diff --git a/.gitignore b/.gitignore index d0b6103..21401bd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-jdk11u-jdk-11.0.20+8-4curve.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz +SOURCES/openjdk-jdk11u-jdk-11.0.21+9.tar.xz diff --git a/.java-11-openjdk-portable.metadata b/.java-11-openjdk-portable.metadata new file mode 100644 index 0000000..04d41e5 --- /dev/null +++ b/.java-11-openjdk-portable.metadata @@ -0,0 +1,2 @@ +c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz +ddc652d12c849ca56ef68be500ec71bfe88a5a29 SOURCES/openjdk-jdk11u-jdk-11.0.21+9.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata deleted file mode 100644 index 58dbe67..0000000 --- a/.java-11-openjdk.metadata +++ /dev/null @@ -1,2 +0,0 @@ -27b1851203504050481d9a2c7b07a3bc39f23908 SOURCES/openjdk-jdk11u-jdk-11.0.20+8-4curve.tar.xz -c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/fips-11u-f93a863b56.patch b/SOURCES/fips-11u-f93a863b56.patch new file mode 100644 index 0000000..3690cb8 --- /dev/null +++ b/SOURCES/fips-11u-f93a863b56.patch @@ -0,0 +1,1616 @@ +diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 +index 16e906bdc6..1a352e5a32 100644 +--- a/make/autoconf/libraries.m4 ++++ b/make/autoconf/libraries.m4 +@@ -101,6 +101,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_LIBFFI + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS ++ LIB_SETUP_SYSCONF_LIBS + LIB_SETUP_SOLARIS_STLPORT + LIB_TESTS_SETUP_GRAALUNIT + +@@ -223,3 +224,62 @@ AC_DEFUN_ONCE([LIB_SETUP_SOLARIS_STLPORT], + fi + ]) + ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in +index 3787b12600..dab108a82b 100644 +--- a/make/autoconf/spec.gmk.in ++++ b/make/autoconf/spec.gmk.in +@@ -848,6 +848,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk +index b40d3114b9..0d1d83cf3e 100644 +--- a/make/lib/Lib-java.base.gmk ++++ b/make/lib/Lib-java.base.gmk +@@ -178,6 +178,31 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++ifeq ($(OPENJDK_BUILD_OS), linux) ++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++ )) ++ ++ TARGETS += $(BUILD_LIBSYSTEMCONF) ++endif ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git a/make/nb_native/nbproject/configurations.xml b/make/nb_native/nbproject/configurations.xml +index fb07d54c1f..c5813e2b7a 100644 +--- a/make/nb_native/nbproject/configurations.xml ++++ b/make/nb_native/nbproject/configurations.xml +@@ -2950,6 +2950,9 @@ + LinuxWatchService.c + + ++ ++ systemconf.c ++ + + + +@@ -29301,6 +29304,11 @@ + tool="0" + flavor2="0"> + ++ ++ + ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +index 5b9552058b..b46de49211 100644 +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -32,6 +32,7 @@ import java.net.URL; + + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.misc.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -47,6 +48,9 @@ import sun.security.jca.*; + * implementation-specific location, which is typically the properties file + * {@code conf/security/java.security} in the Java installation directory. + * ++ *

Additional default values of security properties are read from a ++ * system-specific location, if available.

++ * + * @implNote If the properties file fails to load, the JDK implementation will + * throw an unspecified error when initializing the {@code Security} class. + * +@@ -56,6 +60,11 @@ import sun.security.jca.*; + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -70,6 +79,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -85,6 +107,7 @@ public final class Security { + private static void initialize() { + props = new Properties(); + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -105,9 +128,63 @@ public final class Security { + } + loadProps(null, extraPropFile, overrideAll); + } ++ ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ if (systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } + } + +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { +diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 0000000000..49bf17ea17 +--- /dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,231 @@ ++/* ++ * Copyright (c) 2019, 2023, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws Exception { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +diff --git a/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 0000000000..21bc6d0b59 +--- /dev/null ++++ b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.misc; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +index 688ec9f091..8489b940c4 100644 +--- a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java ++++ b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +@@ -36,6 +36,7 @@ import java.io.FilePermission; + import java.io.ObjectInputStream; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -76,6 +77,7 @@ public class SharedSecrets { + private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; + private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static JavaUtilJarAccess javaUtilJarAccess() { + if (javaUtilJarAccess == null) { +@@ -361,4 +363,15 @@ public class SharedSecrets { + } + return javaxCryptoSealedObjectAccess; + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ unsafe.ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java +index 7351627db3..859591890d 100644 +--- a/src/java.base/share/classes/module-info.java ++++ b/src/java.base/share/classes/module-info.java +@@ -182,6 +182,7 @@ module java.base { + java.security.jgss, + java.sql, + java.xml, ++ jdk.crypto.cryptoki, + jdk.jartool, + jdk.attach, + jdk.charsets, +diff --git a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +index ffee2c1603..ff3d5e0e4a 100644 +--- a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java ++++ b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +@@ -33,8 +33,13 @@ import java.security.KeyStore.*; + + import javax.net.ssl.*; + ++import jdk.internal.misc.SharedSecrets; ++ + abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + X509ExtendedKeyManager keyManager; + boolean isInitialized; + +@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + KeyStoreException, NoSuchAlgorithmException, + UnrecoverableKeyException { + if ((ks != null) && SunJSSE.isFIPS()) { +- if (ks.getProvider() != SunJSSE.cryptoProvider) { ++ if (ks.getProvider() != SunJSSE.cryptoProvider && ++ !plainKeySupportEnabled) { + throw new KeyStoreException("FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); + } +@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + keyManager = new X509KeyManagerImpl( + Collections.emptyList()); + } else { +- if (SunJSSE.isFIPS() && +- (ks.getProvider() != SunJSSE.cryptoProvider)) { ++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) ++ && !plainKeySupportEnabled) { + throw new KeyStoreException( + "FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); +diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +index e06b2a588c..315a2ce370 100644 +--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java ++++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.cert.*; + import java.util.*; + import javax.net.ssl.*; ++import jdk.internal.misc.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -542,20 +543,38 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static { + if (SunJSSE.isFIPS()) { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- ); +- +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, +@@ -910,12 +929,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { + if (client) { + // default client protocols + if (SunJSSE.isFIPS()) { +- candidates = new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }; ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } else { ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + } else { + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS13, +@@ -927,12 +957,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { + } else { + // default server protocols + if (SunJSSE.isFIPS()) { +- candidates = new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }; ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } else { ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + } else { + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS13, +diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +index 2a2b5d7568..891796f19b 100644 +--- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java ++++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +@@ -27,6 +27,8 @@ package sun.security.ssl; + + import java.security.*; + import java.util.*; ++ ++import jdk.internal.misc.SharedSecrets; + import sun.security.rsa.SunRsaSignEntries; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.util.SecurityProviderConstants.*; +@@ -195,8 +197,13 @@ public abstract class SunJSSE extends java.security.Provider { + "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); + ps("SSLContext", "TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); +- ps("SSLContext", "TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ ps("SSLContext", "TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ } + ps("SSLContext", "TLS", + "sun.security.ssl.SSLContextImpl$TLSContext", + (isfips? null : List.of("SSL")), null); +diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security +index c0eed3f884..b03bd9f896 100644 +--- a/src/java.base/share/conf/security/java.security ++++ b/src/java.base/share/conf/security/java.security +@@ -88,6 +88,14 @@ security.provider.tbd=Apple + security.provider.tbd=SunPKCS11 + #endif + ++# ++# Security providers used when FIPS mode support is active ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++ + # + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. +@@ -301,6 +309,11 @@ policy.ignoreIdentityScope=false + # + keystore.type=pkcs12 + ++# ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=PKCS11 ++ + # + # Controls compatibility mode for JKS and PKCS12 keystore types. + # +@@ -338,6 +351,13 @@ package.definition=sun.misc.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 0000000000..b848a1fd78 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,290 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.spec.DHPrivateKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static P11Key importerKey = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ private static CK_MECHANISM importerKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ ++ private static Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_DH) { ++ if (debug != null) { ++ debug.println("Importing a Diffie-Hellman private key..."); ++ } ++ if (DHKF == null) { ++ DHKFLock.lock(); ++ try { ++ if (DHKF == null) { ++ DHKF = KeyFactory.getInstance( ++ "DH", P11Util.getSunJceProvider()); ++ } ++ } finally { ++ DHKFLock.unlock(); ++ } ++ } ++ DHPrivateKeySpec spec = new DHPrivateKeySpec ++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO); ++ keyBytes = DHKF.generatePrivate(spec).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), ++ null); ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ } ++ } ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index ffbd671246..bdaad67e06 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -43,6 +46,8 @@ import javax.security.auth.callback.PasswordCallback; + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + + import jdk.internal.misc.InnocuousThread; ++import jdk.internal.misc.SharedSecrets; ++ + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + import static sun.security.util.SecurityConstants.PROVIDER_VER; +@@ -61,6 +66,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer initialization" + ++ " failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -318,10 +346,15 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -337,7 +370,7 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); + } + p11 = tmpPKCS11; + +@@ -377,6 +410,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 04a369f453..f033fe4759 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; + import java.util.*; + + import java.security.AccessController; +@@ -148,18 +149,41 @@ public class PKCS11 { + this.pkcs11ModulePath = pkcs11ModulePath; + } + ++ /* ++ * Compatibility wrapper to allow this method to work as before ++ * when FIPS mode support is not active. ++ */ ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, ++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, ++ boolean omitInitialize) throws IOException, PKCS11Exception { ++ return getInstance(pkcs11ModulePath, functionList, ++ pInitArgs, omitInitialize, null); ++ } ++ + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1909,4 +1933,69 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++} + } diff --git a/SOURCES/jdk8242332-rh2108712-sha3-sunpkcs11.patch b/SOURCES/jdk8242332-rh2108712-sha3-sunpkcs11.patch index a6192a4..cc28540 100644 --- a/SOURCES/jdk8242332-rh2108712-sha3-sunpkcs11.patch +++ b/SOURCES/jdk8242332-rh2108712-sha3-sunpkcs11.patch @@ -1,11 +1,11 @@ -commit 81c2107a9188680f7c35ebc7697b292d5972436e +commit b8711800e3cd9132ad2b195c82cf816210feb77d Author: Andrew Hughes -Date: Mon Feb 27 13:22:43 2023 +0000 +Date: Thu Oct 5 03:13:01 2023 +0100 Backport 78be334c3817a1b5840922a9bf1339a40dcc5185 diff --git a/src/java.base/share/classes/sun/security/util/KnownOIDs.java b/src/java.base/share/classes/sun/security/util/KnownOIDs.java -index 92ecb9adc0c..a5848c96aad 100644 +index b5cc3b05f1..7e235c90dd 100644 --- a/src/java.base/share/classes/sun/security/util/KnownOIDs.java +++ b/src/java.base/share/classes/sun/security/util/KnownOIDs.java @@ -155,6 +155,14 @@ public enum KnownOIDs { @@ -24,7 +24,7 @@ index 92ecb9adc0c..a5848c96aad 100644 SHA3_256withRSA("2.16.840.1.101.3.4.3.14", "SHA3-256withRSA"), SHA3_384withRSA("2.16.840.1.101.3.4.3.15", "SHA3-384withRSA"), diff --git a/src/java.base/share/classes/sun/security/util/SignatureUtil.java b/src/java.base/share/classes/sun/security/util/SignatureUtil.java -index 32c089fd96d..7d5c0c7e299 100644 +index 32c089fd96..7d5c0c7e29 100644 --- a/src/java.base/share/classes/sun/security/util/SignatureUtil.java +++ b/src/java.base/share/classes/sun/security/util/SignatureUtil.java @@ -168,4 +168,22 @@ public class SignatureUtil { @@ -51,7 +51,7 @@ index 32c089fd96d..7d5c0c7e299 100644 + } } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java -index 41fe61b8a16..daf0bc9f69c 100644 +index 41fe61b8a1..daf0bc9f69 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java @@ -1,5 +1,5 @@ @@ -93,7 +93,7 @@ index 41fe61b8a16..daf0bc9f69c 100644 break; default: diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java -index 926414608cb..f343e6025e1 100644 +index 926414608c..f343e6025e 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java @@ -36,7 +36,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; @@ -428,7 +428,7 @@ index 926414608cb..f343e6025e1 100644 - } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java -index c88e4a6ace5..29b26651c39 100644 +index c88e4a6ace..29b26651c3 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java @@ -39,8 +39,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; @@ -465,7 +465,7 @@ index c88e4a6ace5..29b26651c39 100644 break; case (int)CKM_SSL3_MD5_MAC: diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java -index 26eaa4735f1..905b6ea9562 100644 +index 1419be3754..18e00a544b 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java @@ -38,6 +38,7 @@ import java.security.spec.MGF1ParameterSpec; @@ -738,7 +738,7 @@ index 26eaa4735f1..905b6ea9562 100644 // see JCA spec diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java -index e3af106d05a..e49edf32c29 100644 +index e3af106d05..e49edf32c2 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java @@ -51,8 +51,15 @@ import sun.security.util.KeyUtil; @@ -970,111 +970,88 @@ index e3af106d05a..e49edf32c29 100644 // return RSASignature.decodeSignature(digestOID, signature); // } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index cf7cd19b689..7a8bcffb92c 100644 +index ffbd671246..d191831dab 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -550,6 +550,18 @@ public final class SunPKCS11 extends AuthProvider { - d(MD, "SHA-512/256", P11Digest, - s("2.16.840.1.101.3.4.2.6", "OID.2.16.840.1.101.3.4.2.6"), +@@ -546,6 +546,14 @@ public final class SunPKCS11 extends AuthProvider { + m(CKM_SHA512_224)); + dA(MD, "SHA-512/256", P11Digest, m(CKM_SHA512_256)); -+ d(MD, "SHA3-224", P11Digest, -+ s("2.16.840.1.101.3.4.2.7", "OID.2.16.840.1.101.3.4.2.7"), ++ dA(MD, "SHA3-224", P11Digest, + m(CKM_SHA3_224)); -+ d(MD, "SHA3-256", P11Digest, -+ s("2.16.840.1.101.3.4.2.8", "OID.2.16.840.1.101.3.4.2.8"), ++ dA(MD, "SHA3-256", P11Digest, + m(CKM_SHA3_256)); -+ d(MD, "SHA3-384", P11Digest, -+ s("2.16.840.1.101.3.4.2.9", "OID.2.16.840.1.101.3.4.2.9"), ++ dA(MD, "SHA3-384", P11Digest, + m(CKM_SHA3_384)); -+ d(MD, "SHA3-512", P11Digest, -+ s("2.16.840.1.101.3.4.2.10", "OID.2.16.840.1.101.3.4.2.10"), ++ dA(MD, "SHA3-512", P11Digest, + m(CKM_SHA3_512)); d(MAC, "HmacMD5", P11MAC, m(CKM_MD5_HMAC)); -@@ -574,7 +586,18 @@ public final class SunPKCS11 extends AuthProvider { - d(MAC, "HmacSHA512/256", P11MAC, - s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"), +@@ -563,7 +571,14 @@ public final class SunPKCS11 extends AuthProvider { + m(CKM_SHA512_224_HMAC)); + dA(MAC, "HmacSHA512/256", P11MAC, m(CKM_SHA512_256_HMAC)); - -+ d(MAC, "HmacSHA3-224", P11MAC, -+ s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"), ++ dA(MAC, "HmacSHA3-224", P11MAC, + m(CKM_SHA3_224_HMAC)); -+ d(MAC, "HmacSHA3-256", P11MAC, -+ s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"), ++ dA(MAC, "HmacSHA3-256", P11MAC, + m(CKM_SHA3_256_HMAC)); -+ d(MAC, "HmacSHA3-384", P11MAC, -+ s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"), ++ dA(MAC, "HmacSHA3-384", P11MAC, + m(CKM_SHA3_384_HMAC)); -+ d(MAC, "HmacSHA3-512", P11MAC, -+ s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"), ++ dA(MAC, "HmacSHA3-512", P11MAC, + m(CKM_SHA3_512_HMAC)); d(MAC, "SslMacMD5", P11MAC, m(CKM_SSL3_MD5_MAC)); d(MAC, "SslMacSHA1", P11MAC, -@@ -604,6 +627,41 @@ public final class SunPKCS11 extends AuthProvider { +@@ -595,6 +610,30 @@ public final class SunPKCS11 extends AuthProvider { m(CKM_BLOWFISH_KEY_GEN)); d(KG, "ChaCha20", P11KeyGenerator, m(CKM_CHACHA20_KEY_GEN)); + d(KG, "HmacMD5", P11KeyGenerator, // 1.3.6.1.5.5.8.1.1 + m(CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA1", P11KeyGenerator, -+ s("1.2.840.113549.2.7", "OID.1.2.840.113549.2.7"), ++ dA(KG, "HmacSHA1", P11KeyGenerator, + m(CKM_SHA_1_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA224", P11KeyGenerator, -+ s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"), ++ dA(KG, "HmacSHA224", P11KeyGenerator, + m(CKM_SHA224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA256", P11KeyGenerator, -+ s("1.2.840.113549.2.9", "OID.1.2.840.113549.2.9"), ++ dA(KG, "HmacSHA256", P11KeyGenerator, + m(CKM_SHA256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA384", P11KeyGenerator, -+ s("1.2.840.113549.2.10", "OID.1.2.840.113549.2.10"), ++ dA(KG, "HmacSHA384", P11KeyGenerator, + m(CKM_SHA384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA512", P11KeyGenerator, -+ s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"), ++ dA(KG, "HmacSHA512", P11KeyGenerator, + m(CKM_SHA512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA512/224", P11KeyGenerator, -+ s("1.2.840.113549.2.12", "OID.1.2.840.113549.2.12"), ++ dA(KG, "HmacSHA512/224", P11KeyGenerator, + m(CKM_SHA512_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA512/256", P11KeyGenerator, -+ s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"), ++ dA(KG, "HmacSHA512/256", P11KeyGenerator, + m(CKM_SHA512_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA3-224", P11KeyGenerator, -+ s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"), ++ dA(KG, "HmacSHA3-224", P11KeyGenerator, + m(CKM_SHA3_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA3-256", P11KeyGenerator, -+ s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"), ++ dA(KG, "HmacSHA3-256", P11KeyGenerator, + m(CKM_SHA3_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA3-384", P11KeyGenerator, -+ s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"), ++ dA(KG, "HmacSHA3-384", P11KeyGenerator, + m(CKM_SHA3_384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA3-512", P11KeyGenerator, -+ s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"), ++ dA(KG, "HmacSHA3-512", P11KeyGenerator, + m(CKM_SHA3_512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); // register (Secret)KeyFactories if there are any mechanisms // for a particular algorithm that we support -@@ -747,13 +805,40 @@ public final class SunPKCS11 extends AuthProvider { - d(SIG, "SHA512withDSA", P11Signature, - s("2.16.840.1.101.3.4.3.4", "OID.2.16.840.1.101.3.4.3.4"), +@@ -725,37 +764,77 @@ public final class SunPKCS11 extends AuthProvider { + m(CKM_DSA_SHA384)); + dA(SIG, "SHA512withDSA", P11Signature, m(CKM_DSA_SHA512)); -+ d(SIG, "SHA3-224withDSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.5", "OID.2.16.840.1.101.3.4.3.5"), ++ dA(SIG, "SHA3-224withDSA", P11Signature, + m(CKM_DSA_SHA3_224)); -+ d(SIG, "SHA3-256withDSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.6", "OID.2.16.840.1.101.3.4.3.6"), ++ dA(SIG, "SHA3-256withDSA", P11Signature, + m(CKM_DSA_SHA3_256)); -+ d(SIG, "SHA3-384withDSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.7", "OID.2.16.840.1.101.3.4.3.7"), ++ dA(SIG, "SHA3-384withDSA", P11Signature, + m(CKM_DSA_SHA3_384)); -+ d(SIG, "SHA3-512withDSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.8", "OID.2.16.840.1.101.3.4.3.8"), ++ dA(SIG, "SHA3-512withDSA", P11Signature, + m(CKM_DSA_SHA3_512)); d(SIG, "RawDSAinP1363Format", P11Signature, - s("NONEwithDSAinP1363Format"), + List.of("NONEwithDSAinP1363Format"), m(CKM_DSA)); d(SIG, "DSAinP1363Format", P11Signature, - s("SHA1withDSAinP1363Format"), + List.of("SHA1withDSAinP1363Format"), m(CKM_DSA_SHA1, CKM_DSA)); - + d(SIG, "SHA224withDSAinP1363Format", P11Signature, @@ -1095,36 +1072,27 @@ index cf7cd19b689..7a8bcffb92c 100644 + m(CKM_DSA_SHA3_512)); d(SIG, "NONEwithECDSA", P11Signature, m(CKM_ECDSA)); - d(SIG, "SHA1withECDSA", P11Signature, -@@ -761,28 +846,49 @@ public final class SunPKCS11 extends AuthProvider { + dA(SIG, "SHA1withECDSA", P11Signature, m(CKM_ECDSA_SHA1, CKM_ECDSA)); - d(SIG, "SHA224withECDSA", P11Signature, - s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"), + dA(SIG, "SHA224withECDSA", P11Signature, - m(CKM_ECDSA)); + m(CKM_ECDSA_SHA224, CKM_ECDSA)); - d(SIG, "SHA256withECDSA", P11Signature, - s("1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"), + dA(SIG, "SHA256withECDSA", P11Signature, - m(CKM_ECDSA)); + m(CKM_ECDSA_SHA256, CKM_ECDSA)); - d(SIG, "SHA384withECDSA", P11Signature, - s("1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3"), + dA(SIG, "SHA384withECDSA", P11Signature, - m(CKM_ECDSA)); + m(CKM_ECDSA_SHA384, CKM_ECDSA)); - d(SIG, "SHA512withECDSA", P11Signature, - s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"), + dA(SIG, "SHA512withECDSA", P11Signature, - m(CKM_ECDSA)); + m(CKM_ECDSA_SHA512, CKM_ECDSA)); -+ d(SIG, "SHA3-224withECDSA", P11Signature, -+ s("1.2.840.10045.4.3.9", "OID.1.2.840.10045.4.3.9"), ++ dA(SIG, "SHA3-224withECDSA", P11Signature, + m(CKM_ECDSA_SHA3_224, CKM_ECDSA)); -+ d(SIG, "SHA3-256withECDSA", P11Signature, -+ s("1.2.840.10045.4.3.10", "OID.1.2.840.10045.4.3.10"), ++ dA(SIG, "SHA3-256withECDSA", P11Signature, + m(CKM_ECDSA_SHA3_256, CKM_ECDSA)); -+ d(SIG, "SHA3-384withECDSA", P11Signature, -+ s("1.2.840.10045.4.3.11", "OID.1.2.840.10045.4.3.11"), ++ dA(SIG, "SHA3-384withECDSA", P11Signature, + m(CKM_ECDSA_SHA3_384, CKM_ECDSA)); -+ d(SIG, "SHA3-512withECDSA", P11Signature, -+ s("1.2.840.10045.4.3.12", "OID.1.2.840.10045.4.3.12"), ++ dA(SIG, "SHA3-512withECDSA", P11Signature, + m(CKM_ECDSA_SHA3_512, CKM_ECDSA)); d(SIG, "NONEwithECDSAinP1363Format", P11Signature, m(CKM_ECDSA)); @@ -1151,29 +1119,25 @@ index cf7cd19b689..7a8bcffb92c 100644 + d(SIG, "SHA3-512withECDSAinP1363Format", P11Signature, + m(CKM_ECDSA_SHA3_512, CKM_ECDSA)); + - d(SIG, "MD2withRSA", P11Signature, - s("1.2.840.113549.1.1.2", "OID.1.2.840.113549.1.1.2"), + dA(SIG, "MD2withRSA", P11Signature, m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); -@@ -805,6 +911,18 @@ public final class SunPKCS11 extends AuthProvider { - d(SIG, "SHA512withRSA", P11Signature, - s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"), + dA(SIG, "MD5withRSA", P11Signature, +@@ -770,6 +849,14 @@ public final class SunPKCS11 extends AuthProvider { + m(CKM_SHA384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); + dA(SIG, "SHA512withRSA", P11Signature, m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); -+ d(SIG, "SHA3-224withRSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.13", "OID.2.16.840.1.101.3.4.3.13"), ++ dA(SIG, "SHA3-224withRSA", P11Signature, + m(CKM_SHA3_224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); -+ d(SIG, "SHA3-256withRSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.14", "OID.2.16.840.1.101.3.4.3.14"), ++ dA(SIG, "SHA3-256withRSA", P11Signature, + m(CKM_SHA3_256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); -+ d(SIG, "SHA3-384withRSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.15", "OID.2.16.840.1.101.3.4.3.15"), ++ dA(SIG, "SHA3-384withRSA", P11Signature, + m(CKM_SHA3_384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); -+ d(SIG, "SHA3-512withRSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.16", "OID.2.16.840.1.101.3.4.3.16"), ++ dA(SIG, "SHA3-512withRSA", P11Signature, + m(CKM_SHA3_512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "RSASSA-PSS", P11PSSSignature, - s("1.2.840.113549.1.1.10", "OID.1.2.840.113549.1.1.10"), + dA(SIG, "RSASSA-PSS", P11PSSSignature, m(CKM_RSA_PKCS_PSS)); -@@ -818,6 +936,14 @@ public final class SunPKCS11 extends AuthProvider { + d(SIG, "SHA1withRSASSA-PSS", P11PSSSignature, +@@ -782,6 +869,14 @@ public final class SunPKCS11 extends AuthProvider { m(CKM_SHA384_RSA_PKCS_PSS)); d(SIG, "SHA512withRSASSA-PSS", P11PSSSignature, m(CKM_SHA512_RSA_PKCS_PSS)); @@ -1189,7 +1153,7 @@ index cf7cd19b689..7a8bcffb92c 100644 d(KG, "SunTlsRsaPremasterSecret", "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator", diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java -index e077943bbc2..cb04b95304d 100644 +index e077943bbc..cb04b95304 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java @@ -1,5 +1,5 @@ @@ -1215,7 +1179,7 @@ index e077943bbc2..cb04b95304d 100644 diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java new file mode 100644 -index 00000000000..d6707028d96 +index 0000000000..d6707028d9 --- /dev/null +++ b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java @@ -0,0 +1,84 @@ @@ -1304,7 +1268,7 @@ index 00000000000..d6707028d96 + } +} diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java -index b61d10beece..78b7d857e8e 100644 +index b61d10beec..78b7d857e8 100644 --- a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java +++ b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java @@ -23,7 +23,7 @@ @@ -1336,7 +1300,7 @@ index b61d10beece..78b7d857e8e 100644 test("ARCFOUR", 1024, p, TestResult.TBD); } else if (p.getName().equals("SunPKCS11-NSS")) { diff --git a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java -index 59af327c1f2..64c42a6dd06 100644 +index 59af327c1f..64c42a6dd0 100644 --- a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java +++ b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java @@ -23,7 +23,7 @@ @@ -1421,7 +1385,7 @@ index 59af327c1f2..64c42a6dd06 100644 mac.reset(); diff --git a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java -index 5cad8859840..7e045232e3a 100644 +index 5cad885984..7e045232e3 100644 --- a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java +++ b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java @@ -1,5 +1,5 @@ @@ -1514,7 +1478,7 @@ index 5cad8859840..7e045232e3a 100644 } } diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java -index 7ced00630cc..a7a72e8ea3d 100644 +index 7ced00630c..a7a72e8ea3 100644 --- a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java +++ b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java @@ -1,5 +1,5 @@ @@ -1574,7 +1538,7 @@ index 7ced00630cc..a7a72e8ea3d 100644 byte[] d1 = md.digest(data); diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java -index ea7909bc397..268f698276b 100644 +index ea7909bc39..268f698276 100644 --- a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java +++ b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java @@ -1,5 +1,5 @@ @@ -1655,7 +1619,7 @@ index ea7909bc397..268f698276b 100644 private static void check(byte[] d1, byte[] d2) throws Exception { diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java -index b931c8564b2..ace601c7233 100644 +index b931c8564b..ace601c723 100644 --- a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java +++ b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java @@ -1,5 +1,5 @@ @@ -1744,7 +1708,7 @@ index b931c8564b2..ace601c7233 100644 MessageDigest mdCopy0 = (MessageDigest) mdObj.clone(); diff --git a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java -index 26eeacffed9..f5de994779c 100644 +index 26eeacffed..f5de994779 100644 --- a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java +++ b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java @@ -23,7 +23,7 @@ @@ -1770,7 +1734,7 @@ index 26eeacffed9..f5de994779c 100644 sig.update(t); byte[] signature = sig.sign(); diff --git a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java -index ccd66599fb0..a2fa7294977 100644 +index ccd66599fb..a2fa729497 100644 --- a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java +++ b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java @@ -1,5 +1,5 @@ @@ -1816,7 +1780,7 @@ index ccd66599fb0..a2fa7294977 100644 PSSParameterSpec params = new PSSParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), 32, diff --git a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java -index 2e4fedbf1d5..f1c0492b5fc 100644 +index 2e4fedbf1d..f1c0492b5f 100644 --- a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java +++ b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java @@ -1,5 +1,5 @@ @@ -1910,7 +1874,7 @@ index 2e4fedbf1d5..f1c0492b5fc 100644 System.out.println("test#4: pass"); } diff --git a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java -index 42ca7fa203d..8c132ca7e4f 100644 +index 42ca7fa203..8c132ca7e4 100644 --- a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java +++ b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java @@ -23,312 +23,13 @@ @@ -2242,7 +2206,7 @@ index 42ca7fa203d..8c132ca7e4f 100644 new Random().nextBytes(data); sig.initSign(privateKey); diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java -index 3c3edb5aa6a..11147022771 100644 +index 3c3edb5aa6..1114702277 100644 --- a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java +++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java @@ -1,5 +1,5 @@ @@ -2263,7 +2227,7 @@ index 3c3edb5aa6a..11147022771 100644 * @library /test/lib .. diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java new file mode 100644 -index 00000000000..b8ea9863327 +index 0000000000..b8ea986332 --- /dev/null +++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java @@ -0,0 +1,98 @@ @@ -2366,7 +2330,7 @@ index 00000000000..b8ea9863327 + } +} diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java -index 3a6dbe345e9..4c1f7284bbc 100644 +index 3a6dbe345e..4c1f7284bb 100644 --- a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java +++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java @@ -1,5 +1,5 @@ @@ -2424,7 +2388,7 @@ index 3a6dbe345e9..4c1f7284bbc 100644 hash, "MGF1", new MGF1ParameterSpec(mgfHash), 0, 1); diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java new file mode 100644 -index 00000000000..516b17972e5 +index 0000000000..516b17972e --- /dev/null +++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java @@ -0,0 +1,140 @@ @@ -2569,7 +2533,7 @@ index 00000000000..516b17972e5 + } +} diff --git a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java -index 222f8a2a5ed..3161de6fc50 100644 +index 222f8a2a5e..3161de6fc5 100644 --- a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java +++ b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java @@ -1,5 +1,5 @@ @@ -2664,7 +2628,7 @@ index 222f8a2a5ed..3161de6fc50 100644 } } diff --git a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java -index f469ca17b65..7e5a012a5ec 100644 +index f469ca17b6..7e5a012a5e 100644 --- a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java +++ b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java @@ -22,8 +22,8 @@ @@ -2697,7 +2661,7 @@ index f469ca17b65..7e5a012a5ec 100644 kpg.initialize(512); KeyPair kp = kpg.generateKeyPair(); diff --git a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt -index 49778ea954c..576b1dc4d69 100644 +index 49778ea954..576b1dc4d6 100644 --- a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt +++ b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt @@ -11,12 +11,23 @@ library = ${pkcs11test.nss.lib} diff --git a/SOURCES/jdk8312489-max_sig_default_increase.patch b/SOURCES/jdk8312489-max_sig_default_increase.patch new file mode 100644 index 0000000..e0c4eeb --- /dev/null +++ b/SOURCES/jdk8312489-max_sig_default_increase.patch @@ -0,0 +1,50 @@ +commit 50074a04e62f91faa080b831d9ce343396ead252 +Author: Andrew John Hughes +Date: Tue Sep 5 20:48:42 2023 +0000 + + 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar + + Backport-of: e47a84f23dd2608c6f5748093eefe301fb5bf750 + +diff --git a/src/java.base/share/classes/java/util/jar/JarFile.java b/src/java.base/share/classes/java/util/jar/JarFile.java +index cb7e308e0d..cce897c0d3 100644 +--- a/src/java.base/share/classes/java/util/jar/JarFile.java ++++ b/src/java.base/share/classes/java/util/jar/JarFile.java +@@ -809,7 +809,9 @@ class JarFile extends ZipFile { + throw new IOException("Unsupported size: " + uncompressedSize + + " for JarEntry " + ze.getName() + + ". Allowed max size: " + +- SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes"); ++ SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes. " + ++ "You can use the jdk.jar.maxSignatureFileSize " + ++ "system property to increase the default value."); + } + int len = (int)uncompressedSize; + int bytesRead; +diff --git a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java +index cb477fc134..a766b8249f 100644 +--- a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java ++++ b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java +@@ -852,16 +852,16 @@ public class SignatureFileVerifier { + * the maximum allowed number of bytes for the signature-related files + * in a JAR file. + */ +- Integer tmp = GetIntegerAction.privilegedGetProperty( +- "jdk.jar.maxSignatureFileSize", 8000000); ++ int tmp = GetIntegerAction.privilegedGetProperty( ++ "jdk.jar.maxSignatureFileSize", 16000000); + if (tmp < 0 || tmp > MAX_ARRAY_SIZE) { + if (debug != null) { +- debug.println("Default signature file size 8000000 bytes " + +- "is used as the specified size for the " + +- "jdk.jar.maxSignatureFileSize system property " + ++ debug.println("The default signature file size of 16000000 bytes " + ++ "will be used for the jdk.jar.maxSignatureFileSize " + ++ "system property since the specified value " + + "is out of range: " + tmp); + } +- tmp = 8000000; ++ tmp = 16000000; + } + return tmp; + }