da15b5d337
Backport FIPS mode patch to java-1.8.0-openjdk, simplifying provider removal. nss.fips.cfg needs to be moved to %%{etcjavadir} and symlinked into the JDK, like nss.cfg SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. Disable FIPS mode support unless com.redhat.fips is set to "true". Add JDK-8195607/PR3776 to support NSS SQLite databases. Use appropriate keystore types when in FIPS mode (RH1760838) Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). Disable TLSv1.3 when using the NSS-FIPS provider (RH1860986) Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1906862) Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode Resolves: rhbz#1971696
126 lines
5.2 KiB
Diff
126 lines
5.2 KiB
Diff
# HG changeset patch
|
|
# User mbalao
|
|
# Date 1529971845 -28800
|
|
# Tue Jun 26 08:10:45 2018 +0800
|
|
# Node ID e9c20b7250cd98d16a67f2a30b34284c2caa01dc
|
|
# Parent 9f1aa2e38d90dd60522237d7414af6bdcf03c4ff
|
|
8195607, PR3776: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
|
|
Reviewed-by: valeriep, weijun
|
|
|
|
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
|
|
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
|
|
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
|
|
@@ -197,7 +197,7 @@
|
|
|
|
if (configDir != null) {
|
|
String configDirPath = null;
|
|
- String sqlPrefix = "sql:/";
|
|
+ String sqlPrefix = "sql:";
|
|
if (!configDir.startsWith(sqlPrefix)) {
|
|
configDirPath = configDir;
|
|
} else {
|
|
diff --git openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
|
|
--- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
|
|
+++ openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
|
|
@@ -69,9 +69,14 @@
|
|
int res = 0;
|
|
FPTR_Initialize initialize =
|
|
(FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize");
|
|
+ #ifdef SECMOD_DEBUG
|
|
+ FPTR_GetError getError =
|
|
+ (FPTR_GetError)findFunction(env, jHandle, "PORT_GetError");
|
|
+ #endif // SECMOD_DEBUG
|
|
unsigned int flags = 0x00;
|
|
const char *configDir = NULL;
|
|
const char *functionName = NULL;
|
|
+ const char *configFile = NULL;
|
|
|
|
/* If we cannot initialize, exit now */
|
|
if (initialize == NULL) {
|
|
@@ -97,13 +102,18 @@
|
|
flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag
|
|
}
|
|
|
|
+ configFile = "secmod.db";
|
|
+ if (configDir != NULL && strncmp("sql:", configDir, 4U) == 0) {
|
|
+ configFile = "pkcs11.txt";
|
|
+ }
|
|
+
|
|
/*
|
|
* If the NSS_Init function is requested then call NSS_Initialize to
|
|
* open the Cert, Key and Security Module databases, read only.
|
|
*/
|
|
if (strcmp("NSS_Init", functionName) == 0) {
|
|
flags = flags | 0x01; // NSS_INIT_READONLY flag
|
|
- res = initialize(configDir, "", "", "secmod.db", flags);
|
|
+ res = initialize(configDir, "", "", configFile, flags);
|
|
|
|
/*
|
|
* If the NSS_InitReadWrite function is requested then call
|
|
@@ -111,7 +121,7 @@
|
|
* read/write.
|
|
*/
|
|
} else if (strcmp("NSS_InitReadWrite", functionName) == 0) {
|
|
- res = initialize(configDir, "", "", "secmod.db", flags);
|
|
+ res = initialize(configDir, "", "", configFile, flags);
|
|
|
|
/*
|
|
* If the NSS_NoDB_Init function is requested then call
|
|
@@ -137,6 +147,13 @@
|
|
(*env)->ReleaseStringUTFChars(env, jConfigDir, configDir);
|
|
}
|
|
dprintf1("-res: %d\n", res);
|
|
+ #ifdef SECMOD_DEBUG
|
|
+ if (res == -1) {
|
|
+ if (getError != NULL) {
|
|
+ dprintf1("-NSS error: %d\n", getError());
|
|
+ }
|
|
+ }
|
|
+ #endif // SECMOD_DEBUG
|
|
|
|
return (res == 0) ? JNI_TRUE : JNI_FALSE;
|
|
}
|
|
diff --git openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
|
|
--- openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
|
|
+++ openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
|
|
@@ -34,6 +34,10 @@
|
|
const char *certPrefix, const char *keyPrefix,
|
|
const char *secmodName, unsigned int flags);
|
|
|
|
+#ifdef SECMOD_DEBUG
|
|
+typedef int (*FPTR_GetError)(void);
|
|
+#endif //SECMOD_DEBUG
|
|
+
|
|
// in secmod.h
|
|
//extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent,
|
|
// PRBool recurse);
|
|
diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt
|
|
new file mode 100644
|
|
--- /dev/null
|
|
+++ openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt
|
|
@@ -0,0 +1,4 @@
|
|
+library=
|
|
+name=NSS Internal PKCS #11 Module
|
|
+parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
|
|
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
|
|
diff --git openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java
|
|
--- openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java
|
|
+++ openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java
|
|
@@ -55,7 +55,7 @@
|
|
|
|
DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb";
|
|
if (useSqlite) {
|
|
- System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR);
|
|
+ System.setProperty("pkcs11test.nss.db", "sql:" + DBDIR);
|
|
} else {
|
|
System.setProperty("pkcs11test.nss.db", DBDIR);
|
|
}
|
|
@@ -67,6 +67,7 @@
|
|
if (useSqlite) {
|
|
copyFile("key4.db", BASE, DBDIR);
|
|
copyFile("cert9.db", BASE, DBDIR);
|
|
+ copyFile("pkcs11.txt", BASE, DBDIR);
|
|
} else {
|
|
copyFile("secmod.db", BASE, DBDIR);
|
|
copyFile("key3.db", BASE, DBDIR);
|