From b87969b5b65aab66e51580a8736158e4b1fc6bdf Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Tue, 3 Mar 2026 00:28:23 +0000 Subject: [PATCH] Update FIPS patch to e55ada9353e to include the fix for the too restrictive provider lockdown - Fix FIPS issue list to represent the new 25u version Resolves: RHEL-155000 --- ...414ef4.patch => fips-25u-e55ada9353e.patch | 17 +++---- java-25-openjdk.spec | 45 +++++-------------- 2 files changed, 17 insertions(+), 45 deletions(-) rename fips-25u-df044414ef4.patch => fips-25u-e55ada9353e.patch (87%) diff --git a/fips-25u-df044414ef4.patch b/fips-25u-e55ada9353e.patch similarity index 87% rename from fips-25u-df044414ef4.patch rename to fips-25u-e55ada9353e.patch index 8b210e6..69e2dad 100644 --- a/fips-25u-df044414ef4.patch +++ b/fips-25u-e55ada9353e.patch @@ -1,8 +1,8 @@ diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java -index de2845fb550..b1e416b90f4 100644 +index de2845fb550..60eeab678ca 100644 --- a/src/java.base/share/classes/java/security/Provider.java +++ b/src/java.base/share/classes/java/security/Provider.java -@@ -1203,6 +1203,39 @@ public Set getServices() { +@@ -1203,6 +1203,34 @@ public Service getService(String type, String algorithm) { return serviceSet; } @@ -10,9 +10,7 @@ index de2845fb550..b1e416b90f4 100644 + private static final class RedHatFIPSFilter { + static final boolean IS_ON = Boolean.parseBoolean( + Security.getProperty("__redhat_fips_filter__")); -+ private static final Set ANY_SERVICE_TYPE = Set.of(); + private static final Map> ALLOW_LIST = Map.of( -+ "SunPKCS11-FIPS", ANY_SERVICE_TYPE, + "SUN", Set.of( + "AlgorithmParameterGenerator", + "AlgorithmParameters", "CertificateFactory", 
@@ -20,21 +18,18 @@ index de2845fb550..b1e416b90f4 100644
 + "Configuration", "KeyStore"),
 + "SunEC", Set.of(
 + "AlgorithmParameters", "KeyFactory"),
-+ "SunJSSE", ANY_SERVICE_TYPE,
 + "SunJCE", Set.of(
 + "AlgorithmParameters",
 + "AlgorithmParameterGenerator", "KeyFactory",
 + "SecretKeyFactory"),
 + "SunRsaSign", Set.of(
-+ "KeyFactory", "AlgorithmParameters"),
-+ "XMLDSig", ANY_SERVICE_TYPE
++ "KeyFactory", "AlgorithmParameters")
 + );
 +
 + static boolean isAllowed(String provName, String serviceType) {
 + Set allowedServiceTypes = ALLOW_LIST.get(provName);
-+ return allowedServiceTypes != null &&
-+ (allowedServiceTypes == ANY_SERVICE_TYPE ||
-+ allowedServiceTypes.contains(serviceType));
++ return allowedServiceTypes == null ||
++ allowedServiceTypes.contains(serviceType);
 + }
 + }
 + /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
@@ -42,7 +37,7 @@ index de2845fb550..b1e416b90f4 100644
 /**
 * Add a service. If a service of the same type with the same algorithm
 * name exists, and it was added using {@link #putService putService()},
-@@ -1231,6 +1264,15 @@ protected void putService(Service s) {
+@@ -1231,6 +1259,15 @@ protected void putService(Service s) {
 ("service.getProvider() must match this Provider object");
 }
 String type = s.getType();
diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec
index d020ab5..6cd1389 100644
--- a/java-25-openjdk.spec
+++ b/java-25-openjdk.spec
@@ -322,7 +322,7 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver 6.0.0pre00-c848b93a8598
 # Define current Git revision for the crypto policy & FIPS support patches
-%global fipsver df044414ef4
+%global fipsver e55ada9353e
 # Define nssadapter variables
 %global nssadapter_version 0.1.0
 %global nssadapter_name nssadapter-%{nssadapter_version}
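Review bot: With the new `isAllowed` body, a provider whose name is absent from `ALLOW_LIST` is now fully permitted (`allowedServiceTypes == null` yields true), so the map no longer enumerates what is allowed but which providers are restricted, and the name `ALLOW_LIST` now reads inverted; the same applies to the declaration in the earlier hunk (`@@ -10,9 +10,7 @@`), where the `SunPKCS11-FIPS` and `ANY_SERVICE_TYPE` entries were dropped in favour of this null case. Consider renaming it (for example `RESTRICTED_SERVICE_TYPES`) or placing a comment above it such as `// Providers not listed here are unrestricted; a listed provider only exposes the service types given.` The null case also covers any provider name not in the map, not only the JDK-bundled ones, so if the lockdown is meant to constrain just the built-in non-FIPS providers that intent is worth stating in the same comment. The enclosing `Provider` class starts and ends outside the hunk.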
@@ -349,9 +349,9 @@
 %global top_level_dir_name %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver 10
-%global rpmrelease 2
+%global rpmrelease 3
 # Settings used by the portable build
-%global portablerelease 2
+%global portablerelease 3
 # Portable suffix differs between RHEL and CentOS
 %if 0%{?centos} == 0
 %global portablerhel %{?pkgos:7_9}%{!?pkgos:8}
@@ -1371,37 +1371,9 @@ Source32: create-redhat-properties-files.bash # as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: -# PR3183, RH1340845: Follow system wide crypto policy -# PR3695: Allow use of system crypto policy to be disabled by the user -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess -# RH1929465: Improve system FIPS detection -# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers -# RH1996182: Login to the NSS software token in FIPS mode -# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false -# RH2021263: Resolve outstanding FIPS issues -# RH2052819: Fix FIPS reliance on crypto policies -# RH2052829: Detect NSS at Runtime for FIPS detection -# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode -# RH2023467: Enable FIPS keys export -# RH2094027: SunEC runtime permission for FIPS -# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage -# RH2090378: Revert to disabling system security properties and FIPS mode support together -# RH2104724: Avoid import/export of DH private keys -# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode -# Build the systemconf library on all platforms -# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream] -# RH2020290: Support TLS 1.3 in FIPS mode -# Add nss.fips.cfg support to OpenJDK tree -# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode -# Remove forgotten dead code from RH2020290 and RH2104724 -# OJ1357: Fix issue on FIPS with a SecurityManager in place -# RH2134669: Add 
missing attributes when registering services in FIPS mode. -# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class -# RH1940064: Enable XML Signature provider in FIPS mode -# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +# OPENJDK-2108: Internal __redhat_fips__ property +# OPENJDK-2123: Algorithms lockdown +# OPENJDK-4559: Red Hat Build of OpenJDK 25 should not restrict all the providers in FIPS Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# @@ -2629,6 +2601,11 @@ exit 0 %endif %changelog +* Tue Mar 03 2026 Andrew Hughes - 1:25.0.2.0.10-3 +- Update FIPS patch to e55ada9353e to include the fix for the too restrictive provider lockdown +- Fix FIPS issue list to represent the new 25u version +- Resolves: RHEL-155000 + * Wed Feb 18 2026 Andrew Hughes - 1:25.0.2.0.10-2 - Bump rpmrelease for CentOS build - Related: RHEL-139579