#64 Backported fedora changes - fips + July cpu
Closed 2 years ago by jvanek. Opened 2 years ago by jvanek.
Unknown source epel8  into  epel8

file modified
+2
@@ -16,3 +16,5 @@

  /jdk-updates-jdk15u-jdk-15.0.2+7.tar.xz

  /openjdk-jdk16-jdk-16+36.tar.xz

  /openjdk-jdk16u-jdk-16.0.1+9.tar.xz

+ /openjdk-jdk16u-jdk-16.0.2-ga.tar.xz

+ /openjdk-jdk16u-jdk-16.0.2+7.tar.xz

file modified
+4 -2
@@ -130,8 +130,10 @@

                  # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag

                  # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823)

  		echo "PR3823 not found. Downloading..."

- 		wget https://icedtea.classpath.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch

- 	        echo "Applying ${PWD}/pr3823.patch"

+ 		# wget https://icedtea.classpath.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch

+ 		# now using backup server... not sure when it will die...

+ 		wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch

+ 		echo "Applying ${PWD}/pr3823.patch"

  		patch -Np1 < pr3823.patch

  		rm pr3823.patch

  	    else
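Review bot: The new `wget` line fetches pr3823.patch from the moving `tip` of a mirror that the added comment itself describes as temporary, and the file goes straight into `patch -Np1` with no integrity check, so the content applied to the source tree can change between runs unnoticed. Fetch a fixed changeset instead of `tip` and verify the download against a checksum recorded in this script before applying it, for example `echo "<expected-sha256>  pr3823.patch" | sha256sum -c - || exit 1`. The exit status of `wget` is not checked in the visible lines either. The enclosing `if` starts outside the hunk, so an earlier `set -e` may already cover that.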

file modified
+54 -13
@@ -274,7 +274,7 @@

  # New Version-String scheme-style defines

  %global featurever 16

  %global interimver 0

- %global updatever 1

+ %global updatever 2

  %global patchver 0

  # If you bump featurever, you must bump also vendor_version_string

  # Used via new version scheme. JDK 16 was
@@ -297,8 +297,8 @@

  %global origin_nice     OpenJDK

  %global top_level_dir_name   %{origin}

  %global top_level_dir_name_backup %{top_level_dir_name}-backup

- %global buildver        9

- %global rpmrelease      3

+ %global buildver        7

+ %global rpmrelease      1

  # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit

  %if %is_system_jdk

  # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -754,8 +754,9 @@

  %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security

  %config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties

  %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg

+ %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg

  %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access

- # these are config templates, thus not config-noreplace

+ # this is conifg template, thus not config-noreplace

  %config  %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template

  %config  %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template

  %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties
@@ -976,6 +977,8 @@

  %endif

  # for printing support

  Requires: cups-libs

+ # for FIPS PKCS11 provider

+ Requires: nss

  # Post requires alternatives to install tool alternatives

  Requires(post):   %{alternatives_requires}

  # Postun requires alternatives to uninstall tool alternatives
@@ -1143,8 +1146,11 @@

  # Ensure ECDSA is working

  Source14: TestECDSA.java

  

+ # nss fips configuration file

+ Source15: nss.fips.cfg.in

+ 

  # Verify system crypto (policy) can be disabled via a property

- Source15: TestSecurityProperties.java

+ Source17: TestSecurityProperties.java

  

  ############################################

  #
@@ -1152,21 +1158,30 @@

  #

  ############################################

  

- # NSS via SunPKCS11 Provider (disabled comment

- # due to memory leak).

- Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch

- # enable build of speculative store bypass hardened alt-java

- Patch600: rh1750419-redhat_alt_java.patch

- 

  # Ignore AWTError when assistive technologies are loaded

  Patch1:    rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch

  # Restrict access to java-atk-wrapper classes

  Patch2:    rh1648644-java_access_bridge_privileged_security.patch

+ # NSS via SunPKCS11 Provider (disabled due to memory leak).

+ Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch

+ # enable build of speculative store bypass hardened alt-java

+ Patch600: rh1750419-redhat_alt_java.patch

  Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch

  # Follow system wide crypto policy RHBZ#1249083

  Patch4:    pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch

  # Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo

  Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch

+ Patch7: pr3695-toggle_system_crypto_policy.patch

+ 

+ # FIPS support patches

+ # RH1655466: Support RHEL FIPS mode using SunPKCS11 provider

+ Patch1001: rh1655466-global_crypto_and_fips.patch

+ # RH1818909: No ciphersuites availale for SSLSocket in FIPS mode

+ Patch1002: rh1818909-fips_default_keystore_type.patch

+ # RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available

+ Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch

+ # RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess

+ Patch1007: rh1915071-always_initialise_configurator_access.patch

  

  #############################################

  #
@@ -1523,10 +1538,15 @@

  %patch3 -p1

  %patch4 -p1

  %patch6 -p1

+ %patch7 -p1

  popd # openjdk

  

  %patch1000

  %patch600

+ %patch1001

+ %patch1002

+ %patch1004

+ %patch1007

  

  # Extract systemtap tapsets

  %if %{with_systemtap}
@@ -1575,6 +1595,9 @@

  # Setup nss.cfg

  sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg

  

+ # Setup nss.fips.cfg

+ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg

+ sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg

  

  %build

  # How many CPU's do we have?
@@ -1729,6 +1752,9 @@

  # Install nss.cfg right away as we will be using the JRE above

  install -m 644 nss.cfg $JAVA_HOME/conf/security/

  

+ # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)

+ install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/

+ 

  # Use system-wide tzdata

  rm $JAVA_HOME/lib/tzdb.dat

  ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat
@@ -1769,8 +1795,8 @@

  $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")

  

  # Check system crypto (policy) can be disabled

- $JAVA_HOME/bin/javac -d . %{SOURCE15}

- $JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") ||  echo "crypto policy are now not honored i jdk15"

+ $JAVA_HOME/bin/javac -d . %{SOURCE17}

+ $JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE17})|sed "s|\.java||") ||  echo "crypto policy are now not honored i jdk15"

  

  # Check java launcher has no SSB mitigation

  if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@@ -2229,10 +2255,25 @@

  %endif

  

  %changelog

+ * Fri Jul 23 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.2.0.7-1.rolling

+ - bumped to security update of 16.0.2-ga

+ 

+ * Tue Jun 29 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-5.rolling

+ - renamed source15 to source17 to match el8

+ - added fips support:

+ - added pr3695-toggle_system_crypto_policy.patch ; missing prerequisity

+ - removed rh1655466-global_crypto_and_fips.patch; jdk16 do not have default algorithm, it throws exception

+ - adapted rh1655466-global_crypto_and_fips.patch

+ - adapted rh1860986-disable_tlsv1.3_in_fips_mode.patch (?)

+ - adapted rh1915071-always_initialise_configurator_access.patch

+ 

  * Thu Jun 17 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:16.0.1.0.9-4.rolling

  - fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again

  - Resolves: rhbz#1971120

  

+ * Fri May 07 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-2.rolling

+ - removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction

+ 

  * Thu Apr 29 2021 Jiri Vanek <jvanek@redhat.com> -  1:16.0.1.0.9-2.rolling

  - adapted to debug handling  in newer cjc

  - The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution
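Review bot: The "Check system crypto (policy) can be disabled" step still ends in `|| echo "crypto policy are now not honored i jdk15"`, so a failing TestSecurityProperties run cannot fail the build. This commit adds `Patch7: pr3695-toggle_system_crypto_policy.patch`, which appears to provide the `-Djava.security.disableSystemPropertiesFile` switch that the test exercises, so the fallback should be dropped and the line should end after `$(echo $(basename %{SOURCE17})|sed "s|\.java||")`. The four FIPS patches come with no visible build-time check of the FIPS provider list; if that cannot run in the build root, say so next to the patch list, e.g. `# FIPS provider setup is not exercised at build time; verify on a FIPS-enabled host`. The Jun 29 changelog entry lists rh1655466-global_crypto_and_fips.patch as both removed and adapted and should be reworded.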

file added
+6
@@ -0,0 +1,6 @@

+ name = NSS-FIPS

+ nssLibraryDirectory = @NSS_LIBDIR@

+ nssSecmodDirectory = @NSS_SECMOD@

+ nssDbMode = readOnly

+ nssModule = fips

+ 

@@ -0,0 +1,78 @@

+ # HG changeset patch

+ # User andrew

+ # Date 1545198926 0

+ #      Wed Dec 19 05:55:26 2018 +0000

+ # Node ID f2cbd688824c128db7fa848c8732fb0ab3507776

+ # Parent  81f07f6d1f8b7b51b136d3974c61bc8bb513770c

+ PR3695: Allow use of system crypto policy to be disabled by the user

+ Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile

+ 

+ diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java

+ --- a/src/java.base/share/classes/java/security/Security.java

+ +++ b/src/java.base/share/classes/java/security/Security.java

+ @@ -125,31 +125,6 @@

+          }

+  

+          if ("true".equalsIgnoreCase(props.getProperty

+ -                ("security.useSystemPropertiesFile"))) {

+ -

+ -            // now load the system file, if it exists, so its values

+ -            // will win if they conflict with the earlier values

+ -            try (BufferedInputStream bis =

+ -                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {

+ -                props.load(bis);

+ -                loadedProps = true;

+ -

+ -                if (sdebug != null) {

+ -                    sdebug.println("reading system security properties file " +

+ -                                   SYSTEM_PROPERTIES);

+ -                    sdebug.println(props.toString());

+ -                }

+ -            } catch (IOException e) {

+ -                if (sdebug != null) {

+ -                    sdebug.println

+ -                        ("unable to load security properties from " +

+ -                         SYSTEM_PROPERTIES);

+ -                    e.printStackTrace();

+ -                }

+ -            }

+ -        }

+ -

+ -        if ("true".equalsIgnoreCase(props.getProperty

+                  ("security.overridePropertiesFile"))) {

+  

+              String extraPropFile = System.getProperty

+ @@ -215,6 +190,33 @@

+              }

+          }

+  

+ +        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");

+ +        if (disableSystemProps == null &&

+ +            "true".equalsIgnoreCase(props.getProperty

+ +                ("security.useSystemPropertiesFile"))) {

+ +

+ +            // now load the system file, if it exists, so its values

+ +            // will win if they conflict with the earlier values

+ +            try (BufferedInputStream bis =

+ +                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {

+ +                props.load(bis);

+ +                loadedProps = true;

+ +

+ +                if (sdebug != null) {

+ +                    sdebug.println("reading system security properties file " +

+ +                                   SYSTEM_PROPERTIES);

+ +                    sdebug.println(props.toString());

+ +                }

+ +            } catch (IOException e) {

+ +                if (sdebug != null) {

+ +                    sdebug.println

+ +                        ("unable to load security properties from " +

+ +                         SYSTEM_PROPERTIES);

+ +                    e.printStackTrace();

+ +                }

+ +            }

+ +        }

+ +

+          if (!loadedProps) {

+              initializeStatic();

+              if (sdebug != null) {
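Review bot: The added guard `disableSystemProps == null` tests only whether `java.security.disableSystemPropertiesFile` is present, so `-Djava.security.disableSystemPropertiesFile=false` also switches the system crypto policy off. Either compare the value, `if (!"true".equalsIgnoreCase(disableSystemProps) &&`, or state the presence-only semantics in a comment above the `System.getProperty` call, e.g. `// any value, including "false", disables the system properties file`. The enclosing block starts and ends outside the hunk.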

@@ -0,0 +1,205 @@

+ diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java

+ --- openjdk.orig/src/java.base/share/classes/java/security/Security.java

+ +++ openjdk/src/java.base/share/classes/java/security/Security.java

+ @@ -196,26 +196,8 @@

+          if (disableSystemProps == null &&

+              "true".equalsIgnoreCase(props.getProperty

+                  ("security.useSystemPropertiesFile"))) {

+ -

+ -            // now load the system file, if it exists, so its values

+ -            // will win if they conflict with the earlier values

+ -            try (BufferedInputStream bis =

+ -                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {

+ -                props.load(bis);

+ +            if (SystemConfigurator.configure(props)) {

+                  loadedProps = true;

+ -

+ -                if (sdebug != null) {

+ -                    sdebug.println("reading system security properties file " +

+ -                                   SYSTEM_PROPERTIES);

+ -                    sdebug.println(props.toString());

+ -                }

+ -            } catch (IOException e) {

+ -                if (sdebug != null) {

+ -                    sdebug.println

+ -                        ("unable to load security properties from " +

+ -                         SYSTEM_PROPERTIES);

+ -                    e.printStackTrace();

+ -                }

+              }

+          }

+  

+ diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java

+ new file mode 100644

+ --- /dev/null

+ +++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java

+ @@ -0,0 +1,151 @@

+ +/*

+ + * Copyright (c) 2019, Red Hat, Inc.

+ + *

+ + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

+ + *

+ + * This code is free software; you can redistribute it and/or modify it

+ + * under the terms of the GNU General Public License version 2 only, as

+ + * published by the Free Software Foundation.

+ + *

+ + * This code is distributed in the hope that it will be useful, but WITHOUT

+ + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

+ + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

+ + * version 2 for more details (a copy is included in the LICENSE file that

+ + * accompanied this code).

+ + *

+ + * You should have received a copy of the GNU General Public License version

+ + * 2 along with this work; if not, write to the Free Software Foundation,

+ + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

+ + *

+ + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

+ + * or visit www.oracle.com if you need additional information or have any

+ + * questions.

+ + */

+ +

+ +package java.security;

+ +

+ +import java.io.BufferedInputStream;

+ +import java.io.FileInputStream;

+ +import java.io.IOException;

+ +

+ +import java.nio.file.Files;

+ +import java.nio.file.Path;

+ +

+ +import java.util.Iterator;

+ +import java.util.Map.Entry;

+ +import java.util.Properties;

+ +import java.util.function.Consumer;

+ +import java.util.regex.Matcher;

+ +import java.util.regex.Pattern;

+ +

+ +import sun.security.util.Debug;

+ +

+ +/**

+ + * Internal class to align OpenJDK with global crypto-policies.

+ + * Called from java.security.Security class initialization,

+ + * during startup.

+ + *

+ + */

+ +

+ +class SystemConfigurator {

+ +

+ +    private static final Debug sdebug =

+ +            Debug.getInstance("properties");

+ +

+ +    private static final String CRYPTO_POLICIES_BASE_DIR =

+ +            "/etc/crypto-policies";

+ +

+ +    private static final String CRYPTO_POLICIES_JAVA_CONFIG =

+ +            CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";

+ +

+ +    private static final String CRYPTO_POLICIES_CONFIG =

+ +            CRYPTO_POLICIES_BASE_DIR + "/config";

+ +

+ +    private static final class SecurityProviderInfo {

+ +        int number;

+ +        String key;

+ +        String value;

+ +        SecurityProviderInfo(int number, String key, String value) {

+ +            this.number = number;

+ +            this.key = key;

+ +            this.value = value;

+ +        }

+ +    }

+ +

+ +    /*

+ +     * Invoked when java.security.Security class is initialized, if

+ +     * java.security.disableSystemPropertiesFile property is not set and

+ +     * security.useSystemPropertiesFile is true.

+ +     */

+ +    static boolean configure(Properties props) {

+ +        boolean loadedProps = false;

+ +

+ +        try (BufferedInputStream bis =

+ +                new BufferedInputStream(

+ +                        new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {

+ +            props.load(bis);

+ +            loadedProps = true;

+ +            if (sdebug != null) {

+ +                sdebug.println("reading system security properties file " +

+ +                        CRYPTO_POLICIES_JAVA_CONFIG);

+ +                sdebug.println(props.toString());

+ +            }

+ +        } catch (IOException e) {

+ +            if (sdebug != null) {

+ +                sdebug.println("unable to load security properties from " +

+ +                        CRYPTO_POLICIES_JAVA_CONFIG);

+ +                e.printStackTrace();

+ +            }

+ +        }

+ +

+ +        try {

+ +            if (enableFips()) {

+ +                if (sdebug != null) { sdebug.println("FIPS mode detected"); }

+ +                loadedProps = false;

+ +                // Remove all security providers

+ +                Iterator<Entry<Object, Object>> i = props.entrySet().iterator();

+ +                while (i.hasNext()) {

+ +                    Entry<Object, Object> e = i.next();

+ +                    if (((String) e.getKey()).startsWith("security.provider")) {

+ +                        if (sdebug != null) { sdebug.println("Removing provider: " + e); }

+ +                        i.remove();

+ +                    }

+ +                }

+ +                // Add FIPS security providers

+ +                String fipsProviderValue = null;

+ +                for (int n = 1;

+ +                     (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {

+ +                    String fipsProviderKey = "security.provider." + n;

+ +                    if (sdebug != null) {

+ +                        sdebug.println("Adding provider " + n + ": " +

+ +                                fipsProviderKey + "=" + fipsProviderValue);

+ +                    }

+ +                    props.put(fipsProviderKey, fipsProviderValue);

+ +                }

+ +                loadedProps = true;

+ +            }

+ +        } catch (Exception e) {

+ +            if (sdebug != null) {

+ +                sdebug.println("unable to load FIPS configuration");

+ +                e.printStackTrace();

+ +            }

+ +        }

+ +        return loadedProps;

+ +    }

+ +

+ +    /*

+ +     * FIPS is enabled only if crypto-policies are set to "FIPS"

+ +     * and the com.redhat.fips property is true.

+ +     */

+ +    private static boolean enableFips() throws Exception {

+ +        boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));

+ +        if (fipsEnabled) {

+ +            String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));

+ +            if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }

+ +            Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);

+ +            return pattern.matcher(cryptoPoliciesConfig).find();

+ +        } else {

+ +            return false;

+ +        }

+ +    }

+ +}

+ diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security

+ --- openjdk.orig/src/java.base/share/conf/security/java.security

+ +++ openjdk/src/java.base/share/conf/security/java.security

+ @@ -87,6 +87,14 @@

+  #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg

+  

+  #

+ +# Security providers used when global crypto-policies are set to FIPS.

+ +#

+ +fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg

+ +fips.provider.2=SUN

+ +fips.provider.3=SunEC

+ +fips.provider.4=SunJSSE SunPKCS11-NSS-FIPS

+ +

+ +#

+  # A list of preferred providers for specific algorithms. These providers will

+  # be searched for matching algorithms before the list of registered providers.

+  # Entries containing errors (parsing, etc) will be ignored. Use the
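Review bot: `configure()` catches every `Exception` from the FIPS branch and reports it only when `sdebug` is non-null, so if `enableFips()` cannot read `/etc/crypto-policies/config` the JVM carries on with the non-FIPS provider list and gives no signal outside debug mode. The branch also sets `loadedProps = false` before removing the `security.provider.*` entries, so an exception part-way through returns false with the provider list already altered. If failing open is intended, say so above the catch, e.g. `// deliberate: on any error the non-FIPS configuration stays in effect`; otherwise report the failure unconditionally. `new String(Files.readAllBytes(...))` also decodes with the platform default charset, and naming the charset explicitly would make the `^FIPS$` match independent of locale.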

@@ -0,0 +1,52 @@

+ diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java

+ --- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java	Thu Jan 23 18:22:31 2020 -0300

+ +++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java	Mon Mar 02 19:20:17 2020 -0300

+ @@ -123,6 +123,33 @@

+                      }

+                      props.put(fipsProviderKey, fipsProviderValue);

+                  }

+ +                // Add other security properties

+ +                String keystoreTypeValue = (String) props.get("fips.keystore.type");

+ +                if (keystoreTypeValue != null) {

+ +                    String nonFipsKeystoreType = props.getProperty("keystore.type");

+ +                    props.put("keystore.type", keystoreTypeValue);

+ +                    if (keystoreTypeValue.equals("PKCS11")) {

+ +                    	// If keystore.type is PKCS11, javax.net.ssl.keyStore

+ +                    	// must be "NONE". See JDK-8238264.

+ +                    	System.setProperty("javax.net.ssl.keyStore", "NONE");

+ +                    }

+ +                    if (System.getProperty("javax.net.ssl.trustStoreType") == null) {

+ +                        // If no trustStoreType has been set, use the

+ +                        // previous keystore.type under FIPS mode. In

+ +                        // a default configuration, the Trust Store will

+ +                        // be 'cacerts' (JKS type).

+ +                        System.setProperty("javax.net.ssl.trustStoreType",

+ +                                nonFipsKeystoreType);

+ +                    }

+ +                    if (sdebug != null) {

+ +                        sdebug.println("FIPS mode default keystore.type = " +

+ +                                keystoreTypeValue);

+ +                        sdebug.println("FIPS mode javax.net.ssl.keyStore = " +

+ +                        		System.getProperty("javax.net.ssl.keyStore", ""));

+ +                        sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +

+ +                                System.getProperty("javax.net.ssl.trustStoreType", ""));

+ +                    }

+ +                }

+                  loadedProps = true;

+              }

+          } catch (Exception e) {

+ diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux

+ --- openjdk.orig/src/java.base/share/conf/security/java.security	Thu Jan 23 18:22:31 2020 -0300

+ +++ openjdk/src/java.base/share/conf/security/java.security	Mon Mar 02 19:20:17 2020 -0300

+ @@ -299,6 +299,11 @@

+  keystore.type=pkcs12

+  

+  #

+ +# Default keystore type used when global crypto-policies are set to FIPS.

+ +#

+ +fips.keystore.type=PKCS11

+ +

+ +#

+  # Controls compatibility mode for JKS and PKCS12 keystore types.

+  #

+  # When set to 'true', both JKS and PKCS12 keystore types support loading
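Review bot: `System.setProperty("javax.net.ssl.trustStoreType", nonFipsKeystoreType)` throws NullPointerException when `keystore.type` is missing from `props`, and the `catch (Exception e)` shown as context would swallow it after the provider list has already been rewritten. Guard the call with `if (nonFipsKeystoreType != null && System.getProperty("javax.net.ssl.trustStoreType") == null) {`. In the same block, `javax.net.ssl.keyStore` is forced to `NONE` even when the user supplied a value, while the trust-store type is only defaulted. A comment such as `// overrides any user-supplied javax.net.ssl.keyStore on purpose` would make that asymmetry explicit. The enclosing method starts and ends outside the hunk.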

@@ -0,0 +1,354 @@

+ diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java

+ --- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java	Thu Jan 23 18:22:31 2020 -0300

+ +++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java	Sat Aug 01 23:16:51 2020 -0300

+ @@ -1,11 +1,13 @@

+  /*

+ - * Copyright (c) 2019, Red Hat, Inc.

+ + * Copyright (c) 2019, 2020, Red Hat, Inc.

+   *

+   * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

+   *

+   * This code is free software; you can redistribute it and/or modify it

+   * under the terms of the GNU General Public License version 2 only, as

+ - * published by the Free Software Foundation.

+ + * published by the Free Software Foundation.  Oracle designates this

+ + * particular file as subject to the "Classpath" exception as provided

+ + * by Oracle in the LICENSE file that accompanied this code.

+   *

+   * This code is distributed in the hope that it will be useful, but WITHOUT

+   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

+ @@ -34,10 +36,10 @@

+  import java.util.Iterator;

+  import java.util.Map.Entry;

+  import java.util.Properties;

+ -import java.util.function.Consumer;

+ -import java.util.regex.Matcher;

+  import java.util.regex.Pattern;

+  

+ +import jdk.internal.misc.SharedSecrets;

+ +import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;

+  import sun.security.util.Debug;

+  

+  /**

+ @@ -47,7 +49,7 @@

+   *

+   */

+  

+ -class SystemConfigurator {

+ +final class SystemConfigurator {

+  

+      private static final Debug sdebug =

+              Debug.getInstance("properties");

+ @@ -61,15 +63,16 @@

+      private static final String CRYPTO_POLICIES_CONFIG =

+              CRYPTO_POLICIES_BASE_DIR + "/config";

+  

+ -    private static final class SecurityProviderInfo {

+ -        int number;

+ -        String key;

+ -        String value;

+ -        SecurityProviderInfo(int number, String key, String value) {

+ -            this.number = number;

+ -            this.key = key;

+ -            this.value = value;

+ -        }

+ +    private static boolean systemFipsEnabled = false;

+ +

+ +    static {

+ +        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(

+ +            new JavaSecuritySystemConfiguratorAccess() {

+ +                @Override

+ +                public boolean isSystemFipsEnabled() {

+ +                    return SystemConfigurator.isSystemFipsEnabled();

+ +                }

+ +            });

+      }

+  

+      /*

+ @@ -128,9 +131,9 @@

+                      String nonFipsKeystoreType = props.getProperty("keystore.type");

+                      props.put("keystore.type", keystoreTypeValue);

+                      if (keystoreTypeValue.equals("PKCS11")) {

+ -                    	// If keystore.type is PKCS11, javax.net.ssl.keyStore

+ -                    	// must be "NONE". See JDK-8238264.

+ -                    	System.setProperty("javax.net.ssl.keyStore", "NONE");

+ +                        // If keystore.type is PKCS11, javax.net.ssl.keyStore

+ +                        // must be "NONE". See JDK-8238264.

+ +                        System.setProperty("javax.net.ssl.keyStore", "NONE");

+                      }

+                      if (System.getProperty("javax.net.ssl.trustStoreType") == null) {

+                          // If no trustStoreType has been set, use the

+ @@ -144,12 +147,13 @@

+                          sdebug.println("FIPS mode default keystore.type = " +

+                                  keystoreTypeValue);

+                          sdebug.println("FIPS mode javax.net.ssl.keyStore = " +

+ -                        		System.getProperty("javax.net.ssl.keyStore", ""));

+ +                                System.getProperty("javax.net.ssl.keyStore", ""));

+                          sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +

+                                  System.getProperty("javax.net.ssl.trustStoreType", ""));

+                      }

+                  }

+                  loadedProps = true;

+ +                systemFipsEnabled = true;

+              }

+          } catch (Exception e) {

+              if (sdebug != null) {

+ @@ -160,13 +164,30 @@

+          return loadedProps;

+      }

+  

+ +    /**

+ +     * Returns whether or not global system FIPS alignment is enabled.

+ +     *

+ +     * Value is always 'false' before java.security.Security class is

+ +     * initialized.

+ +     *

+ +     * Call from out of this package through SharedSecrets:

+ +     *   SharedSecrets.getJavaSecuritySystemConfiguratorAccess()

+ +     *           .isSystemFipsEnabled();

+ +     *

+ +     * @return  a boolean value indicating whether or not global

+ +     *          system FIPS alignment is enabled.

+ +     */

+ +    static boolean isSystemFipsEnabled() {

+ +        return systemFipsEnabled;

+ +    }

+ +

+      /*

+       * FIPS is enabled only if crypto-policies are set to "FIPS"

+       * and the com.redhat.fips property is true.

+       */

+      private static boolean enableFips() throws Exception {

+ -        boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));

+ -        if (fipsEnabled) {

+ +        boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));

+ +        if (shouldEnable) {

+              String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));

+              if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }

+              Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);

+ diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java

+ --- /dev/null	Thu Jan 01 00:00:00 1970 +0000

+ +++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java	Sat Aug 01 23:16:51 2020 -0300

+ @@ -0,0 +1,30 @@

+ +/*

+ + * Copyright (c) 2020, Red Hat, Inc.

+ + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

+ + *

+ + * This code is free software; you can redistribute it and/or modify it

+ + * under the terms of the GNU General Public License version 2 only, as

+ + * published by the Free Software Foundation.  Oracle designates this

+ + * particular file as subject to the "Classpath" exception as provided

+ + * by Oracle in the LICENSE file that accompanied this code.

+ + *

+ + * This code is distributed in the hope that it will be useful, but WITHOUT

+ + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

+ + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

+ + * version 2 for more details (a copy is included in the LICENSE file that

+ + * accompanied this code).

+ + *

+ + * You should have received a copy of the GNU General Public License version

+ + * 2 along with this work; if not, write to the Free Software Foundation,

+ + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

+ + *

+ + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

+ + * or visit www.oracle.com if you need additional information or have any

+ + * questions.

+ + */

+ +

+ +package jdk.internal.misc;

+ +

+ +public interface JavaSecuritySystemConfiguratorAccess {

+ +    boolean isSystemFipsEnabled();

+ +}

+ diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/access/SharedSecrets.java

+ --- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java	Thu Jan 23 18:22:31 2020 -0300

+ +++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java	Sat Aug 01 23:16:51 2020 -0300

+ @@ -38,6 +38,7 @@

+  import java.io.RandomAccessFile;

+  import java.security.ProtectionDomain;

+  import java.security.Signature;

+ +import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;

+  

+  /** A repository of "shared secrets", which are a mechanism for

+      calling implementation-private methods in another package without

+ @@ -76,6 +76,7 @@

+      private static JavaSecurityAccess javaSecurityAccess;

+      private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;

+      private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;

+ +    private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;

+  

+      public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {

+          javaUtilCollectionAccess = juca;

+ @@ -361,4 +362,12 @@

+              MethodHandles.lookup().ensureInitialized(c);

+          } catch (IllegalAccessException e) {}

+      }

+ +

+ +    public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {

+ +        javaSecuritySystemConfiguratorAccess = jssca;

+ +    }

+ +

+ +    public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {

+ +        return javaSecuritySystemConfiguratorAccess;

+ +    }

+  }

+ diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java

+ --- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java	Thu Jan 23 18:22:31 2020 -0300

+ +++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java	Sat Aug 01 23:16:51 2020 -0300

+ @@ -31,6 +31,7 @@

+  import java.util.*;

+  import java.util.concurrent.locks.ReentrantLock;

+  import javax.net.ssl.*;

+ +import jdk.internal.access.SharedSecrets;

+  import sun.security.action.GetPropertyAction;

+  import sun.security.provider.certpath.AlgorithmChecker;

+  import sun.security.validator.Validator;

+ @@ -536,22 +536,42 @@

+          private static final List<CipherSuite> serverDefaultCipherSuites;

+  

+          static {

+ -            supportedProtocols = Arrays.asList(

+ -                ProtocolVersion.TLS13,

+ -                ProtocolVersion.TLS12,

+ -                ProtocolVersion.TLS11,

+ -                ProtocolVersion.TLS10,

+ -                ProtocolVersion.SSL30,

+ -                ProtocolVersion.SSL20Hello

+ -            );

+ -

+ -            serverDefaultProtocols = getAvailableProtocols(

+ -                    new ProtocolVersion[] {

+ -                ProtocolVersion.TLS13,

+ -                ProtocolVersion.TLS12,

+ -                ProtocolVersion.TLS11,

+ -                ProtocolVersion.TLS10

+ -            });

+ +              if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()

+ +                      .isSystemFipsEnabled()) {

+ +                  // RH1860986: TLSv1.3 key derivation not supported with

+ +                  // the Security Providers available in system FIPS mode.

+ +              supportedProtocols = Arrays.asList(

+ +                  ProtocolVersion.TLS12,

+ +                  ProtocolVersion.TLS11,

+ +                  ProtocolVersion.TLS10,

+ +                  ProtocolVersion.SSL30,

+ +                  ProtocolVersion.SSL20Hello

+ +              );

+ +

+ +              serverDefaultProtocols = getAvailableProtocols(

+ +                      new ProtocolVersion[] {

+ +                  ProtocolVersion.TLS12,

+ +                  ProtocolVersion.TLS11,

+ +                  ProtocolVersion.TLS10

+ +              });

+ +                } else {

+ +              supportedProtocols = Arrays.asList(

+ +                  ProtocolVersion.TLS13,

+ +                  ProtocolVersion.TLS12,

+ +                  ProtocolVersion.TLS11,

+ +                  ProtocolVersion.TLS10,

+ +                  ProtocolVersion.SSL30,

+ +                  ProtocolVersion.SSL20Hello

+ +              );

+ +

+ +              serverDefaultProtocols = getAvailableProtocols(

+ +                      new ProtocolVersion[] {

+ +                  ProtocolVersion.TLS13,

+ +                  ProtocolVersion.TLS12,

+ +                  ProtocolVersion.TLS11,

+ +                  ProtocolVersion.TLS10

+ +              });

+ +            }

+  

+              supportedCipherSuites = getApplicableSupportedCipherSuites(

+                      supportedProtocols);

+ @@ -699,13 +719,26 @@

+          private static final List<CipherSuite> clientDefaultCipherSuites;

+  

+          static {

+ -            clientDefaultProtocols = getAvailableProtocols(

+ -                    new ProtocolVersion[] {

+ -                ProtocolVersion.TLS13,

+ -                ProtocolVersion.TLS12,

+ -                ProtocolVersion.TLS11,

+ -                ProtocolVersion.TLS10

+ -            });

+ +            if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()

+ +                    .isSystemFipsEnabled()) {

+ +                // RH1860986: TLSv1.3 key derivation not supported with

+ +                // the Security Providers available in system FIPS mode.

+ +              clientDefaultProtocols = getAvailableProtocols(

+ +                      new ProtocolVersion[] {

+ +                  ProtocolVersion.TLS12,

+ +                  ProtocolVersion.TLS11,

+ +                  ProtocolVersion.TLS10

+ +              });

+ +            } else {

+ +              clientDefaultProtocols = getAvailableProtocols(

+ +                      new ProtocolVersion[] {

+ +                  ProtocolVersion.TLS13,

+ +                  ProtocolVersion.TLS12,

+ +                  ProtocolVersion.TLS11,

+ +                  ProtocolVersion.TLS10

+ +              });

+ +            }

+ +

+  

+              clientDefaultCipherSuites = getApplicableEnabledCipherSuites(

+                      clientDefaultProtocols, true);

+ @@ -842,12 +875,21 @@

+              ProtocolVersion[] candidates;

+              if (refactored.isEmpty()) {

+                  // Client and server use the same default protocols.

+ -                candidates = new ProtocolVersion[] {

+ -                        ProtocolVersion.TLS13,

+ -                        ProtocolVersion.TLS12,

+ -                        ProtocolVersion.TLS11,

+ -                        ProtocolVersion.TLS10

+ -                    };

+ +              if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()

+ +                      .isSystemFipsEnabled()) {

+ +                 candidates = new ProtocolVersion[] {

+ +                          ProtocolVersion.TLS12,

+ +                          ProtocolVersion.TLS11,

+ +                          ProtocolVersion.TLS10

+ +                      };

+ +              } else {

+ +                  candidates = new ProtocolVersion[] {

+ +                          ProtocolVersion.TLS13,

+ +                          ProtocolVersion.TLS12,

+ +                          ProtocolVersion.TLS11,

+ +                          ProtocolVersion.TLS10

+ +                      };

+ +              }

+              } else {

+                  // Use the customized TLS protocols.

+                  candidates =

+ diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java

+ --- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java	Thu Jan 23 18:22:31 2020 -0300

+ +++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java	Sat Aug 01 23:16:51 2020 -0300

+ @@ -27,6 +27,8 @@

+  

+  import java.security.*;

+  import java.util.*;

+ +

+ +import jdk.internal.access.SharedSecrets;

+  import static sun.security.util.SecurityConstants.PROVIDER_VER;

+  

+  /**

+ @@ -195,8 +197,13 @@

+              "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);

+          ps("SSLContext", "TLSv1.2",

+              "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);

+ -        ps("SSLContext", "TLSv1.3",

+ -            "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);

+ +        if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()

+ +                .isSystemFipsEnabled()) {

+ +            // RH1860986: TLSv1.3 key derivation not supported with

+ +            // the Security Providers available in system FIPS mode.

+ +            ps("SSLContext", "TLSv1.3",

+ +                "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);

+ +        }

+          ps("SSLContext", "TLS",

+              "sun.security.ssl.SSLContextImpl$TLSContext",

+              List.of("SSL"), null);

@@ -0,0 +1,68 @@

+ diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java

+ --- openjdk.orig/src/java.base/share/classes/java/security/Security.java

+ +++ openjdk/src/java.base/share/classes/java/security/Security.java

+ @@ -32,6 +32,7 @@

+  

+  import jdk.internal.event.EventHelper;

+  import jdk.internal.event.SecurityPropertyModificationEvent;

+ +import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;

+  import jdk.internal.access.SharedSecrets;

+  import jdk.internal.util.StaticProperty;

+  import sun.security.util.Debug;

+ @@ -74,6 +75,15 @@

+      }

+  

+      static {

+ +        // Initialise here as used by code with system properties disabled

+ +        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(

+ +            new JavaSecuritySystemConfiguratorAccess() {

+ +                @Override

+ +                public boolean isSystemFipsEnabled() {

+ +                    return SystemConfigurator.isSystemFipsEnabled();

+ +                }

+ +            });

+ +

+          // doPrivileged here because there are multiple

+          // things in initialize that might require privs.

+          // (the FileInputStream call and the File.exists call,

+ @@ -193,9 +203,8 @@

+          }

+  

+          String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");

+ -        if (disableSystemProps == null &&

+ -            "true".equalsIgnoreCase(props.getProperty

+ -                ("security.useSystemPropertiesFile"))) {

+ +        if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&

+ +            "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {

+              if (SystemConfigurator.configure(props)) {

+                  loadedProps = true;

+              }

+ diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java

+ --- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java

+ +++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java

+ @@ -38,8 +38,6 @@

+  import java.util.Properties;

+  import java.util.regex.Pattern;

+  

+ -import jdk.internal.misc.SharedSecrets;

+ -import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;

+  import sun.security.util.Debug;

+  

+  /**

+ @@ -65,16 +63,6 @@

+  

+      private static boolean systemFipsEnabled = false;

+  

+ -    static {

+ -        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(

+ -            new JavaSecuritySystemConfiguratorAccess() {

+ -                @Override

+ -                public boolean isSystemFipsEnabled() {

+ -                    return SystemConfigurator.isSystemFipsEnabled();

+ -                }

+ -            });

+ -    }

+ -

+      /*

+       * Invoked when java.security.Security class is initialized, if

+       * java.security.disableSystemPropertiesFile property is not set and
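Review bot: The context comment kept at the end of the SystemConfigurator.java hunk still says configure() is invoked when `java.security.disableSystemPropertiesFile` "is not set", but the new condition in Security.java also invokes it when the property is `false`, so that comment is now out of date. I would reword it to `if java.security.disableSystemPropertiesFile is unset or "false" and`, and add above the new `if` in Security.java the line `// Any value other than "false", including an empty string, skips SystemConfigurator.configure()`. This matters for deployments that rely on the system crypto policy, because a mistyped value silently skips it and, as far as these hunks show, leaves `systemFipsEnabled` at its default `false`, which keeps the TLSv1.3 paths enabled. The comment block continues past the end of the hunk, so the rest of its wording is not visible here.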

file modified
+1 -1
@@ -1,2 +1,2 @@

  SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671

- SHA512 (openjdk-jdk16u-jdk-16.0.1+9.tar.xz) = ff06d5c97377cac4d5e8921766c61d4d96dc0c968913263b5371f0d3d0e98bb6a5ccf5b1cbb3ddaff3380bf4499ff6501e73f96e0e922b2294d1f7c1ec3eee23

+ SHA512 (openjdk-jdk16u-jdk-16.0.2+7.tar.xz) = 9f0db34edcb1ffcd7af159113133677c03edb75990a2f54e60f445942447c7615af799f3229527abe3306ff626fd1cee4afd1ba86a8c799d688802f0e4b6d0d3

no initial comment

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

Can we not do the bump change on its own and then the other three as one commit in their own PR? Hard to follow what is going on here and why the RSA patch is added and then removed again.

Hello! I found the RSA patch upstreamed.

If you insist, I will split the PR, but the commits stay properly isolated.

If you insist, I will split the PR, but the commits stay properly isolated.

There should be one PR + commit for the bump, and one for FIPS.
From what you say about the RSA patch (we didn't upstream it, I guess upstream policy changed), it sounds like the FIPS commits won't build on their own, so why on earth would we want to preserve them?

so why on earth would we want to preserve them?

The overall change of them was very small. If that would be the removal of that only one patch than I would agree the commit is useless.

As you wish. I will rework it to two PRs. One with source bump, and one with fips. I would recommend to keep the split comments, but seeing your attitude, I would rather squeeze it to single commit.

Thanx!

Btw, sometimes you are angry at me for mixing things in commits, sometimes you are angry I split commits too much. I hope, one day I will find a golden ratio to keep it according to your measurement :)

Pull-Request has been closed by jvanek

2 years ago