From 5cc23bf61b5dcce0e9813d5fd666576c03ac32bb Mon Sep 17 00:00:00 2001 From: Thomas Fitzsimmons Date: Wed, 5 Nov 2025 19:14:46 -0500 Subject: [PATCH] Add FIPS crypto-policies configuration Resolves: RHEL-128409 --- create-redhat-properties-files.bash | 173 ++++++++++++++++++++++++++++ java-25-openjdk.spec | 24 ++++ 2 files changed, 197 insertions(+) create mode 100644 create-redhat-properties-files.bash
diff --git a/create-redhat-properties-files.bash b/create-redhat-properties-files.bash
new file mode 100644
index 0000000..04d7f31
--- /dev/null
+++ b/create-redhat-properties-files.bash
@@ -0,0 +1,173 @@
+#!/bin/bash
+#
+# Create Red Hat OpenJDK security properties directory hierarchy.
+#
+# Copyright (C) 2025 IBM Corporation. All rights reserved.
+#
+# Written by:
+# Francisco Ferrari Bihurriet
+# Thomas Fitzsimmons
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+# Usage:
+#
+# bash create-redhat-properties-files.bash
+#
+# Example usage in spec file:
+#
+# bash -x create-redhat-properties-files.bash ${imagepath}/conf/security
+#
+# When you make changes to the file set here, also update the %files
+# section in the spec file.
+
+[[ $# == 1 ]] || exit 1
+
+SECURITY="${1}"
+VENDOR="${SECURITY}"/redhat
+install --directory --mode=755 "${VENDOR}"
+install --directory --mode=755 "${VENDOR}"/true
+install --directory --mode=755 "${VENDOR}"/false
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/SunPKCS11-FIPS.cfg
+install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<'EOF'
+name = FIPS
+library = ${java.home}/lib/libnssadapter.so
+slot = 3
+nssUseSecmod = false
+attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
+EOF
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/crypto-policies.properties
+install --mode 644 /dev/stdin "${VENDOR}"/false/crypto-policies.properties <<'EOF'
+# Empty on purpose, for ${redhat.crypto-policies}=false
+EOF
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/crypto-policies.properties
+install --mode 644 /dev/stdin "${VENDOR}"/true/crypto-policies.properties <<'EOF'
+#
+# Apply the system-wide crypto policy
+#
+include /etc/crypto-policies/back-ends/java.config
+
+#
+# Apply the FIPS-specific security properties, if needed
+#
+include ../${__redhat_fips__}/fips.properties
+EOF
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/crypto-policies.properties
+install --mode 644 /dev/stdin "${VENDOR}"/crypto-policies.properties <<'EOF'
+#
+# Default choice for the crypto-policies setup
+#
+include true/crypto-policies.properties
+EOF
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/fips.properties
+install --mode 644 /dev/stdin "${VENDOR}"/false/fips.properties <<'EOF'
+# Empty on purpose, for when FIPS is disabled.
+EOF
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/fips.properties
+install --mode 644 /dev/stdin "${VENDOR}"/true/fips.properties <<'EOF'
+#
+# Enable the downstream-patch RedHatFIPSFilter code
+#
+__redhat_fips_filter__=true
+
+#
+# FIPS mode Security Providers List
+#
+security.provider.1=SunPKCS11 ${java.home}/conf/security/redhat/SunPKCS11-FIPS.cfg
+security.provider.2=SUN
+security.provider.3=SunEC
+security.provider.4=SunJSSE
+security.provider.5=SunJCE
+security.provider.6=SunRsaSign
+security.provider.7=XMLDSig
+security.provider.8=
+# ^ empty on purpose, to finish the Providers List
+
+#
+# FIPS mode default keystore type
+#
+keystore.type=pkcs12
+EOF
+
+# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/fips.properties
+# For now, this prevents an include cycle on JDKs that do not support
+# ${__redhat_fips__}. In the future the goal is for it be overwritten
+# (based on /proc/sys/crypto/fips_enabled) at FIPS configuration time
+# (by fips-mode-setup or by grubby), at RPM install time by a
+# post-install hook, and/or during boot by a systemd oneshot service.
+install --mode 644 /dev/stdin "${VENDOR}"/fips.properties <<'EOF'
+include false/fips.properties
+EOF
+
+cat >> "${SECURITY}"/java.security <<'EOF'
+
+#
+# System-wide crypto-policies and FIPS setup
+#
+# The following crypto-policies setup automatically detects when the system
+# is in FIPS mode and configures OpenJDK accordingly. If OpenJDK needs to
+# ignore the system and disable its FIPS setup, just disable the usage of
+# the system crypto-policies, by any of the methods described below.
+#
+# The redhat.crypto-policies system property is a boolean switch that
+# controls the usage on a per-run basis. For example, pass
+# -Dredhat.crypto-policies=false to disable the system crypto-policies.
+#
+# This setup consists of the following files in $JAVA_HOME/conf/security:
+#
+# 'redhat/false/crypto-policies.properties' (policies usage disabled file)
+# Empty file, applied when the boolean switch is passed as false.
+#
+# 'redhat/true/crypto-policies.properties' (policies usage enabled file)
+# Performs the crypto-policies and FIPS setup, applied when the boolean
+# switch is passed as true.
+#
+# 'redhat/crypto-policies.properties' (policies usage default file)
+# Determines the default choice by including one of the previous files,
+# applied when the boolean switch is not passed.
+# The system crypto-policies usage is enabled by default:
+# include true/crypto-policies.properties
+#
+# To enable or disable the usage of the crypto-policies on a per-deployment
+# basis, edit the policies usage default file, changing the included file.
+# For example, execute the following command to persistently disable the
+# crypto-policies:
+# sed -i s/true/false/ $JAVA_HOME/conf/security/redhat/crypto-policies.properties
+# Applications can still override this on a per-run basis, for example by
+# passing -Dredhat.crypto-policies=true.
+#
+# To disable the redhat.crypto-policies boolean switch, modify the following
+# include directive as follows. Replace ${redhat.crypto-policies} by true to
+# force-apply the system crypto-policies:
+# include redhat/true/crypto-policies.properties
+# Remove or comment out the include directive to force-disable the setup:
+# #include redhat/${redhat.crypto-policies}/crypto-policies.properties
+#
+include redhat/${redhat.crypto-policies}/crypto-policies.properties
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+# WARNING: anything placed after this include directive will apply on top
+# of the described setup. Adding properties below this section is strongly
+# discouraged, as it poses a risk of overriding the system crypto-policies
+# or invalidating the FIPS deployment.
+EOF
+
+# Local Variables:
+# compile-command: "shellcheck create-redhat-properties-files.bash"
+# End:
diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec
index b8e7147..e17f97f 100644
--- a/java-25-openjdk.spec
+++ b/java-25-openjdk.spec
@@ -907,6 +907,22 @@ fi
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy
 %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
+%dir %{etcjavadir -- %{?1}}/conf/security/redhat
+%dir %{etcjavadir -- %{?1}}/conf/security/redhat/false
+%dir %{etcjavadir -- %{?1}}/conf/security/redhat/true
+# config-noreplace in case the system administrator wants to adjust
+# the FIPS configuration
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/redhat/SunPKCS11-FIPS.cfg
+# config-noreplace in case the system administrator wants to change
+# the default for crypto-policies usage
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/redhat/crypto-policies.properties
+# The system administrator is never expected to change these files -- they
+# are implementation details -- so leave them as not config-noreplace
+%config %{etcjavadir -- %{?1}}/conf/security/redhat/false/crypto-policies.properties
+%config %{etcjavadir -- %{?1}}/conf/security/redhat/true/crypto-policies.properties
+%config %{etcjavadir -- %{?1}}/conf/security/redhat/fips.properties
+%config %{etcjavadir -- %{?1}}/conf/security/redhat/false/fips.properties
+%config %{etcjavadir -- %{?1}}/conf/security/redhat/true/fips.properties
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
 # This is a config template, thus not config-noreplace
 %config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
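Review bot: The new script never enables `set -e`, so a failed `install` of any of the redhat/ files is ignored and the script still exits 0 as long as the final `cat >> "${SECURITY}"/java.security` succeeds, which can produce an image whose java.security includes `redhat/${redhat.crypto-policies}/crypto-policies.properties` while some of the included files are missing; the `bash -x %{SOURCE32} ${imagepath}/conf/security` call added to customisejdk later in this patch relies on that exit status alone. Adding `set -euo pipefail` directly after the `#!/bin/bash` line makes every install failure fatal for the build, and ShellCheck (the compile-command at the end of the file) will not flag its absence. The `[[ $# == 1 ]] || exit 1` guard could also print a one-line usage message to stderr, e.g. `printf 'usage: %s <conf/security dir>\n' "${0##*/}" >&2`, so a build log shows why it stopped. Note too that the `cat >>` append is not idempotent: running the script twice on the same tree adds the include block a second time.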
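Review bot: `redhat/fips.properties` is packaged as plain `%config`, yet the comment above it in the script says the file is intended to be overwritten at FIPS configuration time (fips-mode-setup, grubby, a post-install hook or a boot-time service). With plain `%config`, rpm replaces a locally modified file whenever the packaged content changes between releases (keeping the old one as .rpmsave), so a host that such a hook had switched to `include true/fips.properties` would revert to `include false/fips.properties` on that upgrade until the hook runs again, silently dropping the FIPS provider list. The "never expected to change" comment should say who is expected to rewrite this file and that the rewrite must re-run after upgrades, or the file should move to `%config(noreplace)` together with the other administrator-facing files once that mechanism exists; this is an inference from the two comments, so the intended owner of the file should confirm.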
@@ -1361,6 +1377,8 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch # FIPS support sources. # For libnssadapter.so (RHEL-128413) Source31: https://github.com/rh-openjdk/nss-native-fips-key-import-export-adapter/releases/download/%{nssadapter_version}/nssadapter-%{nssadapter_version}.tar.xz +# Create OpenJDK's crypto-policies hierarchy (RHEL-128409) +Source32: create-redhat-properties-files.bash # Setup variables to reference correct sources %global releasezip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz @@ -1967,6 +1985,10 @@ function customisejdk() { sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ ${imagepath}/conf/security/java.security + # Install crypto-policies FIPS configuration files and append + # include line to java.security + bash -x %{SOURCE32} ${imagepath}/conf/security + # Use system-wide tzdata rm ${imagepath}/lib/tzdb.dat ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat @@ -2576,7 +2598,9 @@ exit 0 %changelog * Mon Nov 24 2025 Thomas Fitzsimmons - 1:25.0.1.0.8-3 - Add libnssadapter.so +- Add FIPS crypto-policies configuration - Resolves: RHEL-128413 +- Resolves: RHEL-128409 * Wed Nov 12 2025 Andrew Hughes - 1:25.0.1.0.8-2 - Remove superfluous backslashes that cause two alternative commands to be combined