rpms/java-17-openjdk
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import java-17-openjdk-17.0.3.0.6-2.el8_5

Browse Source
This commit is contained in:
CentOS Sources 2022-04-20 08:22:20 -04:00 committed by Stepan Oksanichenko
parent 2cacaa346d
commit 806b0e8864
8 changed files with 2231 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
SOURCES/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

2
.java-17-openjdk.metadata
View File

@ -1,2 +1,2 @@
47c1e3a97ba6f63908c2a9f55e1514b52f0b8333 SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
15b13a23d8a862fc881ab110858c0054cf34180e SOURCES/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

204
SOURCES/NEWS
View File

@ -3,6 +3,210 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 17.0.3 (2022-04-19):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk1703
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt
* Security fixes
- JDK-8269938: Enhance XML processing passes redux
- JDK-8270504, CVE-2022-21426: Better XPath expression handling
- JDK-8272255: Completely handle MIDI files
- JDK-8272261: Improve JFR recording file processing
- JDK-8272588: Enhanced recording parsing
- JDK-8272594: Better record of recordings
- JDK-8274221: More definite BER encodings
- JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0
- JDK-8275151, CVE-2022-21443: Improved Object Identification
- JDK-8277227: Better identification of OIDs
- JDK-8277233, CVE-2022-21449: Improve ECDSA signature support
- JDK-8277672, CVE-2022-21434: Better invocation handler handling
- JDK-8278356: Improve file creation
- JDK-8278449: Improve keychain support
- JDK-8278798: Improve supported intrinsic
- JDK-8278805: Enhance BMP image loading
- JDK-8278972, CVE-2022-21496: Improve URL supports
- JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
* Other changes
- JDK-8177814: jdk/editpad is not in jdk TEST.groups
- JDK-8186670: Implement _onSpinWait() intrinsic for AArch64
- JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently
- JDK-8225559: assertion error at TransTypes.visitApply
- JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful
- JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails
- JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
- JDK-8247980: Exclusive execution of java/util/stream tests slows down tier1
- JDK-8251216: Implement MD5 intrinsics on AArch64
- JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost"
- JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
- JDK-8263567: gtests don't terminate the VM safely
- JDK-8265150: AsyncGetCallTrace crashes on ResourceMark
- JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups
- JDK-8269032: Stringdedup tests are failing if the ergonomically select GC does not support it
- JDK-8269037: jsig/Testjsig.java doesn't have to be restricted to linux only
- JDK-8269087: CheckSegmentedCodeCache test fails in an emulated-client VM
- JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file
- JDK-8269206: A small typo in comment in test/lib/sun/hotspot/WhiteBox.java
- JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long'
- JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error
- JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects"
- JDK-8270117: Broken jtreg link in "Building the JDK" page
- JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
- JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity
- JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
- JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty
- JDK-8271506: Add ResourceHashtable support for deleting selected entries
- JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests
- JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
- JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates
- JDK-8272398: Update DockerTestUtils.buildJdkDockerImage()
- JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication
- JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code
- JDK-8272600: (test) Use native "sleep" in Basic.java
- JDK-8272866: java.util.random package summary contains incorrect mixing function in table
- JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled
- JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt
- JDK-8273277: C2: Move conditional negation into rc_predicate
- JDK-8273341: Update Siphash to version 1.0
- JDK-8273351: bad tag in jdk.random module-info.java
- JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12
- JDK-8273381: Assert in PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm
- JDK-8273387: remove some unreferenced gtk-related functions
- JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests
- JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests
- JDK-8273526: Extend the OSContainer API pids controller with pids.current
- JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java
- JDK-8273655: content-types.properties files are missing some common types
- JDK-8273682: Upgrade Jline to 3.20.0
- JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time
- JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3
- JDK-8273933: [TESTBUG] Test must run without preallocated exceptions
- JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12
- JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform)
- JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes
- JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches
- JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures
- JDK-8274471: Add support for RSASSA-PSS in OCSP Response
- JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root
- JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
- JDK-8274562: (fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS
- JDK-8274658: ISO 4217 Amendment 170 Update
- JDK-8274714: Incorrect verifier protected access error message
- JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976
- JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes
- JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
- JDK-8274935: dumptime_table has stale entry
- JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info
- JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
- JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
- JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime
- JDK-8275586: Zero: Simplify interpreter initialization
- JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow
- JDK-8275610: C2: Object field load floats above its null check resulting in a segfault
- JDK-8275643: C2's unaryOp vector intrinsic does not properly handle LongVector.neg
- JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64
- JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
- JDK-8275687: runtime/CommandLine/PrintTouchedMethods test shouldn't catch RuntimeException
- JDK-8275800: Redefinition leaks MethodData::_extra_data_lock
- JDK-8275847: Scheduling fails with "too many D-U pinch points" on small method
- JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue
- JDK-8276057: Update JMH devkit to 1.33
- JDK-8276141: XPathFactory set/getProperty method
- JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
- JDK-8276314: [JVMCI] check alignment of call displacement during code installation
- JDK-8276623: JDK-8275650 accidentally pushed "out" file
- JDK-8276654: element-list order is non deterministic
- JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common()
- JDK-8276764: Enable deterministic file content ordering for Jar and Jmod
- JDK-8276766: Enable jar and jmod to produce deterministic timestamped content
- JDK-8276841: Add support for Visual Studio 2022
- JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible"
- JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1
- JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64
- JDK-8277299: STACK_OVERFLOW in Java_sun_awt_shell_Win32ShellFolder2_getIconBits
- JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows
- JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for
- JDK-8277383: VM.metaspace optionally show chunk freelist details
- JDK-8277385: Zero: Enable CompactStrings support
- JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last
- JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop
- JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs
- JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
- JDK-8277497: Last column cell in the JTable row is read as empty cell
- JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found."
- JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER
- JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad
- JDK-8277795: ldap connection timeout not honoured under contention
- JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64
- JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording
- JDK-8277992: Add fast jdk_svc subtests to jdk:tier3
- JDK-8278016: Add compiler tests to tier{2,3}
- JDK-8278020: ~13% variation in Renaissance-Scrabble
- JDK-8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
- JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError
- JDK-8278104: C1 should support the compiler directive 'BreakAtExecute'
- JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx
- JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx
- JDK-8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup
- JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux
- JDK-8278185: Custom JRE cannot find non-ASCII named module inside
- JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d
- JDK-8278241: Implement JVM SpinPause on linux-aarch64
- JDK-8278309: [windows] use of uninitialized OSThread::_state
- JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output
- JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine
- JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
- JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
- JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic
- JDK-8278526: [macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column
- JDK-8278604: SwingSet2 table demo does not have accessible description set for images
- JDK-8278627: Shenandoah: TestHeapDump test failed
- JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
- JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3
- JDK-8278824: Uneven work distribution when scanning heap roots in G1
- JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
- JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
- JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__
- JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t
- JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0
- JDK-8279124: VM does not handle SIGQUIT during initialization
- JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers
- JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest
- JDK-8279379: GHA: Print tests that are in error
- JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344
- JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it
- JDK-8279445: Update JMH devkit to 1.34
- JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms
- JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
- JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
- JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also
- JDK-8279702: [macosx] ignore xcodebuild warnings on M1
- JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16
- JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks
- JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id"
- JDK-8280002: jmap -histo may leak stream
- JDK-8280155: [PPC64, s390] frame size checks are not yet correct
- JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
- JDK-8280414: Memory leak in DefaultProxySelector
- JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
- JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
- JDK-8281460: Let ObjectMonitor have its own NMT category
- JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
- JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
- JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
- JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
- JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
Notes on individual issues:
===========================
security-libs/java.security:
JDK-8274791: Support for RSASSA-PSS in OCSP Response
====================================================
An OCSP response signed with the RSASSA-PSS algorithm is now supported.
New in release OpenJDK 17.0.2 (2022-01-18):
===========================================
Live versions of these release notes can be found at:

96
SOURCES/jdk8284548-jaxp_regression.patch Normal file
View File

@ -0,0 +1,96 @@
From 722bf5b20de2ee64e0fdabb2f5e5fa89e043e3f1 Mon Sep 17 00:00:00 2001
From: Christoph Langer <clanger@openjdk.org>
Date: Fri, 8 Apr 2022 14:06:47 +0200
Subject: [PATCH] 8284548: Unexpected StringIndexOutOfBoundsException can occur
for invalid XPath expressions after JDK-8270504
---
.../apache/xpath/internal/compiler/Lexer.java | 4 +-
.../javax/xml/jaxp/XPath/InvalidXPath.java | 53 +++++++++++++++++++
2 files changed, 54 insertions(+), 3 deletions(-)
create mode 100644 test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
index 54595e2d036..b7b3f419eb2 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
@@ -24,7 +24,6 @@ import com.sun.org.apache.xalan.internal.res.XSLMessages;
import com.sun.org.apache.xml.internal.utils.PrefixResolver;
import com.sun.org.apache.xpath.internal.res.XPATHErrorResources;
import java.util.List;
-import java.util.Objects;
import javax.xml.transform.TransformerException;
import jdk.xml.internal.XMLSecurityManager;
import jdk.xml.internal.XMLSecurityManager.Limit;
@@ -451,8 +450,7 @@ class Lexer
* @return the next char
*/
private char peekNext(String s, int index) {
- Objects.checkIndex(index, s.length());
- if (s.length() > index) {
+ if (index >= 0 && index < s.length() - 1) {
return s.charAt(index + 1);
}
return 0;
diff --git openjdk.orig/test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java openjdk/test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java
new file mode 100644
index 00000000000..478f4212d5b
--- /dev/null
+++ openjdk/test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2022, SAP SE. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8284548
+ * @summary Test whether the expected exception is thrown when
+ * trying to compile an invalid XPath expression.
+ * @run main InvalidXPath
+ */
+
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+
+public class InvalidXPath {
+
+ public static void main(String... args) {
+ // define an invalid XPath expression
+ final String invalidXPath = ">>";
+
+ // expect XPathExpressionException when the invalid XPath expression is compiled
+ try {
+ XPathFactory.newInstance().newXPath().compile(invalidXPath);
+ } catch (XPathExpressionException e) {
+ System.out.println("Caught expected exception: " + e.getClass().getName() +
+ "(" + e.getMessage() + ").");
+ } catch (Exception e) {
+ System.out.println("Caught unexpected exception: " + e.getClass().getName() +
+ "(" + e.getMessage() + ")!");
+ throw e;
+ }
+ }
+}
--
2.35.1.windows.2

102
SOURCES/jdk8284920-incorrect_token_type.patch Normal file
View File

@ -0,0 +1,102 @@
From 0d3aea2f11df585b491ae5c07de9f66679601d58 Mon Sep 17 00:00:00 2001
From: Anton Kozlov <akozlov@azul.com>
Date: Fri, 15 Apr 2022 14:07:52 +0300
Subject: [PATCH] 8284920: Incorrect Token type causes XPath expression to
return empty result
Reviewed-by:
---
.../com/sun/org/apache/xpath/internal/compiler/Lexer.java | 4 ++--
.../com/sun/org/apache/xpath/internal/compiler/Token.java | 4 ++--
.../org/apache/xpath/internal/compiler/XPathParser.java | 8 ++++----
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
index b7b3f419eb2..41b58da8e99 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
@@ -360,7 +360,7 @@ class Lexer
addToTokenQueue(pat.substring(i, i + 1));
break;
- case Token.COLON :
+ case Token.COLON_CHAR:
if (i>0)
{
if (posOfNSSep == (i - 1))
@@ -615,7 +615,7 @@ class Lexer
resetTokenMark(tokPos + 1);
}
- if (m_processor.lookahead(Token.COLON, 1))
+ if (m_processor.lookahead(Token.COLON_CHAR, 1))
{
tokPos += 2;
}
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
index 8c4fee146c6..7bce14e5770 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
@@ -45,10 +45,9 @@ public final class Token {
static final char LPAREN = '(';
static final char RPAREN = ')';
static final char COMMA = ',';
- static final char DOT = '.';
static final char AT = '@';
static final char US = '_';
- static final char COLON = ':';
+ static final char COLON_CHAR = ':';
static final char SQ = '\'';
static final char DQ = '"';
static final char DOLLAR = '$';
@@ -58,6 +57,7 @@ public final class Token {
static final String DIV = "div";
static final String MOD = "mod";
static final String QUO = "quo";
+ static final String DOT = ".";
static final String DDOT = "..";
static final String DCOLON = "::";
static final String ATTR = "attribute";
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
index c3f9e1494be..22192fd06f6 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
@@ -1413,7 +1413,7 @@ public class XPathParser
matchFound = true;
}
- else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON, 1) && lookahead(Token.LPAREN, 3)))
+ else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON_CHAR, 1) && lookahead(Token.LPAREN, 3)))
{
matchFound = FunctionCall();
}
@@ -1457,7 +1457,7 @@ public class XPathParser
int opPos = m_ops.getOp(OpMap.MAPINDEX_LENGTH);
- if (lookahead(Token.COLON, 1))
+ if (lookahead(Token.COLON_CHAR, 1))
{
appendOp(4, OpCodes.OP_EXTFUNCTION);
@@ -1841,7 +1841,7 @@ public class XPathParser
m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), OpCodes.NODENAME);
m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1);
- if (lookahead(Token.COLON, 1))
+ if (lookahead(Token.COLON_CHAR, 1))
{
if (tokenIs(Token.STAR))
{
@@ -1944,7 +1944,7 @@ public class XPathParser
protected void QName() throws TransformerException
{
// Namespace
- if(lookahead(Token.COLON, 1))
+ if(lookahead(Token.COLON_CHAR, 1))
{
m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), m_queueMark - 1);
m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1);
--
2.24.3

579
SOURCES/rh1991003-enable_fips_keys_import.patch Normal file
View File

@ -0,0 +1,579 @@
commit abcd0954643eddbf826d96291d44a143038ab750
Author: Martin Balao <mbalao@redhat.com>
Date: Sun Oct 10 18:14:01 2021 +0100
RH1991003: Enable the import of plain keys into the NSS software token.
This can be individually disabled using -Dcom.redhat.fips.plainKeySupport=false
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index ce32c939253..dc7020ce668 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -82,6 +82,10 @@ public final class Security {
public boolean isSystemFipsEnabled() {
return SystemConfigurator.isSystemFipsEnabled();
}
+ @Override
+ public boolean isPlainKeySupportEnabled() {
+ return SystemConfigurator.isPlainKeySupportEnabled();
+ }
});
// doPrivileged here because there are multiple
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 6aa1419dfd0..ecab722848e 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -55,6 +55,7 @@ final class SystemConfigurator {
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
private static boolean systemFipsEnabled = false;
+ private static boolean plainKeySupportEnabled = false;
private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
@@ -150,6 +151,16 @@ final class SystemConfigurator {
}
loadedProps = true;
systemFipsEnabled = true;
+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
+ "true");
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
+ if (sdebug != null) {
+ if (plainKeySupportEnabled) {
+ sdebug.println("FIPS support enabled with plain key support");
+ } else {
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
}
} catch (Exception e) {
if (sdebug != null) {
@@ -177,6 +188,19 @@ final class SystemConfigurator {
return systemFipsEnabled;
}
+ /**
+ * Returns {@code true} if system FIPS alignment is enabled
+ * and plain key support is allowed. Plain key support is
+ * enabled by default but can be disabled with
+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
+ *
+ * @return a boolean indicating whether plain key support
+ * should be enabled.
+ */
+ static boolean isPlainKeySupportEnabled() {
+ return plainKeySupportEnabled;
+ }
+
/*
* OpenJDK FIPS mode will be enabled only if the com.redhat.fips
* system property is true (default) and the system is in FIPS mode.
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
index a31e93ec02e..3f3caac64dc 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
@@ -27,4 +27,5 @@ package jdk.internal.access;
public interface JavaSecuritySystemConfiguratorAccess {
boolean isSystemFipsEnabled();
+ boolean isPlainKeySupportEnabled();
}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644
index 00000000000..bee3a1e1537
--- /dev/null
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,291 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.Provider;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.TemplateManager;
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
+import sun.security.pkcs11.wrapper.PKCS11Exception;
+import sun.security.rsa.RSAUtil.KeyType;
+import sun.security.util.Debug;
+import sun.security.util.ECUtil;
+
+final class FIPSKeyImporter {
+
+ private static final Debug debug =
+ Debug.getInstance("sunpkcs11");
+
+ private static P11Key importerKey = null;
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
+ private static CK_MECHANISM importerKeyMechanism = null;
+ private static Cipher importerCipher = null;
+
+ private static Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+
+ private static KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception {
+ long keyID = -1;
+ Token token = sunPKCS11.getToken();
+ if (debug != null) {
+ debug.println("Private or Secret key will be imported in" +
+ " system FIPS mode.");
+ }
+ if (importerKey == null) {
+ importerKeyLock.lock();
+ try {
+ if (importerKey == null) {
+ if (importerKeyMechanism == null) {
+ // Importer Key creation has not been tried yet. Try it.
+ createImporterKey(token);
+ }
+ if (importerKey == null || importerCipher == null) {
+ if (debug != null) {
+ debug.println("Importer Key could not be" +
+ " generated.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ if (debug != null) {
+ debug.println("Importer Key successfully" +
+ " generated.");
+ }
+ }
+ } finally {
+ importerKeyLock.unlock();
+ }
+ }
+ long importerKeyID = importerKey.getKeyID();
+ try {
+ byte[] keyBytes = null;
+ byte[] encKeyBytes = null;
+ long keyClass = 0L;
+ long keyType = 0L;
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
+ for (CK_ATTRIBUTE attr : attributes) {
+ if (attr.type == CKA_CLASS) {
+ keyClass = attr.getLong();
+ } else if (attr.type == CKA_KEY_TYPE) {
+ keyType = attr.getLong();
+ }
+ attrsMap.put(attr.type, attr);
+ }
+ BigInteger v = null;
+ if (keyClass == CKO_PRIVATE_KEY) {
+ if (keyType == CKK_RSA) {
+ if (debug != null) {
+ debug.println("Importing an RSA private key...");
+ }
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
+ KeyType.RSA,
+ null,
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ } else if (keyType == CKK_DSA) {
+ if (debug != null) {
+ debug.println("Importing a DSA private key...");
+ }
+ keyBytes = new sun.security.provider.DSAPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_EC) {
+ if (debug != null) {
+ debug.println("Importing an EC private key...");
+ }
+ if (sunECProvider == null) {
+ sunECProviderLock.lock();
+ try {
+ if (sunECProvider == null) {
+ sunECProvider = Security.getProvider("SunEC");
+ }
+ } finally {
+ sunECProviderLock.unlock();
+ }
+ }
+ keyBytes = ECUtil.generateECPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ECUtil.getECParameterSpec(sunECProvider,
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
+ .getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_DH) {
+ if (debug != null) {
+ debug.println("Importing a Diffie-Hellman private key...");
+ }
+ if (DHKF == null) {
+ DHKFLock.lock();
+ try {
+ if (DHKF == null) {
+ DHKF = KeyFactory.getInstance(
+ "DH", P11Util.getSunJceProvider());
+ }
+ } finally {
+ DHKFLock.unlock();
+ }
+ }
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO);
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else {
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ } else if (keyClass == CKO_SECRET_KEY) {
+ if (debug != null) {
+ debug.println("Importing a secret key...");
+ }
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
+ }
+ if (keyBytes == null || keyBytes.length == 0) {
+ if (debug != null) {
+ debug.println("Private or secret key plain bytes could" +
+ " not be obtained. Import failed.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
+ null);
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
+ attrsMap.values().toArray(attributes);
+ encKeyBytes = importerCipher.doFinal(keyBytes);
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
+ keyClass, keyType, attributes);
+ keyID = token.p11.C_UnwrapKey(hSession,
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
+ if (debug != null) {
+ debug.println("Imported key ID: " + keyID);
+ }
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ } finally {
+ importerKey.releaseKeyID();
+ }
+ return Long.valueOf(keyID);
+ }
+
+ private static void createImporterKey(Token token) {
+ if (debug != null) {
+ debug.println("Generating Importer Key...");
+ }
+ byte[] iv = new byte[16];
+ JCAUtil.getSecureRandom().nextBytes(iv);
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
+ try {
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
+ Session s = null;
+ try {
+ s = token.getObjSession();
+ long keyID = token.p11.C_GenerateKey(
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
+ attributes);
+ if (debug != null) {
+ debug.println("Importer Key ID: " + keyID);
+ }
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
+ 256 >> 3, null);
+ } catch (PKCS11Exception e) {
+ // best effort
+ } finally {
+ token.releaseSession(s);
+ }
+ if (importerKey != null) {
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ }
+ } catch (Throwable t) {
+ // best effort
+ importerKey = null;
+ importerCipher = null;
+ // importerKeyMechanism value is kept initialized to indicate that
+ // Importer Key creation has been tried and failed.
+ }
+ }
+}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 5d3963ea893..42c72b393fd 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
package sun.security.pkcs11;
import java.io.*;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
import java.util.*;
import java.security.*;
@@ -66,6 +69,26 @@ public final class SunPKCS11 extends AuthProvider {
private static final boolean systemFipsEnabled = SharedSecrets
.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
+ private static final MethodHandle fipsImportKey;
+ static {
+ MethodHandle fipsImportKeyTmp = null;
+ if (plainKeySupportEnabled) {
+ try {
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
+ FIPSKeyImporter.class, "importKey",
+ MethodType.methodType(Long.class, SunPKCS11.class,
+ long.class, CK_ATTRIBUTE[].class));
+ } catch (Throwable t) {
+ throw new SecurityException("FIPS key importer initialization" +
+ " failed", t);
+ }
+ }
+ fipsImportKey = fipsImportKeyTmp;
+ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -324,10 +347,15 @@ public final class SunPKCS11 extends AuthProvider {
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
+ MethodHandle fipsKeyImporter = null;
+ if (plainKeySupportEnabled) {
+ fipsKeyImporter = MethodHandles.insertArguments(
+ fipsImportKey, 0, this);
+ }
try {
tmpPKCS11 = PKCS11.getInstance(
library, functionList, initArgs,
- config.getOmitInitialize());
+ config.getOmitInitialize(), fipsKeyImporter);
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
@@ -343,7 +371,7 @@ public final class SunPKCS11 extends AuthProvider {
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
- functionList, initArgs, config.getOmitInitialize());
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
}
p11 = tmpPKCS11;
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
index 5c0aacd1a67..4d80145cb91 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
import java.io.File;
import java.io.IOException;
+import java.lang.invoke.MethodHandle;
import java.util.*;
import java.security.AccessController;
@@ -152,16 +153,28 @@ public class PKCS11 {
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
// so keep a cache using the (non-canonicalized!) path
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
if (pkcs11 == null) {
+ boolean nssFipsMode = fipsKeyImporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
+ fipsKeyImporter);
+ } else {
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
} else {
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
+ functionList, fipsKeyImporter);
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ }
}
if (omitInitialize == false) {
try {
@@ -1911,4 +1924,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
+
+// PKCS11 subclass that allows using plain private or secret keys in
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
+// is enabled.
+static class FIPSPKCS11 extends PKCS11 {
+ private MethodHandle fipsKeyImporter;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // Creating sensitive key objects from plain key material in a
+ // FIPS-configured NSS Software Token is not allowed. We apply
+ // a key-unwrapping scheme to achieve so.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+// FIPSPKCS11 synchronized counterpart.
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
+ private MethodHandle fipsKeyImporter;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // See FIPSPKCS11::C_CreateObject.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+private static class FIPSPKCS11Helper {
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
+ for (CK_ATTRIBUTE attr : pTemplate) {
+ if (attr.type == CKA_CLASS &&
+ (attr.getLong() == CKO_PRIVATE_KEY ||
+ attr.getLong() == CKO_SECRET_KEY)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
index e2d6d371bec..dc5e7eefdd3 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
@@ -219,6 +219,14 @@ public class PKCS11Exception extends Exception {
return "0x" + Functions.toFullHexString((int)errorCode);
}
+ /**
+ * Constructor taking the error code (the CKR_* constants in PKCS#11) with
+ * no extra info for the error message.
+ */
+ public PKCS11Exception(long errorCode) {
+ this(errorCode, null);
+ }
+
/**
* Constructor taking the error code (the CKR_* constants in PKCS#11) and
* extra info for error message.

1182
SOURCES/rh2052070-enable_algorithmparameters_in_fips_mode.patch Normal file
View File

File diff suppressed because it is too large Load Diff

73
SPECS/java-17-openjdk.spec
View File

@ -274,7 +274,7 @@
# New Version-String scheme-style defines
%global featurever 17
%global interimver 0
%global updatever 2
%global updatever 3
%global patchver 0
# If you bump featurever, you must also bump vendor_version_string
# Used via new version scheme. JDK 17 was
@ -302,8 +302,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
%global rpmrelease 4
%global buildver 6
%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -322,6 +322,11 @@
# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
# The tag used to create the OpenJDK tarball
#%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
# Temporarily use pre-release tag from vulnerability group
%global vcstag 17usec.17.0.3+5-220408
# Define milestone (EA for pre-releases, GA for releases)
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
@ -1111,9 +1116,8 @@ License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv
URL: http://openjdk.java.net/
# to regenerate source0 (jdk) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
# The source tarball, generated using generate_source_tarball.sh
Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@ -1185,9 +1189,13 @@ Patch1009: rh1995150-disable_non-fips_crypto.patch
# RH1996182: Login to the NSS software token in FIPS mode
Patch1010: rh1996182-login_to_nss_software_token.patch
Patch1012: rh1996182-extend_security_policy.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
Patch1013: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues
Patch1014: rh2021263-fips_ensure_security_initialised.patch
Patch1015: rh2021263-fips_missing_native_returns.patch
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch
#############################################
#
@ -1197,9 +1205,13 @@ Patch1015: rh2021263-fips_missing_native_returns.patch
#############################################
#
# OpenJDK patches appearing in 17.0.1
# OpenJDK patches appearing in 17.0.3
#
#############################################
# JDK-8284548: Unexpected StringIndexOutOfBoundsException can occur for invalid XPath expressions after JDK-8270504
Patch2002: jdk8284548-jaxp_regression.patch
# JDK-8284920: Incorrect Token type causes XPath expression to return empty result
Patch2003: jdk8284920-incorrect_token_type.patch
BuildRequires: autoconf
BuildRequires: automake
@ -1559,8 +1571,13 @@ popd # openjdk
%patch1010
%patch1011
%patch1012
%patch1013
%patch1014
%patch1015
%patch1018
%patch2002
%patch2003
# Extract systemtap tapsets
%if %{with_systemtap}
@ -2280,6 +2297,48 @@ require "copy_jdk_configs.lua"
%endif
%changelog
* Sat Apr 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.6-2
- Add JDK-8284920 fix for XPath regression
- Related: rhbz#2073575
* Fri Apr 15 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.6-2
- JDK-8275082 should be listed as also resolving JDK-8278008 & CVE-2022-21476
- Related: rhbz#2073575
* Mon Apr 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.6-1
- JDK-8283911 patch no longer needed now we're GA...
- Resolves: rhbz#2073575
* Mon Apr 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.6-1
- April 2022 security update to jdk 17.0.3+6
- Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408)
- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga
- Update release notes to 17.0.3.0+6
- Add missing README.md and generate_source_tarball.sh
- Introduce tests/tests.yml, based on the one in java-11-openjdk
- Switch to GA mode for release
- ** This tarball is embargoed until 2022-04-19 @ 1pm PT. **
- Resolves: rhbz#2073575
* Sun Apr 10 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.5-0.1.ea
- Update to jdk-17.0.3.0+5
- Update release notes to 17.0.3.0+5
- Switch to EA mode for 17.0.3 pre-release builds.
- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
- Related: rhbz#2073422
* Sun Apr 10 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-6
- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
- Resolves: rhbz#2055396
* Sat Apr 09 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5
- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
- Resolves: rhbz#2018189
* Sat Apr 09 2022 Martin Balao <mbalao@redhat.com> - 1:17.0.2.0.8-5
- Add patch to allow plain key import.
- Resolves: rhbz#2018189
* Mon Jan 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-4
- Fix FIPS issues in native code and with initialisation of java.security.Security
- Related: rhbz#2039366