rpms/java-17-openjdk
7
0
Fork 0
Code Issues Pull Requests Releases Activity
75be5786f3
java-17-openjdk/TestSecurityProperties.java

85 lines
3.5 KiB
Java
Raw Normal View History

Update to jdk-17.0.4.1+1 Update release notes to 17.0.4.1+1 Add patch to provide translations for Europe/Kyiv added in tzdata2022b Add test to ensure timezones can be translated Related: RHEL-45216
2022-08-21 11:10:43 +00:00
/* TestSecurityProperties -- Ensure system security properties can be used to
enable the crypto policies.
Copyright (C) 2022 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
Import java-17-openjdk - Update to jdk-17+35, also known as jdk-17-ga. - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. - Update buildjdkver to 17 so as to build with itself - Add possibility to disable system crypto policy - Add PR3695 to allow the system crypto policy to be turned off - Re-enable TestSecurityProperties after inclusion of PR3695 - Added gating.yaml - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. - Update to jdk-17+33, including JDWP fix and July 2021 CPU - Support the FIPS mode crypto policy (RH1655466) - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. - Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. - No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. - Disable FIPS mode support unless com.redhat.fips is set to "true". - Use appropriate keystore types when in FIPS mode (RH1818909) - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to login to the NSS software token when in FIPS mode. - Fix unused function compiler warning found in systemconf.c - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Add JDK-8272332 fix so we actually link against HarfBuzz. - Update release notes to document the major changes between OpenJDK 11 & 17. - Add FIPS patch to allow plain key import. - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false - Patch syslookup.c so it actually has some code to be compiled into libsyslookup - alternatives creation moved to posttrans - Set LTS designator on RHEL, but not Fedora or EPEL. Related: RHEL-45216
2020-12-10 15:04:50 +00:00
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
import java.util.Properties;
public class TestSecurityProperties {
// JDK 11
private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository * Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch * RH2023467: Enable FIPS keys export * RH2094027: SunEC runtime permission for FIPS - Update FIPS support to bring in latest changes * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Improve security properties test to check both enabled and disabled behaviour - Run security properties test with property debugging on - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them Related: RHEL-45216
2022-06-14 19:19:46 +00:00
private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
private static final String MSG_PREFIX = "DEBUG: ";
Import java-17-openjdk - Update to jdk-17+35, also known as jdk-17-ga. - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. - Update buildjdkver to 17 so as to build with itself - Add possibility to disable system crypto policy - Add PR3695 to allow the system crypto policy to be turned off - Re-enable TestSecurityProperties after inclusion of PR3695 - Added gating.yaml - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. - Update to jdk-17+33, including JDWP fix and July 2021 CPU - Support the FIPS mode crypto policy (RH1655466) - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. - Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. - No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. - Disable FIPS mode support unless com.redhat.fips is set to "true". - Use appropriate keystore types when in FIPS mode (RH1818909) - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to login to the NSS software token when in FIPS mode. - Fix unused function compiler warning found in systemconf.c - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Add JDK-8272332 fix so we actually link against HarfBuzz. - Update release notes to document the major changes between OpenJDK 11 & 17. - Add FIPS patch to allow plain key import. - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false - Patch syslookup.c so it actually has some code to be compiled into libsyslookup - alternatives creation moved to posttrans - Set LTS designator on RHEL, but not Fedora or EPEL. Related: RHEL-45216
2020-12-10 15:04:50 +00:00
public static void main(String[] args) {
Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository * Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch * RH2023467: Enable FIPS keys export * RH2094027: SunEC runtime permission for FIPS - Update FIPS support to bring in latest changes * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Improve security properties test to check both enabled and disabled behaviour - Run security properties test with property debugging on - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them Related: RHEL-45216
2022-06-14 19:19:46 +00:00
if (args.length == 0) {
System.err.println("TestSecurityProperties <true|false>");
System.err.println("Invoke with 'true' if system security properties should be enabled.");
System.err.println("Invoke with 'false' if system security properties should be disabled.");
System.exit(1);
}
boolean enabled = Boolean.valueOf(args[0]);
System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Import java-17-openjdk - Update to jdk-17+35, also known as jdk-17-ga. - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. - Update buildjdkver to 17 so as to build with itself - Add possibility to disable system crypto policy - Add PR3695 to allow the system crypto policy to be turned off - Re-enable TestSecurityProperties after inclusion of PR3695 - Added gating.yaml - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. - Update to jdk-17+33, including JDWP fix and July 2021 CPU - Support the FIPS mode crypto policy (RH1655466) - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. - Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. - No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. - Disable FIPS mode support unless com.redhat.fips is set to "true". - Use appropriate keystore types when in FIPS mode (RH1818909) - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to login to the NSS software token when in FIPS mode. - Fix unused function compiler warning found in systemconf.c - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Add JDK-8272332 fix so we actually link against HarfBuzz. - Update release notes to document the major changes between OpenJDK 11 & 17. - Add FIPS patch to allow plain key import. - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false - Patch syslookup.c so it actually has some code to be compiled into libsyslookup - alternatives creation moved to posttrans - Set LTS designator on RHEL, but not Fedora or EPEL. Related: RHEL-45216
2020-12-10 15:04:50 +00:00
Properties jdkProps = new Properties();
loadProperties(jdkProps);
Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository * Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch * RH2023467: Enable FIPS keys export * RH2094027: SunEC runtime permission for FIPS - Update FIPS support to bring in latest changes * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Improve security properties test to check both enabled and disabled behaviour - Run security properties test with property debugging on - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them Related: RHEL-45216
2022-06-14 19:19:46 +00:00
if (enabled) {
loadPolicy(jdkProps);
}
Import java-17-openjdk - Update to jdk-17+35, also known as jdk-17-ga. - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. - Update buildjdkver to 17 so as to build with itself - Add possibility to disable system crypto policy - Add PR3695 to allow the system crypto policy to be turned off - Re-enable TestSecurityProperties after inclusion of PR3695 - Added gating.yaml - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. - Update to jdk-17+33, including JDWP fix and July 2021 CPU - Support the FIPS mode crypto policy (RH1655466) - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. - Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. - No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. - Disable FIPS mode support unless com.redhat.fips is set to "true". - Use appropriate keystore types when in FIPS mode (RH1818909) - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to login to the NSS software token when in FIPS mode. - Fix unused function compiler warning found in systemconf.c - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Add JDK-8272332 fix so we actually link against HarfBuzz. - Update release notes to document the major changes between OpenJDK 11 & 17. - Add FIPS patch to allow plain key import. - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false - Patch syslookup.c so it actually has some code to be compiled into libsyslookup - alternatives creation moved to posttrans - Set LTS designator on RHEL, but not Fedora or EPEL. Related: RHEL-45216
2020-12-10 15:04:50 +00:00
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository * Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch * RH2023467: Enable FIPS keys export * RH2094027: SunEC runtime permission for FIPS - Update FIPS support to bring in latest changes * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Improve security properties test to check both enabled and disabled behaviour - Run security properties test with property debugging on - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them Related: RHEL-45216
2022-06-14 19:19:46 +00:00
String msg = "Expected value '" + jdkSecVal + "' for key '" +
Import java-17-openjdk - Update to jdk-17+35, also known as jdk-17-ga. - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. - Update buildjdkver to 17 so as to build with itself - Add possibility to disable system crypto policy - Add PR3695 to allow the system crypto policy to be turned off - Re-enable TestSecurityProperties after inclusion of PR3695 - Added gating.yaml - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. - Update to jdk-17+33, including JDWP fix and July 2021 CPU - Support the FIPS mode crypto policy (RH1655466) - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. - Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. - No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. - Disable FIPS mode support unless com.redhat.fips is set to "true". - Use appropriate keystore types when in FIPS mode (RH1818909) - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to login to the NSS software token when in FIPS mode. - Fix unused function compiler warning found in systemconf.c - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Add JDK-8272332 fix so we actually link against HarfBuzz. - Update release notes to document the major changes between OpenJDK 11 & 17. - Add FIPS patch to allow plain key import. - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false - Patch syslookup.c so it actually has some code to be compiled into libsyslookup - alternatives creation moved to posttrans - Set LTS designator on RHEL, but not Fedora or EPEL. Related: RHEL-45216
2020-12-10 15:04:50 +00:00
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository * Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch * RH2023467: Enable FIPS keys export * RH2094027: SunEC runtime permission for FIPS - Update FIPS support to bring in latest changes * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Improve security properties test to check both enabled and disabled behaviour - Run security properties test with property debugging on - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them Related: RHEL-45216
2022-06-14 19:19:46 +00:00
System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
Import java-17-openjdk - Update to jdk-17+35, also known as jdk-17-ga. - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. - Update buildjdkver to 17 so as to build with itself - Add possibility to disable system crypto policy - Add PR3695 to allow the system crypto policy to be turned off - Re-enable TestSecurityProperties after inclusion of PR3695 - Added gating.yaml - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. - Update to jdk-17+33, including JDWP fix and July 2021 CPU - Support the FIPS mode crypto policy (RH1655466) - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. - Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. - No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. - Disable FIPS mode support unless com.redhat.fips is set to "true". - Use appropriate keystore types when in FIPS mode (RH1818909) - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to login to the NSS software token when in FIPS mode. - Fix unused function compiler warning found in systemconf.c - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Add JDK-8272332 fix so we actually link against HarfBuzz. - Update release notes to document the major changes between OpenJDK 11 & 17. - Add FIPS patch to allow plain key import. - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false - Patch syslookup.c so it actually has some code to be compiled into libsyslookup - alternatives creation moved to posttrans - Set LTS designator on RHEL, but not Fedora or EPEL. Related: RHEL-45216
2020-12-10 15:04:50 +00:00
}
}
System.out.println("TestSecurityProperties PASSED!");
}
Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository * Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch * RH2023467: Enable FIPS keys export * RH2094027: SunEC runtime permission for FIPS - Update FIPS support to bring in latest changes * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Improve security properties test to check both enabled and disabled behaviour - Run security properties test with property debugging on - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them Related: RHEL-45216
2022-06-14 19:19:46 +00:00
Import java-17-openjdk - Update to jdk-17+35, also known as jdk-17-ga. - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. - Update buildjdkver to 17 so as to build with itself - Add possibility to disable system crypto policy - Add PR3695 to allow the system crypto policy to be turned off - Re-enable TestSecurityProperties after inclusion of PR3695 - Added gating.yaml - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. - Update to jdk-17+33, including JDWP fix and July 2021 CPU - Support the FIPS mode crypto policy (RH1655466) - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. - Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. - No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. - Disable FIPS mode support unless com.redhat.fips is set to "true". - Use appropriate keystore types when in FIPS mode (RH1818909) - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to login to the NSS software token when in FIPS mode. - Fix unused function compiler warning found in systemconf.c - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Add JDK-8272332 fix so we actually link against HarfBuzz. - Update release notes to document the major changes between OpenJDK 11 & 17. - Add FIPS patch to allow plain key import. - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false - Patch syslookup.c so it actually has some code to be compiled into libsyslookup - alternatives creation moved to posttrans - Set LTS designator on RHEL, but not Fedora or EPEL. Related: RHEL-45216
2020-12-10 15:04:50 +00:00
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository * Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch * RH2023467: Enable FIPS keys export * RH2094027: SunEC runtime permission for FIPS - Update FIPS support to bring in latest changes * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Improve security properties test to check both enabled and disabled behaviour - Run security properties test with property debugging on - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them Related: RHEL-45216
2022-06-14 19:19:46 +00:00
System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
Import java-17-openjdk - Update to jdk-17+35, also known as jdk-17-ga. - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. - Update buildjdkver to 17 so as to build with itself - Add possibility to disable system crypto policy - Add PR3695 to allow the system crypto policy to be turned off - Re-enable TestSecurityProperties after inclusion of PR3695 - Added gating.yaml - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. - Update to jdk-17+33, including JDWP fix and July 2021 CPU - Support the FIPS mode crypto policy (RH1655466) - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. - Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. - No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. - Disable FIPS mode support unless com.redhat.fips is set to "true". - Use appropriate keystore types when in FIPS mode (RH1818909) - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to login to the NSS software token when in FIPS mode. - Fix unused function compiler warning found in systemconf.c - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Add JDK-8272332 fix so we actually link against HarfBuzz. - Update release notes to document the major changes between OpenJDK 11 & 17. - Add FIPS patch to allow plain key import. - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false - Patch syslookup.c so it actually has some code to be compiled into libsyslookup - alternatives creation moved to posttrans - Set LTS designator on RHEL, but not Fedora or EPEL. Related: RHEL-45216
2020-12-10 15:04:50 +00:00
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository * Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch * RH2023467: Enable FIPS keys export * RH2094027: SunEC runtime permission for FIPS - Update FIPS support to bring in latest changes * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Improve security properties test to check both enabled and disabled behaviour - Run security properties test with property debugging on - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them Related: RHEL-45216
2022-06-14 19:19:46 +00:00
try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
private static void loadPolicy(Properties props) {
try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
Import java-17-openjdk - Update to jdk-17+35, also known as jdk-17-ga. - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. - Update buildjdkver to 17 so as to build with itself - Add possibility to disable system crypto policy - Add PR3695 to allow the system crypto policy to be turned off - Re-enable TestSecurityProperties after inclusion of PR3695 - Added gating.yaml - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. - Update to jdk-17+33, including JDWP fix and July 2021 CPU - Support the FIPS mode crypto policy (RH1655466) - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. - Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. - No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. - Disable FIPS mode support unless com.redhat.fips is set to "true". - Use appropriate keystore types when in FIPS mode (RH1818909) - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to login to the NSS software token when in FIPS mode. - Fix unused function compiler warning found in systemconf.c - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Add JDK-8272332 fix so we actually link against HarfBuzz. - Update release notes to document the major changes between OpenJDK 11 & 17. - Add FIPS patch to allow plain key import. - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false - Patch syslookup.c so it actually has some code to be compiled into libsyslookup - alternatives creation moved to posttrans - Set LTS designator on RHEL, but not Fedora or EPEL. Related: RHEL-45216
2020-12-10 15:04:50 +00:00
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository * Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch * RH2023467: Enable FIPS keys export * RH2094027: SunEC runtime permission for FIPS - Update FIPS support to bring in latest changes * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Improve security properties test to check both enabled and disabled behaviour - Run security properties test with property debugging on - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them Related: RHEL-45216
2022-06-14 19:19:46 +00:00
Import java-17-openjdk - Update to jdk-17+35, also known as jdk-17-ga. - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. - Update buildjdkver to 17 so as to build with itself - Add possibility to disable system crypto policy - Add PR3695 to allow the system crypto policy to be turned off - Re-enable TestSecurityProperties after inclusion of PR3695 - Added gating.yaml - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. - Update to jdk-17+33, including JDWP fix and July 2021 CPU - Support the FIPS mode crypto policy (RH1655466) - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. - Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. - No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. - Disable FIPS mode support unless com.redhat.fips is set to "true". - Use appropriate keystore types when in FIPS mode (RH1818909) - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. - Add patch to login to the NSS software token when in FIPS mode. - Fix unused function compiler warning found in systemconf.c - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. - Add JDK-8272332 fix so we actually link against HarfBuzz. - Update release notes to document the major changes between OpenJDK 11 & 17. - Add FIPS patch to allow plain key import. - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false - Patch syslookup.c so it actually has some code to be compiled into libsyslookup - alternatives creation moved to posttrans - Set LTS designator on RHEL, but not Fedora or EPEL. Related: RHEL-45216
2020-12-10 15:04:50 +00:00
}
Reference in New Issue Copy Permalink