da15b5d337
Backport FIPS mode patch to java-1.8.0-openjdk, simplifying provider removal. nss.fips.cfg needs to be moved to %%{etcjavadir} and symlinked into the JDK, like nss.cfg. SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. Disable FIPS mode support unless com.redhat.fips is set to "true". Add JDK-8195607/PR3776 to support NSS SQLite databases. Use appropriate keystore types when in FIPS mode (RH1760838). Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). Disable TLSv1.3 when using the NSS-FIPS provider (RH1860986). Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1906862). Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode. Resolves: rhbz#1971696
# HG changeset patch
# User andrew
# Date 1608219816 0
# Thu Dec 17 15:43:36 2020 +0000
# Node ID db5d1b28bfce04352b3a48960bf836f6eb20804b
# Parent a2cfa397150e99b813354226d536eb8509b5850b
RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
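diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -30,6 +30,8 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.io.*;
 import java.net.URL;
+import sun.misc.SharedSecrets;
+import sun.misc.JavaSecuritySystemConfiguratorAccess;
 import sun.security.util.Debug;
 import sun.security.util.PropertyExpander;
 
@@ -69,6 +71,15 @@
 }
 
 static {
+ // Initialise here as used by code with system properties disabled
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
+
 // doPrivileged here because there are multiple
 // things in initialize that might require privs.
 // (the FileInputStream call and the File.exists call,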
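Review bot: The comment on the new static block in Security.java (`// Initialise here as used by code with system properties disabled`) does not say what the accessor answers on the path it was added for. The SystemConfigurator section of this patch shows `systemFipsEnabled` defaulting to `false`, and its retained comment says the configure step is invoked only when java.security.disableSystemPropertiesFile is not set, so on that path `isSystemFipsEnabled()` presumably reports false whatever the host's FIPS state is; the assignment to true lies outside the visible hunks, so this should be confirmed. I would expand the comment to `// Register before initialize(): callers may query FIPS state even when the system properties file is disabled, in which case this reports false`. The static block continues past the end of the hunk.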
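diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -39,8 +39,6 @@
 import java.util.Properties;
 import java.util.regex.Pattern;
 
-import sun.misc.SharedSecrets;
-import sun.misc.JavaSecuritySystemConfiguratorAccess;
 import sun.security.util.Debug;
 
 /**
@@ -66,16 +64,6 @@
 
 private static boolean systemFipsEnabled = false;
 
- static {
- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
- new JavaSecuritySystemConfiguratorAccess() {
- @Override
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
- });
- }
-
 /*
 * Invoked when java.security.Security class is initialized, if
 * java.security.disableSystemPropertiesFile property is not set and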