|
|
|
@ -1,5 +1,5 @@
|
|
|
|
|
diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
|
|
|
|
|
index 16e906bdc6..1a352e5a32 100644
|
|
|
|
|
index a73c0f38181..80710886ed8 100644
|
|
|
|
|
--- a/make/autoconf/libraries.m4
|
|
|
|
|
+++ b/make/autoconf/libraries.m4
|
|
|
|
|
@@ -101,6 +101,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
|
|
|
|
@ -74,10 +74,10 @@ index 16e906bdc6..1a352e5a32 100644
|
|
|
|
|
+ AC_SUBST(USE_SYSCONF_NSS)
|
|
|
|
|
+])
|
|
|
|
|
diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
|
|
|
|
|
index 3787b12600..dab108a82b 100644
|
|
|
|
|
index 0ae23b93167..a242acc1234 100644
|
|
|
|
|
--- a/make/autoconf/spec.gmk.in
|
|
|
|
|
+++ b/make/autoconf/spec.gmk.in
|
|
|
|
|
@@ -848,6 +848,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
|
|
|
|
|
@@ -826,6 +826,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
|
|
|
|
|
# Libraries
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
@ -89,10 +89,10 @@ index 3787b12600..dab108a82b 100644
|
|
|
|
|
LCMS_CFLAGS:=@LCMS_CFLAGS@
|
|
|
|
|
LCMS_LIBS:=@LCMS_LIBS@
|
|
|
|
|
diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk
|
|
|
|
|
index b40d3114b9..0d1d83cf3e 100644
|
|
|
|
|
index a529768f39e..daf9c947172 100644
|
|
|
|
|
--- a/make/lib/Lib-java.base.gmk
|
|
|
|
|
+++ b/make/lib/Lib-java.base.gmk
|
|
|
|
|
@@ -178,6 +178,31 @@ ifeq ($(call isTargetOsType, unix), true)
|
|
|
|
|
@@ -178,6 +178,31 @@ ifeq ($(OPENJDK_TARGET_OS_TYPE), unix)
|
|
|
|
|
endif
|
|
|
|
|
endif
|
|
|
|
|
|
|
|
|
@ -125,7 +125,7 @@ index b40d3114b9..0d1d83cf3e 100644
|
|
|
|
|
# Create the symbols file for static builds.
|
|
|
|
|
|
|
|
|
|
diff --git a/make/nb_native/nbproject/configurations.xml b/make/nb_native/nbproject/configurations.xml
|
|
|
|
|
index fb07d54c1f..c5813e2b7a 100644
|
|
|
|
|
index fb07d54c1f0..c5813e2b7aa 100644
|
|
|
|
|
--- a/make/nb_native/nbproject/configurations.xml
|
|
|
|
|
+++ b/make/nb_native/nbproject/configurations.xml
|
|
|
|
|
@@ -2950,6 +2950,9 @@
|
|
|
|
@ -151,7 +151,7 @@ index fb07d54c1f..c5813e2b7a 100644
|
|
|
|
|
ex="false"
|
|
|
|
|
tool="3"
|
|
|
|
|
diff --git a/make/scripts/compare_exceptions.sh.incl b/make/scripts/compare_exceptions.sh.incl
|
|
|
|
|
index 6327040964..6b3780123b 100644
|
|
|
|
|
index 6327040964d..6b3780123b6 100644
|
|
|
|
|
--- a/make/scripts/compare_exceptions.sh.incl
|
|
|
|
|
+++ b/make/scripts/compare_exceptions.sh.incl
|
|
|
|
|
@@ -179,6 +179,7 @@ if [ "$OPENJDK_TARGET_OS" = "solaris" ] && [ "$OPENJDK_TARGET_CPU" = "x86_64" ];
|
|
|
|
@ -172,7 +172,7 @@ index 6327040964..6b3780123b 100644
|
|
|
|
|
./lib/libzip.so
|
|
|
|
|
diff --git a/src/java.base/linux/native/libsystemconf/systemconf.c b/src/java.base/linux/native/libsystemconf/systemconf.c
|
|
|
|
|
new file mode 100644
|
|
|
|
|
index 0000000000..8dcb7d9073
|
|
|
|
|
index 00000000000..8dcb7d9073f
|
|
|
|
|
--- /dev/null
|
|
|
|
|
+++ b/src/java.base/linux/native/libsystemconf/systemconf.c
|
|
|
|
|
@@ -0,0 +1,224 @@
|
|
|
|
@ -401,7 +401,7 @@ index 0000000000..8dcb7d9073
|
|
|
|
|
+ }
|
|
|
|
|
+}
|
|
|
|
|
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
|
|
|
|
|
index 5b9552058b..b46de49211 100644
|
|
|
|
|
index b36510a376b..ad5182e1e7c 100644
|
|
|
|
|
--- a/src/java.base/share/classes/java/security/Security.java
|
|
|
|
|
+++ b/src/java.base/share/classes/java/security/Security.java
|
|
|
|
|
@@ -32,6 +32,7 @@ import java.net.URL;
|
|
|
|
@ -412,17 +412,16 @@ index 5b9552058b..b46de49211 100644
|
|
|
|
|
import jdk.internal.misc.SharedSecrets;
|
|
|
|
|
import jdk.internal.util.StaticProperty;
|
|
|
|
|
import sun.security.util.Debug;
|
|
|
|
|
@@ -47,6 +48,9 @@ import sun.security.jca.*;
|
|
|
|
|
@@ -47,12 +48,20 @@ import sun.security.jca.*;
|
|
|
|
|
* implementation-specific location, which is typically the properties file
|
|
|
|
|
* {@code conf/security/java.security} in the Java installation directory.
|
|
|
|
|
*
|
|
|
|
|
+ * <p>Additional default values of security properties are read from a
|
|
|
|
|
+ * system-specific location, if available.</p>
|
|
|
|
|
+ *
|
|
|
|
|
* @implNote If the properties file fails to load, the JDK implementation will
|
|
|
|
|
* throw an unspecified error when initializing the {@code Security} class.
|
|
|
|
|
*
|
|
|
|
|
@@ -56,6 +60,11 @@ import sun.security.jca.*;
|
|
|
|
|
* @author Benjamin Renaud
|
|
|
|
|
* @since 1.1
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
public final class Security {
|
|
|
|
|
|
|
|
|
@ -434,7 +433,7 @@ index 5b9552058b..b46de49211 100644
|
|
|
|
|
/* Are we debugging? -- for developers */
|
|
|
|
|
private static final Debug sdebug =
|
|
|
|
|
Debug.getInstance("properties");
|
|
|
|
|
@@ -70,6 +79,19 @@ public final class Security {
|
|
|
|
|
@@ -67,6 +76,19 @@ public final class Security {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static {
|
|
|
|
@ -454,19 +453,26 @@ index 5b9552058b..b46de49211 100644
|
|
|
|
|
// doPrivileged here because there are multiple
|
|
|
|
|
// things in initialize that might require privs.
|
|
|
|
|
// (the FileInputStream call and the File.exists call,
|
|
|
|
|
@@ -85,6 +107,7 @@ public final class Security {
|
|
|
|
|
private static void initialize() {
|
|
|
|
|
@@ -83,6 +105,7 @@ public final class Security {
|
|
|
|
|
props = new Properties();
|
|
|
|
|
boolean loadedProps = false;
|
|
|
|
|
boolean overrideAll = false;
|
|
|
|
|
+ boolean systemSecPropsEnabled = false;
|
|
|
|
|
|
|
|
|
|
// first load the system properties file
|
|
|
|
|
// to determine the value of security.overridePropertiesFile
|
|
|
|
|
@@ -105,9 +128,63 @@ public final class Security {
|
|
|
|
|
@@ -98,6 +121,7 @@ public final class Security {
|
|
|
|
|
if (sdebug != null) {
|
|
|
|
|
sdebug.println("reading security properties file: " +
|
|
|
|
|
propFile);
|
|
|
|
|
+ sdebug.println(props.toString());
|
|
|
|
|
}
|
|
|
|
|
} catch (IOException e) {
|
|
|
|
|
if (sdebug != null) {
|
|
|
|
|
@@ -192,6 +216,61 @@ public final class Security {
|
|
|
|
|
}
|
|
|
|
|
loadProps(null, extraPropFile, overrideAll);
|
|
|
|
|
}
|
|
|
|
|
+
|
|
|
|
|
|
|
|
|
|
+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
|
|
|
|
|
+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
|
|
|
|
|
+ if (sdebug != null) {
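Review bot: The two switch reads at `boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));` and `boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));` box a Boolean only to unbox it, and the `"false"` default is redundant because `Boolean.valueOf(null)` is already false. The idiomatic forms are `boolean sysUseProps = Boolean.getBoolean(SYS_PROP_SWITCH);` and `boolean secUseProps = Boolean.parseBoolean(props.getProperty(SEC_PROP_SWITCH));`, which read the same way and cannot NPE. Note that `props` at this point already includes the `-Djava.security.properties` overlay loaded just above (`loadProps(null, extraPropFile, overrideAll)`), so a user-supplied extra properties file can flip `SEC_PROP_SWITCH`; if that is intended it deserves a comment such as `// the extra properties file may override SEC_PROP_SWITCH; this is by design`. The `initialize()` method continues outside this hunk, and which of the interleaved old/new patch lines survives here is inferred from the outer hunk counts.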
|
|
|
|
@ -486,7 +492,9 @@ index 5b9552058b..b46de49211 100644
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ if (systemSecPropsEnabled) {
|
|
|
|
|
+ // FIPS support depends on the contents of java.security so
|
|
|
|
|
+ // ensure it has loaded first
|
|
|
|
|
+ if (loadedProps && systemSecPropsEnabled) {
|
|
|
|
|
+ boolean shouldEnable;
|
|
|
|
|
+ String sysProp = System.getProperty("com.redhat.fips");
|
|
|
|
|
+ if (sysProp == null) {
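Review bot: The new guard `if (loadedProps && systemSecPropsEnabled)` silently skips the whole FIPS decision when the master `java.security` file did not load, so an operator who enabled system security properties gets a JVM without the expected FIPS alignment and no indication why, unless `initialize()` fails hard later on `loadedProps == false`, which this hunk does not show. An explicit trace on that path would make the failure mode visible, e.g. `} else if (systemSecPropsEnabled && sdebug != null) { sdebug.println("java.security not loaded; system FIPS detection skipped"); }`. Separately, `System.getProperty("com.redhat.fips")` is a launch-time override that can presumably switch the FIPS behaviour from the command line; it should be documented next to the security-property switch in `java.security` so operators know it exists and can lock it down. The enclosing block starts before and ends after this hunk.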
|
|
|
|
@ -522,19 +530,15 @@ index 5b9552058b..b46de49211 100644
|
|
|
|
|
+ }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
|
|
|
|
|
+ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
|
|
|
|
|
InputStream is = null;
|
|
|
|
|
try {
|
|
|
|
|
if (masterFile != null && masterFile.exists()) {
|
|
|
|
|
/*
|
|
|
|
|
diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
|
|
|
|
|
new file mode 100644
|
|
|
|
|
index 0000000000..49bf17ea17
|
|
|
|
|
index 00000000000..90f6dd2ebc0
|
|
|
|
|
--- /dev/null
|
|
|
|
|
+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
|
|
|
|
|
@@ -0,0 +1,231 @@
|
|
|
|
|
@@ -0,0 +1,248 @@
|
|
|
|
|
+/*
|
|
|
|
|
+ * Copyright (c) 2019, 2023, Red Hat, Inc.
|
|
|
|
|
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
|
|
|
|
|
+ *
|
|
|
|
|
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
|
|
+ *
|
|
|
|
@ -612,9 +616,26 @@ index 0000000000..49bf17ea17
|
|
|
|
|
+ * security.useSystemPropertiesFile is true.
|
|
|
|
|
+ */
|
|
|
|
|
+ static boolean configureSysProps(Properties props) {
|
|
|
|
|
+ // now load the system file, if it exists, so its values
|
|
|
|
|
+ // will win if they conflict with the earlier values
|
|
|
|
|
+ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false);
|
|
|
|
|
+ boolean systemSecPropsLoaded = false;
|
|
|
|
|
+
|
|
|
|
|
+ try (BufferedInputStream bis =
|
|
|
|
|
+ new BufferedInputStream(
|
|
|
|
|
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
|
|
|
|
|
+ props.load(bis);
|
|
|
|
|
+ systemSecPropsLoaded = true;
|
|
|
|
|
+ if (sdebug != null) {
|
|
|
|
|
+ sdebug.println("reading system security properties file " +
|
|
|
|
|
+ CRYPTO_POLICIES_JAVA_CONFIG);
|
|
|
|
|
+ sdebug.println(props.toString());
|
|
|
|
|
+ }
|
|
|
|
|
+ } catch (IOException e) {
|
|
|
|
|
+ if (sdebug != null) {
|
|
|
|
|
+ sdebug.println("unable to load security properties from " +
|
|
|
|
|
+ CRYPTO_POLICIES_JAVA_CONFIG);
|
|
|
|
|
+ e.printStackTrace();
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+ return systemSecPropsLoaded;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ /*
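Review bot: `props.load(bis)` writes straight into the live security `Properties`, so an IOException part-way through the file (the catch at `} catch (IOException e) {`) leaves `props` half-updated while `configureSysProps` returns false, and the caller then treats the system file as not applied. Loading into a scratch `Properties` and merging only on success keeps the all-or-nothing behaviour the comment "its values will win if they conflict" promises. `e.printStackTrace()` inside the `sdebug` branch also bypasses the Debug channel used everywhere else; `sdebug.println(e.toString())` is consistent with the surrounding code. Which of the two interleaved implementations is the surviving one is inferred from the outer hunk line counts.

```java
    static boolean configureSysProps(Properties props) {
        boolean systemSecPropsLoaded = false;
        Properties sysProps = new Properties();
        try (BufferedInputStream bis =
                new BufferedInputStream(
                        new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
            sysProps.load(bis);
            // only merge once the whole file parsed, so a partial read cannot
            // leave props in a mixed state
            props.putAll(sysProps);
            systemSecPropsLoaded = true;
            // … unchanged: sdebug output …
        } catch (IOException e) {
            if (sdebug != null) {
                sdebug.println("unable to load security properties from " +
                        CRYPTO_POLICIES_JAVA_CONFIG);
                sdebug.println(e.toString());
            }
        }
        return systemSecPropsLoaded;
    }
```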
|
|
|
|
@ -766,7 +787,7 @@ index 0000000000..49bf17ea17
|
|
|
|
|
+}
|
|
|
|
|
diff --git a/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
|
|
|
|
|
new file mode 100644
|
|
|
|
|
index 0000000000..21bc6d0b59
|
|
|
|
|
index 00000000000..21bc6d0b591
|
|
|
|
|
--- /dev/null
|
|
|
|
|
+++ b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
|
|
|
|
|
@@ -0,0 +1,31 @@
|
|
|
|
@ -802,7 +823,7 @@ index 0000000000..21bc6d0b59
|
|
|
|
|
+ boolean isPlainKeySupportEnabled();
|
|
|
|
|
+}
|
|
|
|
|
diff --git a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
|
|
|
|
|
index 688ec9f091..8489b940c4 100644
|
|
|
|
|
index 688ec9f0915..8489b940c43 100644
|
|
|
|
|
--- a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
|
|
|
|
|
+++ b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
|
|
|
|
|
@@ -36,6 +36,7 @@ import java.io.FilePermission;
|
|
|
|
@ -838,7 +859,7 @@ index 688ec9f091..8489b940c4 100644
|
|
|
|
|
+ }
|
|
|
|
|
}
|
|
|
|
|
diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
|
|
|
|
|
index 7351627db3..859591890d 100644
|
|
|
|
|
index 5460efcf8c5..f08dc2fafc5 100644
|
|
|
|
|
--- a/src/java.base/share/classes/module-info.java
|
|
|
|
|
+++ b/src/java.base/share/classes/module-info.java
|
|
|
|
|
@@ -182,6 +182,7 @@ module java.base {
|
|
|
|
@ -850,7 +871,7 @@ index 7351627db3..859591890d 100644
|
|
|
|
|
jdk.attach,
|
|
|
|
|
jdk.charsets,
|
|
|
|
|
diff --git a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
|
|
|
|
|
index ffee2c1603..ff3d5e0e4a 100644
|
|
|
|
|
index ffee2c1603b..ff3d5e0e4ab 100644
|
|
|
|
|
--- a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
|
|
|
|
|
+++ b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
|
|
|
|
|
@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
|
|
|
|
@ -889,7 +910,7 @@ index ffee2c1603..ff3d5e0e4a 100644
|
|
|
|
|
"FIPS mode: KeyStore must be " +
|
|
|
|
|
"from provider " + SunJSSE.cryptoProvider.getName());
|
|
|
|
|
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
|
|
|
|
|
index e06b2a588c..315a2ce370 100644
|
|
|
|
|
index de7da5c3379..5c3813dda7b 100644
|
|
|
|
|
--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
|
|
|
|
|
+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
|
|
|
|
|
@@ -31,6 +31,7 @@ import java.security.*;
|
|
|
|
@ -910,14 +931,6 @@ index e06b2a588c..315a2ce370 100644
|
|
|
|
|
- ProtocolVersion.TLS11,
|
|
|
|
|
- ProtocolVersion.TLS10
|
|
|
|
|
- );
|
|
|
|
|
-
|
|
|
|
|
- serverDefaultProtocols = getAvailableProtocols(
|
|
|
|
|
- new ProtocolVersion[] {
|
|
|
|
|
- ProtocolVersion.TLS13,
|
|
|
|
|
- ProtocolVersion.TLS12,
|
|
|
|
|
- ProtocolVersion.TLS11,
|
|
|
|
|
- ProtocolVersion.TLS10
|
|
|
|
|
- });
|
|
|
|
|
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
|
|
|
|
+ .isSystemFipsEnabled()) {
|
|
|
|
|
+ // RH1860986: TLSv1.3 key derivation not supported with
|
|
|
|
@ -927,7 +940,14 @@ index e06b2a588c..315a2ce370 100644
|
|
|
|
|
+ ProtocolVersion.TLS11,
|
|
|
|
|
+ ProtocolVersion.TLS10
|
|
|
|
|
+ );
|
|
|
|
|
+
|
|
|
|
|
|
|
|
|
|
- serverDefaultProtocols = getAvailableProtocols(
|
|
|
|
|
- new ProtocolVersion[] {
|
|
|
|
|
- ProtocolVersion.TLS13,
|
|
|
|
|
- ProtocolVersion.TLS12,
|
|
|
|
|
- ProtocolVersion.TLS11,
|
|
|
|
|
- ProtocolVersion.TLS10
|
|
|
|
|
- });
|
|
|
|
|
+ serverDefaultProtocols = getAvailableProtocols(
|
|
|
|
|
+ new ProtocolVersion[] {
|
|
|
|
|
+ ProtocolVersion.TLS12,
|
|
|
|
@ -953,68 +973,42 @@ index e06b2a588c..315a2ce370 100644
|
|
|
|
|
} else {
|
|
|
|
|
supportedProtocols = Arrays.asList(
|
|
|
|
|
ProtocolVersion.TLS13,
|
|
|
|
|
@@ -910,12 +929,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
|
|
|
|
|
if (client) {
|
|
|
|
|
// default client protocols
|
|
|
|
|
if (SunJSSE.isFIPS()) {
|
|
|
|
|
- candidates = new ProtocolVersion[] {
|
|
|
|
|
- ProtocolVersion.TLS13,
|
|
|
|
|
- ProtocolVersion.TLS12,
|
|
|
|
|
- ProtocolVersion.TLS11,
|
|
|
|
|
- ProtocolVersion.TLS10
|
|
|
|
|
- };
|
|
|
|
|
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
|
|
|
|
+ .isSystemFipsEnabled()) {
|
|
|
|
|
+ // RH1860986: TLSv1.3 key derivation not supported with
|
|
|
|
|
+ // the Security Providers available in system FIPS mode.
|
|
|
|
|
+ candidates = new ProtocolVersion[] {
|
|
|
|
|
+ ProtocolVersion.TLS12,
|
|
|
|
|
+ ProtocolVersion.TLS11,
|
|
|
|
|
+ ProtocolVersion.TLS10
|
|
|
|
|
+ };
|
|
|
|
|
+ } else {
|
|
|
|
|
+ candidates = new ProtocolVersion[] {
|
|
|
|
|
+ ProtocolVersion.TLS13,
|
|
|
|
|
+ ProtocolVersion.TLS12,
|
|
|
|
|
+ ProtocolVersion.TLS11,
|
|
|
|
|
+ ProtocolVersion.TLS10
|
|
|
|
|
+ };
|
|
|
|
|
+ }
|
|
|
|
|
} else {
|
|
|
|
|
candidates = new ProtocolVersion[] {
|
|
|
|
|
ProtocolVersion.TLS13,
|
|
|
|
|
@@ -927,12 +957,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
|
|
|
|
|
} else {
|
|
|
|
|
// default server protocols
|
|
|
|
|
if (SunJSSE.isFIPS()) {
|
|
|
|
|
- candidates = new ProtocolVersion[] {
|
|
|
|
|
- ProtocolVersion.TLS13,
|
|
|
|
|
- ProtocolVersion.TLS12,
|
|
|
|
|
- ProtocolVersion.TLS11,
|
|
|
|
|
- ProtocolVersion.TLS10
|
|
|
|
|
- };
|
|
|
|
|
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
|
|
|
|
+ .isSystemFipsEnabled()) {
|
|
|
|
|
+ // RH1860986: TLSv1.3 key derivation not supported with
|
|
|
|
|
+ // the Security Providers available in system FIPS mode.
|
|
|
|
|
+ candidates = new ProtocolVersion[] {
|
|
|
|
|
+ ProtocolVersion.TLS12,
|
|
|
|
|
+ ProtocolVersion.TLS11,
|
|
|
|
|
+ ProtocolVersion.TLS10
|
|
|
|
|
+ };
|
|
|
|
|
+ } else {
|
|
|
|
|
+ candidates = new ProtocolVersion[] {
|
|
|
|
|
+ ProtocolVersion.TLS13,
|
|
|
|
|
+ ProtocolVersion.TLS12,
|
|
|
|
|
+ ProtocolVersion.TLS11,
|
|
|
|
|
+ ProtocolVersion.TLS10
|
|
|
|
|
+ };
|
|
|
|
|
+ }
|
|
|
|
|
} else {
|
|
|
|
|
candidates = new ProtocolVersion[] {
|
|
|
|
|
ProtocolVersion.TLS13,
|
|
|
|
|
@@ -620,6 +639,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
|
|
|
|
|
|
|
|
|
|
static ProtocolVersion[] getSupportedProtocols() {
|
|
|
|
|
if (SunJSSE.isFIPS()) {
|
|
|
|
|
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
|
|
|
|
+ .isSystemFipsEnabled()) {
|
|
|
|
|
+ // RH1860986: TLSv1.3 key derivation not supported with
|
|
|
|
|
+ // the Security Providers available in system FIPS mode.
|
|
|
|
|
+ return new ProtocolVersion[] {
|
|
|
|
|
+ ProtocolVersion.TLS12,
|
|
|
|
|
+ ProtocolVersion.TLS11,
|
|
|
|
|
+ ProtocolVersion.TLS10
|
|
|
|
|
+ };
|
|
|
|
|
+ }
|
|
|
|
|
return new ProtocolVersion[] {
|
|
|
|
|
ProtocolVersion.TLS13,
|
|
|
|
|
ProtocolVersion.TLS12,
|
|
|
|
|
@@ -949,6 +978,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
|
|
|
|
|
|
|
|
|
|
static ProtocolVersion[] getProtocols() {
|
|
|
|
|
if (SunJSSE.isFIPS()) {
|
|
|
|
|
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
|
|
|
|
|
+ .isSystemFipsEnabled()) {
|
|
|
|
|
+ // RH1860986: TLSv1.3 key derivation not supported with
|
|
|
|
|
+ // the Security Providers available in system FIPS mode.
|
|
|
|
|
+ return new ProtocolVersion[] {
|
|
|
|
|
+ ProtocolVersion.TLS12,
|
|
|
|
|
+ ProtocolVersion.TLS11,
|
|
|
|
|
+ ProtocolVersion.TLS10
|
|
|
|
|
+ };
|
|
|
|
|
+ }
|
|
|
|
|
return new ProtocolVersion[]{
|
|
|
|
|
ProtocolVersion.TLS13,
|
|
|
|
|
ProtocolVersion.TLS12,
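Review bot: The same lookup `SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled()` is repeated at four sites in this file (the client and server `candidates` arrays, `getSupportedProtocols()` and `getProtocols()`), each with its own copy of the RH1860986 comment and protocol list, so a future change to the FIPS protocol set has to be made in four places and can drift. A single `private static final ProtocolVersion[] SYSTEM_FIPS_PROTOCOLS = { ProtocolVersion.TLS12, ProtocolVersion.TLS11, ProtocolVersion.TLS10 };` plus one helper such as `private static boolean isSystemFips() { return SunJSSE.isFIPS() && SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); }` would make every site a one-line branch; whether the accessor value is stable for the life of the JVM is presumably true but not visible here, so a cached `static final boolean` should be confirmed against `SharedSecrets` initialization order first. `getProtocols()` continues outside this hunk.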
|
|
|
|
|
diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
|
|
|
|
|
index 2a2b5d7568..891796f19b 100644
|
|
|
|
|
index c50ba93ecfc..de2a91a478c 100644
|
|
|
|
|
--- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
|
|
|
|
|
+++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
|
|
|
|
|
@@ -27,6 +27,8 @@ package sun.security.ssl;
|
|
|
|
@ -1025,7 +1019,7 @@ index 2a2b5d7568..891796f19b 100644
|
|
|
|
|
+import jdk.internal.misc.SharedSecrets;
|
|
|
|
|
import sun.security.rsa.SunRsaSignEntries;
|
|
|
|
|
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
|
|
|
|
import static sun.security.util.SecurityProviderConstants.*;
|
|
|
|
|
import static sun.security.provider.SunEntries.createAliases;
|
|
|
|
|
@@ -195,8 +197,13 @@ public abstract class SunJSSE extends java.security.Provider {
|
|
|
|
|
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
|
|
|
|
|
ps("SSLContext", "TLSv1.2",
|
|
|
|
@ -1041,12 +1035,12 @@ index 2a2b5d7568..891796f19b 100644
|
|
|
|
|
+ }
|
|
|
|
|
ps("SSLContext", "TLS",
|
|
|
|
|
"sun.security.ssl.SSLContextImpl$TLSContext",
|
|
|
|
|
(isfips? null : List.of("SSL")), null);
|
|
|
|
|
(isfips? null : createAliases("SSL")), null);
|
|
|
|
|
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
|
|
|
|
|
index c0eed3f884..b03bd9f896 100644
|
|
|
|
|
index 097517926d1..474fe6f401f 100644
|
|
|
|
|
--- a/src/java.base/share/conf/security/java.security
|
|
|
|
|
+++ b/src/java.base/share/conf/security/java.security
|
|
|
|
|
@@ -88,6 +88,14 @@ security.provider.tbd=Apple
|
|
|
|
|
@@ -85,6 +85,14 @@ security.provider.tbd=Apple
|
|
|
|
|
security.provider.tbd=SunPKCS11
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
@ -1061,7 +1055,7 @@ index c0eed3f884..b03bd9f896 100644
|
|
|
|
|
#
|
|
|
|
|
# A list of preferred providers for specific algorithms. These providers will
|
|
|
|
|
# be searched for matching algorithms before the list of registered providers.
|
|
|
|
|
@@ -301,6 +309,11 @@ policy.ignoreIdentityScope=false
|
|
|
|
|
@@ -298,6 +306,11 @@ policy.ignoreIdentityScope=false
|
|
|
|
|
#
|
|
|
|
|
keystore.type=pkcs12
|
|
|
|
|
|
|
|
|
@ -1073,7 +1067,7 @@ index c0eed3f884..b03bd9f896 100644
|
|
|
|
|
#
|
|
|
|
|
# Controls compatibility mode for JKS and PKCS12 keystore types.
|
|
|
|
|
#
|
|
|
|
|
@@ -338,6 +351,13 @@ package.definition=sun.misc.,\
|
|
|
|
|
@@ -335,6 +348,13 @@ package.definition=sun.misc.,\
|
|
|
|
|
#
|
|
|
|
|
security.overridePropertiesFile=true
|
|
|
|
|
|
|
|
|
@ -1089,7 +1083,7 @@ index c0eed3f884..b03bd9f896 100644
|
|
|
|
|
# the javax.net.ssl package.
|
|
|
|
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
|
|
|
|
new file mode 100644
|
|
|
|
|
index 0000000000..b848a1fd78
|
|
|
|
|
index 00000000000..b848a1fd783
|
|
|
|
|
--- /dev/null
|
|
|
|
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
|
|
|
|
|
@@ -0,0 +1,290 @@
|
|
|
|
@ -1384,7 +1378,7 @@ index 0000000000..b848a1fd78
|
|
|
|
|
+ }
|
|
|
|
|
+}
|
|
|
|
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
|
|
|
|
index ffbd671246..bdaad67e06 100644
|
|
|
|
|
index 099caac605f..977e5332bd1 100644
|
|
|
|
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
|
|
|
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
|
|
|
|
@@ -26,6 +26,9 @@
|
|
|
|
@ -1406,7 +1400,7 @@ index ffbd671246..bdaad67e06 100644
|
|
|
|
|
import sun.security.util.Debug;
|
|
|
|
|
import sun.security.util.ResourcesMgr;
|
|
|
|
|
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
|
|
|
|
@@ -61,6 +66,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
|
|
|
|
@@ -60,6 +65,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
|
|
|
|
*/
|
|
|
|
|
public final class SunPKCS11 extends AuthProvider {
|
|
|
|
|
|
|
|
|
@ -1436,7 +1430,7 @@ index ffbd671246..bdaad67e06 100644
|
|
|
|
|
private static final long serialVersionUID = -1354835039035306505L;
|
|
|
|
|
|
|
|
|
|
static final Debug debug = Debug.getInstance("sunpkcs11");
|
|
|
|
|
@@ -318,10 +346,15 @@ public final class SunPKCS11 extends AuthProvider {
|
|
|
|
|
@@ -317,10 +345,15 @@ public final class SunPKCS11 extends AuthProvider {
|
|
|
|
|
// request multithreaded access first
|
|
|
|
|
initArgs.flags = CKF_OS_LOCKING_OK;
|
|
|
|
|
PKCS11 tmpPKCS11;
|
|
|
|
@ -1453,7 +1447,7 @@ index ffbd671246..bdaad67e06 100644
|
|
|
|
|
} catch (PKCS11Exception e) {
|
|
|
|
|
if (debug != null) {
|
|
|
|
|
debug.println("Multi-threaded initialization failed: " + e);
|
|
|
|
|
@@ -337,7 +370,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|
|
|
|
@@ -336,7 +369,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|
|
|
|
initArgs.flags = 0;
|
|
|
|
|
}
|
|
|
|
|
tmpPKCS11 = PKCS11.getInstance(library,
|
|
|
|
@ -1462,7 +1456,7 @@ index ffbd671246..bdaad67e06 100644
|
|
|
|
|
}
|
|
|
|
|
p11 = tmpPKCS11;
|
|
|
|
|
|
|
|
|
|
@@ -377,6 +410,24 @@ public final class SunPKCS11 extends AuthProvider {
|
|
|
|
|
@@ -376,6 +409,24 @@ public final class SunPKCS11 extends AuthProvider {
|
|
|
|
|
if (nssModule != null) {
|
|
|
|
|
nssModule.setProvider(this);
|
|
|
|
|
}
|
|
|
|
@ -1488,7 +1482,7 @@ index ffbd671246..bdaad67e06 100644
|
|
|
|
|
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
|
|
|
|
|
throw new UnsupportedOperationException
|
|
|
|
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
|
|
|
|
index 04a369f453..f033fe4759 100644
|
|
|
|
|
index 04a369f453c..f033fe47593 100644
|
|
|
|
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
|
|
|
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
|
|
|
|
@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
|