Update FIPS support to bring in latest changes
* Add nss.fips.cfg support to OpenJDK tree * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode * Remove forgotten dead code from RH2020290 and RH2104724 Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
This commit is contained in:
parent
9253c5fd01
commit
fc0191002b
@ -1,9 +1,33 @@
|
|||||||
|
diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4
|
||||||
|
index 5f4b22bb27f..1ca9f5b8ffe 100644
|
||||||
|
--- a/make/autoconf/build-aux/pkg.m4
|
||||||
|
+++ b/make/autoconf/build-aux/pkg.m4
|
||||||
|
@@ -179,3 +179,19 @@ else
|
||||||
|
ifelse([$3], , :, [$3])
|
||||||
|
fi[]dnl
|
||||||
|
])# PKG_CHECK_MODULES
|
||||||
|
+
|
||||||
|
+dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
|
||||||
|
+dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
|
||||||
|
+dnl -------------------------------------------
|
||||||
|
+dnl Since: 0.28
|
||||||
|
+dnl
|
||||||
|
+dnl Retrieves the value of the pkg-config variable for the given module.
|
||||||
|
+AC_DEFUN([PKG_CHECK_VAR],
|
||||||
|
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
|
||||||
|
+AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
|
||||||
|
+
|
||||||
|
+_PKG_CONFIG([$1], [variable="][$3]["], [$2])
|
||||||
|
+AS_VAR_COPY([$1], [pkg_cv_][$1])
|
||||||
|
+
|
||||||
|
+AS_VAR_IF([$1], [""], [$5], [$4])dnl
|
||||||
|
+])dnl PKG_CHECK_VAR
|
||||||
diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4
|
diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 00000000000..b2b1c1787da
|
index 00000000000..f48fc7f7e80
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/make/autoconf/lib-sysconf.m4
|
+++ b/make/autoconf/lib-sysconf.m4
|
||||||
@@ -0,0 +1,84 @@
|
@@ -0,0 +1,87 @@
|
||||||
+#
|
+#
|
||||||
+# Copyright (c) 2021, Red Hat, Inc.
|
+# Copyright (c) 2021, Red Hat, Inc.
|
||||||
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
@ -38,8 +62,10 @@ index 00000000000..b2b1c1787da
|
|||||||
+ #
|
+ #
|
||||||
+ # Check for the NSS library
|
+ # Check for the NSS library
|
||||||
+ #
|
+ #
|
||||||
|
+ AC_MSG_CHECKING([for NSS library directory])
|
||||||
|
+ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])])
|
||||||
+
|
+
|
||||||
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
|
+ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)])
|
||||||
+
|
+
|
||||||
+ # default is not available
|
+ # default is not available
|
||||||
+ DEFAULT_SYSCONF_NSS=no
|
+ DEFAULT_SYSCONF_NSS=no
|
||||||
@ -87,6 +113,7 @@ index 00000000000..b2b1c1787da
|
|||||||
+ fi
|
+ fi
|
||||||
+ fi
|
+ fi
|
||||||
+ AC_SUBST(USE_SYSCONF_NSS)
|
+ AC_SUBST(USE_SYSCONF_NSS)
|
||||||
|
+ AC_SUBST(NSS_LIBDIR)
|
||||||
+])
|
+])
|
||||||
diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
|
diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
|
||||||
index a65d91ee974..a8f054c1397 100644
|
index a65d91ee974..a8f054c1397 100644
|
||||||
@ -109,20 +136,43 @@ index a65d91ee974..a8f054c1397 100644
|
|||||||
BASIC_JDKLIB_LIBS=""
|
BASIC_JDKLIB_LIBS=""
|
||||||
if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
|
if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
|
||||||
diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
|
diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
|
||||||
index c2c9c4adf3a..9d105b37acf 100644
|
index d557549adb3..1cb44bd2595 100644
|
||||||
--- a/make/autoconf/spec.gmk.in
|
--- a/make/autoconf/spec.gmk.in
|
||||||
+++ b/make/autoconf/spec.gmk.in
|
+++ b/make/autoconf/spec.gmk.in
|
||||||
@@ -836,6 +836,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
|
@@ -840,6 +840,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@
|
||||||
# Libraries
|
# Libraries
|
||||||
#
|
#
|
||||||
|
|
||||||
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
|
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
|
||||||
+NSS_LIBS:=@NSS_LIBS@
|
+NSS_LIBS:=@NSS_LIBS@
|
||||||
+NSS_CFLAGS:=@NSS_CFLAGS@
|
+NSS_CFLAGS:=@NSS_CFLAGS@
|
||||||
|
+NSS_LIBDIR:=@NSS_LIBDIR@
|
||||||
+
|
+
|
||||||
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
|
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
|
||||||
LCMS_CFLAGS:=@LCMS_CFLAGS@
|
LCMS_CFLAGS:=@LCMS_CFLAGS@
|
||||||
LCMS_LIBS:=@LCMS_LIBS@
|
LCMS_LIBS:=@LCMS_LIBS@
|
||||||
|
diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk
|
||||||
|
index 4b894eeae4a..51567071aa8 100644
|
||||||
|
--- a/make/modules/java.base/Gendata.gmk
|
||||||
|
+++ b/make/modules/java.base/Gendata.gmk
|
||||||
|
@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST
|
||||||
|
TARGETS += $(GENDATA_JAVA_SECURITY)
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
+
|
||||||
|
+GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in
|
||||||
|
+GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg
|
||||||
|
+
|
||||||
|
+$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC)
|
||||||
|
+ $(call LogInfo, Generating nss.fips.cfg)
|
||||||
|
+ $(call MakeTargetDir)
|
||||||
|
+ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \
|
||||||
|
+ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+TARGETS += $(GENDATA_NSS_FIPS_CFG)
|
||||||
|
+
|
||||||
|
+################################################################################
|
||||||
diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk
|
diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk
|
||||||
index 5658ff342e5..c8bc5bde1e1 100644
|
index 5658ff342e5..c8bc5bde1e1 100644
|
||||||
--- a/make/modules/java.base/Lib.gmk
|
--- a/make/modules/java.base/Lib.gmk
|
||||||
@ -1771,7 +1821,7 @@ index f6d3638c3dd..a1ee182d913 100644
|
|||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
|
diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
|
||||||
index 63bb580eb3a..dbbf11bbb22 100644
|
index 9faee9cae36..27f43550aa4 100644
|
||||||
--- a/src/java.base/share/classes/module-info.java
|
--- a/src/java.base/share/classes/module-info.java
|
||||||
+++ b/src/java.base/share/classes/module-info.java
|
+++ b/src/java.base/share/classes/module-info.java
|
||||||
@@ -152,6 +152,8 @@ module java.base {
|
@@ -152,6 +152,8 @@ module java.base {
|
||||||
@ -2193,18 +2243,6 @@ index ca79f25cc44..225517ac69b 100644
|
|||||||
addA(p, "AlgorithmParameters", "RSASSA-PSS",
|
addA(p, "AlgorithmParameters", "RSASSA-PSS",
|
||||||
"sun.security.rsa.PSSParameters", null);
|
"sun.security.rsa.PSSParameters", null);
|
||||||
}
|
}
|
||||||
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
|
|
||||||
index 6ffdfeda18d..82e896170f0 100644
|
|
||||||
--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
|
|
||||||
+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
|
|
||||||
@@ -32,6 +32,7 @@ import java.security.cert.*;
|
|
||||||
import java.util.*;
|
|
||||||
import java.util.concurrent.locks.ReentrantLock;
|
|
||||||
import javax.net.ssl.*;
|
|
||||||
+import jdk.internal.access.SharedSecrets;
|
|
||||||
import sun.security.action.GetPropertyAction;
|
|
||||||
import sun.security.provider.certpath.AlgorithmChecker;
|
|
||||||
import sun.security.validator.Validator;
|
|
||||||
diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java
|
diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 00000000000..dc8bc72fccb
|
index 00000000000..dc8bc72fccb
|
||||||
@ -2509,7 +2547,7 @@ index 00000000000..dc8bc72fccb
|
|||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
|
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
|
||||||
index 6d91e3f8e4e..f357b630460 100644
|
index 63be286686d..b0a589c3fb4 100644
|
||||||
--- a/src/java.base/share/conf/security/java.security
|
--- a/src/java.base/share/conf/security/java.security
|
||||||
+++ b/src/java.base/share/conf/security/java.security
|
+++ b/src/java.base/share/conf/security/java.security
|
||||||
@@ -79,6 +79,16 @@ security.provider.tbd=Apple
|
@@ -79,6 +79,16 @@ security.provider.tbd=Apple
|
||||||
@ -2529,7 +2567,7 @@ index 6d91e3f8e4e..f357b630460 100644
|
|||||||
#
|
#
|
||||||
# A list of preferred providers for specific algorithms. These providers will
|
# A list of preferred providers for specific algorithms. These providers will
|
||||||
# be searched for matching algorithms before the list of registered providers.
|
# be searched for matching algorithms before the list of registered providers.
|
||||||
@@ -289,6 +299,11 @@ policy.ignoreIdentityScope=false
|
@@ -289,6 +299,47 @@ policy.ignoreIdentityScope=false
|
||||||
#
|
#
|
||||||
keystore.type=pkcs12
|
keystore.type=pkcs12
|
||||||
|
|
||||||
@ -2537,11 +2575,47 @@ index 6d91e3f8e4e..f357b630460 100644
|
|||||||
+# Default keystore type used when global crypto-policies are set to FIPS.
|
+# Default keystore type used when global crypto-policies are set to FIPS.
|
||||||
+#
|
+#
|
||||||
+fips.keystore.type=pkcs12
|
+fips.keystore.type=pkcs12
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Location of the NSS DB keystore (PKCS11) in FIPS mode.
|
||||||
|
+#
|
||||||
|
+# The syntax for this property is identical to the 'nssSecmodDirectory'
|
||||||
|
+# attribute available in the SunPKCS11 NSS configuration file. Use the
|
||||||
|
+# 'sql:' prefix to refer to an SQLite DB.
|
||||||
|
+#
|
||||||
|
+# If the system property fips.nssdb.path is also specified, it supersedes
|
||||||
|
+# the security property value defined here.
|
||||||
|
+#
|
||||||
|
+# Note: the default value for this property points to an NSS DB that might be
|
||||||
|
+# readable by multiple operating system users and unsuitable to store keys.
|
||||||
|
+#
|
||||||
|
+fips.nssdb.path=sql:/etc/pki/nssdb
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# PIN for the NSS DB keystore (PKCS11) in FIPS mode.
|
||||||
|
+#
|
||||||
|
+# Values must take any of the following forms:
|
||||||
|
+# 1) pin:<value>
|
||||||
|
+# Value: clear text PIN value.
|
||||||
|
+# 2) env:<value>
|
||||||
|
+# Value: environment variable containing the PIN value.
|
||||||
|
+# 3) file:<value>
|
||||||
|
+# Value: path to a file containing the PIN value in its first
|
||||||
|
+# line.
|
||||||
|
+#
|
||||||
|
+# If the system property fips.nssdb.pin is also specified, it supersedes
|
||||||
|
+# the security property value defined here.
|
||||||
|
+#
|
||||||
|
+# When used as a system property, UTF-8 encoded values are valid. When
|
||||||
|
+# used as a security property (such as in this file), encode non-Basic
|
||||||
|
+# Latin Unicode characters with \uXXXX.
|
||||||
|
+#
|
||||||
|
+fips.nssdb.pin=pin:
|
||||||
+
|
+
|
||||||
#
|
#
|
||||||
# Controls compatibility mode for JKS and PKCS12 keystore types.
|
# Controls compatibility mode for JKS and PKCS12 keystore types.
|
||||||
#
|
#
|
||||||
@@ -326,6 +341,13 @@ package.definition=sun.misc.,\
|
@@ -326,6 +377,13 @@ package.definition=sun.misc.,\
|
||||||
#
|
#
|
||||||
security.overridePropertiesFile=true
|
security.overridePropertiesFile=true
|
||||||
|
|
||||||
@ -2555,6 +2629,20 @@ index 6d91e3f8e4e..f357b630460 100644
|
|||||||
#
|
#
|
||||||
# Determines the default key and trust manager factory algorithms for
|
# Determines the default key and trust manager factory algorithms for
|
||||||
# the javax.net.ssl package.
|
# the javax.net.ssl package.
|
||||||
|
diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..55bbba98b7a
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/java.base/share/conf/security/nss.fips.cfg.in
|
||||||
|
@@ -0,0 +1,8 @@
|
||||||
|
+name = NSS-FIPS
|
||||||
|
+nssLibraryDirectory = @NSS_LIBDIR@
|
||||||
|
+nssSecmodDirectory = ${fips.nssdb.path}
|
||||||
|
+nssDbMode = readWrite
|
||||||
|
+nssModule = fips
|
||||||
|
+
|
||||||
|
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
|
||||||
|
+
|
||||||
diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
|
diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
|
||||||
index b22f26947af..3ee2ce6ea88 100644
|
index b22f26947af..3ee2ce6ea88 100644
|
||||||
--- a/src/java.base/share/lib/security/default.policy
|
--- a/src/java.base/share/lib/security/default.policy
|
||||||
@ -2819,10 +2907,10 @@ index 00000000000..ddf9befe5bc
|
|||||||
+#endif
|
+#endif
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 00000000000..8cfa2734d4e
|
index 00000000000..d3f0bffb821
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
||||||
@@ -0,0 +1,461 @@
|
@@ -0,0 +1,457 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2021, Red Hat, Inc.
|
+ * Copyright (c) 2021, Red Hat, Inc.
|
||||||
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
@ -2897,9 +2985,6 @@ index 00000000000..8cfa2734d4e
|
|||||||
+ private static volatile Provider sunECProvider = null;
|
+ private static volatile Provider sunECProvider = null;
|
||||||
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
|
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
|
||||||
+
|
+
|
||||||
+ private static volatile KeyFactory DHKF = null;
|
|
||||||
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
|
|
||||||
+
|
|
||||||
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
|
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
|
||||||
+ throws PKCS11Exception {
|
+ throws PKCS11Exception {
|
||||||
+ long keyID = -1;
|
+ long keyID = -1;
|
||||||
@ -3144,8 +3229,7 @@ index 00000000000..8cfa2734d4e
|
|||||||
+ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
|
+ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
|
||||||
+ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
|
+ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
|
||||||
+ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
|
+ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
|
||||||
+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey
|
+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey);
|
||||||
+ );
|
|
||||||
+ CK_ATTRIBUTE attr;
|
+ CK_ATTRIBUTE attr;
|
||||||
+ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
|
+ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
|
||||||
+ attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
|
+ attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
|
||||||
@ -3284,6 +3368,162 @@ index 00000000000..8cfa2734d4e
|
|||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..f8d505ca815
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
|
||||||
|
@@ -0,0 +1,149 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright (c) 2022, Red Hat, Inc.
|
||||||
|
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
|
+ *
|
||||||
|
+ * This code is free software; you can redistribute it and/or modify it
|
||||||
|
+ * under the terms of the GNU General Public License version 2 only, as
|
||||||
|
+ * published by the Free Software Foundation. Oracle designates this
|
||||||
|
+ * particular file as subject to the "Classpath" exception as provided
|
||||||
|
+ * by Oracle in the LICENSE file that accompanied this code.
|
||||||
|
+ *
|
||||||
|
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
||||||
|
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
+ * version 2 for more details (a copy is included in the LICENSE file that
|
||||||
|
+ * accompanied this code).
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License version
|
||||||
|
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
||||||
|
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
+ *
|
||||||
|
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||||
|
+ * or visit www.oracle.com if you need additional information or have any
|
||||||
|
+ * questions.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+package sun.security.pkcs11;
|
||||||
|
+
|
||||||
|
+import java.io.BufferedReader;
|
||||||
|
+import java.io.ByteArrayInputStream;
|
||||||
|
+import java.io.InputStream;
|
||||||
|
+import java.io.InputStreamReader;
|
||||||
|
+import java.io.IOException;
|
||||||
|
+import java.nio.charset.StandardCharsets;
|
||||||
|
+import java.nio.file.Files;
|
||||||
|
+import java.nio.file.Path;
|
||||||
|
+import java.nio.file.Paths;
|
||||||
|
+import java.nio.file.StandardOpenOption;
|
||||||
|
+import java.security.ProviderException;
|
||||||
|
+
|
||||||
|
+import javax.security.auth.callback.Callback;
|
||||||
|
+import javax.security.auth.callback.CallbackHandler;
|
||||||
|
+import javax.security.auth.callback.PasswordCallback;
|
||||||
|
+import javax.security.auth.callback.UnsupportedCallbackException;
|
||||||
|
+
|
||||||
|
+import sun.security.util.Debug;
|
||||||
|
+import sun.security.util.SecurityProperties;
|
||||||
|
+
|
||||||
|
+final class FIPSTokenLoginHandler implements CallbackHandler {
|
||||||
|
+
|
||||||
|
+ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
|
||||||
|
+
|
||||||
|
+ private static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||||
|
+
|
||||||
|
+ public void handle(Callback[] callbacks)
|
||||||
|
+ throws IOException, UnsupportedCallbackException {
|
||||||
|
+ if (!(callbacks[0] instanceof PasswordCallback)) {
|
||||||
|
+ throw new UnsupportedCallbackException(callbacks[0]);
|
||||||
|
+ }
|
||||||
|
+ PasswordCallback pc = (PasswordCallback)callbacks[0];
|
||||||
|
+ pc.setPassword(getFipsNssdbPin());
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ private static char[] getFipsNssdbPin() throws ProviderException {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("FIPS: Reading NSS DB PIN for token...");
|
||||||
|
+ }
|
||||||
|
+ String pinProp = SecurityProperties
|
||||||
|
+ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP);
|
||||||
|
+ if (pinProp != null && !pinProp.isEmpty()) {
|
||||||
|
+ String[] pinPropParts = pinProp.split(":", 2);
|
||||||
|
+ if (pinPropParts.length < 2) {
|
||||||
|
+ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP +
|
||||||
|
+ " property value.");
|
||||||
|
+ }
|
||||||
|
+ String prefix = pinPropParts[0].toLowerCase();
|
||||||
|
+ String value = pinPropParts[1];
|
||||||
|
+ String pin = null;
|
||||||
|
+ if (prefix.equals("env")) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("FIPS: PIN value from the '" + value +
|
||||||
|
+ "' environment variable.");
|
||||||
|
+ }
|
||||||
|
+ pin = System.getenv(value);
|
||||||
|
+ } else if (prefix.equals("file")) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("FIPS: PIN value from the '" + value +
|
||||||
|
+ "' file.");
|
||||||
|
+ }
|
||||||
|
+ pin = getPinFromFile(Paths.get(value));
|
||||||
|
+ } else if (prefix.equals("pin")) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("FIPS: PIN value from the " +
|
||||||
|
+ FIPS_NSSDB_PIN_PROP + " property.");
|
||||||
|
+ }
|
||||||
|
+ pin = value;
|
||||||
|
+ } else {
|
||||||
|
+ throw new ProviderException("Unsupported prefix for " +
|
||||||
|
+ FIPS_NSSDB_PIN_PROP + ".");
|
||||||
|
+ }
|
||||||
|
+ if (pin != null && !pin.isEmpty()) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("FIPS: non-empty PIN.");
|
||||||
|
+ }
|
||||||
|
+ /*
|
||||||
|
+ * C_Login in libj2pkcs11 receives the PIN in a char[] and
|
||||||
|
+ * discards the upper byte of each char, before passing
|
||||||
|
+ * the value to the NSS Software Token. However, the
|
||||||
|
+ * NSS Software Token accepts any UTF-8 PIN value. Thus,
|
||||||
|
+ * expand the PIN here to account for later truncation.
|
||||||
|
+ */
|
||||||
|
+ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8);
|
||||||
|
+ char[] pinChar = new char[pinUtf8.length];
|
||||||
|
+ for (int i = 0; i < pinChar.length; i++) {
|
||||||
|
+ pinChar[i] = (char)(pinUtf8[i] & 0xFF);
|
||||||
|
+ }
|
||||||
|
+ return pinChar;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("FIPS: empty PIN.");
|
||||||
|
+ }
|
||||||
|
+ return null;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * This method extracts the token PIN from the first line of a password
|
||||||
|
+ * file in the same way as NSS modutil. See for example the -newpwfile
|
||||||
|
+ * argument used to change the password for an NSS DB.
|
||||||
|
+ */
|
||||||
|
+ private static String getPinFromFile(Path f) throws ProviderException {
|
||||||
|
+ try (InputStream is =
|
||||||
|
+ Files.newInputStream(f, StandardOpenOption.READ)) {
|
||||||
|
+ /*
|
||||||
|
+ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil,
|
||||||
|
+ * reads up to 4096 bytes. In addition, the NSS Software Token
|
||||||
|
+ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN
|
||||||
|
+ * in nss/lib/softoken/pkcs11i.h).
|
||||||
|
+ */
|
||||||
|
+ BufferedReader in =
|
||||||
|
+ new BufferedReader(new InputStreamReader(
|
||||||
|
+ new ByteArrayInputStream(is.readNBytes(4096)),
|
||||||
|
+ StandardCharsets.UTF_8));
|
||||||
|
+ return in.readLine();
|
||||||
|
+ } catch (IOException ioe) {
|
||||||
|
+ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP +
|
||||||
|
+ " from the '" + f + "' file.", ioe);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
\ No newline at end of file
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
||||||
index 9b69072280e..5696b904979 100644
|
index 9b69072280e..5696b904979 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
||||||
@ -3597,7 +3837,7 @@ index 00000000000..ae4262703e6
|
|||||||
+
|
+
|
||||||
+}
|
+}
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
|
||||||
index c98960f7fcc..c14319a5356 100644
|
index 8d1b8ccb0ae..950ed20cf62 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
|
||||||
@@ -31,6 +31,7 @@ import java.security.*;
|
@@ -31,6 +31,7 @@ import java.security.*;
|
||||||
@ -3608,7 +3848,7 @@ index c98960f7fcc..c14319a5356 100644
|
|||||||
import javax.crypto.spec.*;
|
import javax.crypto.spec.*;
|
||||||
|
|
||||||
import static sun.security.pkcs11.TemplateManager.*;
|
import static sun.security.pkcs11.TemplateManager.*;
|
||||||
@@ -193,6 +194,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
@@ -194,6 +195,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
||||||
return p11Key;
|
return p11Key;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3737,7 +3977,7 @@ index c98960f7fcc..c14319a5356 100644
|
|||||||
static void fixDESParity(byte[] key, int offset) {
|
static void fixDESParity(byte[] key, int offset) {
|
||||||
for (int i = 0; i < 8; i++) {
|
for (int i = 0; i < 8; i++) {
|
||||||
int b = key[offset] & 0xfe;
|
int b = key[offset] & 0xfe;
|
||||||
@@ -319,6 +442,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
@@ -320,6 +443,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
||||||
keySpec = new SecretKeySpec(keyBytes, "DESede");
|
keySpec = new SecretKeySpec(keyBytes, "DESede");
|
||||||
return engineGenerateSecret(keySpec);
|
return engineGenerateSecret(keySpec);
|
||||||
}
|
}
|
||||||
@ -3747,7 +3987,7 @@ index c98960f7fcc..c14319a5356 100644
|
|||||||
}
|
}
|
||||||
throw new InvalidKeySpecException
|
throw new InvalidKeySpecException
|
||||||
("Unsupported spec: " + keySpec.getClass().getName());
|
("Unsupported spec: " + keySpec.getClass().getName());
|
||||||
@@ -372,6 +498,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
@@ -373,6 +499,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
||||||
// see JCE spec
|
// see JCE spec
|
||||||
protected SecretKey engineTranslateKey(SecretKey key)
|
protected SecretKey engineTranslateKey(SecretKey key)
|
||||||
throws InvalidKeyException {
|
throws InvalidKeyException {
|
||||||
@ -3880,7 +4120,7 @@ index 262cfc062ad..72b64f72c0a 100644
|
|||||||
Provider p = sun;
|
Provider p = sun;
|
||||||
if (p == null) {
|
if (p == null) {
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
index 112b639aa96..3e170b4c115 100644
|
index aa35e8fa668..f4d7c9cc201 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
@@ -26,6 +26,9 @@
|
@@ -26,6 +26,9 @@
|
||||||
@ -3893,7 +4133,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
import java.util.*;
|
import java.util.*;
|
||||||
|
|
||||||
import java.security.*;
|
import java.security.*;
|
||||||
@@ -42,6 +45,7 @@ import javax.security.auth.callback.PasswordCallback;
|
@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback;
|
||||||
|
|
||||||
import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
|
import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
|
||||||
|
|
||||||
@ -3901,7 +4141,12 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
import jdk.internal.misc.InnocuousThread;
|
import jdk.internal.misc.InnocuousThread;
|
||||||
import sun.security.util.Debug;
|
import sun.security.util.Debug;
|
||||||
import sun.security.util.ResourcesMgr;
|
import sun.security.util.ResourcesMgr;
|
||||||
@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
|
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
||||||
|
+import sun.security.util.SecurityProperties;
|
||||||
|
import static sun.security.util.SecurityProviderConstants.getAliases;
|
||||||
|
|
||||||
|
import sun.security.pkcs11.Secmod.*;
|
||||||
|
@@ -62,6 +67,39 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
|
||||||
*/
|
*/
|
||||||
public final class SunPKCS11 extends AuthProvider {
|
public final class SunPKCS11 extends AuthProvider {
|
||||||
|
|
||||||
@ -3935,11 +4180,32 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
+ fipsImportKey = fipsImportKeyTmp;
|
+ fipsImportKey = fipsImportKeyTmp;
|
||||||
+ fipsExportKey = fipsExportKeyTmp;
|
+ fipsExportKey = fipsExportKeyTmp;
|
||||||
+ }
|
+ }
|
||||||
|
+
|
||||||
|
+ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
|
||||||
+
|
+
|
||||||
private static final long serialVersionUID = -1354835039035306505L;
|
private static final long serialVersionUID = -1354835039035306505L;
|
||||||
|
|
||||||
static final Debug debug = Debug.getInstance("sunpkcs11");
|
static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||||
@@ -320,10 +355,19 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -115,6 +153,18 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
|
return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
|
||||||
|
@Override
|
||||||
|
public SunPKCS11 run() throws Exception {
|
||||||
|
+ if (systemFipsEnabled) {
|
||||||
|
+ /*
|
||||||
|
+ * The nssSecmodDirectory attribute in the SunPKCS11
|
||||||
|
+ * NSS configuration file takes the value of the
|
||||||
|
+ * fips.nssdb.path System property after expansion.
|
||||||
|
+ * Security properties expansion is unsupported.
|
||||||
|
+ */
|
||||||
|
+ System.setProperty(
|
||||||
|
+ FIPS_NSSDB_PATH_PROP,
|
||||||
|
+ SecurityProperties.privilegedGetOverridable(
|
||||||
|
+ FIPS_NSSDB_PATH_PROP));
|
||||||
|
+ }
|
||||||
|
return new SunPKCS11(new Config(newConfigName));
|
||||||
|
}
|
||||||
|
});
|
||||||
|
@@ -320,10 +370,19 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
// request multithreaded access first
|
// request multithreaded access first
|
||||||
initArgs.flags = CKF_OS_LOCKING_OK;
|
initArgs.flags = CKF_OS_LOCKING_OK;
|
||||||
PKCS11 tmpPKCS11;
|
PKCS11 tmpPKCS11;
|
||||||
@ -3960,7 +4226,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
} catch (PKCS11Exception e) {
|
} catch (PKCS11Exception e) {
|
||||||
if (debug != null) {
|
if (debug != null) {
|
||||||
debug.println("Multi-threaded initialization failed: " + e);
|
debug.println("Multi-threaded initialization failed: " + e);
|
||||||
@@ -339,11 +383,12 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -339,11 +398,12 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
initArgs.flags = 0;
|
initArgs.flags = 0;
|
||||||
}
|
}
|
||||||
tmpPKCS11 = PKCS11.getInstance(library,
|
tmpPKCS11 = PKCS11.getInstance(library,
|
||||||
@ -3975,32 +4241,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
if (p11Info.cryptokiVersion.major < 2) {
|
if (p11Info.cryptokiVersion.major < 2) {
|
||||||
throw new ProviderException("Only PKCS#11 v2.0 and later "
|
throw new ProviderException("Only PKCS#11 v2.0 and later "
|
||||||
+ "supported, library version is v" + p11Info.cryptokiVersion);
|
+ "supported, library version is v" + p11Info.cryptokiVersion);
|
||||||
@@ -379,6 +424,24 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -417,14 +477,19 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
if (nssModule != null) {
|
|
||||||
nssModule.setProvider(this);
|
|
||||||
}
|
|
||||||
+ if (systemFipsEnabled) {
|
|
||||||
+ // The NSS Software Token in FIPS 140-2 mode requires a user
|
|
||||||
+ // login for most operations. See sftk_fipsCheck. The NSS DB
|
|
||||||
+ // (/etc/pki/nssdb) PIN is empty.
|
|
||||||
+ Session session = null;
|
|
||||||
+ try {
|
|
||||||
+ session = token.getOpSession();
|
|
||||||
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
|
|
||||||
+ } catch (PKCS11Exception p11e) {
|
|
||||||
+ if (debug != null) {
|
|
||||||
+ debug.println("Error during token login: " +
|
|
||||||
+ p11e.getMessage());
|
|
||||||
+ }
|
|
||||||
+ throw p11e;
|
|
||||||
+ } finally {
|
|
||||||
+ token.releaseSession(session);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
} catch (Exception e) {
|
|
||||||
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
|
|
||||||
throw new UnsupportedOperationException
|
|
||||||
@@ -417,14 +480,19 @@ public final class SunPKCS11 extends AuthProvider {
|
|
||||||
final String className;
|
final String className;
|
||||||
final List<String> aliases;
|
final List<String> aliases;
|
||||||
final int[] mechanisms;
|
final int[] mechanisms;
|
||||||
@ -4021,7 +4262,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
}
|
}
|
||||||
private P11Service service(Token token, int mechanism) {
|
private P11Service service(Token token, int mechanism) {
|
||||||
return new P11Service
|
return new P11Service
|
||||||
@@ -458,18 +526,29 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -458,18 +523,29 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
|
|
||||||
private static void d(String type, String algorithm, String className,
|
private static void d(String type, String algorithm, String className,
|
||||||
int[] m) {
|
int[] m) {
|
||||||
@ -4054,7 +4295,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
private static void register(Descriptor d) {
|
private static void register(Descriptor d) {
|
||||||
@@ -525,6 +604,7 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -525,6 +601,7 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
String P11Cipher = "sun.security.pkcs11.P11Cipher";
|
String P11Cipher = "sun.security.pkcs11.P11Cipher";
|
||||||
String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
|
String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
|
||||||
String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher";
|
String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher";
|
||||||
@ -4062,7 +4303,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
String P11Signature = "sun.security.pkcs11.P11Signature";
|
String P11Signature = "sun.security.pkcs11.P11Signature";
|
||||||
String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature";
|
String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature";
|
||||||
|
|
||||||
@@ -587,6 +667,30 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -587,6 +664,30 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
d(MAC, "SslMacSHA1", P11Mac,
|
d(MAC, "SslMacSHA1", P11Mac,
|
||||||
m(CKM_SSL3_SHA1_MAC));
|
m(CKM_SSL3_SHA1_MAC));
|
||||||
|
|
||||||
@ -4093,7 +4334,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
d(KPG, "RSA", P11KeyPairGenerator,
|
d(KPG, "RSA", P11KeyPairGenerator,
|
||||||
getAliases("PKCS1"),
|
getAliases("PKCS1"),
|
||||||
m(CKM_RSA_PKCS_KEY_PAIR_GEN));
|
m(CKM_RSA_PKCS_KEY_PAIR_GEN));
|
||||||
@@ -685,6 +789,66 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -685,6 +786,66 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
d(SKF, "ChaCha20", P11SecretKeyFactory,
|
d(SKF, "ChaCha20", P11SecretKeyFactory,
|
||||||
m(CKM_CHACHA20_POLY1305));
|
m(CKM_CHACHA20_POLY1305));
|
||||||
|
|
||||||
@ -4160,7 +4401,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
// XXX attributes for Ciphers (supported modes, padding)
|
// XXX attributes for Ciphers (supported modes, padding)
|
||||||
dA(CIP, "ARCFOUR", P11Cipher,
|
dA(CIP, "ARCFOUR", P11Cipher,
|
||||||
m(CKM_RC4));
|
m(CKM_RC4));
|
||||||
@@ -754,6 +918,46 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -754,6 +915,46 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
d(CIP, "RSA/ECB/NoPadding", P11RSACipher,
|
d(CIP, "RSA/ECB/NoPadding", P11RSACipher,
|
||||||
m(CKM_RSA_X_509));
|
m(CKM_RSA_X_509));
|
||||||
|
|
||||||
@ -4207,7 +4448,7 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
d(SIG, "RawDSA", P11Signature,
|
d(SIG, "RawDSA", P11Signature,
|
||||||
List.of("NONEwithDSA"),
|
List.of("NONEwithDSA"),
|
||||||
m(CKM_DSA));
|
m(CKM_DSA));
|
||||||
@@ -1144,9 +1348,21 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -1144,9 +1345,21 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
if (ds == null) {
|
if (ds == null) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@ -4229,7 +4470,35 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
supportedAlgs.put(d, integerMech);
|
supportedAlgs.put(d, integerMech);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@@ -1244,6 +1460,8 @@ public final class SunPKCS11 extends AuthProvider {
|
@@ -1225,6 +1438,27 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
|
if (token.isValid() == false) {
|
||||||
|
throw new NoSuchAlgorithmException("Token has been removed");
|
||||||
|
}
|
||||||
|
+ if (systemFipsEnabled && !token.fipsLoggedIn &&
|
||||||
|
+ !getType().equals("KeyStore")) {
|
||||||
|
+ /*
|
||||||
|
+ * The NSS Software Token in FIPS 140-2 mode requires a
|
||||||
|
+ * user login for most operations. See sftk_fipsCheck
|
||||||
|
+ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore
|
||||||
|
+ * service, let the caller perform the login with
|
||||||
|
+ * KeyStore::load. Keytool, for example, does this to pass a
|
||||||
|
+ * PIN from either the -srcstorepass or -deststorepass
|
||||||
|
+ * argument. In case of a non-KeyStore service, perform the
|
||||||
|
+ * login now with the PIN available in the fips.nssdb.pin
|
||||||
|
+ * property.
|
||||||
|
+ */
|
||||||
|
+ try {
|
||||||
|
+ token.ensureLoggedIn(null);
|
||||||
|
+ } catch (PKCS11Exception | LoginException e) {
|
||||||
|
+ throw new ProviderException("FIPS: error during the Token" +
|
||||||
|
+ " login required for the " + getType() +
|
||||||
|
+ " service.", e);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
try {
|
||||||
|
return newInstance0(param);
|
||||||
|
} catch (PKCS11Exception e) {
|
||||||
|
@@ -1244,6 +1478,8 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
} else if (algorithm.endsWith("GCM/NoPadding") ||
|
} else if (algorithm.endsWith("GCM/NoPadding") ||
|
||||||
algorithm.startsWith("ChaCha20-Poly1305")) {
|
algorithm.startsWith("ChaCha20-Poly1305")) {
|
||||||
return new P11AEADCipher(token, algorithm, mechanism);
|
return new P11AEADCipher(token, algorithm, mechanism);
|
||||||
@ -4238,6 +4507,63 @@ index 112b639aa96..3e170b4c115 100644
|
|||||||
} else {
|
} else {
|
||||||
return new P11Cipher(token, algorithm, mechanism);
|
return new P11Cipher(token, algorithm, mechanism);
|
||||||
}
|
}
|
||||||
|
@@ -1579,6 +1815,9 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
|
try {
|
||||||
|
session = token.getOpSession();
|
||||||
|
p11.C_Logout(session.id());
|
||||||
|
+ if (systemFipsEnabled) {
|
||||||
|
+ token.fipsLoggedIn = false;
|
||||||
|
+ }
|
||||||
|
if (debug != null) {
|
||||||
|
debug.println("logout succeeded");
|
||||||
|
}
|
||||||
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
|
||||||
|
index 9858a5faedf..e63585486d9 100644
|
||||||
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
|
||||||
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
|
||||||
|
@@ -33,6 +33,7 @@ import java.lang.ref.*;
|
||||||
|
import java.security.*;
|
||||||
|
import javax.security.auth.login.LoginException;
|
||||||
|
|
||||||
|
+import jdk.internal.access.SharedSecrets;
|
||||||
|
import sun.security.jca.JCAUtil;
|
||||||
|
|
||||||
|
import sun.security.pkcs11.wrapper.*;
|
||||||
|
@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
|
||||||
|
*/
|
||||||
|
class Token implements Serializable {
|
||||||
|
|
||||||
|
+ private static final boolean systemFipsEnabled = SharedSecrets
|
||||||
|
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
|
||||||
|
+
|
||||||
|
// need to be serializable to allow SecureRandom to be serialized
|
||||||
|
private static final long serialVersionUID = 2541527649100571747L;
|
||||||
|
|
||||||
|
@@ -114,6 +118,10 @@ class Token implements Serializable {
|
||||||
|
// flag indicating whether we are logged in
|
||||||
|
private volatile boolean loggedIn;
|
||||||
|
|
||||||
|
+ // Flag indicating the login status for the NSS Software Token in FIPS mode.
|
||||||
|
+ // This Token is never asynchronously removed. Used from SunPKCS11.
|
||||||
|
+ volatile boolean fipsLoggedIn;
|
||||||
|
+
|
||||||
|
// time we last checked login status
|
||||||
|
private long lastLoginCheck;
|
||||||
|
|
||||||
|
@@ -232,7 +240,12 @@ class Token implements Serializable {
|
||||||
|
// call provider.login() if not
|
||||||
|
void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException {
|
||||||
|
if (isLoggedIn(session) == false) {
|
||||||
|
- provider.login(null, null);
|
||||||
|
+ if (systemFipsEnabled) {
|
||||||
|
+ provider.login(null, new FIPSTokenLoginHandler());
|
||||||
|
+ fipsLoggedIn = true;
|
||||||
|
+ } else {
|
||||||
|
+ provider.login(null, null);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
|
||||||
index 88ff8a71fc3..47a2f97eddf 100644
|
index 88ff8a71fc3..47a2f97eddf 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
|
||||||
@ -4877,7 +5203,7 @@ index 5c0aacd1a67..5fbf8addcba 100644
|
|||||||
+}
|
+}
|
||||||
}
|
}
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
||||||
index d22844cfba8..9e02958b4b0 100644
|
index 0d65ee26805..38fd4aff1f3 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
||||||
@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
|
@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
|
||||||
@ -4939,7 +5265,7 @@ index d22844cfba8..9e02958b4b0 100644
|
|||||||
+ /* (CKM_NSS + 32) */ = 0xCE534370L;
|
+ /* (CKM_NSS + 32) */ = 0xCE534370L;
|
||||||
}
|
}
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
|
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
|
||||||
index 666c5eb9b3b..5523dafcdb4 100644
|
index d941b574cc7..e2de13648be 100644
|
||||||
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
|
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
|
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
|
||||||
@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
|
@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
|
@ -361,7 +361,7 @@
|
|||||||
# Define IcedTea version used for SystemTap tapsets and desktop file
|
# Define IcedTea version used for SystemTap tapsets and desktop file
|
||||||
%global icedteaver 6.0.0pre00-c848b93a8598
|
%global icedteaver 6.0.0pre00-c848b93a8598
|
||||||
# Define current Git revision for the FIPS support patches
|
# Define current Git revision for the FIPS support patches
|
||||||
%global fipsver 0bd5ca9ccc5
|
%global fipsver 72d08e3226f
|
||||||
|
|
||||||
# Standard JPackage naming and versioning defines
|
# Standard JPackage naming and versioning defines
|
||||||
%global origin openjdk
|
%global origin openjdk
|
||||||
@ -369,7 +369,7 @@
|
|||||||
%global top_level_dir_name %{origin}
|
%global top_level_dir_name %{origin}
|
||||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||||
%global buildver 1
|
%global buildver 1
|
||||||
%global rpmrelease 1
|
%global rpmrelease 2
|
||||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||||
%if %is_system_jdk
|
%if %is_system_jdk
|
||||||
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
||||||
@ -1353,9 +1353,6 @@ Source15: TestSecurityProperties.java
|
|||||||
# Ensure vendor settings are correct
|
# Ensure vendor settings are correct
|
||||||
Source16: CheckVendor.java
|
Source16: CheckVendor.java
|
||||||
|
|
||||||
# nss fips configuration file
|
|
||||||
Source17: nss.fips.cfg.in
|
|
||||||
|
|
||||||
# Ensure translations are available for new timezones
|
# Ensure translations are available for new timezones
|
||||||
Source18: TestTranslations.java
|
Source18: TestTranslations.java
|
||||||
|
|
||||||
@ -1407,6 +1404,9 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
|
|||||||
# Build the systemconf library on all platforms
|
# Build the systemconf library on all platforms
|
||||||
# RH2048582: Support PKCS#12 keystores
|
# RH2048582: Support PKCS#12 keystores
|
||||||
# RH2020290: Support TLS 1.3 in FIPS mode
|
# RH2020290: Support TLS 1.3 in FIPS mode
|
||||||
|
# Add nss.fips.cfg support to OpenJDK tree
|
||||||
|
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
|
||||||
|
# Remove forgotten dead code from RH2020290 and RH2104724
|
||||||
Patch1001: fips-17u-%{fipsver}.patch
|
Patch1001: fips-17u-%{fipsver}.patch
|
||||||
|
|
||||||
#############################################
|
#############################################
|
||||||
@ -1929,9 +1929,6 @@ done
|
|||||||
# Setup nss.cfg
|
# Setup nss.cfg
|
||||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
|
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
|
||||||
|
|
||||||
# Setup nss.fips.cfg
|
|
||||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
# How many CPU's do we have?
|
# How many CPU's do we have?
|
||||||
@ -2066,9 +2063,6 @@ function installjdk() {
|
|||||||
# Install nss.cfg right away as we will be using the JRE above
|
# Install nss.cfg right away as we will be using the JRE above
|
||||||
install -m 644 nss.cfg ${imagepath}/conf/security/
|
install -m 644 nss.cfg ${imagepath}/conf/security/
|
||||||
|
|
||||||
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
|
||||||
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
|
|
||||||
|
|
||||||
# Turn on system security properties
|
# Turn on system security properties
|
||||||
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
|
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
|
||||||
${imagepath}/conf/security/java.security
|
${imagepath}/conf/security/java.security
|
||||||
@ -2678,6 +2672,13 @@ cjc.mainProgram(args)
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Nov 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.1-0.2.ea
|
||||||
|
- Update FIPS support to bring in latest changes
|
||||||
|
- * Add nss.fips.cfg support to OpenJDK tree
|
||||||
|
- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
|
||||||
|
- * Remove forgotten dead code from RH2020290 and RH2104724
|
||||||
|
- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
|
||||||
|
|
||||||
* Wed Nov 09 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.1-0.1.ea
|
* Wed Nov 09 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.1-0.1.ea
|
||||||
- Update to jdk-17.0.6+1
|
- Update to jdk-17.0.6+1
|
||||||
- Update release notes to 17.0.6+1
|
- Update release notes to 17.0.6+1
|
||||||
|
@ -1,8 +0,0 @@
|
|||||||
name = NSS-FIPS
|
|
||||||
nssLibraryDirectory = @NSS_LIBDIR@
|
|
||||||
nssSecmodDirectory = sql:/etc/pki/nssdb
|
|
||||||
nssDbMode = readOnly
|
|
||||||
nssModule = fips
|
|
||||||
|
|
||||||
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user