From ed16d53ae5298a9c4f2976cbc31de7162002e358 Mon Sep 17 00:00:00 2001 From: Alex Kashchenko Date: Aug 31 2021 18:45:16 +0000 Subject: 8u302 update --- diff --git a/.gitignore b/.gitignore index adef725..9b758c0 100644 --- a/.gitignore +++ b/.gitignore @@ -26,3 +26,4 @@ /aarch32-port-jdk8u-jdk8u275-ga-aarch32-20201109-4curve.tar.xz /aarch32-port-jdk8u-jdk8u282-ga-aarch32-20210125-4curve.tar.xz /aarch32-port-jdk8u-jdk8u292-ga-aarch32-20210423-4curve.tar.xz +/aarch32-port-jdk8u-jdk8u302-ga-aarch32-20210726-4curve.tar.xz diff --git a/java-1.8.0-openjdk-aarch32.spec b/java-1.8.0-openjdk-aarch32.spec index 32ac58b..b433fe2 100644 --- a/java-1.8.0-openjdk-aarch32.spec +++ b/java-1.8.0-openjdk-aarch32.spec @@ -138,10 +138,8 @@ %global bootstrap_build 1 # If you disable both builds, then the build fails -# Note that the debug build requires the normal build for docs -%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build} -# Test slowdebug first as it provides the best diagnostics -%global rev_build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %global bootstrap_targets images %global release_targets images docs-zip @@ -296,11 +294,11 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project aarch64-port %global shenandoah_repo jdk8u-shenandoah -%global shenandoah_revision aarch64-shenandoah-jdk8u292-b10 +%global shenandoah_revision aarch64-shenandoah-jdk8u302-b08 # Define old aarch64/jdk8u tree variables for compatibility %global project aarch32-port %global repo jdk8u -%global revision jdk8u292-ga-aarch32-20210423 +%global revision jdk8u302-ga-aarch32-20210726 # e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04 
@@ -760,7 +758,9 @@ exit 0 %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/policytool-%{uniquesuffix -- %{?1}}.1* %{_jvmdir}/%{jredir -- %{?1}}/lib/security/nss.cfg +%{_jvmdir}/%{jredir -- %{?1}}/lib/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/nss.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/nss.fips.cfg %ifarch %{share_arches} %attr(444, root, root) %ghost %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/server/classes.jsa %attr(444, root, root) %ghost %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/client/classes.jsa @@ -1153,6 +1153,8 @@ Requires: copy-jdk-configs >= 3.3 OrderWithRequires: copy-jdk-configs # for printing support Requires: cups-libs +# for FIPS PKCS11 provider +Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives @@ -1277,7 +1279,7 @@ URL: http://openjdk.java.net/ # FILE_NAME_ROOT=%%{shenandoah_project}-%%{shenandoah_repo}-${VERSION} # REPO_ROOT= generate_source_tarball.sh # where the source is obtained from http://hg.openjdk.java.net/%%{project}/%%{repo} -Source0: %{project}-%{repo}-jdk8u292-ga-aarch32-20210423-4curve.tar.xz +Source0: %{project}-%{repo}-jdk8u302-ga-aarch32-20210726-4curve.tar.xz # Custom README for -src subpackage Source2: README.md @@ -1309,14 +1311,18 @@ Source14: TestECDSA.java # Verify system crypto (policy) can be disabled via a property Source15: TestSecurityProperties.java +# Ensure vendor settings are correct +Source16: CheckVendor.java + +# nss fips configuration file +Source17: nss.fips.cfg.in + Source20: repackReproduciblePolycies.sh # New versions of config files with aarch64 support. This is not upstream yet. Source100: config.guess Source101: config.sub -# Ensure vendor settings are correct -Source16: CheckVendor.java ############################################ # 
@@ -1332,6 +1338,18 @@ Patch534: rh1648246-always_instruct_vm_to_assume_multiple_processors_are_availab # RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY Patch1003: rh1582504-rsa_default_for_keytool.patch +# FIPS support patches +# RH1648249: Add PKCS11 provider to java.security +Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +Patch1001: rh1655466-global_crypto_and_fips.patch +# RH1760838: No ciphersuites available for SSLSocket in FIPS mode +Patch1002: rh1760838-fips_default_keystore_type.patch +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch +# RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess +Patch1005: rh1906862-always_initialise_configurator_access.patch + ############################################# # # Upstreamable patches @@ -1406,6 +1424,8 @@ Patch202: jdk8035341-allow_using_system_installed_libpng.patch # 8042159: Allow using a system-installed lcms2 Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch +# JDK-8195607, PR3776, RH1760437: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1 +Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch ############################################# # @@ -1444,7 +1464,6 @@ Patch201: jdk8043805-allow_using_system_installed_libjpeg.patch # This section includes patches to code other # that from OpenJDK. ############################################# -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch ############################################# # 
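Review bot: `Patch1005: rh1906862-always_initialise_configurator_access.patch` is declared in the new FIPS block and applied in %prep, but no file of that name is added in the visible part of this diff; unless it already exists in the repository or is added further down, %prep will stop on the missing patch. The pre-existing `Patch1003:` line now sits above the `# FIPS support patches` group, so the declaration order reads 1003, 1000, 1001, 1002, 1004, 1005 while %prep applies them in numeric order; moving `Patch1003: rh1582504-rsa_default_for_keytool.patch` below `Patch1005:` keeps the two orders the same. Patch580 is placed in the Upstreamable section beside the Patch20x entries with no hint why it carries a 5xx number; a short comment such as `# numbered to match the mainline package` (if that is the reason) would spare the next maintainer a search.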
@@ -1509,6 +1528,15 @@ BuildRequires: systemtap-sdt-devel ExclusiveArch: %{arm} +# Fix upgrade path after removal of accessibility subpackage +# on commit 0c79c1451ef42c540682fb75329a92bb110609e7 +# As main accessibility was requiring main package, main package now have to +# obsolete java-1.8.0-openjdk-accessibility-{release, slowdebug, fastdebug} < 1:1.8.0.292.b06 +# otherwise update fails +#Obsoletes: java-1.8.0-openjdk-accessibility < 1:1.8.0.292.b06 +#Obsoletes: java-1.8.0-openjdk-accessibility-slowdebug < 1:1.8.0.292.b06 +#Obsoletes: java-1.8.0-openjdk-accessibility-fastdebug < 1:1.8.0.292.b06 + %description A preview release of the upstream OpenJDK AArch32 porting project. The OpenJDK runtime environment. @@ -1839,12 +1867,17 @@ sh %{SOURCE12} #%patch574 %patch111 %patch112 +%patch580 # RPM-only fixes %patch539 %patch600 %patch1000 +%patch1001 +%patch1002 %patch1003 +%patch1004 +%patch1005 # RHEL-only patches %if ! 0%{?fedora} && 0%{?rhel} <= 7 @@ -1903,6 +1936,9 @@ done # Setup nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg +# Setup nss.fips.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg +sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build # How many CPU's do we have? @@ -2044,6 +2080,9 @@ export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg $JAVA_HOME/jre/lib/security/ +# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) +install -m 644 nss.fips.cfg $JAVA_HOME/jre/lib/security/ + # Use system-wide tzdata rm $JAVA_HOME/jre/lib/tzdb.dat ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/jre/lib/tzdb.dat @@ -2060,7 +2099,7 @@ done %check # We test debug first as it will give better diagnostics on a crash -for suffix in %{rev_build_loop} ; do +for suffix in %{build_loop} ; do export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} 
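Review bot: In the `# Setup nss.fips.cfg` hunk the second substitution hard-codes `/etc/pki/nssdb`, whereas the first one takes its value from the `%{NSS_LIBDIR}` macro; defining a macro for the FIPS module database next to NSS_LIBDIR (say `%global NSS_SECMOD /etc/pki/nssdb`, name constructed here) and doing both replacements in one pass, `sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" -e "s:@NSS_SECMOD@:%{NSS_SECMOD}:g" %{SOURCE17} > nss.fips.cfg`, keeps the location in one place and drops the in-place second invocation. The `#Obsoletes:` block added before %description names java-1.8.0-openjdk-accessibility and a mainline commit, neither of which matches this package (java-1.8.0-openjdk-aarch32); if it was only carried over by the mainline sync it is dead text here and worth dropping or rewording so nobody reads it as an intended upgrade path. The remaining hunks on this line (patch application order, install of nss.fips.cfg, the %check loop switching to `%{build_loop}`) look consistent with the new build_loop definition.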
@@ -2400,7 +2439,7 @@ touch -t 201401010000 $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir -- $suffix}/lib/securi # moving config files to /etc mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib/security/policy/unlimited/ mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib/security/policy/limited/ -for file in lib/security/cacerts lib/security/policy/unlimited/US_export_policy.jar lib/security/policy/unlimited/local_policy.jar lib/security/policy/limited/US_export_policy.jar lib/security/policy/limited/local_policy.jar lib/security/java.policy lib/security/java.security lib/security/blacklisted.certs lib/logging.properties lib/calendars.properties lib/security/nss.cfg lib/net.properties ; do +for file in lib/security/cacerts lib/security/policy/unlimited/US_export_policy.jar lib/security/policy/unlimited/local_policy.jar lib/security/policy/limited/US_export_policy.jar lib/security/policy/limited/local_policy.jar lib/security/java.policy lib/security/java.security lib/security/blacklisted.certs lib/logging.properties lib/calendars.properties lib/security/nss.cfg lib/security/nss.fips.cfg lib/net.properties ; do mv $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir -- $suffix}/$file $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/$file ln -sf %{etcjavadir -- $suffix}/$file $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir -- $suffix}/$file done @@ -2426,7 +2465,13 @@ done -- whether copy-jdk-configs is installed or not. If so, then configs are copied -- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all local posix = require "posix" -local debug = false + +if (os.getenv("debug") == "true") then + debug = true; + print("cjc: in spec debug is on") +else + debug = false; +end SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua" SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua" 
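Review bot: The replacement for `local debug = false` assigns to the global `debug`, which in Lua is also the name of the standard debug library table; as far as I know rpm runs all Lua scriptlets of a transaction in one shared interpreter state, so `debug = true` both leaks this flag out of the scriptlet and, if that library is loaded, shadows it for every later scriptlet. Keeping it local and dropping the stray semicolons avoids both: `local debug = (os.getenv("debug") == "true")` followed by `if debug then print("cjc: in spec debug is on") end`. The same global-scope point applies to `cjc` and `args` in the -2454 hunk on the next line (`local cjc = require "copy_jdk_configs.lua"`, `local args = {...}`); `arg = nil` there is deliberate per its comment and is the one global assignment that has to stay. The scriptlet body this hunk belongs to starts and ends outside the hunk.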
@@ -2454,9 +2499,10 @@ else return end end --- run content of included file with fake args -arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} -require "copy_jdk_configs.lua" +arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" +cjc = require "copy_jdk_configs.lua" +args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} +cjc.mainProgram(args) %post %{post_script %{nil}} @@ -2634,6 +2680,10 @@ require "copy_jdk_configs.lua" %endif %changelog +* Tue Aug 31 2021 Alex Kashchenko - 1:1.8.0.302.b08-1 +- update sources to 8u302 +- sync with mainline package + * Thu Jul 22 2021 Fedora Release Engineering - 1:1.8.0.292.b10-1.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild diff --git a/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch b/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch new file mode 100644 index 0000000..ddab642 --- /dev/null +++ b/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch 
@@ -0,0 +1,125 @@ +# HG changeset patch +# User mbalao +# Date 1529971845 -28800 +# Tue Jun 26 08:10:45 2018 +0800 +# Node ID e9c20b7250cd98d16a67f2a30b34284c2caa01dc +# Parent 9f1aa2e38d90dd60522237d7414af6bdcf03c4ff +8195607, PR3776: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1 +Reviewed-by: valeriep, weijun + +diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java +--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java +@@ -197,7 +197,7 @@ + + if (configDir != null) { + String configDirPath = null; +- String sqlPrefix = "sql:/"; ++ String sqlPrefix = "sql:"; + if (!configDir.startsWith(sqlPrefix)) { + configDirPath = configDir; + } else { +diff --git openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c +--- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c ++++ openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c +@@ -69,9 +69,14 @@ + int res = 0; + FPTR_Initialize initialize = + (FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize"); ++ #ifdef SECMOD_DEBUG ++ FPTR_GetError getError = ++ (FPTR_GetError)findFunction(env, jHandle, "PORT_GetError"); ++ #endif // SECMOD_DEBUG + unsigned int flags = 0x00; + const char *configDir = NULL; + const char *functionName = NULL; ++ const char *configFile = NULL; + + /* If we cannot initialize, exit now */ + if (initialize == NULL) { +@@ -97,13 +102,18 @@ + flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag + } + ++ configFile = "secmod.db"; ++ if (configDir != NULL && strncmp("sql:", configDir, 4U) == 0) { ++ configFile = "pkcs11.txt"; ++ } ++ + /* + * If the NSS_Init function is requested then call NSS_Initialize to + * open the Cert, Key and Security Module databases, read only. 
+ */ + if (strcmp("NSS_Init", functionName) == 0) { + flags = flags | 0x01; // NSS_INIT_READONLY flag +- res = initialize(configDir, "", "", "secmod.db", flags); ++ res = initialize(configDir, "", "", configFile, flags); + + /* + * If the NSS_InitReadWrite function is requested then call +@@ -111,7 +121,7 @@ + * read/write. + */ + } else if (strcmp("NSS_InitReadWrite", functionName) == 0) { +- res = initialize(configDir, "", "", "secmod.db", flags); ++ res = initialize(configDir, "", "", configFile, flags); + + /* + * If the NSS_NoDB_Init function is requested then call +@@ -137,6 +147,13 @@ + (*env)->ReleaseStringUTFChars(env, jConfigDir, configDir); + } + dprintf1("-res: %d\n", res); ++ #ifdef SECMOD_DEBUG ++ if (res == -1) { ++ if (getError != NULL) { ++ dprintf1("-NSS error: %d\n", getError()); ++ } ++ } ++ #endif // SECMOD_DEBUG + + return (res == 0) ? JNI_TRUE : JNI_FALSE; + } +diff --git openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h +--- openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h ++++ openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h +@@ -34,6 +34,10 @@ + const char *certPrefix, const char *keyPrefix, + const char *secmodName, unsigned int flags); + ++#ifdef SECMOD_DEBUG ++typedef int (*FPTR_GetError)(void); ++#endif //SECMOD_DEBUG ++ + // in secmod.h + //extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent, + // PRBool recurse); +diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt +@@ -0,0 +1,4 @@ ++library= ++name=NSS Internal PKCS #11 Module ++parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
++NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) +diff --git openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java +--- openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java ++++ openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java +@@ -55,7 +55,7 @@ + + DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb"; + if (useSqlite) { +- System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR); ++ System.setProperty("pkcs11test.nss.db", "sql:" + DBDIR); + } else { + System.setProperty("pkcs11test.nss.db", DBDIR); + } +@@ -67,6 +67,7 @@ + if (useSqlite) { + copyFile("key4.db", BASE, DBDIR); + copyFile("cert9.db", BASE, DBDIR); ++ copyFile("pkcs11.txt", BASE, DBDIR); + } else { + copyFile("secmod.db", BASE, DBDIR); + copyFile("key3.db", BASE, DBDIR); diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in new file mode 100644 index 0000000..ead27be --- /dev/null +++ b/nss.fips.cfg.in @@ -0,0 +1,6 @@ +name = NSS-FIPS +nssLibraryDirectory = @NSS_LIBDIR@ +nssSecmodDirectory = @NSS_SECMOD@ +nssDbMode = readOnly +nssModule = fips + diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch new file mode 100644 index 0000000..58d77b3 --- /dev/null +++ b/rh1655466-global_crypto_and_fips.patch 
@@ -0,0 +1,208 @@ +diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java +--- openjdk.orig/jdk/src/share/classes/java/security/Security.java ++++ openjdk/jdk/src/share/classes/java/security/Security.java +@@ -191,27 +191,7 @@ + if (disableSystemProps == null && + "true".equalsIgnoreCase(props.getProperty + ("security.useSystemPropertiesFile"))) { +- +- // now load the system file, if it exists, so its values +- // will win if they conflict with the earlier values +- try (BufferedInputStream bis = +- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { +- props.load(bis); +- loadedProps = true; +- +- if (sdebug != null) { +- sdebug.println("reading system security properties file " + +- SYSTEM_PROPERTIES); +- sdebug.println(props.toString()); +- } +- } catch (IOException e) { +- if (sdebug != null) { +- sdebug.println +- ("unable to load security properties from " + +- SYSTEM_PROPERTIES); +- e.printStackTrace(); +- } +- } ++ loadedProps = loadedProps && SystemConfigurator.configure(props); + } + + if (!loadedProps) { +diff --git a/src/share/classes/javopenjdk.orig/jdk/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,153 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.nio.file.Files; ++import java.nio.file.FileSystems; ++import java.nio.file.Path; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++import java.util.function.Consumer; ++import java.util.regex.Matcher; ++import java.util.regex.Pattern; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. 
++ * ++ */ ++ ++class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static final String CRYPTO_POLICIES_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/config"; ++ ++ private static final class SecurityProviderInfo { ++ int number; ++ String key; ++ String value; ++ SecurityProviderInfo(int number, String key, String value) { ++ this.number = number; ++ this.key = key; ++ this.value = value; ++ } ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configure(Properties props) { ++ boolean loadedProps = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ loadedProps = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ loadedProps = false; ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) 
props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ loadedProps = true; ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /* ++ * FIPS is enabled only if crypto-policies are set to "FIPS" ++ * and the com.redhat.fips property is true. ++ */ ++ private static boolean enableFips() throws Exception { ++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (fipsEnabled) { ++ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG); ++ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath)); ++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } ++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); ++ return pattern.matcher(cryptoPoliciesConfig).find(); ++ } else { ++ return false; ++ } ++ } ++} +diff --git openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux +--- openjdk.orig/jdk/src/share/lib/security/java.security-linux ++++ openjdk/jdk/src/share/lib/security/java.security-linux +@@ -77,6 +77,14 @@ + #security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg + + # ++# Security providers used when global crypto-policies are set to FIPS. ++# ++fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg ++fips.provider.2=sun.security.provider.Sun ++fips.provider.3=sun.security.ec.SunEC ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++ ++# + # Sun Provider SecureRandom seed source. + # + # Select the primary source of seed data for the "SHA1PRNG" and 
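Review bot: In `configure()` the loop that removes every `security.provider.*` entry runs before anything checks that a `fips.provider.1` key exists, so a system whose java.config did not load, or whose java.security lacks the `fips.provider.*` keys, ends up with an empty provider list while the method still reports `loadedProps = true`. Adding after the `for` loop `if (n == 1) { throw new IllegalStateException("FIPS mode detected but no fips.provider.* entries configured"); }` routes that case through the existing `catch (Exception e)` branch, which leaves `loadedProps` at the `false` set just before the removal and lets the caller fall back. In `enableFips()` the `^FIPS$` match only recognises a bare `FIPS` line in /etc/crypto-policies/config, so, if I read crypto-policies correctly, a subpolicy form such as `FIPS:OSPP` would not be detected, and `new String(Files.readAllBytes(configPath))` decodes with the platform charset rather than an explicit `StandardCharsets.UTF_8`; both are carried verbatim into the rh1860986 patch further down. The `Iterator> i` and `Entry e` declarations look like they lost their generic type arguments in this rendering rather than in the patch file itself, but that is worth confirming against the committed file.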
diff --git a/rh1760838-fips_default_keystore_type.patch b/rh1760838-fips_default_keystore_type.patch new file mode 100644 index 0000000..bedc8ea --- /dev/null +++ b/rh1760838-fips_default_keystore_type.patch 
@@ -0,0 +1,52 @@ +diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300 +@@ -123,6 +123,33 @@ + } + props.put(fipsProviderKey, fipsProviderValue); + } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } + loadedProps = true; + } + } catch (Exception e) { +diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux +--- openjdk.orig/jdk/src/share/lib/security/java.security-linux Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/jdk/src/share/lib/security/java.security-linux Mon Mar 02 19:20:17 2020 -0300 +@@ -179,6 +179,11 @@ + keystore.type=jks + + # ++# Default keystore type used when global crypto-policies are set to FIPS. 
++# ++fips.keystore.type=PKCS11 ++ ++# + # Controls compatibility mode for the JKS keystore type. + # + # When set to 'true', the JKS keystore type supports loading diff --git a/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/rh1860986-disable_tlsv1.3_in_fips_mode.patch new file mode 100644 index 0000000..91e3705 --- /dev/null +++ b/rh1860986-disable_tlsv1.3_in_fips_mode.patch 
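Review bot: In the new keystore block `nonFipsKeystoreType` comes straight from `props.getProperty("keystore.type")` and is handed to `System.setProperty("javax.net.ssl.trustStoreType", nonFipsKeystoreType)`; if `keystore.type` is absent from the loaded properties that value is null, `System.setProperty` throws NullPointerException, and the surrounding `catch (Exception e)` turns it into a silent failure after the provider list has already been rewritten (per the rh1655466 patch above). Guarding the branch with `if (nonFipsKeystoreType != null && System.getProperty("javax.net.ssl.trustStoreType") == null)` (or defaulting to the `jks` value that java.security-linux ships) avoids that. Setting `javax.net.ssl.keyStore` to `NONE` unconditionally also discards any value the user passed on the command line; a comment such as `// An explicit -Djavax.net.ssl.keyStore is overridden in FIPS mode` next to that line would make the behaviour visible to readers who do not enable the debug output. The enclosing `configure()` method starts and ends outside this hunk.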
@@ -0,0 +1,327 @@ +diff -r bbc65dfa59d1 src/share/classes/java/security/SystemConfigurator.java +--- openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300 +@@ -1,11 +1,13 @@ + /* +- * Copyright (c) 2019, Red Hat, Inc. ++ * Copyright (c) 2019, 2020, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as +- * published by the Free Software Foundation. ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +@@ -34,10 +36,10 @@ + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.function.Consumer; +-import java.util.regex.Matcher; + import java.util.regex.Pattern; + ++import sun.misc.SharedSecrets; ++import sun.misc.JavaSecuritySystemConfiguratorAccess; + import sun.security.util.Debug; + + /** +@@ -47,7 +49,7 @@ + * + */ + +-class SystemConfigurator { ++final class SystemConfigurator { + + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -61,15 +63,16 @@ + private static final String CRYPTO_POLICIES_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/config"; + +- private static final class SecurityProviderInfo { +- int number; +- String key; +- String value; +- SecurityProviderInfo(int number, String key, String value) { +- this.number = number; +- this.key = key; +- this.value = value; +- } ++ private static boolean systemFipsEnabled = false; ++ ++ static { ++ 
SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); + } + + /* +@@ -128,9 +131,9 @@ + String nonFipsKeystoreType = props.getProperty("keystore.type"); + props.put("keystore.type", keystoreTypeValue); + if (keystoreTypeValue.equals("PKCS11")) { +- // If keystore.type is PKCS11, javax.net.ssl.keyStore +- // must be "NONE". See JDK-8238264. +- System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); + } + if (System.getProperty("javax.net.ssl.trustStoreType") == null) { + // If no trustStoreType has been set, use the +@@ -144,12 +147,13 @@ + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + +- System.getProperty("javax.net.ssl.keyStore", "")); ++ System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } + } + loadedProps = true; ++ systemFipsEnabled = true; + } + } catch (Exception e) { + if (sdebug != null) { +@@ -165,20 +165,37 @@ + return loadedProps; + } + ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. 
++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ + /* + * FIPS is enabled only if crypto-policies are set to "FIPS" + * and the com.redhat.fips property is true. + */ + private static boolean enableFips() throws Exception { +- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); +- if (fipsEnabled) { +- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG); +- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath)); +- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } +- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +- return pattern.matcher(cryptoPoliciesConfig).find(); +- } else { +- return false; +- } ++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (shouldEnable) { ++ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG); ++ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath)); ++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } ++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); ++ return pattern.matcher(cryptoPoliciesConfig).find(); ++ } else { ++ return false; ++ } + } + } +diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,30 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. 
Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.misc; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++} +diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java +--- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java ++++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java +@@ -63,6 +63,7 @@ + private static JavaObjectInputStreamReadString javaObjectInputStreamReadString; + private static JavaObjectInputStreamAccess javaObjectInputStreamAccess; + private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static JavaUtilJarAccess javaUtilJarAccess() { + if (javaUtilJarAccess == null) { +@@ -248,4 +249,12 @@ + } + return javaxCryptoSealedObjectAccess; + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static 
JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java +--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java ++++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java +@@ -31,6 +31,7 @@ + import java.security.cert.*; + import java.util.*; + import javax.net.ssl.*; ++import sun.misc.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -539,20 +540,38 @@ + + static { + if (SunJSSE.isFIPS()) { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- ); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. 
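Review bot: `getJavaSecuritySystemConfiguratorAccess()` returns the field as-is, so it yields null until something has called the setter, whereas the existing accessors in this class (see `javaUtilJarAccess()` in the preceding hunk) guard with `if (field == null)` and force the owning class to initialise before returning. The callers added in SSLContextImpl and SunJSSE chain `.isSystemFipsEnabled()` directly onto the result, so a null here surfaces as a NullPointerException inside a static initializer. The rh1906862 patch later in this commit moves registration into `java.security.Security`'s static block, which narrows the window but still relies on `Security` having been loaded before any JSSE class. Following the class's own pattern, `if (javaSecuritySystemConfiguratorAccess == null) { unsafe.ensureClassInitialized(java.security.Security.class); }` before the return, would make the getter self-sufficient; confirm that `unsafe` is the field the sibling accessors use, as it is not visible in this hunk.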
++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); + +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, +@@ -612,6 +631,16 @@ + + static ProtocolVersion[] getSupportedProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +@@ -939,6 +968,16 @@ + + static ProtocolVersion[] getProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. 
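Review bot: The system-FIPS protocol list (`TLS12, TLS11, TLS10`) and the four-line RH1860986 comment are written out separately here and again in the `getSupportedProtocols` hunk, the `getProtocols` hunk and the SunJSSE hunk, each preceded by the same `SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled()` call. Five copies of one rule make it easy for the sites to drift apart when the TLS 1.3 restriction is eventually lifted. A package-private helper, `static boolean isSystemFipsEnabled() { return SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); }` carrying the RH1860986 rationale in its Javadoc, plus one `ProtocolVersion[]` constant for the FIPS-without-TLS13 list, would keep them in step. The enclosing `static` block continues past the end of this hunk.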
++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[]{ + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, +diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java +--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java ++++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java +@@ -30,6 +30,8 @@ + + import java.security.*; + ++import sun.misc.SharedSecrets; ++ + /** + * The JSSE provider. + * +@@ -215,8 +217,13 @@ + "sun.security.ssl.SSLContextImpl$TLS11Context"); + put("SSLContext.TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context"); +- put("SSLContext.TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context"); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ put("SSLContext.TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context"); ++ } + put("SSLContext.TLS", + "sun.security.ssl.SSLContextImpl$TLSContext"); + if (isfips == false) { diff --git a/rh1906862-always_initialise_configurator_access.patch b/rh1906862-always_initialise_configurator_access.patch new file mode 100644 index 0000000..82116ad --- /dev/null +++ b/rh1906862-always_initialise_configurator_access.patch 
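Review bot: The system-FIPS branch added in the `getProtocols()` hunk at `@@ -939` returns `TLS12, TLS11, TLS10`, and the pre-existing FIPS return immediately after it already begins `TLS12, TLS11,` (its final element lies past the hunk). If that existing list ends in `TLS10`, the new branch duplicates the code it precedes and only adds a SharedSecrets lookup; it could be dropped, or the existing return adjusted if a different list was intended. Either way a one-line comment would help, e.g. `// System FIPS and plain FIPS agree for this context: TLS 1.3 is not offered by either`, since the RH1860986 comment otherwise implies a difference the code may not have.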
@@ -0,0 +1,65 @@ +# HG changeset patch +# User andrew +# Date 1608219816 0 +# Thu Dec 17 15:43:36 2020 +0000 +# Node ID db5d1b28bfce04352b3a48960bf836f6eb20804b +# Parent a2cfa397150e99b813354226d536eb8509b5850b +RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess + +diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java +--- openjdk.orig/jdk/src/share/classes/java/security/Security.java ++++ openjdk/jdk/src/share/classes/java/security/Security.java +@@ -30,6 +30,8 @@ + import java.util.concurrent.ConcurrentHashMap; + import java.io.*; + import java.net.URL; ++import sun.misc.SharedSecrets; ++import sun.misc.JavaSecuritySystemConfiguratorAccess; + import sun.security.util.Debug; + import sun.security.util.PropertyExpander; + +@@ -69,6 +71,15 @@ + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. 
+ // (the FileInputStream call and the File.exists call, +diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java ++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java +@@ -39,8 +39,6 @@ + import java.util.Properties; + import java.util.regex.Pattern; + +-import sun.misc.SharedSecrets; +-import sun.misc.JavaSecuritySystemConfiguratorAccess; + import sun.security.util.Debug; + + /** +@@ -66,16 +64,6 @@ + + private static boolean systemFipsEnabled = false; + +- static { +- SharedSecrets.setJavaSecuritySystemConfiguratorAccess( +- new JavaSecuritySystemConfiguratorAccess() { +- @Override +- public boolean isSystemFipsEnabled() { +- return SystemConfigurator.isSystemFipsEnabled(); +- } +- }); +- } +- + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and diff --git a/sources b/sources index effc7d2..283d3ba 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (aarch32-port-jdk8u-jdk8u292-ga-aarch32-20210423-4curve.tar.xz) = a6a3bb82f11e5efd5a1779479b10c81d75fd26887551c58f755ba6563855673aab9f46dbafe728ea44bee676734d125bfeccb42737a6ce4ec493de37ff670204 +SHA512 (aarch32-port-jdk8u-jdk8u302-ga-aarch32-20210726-4curve.tar.xz) = c72362b61fb7121da4480a59381a40d92834c29097915f9aefb8e231011747e38be9bd34e2e20489134c7de140602e7cd59e24ca0c5f1456e910dc25f44e12dc SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671
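Review bot: After this patch the only path by which `isSystemFipsEnabled()` becomes true is `SystemConfigurator`, which per the comment retained in its hunk runs only when `java.security.disableSystemPropertiesFile` is not set; with that property set, `systemFipsEnabled` keeps its default `false` and the anonymous accessor registered in `Security`'s static initializer reports "not FIPS", so the TLSv1.3 registrations gated on it elsewhere in this commit are enabled on a FIPS host. That fail-open behaviour may be intended, since the new comment says the accessor is "used by code with system properties disabled", but the consequence is not written down. Suggest extending the comment to `// Initialise here as used by code with system properties disabled; in that case SystemConfigurator never runs, so isSystemFipsEnabled() stays false and the JDK behaves as non-FIPS.` The `static` block in Security.java continues past the end of the hunk.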