import java-11-openjdk-11.0.12.0.7-4.el8
This commit is contained in:
parent
fcdb3429a4
commit
500b1da933
.gitignore.java-11-openjdk.metadata
SOURCES
NEWSTestSecurityProperties.javajdk8236512-pkcs11_incorrrect_session_closure.patchjdk8250861-rh1895274-crash_in_MinINode_Ideal.patchjdk8254177-tzdata2020b.patchjdk8269668-rh1977671-aarch64_lib_path_fix.patchremove-intree-libraries.shrh1750419-redhat_alt_java.patchrh1842572-rsa_default_for_keytool.patchrh1868740-cryptoki_access_to_sunjce.patchrh1868754-pkcs11_cancel_on_failure.patchrh1883849-cryptoki_access_to_sunjce_with_security_manager.patchrh1915071-always_initialise_configurator_access.patchrh1929465-improve_system_FIPS_detection.patchrh1996182-extend_security_policy.patchrh1996182-login_to_nss_software_token.patchs390-8214206_fix.patch
SPECS
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz
|
||||
SOURCES/tapsets-icedtea-3.15.0.tar.xz
|
||||
SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
|
||||
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||
|
@ -1,2 +1,2 @@
|
||||
4a65c2e79897772480e91d1bc60aca9a4c7e20f2 SOURCES/jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz
|
||||
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
|
||||
7459fbf6c597831b6039c3a608048131cb637528 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
|
||||
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||
|
1008
SOURCES/NEWS
1008
SOURCES/NEWS
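--- /dev/null
+++ b/SOURCES/TestSecurityProperties.java
@@ -0,0 +1,43 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+
+public class TestSecurityProperties {
+// JDK 11
+private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+// JDK 8
+private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+
+public static void main(String[] args) {
+Properties jdkProps = new Properties();
+loadProperties(jdkProps);
+for (Object key: jdkProps.keySet()) {
+String sKey = (String)key;
+String securityVal = Security.getProperty(sKey);
+String jdkSecVal = jdkProps.getProperty(sKey);
+if (!securityVal.equals(jdkSecVal)) {
+String msg = "Expected value '" + jdkSecVal + "' for key '" +
+sKey + "'" + " but got value '" + securityVal + "'";
+throw new RuntimeException("Test failed! " + msg);
+} else {
+System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+}
+}
+System.out.println("TestSecurityProperties PASSED!");
+}
+
+private static void loadProperties(Properties props) {
+String javaVersion = System.getProperty("java.version");
+System.out.println("Debug: Java version is " + javaVersion);
+String propsFile = JDK_PROPS_FILE_JDK_11;
+if (javaVersion.startsWith("1.8.0")) {
+propsFile = JDK_PROPS_FILE_JDK_8;
+}
+try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+props.load(fin);
+} catch (Exception e) {
+throw new RuntimeException("Test failed!", e);
+}
+}
+}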
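Review bot: `securityVal.equals(jdkSecVal)` in `main` dereferences the value returned by `Security.getProperty(sKey)`, which is null for any key present in the java.security file on disk but not registered as a security property (for example when the runtime loaded a different file than the one this test reads), so such a mismatch surfaces as a NullPointerException instead of the intended "Test failed!" diagnostic. Since `jdkSecVal` comes from `jdkProps.keySet()` it is never null, so reversing the comparison, `if (!jdkSecVal.equals(securityVal)) {`, keeps the failure message and reports the missing property explicitly. In `loadProperties`, `catch (Exception e)` also wraps programming errors as a test failure; `catch (IOException e)` is the only exception `Properties.load` on a FileInputStream can raise here. The two log prefixes `"DEBUG: "` and `"Debug: "` are inconsistent and worth unifying.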
@ -1,480 +0,0 @@
|
||||
# HG changeset patch
|
||||
# User valeriep
|
||||
# Date 1581468987 0
|
||||
# Wed Feb 12 00:56:27 2020 +0000
|
||||
# Node ID e47d22d82b0464720ccb7641e290080972b6ce88
|
||||
# Parent 5c41dc4c48f85e5a1e1ce6e3836b54674f273367
|
||||
8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding
|
||||
Summary: Removed killSession() calls in certain impl classes when cancelling operations
|
||||
Reviewed-by: xuelei
|
||||
|
||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
|
||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
|
||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
|
||||
@@ -1,4 +1,5 @@
|
||||
-/* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
+/*
|
||||
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@@ -334,25 +335,25 @@
|
||||
}
|
||||
|
||||
private void cancelOperation() {
|
||||
+ // cancel operation by finishing it; avoid killSession as some
|
||||
+ // hardware vendors may require re-login
|
||||
+ int bufLen = doFinalLength(0);
|
||||
+ byte[] buffer = new byte[bufLen];
|
||||
+ byte[] in = dataBuffer.toByteArray();
|
||||
+ int inLen = in.length;
|
||||
try {
|
||||
- if (session.hasObjects() == false) {
|
||||
- session = token.killSession(session);
|
||||
- return;
|
||||
+ if (encrypt) {
|
||||
+ token.p11.C_Encrypt(session.id(), 0, in, 0, inLen,
|
||||
+ 0, buffer, 0, bufLen);
|
||||
} else {
|
||||
- // cancel operation by finishing it
|
||||
- int bufLen = doFinalLength(0);
|
||||
- byte[] buffer = new byte[bufLen];
|
||||
-
|
||||
- if (encrypt) {
|
||||
- token.p11.C_Encrypt(session.id(), 0, buffer, 0, bufLen,
|
||||
- 0, buffer, 0, bufLen);
|
||||
- } else {
|
||||
- token.p11.C_Decrypt(session.id(), 0, buffer, 0, bufLen,
|
||||
- 0, buffer, 0, bufLen);
|
||||
- }
|
||||
+ token.p11.C_Decrypt(session.id(), 0, in, 0, inLen,
|
||||
+ 0, buffer, 0, bufLen);
|
||||
}
|
||||
} catch (PKCS11Exception e) {
|
||||
- throw new ProviderException("Cancel failed", e);
|
||||
+ if (encrypt) {
|
||||
+ throw new ProviderException("Cancel failed", e);
|
||||
+ }
|
||||
+ // ignore failure for decryption
|
||||
}
|
||||
}
|
||||
|
||||
@@ -434,18 +435,21 @@
|
||||
if (!initialized) {
|
||||
return;
|
||||
}
|
||||
+ initialized = false;
|
||||
+
|
||||
try {
|
||||
if (session == null) {
|
||||
return;
|
||||
}
|
||||
+
|
||||
if (doCancel && token.explicitCancel) {
|
||||
cancelOperation();
|
||||
}
|
||||
} finally {
|
||||
p11Key.releaseKeyID();
|
||||
session = token.releaseSession(session);
|
||||
+ dataBuffer.reset();
|
||||
}
|
||||
- initialized = false;
|
||||
}
|
||||
|
||||
// see JCE spec
|
||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
|
||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
|
||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
|
||||
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@@ -409,10 +409,12 @@
|
||||
return;
|
||||
}
|
||||
initialized = false;
|
||||
+
|
||||
try {
|
||||
if (session == null) {
|
||||
return;
|
||||
}
|
||||
+
|
||||
if (doCancel && token.explicitCancel) {
|
||||
cancelOperation();
|
||||
}
|
||||
@@ -426,22 +428,21 @@
|
||||
|
||||
private void cancelOperation() {
|
||||
token.ensureValid();
|
||||
- if (session.hasObjects() == false) {
|
||||
- session = token.killSession(session);
|
||||
- return;
|
||||
- } else {
|
||||
- try {
|
||||
- // cancel operation by finishing it
|
||||
- int bufLen = doFinalLength(0);
|
||||
- byte[] buffer = new byte[bufLen];
|
||||
- if (encrypt) {
|
||||
- token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen);
|
||||
- } else {
|
||||
- token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen);
|
||||
- }
|
||||
- } catch (PKCS11Exception e) {
|
||||
+ // cancel operation by finishing it; avoid killSession as some
|
||||
+ // hardware vendors may require re-login
|
||||
+ try {
|
||||
+ int bufLen = doFinalLength(0);
|
||||
+ byte[] buffer = new byte[bufLen];
|
||||
+ if (encrypt) {
|
||||
+ token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen);
|
||||
+ } else {
|
||||
+ token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen);
|
||||
+ }
|
||||
+ } catch (PKCS11Exception e) {
|
||||
+ if (encrypt) {
|
||||
throw new ProviderException("Cancel failed", e);
|
||||
}
|
||||
+ // ignore failure for decryption
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
|
||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
|
||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@@ -124,10 +124,12 @@
|
||||
return;
|
||||
}
|
||||
initialized = false;
|
||||
+
|
||||
try {
|
||||
if (session == null) {
|
||||
return;
|
||||
}
|
||||
+
|
||||
if (doCancel && token.explicitCancel) {
|
||||
cancelOperation();
|
||||
}
|
||||
@@ -139,15 +141,12 @@
|
||||
|
||||
private void cancelOperation() {
|
||||
token.ensureValid();
|
||||
- if (session.hasObjects() == false) {
|
||||
- session = token.killSession(session);
|
||||
- return;
|
||||
- } else {
|
||||
- try {
|
||||
- token.p11.C_SignFinal(session.id(), 0);
|
||||
- } catch (PKCS11Exception e) {
|
||||
- throw new ProviderException("Cancel failed", e);
|
||||
- }
|
||||
+ // cancel operation by finishing it; avoid killSession as some
|
||||
+ // hardware vendors may require re-login
|
||||
+ try {
|
||||
+ token.p11.C_SignFinal(session.id(), 0);
|
||||
+ } catch (PKCS11Exception e) {
|
||||
+ throw new ProviderException("Cancel failed", e);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -209,7 +208,6 @@
|
||||
ensureInitialized();
|
||||
return token.p11.C_SignFinal(session.id(), 0);
|
||||
} catch (PKCS11Exception e) {
|
||||
- reset(true);
|
||||
throw new ProviderException("doFinal() failed", e);
|
||||
} finally {
|
||||
reset(false);
|
||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
|
||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
|
||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@@ -223,10 +223,12 @@
|
||||
return;
|
||||
}
|
||||
initialized = false;
|
||||
+
|
||||
try {
|
||||
if (session == null) {
|
||||
return;
|
||||
}
|
||||
+
|
||||
if (doCancel && token.explicitCancel) {
|
||||
cancelOperation();
|
||||
}
|
||||
@@ -242,14 +244,10 @@
|
||||
token.ensureValid();
|
||||
if (DEBUG) System.out.print("Cancelling operation");
|
||||
|
||||
- if (session.hasObjects() == false) {
|
||||
- if (DEBUG) System.out.println(" by killing session");
|
||||
- session = token.killSession(session);
|
||||
- return;
|
||||
- }
|
||||
- // "cancel" operation by finishing it
|
||||
- if (mode == M_SIGN) {
|
||||
- try {
|
||||
+ // cancel operation by finishing it; avoid killSession as some
|
||||
+ // hardware vendors may require re-login
|
||||
+ try {
|
||||
+ if (mode == M_SIGN) {
|
||||
if (type == T_UPDATE) {
|
||||
if (DEBUG) System.out.println(" by C_SignFinal");
|
||||
token.p11.C_SignFinal(session.id(), 0);
|
||||
@@ -259,11 +257,7 @@
|
||||
if (DEBUG) System.out.println(" by C_Sign");
|
||||
token.p11.C_Sign(session.id(), digest);
|
||||
}
|
||||
- } catch (PKCS11Exception e) {
|
||||
- throw new ProviderException("cancel failed", e);
|
||||
- }
|
||||
- } else { // M_VERIFY
|
||||
- try {
|
||||
+ } else { // M_VERIFY
|
||||
byte[] signature =
|
||||
new byte[(p11Key.length() + 7) >> 3];
|
||||
if (type == T_UPDATE) {
|
||||
@@ -275,10 +269,12 @@
|
||||
if (DEBUG) System.out.println(" by C_Verify");
|
||||
token.p11.C_Verify(session.id(), digest, signature);
|
||||
}
|
||||
- } catch (PKCS11Exception e) {
|
||||
- // will fail since the signature is incorrect
|
||||
- // XXX check error code
|
||||
}
|
||||
+ } catch (PKCS11Exception e) {
|
||||
+ if (mode == M_SIGN) {
|
||||
+ throw new ProviderException("cancel failed", e);
|
||||
+ }
|
||||
+ // ignore failure for verification
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java
|
||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java
|
||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@@ -247,10 +247,12 @@
|
||||
return;
|
||||
}
|
||||
initialized = false;
|
||||
+
|
||||
try {
|
||||
if (session == null) {
|
||||
return;
|
||||
}
|
||||
+
|
||||
if (doCancel && token.explicitCancel) {
|
||||
cancelOperation();
|
||||
}
|
||||
@@ -264,36 +266,33 @@
|
||||
// state variables such as "initialized"
|
||||
private void cancelOperation() {
|
||||
token.ensureValid();
|
||||
- if (session.hasObjects() == false) {
|
||||
- session = token.killSession(session);
|
||||
- return;
|
||||
- } else {
|
||||
- try {
|
||||
- PKCS11 p11 = token.p11;
|
||||
- int inLen = maxInputSize;
|
||||
- int outLen = buffer.length;
|
||||
- long sessId = session.id();
|
||||
- switch (mode) {
|
||||
- case MODE_ENCRYPT:
|
||||
- p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
||||
- break;
|
||||
- case MODE_DECRYPT:
|
||||
- p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
||||
- break;
|
||||
- case MODE_SIGN:
|
||||
- byte[] tmpBuffer = new byte[maxInputSize];
|
||||
- p11.C_Sign(sessId, tmpBuffer);
|
||||
- break;
|
||||
- case MODE_VERIFY:
|
||||
- p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer,
|
||||
- 0, outLen);
|
||||
- break;
|
||||
- default:
|
||||
- throw new ProviderException("internal error");
|
||||
- }
|
||||
- } catch (PKCS11Exception e) {
|
||||
- // XXX ensure this always works, ignore error
|
||||
+ // cancel operation by finishing it; avoid killSession as some
|
||||
+ // hardware vendors may require re-login
|
||||
+ try {
|
||||
+ PKCS11 p11 = token.p11;
|
||||
+ int inLen = maxInputSize;
|
||||
+ int outLen = buffer.length;
|
||||
+ long sessId = session.id();
|
||||
+ switch (mode) {
|
||||
+ case MODE_ENCRYPT:
|
||||
+ p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
||||
+ break;
|
||||
+ case MODE_DECRYPT:
|
||||
+ p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
||||
+ break;
|
||||
+ case MODE_SIGN:
|
||||
+ byte[] tmpBuffer = new byte[maxInputSize];
|
||||
+ p11.C_Sign(sessId, tmpBuffer);
|
||||
+ break;
|
||||
+ case MODE_VERIFY:
|
||||
+ p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer,
|
||||
+ 0, outLen);
|
||||
+ break;
|
||||
+ default:
|
||||
+ throw new ProviderException("internal error");
|
||||
}
|
||||
+ } catch (PKCS11Exception e) {
|
||||
+ // XXX ensure this always works, ignore error
|
||||
}
|
||||
}
|
||||
|
||||
@@ -362,6 +361,7 @@
|
||||
private int implDoFinal(byte[] out, int outOfs, int outLen)
|
||||
throws BadPaddingException, IllegalBlockSizeException {
|
||||
if (bufOfs > maxInputSize) {
|
||||
+ reset(true);
|
||||
throw new IllegalBlockSizeException("Data must not be longer "
|
||||
+ "than " + maxInputSize + " bytes");
|
||||
}
|
||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
|
||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
|
||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@@ -270,10 +270,12 @@
|
||||
return;
|
||||
}
|
||||
initialized = false;
|
||||
+
|
||||
try {
|
||||
if (session == null) {
|
||||
return;
|
||||
}
|
||||
+
|
||||
if (doCancel && token.explicitCancel) {
|
||||
cancelOperation();
|
||||
}
|
||||
@@ -284,59 +286,51 @@
|
||||
}
|
||||
|
||||
private void cancelOperation() {
|
||||
-
|
||||
token.ensureValid();
|
||||
- if (session.hasObjects() == false) {
|
||||
- session = token.killSession(session);
|
||||
- return;
|
||||
- } else {
|
||||
- // "cancel" operation by finishing it
|
||||
- // XXX make sure all this always works correctly
|
||||
+ // cancel operation by finishing it; avoid killSession as some
|
||||
+ // hardware vendors may require re-login
|
||||
+ try {
|
||||
if (mode == M_SIGN) {
|
||||
- try {
|
||||
- if (type == T_UPDATE) {
|
||||
- token.p11.C_SignFinal(session.id(), 0);
|
||||
- } else {
|
||||
- byte[] digest;
|
||||
- if (type == T_DIGEST) {
|
||||
- digest = md.digest();
|
||||
- } else { // T_RAW
|
||||
- digest = buffer;
|
||||
- }
|
||||
- token.p11.C_Sign(session.id(), digest);
|
||||
+ if (type == T_UPDATE) {
|
||||
+ token.p11.C_SignFinal(session.id(), 0);
|
||||
+ } else {
|
||||
+ byte[] digest;
|
||||
+ if (type == T_DIGEST) {
|
||||
+ digest = md.digest();
|
||||
+ } else { // T_RAW
|
||||
+ digest = buffer;
|
||||
}
|
||||
- } catch (PKCS11Exception e) {
|
||||
- throw new ProviderException("cancel failed", e);
|
||||
+ token.p11.C_Sign(session.id(), digest);
|
||||
}
|
||||
} else { // M_VERIFY
|
||||
byte[] signature;
|
||||
- try {
|
||||
- if (keyAlgorithm.equals("DSA")) {
|
||||
- signature = new byte[40];
|
||||
- } else {
|
||||
- signature = new byte[(p11Key.length() + 7) >> 3];
|
||||
+ if (keyAlgorithm.equals("DSA")) {
|
||||
+ signature = new byte[40];
|
||||
+ } else {
|
||||
+ signature = new byte[(p11Key.length() + 7) >> 3];
|
||||
+ }
|
||||
+ if (type == T_UPDATE) {
|
||||
+ token.p11.C_VerifyFinal(session.id(), signature);
|
||||
+ } else {
|
||||
+ byte[] digest;
|
||||
+ if (type == T_DIGEST) {
|
||||
+ digest = md.digest();
|
||||
+ } else { // T_RAW
|
||||
+ digest = buffer;
|
||||
}
|
||||
- if (type == T_UPDATE) {
|
||||
- token.p11.C_VerifyFinal(session.id(), signature);
|
||||
- } else {
|
||||
- byte[] digest;
|
||||
- if (type == T_DIGEST) {
|
||||
- digest = md.digest();
|
||||
- } else { // T_RAW
|
||||
- digest = buffer;
|
||||
- }
|
||||
- token.p11.C_Verify(session.id(), digest, signature);
|
||||
- }
|
||||
- } catch (PKCS11Exception e) {
|
||||
- long errorCode = e.getErrorCode();
|
||||
- if ((errorCode == CKR_SIGNATURE_INVALID) ||
|
||||
- (errorCode == CKR_SIGNATURE_LEN_RANGE)) {
|
||||
- // expected since signature is incorrect
|
||||
- return;
|
||||
- }
|
||||
- throw new ProviderException("cancel failed", e);
|
||||
+ token.p11.C_Verify(session.id(), digest, signature);
|
||||
}
|
||||
}
|
||||
+ } catch (PKCS11Exception e) {
|
||||
+ if (mode == M_VERIFY) {
|
||||
+ long errorCode = e.getErrorCode();
|
||||
+ if ((errorCode == CKR_SIGNATURE_INVALID) ||
|
||||
+ (errorCode == CKR_SIGNATURE_LEN_RANGE)) {
|
||||
+ // expected since signature is incorrect
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+ throw new ProviderException("cancel failed", e);
|
||||
}
|
||||
}
|
||||
|
@ -1,32 +0,0 @@
|
||||
|
||||
# HG changeset patch
|
||||
# User thartmann
|
||||
# Date 1604482955 -3600
|
||||
# Node ID 27723943c0dd65a191cbefe031cec001521e4b13
|
||||
# Parent e9d90c9daf895b469b461b727b6887e7780b4ac2
|
||||
8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)
|
||||
Summary: Added missing NULL checks.
|
||||
Reviewed-by: kvn, chagedorn
|
||||
|
||||
diff -r e9d90c9daf89 -r 27723943c0dd src/hotspot/share/opto/addnode.cpp
|
||||
--- a/src/hotspot/share/opto/addnode.cpp Mon Nov 02 20:20:05 2020 +0100
|
||||
+++ b/src/hotspot/share/opto/addnode.cpp Wed Nov 04 10:42:35 2020 +0100
|
||||
@@ -917,7 +917,7 @@
|
||||
|
||||
// Transform MIN2(x + c0, MIN2(x + c1, z)) into MIN2(x + MIN2(c0, c1), z)
|
||||
// if x == y and the additions can't overflow.
|
||||
- if (phase->eqv(x,y) &&
|
||||
+ if (phase->eqv(x,y) && tx != NULL &&
|
||||
!can_overflow(tx, x_off) &&
|
||||
!can_overflow(tx, y_off)) {
|
||||
return new MinINode(phase->transform(new AddINode(x, phase->intcon(MIN2(x_off, y_off)))), r->in(2));
|
||||
@@ -925,7 +925,7 @@
|
||||
} else {
|
||||
// Transform MIN2(x + c0, y + c1) into x + MIN2(c0, c1)
|
||||
// if x == y and the additions can't overflow.
|
||||
- if (phase->eqv(x,y) &&
|
||||
+ if (phase->eqv(x,y) && tx != NULL &&
|
||||
!can_overflow(tx, x_off) &&
|
||||
!can_overflow(tx, y_off)) {
|
||||
return new AddINode(x,phase->intcon(MIN2(x_off,y_off)));
|
||||
|
32
SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
Normal file
32
SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001
|
||||
From: Severin Gehwolf <sgehwolf@redhat.com>
|
||||
Date: Wed, 14 Jul 2021 12:06:39 +0200
|
||||
Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c
|
||||
|
||||
---
|
||||
src/hotspot/os/linux/os_linux.cpp | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp
|
||||
index e8baf704e3a..12b75b733b5 100644
|
||||
--- a/src/hotspot/os/linux/os_linux.cpp
|
||||
+++ b/src/hotspot/os/linux/os_linux.cpp
|
||||
@@ -413,8 +413,15 @@ void os::init_system_properties_values() {
|
||||
// 7: The default directories, normally /lib and /usr/lib.
|
||||
#if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390)
|
||||
#define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib"
|
||||
+#else
|
||||
+#if defined(AARCH64)
|
||||
+ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems
|
||||
+ // might not adhere to the FHS and it would be a change in behaviour if we used
|
||||
+ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths.
|
||||
+ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64"
|
||||
#else
|
||||
#define DEFAULT_LIBPATH "/lib:/usr/lib"
|
||||
+#endif // AARCH64
|
||||
#endif
|
||||
|
||||
// Base path of extensions installed on the system.
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,24 +1,52 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Arguments: <JDK TREE> <MINIMAL|FULL>
|
||||
TREE=${1}
|
||||
TYPE=${2}
|
||||
|
||||
ZIP_SRC=src/java.base/share/native/libzip/zlib/
|
||||
JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
|
||||
GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
|
||||
PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
|
||||
LCMS_SRC=src/java.desktop/share/native/liblcms/
|
||||
|
||||
cd openjdk
|
||||
if test "x${TREE}" = "x"; then
|
||||
echo "$0 <JDK_TREE> (MINIMAL|FULL)";
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
if test "x${TYPE}" = "x"; then
|
||||
TYPE=minimal;
|
||||
fi
|
||||
|
||||
if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
|
||||
echo "Type must be minimal or full";
|
||||
exit 2;
|
||||
fi
|
||||
|
||||
echo "Removing in-tree libraries from ${TREE}"
|
||||
echo "Cleansing operation: ${TYPE}";
|
||||
|
||||
cd ${TREE}
|
||||
|
||||
echo "Removing built-in libs (they will be linked)"
|
||||
|
||||
# On full runs, allow for zlib having already been deleted by minimal
|
||||
echo "Removing zlib"
|
||||
if [ ! -d ${ZIP_SRC} ]; then
|
||||
if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
|
||||
echo "${ZIP_SRC} does not exist. Refusing to proceed."
|
||||
exit 1
|
||||
fi
|
||||
rm -rvf ${ZIP_SRC}
|
||||
|
||||
# Minimal is limited to just zlib so finish here
|
||||
if test "x${TYPE}" = "xminimal"; then
|
||||
echo "Finished.";
|
||||
exit 0;
|
||||
fi
|
||||
|
||||
echo "Removing libjpeg"
|
||||
if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that sound definitely exist
|
||||
if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
|
||||
echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
|
||||
exit 1
|
||||
fi
|
||||
|
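Review bot: Both `cd openjdk` and `cd ${TREE}` run unchecked before the recursive `rm -rvf ${ZIP_SRC}` that the reworked zlib block executes, so if either directory is missing the script keeps going and the delete runs relative to whatever directory it happens to be in; the rendered page does not show whether those `cd` lines are context or new, but the hunk is the right place to harden them with `cd openjdk || exit 1` and `cd "${TREE}" || exit 1`. The new condition `[ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]` uses the `-a` test operator, which POSIX marks obsolescent for a `#!/bin/sh` script; `[ "x${TYPE}" = "xminimal" ] && [ ! -d "${ZIP_SRC}" ]` is the portable form. The corrected comment ("should definitely exist") is fine, but the two identical `if [ ! -f ${JPEG_SRC}/jdhuff.c ]` lines printed here presumably are the old and new versions of one line rather than a duplicated check.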
@ -1,12 +1,13 @@
|
||||
diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk
|
||||
--- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100
|
||||
+++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100
|
||||
@@ -41,6 +41,15 @@
|
||||
@@ -41,6 +41,16 @@
|
||||
OPTIMIZATION := HIGH, \
|
||||
))
|
||||
|
||||
+#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
|
||||
+$(eval $(call SetupBuildLauncher, alt-java, \
|
||||
+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \
|
||||
+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
|
||||
+ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \
|
||||
+ LIBS_windows := user32.lib comctl32.lib, \
|
||||
+ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \
|
||||
@ -98,12 +99,16 @@ diff -r 25e94aa812b2 src/share/bin/alt_main.h
|
||||
diff -r 25e94aa812b2 src/share/bin/main.c
|
||||
--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300
|
||||
+++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100
|
||||
@@ -34,6 +34,10 @@
|
||||
@@ -34,6 +34,14 @@
|
||||
#include "jli_util.h"
|
||||
#include "jni.h"
|
||||
|
||||
+#if defined(linux) && defined(__x86_64)
|
||||
+#ifdef REDHAT_ALT_JAVA
|
||||
+#if defined(__linux__) && defined(__x86_64__)
|
||||
+#include "alt_main.h"
|
||||
+#else
|
||||
+#warning alt-java requested but SSB mitigation not available on this platform.
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
#ifdef _MSC_VER
|
||||
|
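Review bot: The `#warning alt-java requested but SSB mitigation not available on this platform.` branch is the only signal that on non-x86_64 builds the `alt-java` launcher is produced without the SSB mitigation and behaves like the plain `java` launcher, and the `-Wno-error=cpp` added in the Launcher-java.base.gmk hunk above exists precisely so that this diagnostic does not fail the build, which means it will only ever be seen in a build log. A short comment at that `#else` would make the behaviour visible to whoever next reads main.c, e.g. `/* REDHAT_ALT_JAVA without __linux__/__x86_64__: alt_main.h is not included, so this launcher is functionally the regular java launcher */`. Switching the guard from `defined(linux) && defined(__x86_64)` to `defined(__linux__) && defined(__x86_64__)` is correct since the unprefixed `linux` macro is not defined under strict ISO C modes. The enclosing preprocessor block continues outside the hunk.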
@ -1,12 +1,12 @@
|
||||
diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
|
||||
--- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java
|
||||
+++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
|
||||
@@ -1122,7 +1122,7 @@
|
||||
@@ -1135,7 +1135,7 @@
|
||||
}
|
||||
} else if (command == GENKEYPAIR) {
|
||||
if (keyAlgName == null) {
|
||||
- keyAlgName = "DSA";
|
||||
+ keyAlgName = "RSA";
|
||||
}
|
||||
doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName);
|
||||
doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName);
|
||||
kssave = true;
|
||||
|
@ -1,12 +0,0 @@
|
||||
diff -r eba0f976c468 -r 1fceafb49be5 src/java.base/share/classes/module-info.java
|
||||
--- openjdk/src/java.base/share/classes/module-info.java Thu Jul 30 15:05:22 2020 +0200
|
||||
+++ openjdk/src/java.base/share/classes/module-info.java Thu Aug 13 15:17:59 2020 +0200
|
||||
@@ -132,6 +132,8 @@
|
||||
// additional qualified exports may be inserted at build time
|
||||
// see make/gensrc/GenModuleInfo.gmk
|
||||
|
||||
+ exports com.sun.crypto.provider to
|
||||
+ jdk.crypto.cryptoki;
|
||||
exports com.sun.security.ntlm to
|
||||
java.security.sasl;
|
||||
exports jdk.internal to
|
@ -1,21 +0,0 @@
|
||||
diff -r e10f558e1df5 openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
|
||||
--- openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 16:12:32 2020 +0100
|
||||
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 15:17:50 2020 -0300
|
||||
@@ -628,7 +628,7 @@
|
||||
throw (ShortBufferException)
|
||||
(new ShortBufferException().initCause(e));
|
||||
}
|
||||
- reset(false);
|
||||
+ reset(true);
|
||||
throw new ProviderException("update() failed", e);
|
||||
}
|
||||
}
|
||||
@@ -746,7 +746,7 @@
|
||||
throw (ShortBufferException)
|
||||
(new ShortBufferException().initCause(e));
|
||||
}
|
||||
- reset(false);
|
||||
+ reset(true);
|
||||
throw new ProviderException("update() failed", e);
|
||||
}
|
||||
}
|
@ -1,60 +0,0 @@
|
||||
# HG changeset patch
|
||||
# User Zdenek Zambersky <zzambers@redhat.com>
|
||||
# Date 1601403587 -7200
|
||||
# Tue Sep 29 20:19:47 2020 +0200
|
||||
# Node ID f77ac813eee61b2e9616b2d71a2c5372d0cbd158
|
||||
# Parent d484fdfcc7d5c21812de8a0712236d077b0f2dde
|
||||
Fixed default policy for jdk.crypto.cryptoki
|
||||
|
||||
diff -r d484fdfcc7d5 -r f77ac813eee6 src/java.base/share/lib/security/default.policy
|
||||
--- openjdk.orig/src/java.base/share/lib/security/default.policy Wed Sep 02 07:36:15 2020 +0200
|
||||
+++ openjdk/src/java.base/share/lib/security/default.policy Tue Sep 29 20:19:47 2020 +0200
|
||||
@@ -124,6 +124,8 @@
|
||||
grant codeBase "jrt:/jdk.crypto.cryptoki" {
|
||||
permission java.lang.RuntimePermission
|
||||
"accessClassInPackage.sun.security.*";
|
||||
+ permission java.lang.RuntimePermission
|
||||
+ "accessClassInPackage.com.sun.crypto.provider";
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
|
||||
permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
|
||||
permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read";
|
||||
# HG changeset patch
|
||||
# User Zdenek Zambersky <zzambers@redhat.com>
|
||||
# Date 1601419086 -7200
|
||||
# Wed Sep 30 00:38:06 2020 +0200
|
||||
# Node ID 02c8b154f728be3dd06239a98519d654e2127186
|
||||
# Parent f77ac813eee61b2e9616b2d71a2c5372d0cbd158
|
||||
P11Util: Create provider in priviledged block
|
||||
|
||||
diff -r f77ac813eee6 -r 02c8b154f728 src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
|
||||
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java Tue Sep 29 20:19:47 2020 +0200
|
||||
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java Wed Sep 30 00:38:06 2020 +0200
|
||||
@@ -87,14 +87,20 @@
|
||||
}
|
||||
p = Security.getProvider(providerName);
|
||||
if (p == null) {
|
||||
- try {
|
||||
- @SuppressWarnings("deprecation")
|
||||
- Object o = Class.forName(className).newInstance();
|
||||
- p = (Provider)o;
|
||||
- } catch (Exception e) {
|
||||
- throw new ProviderException
|
||||
- ("Could not find provider " + providerName, e);
|
||||
- }
|
||||
+ p = AccessController.doPrivileged(
|
||||
+ new PrivilegedAction<Provider>() {
|
||||
+ public Provider run() {
|
||||
+ try {
|
||||
+ @SuppressWarnings("deprecation")
|
||||
+ Object o = Class.forName(className).newInstance();
|
||||
+ return (Provider) o;
|
||||
+ } catch (Exception e) {
|
||||
+ throw new ProviderException
|
||||
+ ("Could not find provider " + providerName, e);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ );
|
||||
}
|
||||
return p;
|
||||
}
|
@ -0,0 +1,68 @@
|
||||
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
|
||||
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
|
||||
+++ openjdk/src/java.base/share/classes/java/security/Security.java
|
||||
@@ -32,6 +32,7 @@
|
||||
|
||||
import jdk.internal.event.EventHelper;
|
||||
import jdk.internal.event.SecurityPropertyModificationEvent;
|
||||
+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
|
||||
import jdk.internal.misc.SharedSecrets;
|
||||
import jdk.internal.util.StaticProperty;
|
||||
import sun.security.util.Debug;
|
||||
@@ -74,6 +75,15 @@
|
||||
}
|
||||
|
||||
static {
|
||||
+ // Initialise here as used by code with system properties disabled
|
||||
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
|
||||
+ new JavaSecuritySystemConfiguratorAccess() {
|
||||
+ @Override
|
||||
+ public boolean isSystemFipsEnabled() {
|
||||
+ return SystemConfigurator.isSystemFipsEnabled();
|
||||
+ }
|
||||
+ });
|
||||
+
|
||||
// doPrivileged here because there are multiple
|
||||
// things in initialize that might require privs.
|
||||
// (the FileInputStream call and the File.exists call,
|
||||
@@ -193,9 +203,8 @@
|
||||
}
|
||||
|
||||
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
|
||||
- if (disableSystemProps == null &&
|
||||
- "true".equalsIgnoreCase(props.getProperty
|
||||
- ("security.useSystemPropertiesFile"))) {
|
||||
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
|
||||
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
|
||||
if (SystemConfigurator.configure(props)) {
|
||||
loadedProps = true;
|
||||
}
|
||||
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
@@ -38,8 +38,6 @@
|
||||
import java.util.Properties;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
-import jdk.internal.misc.SharedSecrets;
|
||||
-import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
|
||||
import sun.security.util.Debug;
|
||||
|
||||
/**
|
||||
@@ -65,16 +63,6 @@
|
||||
|
||||
private static boolean systemFipsEnabled = false;
|
||||
|
||||
- static {
|
||||
- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
|
||||
- new JavaSecuritySystemConfiguratorAccess() {
|
||||
- @Override
|
||||
- public boolean isSystemFipsEnabled() {
|
||||
- return SystemConfigurator.isSystemFipsEnabled();
|
||||
- }
|
||||
- });
|
||||
- }
|
||||
-
|
||||
/*
|
||||
* Invoked when java.security.Security class is initialized, if
|
||||
* java.security.disableSystemPropertiesFile property is not set and
|
430
SOURCES/rh1929465-improve_system_FIPS_detection.patch
Normal file
430
SOURCES/rh1929465-improve_system_FIPS_detection.patch
Normal file
@ -0,0 +1,430 @@
|
||||
diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
|
||||
--- openjdk.orig/make/autoconf/libraries.m4
|
||||
+++ openjdk/make/autoconf/libraries.m4
|
||||
@@ -101,6 +101,7 @@
|
||||
LIB_SETUP_LIBFFI
|
||||
LIB_SETUP_BUNDLED_LIBS
|
||||
LIB_SETUP_MISC_LIBS
|
||||
+ LIB_SETUP_SYSCONF_LIBS
|
||||
LIB_SETUP_SOLARIS_STLPORT
|
||||
LIB_TESTS_SETUP_GRAALUNIT
|
||||
|
||||
@@ -223,3 +224,62 @@
|
||||
fi
|
||||
])
|
||||
|
||||
+################################################################################
|
||||
+# Setup system configuration libraries
|
||||
+################################################################################
|
||||
+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
|
||||
+[
|
||||
+ ###############################################################################
|
||||
+ #
|
||||
+ # Check for the NSS library
|
||||
+ #
|
||||
+
|
||||
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
|
||||
+
|
||||
+ # default is not available
|
||||
+ DEFAULT_SYSCONF_NSS=no
|
||||
+
|
||||
+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
|
||||
+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
|
||||
+ [
|
||||
+ case "${enableval}" in
|
||||
+ yes)
|
||||
+ sysconf_nss=yes
|
||||
+ ;;
|
||||
+ *)
|
||||
+ sysconf_nss=no
|
||||
+ ;;
|
||||
+ esac
|
||||
+ ],
|
||||
+ [
|
||||
+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
|
||||
+ ])
|
||||
+ AC_MSG_RESULT([$sysconf_nss])
|
||||
+
|
||||
+ USE_SYSCONF_NSS=false
|
||||
+ if test "x${sysconf_nss}" = "xyes"; then
|
||||
+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
|
||||
+ if test "x${NSS_FOUND}" = "xyes"; then
|
||||
+ AC_MSG_CHECKING([for system FIPS support in NSS])
|
||||
+ saved_libs="${LIBS}"
|
||||
+ saved_cflags="${CFLAGS}"
|
||||
+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
|
||||
+ LIBS="${LIBS} ${NSS_LIBS}"
|
||||
+ AC_LANG_PUSH([C])
|
||||
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
|
||||
+ [[SECMOD_GetSystemFIPSEnabled()]])],
|
||||
+ [AC_MSG_RESULT([yes])],
|
||||
+ [AC_MSG_RESULT([no])
|
||||
+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
|
||||
+ AC_LANG_POP([C])
|
||||
+ CFLAGS="${saved_cflags}"
|
||||
+ LIBS="${saved_libs}"
|
||||
+ USE_SYSCONF_NSS=true
|
||||
+ else
|
||||
+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
|
||||
+ dnl in nss3/pk11pub.h.
|
||||
+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
|
||||
+ fi
|
||||
+ fi
|
||||
+ AC_SUBST(USE_SYSCONF_NSS)
|
||||
+])
|
||||
diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
|
||||
--- openjdk.orig/make/autoconf/spec.gmk.in
|
||||
+++ openjdk/make/autoconf/spec.gmk.in
|
||||
@@ -828,6 +828,10 @@
|
||||
# Libraries
|
||||
#
|
||||
|
||||
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
|
||||
+NSS_LIBS:=@NSS_LIBS@
|
||||
+NSS_CFLAGS:=@NSS_CFLAGS@
|
||||
+
|
||||
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
|
||||
LCMS_CFLAGS:=@LCMS_CFLAGS@
|
||||
LCMS_LIBS:=@LCMS_LIBS@
|
||||
diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk
|
||||
--- openjdk.orig/make/lib/Lib-java.base.gmk
|
||||
+++ openjdk/make/lib/Lib-java.base.gmk
|
||||
@@ -179,6 +179,31 @@
|
||||
endif
|
||||
|
||||
################################################################################
|
||||
+# Create the systemconf library
|
||||
+
|
||||
+LIBSYSTEMCONF_CFLAGS :=
|
||||
+LIBSYSTEMCONF_CXXFLAGS :=
|
||||
+
|
||||
+ifeq ($(USE_SYSCONF_NSS), true)
|
||||
+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
|
||||
+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
|
||||
+endif
|
||||
+
|
||||
+ifeq ($(OPENJDK_BUILD_OS), linux)
|
||||
+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
|
||||
+ NAME := systemconf, \
|
||||
+ OPTIMIZATION := LOW, \
|
||||
+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
|
||||
+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
|
||||
+ LDFLAGS := $(LDFLAGS_JDKLIB) \
|
||||
+ $(call SET_SHARED_LIBRARY_ORIGIN), \
|
||||
+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
|
||||
+ ))
|
||||
+
|
||||
+ TARGETS += $(BUILD_LIBSYSTEMCONF)
|
||||
+endif
|
||||
+
|
||||
+################################################################################
|
||||
# Create the symbols file for static builds.
|
||||
|
||||
ifeq ($(STATIC_BUILD), true)
|
||||
diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml
|
||||
--- openjdk.orig/make/nb_native/nbproject/configurations.xml
|
||||
+++ openjdk/make/nb_native/nbproject/configurations.xml
|
||||
@@ -2950,6 +2950,9 @@
|
||||
<in>LinuxWatchService.c</in>
|
||||
</df>
|
||||
</df>
|
||||
+ <df name="libsystemconf">
|
||||
+ <in>systemconf.c</in>
|
||||
+ </df>
|
||||
</df>
|
||||
</df>
|
||||
<df name="macosx">
|
||||
@@ -29301,6 +29304,11 @@
|
||||
tool="0"
|
||||
flavor2="0">
|
||||
</item>
|
||||
+ <item path="../../src/java.base/linux/native/libsystemconf/systemconf.c"
|
||||
+ ex="false"
|
||||
+ tool="0"
|
||||
+ flavor2="0">
|
||||
+ </item>
|
||||
<item path="../../src/java.base/macosx/native/include/jni_md.h"
|
||||
ex="false"
|
||||
tool="3"
|
||||
diff --git openjdk.orig/make/scripts/compare_exceptions.sh.incl openjdk/make/scripts/compare_exceptions.sh.incl
|
||||
--- openjdk.orig/make/scripts/compare_exceptions.sh.incl
|
||||
+++ openjdk/make/scripts/compare_exceptions.sh.incl
|
||||
@@ -179,6 +179,7 @@
|
||||
./lib/libsplashscreen.so
|
||||
./lib/libsunec.so
|
||||
./lib/libsunwjdga.so
|
||||
+ ./lib/libsystemconf.so
|
||||
./lib/libunpack.so
|
||||
./lib/libverify.so
|
||||
./lib/libzip.so
|
||||
@@ -289,6 +290,7 @@
|
||||
./lib/libsplashscreen.so
|
||||
./lib/libsunec.so
|
||||
./lib/libsunwjdga.so
|
||||
+ ./lib/libsystemconf.so
|
||||
./lib/libunpack.so
|
||||
./lib/libverify.so
|
||||
./lib/libzip.so
|
||||
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||
@@ -0,0 +1,168 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2021, Red Hat, Inc.
|
||||
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
+ *
|
||||
+ * This code is free software; you can redistribute it and/or modify it
|
||||
+ * under the terms of the GNU General Public License version 2 only, as
|
||||
+ * published by the Free Software Foundation. Oracle designates this
|
||||
+ * particular file as subject to the "Classpath" exception as provided
|
||||
+ * by Oracle in the LICENSE file that accompanied this code.
|
||||
+ *
|
||||
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
+ * version 2 for more details (a copy is included in the LICENSE file that
|
||||
+ * accompanied this code).
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License version
|
||||
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
||||
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
+ *
|
||||
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
+ * or visit www.oracle.com if you need additional information or have any
|
||||
+ * questions.
|
||||
+ */
|
||||
+
|
||||
+#include <dlfcn.h>
|
||||
+#include <jni.h>
|
||||
+#include <jni_util.h>
|
||||
+#include <stdio.h>
|
||||
+
|
||||
+#ifdef SYSCONF_NSS
|
||||
+#include <nss3/pk11pub.h>
|
||||
+#endif //SYSCONF_NSS
|
||||
+
|
||||
+#include "java_security_SystemConfigurator.h"
|
||||
+
|
||||
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
|
||||
+#define MSG_MAX_SIZE 96
|
||||
+
|
||||
+static jmethodID debugPrintlnMethodID = NULL;
|
||||
+static jobject debugObj = NULL;
|
||||
+
|
||||
+static void throwIOException(JNIEnv *env, const char *msg);
|
||||
+static void dbgPrint(JNIEnv *env, const char* msg);
|
||||
+
|
||||
+/*
|
||||
+ * Class: java_security_SystemConfigurator
|
||||
+ * Method: JNI_OnLoad
|
||||
+ */
|
||||
+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
|
||||
+{
|
||||
+ JNIEnv *env;
|
||||
+ jclass sysConfCls, debugCls;
|
||||
+ jfieldID sdebugFld;
|
||||
+
|
||||
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
|
||||
+ return JNI_EVERSION; /* JNI version not supported */
|
||||
+ }
|
||||
+
|
||||
+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
|
||||
+ if (sysConfCls == NULL) {
|
||||
+ printf("libsystemconf: SystemConfigurator class not found\n");
|
||||
+ return JNI_ERR;
|
||||
+ }
|
||||
+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
|
||||
+ "sdebug", "Lsun/security/util/Debug;");
|
||||
+ if (sdebugFld == NULL) {
|
||||
+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
|
||||
+ return JNI_ERR;
|
||||
+ }
|
||||
+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
|
||||
+ if (debugObj != NULL) {
|
||||
+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
|
||||
+ if (debugCls == NULL) {
|
||||
+ printf("libsystemconf: Debug class not found\n");
|
||||
+ return JNI_ERR;
|
||||
+ }
|
||||
+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
|
||||
+ "println", "(Ljava/lang/String;)V");
|
||||
+ if (debugPrintlnMethodID == NULL) {
|
||||
+ printf("libsystemconf: Debug::println(String) method not found\n");
|
||||
+ return JNI_ERR;
|
||||
+ }
|
||||
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
|
||||
+ }
|
||||
+
|
||||
+ return (*env)->GetVersion(env);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Class: java_security_SystemConfigurator
|
||||
+ * Method: JNI_OnUnload
|
||||
+ */
|
||||
+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
|
||||
+{
|
||||
+ JNIEnv *env;
|
||||
+
|
||||
+ if (debugObj != NULL) {
|
||||
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
|
||||
+ return; /* Should not happen */
|
||||
+ }
|
||||
+ (*env)->DeleteGlobalRef(env, debugObj);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
|
||||
+ (JNIEnv *env, jclass cls)
|
||||
+{
|
||||
+ int fips_enabled;
|
||||
+ char msg[MSG_MAX_SIZE];
|
||||
+ int msg_bytes;
|
||||
+
|
||||
+#ifdef SYSCONF_NSS
|
||||
+
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
|
||||
+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
|
||||
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
|
||||
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
|
||||
+ dbgPrint(env, msg);
|
||||
+ } else {
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
|
||||
+ " SECMOD_GetSystemFIPSEnabled return value");
|
||||
+ }
|
||||
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
|
||||
+
|
||||
+#else // SYSCONF_NSS
|
||||
+
|
||||
+ FILE *fe;
|
||||
+
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
|
||||
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
|
||||
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
|
||||
+ }
|
||||
+ fips_enabled = fgetc(fe);
|
||||
+ fclose(fe);
|
||||
+ if (fips_enabled == EOF) {
|
||||
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
|
||||
+ }
|
||||
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||
+ " read character is '%c'", fips_enabled);
|
||||
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
|
||||
+ dbgPrint(env, msg);
|
||||
+ } else {
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
|
||||
+ " read character");
|
||||
+ }
|
||||
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
|
||||
+
|
||||
+#endif // SYSCONF_NSS
|
||||
+}
|
||||
+
|
||||
+static void throwIOException(JNIEnv *env, const char *msg)
|
||||
+{
|
||||
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
|
||||
+ if (cls != 0)
|
||||
+ (*env)->ThrowNew(env, cls, msg);
|
||||
+}
|
||||
+
|
||||
+static void dbgPrint(JNIEnv *env, const char* msg)
|
||||
+{
|
||||
+ jstring jMsg;
|
||||
+ if (debugObj != NULL) {
|
||||
+ jMsg = (*env)->NewStringUTF(env, msg);
|
||||
+ CHECK_NULL(jMsg);
|
||||
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
|
||||
+ }
|
||||
+}
|
||||
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2019, 2020, Red Hat, Inc.
|
||||
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
|
||||
*
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
@@ -30,13 +30,9 @@
|
||||
import java.io.FileInputStream;
|
||||
import java.io.IOException;
|
||||
|
||||
-import java.nio.file.Files;
|
||||
-import java.nio.file.Path;
|
||||
-
|
||||
import java.util.Iterator;
|
||||
import java.util.Map.Entry;
|
||||
import java.util.Properties;
|
||||
-import java.util.regex.Pattern;
|
||||
|
||||
import sun.security.util.Debug;
|
||||
|
||||
@@ -58,10 +54,21 @@
|
||||
private static final String CRYPTO_POLICIES_JAVA_CONFIG =
|
||||
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
|
||||
|
||||
- private static final String CRYPTO_POLICIES_CONFIG =
|
||||
- CRYPTO_POLICIES_BASE_DIR + "/config";
|
||||
+ private static boolean systemFipsEnabled = false;
|
||||
+
|
||||
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
|
||||
+
|
||||
+ private static native boolean getSystemFIPSEnabled()
|
||||
+ throws IOException;
|
||||
|
||||
- private static boolean systemFipsEnabled = false;
|
||||
+ static {
|
||||
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
|
||||
+ public Void run() {
|
||||
+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
|
||||
+ return null;
|
||||
+ }
|
||||
+ });
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Invoked when java.security.Security class is initialized, if
|
||||
@@ -170,16 +177,34 @@
|
||||
}
|
||||
|
||||
/*
|
||||
- * FIPS is enabled only if crypto-policies are set to "FIPS"
|
||||
- * and the com.redhat.fips property is true.
|
||||
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
|
||||
+ * system property is true (default) and the system is in FIPS mode.
|
||||
+ *
|
||||
+ * There are 2 possible ways in which OpenJDK detects that the system
|
||||
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
|
||||
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
|
||||
+ * /proc/sys/crypto/fips_enabled file is read.
|
||||
*/
|
||||
private static boolean enableFips() throws Exception {
|
||||
boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
|
||||
if (shouldEnable) {
|
||||
- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
|
||||
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
|
||||
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
|
||||
- return pattern.matcher(cryptoPoliciesConfig).find();
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
|
||||
+ }
|
||||
+ try {
|
||||
+ shouldEnable = getSystemFIPSEnabled();
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
|
||||
+ + shouldEnable);
|
||||
+ }
|
||||
+ return shouldEnable;
|
||||
+ } catch (IOException e) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
|
||||
+ sdebug.println(e.getMessage());
|
||||
+ }
|
||||
+ throw e;
|
||||
+ }
|
||||
} else {
|
||||
return false;
|
||||
}
|
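Review bot: In the `/proc/sys/crypto/fips_enabled` fallback of `Java_java_security_SystemConfigurator_getSystemFIPSEnabled`, `throwIOException` only queues the exception and returns, so when `fopen` fails the code goes on to call `fgetc(fe)` with a NULL `FILE*` and crashes the JVM on any system lacking that proc entry, instead of surfacing the IOException that `enableFips()` on the Java side is written to handle; after the `EOF` check it likewise continues into `dbgPrint`, which issues JNI calls with an exception pending. Each `throwIOException(...)` in that path needs an immediate `return JNI_FALSE;` after it. Separately, `System.loadLibrary(SYSTEMCONF_NATIVE_LIB)` in SystemConfigurator's static block turns a missing libsystemconf.so into an `ExceptionInInitializerError` during `Security` initialisation; either catch `UnsatisfiedLinkError` there or add a comment recording that the library is mandatory on Linux, e.g. `// libsystemconf is required: failure here aborts java.security.Security initialisation`.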
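--- /dev/null
+++ b/SOURCES/rh1996182-extend_security_policy.patch
@@ -0,0 +1,18 @@
+commit 598fe421216b0a437fa36ee91a29966599867aa3
+Author: Andrew Hughes <gnu.andrew@redhat.com>
+Date: Mon Aug 30 16:12:52 2021 +0100
+
+RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
+
+diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
+index ab59a334cd..5db744ff17 100644
+--- openjdk.orig/src/java.base/share/lib/security/default.policy
++++ openjdk/src/java.base/share/lib/security/default.policy
+@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+grant codeBase "jrt:/jdk.crypto.cryptoki" {
+permission java.lang.RuntimePermission
+"accessClassInPackage.com.sun.crypto.provider";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+permission java.lang.RuntimePermission
+"accessClassInPackage.sun.security.*";
+permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";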
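Review bot: The added grant lets `jdk.crypto.cryptoki` reach every class in `jdk.internal.misc`, since `accessClassInPackage` is package-granular, and nothing in the policy file records which class actually needs it, so the widening will be hard to revisit later. A comment on the added line would keep it reviewable, e.g. `// RH1996182: SunPKCS11 reads SharedSecrets to learn the system FIPS state`.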
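--- /dev/null
+++ b/SOURCES/rh1996182-login_to_nss_software_token.patch
@@ -0,0 +1,66 @@
+commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
+Author: Martin Balao <mbalao@redhat.com>
+Date: Fri Aug 27 19:42:07 2021 +0100
+
+RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
+index 0cf61732d7..2cd851587c 100644
+--- openjdk.orig/src/java.base/share/classes/module-info.java
++++ openjdk/src/java.base/share/classes/module-info.java
+@@ -182,6 +182,7 @@ module java.base {
+java.security.jgss,
+java.sql,
+java.xml,
++ jdk.crypto.cryptoki,
+jdk.jartool,
+jdk.attach,
+jdk.charsets,
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index b00b738b85..1eca1f8f0a 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.TextOutputCallback;
+
++import jdk.internal.misc.SharedSecrets;
++
+import sun.security.util.Debug;
+import sun.security.util.ResourcesMgr;
+import static sun.security.util.SecurityConstants.PROVIDER_VER;
+@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+*/
+public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+private static final long serialVersionUID = -1354835039035306505L;
+
+static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
+if (nssModule != null) {
+nssModule.setProvider(this);
+}
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+} catch (Exception e) {
+if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+throw new UnsupportedOperationException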
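Review bot: The new `systemFipsEnabled` field calls `.isSystemFipsEnabled()` on whatever `SharedSecrets.getJavaSecuritySystemConfiguratorAccess()` returns at class-initialisation time; if that accessor has not been installed yet (the companion patch on this page installs it in `java.security.Security`'s static initialiser) the provider class fails to initialise with a NullPointerException wrapped in an ExceptionInInitializerError. A comment stating the ordering dependency would make the assumption explicit, e.g. `// Installed by Security.<clinit>; SunPKCS11 is only ever loaded after Security is initialised.`. In the login block a `PKCS11Exception` is rethrown into the enclosing `catch (Exception e)` and handled per `handleStartupErrors`; since PKCS#11 reports a repeated `C_Login` on an already logged-in token as an error, a second SunPKCS11 instance on the same NSS token in FIPS mode would presumably fail startup here, which deserves a test or a comment. The enclosing constructor starts and ends outside the hunk.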
@ -1,12 +0,0 @@
|
||||
diff --git openjdk.orig/jdk/src/hotspot/share/runtime/os.cpp openjdk/jdk/src/hotspot/share/runtime/os.cpp
|
||||
--- openjdk.orig/src/hotspot/share/runtime/os.cpp
|
||||
+++ openjdk/src/hotspot/share/runtime/os.cpp
|
||||
@@ -1368,7 +1368,7 @@
|
||||
}
|
||||
|
||||
void os::set_memory_serialize_page(address page) {
|
||||
- int count = log2_intptr(sizeof(class JavaThread)) - log2_int(64);
|
||||
+ int count = log2_intptr((uintptr_t) sizeof(class JavaThread)) - log2_int(64);
|
||||
_mem_serialize_page = (volatile int32_t *)page;
|
||||
// We initialize the serialization page shift count here
|
||||
// We assume a cache line size of 64 bytes
|