Add FIPS crypto-policies configuration

Resolves: RHEL-128409
2025-11-05 19:14:46 -05:00 · 2025-11-05 19:14:46 -05:00 · 5cc23bf61b
commit 5cc23bf61b
parent 4ae3f47a90
2 changed files with 197 additions and 0 deletions
--- a/create-redhat-properties-files.bash
+++ b/create-redhat-properties-files.bash
@ -0,0 +1,173 @@
+#!/bin/bash
+#
+# Create Red Hat OpenJDK security properties directory hierarchy.
+#
+# Copyright (C) 2025 IBM Corporation. All rights reserved.
+#
+# Written by:
+#     Francisco Ferrari Bihurriet <fferrari@redhat.com>
+#     Thomas Fitzsimmons <fitzsim@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# Usage:
+#
+# bash create-redhat-properties-files.bash <target directory>
+#
+# Example usage in spec file:
+#
+# bash -x create-redhat-properties-files.bash ${imagepath}/conf/security
+#
+# When you make changes to the file set here, also update the %files
+# section in the spec file.
+
+[[ $# == 1 ]] || exit 1
+
+SECURITY="${1}"
+VENDOR="${SECURITY}"/redhat
+install --directory --mode=755 "${VENDOR}"
+install --directory --mode=755 "${VENDOR}"/true
+install --directory --mode=755 "${VENDOR}"/false
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/SunPKCS11-FIPS.cfg
+install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<'EOF'
+name = FIPS
+library = ${java.home}/lib/libnssadapter.so
+slot = 3
+nssUseSecmod = false
+attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
+EOF
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/crypto-policies.properties
+install --mode 644 /dev/stdin "${VENDOR}"/false/crypto-policies.properties <<'EOF'
+# Empty on purpose, for ${redhat.crypto-policies}=false
+EOF
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/crypto-policies.properties
+install --mode 644 /dev/stdin "${VENDOR}"/true/crypto-policies.properties <<'EOF'
+#
+# Apply the system-wide crypto policy
+#
+include /etc/crypto-policies/back-ends/java.config
+
+#
+# Apply the FIPS-specific security properties, if needed
+#
+include ../${__redhat_fips__}/fips.properties
+EOF
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/crypto-policies.properties
+install --mode 644 /dev/stdin "${VENDOR}"/crypto-policies.properties <<'EOF'
+#
+# Default choice for the crypto-policies setup
+#
+include true/crypto-policies.properties
+EOF
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/fips.properties
+install --mode 644 /dev/stdin "${VENDOR}"/false/fips.properties <<'EOF'
+# Empty on purpose, for when FIPS is disabled.
+EOF
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/fips.properties
+install --mode 644 /dev/stdin "${VENDOR}"/true/fips.properties <<'EOF'
+#
+# Enable the downstream-patch RedHatFIPSFilter code
+#
+__redhat_fips_filter__=true
+
+#
+# FIPS mode Security Providers List
+#
+security.provider.1=SunPKCS11 ${java.home}/conf/security/redhat/SunPKCS11-FIPS.cfg
+security.provider.2=SUN
+security.provider.3=SunEC
+security.provider.4=SunJSSE
+security.provider.5=SunJCE
+security.provider.6=SunRsaSign
+security.provider.7=XMLDSig
+security.provider.8=
+#                   ^ empty on purpose, to finish the Providers List
+
+#
+# FIPS mode default keystore type
+#
+keystore.type=pkcs12
+EOF
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/fips.properties
+# For now, this prevents an include cycle on JDKs that do not support
+# ${__redhat_fips__}.  In the future the goal is for it be overwritten
+# (based on /proc/sys/crypto/fips_enabled) at FIPS configuration time
+# (by fips-mode-setup or by grubby), at RPM install time by a
+# post-install hook, and/or during boot by a systemd oneshot service.
+install --mode 644 /dev/stdin "${VENDOR}"/fips.properties <<'EOF'
+include false/fips.properties
+EOF
+
+cat >> "${SECURITY}"/java.security <<'EOF'
+
+#
+# System-wide crypto-policies and FIPS setup
+#
+# The following crypto-policies setup automatically detects when the system
+# is in FIPS mode and configures OpenJDK accordingly. If OpenJDK needs to
+# ignore the system and disable its FIPS setup, just disable the usage of
+# the system crypto-policies, by any of the methods described below.
+#
+# The redhat.crypto-policies system property is a boolean switch that
+# controls the usage on a per-run basis. For example, pass
+# -Dredhat.crypto-policies=false to disable the system crypto-policies.
+#
+# This setup consists of the following files in $JAVA_HOME/conf/security:
+#
+#   'redhat/false/crypto-policies.properties' (policies usage disabled file)
+#      Empty file, applied when the boolean switch is passed as false.
+#
+#   'redhat/true/crypto-policies.properties' (policies usage enabled file)
+#      Performs the crypto-policies and FIPS setup, applied when the boolean
+#      switch is passed as true.
+#
+#   'redhat/crypto-policies.properties' (policies usage default file)
+#      Determines the default choice by including one of the previous files,
+#      applied when the boolean switch is not passed.
+#      The system crypto-policies usage is enabled by default:
+#        include true/crypto-policies.properties
+#
+# To enable or disable the usage of the crypto-policies on a per-deployment
+# basis, edit the policies usage default file, changing the included file.
+# For example, execute the following command to persistently disable the
+# crypto-policies:
+#   sed -i s/true/false/ $JAVA_HOME/conf/security/redhat/crypto-policies.properties
+# Applications can still override this on a per-run basis, for example by
+# passing -Dredhat.crypto-policies=true.
+#
+# To disable the redhat.crypto-policies boolean switch, modify the following
+# include directive as follows. Replace ${redhat.crypto-policies} by true to
+# force-apply the system crypto-policies:
+#   include redhat/true/crypto-policies.properties
+# Remove or comment out the include directive to force-disable the setup:
+#   #include redhat/${redhat.crypto-policies}/crypto-policies.properties
+#
+include redhat/${redhat.crypto-policies}/crypto-policies.properties
+#       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+# WARNING: anything placed after this include directive will apply on top
+# of the described setup. Adding properties below this section is strongly
+# discouraged, as it poses a risk of overriding the system crypto-policies
+# or invalidating the FIPS deployment.
+EOF
+
+# Local Variables:
+# compile-command: "shellcheck create-redhat-properties-files.bash"
+# End:
--- a/java-25-openjdk.spec
+++ b/java-25-openjdk.spec
@ -907,6 +907,22 @@ fi
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy
 %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
+%dir %{etcjavadir -- %{?1}}/conf/security/redhat
+%dir %{etcjavadir -- %{?1}}/conf/security/redhat/false
+%dir %{etcjavadir -- %{?1}}/conf/security/redhat/true
+# config-noreplace in case the system administrator wants to adjust
+# the FIPS configuration
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/redhat/SunPKCS11-FIPS.cfg
+# config-noreplace in case the system administrator wants to change
+# the default for crypto-policies usage
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/redhat/crypto-policies.properties
+# The system administrator is never expected to change these files -- they
+# are implementation details -- so leave them as not config-noreplace
+%config %{etcjavadir -- %{?1}}/conf/security/redhat/false/crypto-policies.properties
+%config %{etcjavadir -- %{?1}}/conf/security/redhat/true/crypto-policies.properties
+%config %{etcjavadir -- %{?1}}/conf/security/redhat/fips.properties
+%config %{etcjavadir -- %{?1}}/conf/security/redhat/false/fips.properties
+%config %{etcjavadir -- %{?1}}/conf/security/redhat/true/fips.properties
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
 # This is a config template, thus not config-noreplace
 %config  %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
@ -1361,6 +1377,8 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch
 # FIPS support sources.
 # For libnssadapter.so (RHEL-128413)
 Source31: https://github.com/rh-openjdk/nss-native-fips-key-import-export-adapter/releases/download/%{nssadapter_version}/nssadapter-%{nssadapter_version}.tar.xz
+# Create OpenJDK's crypto-policies hierarchy (RHEL-128409)
+Source32: create-redhat-properties-files.bash

 # Setup variables to reference correct sources
 %global releasezip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz
@ -1967,6 +1985,10 @@ function customisejdk() {
        sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
            ${imagepath}/conf/security/java.security

+        # Install crypto-policies FIPS configuration files and append
+        # include line to java.security
+        bash -x %{SOURCE32} ${imagepath}/conf/security
+
        # Use system-wide tzdata
        rm ${imagepath}/lib/tzdb.dat
        ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
@ -2576,7 +2598,9 @@ exit 0
 %changelog
 * Mon Nov 24 2025 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:25.0.1.0.8-3
 - Add libnssadapter.so
+- Add FIPS crypto-policies configuration
 - Resolves: RHEL-128413
+- Resolves: RHEL-128409

 * Wed Nov 12 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-2
 - Remove superfluous backslashes that cause two alternative commands to be combined