332589c5ef
* Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch * RH2023467: Enable FIPS keys export * RH2094027: SunEC runtime permission for FIPS - Update FIPS support to bring in latest changes * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Improve security properties test to check both enabled and disabled behaviour - Run security properties test with property debugging on - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them Related: RHEL-45216
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
import java.util.Properties;
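/**
 * Checks that the security properties seen through {@link Security#getProperty(String)}
 * match what the on-disk configuration says they should be.
 *
 * <p>The expected values are built from the JDK's {@code java.security} file. When the test
 * is invoked with {@code true}, the system crypto-policy file ({@link #POLICY_FILE}) is
 * loaded on top, so its entries replace same-named JDK defaults. When invoked with
 * {@code false}, only the JDK file is used, so a system policy that is applied anyway
 * shows up as a mismatch.
 *
 * <p>Usage: {@code TestSecurityProperties <true|false>}
 */
public class TestSecurityProperties {
    // Location of java.security when java.version does not start with "1.8.0"
    // (the conf/ layout; the constant is named for JDK 11).
    private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
    // Location of java.security on JDK 8.
    private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";

    // System-wide crypto-policy back-end file whose entries override the JDK defaults
    // when system security properties are enabled.
    private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";

    private static final String MSG_PREFIX = "DEBUG: ";

    /**
     * Runs the check and throws on the first property whose runtime value differs
     * from the expected one.
     *
     * @param args a single argument, {@code true} or {@code false} (case-insensitive),
     *             stating whether system security properties are expected to be enabled
     * @throws RuntimeException if a configuration file cannot be read or a property
     *                          value does not match
     */
    public static void main(String[] args) {
        if (args.length == 0) {
            usageAndExit();
        }
        String mode = args[0];
        // Boolean.valueOf() maps every string other than "true" to false, so a typo
        // would silently run the "disabled" variant of the test. Reject it instead.
        if (!"true".equalsIgnoreCase(mode) && !"false".equalsIgnoreCase(mode)) {
            usageAndExit();
        }
        boolean enabled = Boolean.parseBoolean(mode);
        System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);

        Properties expectedProps = new Properties();
        loadProperties(expectedProps);
        if (enabled) {
            // Loaded second so that policy entries replace the JDK defaults.
            loadPolicy(expectedProps);
        }

        for (String name : expectedProps.stringPropertyNames()) {
            String actual = Security.getProperty(name);
            // Security.getProperty() trims the value it returns, whereas Properties.load()
            // keeps trailing whitespace; trim here so both sides are compared alike.
            String expected = expectedProps.getProperty(name).trim();
            // A null runtime value is a mismatch, not a NullPointerException.
            if (actual == null || !actual.equals(expected)) {
                String msg = "Expected value '" + expected + "' for key '" +
                    name + "'" + " but got value '" + actual + "'";
                throw new RuntimeException("Test failed! " + msg);
            }
            System.out.println(MSG_PREFIX + name + " = " + expected + " as expected.");
        }
        System.out.println("TestSecurityProperties PASSED!");
    }

    /** Prints the command-line usage to stderr and exits with status 1. */
    private static void usageAndExit() {
        System.err.println("TestSecurityProperties <true|false>");
        System.err.println("Invoke with 'true' if system security properties should be enabled.");
        System.err.println("Invoke with 'false' if system security properties should be disabled.");
        System.exit(1);
    }

    /**
     * Loads the JDK's own {@code java.security} file into {@code props}, choosing the
     * JDK 8 path when {@code java.version} starts with {@code 1.8.0} and the
     * {@code conf/security} path otherwise.
     *
     * @param props the properties object to populate
     * @throws RuntimeException if the file cannot be read or parsed
     */
    private static void loadProperties(Properties props) {
        String javaVersion = System.getProperty("java.version");
        System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
        String propsFile = javaVersion.startsWith("1.8.0")
            ? JDK_PROPS_FILE_JDK_8
            : JDK_PROPS_FILE_JDK_11;
        try (FileInputStream fin = new FileInputStream(propsFile)) {
            props.load(fin);
        } catch (Exception e) {
            throw new RuntimeException("Test failed!", e);
        }
    }

    /**
     * Loads the system crypto-policy file into {@code props}, replacing any entries
     * already present under the same key.
     *
     * @param props the properties object to update
     * @throws RuntimeException if the policy file cannot be read or parsed
     */
    private static void loadPolicy(Properties props) {
        try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
            props.load(fin);
        } catch (Exception e) {
            throw new RuntimeException("Test failed!", e);
        }
    }
}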