Commit Graph

63 Commits

Author SHA1 Message Date
Andrew Hughes
1c4a8bc563 Extend the default security policy to accommodate PKCS11 accessing jdk.internal.access.
Resolves: rhbz#1997359
2021-08-30 16:52:43 +01:00
Andrew Hughes
027bbcc4e3 Add patch to login to the NSS software token when in FIPS mode.
Fix unused function compiler warning found in systemconf.c

Resolves: rhbz#1997359
Related: rhbz#1995889
2021-08-28 01:38:47 +01:00
Andrew Hughes
cba3bba79b Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
Resolves: rhbz#1995889
2021-08-27 23:17:20 +01:00
Andrew Hughes
d4c6f7c9b1 Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.

Related: rhbz#1995889
2021-08-27 21:22:49 +01:00
Andrew Hughes
584ffa5a36 Support the FIPS mode crypto policy (RH1655466)
Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
Disable FIPS mode support unless com.redhat.fips is set to "true".
Use appropriate keystore types when in FIPS mode (RH1818909)
Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)

Related: rhbz#1995889
2021-08-27 05:58:02 +01:00
Andrew Hughes
ee6b0f24ba Update to jdk-17+33, including JDWP fix and July 2021 CPU
Resolves: rhbz#1870625
2021-08-26 18:47:16 +01:00
Andrew Hughes
f9155e4763 Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
Remove restriction on disabling product build, as debug packages no longer have javadoc packages.

Resolves: rhbz#1870625
2021-08-26 03:36:42 +01:00
Mohan Boddu
1103501516 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 21:03:49 +00:00
Andrew Hughes
a9c385cc9a Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
It makes the SunPKCS provider show up again

Resolves: rhbz#1870625
2021-07-14 05:44:00 +01:00
Jiri Vanek
2575952df8 Added gating.yaml
Resolves: rhbz#1870625
2021-07-13 17:42:35 +02:00
Severin Gehwolf
f9fcec76c3 Add possibility to disable system crypto policy
Add PR3695 to allow the system crypto policy to be turned off
Re-enable TestSecurityProperties after inclusion of PR3695

Resolves: rhbz#1870625
2021-07-06 03:59:27 +01:00
Andrew Hughes
780eb3f7a9 Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
Update buildjdkver to 17 so as to build with itself

Resolves: rhbz#1870625
2021-06-26 18:34:21 +01:00
Andrew Hughes
913d7c9e5b Import java-17-openjdk
Resolves: rhbz#1870625
2021-06-23 03:08:10 +01:00