174 lines
6.4 KiB
Bash
174 lines
6.4 KiB
Bash
#!/bin/bash
|
|
#
|
|
# Create Red Hat OpenJDK security properties directory hierarchy.
|
|
#
|
|
# Copyright (C) 2025 IBM Corporation. All rights reserved.
|
|
#
|
|
# Written by:
|
|
# Francisco Ferrari Bihurriet <fferrari@redhat.com>
|
|
# Thomas Fitzsimmons <fitzsim@redhat.com>
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, either version 3 of the
|
|
# License, or (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
# Usage:
|
|
#
|
|
# bash create-redhat-properties-files.bash <target directory>
|
|
#
|
|
# Example usage in spec file:
|
|
#
|
|
# bash -x create-redhat-properties-files.bash ${imagepath}/conf/security
|
|
#
|
|
# When you make changes to the file set here, also update the %files
|
|
# section in the spec file.
|
|
|
|
[[ $# == 1 ]] || exit 1
|
|
|
|
SECURITY="${1}"
|
|
VENDOR="${SECURITY}"/redhat
|
|
install --directory --mode=755 "${VENDOR}"
|
|
install --directory --mode=755 "${VENDOR}"/true
|
|
install --directory --mode=755 "${VENDOR}"/false
|
|
|
|
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/SunPKCS11-FIPS.cfg
|
|
install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<'EOF'
|
|
name = FIPS
|
|
library = ${java.home}/lib/libnssadapter.so
|
|
slot = 3
|
|
nssUseSecmod = false
|
|
attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
|
|
EOF
|
|
|
|
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/crypto-policies.properties
|
|
install --mode 644 /dev/stdin "${VENDOR}"/false/crypto-policies.properties <<'EOF'
|
|
# Empty on purpose, for ${redhat.crypto-policies}=false
|
|
EOF
|
|
|
|
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/crypto-policies.properties
|
|
install --mode 644 /dev/stdin "${VENDOR}"/true/crypto-policies.properties <<'EOF'
|
|
#
|
|
# Apply the system-wide crypto policy
|
|
#
|
|
include /etc/crypto-policies/back-ends/java.config
|
|
|
|
#
|
|
# Apply the FIPS-specific security properties, if needed
|
|
#
|
|
include ../${__redhat_fips__}/fips.properties
|
|
EOF
|
|
|
|
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/crypto-policies.properties
|
|
install --mode 644 /dev/stdin "${VENDOR}"/crypto-policies.properties <<'EOF'
|
|
#
|
|
# Default choice for the crypto-policies setup
|
|
#
|
|
include true/crypto-policies.properties
|
|
EOF
|
|
|
|
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/fips.properties
|
|
install --mode 644 /dev/stdin "${VENDOR}"/false/fips.properties <<'EOF'
|
|
# Empty on purpose, for when FIPS is disabled.
|
|
EOF
|
|
|
|
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/fips.properties
|
|
install --mode 644 /dev/stdin "${VENDOR}"/true/fips.properties <<'EOF'
|
|
#
|
|
# Enable the downstream-patch RedHatFIPSFilter code
|
|
#
|
|
__redhat_fips_filter__=true
|
|
|
|
#
|
|
# FIPS mode Security Providers List
|
|
#
|
|
security.provider.1=SunPKCS11 ${java.home}/conf/security/redhat/SunPKCS11-FIPS.cfg
|
|
security.provider.2=SUN
|
|
security.provider.3=SunEC
|
|
security.provider.4=SunJSSE
|
|
security.provider.5=SunJCE
|
|
security.provider.6=SunRsaSign
|
|
security.provider.7=XMLDSig
|
|
security.provider.8=
|
|
# ^ empty on purpose, to finish the Providers List
|
|
|
|
#
|
|
# FIPS mode default keystore type
|
|
#
|
|
keystore.type=pkcs12
|
|
EOF
|
|
|
|
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/fips.properties
|
|
# For now, this prevents an include cycle on JDKs that do not support
|
|
# ${__redhat_fips__}. In the future the goal is for it be overwritten
|
|
# (based on /proc/sys/crypto/fips_enabled) at FIPS configuration time
|
|
# (by fips-mode-setup or by grubby), at RPM install time by a
|
|
# post-install hook, and/or during boot by a systemd oneshot service.
|
|
install --mode 644 /dev/stdin "${VENDOR}"/fips.properties <<'EOF'
|
|
include false/fips.properties
|
|
EOF
|
|
|
|
cat >> "${SECURITY}"/java.security <<'EOF'
|
|
|
|
#
|
|
# System-wide crypto-policies and FIPS setup
|
|
#
|
|
# The following crypto-policies setup automatically detects when the system
|
|
# is in FIPS mode and configures OpenJDK accordingly. If OpenJDK needs to
|
|
# ignore the system and disable its FIPS setup, just disable the usage of
|
|
# the system crypto-policies, by any of the methods described below.
|
|
#
|
|
# The redhat.crypto-policies system property is a boolean switch that
|
|
# controls the usage on a per-run basis. For example, pass
|
|
# -Dredhat.crypto-policies=false to disable the system crypto-policies.
|
|
#
|
|
# This setup consists of the following files in $JAVA_HOME/conf/security:
|
|
#
|
|
# 'redhat/false/crypto-policies.properties' (policies usage disabled file)
|
|
# Empty file, applied when the boolean switch is passed as false.
|
|
#
|
|
# 'redhat/true/crypto-policies.properties' (policies usage enabled file)
|
|
# Performs the crypto-policies and FIPS setup, applied when the boolean
|
|
# switch is passed as true.
|
|
#
|
|
# 'redhat/crypto-policies.properties' (policies usage default file)
|
|
# Determines the default choice by including one of the previous files,
|
|
# applied when the boolean switch is not passed.
|
|
# The system crypto-policies usage is enabled by default:
|
|
# include true/crypto-policies.properties
|
|
#
|
|
# To enable or disable the usage of the crypto-policies on a per-deployment
|
|
# basis, edit the policies usage default file, changing the included file.
|
|
# For example, execute the following command to persistently disable the
|
|
# crypto-policies:
|
|
# sed -i s/true/false/ $JAVA_HOME/conf/security/redhat/crypto-policies.properties
|
|
# Applications can still override this on a per-run basis, for example by
|
|
# passing -Dredhat.crypto-policies=true.
|
|
#
|
|
# To disable the redhat.crypto-policies boolean switch, modify the following
|
|
# include directive as follows. Replace ${redhat.crypto-policies} by true to
|
|
# force-apply the system crypto-policies:
|
|
# include redhat/true/crypto-policies.properties
|
|
# Remove or comment out the include directive to force-disable the setup:
|
|
# #include redhat/${redhat.crypto-policies}/crypto-policies.properties
|
|
#
|
|
include redhat/${redhat.crypto-policies}/crypto-policies.properties
|
|
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
# WARNING: anything placed after this include directive will apply on top
|
|
# of the described setup. Adding properties below this section is strongly
|
|
# discouraged, as it poses a risk of overriding the system crypto-policies
|
|
# or invalidating the FIPS deployment.
|
|
EOF
|
|
|
|
# Local Variables:
|
|
# compile-command: "shellcheck create-redhat-properties-files.bash"
|
|
# End:
|