import java-17-openjdk-17.0.2.0.8-15.el8

This commit is contained in:
CentOS Sources 2022-03-24 06:33:34 +00:00 committed by Stepan Oksanichenko
parent a995e00603
commit d75fa95bc4
16 changed files with 3401 additions and 407 deletions

4
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/openjdk-jdk17-jdk-17+35.tar.xz SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

View File

@ -1,2 +1,2 @@
a2bffc90da173240cdf0e3ea6971d4ba432b3cfe SOURCES/openjdk-jdk17-jdk-17+35.tar.xz 47c1e3a97ba6f63908c2a9f55e1514b52f0b8333 SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

View File

@ -3,6 +3,474 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 17.0.2 (2022-01-18):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk1702
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt
* Security fixes
- JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside
- JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
- JDK-8268488: More valuable DerValues
- JDK-8268494: Better inlining of inlined interfaces
- JDK-8268512: More content for ContentInfo
- JDK-8268813, CVE-2022-21283: Better String matching
- JDK-8269151: Better construction of EncryptedPrivateKeyInfo
- JDK-8269944: Better HTTP transport redux
- JDK-8270386, CVE-2022-21291: Better verification of scan methods
- JDK-8270392, CVE-2022-21293: Improve String constructions
- JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
- JDK-8270492, CVE-2022-21282: Better resolution of URIs
- JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
- JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
- JDK-8270952, CVE-2022-21277: Improve TIFF file handling
- JDK-8271962: Better TrueType font loading
- JDK-8271968: Better canonical naming
- JDK-8271987: Manifest improved manifest entries
- JDK-8272014, CVE-2022-21305: Better array indexing
- JDK-8272026, CVE-2022-21340: Verify Jar Verification
- JDK-8272236, CVE-2022-21341: Improve serial forms for transport
- JDK-8272272: Enhance jcmd communication
- JDK-8272462: Enhance image handling
- JDK-8273290: Enhance sound handling
- JDK-8273756, CVE-2022-21360: Enhance BMP image support
- JDK-8273838, CVE-2022-21365: Enhanced BMP processing
- JDK-8274096, CVE-2022-21366: Improve decoding of image files
* Other changes
- JDK-4819544: SwingSet2 JTable Demo throws NullPointerException
- JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
- JDK-8140241: (fc) Data transfer from FileChannel to itself causes hang in case of overlap
- JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently
- JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
- JDK-8214761: Bug in parallel Kahan summation implementation
- JDK-8223923: C2: Missing interference with mismatched unsafe accesses
- JDK-8233020: (fs) UnixFileSystemProvider should use StaticProperty.userDir().
- JDK-8238649: Call new Win32 API SetThreadDescription in os::set_native_thread_name
- JDK-8244675: assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines()))
- JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled
- JDK-8261579: AArch64: Support for weaker memory ordering in Atomic
- JDK-8262031: Create implementation for NSAccessibilityNavigableStaticText protocol
- JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null
- JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
- JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
- JDK-8263375: Support stack watermarks in Zero VM
- JDK-8263773: Reenable German localization for builds at Oracle
- JDK-8264286: Create implementation for NSAccessibilityColumn protocol peer
- JDK-8264287: Create implementation for NSAccessibilityComboBox protocol peer
- JDK-8264291: Create implementation for NSAccessibilityCell protocol peer
- JDK-8264292: Create implementation for NSAccessibilityList protocol peer
- JDK-8264293: Create implementation for NSAccessibilityMenu protocol peer
- JDK-8264294: Create implementation for NSAccessibilityMenuBar protocol peer
- JDK-8264295: Create implementation for NSAccessibilityMenuItem protocol peer
- JDK-8264296: Create implementation for NSAccessibilityPopUpButton protocol peer
- JDK-8264297: Create implementation for NSAccessibilityProgressIndicator protocol peer
- JDK-8264298: Create implementation for NSAccessibilityRow protocol peer
- JDK-8264303: Create implementation for NSAccessibilityTabGroup protocol peer
- JDK-8266239: Some duplicated javac command-line options have repeated effect
- JDK-8266510: Nimbus JTree default tree cell renderer does not use selected text color
- JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java fails with Unexpected isMature state for multiple times invoked method: expected false to equal true
- JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl
- JDK-8267385: Create NSAccessibilityElement implementation for JavaComponentAccessibility
- JDK-8267387: Create implementation for NSAccessibilityOutline protocol
- JDK-8267388: Create implementation for NSAccessibilityTable protocol
- JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button"
- JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs.
- JDK-8268361: Fix the infinite loop in next_line
- JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML
- JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests
- JDK-8268626: Remove native pre-jdk9 support for jtreg failure handler
- JDK-8268860: Windows-Aarch64 build is failing in GitHub actions
- JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
- JDK-8268885: duplicate checkcast when destination type is not first type of intersection type
- JDK-8268893: jcmd to trim the glibc heap
- JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition
- JDK-8268927: Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)"
- JDK-8269031: linux x86_64 check for binutils 2.25 or higher after 8265783
- JDK-8269113: Javac throws when compiling switch (null)
- JDK-8269216: Useless initialization in com/sun/crypto/provider/PBES2Parameters.java
- JDK-8269269: [macos11] SystemIconTest fails with ClassCastException
- JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString()
- JDK-8269481: SctpMultiChannel never releases own file descriptor
- JDK-8269637: javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows
- JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles
- JDK-8269687: pauth_aarch64.hpp include name is incorrect
- JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
- JDK-8269924: Shenandoah: Introduce weak/strong marking asserts
- JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
- JDK-8270110: Shenandoah: Add test for JDK-8269661
- JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS
- JDK-8270171: Shenandoah: Cleanup TestStringDedup and TestStringDedupStress tests
- JDK-8270290: NTLM authentication fails if HEAD request is used
- JDK-8270317: Large Allocation in CipherSuite
- JDK-8270320: JDK-8270110 committed invalid copyright headers
- JDK-8270517: Add Zero support for LoongArch
- JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
- JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling
- JDK-8270893: IndexOutOfBoundsException while reading large TIFF file
- JDK-8270901: Typo PHASE_CPP in CompilerPhaseType
- JDK-8270946: X509CertImpl.getFingerprint should not return the empty String
- JDK-8271071: accessibility of a table on macOS lacks cell navigation
- JDK-8271121: ZGC: stack overflow (segv) when -Xlog:gc+start=debug
- JDK-8271142: package help is not displayed for missing X11/extensions/Xrandr.h
- JDK-8271170: Add unit test for what jpackage app launcher puts in the environment
- JDK-8271215: Fix data races in G1PeriodicGCTask
- JDK-8271254: javac generates unreachable code when using empty semicolon statement
- JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected"
- JDK-8271308: (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call
- JDK-8271315: Redo: Nimbus JTree renderer properties persist across L&F changes
- JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1
- JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
- JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
- JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
- JDK-8271463: Updating RE Configs for Upcoming CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
- JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling
- JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine"
- JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions
- JDK-8271600: C2: CheckCastPP which should closely follow Allocate is sunk of a loop
- JDK-8271605: Update JMH devkit to 1.32
- JDK-8271718: Crash when during color transformation the color profile is replaced
- JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java can fail if G1 Full GC uses >1 workers
- JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in UnsafeIntrinsicsTest
- JDK-8271862: C2 intrinsic for Reference.refersTo() is often not used
- JDK-8271868: Warn user when using mac-sign option with unsigned app-image.
- JDK-8271895: UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18
- JDK-8271954: C2: assert(false) failed: Bad graph detected in build_loop_late
- JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java failed with Unexpected transfer size: 2147418112
- JDK-8272095: ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64
- JDK-8272114: Unused _last_state in osThread_windows
- JDK-8272170: Missing memory barrier when checking active state for regions
- JDK-8272305: several hotspot runtime/modules don't check exit codes
- JDK-8272318: Improve performance of HeapDumpAllTest
- JDK-8272328: java.library.path is not set properly by Windows jpackage app launcher
- JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes
- JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
- JDK-8272345: macos doesn't check `os::set_boot_path()` result
- JDK-8272369: java/io/File/GetXSpace.java failed with "RuntimeException: java.nio.file.NoSuchFileException: /run/user/0"
- JDK-8272391: Undeleted debug information
- JDK-8272413: Incorrect num of element count calculation for vector cast
- JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
- JDK-8272562: C2: assert(false) failed: Bad graph detected in build_loop_late
- JDK-8272570: C2: crash in PhaseCFG::global_code_motion
- JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late
- JDK-8272639: jpackaged applications using microphone on mac
- JDK-8272703: StressSeed should be set via FLAG_SET_ERGO
- JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit
- JDK-8272783: Epsilon: Refactor tests to improve performance
- JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests
- JDK-8272838: Move CriticalJNI tests out of tier1
- JDK-8272846: Move some runtime/Metaspace/elastic/ tests out of tier1
- JDK-8272850: Drop zapping values in the Zap* option descriptions
- JDK-8272854: split runtime/CommandLine/PrintTouchedMethods.java test
- JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag
- JDK-8272859: Javadoc external links should only have feature version number in URL
- JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups
- JDK-8272970: Parallelize runtime/InvocationTests/
- JDK-8272973: Incorrect compile command used by TestIllegalArrayCopyBeforeInfiniteLoop
- JDK-8273021: C2: Improve Add and Xor ideal optimizations
- JDK-8273026: Slow LoginContext.login() on multi threading application
- JDK-8273135: java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7
- JDK-8273165: GraphKit::combine_exception_states fails with "matching stack sizes" assert
- JDK-8273176: handle latest VS2019 in abstract_vm_version
- JDK-8273229: Update OS detection code to recognize Windows Server 2022
- JDK-8273234: extended 'for' with expression of type tvar causes the compiler to crash
- JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit
- JDK-8273278: Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT
- JDK-8273308: PatternMatchTest.java fails on CI
- JDK-8273314: Add tier4 test groups
- JDK-8273315: Parallelize and increase timeouts for java/foreign/TestMatrix.java test
- JDK-8273318: Some containers/docker/TestJFREvents.java configs are running out of memory
- JDK-8273333: Zero should warn about unimplemented -XX:+LogTouchedMethods
- JDK-8273335: compiler/blackhole tests should not run with interpreter-only VMs
- JDK-8273342: Null pointer dereference in classFileParser.cpp:2817
- JDK-8273359: CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size
- JDK-8273361: InfoOptsTest is failing in tier1
- JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero
- JDK-8273375: Remove redundant 'new String' calls after concatenation in java.desktop
- JDK-8273376: Zero: Disable vtable/itableStub gtests
- JDK-8273378: Shenandoah: Remove the remaining uses of os::is_MP
- JDK-8273408: java.lang.AssertionError: typeSig ERROR on generated class property of record
- JDK-8273416: C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1}
- JDK-8273440: Zero: Disable runtime/Unsafe/InternalErrorTest.java
- JDK-8273450: Fix the copyright header of SVML files
- JDK-8273451: Remove unreachable return in mutexLocker::wait
- JDK-8273483: Zero: Clear pending JNI exception check in native method handler
- JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM option
- JDK-8273487: Zero: Handle "zero" variant in runtime tests
- JDK-8273489: Zero: Handle UseHeavyMonitors on all monitorenter paths
- JDK-8273498: compiler/c2/Test7179138_1.java timed out
- JDK-8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes
- JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure
- JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated
- JDK-8273592: Backout JDK-8271868
- JDK-8273593: [REDO] Warn user when using mac-sign option with unsigned app-image.
- JDK-8273595: tools/jpackage tests do not work on apt-based Linux distros like Debian
- JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch
- JDK-8273614: Shenandoah: intermittent timeout with ConcurrentGCBreakpoint tests
- JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
- JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher
- JDK-8273678: TableAccessibility and TableRowAccessibility miss autorelease
- JDK-8273695: Safepoint deadlock on VMOperation_lock
- JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem
- JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly
- JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java
- JDK-8273808: Cleanup AddFontsToX11FontPath
- JDK-8273826: Correct Manifest file name and NPE checks
- JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out
- JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral
- JDK-8273902: Memory leak in OopStorage due to bug in OopHandle::release()
- JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
- JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported
- JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests in debug builds
- JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character
- JDK-8273965: some testlibrary_tests/ir_framework tests fail when c1 disabled
- JDK-8273968: JCK javax_xml tests fail in CI
- JDK-8274056: JavaAccessibilityUtilities leaks JNI objects
- JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM
- JDK-8274083: Update testing docs to mention tiered testing
- JDK-8274087: Windows DLL path not set correctly.
- JDK-8274145: C2: condition incorrectly made redundant with dominating main loop exit condition
- JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
- JDK-8274215: Remove globalsignr2ca root from 17.0.2
- JDK-8274242: Implement fast-path for ASCII-compatible CharsetEncoders on x86
- JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp
- JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated
- JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows after JDK-8234160
- JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
- JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern
- JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror"
- JDK-8274347: Passing a *nested* switch expression as a parameter causes an NPE during compile
- JDK-8274349: ForkJoinPool.commonPool() does not work with 1 CPU
- JDK-8274381: missing CAccessibility definitions in JNI code
- JDK-8274383: JNI call of getAccessibleSelection on a wrong thread
- JDK-8274401: C2: GraphKit::load_array_element bypasses Access API
- JDK-8274406: RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough"
- JDK-8274407: (tz) Update Timezone Data to 2021c
- JDK-8274435: EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl
- JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
- JDK-8274468: TimeZoneTest.java fails with tzdata2021b
- JDK-8274501: c2i entry barriers read int as long on AArch64
- JDK-8274521: jdk/jfr/event/gc/detailed/TestGCLockerEvent.java fails when other GC is selected
- JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah
- JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah
- JDK-8274550: c2i entry barriers read int as long on PPC
- JDK-8274560: JFR: Add test for OldObjectSample event when using Shenandoah
- JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test
- JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287
- JDK-8274716: JDWP Spec: the description for the Dispose command confuses suspend with resume.
- JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
- JDK-8274770: [PPC64] resolve_jobject needs a generic implementation to support load barriers
- JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform
- JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
- JDK-8274840: Update OS detection code to recognize Windows 11
- JDK-8274848: LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior
- JDK-8274851: [ppc64] Port zgc to linux on ppc64le
- JDK-8274942: AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155)
- JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11
- JDK-8275049: [ZGC] missing null check in ZNMethod::log_register
- JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag
- JDK-8275071: [macos] A11y cursor gets stuck when combobox is closed
- JDK-8275104: IR framework does not handle client VM builds correctly
- JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
- JDK-8275131: Exceptions after a touchpad gesture on macOS
- JDK-8275141: recover corrupted line endings for the version-numbers.conf
- JDK-8275145: file.encoding system property has an incorrect value on Windows
- JDK-8275226: Shenandoah: Relax memory constraint for worker claiming tasks/ranges
- JDK-8275302: unexpected compiler error: cast, intersection types and sealed
- JDK-8275426: PretouchTask num_chunks calculation can overflow
- JDK-8275604: Zero: Reformat opclabels_data
- JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java shouldn't have vm.flagless
- JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem
- JDK-8275720: CommonComponentAccessibility.createWithParent isWrapped causes mem leak
- JDK-8275766: (tz) Update Timezone Data to 2021e
- JDK-8275809: crash in [CommonComponentAccessibility getCAccessible:withEnv:]
- JDK-8275811: Incorrect instance to dispose
- JDK-8275819: [TableRowAccessibility accessibilityChildren] method is ineffective
- JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
- JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte encodings
- JDK-8275872: Sync J2DBench run and analyze Makefile targets with build.xml
- JDK-8276025: Hotspot's libsvml.so may conflict with user dependency
- JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance
- JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3
- JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly
- JDK-8276112: Inconsistent scalar replacement debug info at safepoints
- JDK-8276122: Change openjdk project in jcheck to jdk-updates
- JDK-8276130: Fix Github Actions of JDK17u to account for update version scheme
- JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
- JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32
- JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point
- JDK-8276205: Shenandoah: CodeCache_lock should always be held for initializing code cache iteration
- JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails intermittently on storage acquisition
- JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766
- JDK-8276550: Use SHA256 hash in build.tools.depend.Depend
- JDK-8276572: Fake libsyslookup.so library causes tooling issues
- JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie
- JDK-8276801: gc/stress/CriticalNativeStress.java fails intermittently with Shenandoah
- JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java fails due to disabled SecurityManager
- JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java fails on x86_32
- JDK-8276846: JDK-8273416 is incomplete for UseSSE=1
- JDK-8276854: Windows GHA builds fail due to broken Cygwin
- JDK-8276864: Update boot JDKs to 17.0.1 in GHA
- JDK-8276905: Use appropriate macosx_version_minimum value while compiling metal shaders
- JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le
- JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes
- JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element
- JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points
- JDK-8277195: missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest]
- JDK-8277212: GC accidentally cleans valid megamorphic vtable inline caches
- JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
- JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint
- JDK-8277981: String Deduplication table is never cleaned up due to bad dead_factor_for_cleanup
Notes on individual issues:
===========================
core-libs/java.io:serialization:
JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element
=========================================================================================
`java.util.Vector` is updated to correctly report
`ClassNotFoundException that occurs during deserialization using
`java.io.ObjectInputStream.GetField.get(name, object)` when the class
of an element of the Vector is not found. Without this fix, a
`StreamCorruptedException` is thrown that does not provide information
about the missing class.
security-libs/java.security:
JDK-8272535: Removed Google's GlobalSign Root Certificate
=========================================================
The following root certificate from Google has been removed from the
`cacerts` keystore:
Alias Name: globalsignr2ca [jdk]
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
core-libs/java.io:
JDK-8275343: file.encoding System Property Has an Incorrect Value on Windows
============================================================================
The initialization of the `file.encoding` system property on non macOS
platforms has been reverted to align with the behavior on or before
JDK 11. This has been an issue especially on Windows where the system
and user's locales are not the same.
hotspot/gc:
JDK-8277533: ZGC: Fixed long Process Non-Strong References times
================================================================
A bug has been fixed that could cause long "Concurrent Process
Non-Strong References" times with ZGC. The bug blocked the GC from
making significant progress, and caused both latency and throughput
issues for the Java application.
The long times could be seen in the GC logs when running with `-Xlog:gc*` e.g.
[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms
core-libs/java.time:
JDK-8274857: Update Timezone Data to 2021c
===========================================
IANA Time Zone Database, on which JDK's Date/Time libraries are based,
has been updated to version 2021c
(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note
that with this update, some of the time zone rules prior to the year
1970 have been modified according to the changes which were introduced
with 2021b. For more detail, refer to the announcement of 2021b
(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)
New in release OpenJDK 17.0.1 (2021-10-19):
===========================================
Live versions of these release notes can be found at:
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt
* Security fixes
- JDK-8263314: Enhance XML Dsig modes
- JDK-8265167, CVE-2021-35556: Richer Text Editors
- JDK-8265574: Improve handling of sheets
- JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
- JDK-8265776: Improve Stream handling for SSL
- JDK-8266097, CVE-2021-35561: Better hashing support
- JDK-8266103: Better specified spec values
- JDK-8266109: More Resilient Classloading
- JDK-8266115: More Manifest Jar Loading
- JDK-8266137, CVE-2021-35564: Improve Keystore integrity
- JDK-8266689, CVE-2021-35567: More Constrained Delegation
- JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
- JDK-8267712: Better LDAP reference processing
- JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
- JDK-8267735, CVE-2021-35586: Better BMP support
- JDK-8268193: Improve requests of certificates
- JDK-8268199: Correct certificate requests
- JDK-8268205: Enhance DTLS client handshake
- JDK-8268500: Better specified ParameterSpecs
- JDK-8268506: More Manifest Digests
- JDK-8269618, CVE-2021-35603: Better session identification
- JDK-8269624: Enhance method selection support
- JDK-8270398: Enhance canonicalization
- JDK-8270404: Better canonicalization
* Other changes
- JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
- JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
- JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
- JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations
- JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
- JDK-8263531: Remove unused buffer int
- JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java
- JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type
- JDK-8267666: Add option to jcmd GC.heap_dump to use existing file
- JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected
- JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info.
- JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance
- JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms
- JDK-8269297: Bump version numbers for JDK 17.0.1
- JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient
- JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events
- JDK-8269763: The JEditorPane is blank after JDK-8265167
- JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers
- JDK-8269882: stack-use-after-scope in NewObjectA
- JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible
- JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
- JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags
- JDK-8270094: Shenandoah: Provide human-readable labels for test configurations
- JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode
- JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert
- JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup
- JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
- JDK-8270344: Session resumption errors
- JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added
- JDK-8271276: C2: Wrong JVM state used for receiver null check
- JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4
- JDK-8271589: fatal error with variable shift count integer rotate operation.
- JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java
- JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests
- JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier
- JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
- JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
- JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails
- JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
- JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
- JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182
- JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used
- JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848
- JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
- JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed
- JDK-8273358: macOS Monterey does not have the font Times needed by Serif
Notes on individual issues:
===========================
security-libs/java.security:
JDK-8271434: Removed IdenTrust Root Certificate
===============================================
The following root certificate from IdenTrust has been removed from
the `cacerts` keystore:
Alias Name: identrustdstx3 [jdk]
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
New in release OpenJDK 17.0.0 (2021-09-14): New in release OpenJDK 17.0.0 (2021-09-14):
=========================================== ===========================================
The full list of changes in the interim releases from 11u to 17u can be found at: The full list of changes in the interim releases from 11u to 17u can be found at:

View File

@ -1,8 +1,8 @@
[Desktop Entry] [Desktop Entry]
Name=OpenJDK @JAVA_MAJOR_VERSION@ Monitoring & Management Console @ARCH@ Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
Comment=Monitor and manage OpenJDK @JAVA_MAJOR_VERSION@ applications for @ARCH@ Comment=Monitor and manage OpenJDK applications
Exec=@JAVA_HOME@/jconsole Exec=_SDKBINDIR_/jconsole
Icon=java-@JAVA_MAJOR_VERSION@-@JAVA_VENDOR@ Icon=java-@JAVA_VER@-@JAVA_VENDOR@
Terminal=false Terminal=false
Type=Application Type=Application
StartupWMClass=sun-tools-jconsole-JConsole StartupWMClass=sun-tools-jconsole-JConsole

View File

@ -1,21 +0,0 @@
commit e506cb23cfce35d1bc997d1e280f4dc40c9b3397
Author: Severin Gehwolf <sgehwolf@openjdk.org>
Date: Mon Aug 16 09:57:28 2021 +0000
8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
Backport-of: d38b31438dd4730ee2149c02277d60c35b9d7d81
diff --git openjdk.orig/make/modules/java.desktop/lib/Awt2dLibraries.gmk openjdk/make/modules/java.desktop/lib/Awt2dLibraries.gmk
index 4d0c0c00dbf..ef7eadae206 100644
--- openjdk.orig/make/modules/java.desktop/lib/Awt2dLibraries.gmk
+++ openjdk/make/modules/java.desktop/lib/Awt2dLibraries.gmk
@@ -435,7 +435,7 @@ endif
ifeq ($(USE_EXTERNAL_HARFBUZZ), true)
LIBFONTMANAGER_EXTRA_SRC =
- BUILD_LIBFONTMANAGER_FONTLIB += $(LIBHARFBUZZ_LIBS)
+ BUILD_LIBFONTMANAGER_FONTLIB += $(HARFBUZZ_LIBS)
else
LIBFONTMANAGER_EXTRA_SRC = libharfbuzz

View File

@ -0,0 +1,26 @@
diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
index 70903206ea0..09956084cf9 100644
--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
ctx = getLdapCtxFromUrl(
r.getDomainName(), url, new LdapURL(u), env);
return ctx;
+ } catch (AuthenticationException e) {
+ // do not retry on a different endpoint to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
// try the next element
lastException = e;
@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
for (String u : urls) {
try {
return getUsingURL(u, env);
+ } catch (AuthenticationException e) {
+ // do not retry on a different URL to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
ex = e;
}

View File

@ -1,6 +1,6 @@
name = NSS-FIPS name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@ nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = @NSS_SECMOD@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly nssDbMode = readOnly
nssModule = fips nssModule = fips

View File

@ -0,0 +1,579 @@
commit abcd0954643eddbf826d96291d44a143038ab750
Author: Martin Balao <mbalao@redhat.com>
Date: Sun Oct 10 18:14:01 2021 +0100
RH1991003: Enable the import of plain keys into the NSS software token.
This can be individually disabled using -Dcom.redhat.fips.plainKeySupport=false
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index ce32c939253..dc7020ce668 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -82,6 +82,10 @@ public final class Security {
public boolean isSystemFipsEnabled() {
return SystemConfigurator.isSystemFipsEnabled();
}
+ @Override
+ public boolean isPlainKeySupportEnabled() {
+ return SystemConfigurator.isPlainKeySupportEnabled();
+ }
});
// doPrivileged here because there are multiple
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 6aa1419dfd0..ecab722848e 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -55,6 +55,7 @@ final class SystemConfigurator {
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
private static boolean systemFipsEnabled = false;
+ private static boolean plainKeySupportEnabled = false;
private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
@@ -150,6 +151,16 @@ final class SystemConfigurator {
}
loadedProps = true;
systemFipsEnabled = true;
+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
+ "true");
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
+ if (sdebug != null) {
+ if (plainKeySupportEnabled) {
+ sdebug.println("FIPS support enabled with plain key support");
+ } else {
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
}
} catch (Exception e) {
if (sdebug != null) {
@@ -177,6 +188,19 @@ final class SystemConfigurator {
return systemFipsEnabled;
}
+ /**
+ * Returns {@code true} if system FIPS alignment is enabled
+ * and plain key support is allowed. Plain key support is
+ * enabled by default but can be disabled with
+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
+ *
+ * @return a boolean indicating whether plain key support
+ * should be enabled.
+ */
+ static boolean isPlainKeySupportEnabled() {
+ return plainKeySupportEnabled;
+ }
+
/*
* OpenJDK FIPS mode will be enabled only if the com.redhat.fips
* system property is true (default) and the system is in FIPS mode.
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
index a31e93ec02e..3f3caac64dc 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
@@ -27,4 +27,5 @@ package jdk.internal.access;
public interface JavaSecuritySystemConfiguratorAccess {
boolean isSystemFipsEnabled();
+ boolean isPlainKeySupportEnabled();
}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644
index 00000000000..bee3a1e1537
--- /dev/null
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,291 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.Provider;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.TemplateManager;
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
+import sun.security.pkcs11.wrapper.PKCS11Exception;
+import sun.security.rsa.RSAUtil.KeyType;
+import sun.security.util.Debug;
+import sun.security.util.ECUtil;
+
+final class FIPSKeyImporter {
+
+ private static final Debug debug =
+ Debug.getInstance("sunpkcs11");
+
+ private static P11Key importerKey = null;
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
+ private static CK_MECHANISM importerKeyMechanism = null;
+ private static Cipher importerCipher = null;
+
+ private static Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+
+ private static KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception {
+ long keyID = -1;
+ Token token = sunPKCS11.getToken();
+ if (debug != null) {
+ debug.println("Private or Secret key will be imported in" +
+ " system FIPS mode.");
+ }
+ if (importerKey == null) {
+ importerKeyLock.lock();
+ try {
+ if (importerKey == null) {
+ if (importerKeyMechanism == null) {
+ // Importer Key creation has not been tried yet. Try it.
+ createImporterKey(token);
+ }
+ if (importerKey == null || importerCipher == null) {
+ if (debug != null) {
+ debug.println("Importer Key could not be" +
+ " generated.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ if (debug != null) {
+ debug.println("Importer Key successfully" +
+ " generated.");
+ }
+ }
+ } finally {
+ importerKeyLock.unlock();
+ }
+ }
+ long importerKeyID = importerKey.getKeyID();
+ try {
+ byte[] keyBytes = null;
+ byte[] encKeyBytes = null;
+ long keyClass = 0L;
+ long keyType = 0L;
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
+ for (CK_ATTRIBUTE attr : attributes) {
+ if (attr.type == CKA_CLASS) {
+ keyClass = attr.getLong();
+ } else if (attr.type == CKA_KEY_TYPE) {
+ keyType = attr.getLong();
+ }
+ attrsMap.put(attr.type, attr);
+ }
+ BigInteger v = null;
+ if (keyClass == CKO_PRIVATE_KEY) {
+ if (keyType == CKK_RSA) {
+ if (debug != null) {
+ debug.println("Importing an RSA private key...");
+ }
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
+ KeyType.RSA,
+ null,
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ } else if (keyType == CKK_DSA) {
+ if (debug != null) {
+ debug.println("Importing a DSA private key...");
+ }
+ keyBytes = new sun.security.provider.DSAPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_EC) {
+ if (debug != null) {
+ debug.println("Importing an EC private key...");
+ }
+ if (sunECProvider == null) {
+ sunECProviderLock.lock();
+ try {
+ if (sunECProvider == null) {
+ sunECProvider = Security.getProvider("SunEC");
+ }
+ } finally {
+ sunECProviderLock.unlock();
+ }
+ }
+ keyBytes = ECUtil.generateECPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ECUtil.getECParameterSpec(sunECProvider,
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
+ .getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_DH) {
+ if (debug != null) {
+ debug.println("Importing a Diffie-Hellman private key...");
+ }
+ if (DHKF == null) {
+ DHKFLock.lock();
+ try {
+ if (DHKF == null) {
+ DHKF = KeyFactory.getInstance(
+ "DH", P11Util.getSunJceProvider());
+ }
+ } finally {
+ DHKFLock.unlock();
+ }
+ }
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO);
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else {
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ } else if (keyClass == CKO_SECRET_KEY) {
+ if (debug != null) {
+ debug.println("Importing a secret key...");
+ }
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
+ }
+ if (keyBytes == null || keyBytes.length == 0) {
+ if (debug != null) {
+ debug.println("Private or secret key plain bytes could" +
+ " not be obtained. Import failed.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
+ null);
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
+ attrsMap.values().toArray(attributes);
+ encKeyBytes = importerCipher.doFinal(keyBytes);
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
+ keyClass, keyType, attributes);
+ keyID = token.p11.C_UnwrapKey(hSession,
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
+ if (debug != null) {
+ debug.println("Imported key ID: " + keyID);
+ }
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ } finally {
+ importerKey.releaseKeyID();
+ }
+ return Long.valueOf(keyID);
+ }
+
+ private static void createImporterKey(Token token) {
+ if (debug != null) {
+ debug.println("Generating Importer Key...");
+ }
+ byte[] iv = new byte[16];
+ JCAUtil.getSecureRandom().nextBytes(iv);
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
+ try {
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
+ Session s = null;
+ try {
+ s = token.getObjSession();
+ long keyID = token.p11.C_GenerateKey(
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
+ attributes);
+ if (debug != null) {
+ debug.println("Importer Key ID: " + keyID);
+ }
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
+ 256 >> 3, null);
+ } catch (PKCS11Exception e) {
+ // best effort
+ } finally {
+ token.releaseSession(s);
+ }
+ if (importerKey != null) {
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ }
+ } catch (Throwable t) {
+ // best effort
+ importerKey = null;
+ importerCipher = null;
+ // importerKeyMechanism value is kept initialized to indicate that
+ // Importer Key creation has been tried and failed.
+ }
+ }
+}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 5d3963ea893..42c72b393fd 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
package sun.security.pkcs11;
import java.io.*;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
import java.util.*;
import java.security.*;
@@ -66,6 +69,26 @@ public final class SunPKCS11 extends AuthProvider {
private static final boolean systemFipsEnabled = SharedSecrets
.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
+ private static final MethodHandle fipsImportKey;
+ static {
+ MethodHandle fipsImportKeyTmp = null;
+ if (plainKeySupportEnabled) {
+ try {
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
+ FIPSKeyImporter.class, "importKey",
+ MethodType.methodType(Long.class, SunPKCS11.class,
+ long.class, CK_ATTRIBUTE[].class));
+ } catch (Throwable t) {
+ throw new SecurityException("FIPS key importer initialization" +
+ " failed", t);
+ }
+ }
+ fipsImportKey = fipsImportKeyTmp;
+ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -324,10 +347,15 @@ public final class SunPKCS11 extends AuthProvider {
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
+ MethodHandle fipsKeyImporter = null;
+ if (plainKeySupportEnabled) {
+ fipsKeyImporter = MethodHandles.insertArguments(
+ fipsImportKey, 0, this);
+ }
try {
tmpPKCS11 = PKCS11.getInstance(
library, functionList, initArgs,
- config.getOmitInitialize());
+ config.getOmitInitialize(), fipsKeyImporter);
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
@@ -343,7 +371,7 @@ public final class SunPKCS11 extends AuthProvider {
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
- functionList, initArgs, config.getOmitInitialize());
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
}
p11 = tmpPKCS11;
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
index 5c0aacd1a67..4d80145cb91 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
import java.io.File;
import java.io.IOException;
+import java.lang.invoke.MethodHandle;
import java.util.*;
import java.security.AccessController;
@@ -152,16 +153,28 @@ public class PKCS11 {
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
// so keep a cache using the (non-canonicalized!) path
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
if (pkcs11 == null) {
+ boolean nssFipsMode = fipsKeyImporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
+ fipsKeyImporter);
+ } else {
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
} else {
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
+ functionList, fipsKeyImporter);
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ }
}
if (omitInitialize == false) {
try {
@@ -1911,4 +1924,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
+
+// PKCS11 subclass that allows using plain private or secret keys in
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
+// is enabled.
+static class FIPSPKCS11 extends PKCS11 {
+ private MethodHandle fipsKeyImporter;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // Creating sensitive key objects from plain key material in a
+ // FIPS-configured NSS Software Token is not allowed. We apply
+ // a key-unwrapping scheme to achieve so.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+// FIPSPKCS11 synchronized counterpart.
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
+ private MethodHandle fipsKeyImporter;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // See FIPSPKCS11::C_CreateObject.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+private static class FIPSPKCS11Helper {
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
+ for (CK_ATTRIBUTE attr : pTemplate) {
+ if (attr.type == CKA_CLASS &&
+ (attr.getLong() == CKO_PRIVATE_KEY ||
+ attr.getLong() == CKO_SECRET_KEY)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
index e2d6d371bec..dc5e7eefdd3 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
@@ -219,6 +219,14 @@ public class PKCS11Exception extends Exception {
return "0x" + Functions.toFullHexString((int)errorCode);
}
+ /**
+ * Constructor taking the error code (the CKR_* constants in PKCS#11) with
+ * no extra info for the error message.
+ */
+ public PKCS11Exception(long errorCode) {
+ this(errorCode, null);
+ }
+
/**
* Constructor taking the error code (the CKR_* constants in PKCS#11) and
* extra info for error message.

View File

@ -1,18 +1,18 @@
diff --git openjdk/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 9d4a794de1a..39e69362458 100644 index 63bb580eb3a..238735c0c8c 100644
--- openjdk/src/java.base/share/classes/module-info.java --- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java +++ openjdk/src/java.base/share/classes/module-info.java
@@ -151,6 +151,7 @@ module java.base { @@ -152,6 +152,7 @@ module java.base {
java.management,
java.naming, java.naming,
java.rmi, java.rmi,
jdk.charsets,
+ jdk.crypto.ec, + jdk.crypto.ec,
jdk.jartool, jdk.jartool,
jdk.jlink, jdk.jlink,
jdk.net, jdk.net,
diff --git openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
index 912cad59714..c5e13c98bd9 100644 index 912cad59714..7cb5ebcde51 100644
--- openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java --- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java
+++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
@@ -30,6 +30,7 @@ import java.net.*; @@ -30,6 +30,7 @@ import java.net.*;
import java.util.*; import java.util.*;
@ -52,149 +52,7 @@ index 912cad59714..c5e13c98bd9 100644
- if (NativePRNG.NonBlocking.isAvailable()) { - if (NativePRNG.NonBlocking.isAvailable()) {
- add(p, "SecureRandom", "NativePRNGNonBlocking", - add(p, "SecureRandom", "NativePRNGNonBlocking",
- "sun.security.provider.NativePRNG$NonBlocking", attrs); - "sun.security.provider.NativePRNG$NonBlocking", attrs);
+ if (!systemFipsEnabled) { - }
+ /*
+ * SecureRandom engines
+ */
+ attrs.put("ThreadSafe", "true");
+ if (NativePRNG.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNG",
+ "sun.security.provider.NativePRNG", attrs);
+ }
+ if (NativePRNG.Blocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGBlocking",
+ "sun.security.provider.NativePRNG$Blocking", attrs);
+ }
+ if (NativePRNG.NonBlocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGNonBlocking",
+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
+ }
+ attrs.put("ImplementedIn", "Software");
+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
+ add(p, "SecureRandom", "SHA1PRNG",
+ "sun.security.provider.SecureRandom", attrs);
+
+ /*
+ * Signature engines
+ */
+ attrs.clear();
+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
+ "|java.security.interfaces.DSAPrivateKey";
+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
+ attrs.put("ImplementedIn", "Software");
+
+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
+
+ addWithAlias(p, "Signature", "SHA1withDSA",
+ "sun.security.provider.DSA$SHA1withDSA", attrs);
+ addWithAlias(p, "Signature", "NONEwithDSA",
+ "sun.security.provider.DSA$RawDSA", attrs);
+
+ // for DSA signatures with 224/256-bit digests
+ attrs.put("KeySize", "2048");
+
+ addWithAlias(p, "Signature", "SHA224withDSA",
+ "sun.security.provider.DSA$SHA224withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA256withDSA",
+ "sun.security.provider.DSA$SHA256withDSA", attrs);
+
+ addWithAlias(p, "Signature", "SHA3-224withDSA",
+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-256withDSA",
+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
+
+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
+
+ addWithAlias(p, "Signature", "SHA384withDSA",
+ "sun.security.provider.DSA$SHA384withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA512withDSA",
+ "sun.security.provider.DSA$SHA512withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-384withDSA",
+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-512withDSA",
+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
+
+ attrs.remove("KeySize");
+
+ add(p, "Signature", "SHA1withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
+ add(p, "Signature", "NONEwithDSAinP1363Format",
+ "sun.security.provider.DSA$RawDSAinP1363Format");
+ add(p, "Signature", "SHA224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
+ add(p, "Signature", "SHA256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
+ add(p, "Signature", "SHA384withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
+ add(p, "Signature", "SHA512withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
+ /*
+ * Key Pair Generator engines
+ */
+ attrs.clear();
+ attrs.put("ImplementedIn", "Software");
+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
+
+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
+
+ /*
+ * Algorithm Parameter Generator engines
+ */
+ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
+ "sun.security.provider.DSAParameterGenerator", attrs);
+ attrs.remove("KeySize");
+
+ /*
+ * Algorithm Parameter engines
+ */
+ addWithAlias(p, "AlgorithmParameters", "DSA",
+ "sun.security.provider.DSAParameters", attrs);
+
+ /*
+ * Key factories
+ */
+ addWithAlias(p, "KeyFactory", "DSA",
+ "sun.security.provider.DSAKeyFactory", attrs);
+
+ /*
+ * Digest engines
+ */
+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
+ attrs);
+
+ addWithAlias(p, "MessageDigest", "SHA-224",
+ "sun.security.provider.SHA2$SHA224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-256",
+ "sun.security.provider.SHA2$SHA256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-384",
+ "sun.security.provider.SHA5$SHA384", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512",
+ "sun.security.provider.SHA5$SHA512", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512/224",
+ "sun.security.provider.SHA5$SHA512_224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512/256",
+ "sun.security.provider.SHA5$SHA512_256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-224",
+ "sun.security.provider.SHA3$SHA224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-256",
+ "sun.security.provider.SHA3$SHA256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-384",
+ "sun.security.provider.SHA3$SHA384", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-512",
+ "sun.security.provider.SHA3$SHA512", attrs);
}
- attrs.put("ImplementedIn", "Software"); - attrs.put("ImplementedIn", "Software");
- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); - add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
- add(p, "SecureRandom", "SHA1PRNG", - add(p, "SecureRandom", "SHA1PRNG",
@ -268,30 +126,133 @@ index 912cad59714..c5e13c98bd9 100644
- attrs.clear(); - attrs.clear();
- attrs.put("ImplementedIn", "Software"); - attrs.put("ImplementedIn", "Software");
- attrs.put("KeySize", "2048"); // for DSA KPG and APG only - attrs.put("KeySize", "2048"); // for DSA KPG and APG only
- + if (!systemFipsEnabled) {
+ /*
+ * SecureRandom engines
+ */
+ attrs.put("ThreadSafe", "true");
+ if (NativePRNG.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNG",
+ "sun.security.provider.NativePRNG", attrs);
+ }
+ if (NativePRNG.Blocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGBlocking",
+ "sun.security.provider.NativePRNG$Blocking", attrs);
+ }
+ if (NativePRNG.NonBlocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGNonBlocking",
+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
+ }
+ attrs.put("ImplementedIn", "Software");
+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
+ add(p, "SecureRandom", "SHA1PRNG",
+ "sun.security.provider.SecureRandom", attrs);
- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; - String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); - dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); - addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
- + /*
+ * Signature engines
+ */
+ attrs.clear();
+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
+ "|java.security.interfaces.DSAPrivateKey";
+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
+ attrs.put("ImplementedIn", "Software");
+
+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
+
+ addWithAlias(p, "Signature", "SHA1withDSA",
+ "sun.security.provider.DSA$SHA1withDSA", attrs);
+ addWithAlias(p, "Signature", "NONEwithDSA",
+ "sun.security.provider.DSA$RawDSA", attrs);
+
+ // for DSA signatures with 224/256-bit digests
+ attrs.put("KeySize", "2048");
+
+ addWithAlias(p, "Signature", "SHA224withDSA",
+ "sun.security.provider.DSA$SHA224withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA256withDSA",
+ "sun.security.provider.DSA$SHA256withDSA", attrs);
+
+ addWithAlias(p, "Signature", "SHA3-224withDSA",
+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-256withDSA",
+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
+
+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
+
+ addWithAlias(p, "Signature", "SHA384withDSA",
+ "sun.security.provider.DSA$SHA384withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA512withDSA",
+ "sun.security.provider.DSA$SHA512withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-384withDSA",
+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-512withDSA",
+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
+
+ attrs.remove("KeySize");
+
+ add(p, "Signature", "SHA1withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
+ add(p, "Signature", "NONEwithDSAinP1363Format",
+ "sun.security.provider.DSA$RawDSAinP1363Format");
+ add(p, "Signature", "SHA224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
+ add(p, "Signature", "SHA256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
+ add(p, "Signature", "SHA384withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
+ add(p, "Signature", "SHA512withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
+ /*
+ * Key Pair Generator engines
+ */
+ attrs.clear();
+ attrs.put("ImplementedIn", "Software");
+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
- /* - /*
- * Algorithm Parameter Generator engines - * Algorithm Parameter Generator engines
- */ - */
- addWithAlias(p, "AlgorithmParameterGenerator", "DSA", - addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
- "sun.security.provider.DSAParameterGenerator", attrs); - "sun.security.provider.DSAParameterGenerator", attrs);
- attrs.remove("KeySize"); - attrs.remove("KeySize");
- + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
- /* - /*
- * Algorithm Parameter engines - * Algorithm Parameter engines
- */ - */
- addWithAlias(p, "AlgorithmParameters", "DSA", - addWithAlias(p, "AlgorithmParameters", "DSA",
- "sun.security.provider.DSAParameters", attrs); - "sun.security.provider.DSAParameters", attrs);
- + /*
+ * Algorithm Parameter Generator engines
+ */
+ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
+ "sun.security.provider.DSAParameterGenerator", attrs);
+ attrs.remove("KeySize");
- /* - /*
- * Key factories - * Key factories
- */ - */
- addWithAlias(p, "KeyFactory", "DSA", - addWithAlias(p, "KeyFactory", "DSA",
- "sun.security.provider.DSAKeyFactory", attrs); - "sun.security.provider.DSAKeyFactory", attrs);
- + /*
+ * Algorithm Parameter engines
+ */
+ addWithAlias(p, "AlgorithmParameters", "DSA",
+ "sun.security.provider.DSAParameters", attrs);
- /* - /*
- * Digest engines - * Digest engines
- */ - */
@ -299,7 +260,12 @@ index 912cad59714..c5e13c98bd9 100644
- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); - add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", - addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
- attrs); - attrs);
- + /*
+ * Key factories
+ */
+ addWithAlias(p, "KeyFactory", "DSA",
+ "sun.security.provider.DSAKeyFactory", attrs);
- addWithAlias(p, "MessageDigest", "SHA-224", - addWithAlias(p, "MessageDigest", "SHA-224",
- "sun.security.provider.SHA2$SHA224", attrs); - "sun.security.provider.SHA2$SHA224", attrs);
- addWithAlias(p, "MessageDigest", "SHA-256", - addWithAlias(p, "MessageDigest", "SHA-256",
@ -320,12 +286,41 @@ index 912cad59714..c5e13c98bd9 100644
- "sun.security.provider.SHA3$SHA384", attrs); - "sun.security.provider.SHA3$SHA384", attrs);
- addWithAlias(p, "MessageDigest", "SHA3-512", - addWithAlias(p, "MessageDigest", "SHA3-512",
- "sun.security.provider.SHA3$SHA512", attrs); - "sun.security.provider.SHA3$SHA512", attrs);
+ /*
+ * Digest engines
+ */
+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
+ attrs);
+
+ addWithAlias(p, "MessageDigest", "SHA-224",
+ "sun.security.provider.SHA2$SHA224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-256",
+ "sun.security.provider.SHA2$SHA256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-384",
+ "sun.security.provider.SHA5$SHA384", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512",
+ "sun.security.provider.SHA5$SHA512", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512/224",
+ "sun.security.provider.SHA5$SHA512_224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512/256",
+ "sun.security.provider.SHA5$SHA512_256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-224",
+ "sun.security.provider.SHA3$SHA224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-256",
+ "sun.security.provider.SHA3$SHA256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-384",
+ "sun.security.provider.SHA3$SHA384", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-512",
+ "sun.security.provider.SHA3$SHA512", attrs);
+ }
/* /*
* Certificates * Certificates
diff --git openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java diff --git openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
index 8c9e4f9dbe6..9eeb3013e0d 100644 index 8c9e4f9dbe6..883dc04758e 100644
--- openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java --- openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
@@ -38,6 +38,7 @@ import java.util.HashMap; @@ -38,6 +38,7 @@ import java.util.HashMap;
import java.util.Iterator; import java.util.Iterator;

View File

@ -5,13 +5,13 @@ Date: Sat Aug 28 00:35:44 2021 +0100
RH1996182: Login to the NSS Software Token in FIPS Mode RH1996182: Login to the NSS Software Token in FIPS Mode
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 39e69362458..aeb5fc2eb46 100644 index 238735c0c8c..dbbf11bbb22 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java --- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java +++ openjdk/src/java.base/share/classes/module-info.java
@@ -151,6 +151,7 @@ module java.base { @@ -152,6 +152,7 @@ module java.base {
java.management,
java.naming, java.naming,
java.rmi, java.rmi,
jdk.charsets,
+ jdk.crypto.cryptoki, + jdk.crypto.cryptoki,
jdk.crypto.ec, jdk.crypto.ec,
jdk.jartool, jdk.jartool,

View File

@ -0,0 +1,28 @@
commit 4ac1a03b3ec73358988553fe9e200130847ea3b4
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Jan 10 20:19:40 2022 +0000
RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
index 5a2c9eb0c46..a1ee182d913 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
@@ -39,6 +39,7 @@ import java.io.FilePermission;
import java.io.ObjectInputStream;
import java.io.RandomAccessFile;
import java.security.ProtectionDomain;
+import java.security.Security;
import java.security.Signature;
/** A repository of "shared secrets", which are a mechanism for
@@ -449,6 +450,9 @@ public class SharedSecrets {
}
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ if (javaSecuritySystemConfiguratorAccess == null) {
+ ensureClassInitialized(Security.class);
+ }
return javaSecuritySystemConfiguratorAccess;
}
}

View File

@ -0,0 +1,24 @@
commit 8f6e35dc9e9289aed290b36e260beeda76986bb5
Author: Fridrich Strba <fstrba@suse.com>
Date: Mon Jan 10 19:32:01 2022 +0000
RH2021263: Return in C code after having generated Java exception
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 38919d6bb0f..caf678a7dd6 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -151,11 +151,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
fips_enabled = fgetc(fe);
fclose(fe);
if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
" read character is '%c'", fips_enabled);

View File

@ -0,0 +1,99 @@
commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:09:27 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index 28ab1846173..f9726741afd 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -61,10 +61,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -206,22 +202,36 @@ public final class Security {
}
}
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties " +
+ "-- using defaults");
+ }
+ }
+
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
"true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
}
}
- if (!loadedProps) {
- initializeStatic();
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
if (sdebug != null) {
- sdebug.println("unable to load security properties " +
- "-- using defaults");
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
}
}
-
}
/*
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 874c6221ebe..b7ed41acf0f 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,213 @@
commit 090ea0389db5c2e0c8ee13652bccd544b17872c2
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Feb 7 15:33:27 2022 +0000
RH2051605: Detect NSS at Runtime for FIPS detection
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index caf678a7dd6..8dcb7d9073f 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -23,26 +23,37 @@
* questions.
*/
-#include <dlfcn.h>
#include <jni.h>
#include <jni_util.h>
+#include "jvm_md.h"
#include <stdio.h>
#ifdef SYSCONF_NSS
#include <nss3/pk11pub.h>
+#else
+#include <dlfcn.h>
#endif //SYSCONF_NSS
#include "java_security_SystemConfigurator.h"
-#define MSG_MAX_SIZE 96
+#define MSG_MAX_SIZE 256
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
-#ifndef SYSCONF_NSS
-
-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
static void throwIOException(JNIEnv *env, const char *msg)
{
@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg)
(*env)->ThrowNew(env, cls, msg);
}
-#endif
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
+{
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "systemconf: cannot render message");
+ }
+}
-static void dbgPrint(JNIEnv *env, const char* msg)
+// Only used when NSS is not linked at build time
+#ifndef SYSCONF_NSS
+
+static void *nss_handle;
+
+static jboolean loadNSS(JNIEnv *env)
{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
- }
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
+ if (nss_handle == NULL) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ dlerror(); /* Clear errors */
+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
+ if ((errmsg = dlerror()) != NULL) {
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+static void closeNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ if (dlclose(nss_handle) != 0) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ }
}
+#endif
+
/*
* Class: java_security_SystemConfigurator
* Method: JNI_OnLoad
@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
debugObj = (*env)->NewGlobalRef(env, debugObj);
}
+#ifdef SYSCONF_NSS
+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
+#else
+ if (loadNSS(env) == JNI_FALSE) {
+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
+ }
+#endif
+
return (*env)->GetVersion(env);
}
@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
return; /* Should not happen */
}
+#ifndef SYSCONF_NSS
+ closeNSS(env);
+#endif
(*env)->DeleteGlobalRef(env, debugObj);
}
}
@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
char msg[MSG_MAX_SIZE];
int msg_bytes;
-#ifdef SYSCONF_NSS
-
- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
- fips_enabled = SECMOD_GetSystemFIPSEnabled();
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
+ if (getSystemFIPSEnabled != NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = (*getSystemFIPSEnabled)();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
} else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " SECMOD_GetSystemFIPSEnabled return value");
- }
- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+ FILE *fe;
-#else // SYSCONF_NSS
-
- FILE *fe;
-
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
return JNI_FALSE;
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
}
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
- } else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " read character");
- }
- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-
-#endif // SYSCONF_NSS
}

File diff suppressed because it is too large Load Diff