import java-17-openjdk-17.0.2.0.8-15.el8
This commit is contained in:
parent
a995e00603
commit
d75fa95bc4
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,2 +1,2 @@
|
|||||||
SOURCES/openjdk-jdk17-jdk-17+35.tar.xz
|
SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
|
||||||
SOURCES/tapsets-icedtea-3.15.0.tar.xz
|
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
a2bffc90da173240cdf0e3ea6971d4ba432b3cfe SOURCES/openjdk-jdk17-jdk-17+35.tar.xz
|
47c1e3a97ba6f63908c2a9f55e1514b52f0b8333 SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
|
||||||
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
|
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||||
|
468
SOURCES/NEWS
468
SOURCES/NEWS
@ -3,6 +3,474 @@ Key:
|
|||||||
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
|
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
|
||||||
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
|
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
|
||||||
|
|
||||||
|
New in release OpenJDK 17.0.2 (2022-01-18):
|
||||||
|
===========================================
|
||||||
|
Live versions of these release notes can be found at:
|
||||||
|
* https://bitly.com/openjdk1702
|
||||||
|
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt
|
||||||
|
|
||||||
|
* Security fixes
|
||||||
|
- JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside
|
||||||
|
- JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
|
||||||
|
- JDK-8268488: More valuable DerValues
|
||||||
|
- JDK-8268494: Better inlining of inlined interfaces
|
||||||
|
- JDK-8268512: More content for ContentInfo
|
||||||
|
- JDK-8268813, CVE-2022-21283: Better String matching
|
||||||
|
- JDK-8269151: Better construction of EncryptedPrivateKeyInfo
|
||||||
|
- JDK-8269944: Better HTTP transport redux
|
||||||
|
- JDK-8270386, CVE-2022-21291: Better verification of scan methods
|
||||||
|
- JDK-8270392, CVE-2022-21293: Improve String constructions
|
||||||
|
- JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
|
||||||
|
- JDK-8270492, CVE-2022-21282: Better resolution of URIs
|
||||||
|
- JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
|
||||||
|
- JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
|
||||||
|
- JDK-8270952, CVE-2022-21277: Improve TIFF file handling
|
||||||
|
- JDK-8271962: Better TrueType font loading
|
||||||
|
- JDK-8271968: Better canonical naming
|
||||||
|
- JDK-8271987: Manifest improved manifest entries
|
||||||
|
- JDK-8272014, CVE-2022-21305: Better array indexing
|
||||||
|
- JDK-8272026, CVE-2022-21340: Verify Jar Verification
|
||||||
|
- JDK-8272236, CVE-2022-21341: Improve serial forms for transport
|
||||||
|
- JDK-8272272: Enhance jcmd communication
|
||||||
|
- JDK-8272462: Enhance image handling
|
||||||
|
- JDK-8273290: Enhance sound handling
|
||||||
|
- JDK-8273756, CVE-2022-21360: Enhance BMP image support
|
||||||
|
- JDK-8273838, CVE-2022-21365: Enhanced BMP processing
|
||||||
|
- JDK-8274096, CVE-2022-21366: Improve decoding of image files
|
||||||
|
* Other changes
|
||||||
|
- JDK-4819544: SwingSet2 JTable Demo throws NullPointerException
|
||||||
|
- JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
|
||||||
|
- JDK-8140241: (fc) Data transfer from FileChannel to itself causes hang in case of overlap
|
||||||
|
- JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently
|
||||||
|
- JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
|
||||||
|
- JDK-8214761: Bug in parallel Kahan summation implementation
|
||||||
|
- JDK-8223923: C2: Missing interference with mismatched unsafe accesses
|
||||||
|
- JDK-8233020: (fs) UnixFileSystemProvider should use StaticProperty.userDir().
|
||||||
|
- JDK-8238649: Call new Win32 API SetThreadDescription in os::set_native_thread_name
|
||||||
|
- JDK-8244675: assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines()))
|
||||||
|
- JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled
|
||||||
|
- JDK-8261579: AArch64: Support for weaker memory ordering in Atomic
|
||||||
|
- JDK-8262031: Create implementation for NSAccessibilityNavigableStaticText protocol
|
||||||
|
- JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null
|
||||||
|
- JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
|
||||||
|
- JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
|
||||||
|
- JDK-8263375: Support stack watermarks in Zero VM
|
||||||
|
- JDK-8263773: Reenable German localization for builds at Oracle
|
||||||
|
- JDK-8264286: Create implementation for NSAccessibilityColumn protocol peer
|
||||||
|
- JDK-8264287: Create implementation for NSAccessibilityComboBox protocol peer
|
||||||
|
- JDK-8264291: Create implementation for NSAccessibilityCell protocol peer
|
||||||
|
- JDK-8264292: Create implementation for NSAccessibilityList protocol peer
|
||||||
|
- JDK-8264293: Create implementation for NSAccessibilityMenu protocol peer
|
||||||
|
- JDK-8264294: Create implementation for NSAccessibilityMenuBar protocol peer
|
||||||
|
- JDK-8264295: Create implementation for NSAccessibilityMenuItem protocol peer
|
||||||
|
- JDK-8264296: Create implementation for NSAccessibilityPopUpButton protocol peer
|
||||||
|
- JDK-8264297: Create implementation for NSAccessibilityProgressIndicator protocol peer
|
||||||
|
- JDK-8264298: Create implementation for NSAccessibilityRow protocol peer
|
||||||
|
- JDK-8264303: Create implementation for NSAccessibilityTabGroup protocol peer
|
||||||
|
- JDK-8266239: Some duplicated javac command-line options have repeated effect
|
||||||
|
- JDK-8266510: Nimbus JTree default tree cell renderer does not use selected text color
|
||||||
|
- JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java fails with Unexpected isMature state for multiple times invoked method: expected false to equal true
|
||||||
|
- JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl
|
||||||
|
- JDK-8267385: Create NSAccessibilityElement implementation for JavaComponentAccessibility
|
||||||
|
- JDK-8267387: Create implementation for NSAccessibilityOutline protocol
|
||||||
|
- JDK-8267388: Create implementation for NSAccessibilityTable protocol
|
||||||
|
- JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button"
|
||||||
|
- JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs.
|
||||||
|
- JDK-8268361: Fix the infinite loop in next_line
|
||||||
|
- JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML
|
||||||
|
- JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests
|
||||||
|
- JDK-8268626: Remove native pre-jdk9 support for jtreg failure handler
|
||||||
|
- JDK-8268860: Windows-Aarch64 build is failing in GitHub actions
|
||||||
|
- JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
|
||||||
|
- JDK-8268885: duplicate checkcast when destination type is not first type of intersection type
|
||||||
|
- JDK-8268893: jcmd to trim the glibc heap
|
||||||
|
- JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition
|
||||||
|
- JDK-8268927: Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)"
|
||||||
|
- JDK-8269031: linux x86_64 check for binutils 2.25 or higher after 8265783
|
||||||
|
- JDK-8269113: Javac throws when compiling switch (null)
|
||||||
|
- JDK-8269216: Useless initialization in com/sun/crypto/provider/PBES2Parameters.java
|
||||||
|
- JDK-8269269: [macos11] SystemIconTest fails with ClassCastException
|
||||||
|
- JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString()
|
||||||
|
- JDK-8269481: SctpMultiChannel never releases own file descriptor
|
||||||
|
- JDK-8269637: javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows
|
||||||
|
- JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles
|
||||||
|
- JDK-8269687: pauth_aarch64.hpp include name is incorrect
|
||||||
|
- JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
|
||||||
|
- JDK-8269924: Shenandoah: Introduce weak/strong marking asserts
|
||||||
|
- JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
|
||||||
|
- JDK-8270110: Shenandoah: Add test for JDK-8269661
|
||||||
|
- JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS
|
||||||
|
- JDK-8270171: Shenandoah: Cleanup TestStringDedup and TestStringDedupStress tests
|
||||||
|
- JDK-8270290: NTLM authentication fails if HEAD request is used
|
||||||
|
- JDK-8270317: Large Allocation in CipherSuite
|
||||||
|
- JDK-8270320: JDK-8270110 committed invalid copyright headers
|
||||||
|
- JDK-8270517: Add Zero support for LoongArch
|
||||||
|
- JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
|
||||||
|
- JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling
|
||||||
|
- JDK-8270893: IndexOutOfBoundsException while reading large TIFF file
|
||||||
|
- JDK-8270901: Typo PHASE_CPP in CompilerPhaseType
|
||||||
|
- JDK-8270946: X509CertImpl.getFingerprint should not return the empty String
|
||||||
|
- JDK-8271071: accessibility of a table on macOS lacks cell navigation
|
||||||
|
- JDK-8271121: ZGC: stack overflow (segv) when -Xlog:gc+start=debug
|
||||||
|
- JDK-8271142: package help is not displayed for missing X11/extensions/Xrandr.h
|
||||||
|
- JDK-8271170: Add unit test for what jpackage app launcher puts in the environment
|
||||||
|
- JDK-8271215: Fix data races in G1PeriodicGCTask
|
||||||
|
- JDK-8271254: javac generates unreachable code when using empty semicolon statement
|
||||||
|
- JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected"
|
||||||
|
- JDK-8271308: (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call
|
||||||
|
- JDK-8271315: Redo: Nimbus JTree renderer properties persist across L&F changes
|
||||||
|
- JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1
|
||||||
|
- JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
|
||||||
|
- JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
|
||||||
|
- JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
|
||||||
|
- JDK-8271463: Updating RE Configs for Upcoming CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
|
||||||
|
- JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling
|
||||||
|
- JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine"
|
||||||
|
- JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions
|
||||||
|
- JDK-8271600: C2: CheckCastPP which should closely follow Allocate is sunk of a loop
|
||||||
|
- JDK-8271605: Update JMH devkit to 1.32
|
||||||
|
- JDK-8271718: Crash when during color transformation the color profile is replaced
|
||||||
|
- JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java can fail if G1 Full GC uses >1 workers
|
||||||
|
- JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in UnsafeIntrinsicsTest
|
||||||
|
- JDK-8271862: C2 intrinsic for Reference.refersTo() is often not used
|
||||||
|
- JDK-8271868: Warn user when using mac-sign option with unsigned app-image.
|
||||||
|
- JDK-8271895: UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18
|
||||||
|
- JDK-8271954: C2: assert(false) failed: Bad graph detected in build_loop_late
|
||||||
|
- JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java failed with Unexpected transfer size: 2147418112
|
||||||
|
- JDK-8272095: ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64
|
||||||
|
- JDK-8272114: Unused _last_state in osThread_windows
|
||||||
|
- JDK-8272170: Missing memory barrier when checking active state for regions
|
||||||
|
- JDK-8272305: several hotspot runtime/modules don't check exit codes
|
||||||
|
- JDK-8272318: Improve performance of HeapDumpAllTest
|
||||||
|
- JDK-8272328: java.library.path is not set properly by Windows jpackage app launcher
|
||||||
|
- JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes
|
||||||
|
- JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
|
||||||
|
- JDK-8272345: macos doesn't check `os::set_boot_path()` result
|
||||||
|
- JDK-8272369: java/io/File/GetXSpace.java failed with "RuntimeException: java.nio.file.NoSuchFileException: /run/user/0"
|
||||||
|
- JDK-8272391: Undeleted debug information
|
||||||
|
- JDK-8272413: Incorrect num of element count calculation for vector cast
|
||||||
|
- JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
|
||||||
|
- JDK-8272562: C2: assert(false) failed: Bad graph detected in build_loop_late
|
||||||
|
- JDK-8272570: C2: crash in PhaseCFG::global_code_motion
|
||||||
|
- JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late
|
||||||
|
- JDK-8272639: jpackaged applications using microphone on mac
|
||||||
|
- JDK-8272703: StressSeed should be set via FLAG_SET_ERGO
|
||||||
|
- JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit
|
||||||
|
- JDK-8272783: Epsilon: Refactor tests to improve performance
|
||||||
|
- JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests
|
||||||
|
- JDK-8272838: Move CriticalJNI tests out of tier1
|
||||||
|
- JDK-8272846: Move some runtime/Metaspace/elastic/ tests out of tier1
|
||||||
|
- JDK-8272850: Drop zapping values in the Zap* option descriptions
|
||||||
|
- JDK-8272854: split runtime/CommandLine/PrintTouchedMethods.java test
|
||||||
|
- JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag
|
||||||
|
- JDK-8272859: Javadoc external links should only have feature version number in URL
|
||||||
|
- JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups
|
||||||
|
- JDK-8272970: Parallelize runtime/InvocationTests/
|
||||||
|
- JDK-8272973: Incorrect compile command used by TestIllegalArrayCopyBeforeInfiniteLoop
|
||||||
|
- JDK-8273021: C2: Improve Add and Xor ideal optimizations
|
||||||
|
- JDK-8273026: Slow LoginContext.login() on multi threading application
|
||||||
|
- JDK-8273135: java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7
|
||||||
|
- JDK-8273165: GraphKit::combine_exception_states fails with "matching stack sizes" assert
|
||||||
|
- JDK-8273176: handle latest VS2019 in abstract_vm_version
|
||||||
|
- JDK-8273229: Update OS detection code to recognize Windows Server 2022
|
||||||
|
- JDK-8273234: extended 'for' with expression of type tvar causes the compiler to crash
|
||||||
|
- JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit
|
||||||
|
- JDK-8273278: Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT
|
||||||
|
- JDK-8273308: PatternMatchTest.java fails on CI
|
||||||
|
- JDK-8273314: Add tier4 test groups
|
||||||
|
- JDK-8273315: Parallelize and increase timeouts for java/foreign/TestMatrix.java test
|
||||||
|
- JDK-8273318: Some containers/docker/TestJFREvents.java configs are running out of memory
|
||||||
|
- JDK-8273333: Zero should warn about unimplemented -XX:+LogTouchedMethods
|
||||||
|
- JDK-8273335: compiler/blackhole tests should not run with interpreter-only VMs
|
||||||
|
- JDK-8273342: Null pointer dereference in classFileParser.cpp:2817
|
||||||
|
- JDK-8273359: CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size
|
||||||
|
- JDK-8273361: InfoOptsTest is failing in tier1
|
||||||
|
- JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero
|
||||||
|
- JDK-8273375: Remove redundant 'new String' calls after concatenation in java.desktop
|
||||||
|
- JDK-8273376: Zero: Disable vtable/itableStub gtests
|
||||||
|
- JDK-8273378: Shenandoah: Remove the remaining uses of os::is_MP
|
||||||
|
- JDK-8273408: java.lang.AssertionError: typeSig ERROR on generated class property of record
|
||||||
|
- JDK-8273416: C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1}
|
||||||
|
- JDK-8273440: Zero: Disable runtime/Unsafe/InternalErrorTest.java
|
||||||
|
- JDK-8273450: Fix the copyright header of SVML files
|
||||||
|
- JDK-8273451: Remove unreachable return in mutexLocker::wait
|
||||||
|
- JDK-8273483: Zero: Clear pending JNI exception check in native method handler
|
||||||
|
- JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM option
|
||||||
|
- JDK-8273487: Zero: Handle "zero" variant in runtime tests
|
||||||
|
- JDK-8273489: Zero: Handle UseHeavyMonitors on all monitorenter paths
|
||||||
|
- JDK-8273498: compiler/c2/Test7179138_1.java timed out
|
||||||
|
- JDK-8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes
|
||||||
|
- JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure
|
||||||
|
- JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated
|
||||||
|
- JDK-8273592: Backout JDK-8271868
|
||||||
|
- JDK-8273593: [REDO] Warn user when using mac-sign option with unsigned app-image.
|
||||||
|
- JDK-8273595: tools/jpackage tests do not work on apt-based Linux distros like Debian
|
||||||
|
- JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch
|
||||||
|
- JDK-8273614: Shenandoah: intermittent timeout with ConcurrentGCBreakpoint tests
|
||||||
|
- JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
|
||||||
|
- JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher
|
||||||
|
- JDK-8273678: TableAccessibility and TableRowAccessibility miss autorelease
|
||||||
|
- JDK-8273695: Safepoint deadlock on VMOperation_lock
|
||||||
|
- JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem
|
||||||
|
- JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly
|
||||||
|
- JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java
|
||||||
|
- JDK-8273808: Cleanup AddFontsToX11FontPath
|
||||||
|
- JDK-8273826: Correct Manifest file name and NPE checks
|
||||||
|
- JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out
|
||||||
|
- JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral
|
||||||
|
- JDK-8273902: Memory leak in OopStorage due to bug in OopHandle::release()
|
||||||
|
- JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
|
||||||
|
- JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported
|
||||||
|
- JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests in debug builds
|
||||||
|
- JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character
|
||||||
|
- JDK-8273965: some testlibrary_tests/ir_framework tests fail when c1 disabled
|
||||||
|
- JDK-8273968: JCK javax_xml tests fail in CI
|
||||||
|
- JDK-8274056: JavaAccessibilityUtilities leaks JNI objects
|
||||||
|
- JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM
|
||||||
|
- JDK-8274083: Update testing docs to mention tiered testing
|
||||||
|
- JDK-8274087: Windows DLL path not set correctly.
|
||||||
|
- JDK-8274145: C2: condition incorrectly made redundant with dominating main loop exit condition
|
||||||
|
- JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
|
||||||
|
- JDK-8274215: Remove globalsignr2ca root from 17.0.2
|
||||||
|
- JDK-8274242: Implement fast-path for ASCII-compatible CharsetEncoders on x86
|
||||||
|
- JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp
|
||||||
|
- JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated
|
||||||
|
- JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows after JDK-8234160
|
||||||
|
- JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
|
||||||
|
- JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern
|
||||||
|
- JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror"
|
||||||
|
- JDK-8274347: Passing a *nested* switch expression as a parameter causes an NPE during compile
|
||||||
|
- JDK-8274349: ForkJoinPool.commonPool() does not work with 1 CPU
|
||||||
|
- JDK-8274381: missing CAccessibility definitions in JNI code
|
||||||
|
- JDK-8274383: JNI call of getAccessibleSelection on a wrong thread
|
||||||
|
- JDK-8274401: C2: GraphKit::load_array_element bypasses Access API
|
||||||
|
- JDK-8274406: RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough"
|
||||||
|
- JDK-8274407: (tz) Update Timezone Data to 2021c
|
||||||
|
- JDK-8274435: EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl
|
||||||
|
- JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
|
||||||
|
- JDK-8274468: TimeZoneTest.java fails with tzdata2021b
|
||||||
|
- JDK-8274501: c2i entry barriers read int as long on AArch64
|
||||||
|
- JDK-8274521: jdk/jfr/event/gc/detailed/TestGCLockerEvent.java fails when other GC is selected
|
||||||
|
- JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah
|
||||||
|
- JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah
|
||||||
|
- JDK-8274550: c2i entry barriers read int as long on PPC
|
||||||
|
- JDK-8274560: JFR: Add test for OldObjectSample event when using Shenandoah
|
||||||
|
- JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test
|
||||||
|
- JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287
|
||||||
|
- JDK-8274716: JDWP Spec: the description for the Dispose command confuses suspend with resume.
|
||||||
|
- JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
|
||||||
|
- JDK-8274770: [PPC64] resolve_jobject needs a generic implementation to support load barriers
|
||||||
|
- JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform
|
||||||
|
- JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
|
||||||
|
- JDK-8274840: Update OS detection code to recognize Windows 11
|
||||||
|
- JDK-8274848: LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior
|
||||||
|
- JDK-8274851: [ppc64] Port zgc to linux on ppc64le
|
||||||
|
- JDK-8274942: AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155)
|
||||||
|
- JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11
|
||||||
|
- JDK-8275049: [ZGC] missing null check in ZNMethod::log_register
|
||||||
|
- JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag
|
||||||
|
- JDK-8275071: [macos] A11y cursor gets stuck when combobox is closed
|
||||||
|
- JDK-8275104: IR framework does not handle client VM builds correctly
|
||||||
|
- JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
|
||||||
|
- JDK-8275131: Exceptions after a touchpad gesture on macOS
|
||||||
|
- JDK-8275141: recover corrupted line endings for the version-numbers.conf
|
||||||
|
- JDK-8275145: file.encoding system property has an incorrect value on Windows
|
||||||
|
- JDK-8275226: Shenandoah: Relax memory constraint for worker claiming tasks/ranges
|
||||||
|
- JDK-8275302: unexpected compiler error: cast, intersection types and sealed
|
||||||
|
- JDK-8275426: PretouchTask num_chunks calculation can overflow
|
||||||
|
- JDK-8275604: Zero: Reformat opclabels_data
|
||||||
|
- JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java shouldn't have vm.flagless
|
||||||
|
- JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem
|
||||||
|
- JDK-8275720: CommonComponentAccessibility.createWithParent isWrapped causes mem leak
|
||||||
|
- JDK-8275766: (tz) Update Timezone Data to 2021e
|
||||||
|
- JDK-8275809: crash in [CommonComponentAccessibility getCAccessible:withEnv:]
|
||||||
|
- JDK-8275811: Incorrect instance to dispose
|
||||||
|
- JDK-8275819: [TableRowAccessibility accessibilityChildren] method is ineffective
|
||||||
|
- JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
|
||||||
|
- JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte encodings
|
||||||
|
- JDK-8275872: Sync J2DBench run and analyze Makefile targets with build.xml
|
||||||
|
- JDK-8276025: Hotspot's libsvml.so may conflict with user dependency
|
||||||
|
- JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance
|
||||||
|
- JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3
|
||||||
|
- JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly
|
||||||
|
- JDK-8276112: Inconsistent scalar replacement debug info at safepoints
|
||||||
|
- JDK-8276122: Change openjdk project in jcheck to jdk-updates
|
||||||
|
- JDK-8276130: Fix Github Actions of JDK17u to account for update version scheme
|
||||||
|
- JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
|
||||||
|
- JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32
|
||||||
|
- JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point
|
||||||
|
- JDK-8276205: Shenandoah: CodeCache_lock should always be held for initializing code cache iteration
|
||||||
|
- JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails intermittently on storage acquisition
|
||||||
|
- JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766
|
||||||
|
- JDK-8276550: Use SHA256 hash in build.tools.depend.Depend
|
||||||
|
- JDK-8276572: Fake libsyslookup.so library causes tooling issues
|
||||||
|
- JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie
|
||||||
|
- JDK-8276801: gc/stress/CriticalNativeStress.java fails intermittently with Shenandoah
|
||||||
|
- JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java fails due to disabled SecurityManager
|
||||||
|
- JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java fails on x86_32
|
||||||
|
- JDK-8276846: JDK-8273416 is incomplete for UseSSE=1
|
||||||
|
- JDK-8276854: Windows GHA builds fail due to broken Cygwin
|
||||||
|
- JDK-8276864: Update boot JDKs to 17.0.1 in GHA
|
||||||
|
- JDK-8276905: Use appropriate macosx_version_minimum value while compiling metal shaders
|
||||||
|
- JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le
|
||||||
|
- JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes
|
||||||
|
- JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element
|
||||||
|
- JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points
|
||||||
|
- JDK-8277195: missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest]
|
||||||
|
- JDK-8277212: GC accidentally cleans valid megamorphic vtable inline caches
|
||||||
|
- JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
|
||||||
|
- JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint
|
||||||
|
- JDK-8277981: String Deduplication table is never cleaned up due to bad dead_factor_for_cleanup
|
||||||
|
|
||||||
|
Notes on individual issues:
|
||||||
|
===========================
|
||||||
|
|
||||||
|
core-libs/java.io:serialization:
|
||||||
|
|
||||||
|
JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element
|
||||||
|
=========================================================================================
|
||||||
|
`java.util.Vector` is updated to correctly report
|
||||||
|
`ClassNotFoundException that occurs during deserialization using
|
||||||
|
`java.io.ObjectInputStream.GetField.get(name, object)` when the class
|
||||||
|
of an element of the Vector is not found. Without this fix, a
|
||||||
|
`StreamCorruptedException` is thrown that does not provide information
|
||||||
|
about the missing class.
|
||||||
|
|
||||||
|
security-libs/java.security:
|
||||||
|
|
||||||
|
JDK-8272535: Removed Google's GlobalSign Root Certificate
|
||||||
|
=========================================================
|
||||||
|
The following root certificate from Google has been removed from the
|
||||||
|
`cacerts` keystore:
|
||||||
|
|
||||||
|
Alias Name: globalsignr2ca [jdk]
|
||||||
|
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
|
||||||
|
|
||||||
|
core-libs/java.io:
|
||||||
|
|
||||||
|
JDK-8275343: file.encoding System Property Has an Incorrect Value on Windows
|
||||||
|
============================================================================
|
||||||
|
The initialization of the `file.encoding` system property on non macOS
|
||||||
|
platforms has been reverted to align with the behavior on or before
|
||||||
|
JDK 11. This has been an issue especially on Windows where the system
|
||||||
|
and user's locales are not the same.
|
||||||
|
|
||||||
|
hotspot/gc:
|
||||||
|
|
||||||
|
JDK-8277533: ZGC: Fixed long Process Non-Strong References times
|
||||||
|
================================================================
|
||||||
|
A bug has been fixed that could cause long "Concurrent Process
|
||||||
|
Non-Strong References" times with ZGC. The bug blocked the GC from
|
||||||
|
making significant progress, and caused both latency and throughput
|
||||||
|
issues for the Java application.
|
||||||
|
|
||||||
|
The long times could be seen in the GC logs when running with `-Xlog:gc*` e.g.
|
||||||
|
|
||||||
|
[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms
|
||||||
|
|
||||||
|
core-libs/java.time:
|
||||||
|
|
||||||
|
JDK-8274857: Update Timezone Data to 2021c
|
||||||
|
===========================================
|
||||||
|
IANA Time Zone Database, on which JDK's Date/Time libraries are based,
|
||||||
|
has been updated to version 2021c
|
||||||
|
(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note
|
||||||
|
that with this update, some of the time zone rules prior to the year
|
||||||
|
1970 have been modified according to the changes which were introduced
|
||||||
|
with 2021b. For more detail, refer to the announcement of 2021b
|
||||||
|
(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)
|
||||||
|
|
||||||
|
New in release OpenJDK 17.0.1 (2021-10-19):
|
||||||
|
===========================================
|
||||||
|
Live versions of these release notes can be found at:
|
||||||
|
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt
|
||||||
|
|
||||||
|
* Security fixes
|
||||||
|
- JDK-8263314: Enhance XML Dsig modes
|
||||||
|
- JDK-8265167, CVE-2021-35556: Richer Text Editors
|
||||||
|
- JDK-8265574: Improve handling of sheets
|
||||||
|
- JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
|
||||||
|
- JDK-8265776: Improve Stream handling for SSL
|
||||||
|
- JDK-8266097, CVE-2021-35561: Better hashing support
|
||||||
|
- JDK-8266103: Better specified spec values
|
||||||
|
- JDK-8266109: More Resilient Classloading
|
||||||
|
- JDK-8266115: More Manifest Jar Loading
|
||||||
|
- JDK-8266137, CVE-2021-35564: Improve Keystore integrity
|
||||||
|
- JDK-8266689, CVE-2021-35567: More Constrained Delegation
|
||||||
|
- JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
|
||||||
|
- JDK-8267712: Better LDAP reference processing
|
||||||
|
- JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
|
||||||
|
- JDK-8267735, CVE-2021-35586: Better BMP support
|
||||||
|
- JDK-8268193: Improve requests of certificates
|
||||||
|
- JDK-8268199: Correct certificate requests
|
||||||
|
- JDK-8268205: Enhance DTLS client handshake
|
||||||
|
- JDK-8268500: Better specified ParameterSpecs
|
||||||
|
- JDK-8268506: More Manifest Digests
|
||||||
|
- JDK-8269618, CVE-2021-35603: Better session identification
|
||||||
|
- JDK-8269624: Enhance method selection support
|
||||||
|
- JDK-8270398: Enhance canonicalization
|
||||||
|
- JDK-8270404: Better canonicalization
|
||||||
|
* Other changes
|
||||||
|
- JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
|
||||||
|
- JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
|
||||||
|
- JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
|
||||||
|
- JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations
|
||||||
|
- JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
|
||||||
|
- JDK-8263531: Remove unused buffer int
|
||||||
|
- JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java
|
||||||
|
- JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type
|
||||||
|
- JDK-8267666: Add option to jcmd GC.heap_dump to use existing file
|
||||||
|
- JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected
|
||||||
|
- JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info.
|
||||||
|
- JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance
|
||||||
|
- JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms
|
||||||
|
- JDK-8269297: Bump version numbers for JDK 17.0.1
|
||||||
|
- JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient
|
||||||
|
- JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events
|
||||||
|
- JDK-8269763: The JEditorPane is blank after JDK-8265167
|
||||||
|
- JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers
|
||||||
|
- JDK-8269882: stack-use-after-scope in NewObjectA
|
||||||
|
- JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible
|
||||||
|
- JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
|
||||||
|
- JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags
|
||||||
|
- JDK-8270094: Shenandoah: Provide human-readable labels for test configurations
|
||||||
|
- JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode
|
||||||
|
- JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert
|
||||||
|
- JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup
|
||||||
|
- JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
|
||||||
|
- JDK-8270344: Session resumption errors
|
||||||
|
- JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added
|
||||||
|
- JDK-8271276: C2: Wrong JVM state used for receiver null check
|
||||||
|
- JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4
|
||||||
|
- JDK-8271589: fatal error with variable shift count integer rotate operation.
|
||||||
|
- JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java
|
||||||
|
- JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests
|
||||||
|
- JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier
|
||||||
|
- JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
|
||||||
|
- JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
|
||||||
|
- JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails
|
||||||
|
- JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
|
||||||
|
- JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
|
||||||
|
- JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182
|
||||||
|
- JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used
|
||||||
|
- JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848
|
||||||
|
- JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
|
||||||
|
- JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed
|
||||||
|
- JDK-8273358: macOS Monterey does not have the font Times needed by Serif
|
||||||
|
|
||||||
|
Notes on individual issues:
|
||||||
|
===========================
|
||||||
|
|
||||||
|
security-libs/java.security:
|
||||||
|
|
||||||
|
JDK-8271434: Removed IdenTrust Root Certificate
|
||||||
|
===============================================
|
||||||
|
The following root certificate from IdenTrust has been removed from
|
||||||
|
the `cacerts` keystore:
|
||||||
|
|
||||||
|
Alias Name: identrustdstx3 [jdk]
|
||||||
|
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
|
||||||
|
|
||||||
New in release OpenJDK 17.0.0 (2021-09-14):
|
New in release OpenJDK 17.0.0 (2021-09-14):
|
||||||
===========================================
|
===========================================
|
||||||
The full list of changes in the interim releases from 11u to 17u can be found at:
|
The full list of changes in the interim releases from 11u to 17u can be found at:
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
[Desktop Entry]
|
[Desktop Entry]
|
||||||
Name=OpenJDK @JAVA_MAJOR_VERSION@ Monitoring & Management Console @ARCH@
|
Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
|
||||||
Comment=Monitor and manage OpenJDK @JAVA_MAJOR_VERSION@ applications for @ARCH@
|
Comment=Monitor and manage OpenJDK applications
|
||||||
Exec=@JAVA_HOME@/jconsole
|
Exec=_SDKBINDIR_/jconsole
|
||||||
Icon=java-@JAVA_MAJOR_VERSION@-@JAVA_VENDOR@
|
Icon=java-@JAVA_VER@-@JAVA_VENDOR@
|
||||||
Terminal=false
|
Terminal=false
|
||||||
Type=Application
|
Type=Application
|
||||||
StartupWMClass=sun-tools-jconsole-JConsole
|
StartupWMClass=sun-tools-jconsole-JConsole
|
||||||
|
@ -1,21 +0,0 @@
|
|||||||
commit e506cb23cfce35d1bc997d1e280f4dc40c9b3397
|
|
||||||
Author: Severin Gehwolf <sgehwolf@openjdk.org>
|
|
||||||
Date: Mon Aug 16 09:57:28 2021 +0000
|
|
||||||
|
|
||||||
8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
|
|
||||||
|
|
||||||
Backport-of: d38b31438dd4730ee2149c02277d60c35b9d7d81
|
|
||||||
|
|
||||||
diff --git openjdk.orig/make/modules/java.desktop/lib/Awt2dLibraries.gmk openjdk/make/modules/java.desktop/lib/Awt2dLibraries.gmk
|
|
||||||
index 4d0c0c00dbf..ef7eadae206 100644
|
|
||||||
--- openjdk.orig/make/modules/java.desktop/lib/Awt2dLibraries.gmk
|
|
||||||
+++ openjdk/make/modules/java.desktop/lib/Awt2dLibraries.gmk
|
|
||||||
@@ -435,7 +435,7 @@ endif
|
|
||||||
|
|
||||||
ifeq ($(USE_EXTERNAL_HARFBUZZ), true)
|
|
||||||
LIBFONTMANAGER_EXTRA_SRC =
|
|
||||||
- BUILD_LIBFONTMANAGER_FONTLIB += $(LIBHARFBUZZ_LIBS)
|
|
||||||
+ BUILD_LIBFONTMANAGER_FONTLIB += $(HARFBUZZ_LIBS)
|
|
||||||
else
|
|
||||||
LIBFONTMANAGER_EXTRA_SRC = libharfbuzz
|
|
||||||
|
|
26
SOURCES/jdk8275535-rh2053256-ldap_auth.patch
Normal file
26
SOURCES/jdk8275535-rh2053256-ldap_auth.patch
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
|
||||||
|
index 70903206ea0..09956084cf9 100644
|
||||||
|
--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
|
||||||
|
+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
|
||||||
|
@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
|
||||||
|
ctx = getLdapCtxFromUrl(
|
||||||
|
r.getDomainName(), url, new LdapURL(u), env);
|
||||||
|
return ctx;
|
||||||
|
+ } catch (AuthenticationException e) {
|
||||||
|
+ // do not retry on a different endpoint to avoid blocking
|
||||||
|
+ // the user if authentication credentials are wrong.
|
||||||
|
+ throw e;
|
||||||
|
} catch (NamingException e) {
|
||||||
|
// try the next element
|
||||||
|
lastException = e;
|
||||||
|
@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
|
||||||
|
for (String u : urls) {
|
||||||
|
try {
|
||||||
|
return getUsingURL(u, env);
|
||||||
|
+ } catch (AuthenticationException e) {
|
||||||
|
+ // do not retry on a different URL to avoid blocking
|
||||||
|
+ // the user if authentication credentials are wrong.
|
||||||
|
+ throw e;
|
||||||
|
} catch (NamingException e) {
|
||||||
|
ex = e;
|
||||||
|
}
|
@ -1,6 +1,6 @@
|
|||||||
name = NSS-FIPS
|
name = NSS-FIPS
|
||||||
nssLibraryDirectory = @NSS_LIBDIR@
|
nssLibraryDirectory = @NSS_LIBDIR@
|
||||||
nssSecmodDirectory = @NSS_SECMOD@
|
nssSecmodDirectory = sql:/etc/pki/nssdb
|
||||||
nssDbMode = readOnly
|
nssDbMode = readOnly
|
||||||
nssModule = fips
|
nssModule = fips
|
||||||
|
|
||||||
|
579
SOURCES/rh1991003-enable_fips_keys_import.patch
Normal file
579
SOURCES/rh1991003-enable_fips_keys_import.patch
Normal file
@ -0,0 +1,579 @@
|
|||||||
|
commit abcd0954643eddbf826d96291d44a143038ab750
|
||||||
|
Author: Martin Balao <mbalao@redhat.com>
|
||||||
|
Date: Sun Oct 10 18:14:01 2021 +0100
|
||||||
|
|
||||||
|
RH1991003: Enable the import of plain keys into the NSS software token.
|
||||||
|
|
||||||
|
This can be individually disabled using -Dcom.redhat.fips.plainKeySupport=false
|
||||||
|
|
||||||
|
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
|
||||||
|
index ce32c939253..dc7020ce668 100644
|
||||||
|
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
|
||||||
|
+++ openjdk/src/java.base/share/classes/java/security/Security.java
|
||||||
|
@@ -82,6 +82,10 @@ public final class Security {
|
||||||
|
public boolean isSystemFipsEnabled() {
|
||||||
|
return SystemConfigurator.isSystemFipsEnabled();
|
||||||
|
}
|
||||||
|
+ @Override
|
||||||
|
+ public boolean isPlainKeySupportEnabled() {
|
||||||
|
+ return SystemConfigurator.isPlainKeySupportEnabled();
|
||||||
|
+ }
|
||||||
|
});
|
||||||
|
|
||||||
|
// doPrivileged here because there are multiple
|
||||||
|
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||||
|
index 6aa1419dfd0..ecab722848e 100644
|
||||||
|
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||||
|
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||||
|
@@ -55,6 +55,7 @@ final class SystemConfigurator {
|
||||||
|
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
|
||||||
|
|
||||||
|
private static boolean systemFipsEnabled = false;
|
||||||
|
+ private static boolean plainKeySupportEnabled = false;
|
||||||
|
|
||||||
|
private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
|
||||||
|
|
||||||
|
@@ -150,6 +151,16 @@ final class SystemConfigurator {
|
||||||
|
}
|
||||||
|
loadedProps = true;
|
||||||
|
systemFipsEnabled = true;
|
||||||
|
+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
|
||||||
|
+ "true");
|
||||||
|
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
|
||||||
|
+ if (sdebug != null) {
|
||||||
|
+ if (plainKeySupportEnabled) {
|
||||||
|
+ sdebug.println("FIPS support enabled with plain key support");
|
||||||
|
+ } else {
|
||||||
|
+ sdebug.println("FIPS support enabled without plain key support");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
} catch (Exception e) {
|
||||||
|
if (sdebug != null) {
|
||||||
|
@@ -177,6 +188,19 @@ final class SystemConfigurator {
|
||||||
|
return systemFipsEnabled;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /**
|
||||||
|
+ * Returns {@code true} if system FIPS alignment is enabled
|
||||||
|
+ * and plain key support is allowed. Plain key support is
|
||||||
|
+ * enabled by default but can be disabled with
|
||||||
|
+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
|
||||||
|
+ *
|
||||||
|
+ * @return a boolean indicating whether plain key support
|
||||||
|
+ * should be enabled.
|
||||||
|
+ */
|
||||||
|
+ static boolean isPlainKeySupportEnabled() {
|
||||||
|
+ return plainKeySupportEnabled;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* OpenJDK FIPS mode will be enabled only if the com.redhat.fips
|
||||||
|
* system property is true (default) and the system is in FIPS mode.
|
||||||
|
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
|
||||||
|
index a31e93ec02e..3f3caac64dc 100644
|
||||||
|
--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
|
||||||
|
+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
|
||||||
|
@@ -27,4 +27,5 @@ package jdk.internal.access;
|
||||||
|
|
||||||
|
public interface JavaSecuritySystemConfiguratorAccess {
|
||||||
|
boolean isSystemFipsEnabled();
|
||||||
|
+ boolean isPlainKeySupportEnabled();
|
||||||
|
}
|
||||||
|
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..bee3a1e1537
|
||||||
|
--- /dev/null
|
||||||
|
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
||||||
|
@@ -0,0 +1,291 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright (c) 2021, Red Hat, Inc.
|
||||||
|
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
|
+ *
|
||||||
|
+ * This code is free software; you can redistribute it and/or modify it
|
||||||
|
+ * under the terms of the GNU General Public License version 2 only, as
|
||||||
|
+ * published by the Free Software Foundation. Oracle designates this
|
||||||
|
+ * particular file as subject to the "Classpath" exception as provided
|
||||||
|
+ * by Oracle in the LICENSE file that accompanied this code.
|
||||||
|
+ *
|
||||||
|
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
||||||
|
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
+ * version 2 for more details (a copy is included in the LICENSE file that
|
||||||
|
+ * accompanied this code).
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License version
|
||||||
|
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
||||||
|
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
+ *
|
||||||
|
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||||
|
+ * or visit www.oracle.com if you need additional information or have any
|
||||||
|
+ * questions.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+package sun.security.pkcs11;
|
||||||
|
+
|
||||||
|
+import java.math.BigInteger;
|
||||||
|
+import java.security.KeyFactory;
|
||||||
|
+import java.security.Provider;
|
||||||
|
+import java.security.Security;
|
||||||
|
+import java.util.HashMap;
|
||||||
|
+import java.util.Map;
|
||||||
|
+import java.util.concurrent.locks.ReentrantLock;
|
||||||
|
+
|
||||||
|
+import javax.crypto.Cipher;
|
||||||
|
+import javax.crypto.spec.DHPrivateKeySpec;
|
||||||
|
+import javax.crypto.spec.IvParameterSpec;
|
||||||
|
+
|
||||||
|
+import sun.security.jca.JCAUtil;
|
||||||
|
+import sun.security.pkcs11.TemplateManager;
|
||||||
|
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
|
||||||
|
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
|
||||||
|
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
||||||
|
+import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
|
||||||
|
+import sun.security.pkcs11.wrapper.PKCS11Exception;
|
||||||
|
+import sun.security.rsa.RSAUtil.KeyType;
|
||||||
|
+import sun.security.util.Debug;
|
||||||
|
+import sun.security.util.ECUtil;
|
||||||
|
+
|
||||||
|
+final class FIPSKeyImporter {
|
||||||
|
+
|
||||||
|
+ private static final Debug debug =
|
||||||
|
+ Debug.getInstance("sunpkcs11");
|
||||||
|
+
|
||||||
|
+ private static P11Key importerKey = null;
|
||||||
|
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
|
||||||
|
+ private static CK_MECHANISM importerKeyMechanism = null;
|
||||||
|
+ private static Cipher importerCipher = null;
|
||||||
|
+
|
||||||
|
+ private static Provider sunECProvider = null;
|
||||||
|
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
|
||||||
|
+
|
||||||
|
+ private static KeyFactory DHKF = null;
|
||||||
|
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
|
||||||
|
+
|
||||||
|
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
|
||||||
|
+ throws PKCS11Exception {
|
||||||
|
+ long keyID = -1;
|
||||||
|
+ Token token = sunPKCS11.getToken();
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Private or Secret key will be imported in" +
|
||||||
|
+ " system FIPS mode.");
|
||||||
|
+ }
|
||||||
|
+ if (importerKey == null) {
|
||||||
|
+ importerKeyLock.lock();
|
||||||
|
+ try {
|
||||||
|
+ if (importerKey == null) {
|
||||||
|
+ if (importerKeyMechanism == null) {
|
||||||
|
+ // Importer Key creation has not been tried yet. Try it.
|
||||||
|
+ createImporterKey(token);
|
||||||
|
+ }
|
||||||
|
+ if (importerKey == null || importerCipher == null) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Importer Key could not be" +
|
||||||
|
+ " generated.");
|
||||||
|
+ }
|
||||||
|
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
|
||||||
|
+ }
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Importer Key successfully" +
|
||||||
|
+ " generated.");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ } finally {
|
||||||
|
+ importerKeyLock.unlock();
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ long importerKeyID = importerKey.getKeyID();
|
||||||
|
+ try {
|
||||||
|
+ byte[] keyBytes = null;
|
||||||
|
+ byte[] encKeyBytes = null;
|
||||||
|
+ long keyClass = 0L;
|
||||||
|
+ long keyType = 0L;
|
||||||
|
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
|
||||||
|
+ for (CK_ATTRIBUTE attr : attributes) {
|
||||||
|
+ if (attr.type == CKA_CLASS) {
|
||||||
|
+ keyClass = attr.getLong();
|
||||||
|
+ } else if (attr.type == CKA_KEY_TYPE) {
|
||||||
|
+ keyType = attr.getLong();
|
||||||
|
+ }
|
||||||
|
+ attrsMap.put(attr.type, attr);
|
||||||
|
+ }
|
||||||
|
+ BigInteger v = null;
|
||||||
|
+ if (keyClass == CKO_PRIVATE_KEY) {
|
||||||
|
+ if (keyType == CKK_RSA) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Importing an RSA private key...");
|
||||||
|
+ }
|
||||||
|
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
|
||||||
|
+ KeyType.RSA,
|
||||||
|
+ null,
|
||||||
|
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO
|
||||||
|
+ ).getEncoded();
|
||||||
|
+ } else if (keyType == CKK_DSA) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Importing a DSA private key...");
|
||||||
|
+ }
|
||||||
|
+ keyBytes = new sun.security.provider.DSAPrivateKey(
|
||||||
|
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO
|
||||||
|
+ ).getEncoded();
|
||||||
|
+ if (token.config.getNssNetscapeDbWorkaround() &&
|
||||||
|
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
|
||||||
|
+ attrsMap.put(CKA_NETSCAPE_DB,
|
||||||
|
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
|
||||||
|
+ }
|
||||||
|
+ } else if (keyType == CKK_EC) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Importing an EC private key...");
|
||||||
|
+ }
|
||||||
|
+ if (sunECProvider == null) {
|
||||||
|
+ sunECProviderLock.lock();
|
||||||
|
+ try {
|
||||||
|
+ if (sunECProvider == null) {
|
||||||
|
+ sunECProvider = Security.getProvider("SunEC");
|
||||||
|
+ }
|
||||||
|
+ } finally {
|
||||||
|
+ sunECProviderLock.unlock();
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ keyBytes = ECUtil.generateECPrivateKey(
|
||||||
|
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ECUtil.getECParameterSpec(sunECProvider,
|
||||||
|
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
|
||||||
|
+ .getEncoded();
|
||||||
|
+ if (token.config.getNssNetscapeDbWorkaround() &&
|
||||||
|
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
|
||||||
|
+ attrsMap.put(CKA_NETSCAPE_DB,
|
||||||
|
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
|
||||||
|
+ }
|
||||||
|
+ } else if (keyType == CKK_DH) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Importing a Diffie-Hellman private key...");
|
||||||
|
+ }
|
||||||
|
+ if (DHKF == null) {
|
||||||
|
+ DHKFLock.lock();
|
||||||
|
+ try {
|
||||||
|
+ if (DHKF == null) {
|
||||||
|
+ DHKF = KeyFactory.getInstance(
|
||||||
|
+ "DH", P11Util.getSunJceProvider());
|
||||||
|
+ }
|
||||||
|
+ } finally {
|
||||||
|
+ DHKFLock.unlock();
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
|
||||||
|
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO,
|
||||||
|
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
|
||||||
|
+ ? v : BigInteger.ZERO);
|
||||||
|
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
|
||||||
|
+ if (token.config.getNssNetscapeDbWorkaround() &&
|
||||||
|
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
|
||||||
|
+ attrsMap.put(CKA_NETSCAPE_DB,
|
||||||
|
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Unrecognized private key type.");
|
||||||
|
+ }
|
||||||
|
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
|
||||||
|
+ }
|
||||||
|
+ } else if (keyClass == CKO_SECRET_KEY) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Importing a secret key...");
|
||||||
|
+ }
|
||||||
|
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
|
||||||
|
+ }
|
||||||
|
+ if (keyBytes == null || keyBytes.length == 0) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Private or secret key plain bytes could" +
|
||||||
|
+ " not be obtained. Import failed.");
|
||||||
|
+ }
|
||||||
|
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
|
||||||
|
+ }
|
||||||
|
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
|
||||||
|
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
|
||||||
|
+ null);
|
||||||
|
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
|
||||||
|
+ attrsMap.values().toArray(attributes);
|
||||||
|
+ encKeyBytes = importerCipher.doFinal(keyBytes);
|
||||||
|
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
|
||||||
|
+ keyClass, keyType, attributes);
|
||||||
|
+ keyID = token.p11.C_UnwrapKey(hSession,
|
||||||
|
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Imported key ID: " + keyID);
|
||||||
|
+ }
|
||||||
|
+ } catch (Throwable t) {
|
||||||
|
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
|
||||||
|
+ } finally {
|
||||||
|
+ importerKey.releaseKeyID();
|
||||||
|
+ }
|
||||||
|
+ return Long.valueOf(keyID);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ private static void createImporterKey(Token token) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Generating Importer Key...");
|
||||||
|
+ }
|
||||||
|
+ byte[] iv = new byte[16];
|
||||||
|
+ JCAUtil.getSecureRandom().nextBytes(iv);
|
||||||
|
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
|
||||||
|
+ try {
|
||||||
|
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
|
||||||
|
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
|
||||||
|
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
|
||||||
|
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
|
||||||
|
+ Session s = null;
|
||||||
|
+ try {
|
||||||
|
+ s = token.getObjSession();
|
||||||
|
+ long keyID = token.p11.C_GenerateKey(
|
||||||
|
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
|
||||||
|
+ attributes);
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Importer Key ID: " + keyID);
|
||||||
|
+ }
|
||||||
|
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
|
||||||
|
+ 256 >> 3, null);
|
||||||
|
+ } catch (PKCS11Exception e) {
|
||||||
|
+ // best effort
|
||||||
|
+ } finally {
|
||||||
|
+ token.releaseSession(s);
|
||||||
|
+ }
|
||||||
|
+ if (importerKey != null) {
|
||||||
|
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||||
|
+ }
|
||||||
|
+ } catch (Throwable t) {
|
||||||
|
+ // best effort
|
||||||
|
+ importerKey = null;
|
||||||
|
+ importerCipher = null;
|
||||||
|
+ // importerKeyMechanism value is kept initialized to indicate that
|
||||||
|
+ // Importer Key creation has been tried and failed.
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
|
index 5d3963ea893..42c72b393fd 100644
|
||||||
|
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
|
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
|
@@ -26,6 +26,9 @@
|
||||||
|
package sun.security.pkcs11;
|
||||||
|
|
||||||
|
import java.io.*;
|
||||||
|
+import java.lang.invoke.MethodHandle;
|
||||||
|
+import java.lang.invoke.MethodHandles;
|
||||||
|
+import java.lang.invoke.MethodType;
|
||||||
|
import java.util.*;
|
||||||
|
|
||||||
|
import java.security.*;
|
||||||
|
@@ -66,6 +69,26 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
|
private static final boolean systemFipsEnabled = SharedSecrets
|
||||||
|
.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
|
||||||
|
|
||||||
|
+ private static final boolean plainKeySupportEnabled = SharedSecrets
|
||||||
|
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
|
||||||
|
+
|
||||||
|
+ private static final MethodHandle fipsImportKey;
|
||||||
|
+ static {
|
||||||
|
+ MethodHandle fipsImportKeyTmp = null;
|
||||||
|
+ if (plainKeySupportEnabled) {
|
||||||
|
+ try {
|
||||||
|
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
|
||||||
|
+ FIPSKeyImporter.class, "importKey",
|
||||||
|
+ MethodType.methodType(Long.class, SunPKCS11.class,
|
||||||
|
+ long.class, CK_ATTRIBUTE[].class));
|
||||||
|
+ } catch (Throwable t) {
|
||||||
|
+ throw new SecurityException("FIPS key importer initialization" +
|
||||||
|
+ " failed", t);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ fipsImportKey = fipsImportKeyTmp;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
private static final long serialVersionUID = -1354835039035306505L;
|
||||||
|
|
||||||
|
static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||||
|
@@ -324,10 +347,15 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
|
// request multithreaded access first
|
||||||
|
initArgs.flags = CKF_OS_LOCKING_OK;
|
||||||
|
PKCS11 tmpPKCS11;
|
||||||
|
+ MethodHandle fipsKeyImporter = null;
|
||||||
|
+ if (plainKeySupportEnabled) {
|
||||||
|
+ fipsKeyImporter = MethodHandles.insertArguments(
|
||||||
|
+ fipsImportKey, 0, this);
|
||||||
|
+ }
|
||||||
|
try {
|
||||||
|
tmpPKCS11 = PKCS11.getInstance(
|
||||||
|
library, functionList, initArgs,
|
||||||
|
- config.getOmitInitialize());
|
||||||
|
+ config.getOmitInitialize(), fipsKeyImporter);
|
||||||
|
} catch (PKCS11Exception e) {
|
||||||
|
if (debug != null) {
|
||||||
|
debug.println("Multi-threaded initialization failed: " + e);
|
||||||
|
@@ -343,7 +371,7 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
|
initArgs.flags = 0;
|
||||||
|
}
|
||||||
|
tmpPKCS11 = PKCS11.getInstance(library,
|
||||||
|
- functionList, initArgs, config.getOmitInitialize());
|
||||||
|
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
|
||||||
|
}
|
||||||
|
p11 = tmpPKCS11;
|
||||||
|
|
||||||
|
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
||||||
|
index 5c0aacd1a67..4d80145cb91 100644
|
||||||
|
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
||||||
|
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
||||||
|
@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
|
||||||
|
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.IOException;
|
||||||
|
+import java.lang.invoke.MethodHandle;
|
||||||
|
import java.util.*;
|
||||||
|
|
||||||
|
import java.security.AccessController;
|
||||||
|
@@ -152,16 +153,28 @@ public class PKCS11 {
|
||||||
|
|
||||||
|
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
|
||||||
|
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
|
||||||
|
- boolean omitInitialize) throws IOException, PKCS11Exception {
|
||||||
|
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
|
||||||
|
+ throws IOException, PKCS11Exception {
|
||||||
|
// we may only call C_Initialize once per native .so/.dll
|
||||||
|
// so keep a cache using the (non-canonicalized!) path
|
||||||
|
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
|
||||||
|
if (pkcs11 == null) {
|
||||||
|
+ boolean nssFipsMode = fipsKeyImporter != null;
|
||||||
|
if ((pInitArgs != null)
|
||||||
|
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
|
||||||
|
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
|
||||||
|
+ if (nssFipsMode) {
|
||||||
|
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
|
||||||
|
+ fipsKeyImporter);
|
||||||
|
+ } else {
|
||||||
|
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
|
||||||
|
+ if (nssFipsMode) {
|
||||||
|
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
|
||||||
|
+ functionList, fipsKeyImporter);
|
||||||
|
+ } else {
|
||||||
|
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
if (omitInitialize == false) {
|
||||||
|
try {
|
||||||
|
@@ -1911,4 +1924,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
|
||||||
|
super.C_GenerateRandom(hSession, randomData);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+// PKCS11 subclass that allows using plain private or secret keys in
|
||||||
|
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
|
||||||
|
+// is enabled.
|
||||||
|
+static class FIPSPKCS11 extends PKCS11 {
|
||||||
|
+ private MethodHandle fipsKeyImporter;
|
||||||
|
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
|
||||||
|
+ MethodHandle fipsKeyImporter) throws IOException {
|
||||||
|
+ super(pkcs11ModulePath, functionListName);
|
||||||
|
+ this.fipsKeyImporter = fipsKeyImporter;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ public synchronized long C_CreateObject(long hSession,
|
||||||
|
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
|
||||||
|
+ // Creating sensitive key objects from plain key material in a
|
||||||
|
+ // FIPS-configured NSS Software Token is not allowed. We apply
|
||||||
|
+ // a key-unwrapping scheme to achieve so.
|
||||||
|
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
|
||||||
|
+ try {
|
||||||
|
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
|
||||||
|
+ .longValue();
|
||||||
|
+ } catch (Throwable t) {
|
||||||
|
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return super.C_CreateObject(hSession, pTemplate);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// FIPSPKCS11 synchronized counterpart.
|
||||||
|
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
|
||||||
|
+ private MethodHandle fipsKeyImporter;
|
||||||
|
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
|
||||||
|
+ MethodHandle fipsKeyImporter) throws IOException {
|
||||||
|
+ super(pkcs11ModulePath, functionListName);
|
||||||
|
+ this.fipsKeyImporter = fipsKeyImporter;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ public synchronized long C_CreateObject(long hSession,
|
||||||
|
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
|
||||||
|
+ // See FIPSPKCS11::C_CreateObject.
|
||||||
|
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
|
||||||
|
+ try {
|
||||||
|
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
|
||||||
|
+ .longValue();
|
||||||
|
+ } catch (Throwable t) {
|
||||||
|
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return super.C_CreateObject(hSession, pTemplate);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+private static class FIPSPKCS11Helper {
|
||||||
|
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
|
||||||
|
+ for (CK_ATTRIBUTE attr : pTemplate) {
|
||||||
|
+ if (attr.type == CKA_CLASS &&
|
||||||
|
+ (attr.getLong() == CKO_PRIVATE_KEY ||
|
||||||
|
+ attr.getLong() == CKO_SECRET_KEY)) {
|
||||||
|
+ return true;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
}
|
||||||
|
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
|
||||||
|
index e2d6d371bec..dc5e7eefdd3 100644
|
||||||
|
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
|
||||||
|
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
|
||||||
|
@@ -219,6 +219,14 @@ public class PKCS11Exception extends Exception {
|
||||||
|
return "0x" + Functions.toFullHexString((int)errorCode);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /**
|
||||||
|
+ * Constructor taking the error code (the CKR_* constants in PKCS#11) with
|
||||||
|
+ * no extra info for the error message.
|
||||||
|
+ */
|
||||||
|
+ public PKCS11Exception(long errorCode) {
|
||||||
|
+ this(errorCode, null);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* Constructor taking the error code (the CKR_* constants in PKCS#11) and
|
||||||
|
* extra info for error message.
|
@ -1,18 +1,18 @@
|
|||||||
diff --git openjdk/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
|
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
|
||||||
index 9d4a794de1a..39e69362458 100644
|
index 63bb580eb3a..238735c0c8c 100644
|
||||||
--- openjdk/src/java.base/share/classes/module-info.java
|
--- openjdk.orig/src/java.base/share/classes/module-info.java
|
||||||
+++ openjdk/src/java.base/share/classes/module-info.java
|
+++ openjdk/src/java.base/share/classes/module-info.java
|
||||||
@@ -151,6 +151,7 @@ module java.base {
|
@@ -152,6 +152,7 @@ module java.base {
|
||||||
java.management,
|
|
||||||
java.naming,
|
java.naming,
|
||||||
java.rmi,
|
java.rmi,
|
||||||
|
jdk.charsets,
|
||||||
+ jdk.crypto.ec,
|
+ jdk.crypto.ec,
|
||||||
jdk.jartool,
|
jdk.jartool,
|
||||||
jdk.jlink,
|
jdk.jlink,
|
||||||
jdk.net,
|
jdk.net,
|
||||||
diff --git openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
|
diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
|
||||||
index 912cad59714..c5e13c98bd9 100644
|
index 912cad59714..7cb5ebcde51 100644
|
||||||
--- openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
|
--- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java
|
||||||
+++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
|
+++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
|
||||||
@@ -30,6 +30,7 @@ import java.net.*;
|
@@ -30,6 +30,7 @@ import java.net.*;
|
||||||
import java.util.*;
|
import java.util.*;
|
||||||
@ -52,149 +52,7 @@ index 912cad59714..c5e13c98bd9 100644
|
|||||||
- if (NativePRNG.NonBlocking.isAvailable()) {
|
- if (NativePRNG.NonBlocking.isAvailable()) {
|
||||||
- add(p, "SecureRandom", "NativePRNGNonBlocking",
|
- add(p, "SecureRandom", "NativePRNGNonBlocking",
|
||||||
- "sun.security.provider.NativePRNG$NonBlocking", attrs);
|
- "sun.security.provider.NativePRNG$NonBlocking", attrs);
|
||||||
+ if (!systemFipsEnabled) {
|
- }
|
||||||
+ /*
|
|
||||||
+ * SecureRandom engines
|
|
||||||
+ */
|
|
||||||
+ attrs.put("ThreadSafe", "true");
|
|
||||||
+ if (NativePRNG.isAvailable()) {
|
|
||||||
+ add(p, "SecureRandom", "NativePRNG",
|
|
||||||
+ "sun.security.provider.NativePRNG", attrs);
|
|
||||||
+ }
|
|
||||||
+ if (NativePRNG.Blocking.isAvailable()) {
|
|
||||||
+ add(p, "SecureRandom", "NativePRNGBlocking",
|
|
||||||
+ "sun.security.provider.NativePRNG$Blocking", attrs);
|
|
||||||
+ }
|
|
||||||
+ if (NativePRNG.NonBlocking.isAvailable()) {
|
|
||||||
+ add(p, "SecureRandom", "NativePRNGNonBlocking",
|
|
||||||
+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
|
|
||||||
+ }
|
|
||||||
+ attrs.put("ImplementedIn", "Software");
|
|
||||||
+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
|
|
||||||
+ add(p, "SecureRandom", "SHA1PRNG",
|
|
||||||
+ "sun.security.provider.SecureRandom", attrs);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Signature engines
|
|
||||||
+ */
|
|
||||||
+ attrs.clear();
|
|
||||||
+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
|
|
||||||
+ "|java.security.interfaces.DSAPrivateKey";
|
|
||||||
+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
|
|
||||||
+ attrs.put("ImplementedIn", "Software");
|
|
||||||
+
|
|
||||||
+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
|
|
||||||
+
|
|
||||||
+ addWithAlias(p, "Signature", "SHA1withDSA",
|
|
||||||
+ "sun.security.provider.DSA$SHA1withDSA", attrs);
|
|
||||||
+ addWithAlias(p, "Signature", "NONEwithDSA",
|
|
||||||
+ "sun.security.provider.DSA$RawDSA", attrs);
|
|
||||||
+
|
|
||||||
+ // for DSA signatures with 224/256-bit digests
|
|
||||||
+ attrs.put("KeySize", "2048");
|
|
||||||
+
|
|
||||||
+ addWithAlias(p, "Signature", "SHA224withDSA",
|
|
||||||
+ "sun.security.provider.DSA$SHA224withDSA", attrs);
|
|
||||||
+ addWithAlias(p, "Signature", "SHA256withDSA",
|
|
||||||
+ "sun.security.provider.DSA$SHA256withDSA", attrs);
|
|
||||||
+
|
|
||||||
+ addWithAlias(p, "Signature", "SHA3-224withDSA",
|
|
||||||
+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
|
|
||||||
+ addWithAlias(p, "Signature", "SHA3-256withDSA",
|
|
||||||
+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
|
|
||||||
+
|
|
||||||
+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
|
|
||||||
+
|
|
||||||
+ addWithAlias(p, "Signature", "SHA384withDSA",
|
|
||||||
+ "sun.security.provider.DSA$SHA384withDSA", attrs);
|
|
||||||
+ addWithAlias(p, "Signature", "SHA512withDSA",
|
|
||||||
+ "sun.security.provider.DSA$SHA512withDSA", attrs);
|
|
||||||
+ addWithAlias(p, "Signature", "SHA3-384withDSA",
|
|
||||||
+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
|
|
||||||
+ addWithAlias(p, "Signature", "SHA3-512withDSA",
|
|
||||||
+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
|
|
||||||
+
|
|
||||||
+ attrs.remove("KeySize");
|
|
||||||
+
|
|
||||||
+ add(p, "Signature", "SHA1withDSAinP1363Format",
|
|
||||||
+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
|
|
||||||
+ add(p, "Signature", "NONEwithDSAinP1363Format",
|
|
||||||
+ "sun.security.provider.DSA$RawDSAinP1363Format");
|
|
||||||
+ add(p, "Signature", "SHA224withDSAinP1363Format",
|
|
||||||
+ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
|
|
||||||
+ add(p, "Signature", "SHA256withDSAinP1363Format",
|
|
||||||
+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
|
|
||||||
+ add(p, "Signature", "SHA384withDSAinP1363Format",
|
|
||||||
+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
|
|
||||||
+ add(p, "Signature", "SHA512withDSAinP1363Format",
|
|
||||||
+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
|
|
||||||
+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
|
|
||||||
+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
|
|
||||||
+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
|
|
||||||
+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
|
|
||||||
+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
|
|
||||||
+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
|
|
||||||
+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
|
|
||||||
+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
|
|
||||||
+ /*
|
|
||||||
+ * Key Pair Generator engines
|
|
||||||
+ */
|
|
||||||
+ attrs.clear();
|
|
||||||
+ attrs.put("ImplementedIn", "Software");
|
|
||||||
+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
|
|
||||||
+
|
|
||||||
+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
|
|
||||||
+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
|
|
||||||
+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Algorithm Parameter Generator engines
|
|
||||||
+ */
|
|
||||||
+ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
|
|
||||||
+ "sun.security.provider.DSAParameterGenerator", attrs);
|
|
||||||
+ attrs.remove("KeySize");
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Algorithm Parameter engines
|
|
||||||
+ */
|
|
||||||
+ addWithAlias(p, "AlgorithmParameters", "DSA",
|
|
||||||
+ "sun.security.provider.DSAParameters", attrs);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Key factories
|
|
||||||
+ */
|
|
||||||
+ addWithAlias(p, "KeyFactory", "DSA",
|
|
||||||
+ "sun.security.provider.DSAKeyFactory", attrs);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Digest engines
|
|
||||||
+ */
|
|
||||||
+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
|
|
||||||
+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
|
|
||||||
+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
|
|
||||||
+ attrs);
|
|
||||||
+
|
|
||||||
+ addWithAlias(p, "MessageDigest", "SHA-224",
|
|
||||||
+ "sun.security.provider.SHA2$SHA224", attrs);
|
|
||||||
+ addWithAlias(p, "MessageDigest", "SHA-256",
|
|
||||||
+ "sun.security.provider.SHA2$SHA256", attrs);
|
|
||||||
+ addWithAlias(p, "MessageDigest", "SHA-384",
|
|
||||||
+ "sun.security.provider.SHA5$SHA384", attrs);
|
|
||||||
+ addWithAlias(p, "MessageDigest", "SHA-512",
|
|
||||||
+ "sun.security.provider.SHA5$SHA512", attrs);
|
|
||||||
+ addWithAlias(p, "MessageDigest", "SHA-512/224",
|
|
||||||
+ "sun.security.provider.SHA5$SHA512_224", attrs);
|
|
||||||
+ addWithAlias(p, "MessageDigest", "SHA-512/256",
|
|
||||||
+ "sun.security.provider.SHA5$SHA512_256", attrs);
|
|
||||||
+ addWithAlias(p, "MessageDigest", "SHA3-224",
|
|
||||||
+ "sun.security.provider.SHA3$SHA224", attrs);
|
|
||||||
+ addWithAlias(p, "MessageDigest", "SHA3-256",
|
|
||||||
+ "sun.security.provider.SHA3$SHA256", attrs);
|
|
||||||
+ addWithAlias(p, "MessageDigest", "SHA3-384",
|
|
||||||
+ "sun.security.provider.SHA3$SHA384", attrs);
|
|
||||||
+ addWithAlias(p, "MessageDigest", "SHA3-512",
|
|
||||||
+ "sun.security.provider.SHA3$SHA512", attrs);
|
|
||||||
}
|
|
||||||
- attrs.put("ImplementedIn", "Software");
|
- attrs.put("ImplementedIn", "Software");
|
||||||
- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
|
- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
|
||||||
- add(p, "SecureRandom", "SHA1PRNG",
|
- add(p, "SecureRandom", "SHA1PRNG",
|
||||||
@ -268,30 +126,133 @@ index 912cad59714..c5e13c98bd9 100644
|
|||||||
- attrs.clear();
|
- attrs.clear();
|
||||||
- attrs.put("ImplementedIn", "Software");
|
- attrs.put("ImplementedIn", "Software");
|
||||||
- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
|
- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
|
||||||
-
|
+ if (!systemFipsEnabled) {
|
||||||
|
+ /*
|
||||||
|
+ * SecureRandom engines
|
||||||
|
+ */
|
||||||
|
+ attrs.put("ThreadSafe", "true");
|
||||||
|
+ if (NativePRNG.isAvailable()) {
|
||||||
|
+ add(p, "SecureRandom", "NativePRNG",
|
||||||
|
+ "sun.security.provider.NativePRNG", attrs);
|
||||||
|
+ }
|
||||||
|
+ if (NativePRNG.Blocking.isAvailable()) {
|
||||||
|
+ add(p, "SecureRandom", "NativePRNGBlocking",
|
||||||
|
+ "sun.security.provider.NativePRNG$Blocking", attrs);
|
||||||
|
+ }
|
||||||
|
+ if (NativePRNG.NonBlocking.isAvailable()) {
|
||||||
|
+ add(p, "SecureRandom", "NativePRNGNonBlocking",
|
||||||
|
+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
|
||||||
|
+ }
|
||||||
|
+ attrs.put("ImplementedIn", "Software");
|
||||||
|
+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
|
||||||
|
+ add(p, "SecureRandom", "SHA1PRNG",
|
||||||
|
+ "sun.security.provider.SecureRandom", attrs);
|
||||||
|
|
||||||
- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
|
- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
|
||||||
- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
|
- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
|
||||||
- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
|
- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
|
||||||
-
|
+ /*
|
||||||
|
+ * Signature engines
|
||||||
|
+ */
|
||||||
|
+ attrs.clear();
|
||||||
|
+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
|
||||||
|
+ "|java.security.interfaces.DSAPrivateKey";
|
||||||
|
+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
|
||||||
|
+ attrs.put("ImplementedIn", "Software");
|
||||||
|
+
|
||||||
|
+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
|
||||||
|
+
|
||||||
|
+ addWithAlias(p, "Signature", "SHA1withDSA",
|
||||||
|
+ "sun.security.provider.DSA$SHA1withDSA", attrs);
|
||||||
|
+ addWithAlias(p, "Signature", "NONEwithDSA",
|
||||||
|
+ "sun.security.provider.DSA$RawDSA", attrs);
|
||||||
|
+
|
||||||
|
+ // for DSA signatures with 224/256-bit digests
|
||||||
|
+ attrs.put("KeySize", "2048");
|
||||||
|
+
|
||||||
|
+ addWithAlias(p, "Signature", "SHA224withDSA",
|
||||||
|
+ "sun.security.provider.DSA$SHA224withDSA", attrs);
|
||||||
|
+ addWithAlias(p, "Signature", "SHA256withDSA",
|
||||||
|
+ "sun.security.provider.DSA$SHA256withDSA", attrs);
|
||||||
|
+
|
||||||
|
+ addWithAlias(p, "Signature", "SHA3-224withDSA",
|
||||||
|
+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
|
||||||
|
+ addWithAlias(p, "Signature", "SHA3-256withDSA",
|
||||||
|
+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
|
||||||
|
+
|
||||||
|
+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
|
||||||
|
+
|
||||||
|
+ addWithAlias(p, "Signature", "SHA384withDSA",
|
||||||
|
+ "sun.security.provider.DSA$SHA384withDSA", attrs);
|
||||||
|
+ addWithAlias(p, "Signature", "SHA512withDSA",
|
||||||
|
+ "sun.security.provider.DSA$SHA512withDSA", attrs);
|
||||||
|
+ addWithAlias(p, "Signature", "SHA3-384withDSA",
|
||||||
|
+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
|
||||||
|
+ addWithAlias(p, "Signature", "SHA3-512withDSA",
|
||||||
|
+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
|
||||||
|
+
|
||||||
|
+ attrs.remove("KeySize");
|
||||||
|
+
|
||||||
|
+ add(p, "Signature", "SHA1withDSAinP1363Format",
|
||||||
|
+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
|
||||||
|
+ add(p, "Signature", "NONEwithDSAinP1363Format",
|
||||||
|
+ "sun.security.provider.DSA$RawDSAinP1363Format");
|
||||||
|
+ add(p, "Signature", "SHA224withDSAinP1363Format",
|
||||||
|
+ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
|
||||||
|
+ add(p, "Signature", "SHA256withDSAinP1363Format",
|
||||||
|
+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
|
||||||
|
+ add(p, "Signature", "SHA384withDSAinP1363Format",
|
||||||
|
+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
|
||||||
|
+ add(p, "Signature", "SHA512withDSAinP1363Format",
|
||||||
|
+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
|
||||||
|
+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
|
||||||
|
+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
|
||||||
|
+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
|
||||||
|
+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
|
||||||
|
+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
|
||||||
|
+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
|
||||||
|
+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
|
||||||
|
+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
|
||||||
|
+ /*
|
||||||
|
+ * Key Pair Generator engines
|
||||||
|
+ */
|
||||||
|
+ attrs.clear();
|
||||||
|
+ attrs.put("ImplementedIn", "Software");
|
||||||
|
+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
|
||||||
|
|
||||||
- /*
|
- /*
|
||||||
- * Algorithm Parameter Generator engines
|
- * Algorithm Parameter Generator engines
|
||||||
- */
|
- */
|
||||||
- addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
|
- addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
|
||||||
- "sun.security.provider.DSAParameterGenerator", attrs);
|
- "sun.security.provider.DSAParameterGenerator", attrs);
|
||||||
- attrs.remove("KeySize");
|
- attrs.remove("KeySize");
|
||||||
-
|
+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
|
||||||
|
+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
|
||||||
|
+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
|
||||||
|
|
||||||
- /*
|
- /*
|
||||||
- * Algorithm Parameter engines
|
- * Algorithm Parameter engines
|
||||||
- */
|
- */
|
||||||
- addWithAlias(p, "AlgorithmParameters", "DSA",
|
- addWithAlias(p, "AlgorithmParameters", "DSA",
|
||||||
- "sun.security.provider.DSAParameters", attrs);
|
- "sun.security.provider.DSAParameters", attrs);
|
||||||
-
|
+ /*
|
||||||
|
+ * Algorithm Parameter Generator engines
|
||||||
|
+ */
|
||||||
|
+ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
|
||||||
|
+ "sun.security.provider.DSAParameterGenerator", attrs);
|
||||||
|
+ attrs.remove("KeySize");
|
||||||
|
|
||||||
- /*
|
- /*
|
||||||
- * Key factories
|
- * Key factories
|
||||||
- */
|
- */
|
||||||
- addWithAlias(p, "KeyFactory", "DSA",
|
- addWithAlias(p, "KeyFactory", "DSA",
|
||||||
- "sun.security.provider.DSAKeyFactory", attrs);
|
- "sun.security.provider.DSAKeyFactory", attrs);
|
||||||
-
|
+ /*
|
||||||
|
+ * Algorithm Parameter engines
|
||||||
|
+ */
|
||||||
|
+ addWithAlias(p, "AlgorithmParameters", "DSA",
|
||||||
|
+ "sun.security.provider.DSAParameters", attrs);
|
||||||
|
|
||||||
- /*
|
- /*
|
||||||
- * Digest engines
|
- * Digest engines
|
||||||
- */
|
- */
|
||||||
@ -299,7 +260,12 @@ index 912cad59714..c5e13c98bd9 100644
|
|||||||
- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
|
- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
|
||||||
- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
|
- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
|
||||||
- attrs);
|
- attrs);
|
||||||
-
|
+ /*
|
||||||
|
+ * Key factories
|
||||||
|
+ */
|
||||||
|
+ addWithAlias(p, "KeyFactory", "DSA",
|
||||||
|
+ "sun.security.provider.DSAKeyFactory", attrs);
|
||||||
|
|
||||||
- addWithAlias(p, "MessageDigest", "SHA-224",
|
- addWithAlias(p, "MessageDigest", "SHA-224",
|
||||||
- "sun.security.provider.SHA2$SHA224", attrs);
|
- "sun.security.provider.SHA2$SHA224", attrs);
|
||||||
- addWithAlias(p, "MessageDigest", "SHA-256",
|
- addWithAlias(p, "MessageDigest", "SHA-256",
|
||||||
@ -320,12 +286,41 @@ index 912cad59714..c5e13c98bd9 100644
|
|||||||
- "sun.security.provider.SHA3$SHA384", attrs);
|
- "sun.security.provider.SHA3$SHA384", attrs);
|
||||||
- addWithAlias(p, "MessageDigest", "SHA3-512",
|
- addWithAlias(p, "MessageDigest", "SHA3-512",
|
||||||
- "sun.security.provider.SHA3$SHA512", attrs);
|
- "sun.security.provider.SHA3$SHA512", attrs);
|
||||||
|
+ /*
|
||||||
|
+ * Digest engines
|
||||||
|
+ */
|
||||||
|
+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
|
||||||
|
+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
|
||||||
|
+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
|
||||||
|
+ attrs);
|
||||||
|
+
|
||||||
|
+ addWithAlias(p, "MessageDigest", "SHA-224",
|
||||||
|
+ "sun.security.provider.SHA2$SHA224", attrs);
|
||||||
|
+ addWithAlias(p, "MessageDigest", "SHA-256",
|
||||||
|
+ "sun.security.provider.SHA2$SHA256", attrs);
|
||||||
|
+ addWithAlias(p, "MessageDigest", "SHA-384",
|
||||||
|
+ "sun.security.provider.SHA5$SHA384", attrs);
|
||||||
|
+ addWithAlias(p, "MessageDigest", "SHA-512",
|
||||||
|
+ "sun.security.provider.SHA5$SHA512", attrs);
|
||||||
|
+ addWithAlias(p, "MessageDigest", "SHA-512/224",
|
||||||
|
+ "sun.security.provider.SHA5$SHA512_224", attrs);
|
||||||
|
+ addWithAlias(p, "MessageDigest", "SHA-512/256",
|
||||||
|
+ "sun.security.provider.SHA5$SHA512_256", attrs);
|
||||||
|
+ addWithAlias(p, "MessageDigest", "SHA3-224",
|
||||||
|
+ "sun.security.provider.SHA3$SHA224", attrs);
|
||||||
|
+ addWithAlias(p, "MessageDigest", "SHA3-256",
|
||||||
|
+ "sun.security.provider.SHA3$SHA256", attrs);
|
||||||
|
+ addWithAlias(p, "MessageDigest", "SHA3-384",
|
||||||
|
+ "sun.security.provider.SHA3$SHA384", attrs);
|
||||||
|
+ addWithAlias(p, "MessageDigest", "SHA3-512",
|
||||||
|
+ "sun.security.provider.SHA3$SHA512", attrs);
|
||||||
|
+ }
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Certificates
|
* Certificates
|
||||||
diff --git openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
|
diff --git openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
|
||||||
index 8c9e4f9dbe6..9eeb3013e0d 100644
|
index 8c9e4f9dbe6..883dc04758e 100644
|
||||||
--- openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
|
--- openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
|
||||||
+++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
|
+++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
|
||||||
@@ -38,6 +38,7 @@ import java.util.HashMap;
|
@@ -38,6 +38,7 @@ import java.util.HashMap;
|
||||||
import java.util.Iterator;
|
import java.util.Iterator;
|
||||||
|
@ -5,13 +5,13 @@ Date: Sat Aug 28 00:35:44 2021 +0100
|
|||||||
RH1996182: Login to the NSS Software Token in FIPS Mode
|
RH1996182: Login to the NSS Software Token in FIPS Mode
|
||||||
|
|
||||||
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
|
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
|
||||||
index 39e69362458..aeb5fc2eb46 100644
|
index 238735c0c8c..dbbf11bbb22 100644
|
||||||
--- openjdk.orig/src/java.base/share/classes/module-info.java
|
--- openjdk.orig/src/java.base/share/classes/module-info.java
|
||||||
+++ openjdk/src/java.base/share/classes/module-info.java
|
+++ openjdk/src/java.base/share/classes/module-info.java
|
||||||
@@ -151,6 +151,7 @@ module java.base {
|
@@ -152,6 +152,7 @@ module java.base {
|
||||||
java.management,
|
|
||||||
java.naming,
|
java.naming,
|
||||||
java.rmi,
|
java.rmi,
|
||||||
|
jdk.charsets,
|
||||||
+ jdk.crypto.cryptoki,
|
+ jdk.crypto.cryptoki,
|
||||||
jdk.crypto.ec,
|
jdk.crypto.ec,
|
||||||
jdk.jartool,
|
jdk.jartool,
|
||||||
|
28
SOURCES/rh2021263-fips_ensure_security_initialised.patch
Normal file
28
SOURCES/rh2021263-fips_ensure_security_initialised.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
commit 4ac1a03b3ec73358988553fe9e200130847ea3b4
|
||||||
|
Author: Andrew Hughes <gnu.andrew@redhat.com>
|
||||||
|
Date: Mon Jan 10 20:19:40 2022 +0000
|
||||||
|
|
||||||
|
RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
|
||||||
|
|
||||||
|
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
|
||||||
|
index 5a2c9eb0c46..a1ee182d913 100644
|
||||||
|
--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
|
||||||
|
+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
|
||||||
|
@@ -39,6 +39,7 @@ import java.io.FilePermission;
|
||||||
|
import java.io.ObjectInputStream;
|
||||||
|
import java.io.RandomAccessFile;
|
||||||
|
import java.security.ProtectionDomain;
|
||||||
|
+import java.security.Security;
|
||||||
|
import java.security.Signature;
|
||||||
|
|
||||||
|
/** A repository of "shared secrets", which are a mechanism for
|
||||||
|
@@ -449,6 +450,9 @@ public class SharedSecrets {
|
||||||
|
}
|
||||||
|
|
||||||
|
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
|
||||||
|
+ if (javaSecuritySystemConfiguratorAccess == null) {
|
||||||
|
+ ensureClassInitialized(Security.class);
|
||||||
|
+ }
|
||||||
|
return javaSecuritySystemConfiguratorAccess;
|
||||||
|
}
|
||||||
|
}
|
24
SOURCES/rh2021263-fips_missing_native_returns.patch
Normal file
24
SOURCES/rh2021263-fips_missing_native_returns.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
commit 8f6e35dc9e9289aed290b36e260beeda76986bb5
|
||||||
|
Author: Fridrich Strba <fstrba@suse.com>
|
||||||
|
Date: Mon Jan 10 19:32:01 2022 +0000
|
||||||
|
|
||||||
|
RH2021263: Return in C code after having generated Java exception
|
||||||
|
|
||||||
|
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||||
|
index 38919d6bb0f..caf678a7dd6 100644
|
||||||
|
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||||
|
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||||
|
@@ -151,11 +151,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
|
||||||
|
dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
|
||||||
|
if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
|
||||||
|
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
|
||||||
|
+ return JNI_FALSE;
|
||||||
|
}
|
||||||
|
fips_enabled = fgetc(fe);
|
||||||
|
fclose(fe);
|
||||||
|
if (fips_enabled == EOF) {
|
||||||
|
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
|
||||||
|
+ return JNI_FALSE;
|
||||||
|
}
|
||||||
|
msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||||
|
" read character is '%c'", fips_enabled);
|
99
SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
Normal file
99
SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
Normal file
@ -0,0 +1,99 @@
|
|||||||
|
commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
|
||||||
|
Author: Andrew Hughes <gnu.andrew@redhat.com>
|
||||||
|
Date: Tue Jan 18 02:09:27 2022 +0000
|
||||||
|
|
||||||
|
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
|
||||||
|
|
||||||
|
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
|
||||||
|
index 28ab1846173..f9726741afd 100644
|
||||||
|
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
|
||||||
|
+++ openjdk/src/java.base/share/classes/java/security/Security.java
|
||||||
|
@@ -61,10 +61,6 @@ public final class Security {
|
||||||
|
private static final Debug sdebug =
|
||||||
|
Debug.getInstance("properties");
|
||||||
|
|
||||||
|
- /* System property file*/
|
||||||
|
- private static final String SYSTEM_PROPERTIES =
|
||||||
|
- "/etc/crypto-policies/back-ends/java.config";
|
||||||
|
-
|
||||||
|
/* The java.security properties */
|
||||||
|
private static Properties props;
|
||||||
|
|
||||||
|
@@ -206,22 +202,36 @@ public final class Security {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!loadedProps) {
|
||||||
|
+ initializeStatic();
|
||||||
|
+ if (sdebug != null) {
|
||||||
|
+ sdebug.println("unable to load security properties " +
|
||||||
|
+ "-- using defaults");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
|
||||||
|
if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
|
||||||
|
"true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
|
||||||
|
- if (SystemConfigurator.configure(props)) {
|
||||||
|
- loadedProps = true;
|
||||||
|
+ if (!SystemConfigurator.configureSysProps(props)) {
|
||||||
|
+ if (sdebug != null) {
|
||||||
|
+ sdebug.println("WARNING: System properties could not be loaded.");
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (!loadedProps) {
|
||||||
|
- initializeStatic();
|
||||||
|
+ // FIPS support depends on the contents of java.security so
|
||||||
|
+ // ensure it has loaded first
|
||||||
|
+ if (loadedProps) {
|
||||||
|
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
|
||||||
|
if (sdebug != null) {
|
||||||
|
- sdebug.println("unable to load security properties " +
|
||||||
|
- "-- using defaults");
|
||||||
|
+ if (fipsEnabled) {
|
||||||
|
+ sdebug.println("FIPS support enabled.");
|
||||||
|
+ } else {
|
||||||
|
+ sdebug.println("FIPS support disabled.");
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
-
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||||
|
index 874c6221ebe..b7ed41acf0f 100644
|
||||||
|
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||||
|
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||||
|
@@ -76,7 +76,7 @@ final class SystemConfigurator {
|
||||||
|
* java.security.disableSystemPropertiesFile property is not set and
|
||||||
|
* security.useSystemPropertiesFile is true.
|
||||||
|
*/
|
||||||
|
- static boolean configure(Properties props) {
|
||||||
|
+ static boolean configureSysProps(Properties props) {
|
||||||
|
boolean loadedProps = false;
|
||||||
|
|
||||||
|
try (BufferedInputStream bis =
|
||||||
|
@@ -96,11 +96,19 @@ final class SystemConfigurator {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ return loadedProps;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Invoked at the end of java.security.Security initialisation
|
||||||
|
+ * if java.security properties have been loaded
|
||||||
|
+ */
|
||||||
|
+ static boolean configureFIPS(Properties props) {
|
||||||
|
+ boolean loadedProps = false;
|
||||||
|
|
||||||
|
try {
|
||||||
|
if (enableFips()) {
|
||||||
|
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
|
||||||
|
- loadedProps = false;
|
||||||
|
// Remove all security providers
|
||||||
|
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
|
||||||
|
while (i.hasNext()) {
|
1182
SOURCES/rh2052070-enable_algorithmparameters_in_fips_mode.patch
Normal file
1182
SOURCES/rh2052070-enable_algorithmparameters_in_fips_mode.patch
Normal file
File diff suppressed because it is too large
Load Diff
213
SOURCES/rh2052829-fips_runtime_nss_detection.patch
Normal file
213
SOURCES/rh2052829-fips_runtime_nss_detection.patch
Normal file
@ -0,0 +1,213 @@
|
|||||||
|
commit 090ea0389db5c2e0c8ee13652bccd544b17872c2
|
||||||
|
Author: Andrew Hughes <gnu.andrew@redhat.com>
|
||||||
|
Date: Mon Feb 7 15:33:27 2022 +0000
|
||||||
|
|
||||||
|
RH2051605: Detect NSS at Runtime for FIPS detection
|
||||||
|
|
||||||
|
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||||
|
index caf678a7dd6..8dcb7d9073f 100644
|
||||||
|
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||||
|
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||||
|
@@ -23,26 +23,37 @@
|
||||||
|
* questions.
|
||||||
|
*/
|
||||||
|
|
||||||
|
-#include <dlfcn.h>
|
||||||
|
#include <jni.h>
|
||||||
|
#include <jni_util.h>
|
||||||
|
+#include "jvm_md.h"
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
#ifdef SYSCONF_NSS
|
||||||
|
#include <nss3/pk11pub.h>
|
||||||
|
+#else
|
||||||
|
+#include <dlfcn.h>
|
||||||
|
#endif //SYSCONF_NSS
|
||||||
|
|
||||||
|
#include "java_security_SystemConfigurator.h"
|
||||||
|
|
||||||
|
-#define MSG_MAX_SIZE 96
|
||||||
|
+#define MSG_MAX_SIZE 256
|
||||||
|
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
|
||||||
|
+
|
||||||
|
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
|
||||||
|
|
||||||
|
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
|
||||||
|
static jmethodID debugPrintlnMethodID = NULL;
|
||||||
|
static jobject debugObj = NULL;
|
||||||
|
|
||||||
|
-// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
|
||||||
|
-#ifndef SYSCONF_NSS
|
||||||
|
-
|
||||||
|
-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
|
||||||
|
+static void dbgPrint(JNIEnv *env, const char* msg)
|
||||||
|
+{
|
||||||
|
+ jstring jMsg;
|
||||||
|
+ if (debugObj != NULL) {
|
||||||
|
+ jMsg = (*env)->NewStringUTF(env, msg);
|
||||||
|
+ CHECK_NULL(jMsg);
|
||||||
|
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
|
||||||
|
static void throwIOException(JNIEnv *env, const char *msg)
|
||||||
|
{
|
||||||
|
@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg)
|
||||||
|
(*env)->ThrowNew(env, cls, msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
-#endif
|
||||||
|
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
|
||||||
|
+{
|
||||||
|
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
|
||||||
|
+ dbgPrint(env, msg);
|
||||||
|
+ } else {
|
||||||
|
+ dbgPrint(env, "systemconf: cannot render message");
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
|
||||||
|
-static void dbgPrint(JNIEnv *env, const char* msg)
|
||||||
|
+// Only used when NSS is not linked at build time
|
||||||
|
+#ifndef SYSCONF_NSS
|
||||||
|
+
|
||||||
|
+static void *nss_handle;
|
||||||
|
+
|
||||||
|
+static jboolean loadNSS(JNIEnv *env)
|
||||||
|
{
|
||||||
|
- jstring jMsg;
|
||||||
|
- if (debugObj != NULL) {
|
||||||
|
- jMsg = (*env)->NewStringUTF(env, msg);
|
||||||
|
- CHECK_NULL(jMsg);
|
||||||
|
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
|
||||||
|
- }
|
||||||
|
+ char msg[MSG_MAX_SIZE];
|
||||||
|
+ int msg_bytes;
|
||||||
|
+ const char* errmsg;
|
||||||
|
+
|
||||||
|
+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
|
||||||
|
+ if (nss_handle == NULL) {
|
||||||
|
+ errmsg = dlerror();
|
||||||
|
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
|
||||||
|
+ errmsg);
|
||||||
|
+ handle_msg(env, msg, msg_bytes);
|
||||||
|
+ return JNI_FALSE;
|
||||||
|
+ }
|
||||||
|
+ dlerror(); /* Clear errors */
|
||||||
|
+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
|
||||||
|
+ if ((errmsg = dlerror()) != NULL) {
|
||||||
|
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
|
||||||
|
+ errmsg);
|
||||||
|
+ handle_msg(env, msg, msg_bytes);
|
||||||
|
+ return JNI_FALSE;
|
||||||
|
+ }
|
||||||
|
+ return JNI_TRUE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void closeNSS(JNIEnv *env)
|
||||||
|
+{
|
||||||
|
+ char msg[MSG_MAX_SIZE];
|
||||||
|
+ int msg_bytes;
|
||||||
|
+ const char* errmsg;
|
||||||
|
+
|
||||||
|
+ if (dlclose(nss_handle) != 0) {
|
||||||
|
+ errmsg = dlerror();
|
||||||
|
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
|
||||||
|
+ errmsg);
|
||||||
|
+ handle_msg(env, msg, msg_bytes);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Class: java_security_SystemConfigurator
|
||||||
|
* Method: JNI_OnLoad
|
||||||
|
@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
|
||||||
|
debugObj = (*env)->NewGlobalRef(env, debugObj);
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef SYSCONF_NSS
|
||||||
|
+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
|
||||||
|
+#else
|
||||||
|
+ if (loadNSS(env) == JNI_FALSE) {
|
||||||
|
+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
return (*env)->GetVersion(env);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
|
||||||
|
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
|
||||||
|
return; /* Should not happen */
|
||||||
|
}
|
||||||
|
+#ifndef SYSCONF_NSS
|
||||||
|
+ closeNSS(env);
|
||||||
|
+#endif
|
||||||
|
(*env)->DeleteGlobalRef(env, debugObj);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
|
||||||
|
char msg[MSG_MAX_SIZE];
|
||||||
|
int msg_bytes;
|
||||||
|
|
||||||
|
-#ifdef SYSCONF_NSS
|
||||||
|
-
|
||||||
|
- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
|
||||||
|
- fips_enabled = SECMOD_GetSystemFIPSEnabled();
|
||||||
|
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||||
|
- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
|
||||||
|
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
|
||||||
|
- dbgPrint(env, msg);
|
||||||
|
+ if (getSystemFIPSEnabled != NULL) {
|
||||||
|
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
|
||||||
|
+ fips_enabled = (*getSystemFIPSEnabled)();
|
||||||
|
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||||
|
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
|
||||||
|
+ handle_msg(env, msg, msg_bytes);
|
||||||
|
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
|
||||||
|
} else {
|
||||||
|
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
|
||||||
|
- " SECMOD_GetSystemFIPSEnabled return value");
|
||||||
|
- }
|
||||||
|
- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
|
||||||
|
+ FILE *fe;
|
||||||
|
|
||||||
|
-#else // SYSCONF_NSS
|
||||||
|
-
|
||||||
|
- FILE *fe;
|
||||||
|
-
|
||||||
|
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
|
||||||
|
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
|
||||||
|
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
|
||||||
|
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
|
||||||
|
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
|
||||||
|
return JNI_FALSE;
|
||||||
|
- }
|
||||||
|
- fips_enabled = fgetc(fe);
|
||||||
|
- fclose(fe);
|
||||||
|
- if (fips_enabled == EOF) {
|
||||||
|
+ }
|
||||||
|
+ fips_enabled = fgetc(fe);
|
||||||
|
+ fclose(fe);
|
||||||
|
+ if (fips_enabled == EOF) {
|
||||||
|
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
|
||||||
|
return JNI_FALSE;
|
||||||
|
+ }
|
||||||
|
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||||
|
+ " read character is '%c'", fips_enabled);
|
||||||
|
+ handle_msg(env, msg, msg_bytes);
|
||||||
|
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
|
||||||
|
}
|
||||||
|
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||||
|
- " read character is '%c'", fips_enabled);
|
||||||
|
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
|
||||||
|
- dbgPrint(env, msg);
|
||||||
|
- } else {
|
||||||
|
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
|
||||||
|
- " read character");
|
||||||
|
- }
|
||||||
|
- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
|
||||||
|
-
|
||||||
|
-#endif // SYSCONF_NSS
|
||||||
|
}
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user