rpms/java-1.8.0-openjdk
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent

Browse Source 
Resolves: rhbz#2052821
This commit is contained in:
Andrew Hughes 2022-02-23 18:00:32 +00:00
parent 01b1de5ea3
commit 5368472a23
2 changed files with 105 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
java-1.8.0-openjdk.spec
View File

@ -324,7 +324,7 @@
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
# eg jdk8u60-b27 -> b27 # eg jdk8u60-b27 -> b27
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
%global rpmrelease 3 %global rpmrelease 4
# Define milestone (EA for pre-releases, GA ("fcs") for releases) # Define milestone (EA for pre-releases, GA ("fcs") for releases)
# Release will be (where N is usually a number starting at 1): # Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases, # - 0.N%%{?extraver}%%{?dist} for EA releases,
@ -1337,6 +1337,7 @@ Patch1011: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues # RH2021263: Resolve outstanding FIPS issues
Patch1014: rh2021263-fips_ensure_security_initialised.patch Patch1014: rh2021263-fips_ensure_security_initialised.patch
Patch1015: rh2021263-fips_missing_native_returns.patch Patch1015: rh2021263-fips_missing_native_returns.patch
Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
############################################# #############################################
# #
@ -1811,6 +1812,7 @@ sh %{SOURCE12}
%patch1011 %patch1011
%patch1014 %patch1014
%patch1015 %patch1015
%patch1016
# RHEL-only patches # RHEL-only patches
%if ! 0%{?fedora} && 0%{?rhel} <= 7 %if ! 0%{?fedora} && 0%{?rhel} <= 7
@ -2560,6 +2562,10 @@ cjc.mainProgram(args)
%endif %endif
%changelog %changelog
* Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-4
- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
- Resolves: rhbz#2052821
* Tue Feb 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-3 * Tue Feb 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-3
- Fix FIPS issues in native code and with initialisation of java.security.Security - Fix FIPS issues in native code and with initialisation of java.security.Security
- Resolves: rhbz#2023387 - Resolves: rhbz#2023387

98
rh2021263-fips_separate_policy_and_fips_init.patch Normal file
View File

@ -0,0 +1,98 @@
commit aaf92165ad1cbb1c9818eb60178c91293e13b053
Author: Andrew John Hughes <andrew@openjdk.org>
Date: Mon Jan 24 15:13:14 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
index fa494b680f..b5aa5c749d 100644
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -57,10 +57,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -202,13 +198,6 @@ public final class Security {
}
}
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if (disableSystemProps == null &&
- "true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
- loadedProps = loadedProps && SystemConfigurator.configure(props);
- }
-
if (!loadedProps) {
initializeStatic();
if (sdebug != null) {
@@ -217,6 +206,28 @@ public final class Security {
}
}
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
+ }
+ }
+
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
+ if (sdebug != null) {
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
+ }
+ }
}
/*
diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
index d1f677597d..7da65b1d2c 100644
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {