
|
|
e797a2 |
}
|
|
|
e797a2 |
+ // Add other security properties
|
|
|
e797a2 |
+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
|
|
|
e797a2 |
+ if (keystoreTypeValue != null) {
|
|
|
e797a2 |
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
|
|
|
e797a2 |
+ props.put("keystore.type", keystoreTypeValue);
|
|
|
e797a2 |
+ if (keystoreTypeValue.equals("PKCS11")) {
|
|
|
e797a2 |
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
|
|
|
e797a2 |
+ // must be "NONE". See JDK-8238264.
|
|
|
e797a2 |
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
|
|
|
e797a2 |
+ }
|
|
|
e797a2 |
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
|
|
|
e797a2 |
+ // If no trustStoreType has been set, use the
|
|
|
e797a2 |
+ // previous keystore.type under FIPS mode. In
|
|
|
e797a2 |
+ // a default configuration, the Trust Store will
|
|
|
e797a2 |
+ // be 'cacerts' (JKS type).
|
|
|
e797a2 |
+ System.setProperty("javax.net.ssl.trustStoreType",
|
|
|
e797a2 |
+ nonFipsKeystoreType);
|
|
|
e797a2 |
+ }
|
|
|
e797a2 |
+ if (sdebug != null) {
|
|
|
e797a2 |
+ sdebug.println("FIPS mode default keystore.type = " +
|
|
|
e797a2 |
+ keystoreTypeValue);
|
|
|
e797a2 |
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
|
|
|
e797a2 |
+ System.getProperty("javax.net.ssl.keyStore", ""));
|
|
|
e797a2 |
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
|
|
|
e797a2 |
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
|
|
|
e797a2 |
+ }
|
|
|
e797a2 |
+ }
|
|
|
e797a2 |
loadedProps = true;
|
|
|
e797a2 |
}
|
|
|
e797a2 |
} catch (Exception e) {
|
|
|
e797a2 |
diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
|
|
|
e797a2 |
--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
|
|
|
e797a2 |
+++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
|
|
|
e797a2 |
@@ -299,6 +299,11 @@
|
|
|
e797a2 |
keystore.type=pkcs12
|
|
|
e797a2 |
|
|
|
e797a2 |
#
|
|
|
e797a2 |
+# Default keystore type used when global crypto-policies are set to FIPS.
|
|
|
e797a2 |
+#
|
|
|
e797a2 |
+fips.keystore.type=PKCS11
|
|
|
e797a2 |
+
|
|
|
e797a2 |
+#
|
|
|
e797a2 |
# Controls compatibility mode for JKS and PKCS12 keystore types.
|
|
|
e797a2 |
#
|
|
|
e797a2 |
# When set to 'true', both JKS and PKCS12 keystore types support loading
|