From 06051b6c4d8d0fba4b8622b54f5cbe10bc54f7cd Mon Sep 17 00:00:00 2001 From: Severin Gehwolf Date: Tue, 12 Feb 2019 16:58:38 +0100 Subject: [PATCH] Add a test verifying system crypto policies can be disabled --- TestSecurityProperties.java | 43 +++++++++++++++++++++++++++++++++++++ java-11-openjdk.spec | 12 ++++++++++- 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 TestSecurityProperties.java diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java new file mode 100644 index 0000000..06a0b07 --- /dev/null +++ b/TestSecurityProperties.java @@ -0,0 +1,43 @@ +import java.io.File; +import java.io.FileInputStream; +import java.security.Security; +import java.util.Properties; + +public class TestSecurityProperties { + // JDK 11 + private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; + // JDK 8 + private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + + public static void main(String[] args) { + Properties jdkProps = new Properties(); + loadProperties(jdkProps); + for (Object key: jdkProps.keySet()) { + String sKey = (String)key; + String securityVal = Security.getProperty(sKey); + String jdkSecVal = jdkProps.getProperty(sKey); + if (!securityVal.equals(jdkSecVal)) { + String msg = "Expected value '" + jdkSecVal + "' for key '" + + sKey + "'" + " but got value '" + securityVal + "'"; + throw new RuntimeException("Test failed! " + msg); + } else { + System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected."); + } + } + System.out.println("TestSecurityProperties PASSED!"); + } + + private static void loadProperties(Properties props) { + String javaVersion = System.getProperty("java.version"); + System.out.println("Debug: Java version is " + javaVersion); + String propsFile = JDK_PROPS_FILE_JDK_11; + if (javaVersion.startsWith("1.8.0")) { + propsFile = JDK_PROPS_FILE_JDK_8; + } + try (FileInputStream fin = new FileInputStream(new File(propsFile))) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } +} diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 077451c..cb27f7d 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -957,7 +957,7 @@ Provides: java-src%{?1} = %{epoch}:%{version}-%{release} Name: java-%{javaver}-%{origin} Version: %{newjavaver}.%{buildver} -Release: 3%{?dist} +Release: 4%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -1009,6 +1009,9 @@ Source13: TestCryptoLevel.java # Ensure ECDSA is working Source14: TestECDSA.java +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + ############################################ # # RPM/distribution specific patches @@ -1504,6 +1507,10 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") +# Check system crypto (policy) can be disabled +$JAVA_HOME/bin/javac -d . %{SOURCE15} +$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") + # Check debug symbols are present and can identify code find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib do @@ -1877,6 +1884,9 @@ require "copy_jdk_configs.lua" %changelog +* Tue Feb 14 2019 Severin Gehwolf - 1:11.0.2.7-4 +- Add a test verifying system crypto policies can be disabled + * Tue Feb 12 2019 Severin Gehwolf - 1:11.0.2.7-3 - Don't build the test images needlessly.