java-1.8.0-openjdk/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch

99 lines
3.9 KiB
Diff
Raw Normal View History

commit aaf92165ad1cbb1c9818eb60178c91293e13b053
Author: Andrew John Hughes <andrew@openjdk.org>
Date: Mon Jan 24 15:13:14 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
index fa494b680f..b5aa5c749d 100644
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -57,10 +57,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -202,13 +198,6 @@ public final class Security {
}
}
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if (disableSystemProps == null &&
- "true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
- loadedProps = loadedProps && SystemConfigurator.configure(props);
- }
-
if (!loadedProps) {
initializeStatic();
if (sdebug != null) {
@@ -217,6 +206,28 @@ public final class Security {
}
}
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
+ }
+ }
+
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
+ if (sdebug != null) {
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
+ }
+ }
}
/*
diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
index d1f677597d..7da65b1d2c 100644
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {