c96e1e74e2
Update RH1655466 FIPS patch with changes in OpenJDK 8 version. SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. Disable FIPS mode support unless com.redhat.fips is set to "true". Use appropriate keystore types when in FIPS mode (RH1818909) Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) Resolves: rhbz#1830090
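--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
@@ -32,6 +32,7 @@
 
 import jdk.internal.event.EventHelper;
 import jdk.internal.event.SecurityPropertyModificationEvent;
+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
 import jdk.internal.misc.SharedSecrets;
 import jdk.internal.util.StaticProperty;
 import sun.security.util.Debug;
@@ -74,6 +75,15 @@
 }
 
 static {
+ // Initialise here as used by code with system properties disabled
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
+
 // doPrivileged here because there are multiple
 // things in initialize that might require privs.
 // (the FileInputStream call and the File.exists call,
@@ -193,9 +203,8 @@
 }
 
 String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if (disableSystemProps == null &&
- "true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
 if (SystemConfigurator.configure(props)) {
 loadedProps = true;
 }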
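Review bot: The rewritten condition in the last hunk still treats every value of `java.security.disableSystemPropertiesFile` other than "false" as a request to skip `SystemConfigurator.configure(props)`, so an empty or mistyped value switches the system configuration off with nothing recorded. Going by the commit message, that call is what applies the system crypto policy and the FIPS alignment, so a silent skip deserves to be visible to whoever audits the deployment. I would keep the semantics but trace the case where the property is set and is not "false", e.g. `if (sdebug != null) sdebug.println("system properties file disabled by java.security.disableSystemPropertiesFile=" + disableSystemProps);` (assuming the class's `sdebug` logger is in scope at this point), and put `// any value other than "false" disables the system properties file` above the test. The enclosing method begins and ends outside the hunk.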
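--- a/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -38,8 +38,6 @@
 import java.util.Properties;
 import java.util.regex.Pattern;
 
-import jdk.internal.misc.SharedSecrets;
-import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
 import sun.security.util.Debug;
 
 /**
@@ -65,16 +63,6 @@
 
 private static boolean systemFipsEnabled = false;
 
- static {
- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
- new JavaSecuritySystemConfiguratorAccess() {
- @Override
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
- });
- }
-
 /*
 * Invoked when java.security.Security class is initialized, if
 * java.security.disableSystemPropertiesFile property is not set and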