From 0a390a26f09f2d4a0908247f17d7332afb6d6c29 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 31 2021 08:18:49 +0000 Subject: import java-17-openjdk-17.0.0.0.33-0.5.ea.el8 --- diff --git a/SOURCES/rh1929465-dont_define_unused_throwioexception.patch b/SOURCES/rh1929465-dont_define_unused_throwioexception.patch new file mode 100644 index 0000000..eba090f --- /dev/null +++ b/SOURCES/rh1929465-dont_define_unused_throwioexception.patch @@ -0,0 +1,69 @@ +commit 90e344e7d4987af610fa0054c92d18fe1c2edd41 +Author: Andrew Hughes +Date: Sat Aug 28 01:15:28 2021 +0100 + + RH1929465: Don't define unused throwIOException function when using NSS detection + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index 6f4656bfcb6..38919d6bb0f 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -34,14 +34,34 @@ + + #include "java_security_SystemConfigurator.h" + +-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" + #define MSG_MAX_SIZE 96 + + static jmethodID debugPrintlnMethodID = NULL; + static jobject debugObj = NULL; + +-static void throwIOException(JNIEnv *env, const char *msg); +-static void dbgPrint(JNIEnv *env, const char* msg); ++// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read ++#ifndef SYSCONF_NSS ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++#endif ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} + + /* + * Class: java_security_SystemConfigurator +@@ -149,20 +169,3 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + + #endif // SYSCONF_NSS + } +- +-static void throwIOException(JNIEnv *env, const char *msg) +-{ +- jclass cls = (*env)->FindClass(env, "java/io/IOException"); +- if (cls != 0) +- (*env)->ThrowNew(env, cls, msg); +-} +- +-static void dbgPrint(JNIEnv *env, const char* msg) +-{ +- jstring jMsg; +- if (debugObj != NULL) { +- jMsg = (*env)->NewStringUTF(env, msg); +- CHECK_NULL(jMsg); +- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); +- } +-} diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection.patch b/SOURCES/rh1929465-improve_system_FIPS_detection.patch new file mode 100644 index 0000000..4dfd1d4 --- /dev/null +++ b/SOURCES/rh1929465-improve_system_FIPS_detection.patch @@ -0,0 +1,428 @@ +diff --git openjdk/make/autoconf/lib-sysconf.m4 openjdk/make/autoconf/lib-sysconf.m4 +new file mode 100644 +index 00000000000..b2b1c1787da +--- /dev/null ++++ openjdk/make/autoconf/lib-sysconf.m4 +@@ -0,0 +1,84 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. ++# ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git openjdk/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4 +index a65d91ee974..a8f054c1397 100644 +--- openjdk/make/autoconf/libraries.m4 ++++ openjdk/make/autoconf/libraries.m4 +@@ -33,6 +33,7 @@ m4_include([lib-std.m4]) + m4_include([lib-x11.m4]) + m4_include([lib-fontconfig.m4]) + m4_include([lib-tests.m4]) ++m4_include([lib-sysconf.m4]) + + ################################################################################ + # Determine which libraries are needed for this configuration +@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS + LIB_TESTS_SETUP_GTEST ++ LIB_SETUP_SYSCONF_LIBS + + BASIC_JDKLIB_LIBS="" + if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then +diff --git openjdk/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in +index 29445c8c24f..9b1b512a34a 100644 +--- openjdk/make/autoconf/spec.gmk.in ++++ openjdk/make/autoconf/spec.gmk.in +@@ -834,6 +834,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git openjdk/make/modules/java.base/Lib.gmk openjdk/make/modules/java.base/Lib.gmk +index 5658ff342e5..cb7a56852f7 100644 +--- openjdk/make/modules/java.base/Lib.gmk ++++ openjdk/make/modules/java.base/Lib.gmk +@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++ifeq ($(OPENJDK_BUILD_OS), linux) ++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++ )) ++ ++ TARGETS += $(BUILD_LIBSYSTEMCONF) ++endif ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git openjdk/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +new file mode 100644 +index 00000000000..6f4656bfcb6 +--- /dev/null ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -0,0 +1,168 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++#define MSG_MAX_SIZE 96 ++ ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void throwIOException(JNIEnv *env, const char *msg); ++static void dbgPrint(JNIEnv *env, const char* msg); ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++#ifdef SYSCONF_NSS ++ ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = SECMOD_GetSystemFIPSEnabled(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " SECMOD_GetSystemFIPSEnabled return value"); ++ } ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ ++#else // SYSCONF_NSS ++ ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " read character"); ++ } ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ ++#endif // SYSCONF_NSS ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} +diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 10b54aa4ce4..6aa1419dfd0 100644 +--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, 2020, Red Hat, Inc. ++ * Copyright (c) 2019, 2021, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * +@@ -30,13 +30,9 @@ import java.io.BufferedInputStream; + import java.io.FileInputStream; + import java.io.IOException; + +-import java.nio.file.Files; +-import java.nio.file.Path; +- + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.regex.Pattern; + + import sun.security.util.Debug; + +@@ -58,11 +54,23 @@ final class SystemConfigurator { + private static final String CRYPTO_POLICIES_JAVA_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + +- private static final String CRYPTO_POLICIES_CONFIG = +- CRYPTO_POLICIES_BASE_DIR + "/config"; +- + private static boolean systemFipsEnabled = false; + ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and +@@ -170,16 +178,34 @@ final class SystemConfigurator { + } + + /* +- * FIPS is enabled only if crypto-policies are set to "FIPS" +- * and the com.redhat.fips property is true. ++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips ++ * system property is true (default) and the system is in FIPS mode. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. + */ + private static boolean enableFips() throws Exception { + boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); + if (shouldEnable) { +- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); +- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } +- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +- return pattern.matcher(cryptoPoliciesConfig).find(); ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ shouldEnable = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + shouldEnable); ++ } ++ return shouldEnable; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } + } else { + return false; + } diff --git a/SOURCES/rh1995150-disable_non-fips_crypto.patch b/SOURCES/rh1995150-disable_non-fips_crypto.patch new file mode 100644 index 0000000..b3d0ae7 --- /dev/null +++ b/SOURCES/rh1995150-disable_non-fips_crypto.patch @@ -0,0 +1,596 @@ +diff --git openjdk/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java +index 9d4a794de1a..39e69362458 100644 +--- openjdk/src/java.base/share/classes/module-info.java ++++ openjdk/src/java.base/share/classes/module-info.java +@@ -151,6 +151,7 @@ module java.base { + java.management, + java.naming, + java.rmi, ++ jdk.crypto.ec, + jdk.jartool, + jdk.jlink, + jdk.net, +diff --git openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +index 912cad59714..c5e13c98bd9 100644 +--- openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -30,6 +30,7 @@ import java.net.*; + import java.util.*; + import java.security.*; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.action.GetPropertyAction; + import sun.security.util.SecurityProviderConstants; +@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + + public final class SunEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + // the default algo used by SecureRandom class for new SecureRandom() calls + public static final String DEF_SECURE_RANDOM_ALGO; + +@@ -94,147 +99,149 @@ public final class SunEntries { + // common attribute map + HashMap attrs = new HashMap<>(3); + +- /* +- * SecureRandom engines +- */ +- attrs.put("ThreadSafe", "true"); +- if (NativePRNG.isAvailable()) { +- add(p, "SecureRandom", "NativePRNG", +- "sun.security.provider.NativePRNG", attrs); +- } +- if (NativePRNG.Blocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGBlocking", +- "sun.security.provider.NativePRNG$Blocking", attrs); +- } +- if (NativePRNG.NonBlocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGNonBlocking", +- "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * SecureRandom engines ++ */ ++ attrs.put("ThreadSafe", "true"); ++ if (NativePRNG.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNG", ++ "sun.security.provider.NativePRNG", attrs); ++ } ++ if (NativePRNG.Blocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGBlocking", ++ "sun.security.provider.NativePRNG$Blocking", attrs); ++ } ++ if (NativePRNG.NonBlocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGNonBlocking", ++ "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ } ++ attrs.put("ImplementedIn", "Software"); ++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); ++ add(p, "SecureRandom", "SHA1PRNG", ++ "sun.security.provider.SecureRandom", attrs); ++ ++ /* ++ * Signature engines ++ */ ++ attrs.clear(); ++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + ++ "|java.security.interfaces.DSAPrivateKey"; ++ attrs.put("SupportedKeyClasses", dsaKeyClasses); ++ attrs.put("ImplementedIn", "Software"); ++ ++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures ++ ++ addWithAlias(p, "Signature", "SHA1withDSA", ++ "sun.security.provider.DSA$SHA1withDSA", attrs); ++ addWithAlias(p, "Signature", "NONEwithDSA", ++ "sun.security.provider.DSA$RawDSA", attrs); ++ ++ // for DSA signatures with 224/256-bit digests ++ attrs.put("KeySize", "2048"); ++ ++ addWithAlias(p, "Signature", "SHA224withDSA", ++ "sun.security.provider.DSA$SHA224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA256withDSA", ++ "sun.security.provider.DSA$SHA256withDSA", attrs); ++ ++ addWithAlias(p, "Signature", "SHA3-224withDSA", ++ "sun.security.provider.DSA$SHA3_224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-256withDSA", ++ "sun.security.provider.DSA$SHA3_256withDSA", attrs); ++ ++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests ++ ++ addWithAlias(p, "Signature", "SHA384withDSA", ++ "sun.security.provider.DSA$SHA384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA512withDSA", ++ "sun.security.provider.DSA$SHA512withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-384withDSA", ++ "sun.security.provider.DSA$SHA3_384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-512withDSA", ++ "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ ++ attrs.remove("KeySize"); ++ ++ add(p, "Signature", "SHA1withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); ++ add(p, "Signature", "NONEwithDSAinP1363Format", ++ "sun.security.provider.DSA$RawDSAinP1363Format"); ++ add(p, "Signature", "SHA224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); ++ add(p, "Signature", "SHA256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); ++ add(p, "Signature", "SHA384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); ++ add(p, "Signature", "SHA512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ /* ++ * Key Pair Generator engines ++ */ ++ attrs.clear(); ++ attrs.put("ImplementedIn", "Software"); ++ attrs.put("KeySize", "2048"); // for DSA KPG and APG only ++ ++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; ++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); ++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ ++ /* ++ * Algorithm Parameter Generator engines ++ */ ++ addWithAlias(p, "AlgorithmParameterGenerator", "DSA", ++ "sun.security.provider.DSAParameterGenerator", attrs); ++ attrs.remove("KeySize"); ++ ++ /* ++ * Algorithm Parameter engines ++ */ ++ addWithAlias(p, "AlgorithmParameters", "DSA", ++ "sun.security.provider.DSAParameters", attrs); ++ ++ /* ++ * Key factories ++ */ ++ addWithAlias(p, "KeyFactory", "DSA", ++ "sun.security.provider.DSAKeyFactory", attrs); ++ ++ /* ++ * Digest engines ++ */ ++ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); ++ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", ++ attrs); ++ ++ addWithAlias(p, "MessageDigest", "SHA-224", ++ "sun.security.provider.SHA2$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-256", ++ "sun.security.provider.SHA2$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-384", ++ "sun.security.provider.SHA5$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512", ++ "sun.security.provider.SHA5$SHA512", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/224", ++ "sun.security.provider.SHA5$SHA512_224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/256", ++ "sun.security.provider.SHA5$SHA512_256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-224", ++ "sun.security.provider.SHA3$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-256", ++ "sun.security.provider.SHA3$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-384", ++ "sun.security.provider.SHA3$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-512", ++ "sun.security.provider.SHA3$SHA512", attrs); + } +- attrs.put("ImplementedIn", "Software"); +- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); +- add(p, "SecureRandom", "SHA1PRNG", +- "sun.security.provider.SecureRandom", attrs); +- +- /* +- * Signature engines +- */ +- attrs.clear(); +- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + +- "|java.security.interfaces.DSAPrivateKey"; +- attrs.put("SupportedKeyClasses", dsaKeyClasses); +- attrs.put("ImplementedIn", "Software"); +- +- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures +- +- addWithAlias(p, "Signature", "SHA1withDSA", +- "sun.security.provider.DSA$SHA1withDSA", attrs); +- addWithAlias(p, "Signature", "NONEwithDSA", +- "sun.security.provider.DSA$RawDSA", attrs); +- +- // for DSA signatures with 224/256-bit digests +- attrs.put("KeySize", "2048"); +- +- addWithAlias(p, "Signature", "SHA224withDSA", +- "sun.security.provider.DSA$SHA224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA256withDSA", +- "sun.security.provider.DSA$SHA256withDSA", attrs); +- +- addWithAlias(p, "Signature", "SHA3-224withDSA", +- "sun.security.provider.DSA$SHA3_224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-256withDSA", +- "sun.security.provider.DSA$SHA3_256withDSA", attrs); +- +- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests +- +- addWithAlias(p, "Signature", "SHA384withDSA", +- "sun.security.provider.DSA$SHA384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA512withDSA", +- "sun.security.provider.DSA$SHA512withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-384withDSA", +- "sun.security.provider.DSA$SHA3_384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-512withDSA", +- "sun.security.provider.DSA$SHA3_512withDSA", attrs); +- +- attrs.remove("KeySize"); +- +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); +- /* +- * Key Pair Generator engines +- */ +- attrs.clear(); +- attrs.put("ImplementedIn", "Software"); +- attrs.put("KeySize", "2048"); // for DSA KPG and APG only +- +- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; +- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); +- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); +- +- /* +- * Algorithm Parameter Generator engines +- */ +- addWithAlias(p, "AlgorithmParameterGenerator", "DSA", +- "sun.security.provider.DSAParameterGenerator", attrs); +- attrs.remove("KeySize"); +- +- /* +- * Algorithm Parameter engines +- */ +- addWithAlias(p, "AlgorithmParameters", "DSA", +- "sun.security.provider.DSAParameters", attrs); +- +- /* +- * Key factories +- */ +- addWithAlias(p, "KeyFactory", "DSA", +- "sun.security.provider.DSAKeyFactory", attrs); +- +- /* +- * Digest engines +- */ +- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); +- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); +- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", +- attrs); +- +- addWithAlias(p, "MessageDigest", "SHA-224", +- "sun.security.provider.SHA2$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-256", +- "sun.security.provider.SHA2$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA-384", +- "sun.security.provider.SHA5$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512", +- "sun.security.provider.SHA5$SHA512", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/224", +- "sun.security.provider.SHA5$SHA512_224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/256", +- "sun.security.provider.SHA5$SHA512_256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-224", +- "sun.security.provider.SHA3$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-256", +- "sun.security.provider.SHA3$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-384", +- "sun.security.provider.SHA3$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-512", +- "sun.security.provider.SHA3$SHA512", attrs); + + /* + * Certificates +diff --git openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +index 8c9e4f9dbe6..9eeb3013e0d 100644 +--- openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ++++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +@@ -38,6 +38,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.List; + ++import jdk.internal.access.SharedSecrets; + import sun.security.ec.ed.EdDSAAlgorithmParameters; + import sun.security.ec.ed.EdDSAKeyFactory; + import sun.security.ec.ed.EdDSAKeyPairGenerator; +@@ -56,6 +57,10 @@ public final class SunEC extends Provider { + + private static final long serialVersionUID = -2279741672933606418L; + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private static class ProviderServiceA extends ProviderService { + ProviderServiceA(Provider p, String type, String algo, String cn, + HashMap attrs) { +@@ -249,85 +254,86 @@ public final class SunEC extends Provider { + + putXDHEntries(); + putEdDSAEntries(); +- +- /* +- * Signature engines +- */ +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", +- null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$RawinP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA1withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA1inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA512inP1363Format")); +- +- putService(new ProviderService(this, "Signature", +- "SHA3-224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); +- +- /* +- * Key Pair Generator engine +- */ +- putService(new ProviderService(this, "KeyPairGenerator", +- "EC", "sun.security.ec.ECKeyPairGenerator", +- List.of("EllipticCurve"), ATTRS)); +- +- /* +- * Key Agreement engine +- */ +- putService(new ProviderService(this, "KeyAgreement", +- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ if (!systemFipsEnabled) { ++ /* ++ * Signature engines ++ */ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", ++ null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$RawinP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA1withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA1inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA512inP1363Format")); ++ ++ putService(new ProviderService(this, "Signature", ++ "SHA3-224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); ++ ++ /* ++ * Key Pair Generator engine ++ */ ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "EC", "sun.security.ec.ECKeyPairGenerator", ++ List.of("EllipticCurve"), ATTRS)); ++ ++ /* ++ * Key Agreement engine ++ */ ++ putService(new ProviderService(this, "KeyAgreement", ++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ } + } + + private void putXDHEntries() { +@@ -344,23 +350,25 @@ public final class SunEC extends Provider { + "X448", "sun.security.ec.XDHKeyFactory.X448", + ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X448", "sun.security.ec.XDHKeyPairGenerator.X448", +- ATTRS)); +- +- putService(new ProviderService(this, "KeyAgreement", +- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X25519", "sun.security.ec.XDHKeyAgreement.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X448", "sun.security.ec.XDHKeyAgreement.X448", +- ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "KeyAgreement", ++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X448", "sun.security.ec.XDHKeyAgreement.X448", ++ ATTRS)); ++ } + } + + private void putEdDSAEntries() { +@@ -375,21 +383,23 @@ public final class SunEC extends Provider { + putService(new ProviderServiceA(this, "KeyFactory", + "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ } + + } + } diff --git a/SOURCES/rh1996182-extend_security_policy.patch b/SOURCES/rh1996182-extend_security_policy.patch new file mode 100644 index 0000000..7622622 --- /dev/null +++ b/SOURCES/rh1996182-extend_security_policy.patch @@ -0,0 +1,18 @@ +commit bfd7c5dae9c15266799cb885b8c60199217b65b9 +Author: Andrew Hughes +Date: Mon Aug 30 16:14:14 2021 +0100 + + RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access + +diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy +index 8356e56367b..23925f048be 100644 +--- openjdk.orig/src/java.base/share/lib/security/default.policy ++++ openjdk/src/java.base/share/lib/security/default.policy +@@ -128,6 +128,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { + grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.lang.RuntimePermission + "accessClassInPackage.com.sun.crypto.provider"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch new file mode 100644 index 0000000..475c521 --- /dev/null +++ b/SOURCES/rh1996182-login_to_nss_software_token.patch @@ -0,0 +1,65 @@ +commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923 +Author: Martin Balao +Date: Sat Aug 28 00:35:44 2021 +0100 + + RH1996182: Login to the NSS Software Token in FIPS Mode + +diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java +index 39e69362458..aeb5fc2eb46 100644 +--- openjdk.orig/src/java.base/share/classes/module-info.java ++++ openjdk/src/java.base/share/classes/module-info.java +@@ -151,6 +151,7 @@ module java.base { + java.management, + java.naming, + java.rmi, ++ jdk.crypto.cryptoki, + jdk.crypto.ec, + jdk.jartool, + jdk.jlink, +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 112b639aa96..5d3963ea893 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback; + + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.InnocuousThread; + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; +@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException diff --git a/SPECS/java-17-openjdk.spec b/SPECS/java-17-openjdk.spec index d4ec893..ed96b3c 100644 --- a/SPECS/java-17-openjdk.spec +++ b/SPECS/java-17-openjdk.spec @@ -298,7 +298,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 33 -%global rpmrelease 1 +%global rpmrelease 5 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -370,7 +370,7 @@ # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 -%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libzip[.]so.* +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.* %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ @@ -708,6 +708,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so %ifarch %{svml_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsvml.so %endif @@ -969,8 +970,6 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs -# for FIPS PKCS11 provider -Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives @@ -1174,6 +1173,14 @@ Patch1002: rh1818909-fips_default_keystore_type.patch Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch # RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess Patch1007: rh1915071-always_initialise_configurator_access.patch +# RH1929465: Improve system FIPS detection +Patch1008: rh1929465-improve_system_FIPS_detection.patch +Patch1011: rh1929465-dont_define_unused_throwioexception.patch +# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers +Patch1009: rh1995150-disable_non-fips_crypto.patch +# RH1996182: Login to the NSS software token in FIPS mode +Patch1010: rh1996182-login_to_nss_software_token.patch +Patch1012: rh1996182-extend_security_policy.patch ############################################# # @@ -1207,8 +1214,8 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirements for setting up the nss.cfg -BuildRequires: nss-devel +# Requirements for setting up the nss.cfg and FIPS support +BuildRequires: nss-devel >= 3.53 BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip @@ -1535,6 +1542,11 @@ popd # openjdk %patch1002 %patch1004 %patch1007 +%patch1008 +%patch1009 +%patch1010 +%patch1011 +%patch1012 # Extract systemtap tapsets %if %{with_systemtap} @@ -1686,6 +1698,7 @@ bash ${top_dir_abs_src_path}/configure \ --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ --with-debug-level=$debugbuild \ --with-native-debug-symbols=internal \ + --enable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ --with-libjpeg=${link_opt} \ @@ -2250,6 +2263,31 @@ require "copy_jdk_configs.lua" %endif %changelog +* Mon Aug 30 2021 Andrew Hughes - 1:17.0.0.0.33-0.5.ea +- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. +- Resolves: rhbz#1996182 + +* Sat Aug 28 2021 Andrew Hughes - 1:17.0.0.0.33-0.4.ea +- Fix unused function compiler warning found in systemconf.c +- Related: rhbz#1995150 + +* Sat Aug 28 2021 Martin Balao - 1:17.0.0.0.33-0.4.ea +- Add patch to login to the NSS software token when in FIPS mode. +- Resolves: rhbz#1996182 + +* Fri Aug 27 2021 Martin Balao - 1:17.0.0.0.33-0.3.ea +- Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. +- Resolves: rhbz#1995150 + +* Fri Aug 27 2021 Andrew Hughes - 1:17.0.0.0.33-0.2.ea +- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. +- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. +- Related: rhbz#1995150 + +* Fri Aug 27 2021 Martin Balao - 1:17.0.0.0.33-0.2.ea +- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. +- Related: rhbz#1995150 + * Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.33-0.1.ea - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.