diff --git a/.gitignore b/.gitignore index ccfc525..013fe09 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz +SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index 493f497..8f03300 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -d02d3af23d61532c9695fb83f73126ab0b82f5d1 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz +71e5a111b66d7a8e4234d35117e0fd663d39f9ce SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index a45c520..b87597c 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,359 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u362 (2023-01-17): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u362 + * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u362.html + +* CVEs + - CVE-2023-21830 + - CVE-2023-21843 +* Security fixes + - JDK-8285021: Improve CORBA communication + - JDK-8286496: Improve Thread labels + - JDK-8288516: Enhance font creation + - JDK-8289350: Better media supports + - JDK-8293554: Enhanced DH Key Exchanges + - JDK-8293598: Enhance InetAddress address handling + - JDK-8293717: Objective view of ObjectView + - JDK-8293734: Improve BMP image handling + - JDK-8293742: Better Banking of Sounds + - JDK-8295687: Better BMP bounds +* Other changes + - JDK-6885993: Named Thread: introduce print() and print_on(outputStream* st) methods + - JDK-7124218: [TEST_BUG] [macosx] Space should select cell in the JTable + - JDK-8054066: com/sun/jdi/DoubleAgentTest.java fails with timeout + - JDK-8067941: [TESTBUG] Fix tests for OS with 64K page size. + - JDK-8071530: Update OS detection code to reflect Windows 10 version change + - JDK-8073464: GC workers do not have thread names + - JDK-8079255: [TEST_BUG] [macosx] Test closed/java/awt/Robot/RobotWheelTest/RobotWheelTest fails for Mac only + - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails + - JDK-8148005: One byte may be corrupted by get_datetime_string() + - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java + - JDK-8159720: Failure of C2 compilation with tiered prevents some C1 compilations + - JDK-8195607: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1 + - JDK-8197859: VS2017 Complains about UINTPTR_MAX definition in globalDefinitions_VisCPP.hpp + - JDK-8206456: [TESTBUG] docker jtreg tests fail on systems without cpuset.effective_cpus / cpuset.effective_mems + - JDK-8221529: [TESTBUG] Docker tests use old/deprecated image on AArch64 + - JDK-8224506: [TESTBUG] TestDockerMemoryMetrics.java fails with exitValue = 137 + - JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS + - JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows + - JDK-8253702: BigSur version number reported as 10.16, should be 11.nn + - JDK-8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() + - JDK-8265527: tools/javac/diags/CheckExamples.java fails after JDK-8078024 8u backport + - JDK-8269039: Disable SHA-1 Signed JARs + - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0 + - JDK-8270344: Session resumption errors + - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity + - JDK-8273176: handle latest VS2019 in abstract_vm_version + - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening + - JDK-8274840: Update OS detection code to recognize Windows 11 + - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled + - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR + - JDK-8283277: ISO 4217 Amendment 171 Update + - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode + - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer + - JDK-8284622: Update versions of some Github Actions used in JDK workflow + - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled + - JDK-8288928: Incorrect GPL header in pnglibconf.h (backport of JDK-8185041) + - JDK-8289549: ISO 4217 Amendment 172 Update + - JDK-8292762: Remove .jcheck directories from jdk8u subcomponents + - JDK-8293181: Bump update version of OpenJDK: 8u362 + - JDK-8293461: Add a test for JDK-8290832 + - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening + - JDK-8294307: ISO 4217 Amendment 173 Update + - JDK-8294357: (tz) Update Timezone Data to 2022d + - JDK-8294863: Enable partial tier1 testing in GHA for JDK8 + - JDK-8295164: JDK 8 jdi tests should not use tasklist command on Windows + - JDK-8295173: (tz) Update Timezone Data to 2022e + - JDK-8295288: Some vm_flags tests associate with a wrong BugID + - JDK-8295714: GHA ::set-output is deprecated and will be removed + - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error + - JDK-8295915: Problemlist compiler/rtm failures specific to 8u + - JDK-8295950: Enable langtools/tier1 in GHA for 8u + - JDK-8296108: (tz) Update Timezone Data to 2022f + - JDK-8296239: ISO 4217 Amendment 174 Update + - JDK-8296555: Enable hotspot/tier1 for 64-bit builds in GHA for 8u + - JDK-8296715: CLDR v42 update for tzdata 2022f + - JDK-8296959: Fix hotspot shell tests of 8u on multilib systems + - JDK-8297141: Fix hotspot/test/runtime/SharedArchiveFile/DefaultUseWithClient.java for 8u + - JDK-8297804: (tz) Update Timezone Data to 2022g + - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java + +Notes on individual issues: +=========================== + +client-libs/javax.imageio: + +JDK-8295687: Better BMP bounds +============================== +Loading a linked ICC profile within a BMP image is now disabled by +default. To re-enable it, set the new system property +`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property +replaces the old property, +`sun.imageio.plugins.bmp.disableLinkedProfiles`. + +client-libs/javax.sound: + +JDK-8293742: Better Banking of Sounds +===================================== +Previously, the SoundbankReader implementation, +`com.sun.media.sound.JARSoundbankReader`, would download a JAR +soundbank from a URL. This behaviour is now disabled by default. To +re-enable it, set the new system property `jdk.sound.jarsoundbank` to +`true`. + +hotspot/runtime: + +JDK-8274840: Release Now Recognises Windows 11 +============================================== +This release now correctly sets the `os.name` property to `Windows +11`, as would be expected. + +other-libs/corba:idl: + +JDK-8285021: Improve CORBA communication +======================================== +The JDK's CORBA implementation now refuses by default to deserialize +objects, unless they have the "IOR:" prefix. The previous behaviour +can be re-enabled by setting the new property +`com.sun.CORBA.ORBAllowDeserializeObject` to `true`. + +security-libs/java.security: + +JDK-8269039: Disabled SHA-1 Signed JARs +======================================= +JARs signed with SHA-1 algorithms are now restricted by default and +treated as if they were unsigned. This applies to the algorithms used +to digest, sign, and optionally timestamp the JAR. It also applies to +the signature and digest algorithms of the certificates in the +certificate chain of the code signer and the Timestamp Authority, and +any CRLs or OCSP responses that are used to verify if those +certificates have been revoked. These restrictions also apply to +signed JCE providers. + +To reduce the compatibility risk for JARs that have been previously +timestamped, there is one exception to this policy: + +- Any JAR signed with SHA-1 algorithms and timestamped prior to + January 01, 2019 will not be restricted. + +This exception may be removed in a future JDK release. To determine if +your signed JARs are affected by this change, run: + +$ jarsigner -verify -verbose -certs` + +on the signed JAR, and look for instances of "SHA1" or "SHA-1" and +"disabled" and a warning that the JAR will be treated as unsigned in +the output. + +For example: + + Signed by "CN="Signer"" + Digest algorithm: SHA-1 (disabled) + Signature algorithm: SHA1withRSA (disabled), 2048-bit key + + WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property: + + jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01 + +JARs affected by these new restrictions should be replaced or +re-signed with stronger algorithms. + +Users can, *at their own risk*, remove these restrictions by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) and removing "SHA1 usage +SignedJAR & denyAfter 2019-01-01" from the +`jdk.certpath.disabledAlgorithms` security property and "SHA1 +denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security +property. + +New in release OpenJDK 8u352 (2022-10-18): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u352 + * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt + +* Security fixes + - JDK-8282252: Improve BigInteger/Decimal validation + - JDK-8285662: Better permission resolution + - JDK-8286511: Improve macro allocation + - JDK-8286519: Better memory handling + - JDK-8286526, CVE-2022-21619: Improve NTLM support + - JDK-8286533, CVE-2022-21626: Key X509 usages + - JDK-8286910, CVE-2022-21624: Improve JNDI lookups + - JDK-8286918, CVE-2022-21628: Better HttpServer service + - JDK-8288508: Enhance ECDSA usage +* Other changes + - JDK-7131823: bug in GIFImageReader + - JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate + - JDK-8028265: Add legacy tz tests to OpenJDK + - JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000] + - JDK-8049228: Improve multithreaded scalability of InetAddress cache + - JDK-8071507: (ref) Clear phantom reference as soft and weak references do + - JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation + - JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9 + - JDK-8136354: [TEST_BUG] Test java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script + - JDK-8139668: Generate README-build.html from markdown + - JDK-8143847: Remove REF_CLEANER reference category + - JDK-8147862: Null check too late in sun.net.httpserver.ServerImpl + - JDK-8150669: C1 intrinsic for Class.isPrimitive + - JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows + - JDK-8173339: AArch64: Fix minimum stack size computations + - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load + - JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing + - JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored + - JDK-8183107: PKCS11 regression regarding checkKeySize + - JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property + - JDK-8194873: right ALT key hotkeys no longer work in Swing components + - JDK-8201793: (ref) Reference object should not support cloning + - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount() + - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures. + - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit + - JDK-8235218: Minimal VM is broken after JDK-8173361 + - JDK-8235385: Crash on aarch64 JDK due to long offset + - JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles + - JDK-8254178: Remove .hgignore + - JDK-8254318: Remove .hgtags + - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version + - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*) + - JDK-8280963: Incorrect PrintFlags formatting on Windows + - JDK-8282538: PKCS11 tests fail on CentOS Stream 9 + - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + - JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3 + - JDK-8285497: Add system property for Java SE specification maintenance version + - JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE + - JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11 + - JDK-8287521: Bump update version of OpenJDK: 8u352 + - JDK-8288763: Pack200 extraction failure with invalid size + - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses + - JDK-8290000: Bump macOS GitHub actions to macOS 11 + - JDK-8292579: (tz) Update Timezone Data to 2022c + - JDK-8292688: Support Security properties in security.testlibrary.Proc + +Notes on individual issues: +=========================== + +core-libs/java.lang: + +JDK-8201793: (ref) Reference object should not support cloning +============================================================== +`java.lang.ref.Reference::clone` method always throws +`CloneNotSupportedException`. `Reference` objects cannot be +meaningfully cloned. To create a new Reference object, call the +constructor to create a `Reference` object with the same referent and +reference queue instead. + +JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing +=============================================================================================== +`java.lang.ref.Reference.enqueue` method clears the reference object +before it is added to the registered queue. When the `enqueue` method +is called, the reference object is cleared and `get()` method will +return null in OpenJDK 8u352. + +Typically when a reference object is enqueued, it is expected that the +reference object is cleared explicitly via the `clear` method to avoid +memory leak because its referent is no longer referenced. In other +words the `get` method is expected not to be called in common cases +once the `enqueue`method is called. In the case when the `get` method +from an enqueued reference object and existing code attempts to access +members of the referent, `NullPointerException` may be thrown. Such +code will need to be updated. + +JDK-8071507: (ref) Clear phantom reference as soft and weak references do +========================================================================= +This enhancement changes phantom references to be automatically +cleared by the garbage collector as soft and weak references. + +An object becomes phantom reachable after it has been finalized. This +change may cause the phantom reachable objects to be GC'ed earlier - +previously the referent is kept alive until PhantomReference objects +are GC'ed or cleared by the application. This potential behavioral +change might only impact existing code that would depend on +PhantomReference being enqueued rather than when the referent be freed +from the heap. + +core-libs/java.net: + +JDK-8286918: Better HttpServer service +====================================== +The HttpServer can be optionally configured with a maximum connection +limit by setting the jdk.httpserver.maxConnections system property. A +value of 0 or a negative integer is ignored and considered to +represent no connection limit. In the case of a positive integer +value, any newly accepted connections will be first checked against +the current count of established connections and, if the configured +limit has been reached, then the newly accepted connection will be +closed immediately. + +core-libs/java.net: + +JDK-8286918: Better HttpServer service +====================================== +The HttpServer can be optionally configured with a maximum connection +limit by setting the jdk.httpserver.maxConnections system property. A +value of 0 or a negative integer is ignored and considered to +represent no connection limit. In the case of a positive integer +value, any newly accepted connections will be first checked against +the current count of established connections and, if the configured +limit has been reached, then the newly accepted connection will be +closed immediately. + +security-libs/javax.net.ssl: + +JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles +================================================================ +The TLSv1.3 implementation is now enabled by default for client roles +in 8u352. It has been enabled by default for server roles since 8u272. + +Note that TLS 1.3 is not directly compatible with previous +versions. Enabling it on the client may introduce compatibility issues +on either the server or the client side. Here are some more details on +potential compatibility issues that you should be aware of: + +* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions + use a duplex-close policy. For applications that depend on the + duplex-close policy, there may be compatibility issues when + upgrading to TLS 1.3. + +* The signature_algorithms_cert extension requires that pre-defined + signature algorithms are used for certificate authentication. In + practice, however, an application may use non-supported signature + algorithms. + +* The DSA signature algorithm is not supported in TLS 1.3. If a server + is configured to only use DSA certificates, it cannot upgrade to TLS + 1.3. + +* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 + and prior versions. If an application hard-codes cipher suites which + are no longer supported, it may not be able to use TLS 1.3 without + modifying the application code. + +* The TLS 1.3 session resumption and key update behaviors are + different from TLS 1.2 and prior versions. The compatibility should + be minimal, but it could be a risk if an application depends on the + handshake details of the TLS protocols. + +The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols +system property: + +java -Djdk.tls.client.protocols="TLSv1.2" ... + +Alternatively, an application can explicitly set the enabled protocols +with the javax.net.ssl APIs e.g. + +sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"}); + +or: + +SSLParameters params = sslSocket.getSSLParameters(); +params.setProtocols(new String[] {"TLSv1.2"}); +sslSocket.setSSLParameters(params); + New in release OpenJDK 8u345 (2022-08-01): =========================================== Live versions of these release notes can be found at: @@ -32,7 +385,7 @@ versions of OpenJDK 8. As a result, we have reverted this change in New in release OpenJDK 8u342 (2022-07-19): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk8u342 + * https://bit.ly/openjdk8u342 * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u342.txt * Security fixes @@ -212,7 +565,7 @@ Live versions of these release notes can be found at: New in release OpenJDK 8u322 (2022-01-18): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk8u322 + * https://bit.ly/openjdk8u322 * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u322.txt * Security fixes diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java index 552bd0f..2967a32 100644 --- a/SOURCES/TestSecurityProperties.java +++ b/SOURCES/TestSecurityProperties.java @@ -1,3 +1,20 @@ +/* TestSecurityProperties -- Ensure system security properties can be used to + enable the crypto policies. + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ import java.io.File; import java.io.FileInputStream; import java.security.Security; diff --git a/SOURCES/TestTranslations.java b/SOURCES/TestTranslations.java new file mode 100644 index 0000000..199d765 --- /dev/null +++ b/SOURCES/TestTranslations.java @@ -0,0 +1,160 @@ +/* TestTranslations -- Ensure translations are available for new timezones + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.text.DateFormatSymbols; + +import java.time.ZoneId; +import java.time.format.TextStyle; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.Locale; +import java.util.Objects; +import java.util.TimeZone; + +public class TestTranslations { + + private static Map KYIV, CIUDAD_JUAREZ; + + static { + Map map = new HashMap(); + map.put(Locale.US, new String[] { "Eastern European Time", "GMT+02:00", "EET", + "Eastern European Summer Time", "GMT+03:00", "EEST", + "Eastern European Time", "GMT+02:00", "EET"}); + map.put(Locale.FRANCE, new String[] { "Heure d'Europe de l'Est", "UTC+02:00", "EET", + "Heure d'\u00e9t\u00e9 d'Europe de l'Est", "UTC+03:00", "EEST", + "Heure d'Europe de l'Est", "UTC+02:00", "EET"}); + map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Zeit", "OEZ", "OEZ", + "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", + "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); + KYIV = Collections.unmodifiableMap(map); + + map = new HashMap(); + map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST", + "Mountain Daylight Time", "MDT", "MDT", + "Mountain Time", "MT", "MT"}); + map.put(Locale.FRANCE, new String[] { "Heure normale des Rocheuses", "UTC\u221207:00", "MST", + "Heure avanc\u00e9e des Rocheuses", "UTC\u221206:00", "MDT", + "Rocheuses", "UTC\u221207:00", "MT"}); + map.put(Locale.GERMANY, new String[] { "Rocky Mountains Normalzeit", "GMT-07:00", "MST", + "Rocky Mountains Sommerzeit", "GMT-06:00", "MDT", + "Zeitzone Mountain", "GMT-07:00", "MT"}); + CIUDAD_JUAREZ = Collections.unmodifiableMap(map); + } + + + public static void main(String[] args) { + if (args.length < 1) { + System.err.println("Test must be started with the name of the locale provider."); + System.exit(1); + } + + System.out.println("Checking sanity of full zone string set..."); + boolean invalid = Arrays.stream(Locale.getAvailableLocales()) + .peek(l -> System.out.println("Locale: " + l)) + .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings()) + .flatMap(zs -> Arrays.stream(zs)) + .flatMap(names -> Arrays.stream(names)) + .filter(name -> Objects.isNull(name) || name.isEmpty()) + .findAny() + .isPresent(); + if (invalid) { + System.err.println("Zone string for a locale returned null or empty string"); + System.exit(2); + } + + String localeProvider = args[0]; + testZone(localeProvider, KYIV, + new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }); + testZone(localeProvider, CIUDAD_JUAREZ, + new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" }); + } + + private static void testZone(String localeProvider, Map exp, String[] ids) { + for (Locale l : exp.keySet()) { + String[] expected = exp.get(l); + System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected)); + for (String id : ids) { + String expectedShortStd = null; + String expectedShortDST = null; + String expectedShortGen = null; + + System.out.printf("Checking locale %s for %s...\n", l, id); + + if ("JRE".equals(localeProvider)) { + expectedShortStd = expected[2]; + expectedShortDST = expected[5]; + expectedShortGen = expected[8]; + } else if ("CLDR".equals(localeProvider)) { + expectedShortStd = expected[1]; + expectedShortDST = expected[4]; + expectedShortGen = expected[7]; + } else { + System.err.printf("Invalid locale provider %s\n", localeProvider); + System.exit(3); + } + System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n", + localeProvider, expectedShortStd, expectedShortDST, expectedShortGen); + + String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l); + String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l); + String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l); + String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l); + String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l); + String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l); + + if (!expected[0].equals(longStd)) { + System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", + id, l, longStd, expected[0]); + System.exit(4); + } + + if (!expectedShortStd.equals(shortStd)) { + System.err.printf("Short standard display name for %s in %s was %s, expected %s\n", + id, l, shortStd, expectedShortStd); + System.exit(5); + } + + if (!expected[3].equals(longDST)) { + System.err.printf("Long DST display name for %s in %s was %s, expected %s\n", + id, l, longDST, expected[3]); + System.exit(6); + } + + if (!expectedShortDST.equals(shortDST)) { + System.err.printf("Short DST display name for %s in %s was %s, expected %s\n", + id, l, shortDST, expectedShortDST); + System.exit(7); + } + + if (!expected[6].equals(longGen)) { + System.err.printf("Long generic display name for %s in %s was %s, expected %s\n", + id, l, longGen, expected[6]); + System.exit(8); + } + + if (!expectedShortGen.equals(shortGen)) { + System.err.printf("Short generic display name for %s in %s was %s, expected %s\n", + id, l, shortGen, expectedShortGen); + System.exit(9); + } + } + } + } +} diff --git a/SOURCES/fips-8u-6d1aade0648.patch b/SOURCES/fips-8u-6d1aade0648.patch new file mode 100644 index 0000000..58ab6e5 --- /dev/null +++ b/SOURCES/fips-8u-6d1aade0648.patch @@ -0,0 +1,2007 @@ +diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac +index 151e5a109f8..a8761b500e0 100644 +--- a/common/autoconf/configure.ac ++++ b/common/autoconf/configure.ac +@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE + LIB_SETUP_ALSA + LIB_SETUP_FONTCONFIG + LIB_SETUP_MISC_LIBS ++LIB_SETUP_SYSCONF_LIBS + LIB_SETUP_STATIC_LINK_LIBSTDCPP + LIB_SETUP_ON_WINDOWS + +diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh +index 71fabf4dbb3..17f4f50673d 100644 +--- a/common/autoconf/generated-configure.sh ++++ b/common/autoconf/generated-configure.sh +@@ -651,6 +651,9 @@ LLVM_CONFIG + LIBFFI_LIBS + LIBFFI_CFLAGS + STATIC_CXX_SETTING ++USE_SYSCONF_NSS ++NSS_LIBS ++NSS_CFLAGS + LIBDL + LIBM + LIBZIP_CAN_USE_MMAP +@@ -1111,6 +1114,7 @@ with_fontconfig + with_fontconfig_include + with_giflib + with_zlib ++enable_sysconf_nss + with_stdc__lib + with_msvcr_dll + with_msvcp_dll +@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS + FREETYPE_LIBS + ALSA_CFLAGS + ALSA_LIBS ++NSS_CFLAGS ++NSS_LIBS + LIBFFI_CFLAGS + LIBFFI_LIBS + CCACHE' +@@ -1871,6 +1877,8 @@ Optional Features: + disable bundling of the freetype library with the + build result [enabled on Windows or when using + --with-freetype, disabled otherwise] ++ --enable-sysconf-nss build the System Configurator (libsysconf) using the ++ system NSS library if available [disabled] + --enable-sjavac use sjavac to do fast incremental compiles + [disabled] + --disable-precompiled-headers +@@ -2115,6 +2123,8 @@ Some influential environment variables: + linker flags for FREETYPE, overriding pkg-config + ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config + ALSA_LIBS linker flags for ALSA, overriding pkg-config ++ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config ++ NSS_LIBS linker flags for NSS, overriding pkg-config + LIBFFI_CFLAGS + C compiler flags for LIBFFI, overriding pkg-config + LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config +@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + + } # ac_fn_c_check_header_compile ++ ++# ac_fn_c_try_link LINENO ++# ----------------------- ++# Try to link conftest.$ac_ext, and return whether this succeeded. ++ac_fn_c_try_link () ++{ ++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack ++ rm -f conftest.$ac_objext conftest$ac_exeext ++ if { { ac_try="$ac_link" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" ++$as_echo "$ac_try_echo"; } >&5 ++ (eval "$ac_link") 2>conftest.err ++ ac_status=$? ++ if test -s conftest.err; then ++ grep -v '^ *+' conftest.err >conftest.er1 ++ cat conftest.er1 >&5 ++ mv -f conftest.er1 conftest.err ++ fi ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest$ac_exeext && { ++ test "$cross_compiling" = yes || ++ test -x conftest$ac_exeext ++ }; then : ++ ac_retval=0 ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_retval=1 ++fi ++ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information ++ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would ++ # interfere with the next link command; also delete a directory that is ++ # left behind by Apple's compiler. We do this before executing the actions. ++ rm -rf conftest.dSYM conftest_ipa8_conftest.oo ++ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno ++ as_fn_set_status $ac_retval ++ ++} # ac_fn_c_try_link + cat >config.log <<_ACEOF + This file contains any messages produced by compilers while + running configure, to aid debugging if configure makes a mistake. +@@ -4049,6 +4105,11 @@ fi + + + ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++ ++ + # + # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. + # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +@@ -49304,6 +49365,157 @@ fi + LIBS="$save_LIBS" + + ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5 ++$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; } ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ # Check whether --enable-sysconf-nss was given. ++if test "${enable_sysconf_nss+set}" = set; then : ++ enableval=$enable_sysconf_nss; ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ++else ++ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ++fi ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5 ++$as_echo "$sysconf_nss" >&6; } ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ ++pkg_failed=no ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5 ++$as_echo_n "checking for NSS... " >&6; } ++ ++if test -n "$NSS_CFLAGS"; then ++ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS" ++ elif test -n "$PKG_CONFIG"; then ++ if test -n "$PKG_CONFIG" && \ ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 ++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; then ++ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null` ++else ++ pkg_failed=yes ++fi ++ else ++ pkg_failed=untried ++fi ++if test -n "$NSS_LIBS"; then ++ pkg_cv_NSS_LIBS="$NSS_LIBS" ++ elif test -n "$PKG_CONFIG"; then ++ if test -n "$PKG_CONFIG" && \ ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 ++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; then ++ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null` ++else ++ pkg_failed=yes ++fi ++ else ++ pkg_failed=untried ++fi ++ ++ ++ ++if test $pkg_failed = yes; then ++ ++if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then ++ _pkg_short_errors_supported=yes ++else ++ _pkg_short_errors_supported=no ++fi ++ if test $_pkg_short_errors_supported = yes; then ++ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1` ++ else ++ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1` ++ fi ++ # Put the nasty error message in config.log where it belongs ++ echo "$NSS_PKG_ERRORS" >&5 ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ NSS_FOUND=no ++elif test $pkg_failed = untried; then ++ NSS_FOUND=no ++else ++ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS ++ NSS_LIBS=$pkg_cv_NSS_LIBS ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++ NSS_FOUND=yes ++fi ++ if test "x${NSS_FOUND}" = "xyes"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5 ++$as_echo_n "checking for system FIPS support in NSS... " >&6; } ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ ac_ext=c ++ac_cpp='$CPP $CPPFLAGS' ++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ++ac_compiler_gnu=$ac_cv_c_compiler_gnu ++ ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++#include ++int ++main () ++{ ++SECMOD_GetSystemFIPSEnabled() ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_link "$LINENO"; then : ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5 ++fi ++rm -f core conftest.err conftest.$ac_objext \ ++ conftest$ac_exeext conftest.$ac_ext ++ ac_ext=cpp ++ac_cpp='$CXXCPP $CPPFLAGS' ++ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' ++ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ++ac_compiler_gnu=$ac_cv_cxx_compiler_gnu ++ ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5 ++ fi ++ fi ++ ++ ++ + ############################################################################### + # + # statically link libstdc++ before C++ ABI is stablized on Linux unless +diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4 +index 6efae578ea9..0080846255b 100644 +--- a/common/autoconf/libraries.m4 ++++ b/common/autoconf/libraries.m4 +@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS], + BASIC_DEPRECATED_ARG_WITH([dxsdk-include]) + fi + ]) ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in +index 506cf617087..7241593b1a4 100644 +--- a/common/autoconf/spec.gmk.in ++++ b/common/autoconf/spec.gmk.in +@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@ + ALSA_LIBS:=@ALSA_LIBS@ + ALSA_CFLAGS:=@ALSA_CFLAGS@ + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + PACKAGE_PATH=@PACKAGE_PATH@ + + # Source file for cacerts +diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl +index 3b79a526f56..d2a0e39b206 100644 +--- a/common/bin/compare_exceptions.sh.incl ++++ b/common/bin/compare_exceptions.sh.incl +@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" + ./jre/lib/i386/libsplashscreen.so + ./jre/lib/i386/libsunec.so + ./jre/lib/i386/libsunwjdga.so ++./jre/lib/i386/libsystemconf.so + ./jre/lib/i386/libt2k.so + ./jre/lib/i386/libunpack.so + ./jre/lib/i386/libverify.so +@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" + ./jre/lib/amd64/libsplashscreen.so + ./jre/lib/amd64/libsunec.so + ./jre/lib/amd64/libsunwjdga.so ++//jre/lib/amd64/libsystemconf.so + ./jre/lib/amd64/libt2k.so + ./jre/lib/amd64/libunpack.so + ./jre/lib/amd64/libverify.so +@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" + ./jre/lib/sparc/libsplashscreen.so + ./jre/lib/sparc/libsunec.so + ./jre/lib/sparc/libsunwjdga.so ++./jre/lib/sparc/libsystemconf.so + ./jre/lib/sparc/libt2k.so + ./jre/lib/sparc/libunpack.so + ./jre/lib/sparc/libverify.so +@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" + ./jre/lib/sparcv9/libsplashscreen.so + ./jre/lib/sparcv9/libsunec.so + ./jre/lib/sparcv9/libsunwjdga.so ++./jre/lib/sparcv9/libsystemconf.so + ./jre/lib/sparcv9/libt2k.so + ./jre/lib/sparcv9/libunpack.so + ./jre/lib/sparcv9/libverify.so +diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml +index d2beed0b93a..3b6aef98d9a 100644 +--- a/common/nb_native/nbproject/configurations.xml ++++ b/common/nb_native/nbproject/configurations.xml +@@ -53,6 +53,9 @@ + jvmtiEnterTrace.cpp + + ++ ++ systemconf.c ++ + + + +@@ -12772,6 +12775,11 @@ + tool="0" + flavor2="0"> + ++ ++ + Additional default values of security properties are read from a ++ * system-specific location, if available.

++ * + * @author Benjamin Renaud + */ + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -62,6 +72,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -78,6 +101,7 @@ public final class Security { + props = new Properties(); + boolean loadedProps = false; + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -93,6 +117,7 @@ public final class Security { + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -187,6 +212,61 @@ public final class Security { + } + } + ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps && systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } + } + + /* +diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..a24a0445db2 +--- /dev/null ++++ b/jdk/src/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,248 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ boolean systemSecPropsLoaded = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ systemSecPropsLoaded = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ return systemSecPropsLoaded; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws IOException { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..5c30a8b29c7 +--- /dev/null ++++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.misc; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java +index f065a2c685d..0dafe6f59cf 100644 +--- a/jdk/src/share/classes/sun/misc/SharedSecrets.java ++++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java +@@ -31,6 +31,7 @@ import java.io.Console; + import java.io.FileDescriptor; + import java.io.ObjectInputStream; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + import java.security.AccessController; +@@ -63,6 +64,7 @@ public class SharedSecrets { + private static JavaObjectInputStreamReadString javaObjectInputStreamReadString; + private static JavaObjectInputStreamAccess javaObjectInputStreamAccess; + private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static JavaUtilJarAccess javaUtilJarAccess() { + if (javaUtilJarAccess == null) { +@@ -248,4 +250,15 @@ public class SharedSecrets { + } + return javaxCryptoSealedObjectAccess; + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ unsafe.ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..14d19450390 +--- /dev/null ++++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,290 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.spec.DHPrivateKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static P11Key importerKey = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ private static CK_MECHANISM importerKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ ++ private static Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = P11ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_DH) { ++ if (debug != null) { ++ debug.println("Importing a Diffie-Hellman private key..."); ++ } ++ if (DHKF == null) { ++ DHKFLock.lock(); ++ try { ++ if (DHKF == null) { ++ DHKF = KeyFactory.getInstance( ++ "DH", P11Util.getSunJceProvider()); ++ } ++ } finally { ++ DHKFLock.unlock(); ++ } ++ } ++ DHPrivateKeySpec spec = new DHPrivateKeySpec ++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO); ++ keyBytes = DHKF.generatePrivate(spec).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), ++ null); ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ } ++ } ++} +diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java +index fedcd7743ef..f9d70863bd1 100644 +--- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -42,6 +45,8 @@ import javax.security.auth.callback.ConfirmationCallback; + import javax.security.auth.callback.PasswordCallback; + import javax.security.auth.callback.TextOutputCallback; + ++import sun.misc.SharedSecrets; ++ + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + +@@ -58,6 +63,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer initialization" + ++ " failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -309,10 +337,15 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -328,7 +361,7 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); + } + p11 = tmpPKCS11; + +@@ -368,6 +401,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException +diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 2e42d1d9fb0..1b7eed1c656 100644 +--- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; + import java.util.*; + + import java.security.AccessController; +@@ -145,18 +146,41 @@ public class PKCS11 { + this.pkcs11ModulePath = pkcs11ModulePath; + } + ++ /* ++ * Compatibility wrapper to allow this method to work as before ++ * when FIPS mode support is not active. ++ */ ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, ++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, ++ boolean omitInitialize) throws IOException, PKCS11Exception { ++ return getInstance(pkcs11ModulePath, functionList, ++ pInitArgs, omitInitialize, null); ++ } ++ + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1905,4 +1929,69 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++} + } +diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +index ffee2c1603b..98119479823 100644 +--- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java ++++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +@@ -33,8 +33,13 @@ import java.security.KeyStore.*; + + import javax.net.ssl.*; + ++import sun.misc.SharedSecrets; ++ + abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + X509ExtendedKeyManager keyManager; + boolean isInitialized; + +@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + KeyStoreException, NoSuchAlgorithmException, + UnrecoverableKeyException { + if ((ks != null) && SunJSSE.isFIPS()) { +- if (ks.getProvider() != SunJSSE.cryptoProvider) { ++ if (ks.getProvider() != SunJSSE.cryptoProvider && ++ !plainKeySupportEnabled) { + throw new KeyStoreException("FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); + } +@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + keyManager = new X509KeyManagerImpl( + Collections.emptyList()); + } else { +- if (SunJSSE.isFIPS() && +- (ks.getProvider() != SunJSSE.cryptoProvider)) { ++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) ++ && !plainKeySupportEnabled) { + throw new KeyStoreException( + "FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); +diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java +index 820e10164fc..6fe2c29389f 100644 +--- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java ++++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.cert.*; + import java.util.*; + import javax.net.ssl.*; ++import sun.misc.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -539,20 +540,38 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static { + if (SunJSSE.isFIPS()) { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- ); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); + +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, +@@ -612,6 +631,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static ProtocolVersion[] getSupportedProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +@@ -939,6 +968,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static ProtocolVersion[] getProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[]{ + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java +index 2845dc37938..52337a7b6cf 100644 +--- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java ++++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java +@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER; + + import java.security.*; + ++import sun.misc.SharedSecrets; ++ + /** + * The JSSE provider. + * +@@ -215,8 +217,13 @@ public abstract class SunJSSE extends java.security.Provider { + "sun.security.ssl.SSLContextImpl$TLS11Context"); + put("SSLContext.TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context"); +- put("SSLContext.TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context"); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ put("SSLContext.TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context"); ++ } + put("SSLContext.TLS", + "sun.security.ssl.SSLContextImpl$TLSContext"); + if (isfips == false) { +diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix +index 7a93d4e6b59..681a24b905d 100644 +--- a/jdk/src/share/lib/security/java.security-aix ++++ b/jdk/src/share/lib/security/java.security-aix +@@ -287,6 +287,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux +index 145a84f94cf..789c19a8cba 100644 +--- a/jdk/src/share/lib/security/java.security-linux ++++ b/jdk/src/share/lib/security/java.security-linux +@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider + security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI + security.provider.9=sun.security.smartcardio.SunPCSC + ++# ++# Security providers used when FIPS mode support is active ++# ++fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg ++fips.provider.2=sun.security.provider.Sun ++fips.provider.3=sun.security.ec.SunEC ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++ + # + # Sun Provider SecureRandom seed source. + # +@@ -170,6 +178,11 @@ policy.ignoreIdentityScope=false + # + keystore.type=jks + ++# ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=PKCS11 ++ + # + # Controls compatibility mode for the JKS keystore type. + # +@@ -287,6 +300,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx +index 35fa140d7a5..d4da666af3b 100644 +--- a/jdk/src/share/lib/security/java.security-macosx ++++ b/jdk/src/share/lib/security/java.security-macosx +@@ -290,6 +290,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris +index f79ba37ddb9..300132384a1 100644 +--- a/jdk/src/share/lib/security/java.security-solaris ++++ b/jdk/src/share/lib/security/java.security-solaris +@@ -288,6 +288,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows +index d70503ce95f..64db5a5cd1e 100644 +--- a/jdk/src/share/lib/security/java.security-windows ++++ b/jdk/src/share/lib/security/java.security-windows +@@ -290,6 +290,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c +new file mode 100644 +index 00000000000..8dcb7d9073f +--- /dev/null ++++ b/jdk/src/solaris/native/java/security/systemconf.c +@@ -0,0 +1,224 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} diff --git a/SOURCES/fips-8u-8e8bbf0ff74.patch b/SOURCES/fips-8u-8e8bbf0ff74.patch deleted file mode 100644 index 2379d45..0000000 --- a/SOURCES/fips-8u-8e8bbf0ff74.patch +++ /dev/null @@ -1,2007 +0,0 @@ -diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac -index 151e5a109f8..a8761b500e0 100644 ---- a/common/autoconf/configure.ac -+++ b/common/autoconf/configure.ac -@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE - LIB_SETUP_ALSA - LIB_SETUP_FONTCONFIG - LIB_SETUP_MISC_LIBS -+LIB_SETUP_SYSCONF_LIBS - LIB_SETUP_STATIC_LINK_LIBSTDCPP - LIB_SETUP_ON_WINDOWS - -diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh -index e77ce854dc5..ec6e9b27ca5 100644 ---- a/common/autoconf/generated-configure.sh -+++ b/common/autoconf/generated-configure.sh -@@ -651,6 +651,9 @@ LLVM_CONFIG - LIBFFI_LIBS - LIBFFI_CFLAGS - STATIC_CXX_SETTING -+USE_SYSCONF_NSS -+NSS_LIBS -+NSS_CFLAGS - LIBDL - LIBM - LIBZIP_CAN_USE_MMAP -@@ -1111,6 +1114,7 @@ with_fontconfig - with_fontconfig_include - with_giflib - with_zlib -+enable_sysconf_nss - with_stdc__lib - with_msvcr_dll - with_msvcp_dll -@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS - FREETYPE_LIBS - ALSA_CFLAGS - ALSA_LIBS -+NSS_CFLAGS -+NSS_LIBS - LIBFFI_CFLAGS - LIBFFI_LIBS - CCACHE' -@@ -1871,6 +1877,8 @@ Optional Features: - disable bundling of the freetype library with the - build result [enabled on Windows or when using - --with-freetype, disabled otherwise] -+ --enable-sysconf-nss build the System Configurator (libsysconf) using the -+ system NSS library if available [disabled] - --enable-sjavac use sjavac to do fast incremental compiles - [disabled] - --disable-precompiled-headers -@@ -2115,6 +2123,8 @@ Some influential environment variables: - linker flags for FREETYPE, overriding pkg-config - ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config - ALSA_LIBS linker flags for ALSA, overriding pkg-config -+ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config -+ NSS_LIBS linker flags for NSS, overriding pkg-config - LIBFFI_CFLAGS - C compiler flags for LIBFFI, overriding pkg-config - LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config -@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - - } # ac_fn_c_check_header_compile -+ -+# ac_fn_c_try_link LINENO -+# ----------------------- -+# Try to link conftest.$ac_ext, and return whether this succeeded. -+ac_fn_c_try_link () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ rm -f conftest.$ac_objext conftest$ac_exeext -+ if { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>conftest.err -+ ac_status=$? -+ if test -s conftest.err; then -+ grep -v '^ *+' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ mv -f conftest.er1 conftest.err -+ fi -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } && { -+ test -z "$ac_c_werror_flag" || -+ test ! -s conftest.err -+ } && test -s conftest$ac_exeext && { -+ test "$cross_compiling" = yes || -+ test -x conftest$ac_exeext -+ }; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=1 -+fi -+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information -+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would -+ # interfere with the next link command; also delete a directory that is -+ # left behind by Apple's compiler. We do this before executing the actions. -+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo -+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_link - cat >config.log <<_ACEOF - This file contains any messages produced by compilers while - running configure, to aid debugging if configure makes a mistake. -@@ -4049,6 +4105,11 @@ fi - - - -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+ -+ - # - # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. - # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -@@ -49290,6 +49351,157 @@ fi - LIBS="$save_LIBS" - - -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5 -+$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; } -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ # Check whether --enable-sysconf-nss was given. -+if test "${enable_sysconf_nss+set}" = set; then : -+ enableval=$enable_sysconf_nss; -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ -+else -+ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ -+fi -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5 -+$as_echo "$sysconf_nss" >&6; } -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ -+pkg_failed=no -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5 -+$as_echo_n "checking for NSS... " >&6; } -+ -+if test -n "$NSS_CFLAGS"; then -+ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS" -+ elif test -n "$PKG_CONFIG"; then -+ if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 -+ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then -+ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null` -+else -+ pkg_failed=yes -+fi -+ else -+ pkg_failed=untried -+fi -+if test -n "$NSS_LIBS"; then -+ pkg_cv_NSS_LIBS="$NSS_LIBS" -+ elif test -n "$PKG_CONFIG"; then -+ if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 -+ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then -+ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null` -+else -+ pkg_failed=yes -+fi -+ else -+ pkg_failed=untried -+fi -+ -+ -+ -+if test $pkg_failed = yes; then -+ -+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then -+ _pkg_short_errors_supported=yes -+else -+ _pkg_short_errors_supported=no -+fi -+ if test $_pkg_short_errors_supported = yes; then -+ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1` -+ else -+ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1` -+ fi -+ # Put the nasty error message in config.log where it belongs -+ echo "$NSS_PKG_ERRORS" >&5 -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ NSS_FOUND=no -+elif test $pkg_failed = untried; then -+ NSS_FOUND=no -+else -+ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS -+ NSS_LIBS=$pkg_cv_NSS_LIBS -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+ NSS_FOUND=yes -+fi -+ if test "x${NSS_FOUND}" = "xyes"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5 -+$as_echo_n "checking for system FIPS support in NSS... " >&6; } -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ ac_ext=c -+ac_cpp='$CPP $CPPFLAGS' -+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_c_compiler_gnu -+ -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+int -+main () -+{ -+SECMOD_GetSystemFIPSEnabled() -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then : -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5 -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+ ac_ext=cpp -+ac_cpp='$CXXCPP $CPPFLAGS' -+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu -+ -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5 -+ fi -+ fi -+ -+ -+ - ############################################################################### - # - # statically link libstdc++ before C++ ABI is stablized on Linux unless -diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4 -index 6efae578ea9..0080846255b 100644 ---- a/common/autoconf/libraries.m4 -+++ b/common/autoconf/libraries.m4 -@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS], - BASIC_DEPRECATED_ARG_WITH([dxsdk-include]) - fi - ]) -+ -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], -+[ -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ -+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], -+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ ], -+ [ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ ]) -+ AC_MSG_RESULT([$sysconf_nss]) -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) -+ if test "x${NSS_FOUND}" = "xyes"; then -+ AC_MSG_CHECKING([for system FIPS support in NSS]) -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ AC_LANG_PUSH([C]) -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -+ [[SECMOD_GetSystemFIPSEnabled()]])], -+ [AC_MSG_RESULT([yes])], -+ [AC_MSG_RESULT([no]) -+ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) -+ AC_LANG_POP([C]) -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API -+ dnl in nss3/pk11pub.h. -+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) -+ fi -+ fi -+ AC_SUBST(USE_SYSCONF_NSS) -+]) -diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in -index 506cf617087..7241593b1a4 100644 ---- a/common/autoconf/spec.gmk.in -+++ b/common/autoconf/spec.gmk.in -@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@ - ALSA_LIBS:=@ALSA_LIBS@ - ALSA_CFLAGS:=@ALSA_CFLAGS@ - -+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ -+ - PACKAGE_PATH=@PACKAGE_PATH@ - - # Source file for cacerts -diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl -index 3b79a526f56..d2a0e39b206 100644 ---- a/common/bin/compare_exceptions.sh.incl -+++ b/common/bin/compare_exceptions.sh.incl -@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" - ./jre/lib/i386/libsplashscreen.so - ./jre/lib/i386/libsunec.so - ./jre/lib/i386/libsunwjdga.so -+./jre/lib/i386/libsystemconf.so - ./jre/lib/i386/libt2k.so - ./jre/lib/i386/libunpack.so - ./jre/lib/i386/libverify.so -@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" - ./jre/lib/amd64/libsplashscreen.so - ./jre/lib/amd64/libsunec.so - ./jre/lib/amd64/libsunwjdga.so -+//jre/lib/amd64/libsystemconf.so - ./jre/lib/amd64/libt2k.so - ./jre/lib/amd64/libunpack.so - ./jre/lib/amd64/libverify.so -@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" - ./jre/lib/sparc/libsplashscreen.so - ./jre/lib/sparc/libsunec.so - ./jre/lib/sparc/libsunwjdga.so -+./jre/lib/sparc/libsystemconf.so - ./jre/lib/sparc/libt2k.so - ./jre/lib/sparc/libunpack.so - ./jre/lib/sparc/libverify.so -@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" - ./jre/lib/sparcv9/libsplashscreen.so - ./jre/lib/sparcv9/libsunec.so - ./jre/lib/sparcv9/libsunwjdga.so -+./jre/lib/sparcv9/libsystemconf.so - ./jre/lib/sparcv9/libt2k.so - ./jre/lib/sparcv9/libunpack.so - ./jre/lib/sparcv9/libverify.so -diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml -index d2beed0b93a..3b6aef98d9a 100644 ---- a/common/nb_native/nbproject/configurations.xml -+++ b/common/nb_native/nbproject/configurations.xml -@@ -53,6 +53,9 @@ - jvmtiEnterTrace.cpp - - -+ -+ systemconf.c -+ - - - -@@ -12772,6 +12775,11 @@ - tool="0" - flavor2="0"> - -+ -+ - Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ * - * @author Benjamin Renaud - */ - - public final class Security { - -+ private static final String SYS_PROP_SWITCH = -+ "java.security.disableSystemPropertiesFile"; -+ private static final String SEC_PROP_SWITCH = -+ "security.useSystemPropertiesFile"; -+ - /* Are we debugging? -- for developers */ - private static final Debug sdebug = - Debug.getInstance("properties"); -@@ -62,6 +72,19 @@ public final class Security { - } - - static { -+ // Initialise here as used by code with system properties disabled -+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -+ new JavaSecuritySystemConfiguratorAccess() { -+ @Override -+ public boolean isSystemFipsEnabled() { -+ return SystemConfigurator.isSystemFipsEnabled(); -+ } -+ @Override -+ public boolean isPlainKeySupportEnabled() { -+ return SystemConfigurator.isPlainKeySupportEnabled(); -+ } -+ }); -+ - // doPrivileged here because there are multiple - // things in initialize that might require privs. - // (the FileInputStream call and the File.exists call, -@@ -78,6 +101,7 @@ public final class Security { - props = new Properties(); - boolean loadedProps = false; - boolean overrideAll = false; -+ boolean systemSecPropsEnabled = false; - - // first load the system properties file - // to determine the value of security.overridePropertiesFile -@@ -93,6 +117,7 @@ public final class Security { - if (sdebug != null) { - sdebug.println("reading security properties file: " + - propFile); -+ sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { -@@ -187,6 +212,61 @@ public final class Security { - } - } - -+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); -+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); -+ if (sdebug != null) { -+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); -+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); -+ } -+ if (!sysUseProps && secUseProps) { -+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); -+ if (!systemSecPropsEnabled) { -+ if (sdebug != null) { -+ sdebug.println("WARNING: System security properties could not be loaded."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("System security property support disabled by user."); -+ } -+ } -+ -+ // FIPS support depends on the contents of java.security so -+ // ensure it has loaded first -+ if (loadedProps && systemSecPropsEnabled) { -+ boolean shouldEnable; -+ String sysProp = System.getProperty("com.redhat.fips"); -+ if (sysProp == null) { -+ shouldEnable = true; -+ if (sdebug != null) { -+ sdebug.println("com.redhat.fips unset, using default value of true"); -+ } -+ } else { -+ shouldEnable = Boolean.valueOf(sysProp); -+ if (sdebug != null) { -+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); -+ } -+ } -+ if (shouldEnable) { -+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); -+ if (sdebug != null) { -+ if (fipsEnabled) { -+ sdebug.println("FIPS mode support configured and enabled."); -+ } else { -+ sdebug.println("FIPS mode support disabled."); -+ } -+ } -+ } else { -+ if (sdebug != null ) { -+ sdebug.println("FIPS mode support disabled by user."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("WARNING: FIPS mode support can not be enabled without " + -+ "system security properties being enabled."); -+ } -+ } - } - - /* -diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java -new file mode 100644 -index 00000000000..a24a0445db2 ---- /dev/null -+++ b/jdk/src/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,248 @@ -+/* -+ * Copyright (c) 2019, 2021, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package java.security; -+ -+import java.io.BufferedInputStream; -+import java.io.FileInputStream; -+import java.io.IOException; -+ -+import java.util.Iterator; -+import java.util.Map.Entry; -+import java.util.Properties; -+ -+import sun.security.util.Debug; -+ -+/** -+ * Internal class to align OpenJDK with global crypto-policies. -+ * Called from java.security.Security class initialization, -+ * during startup. -+ * -+ */ -+ -+final class SystemConfigurator { -+ -+ private static final Debug sdebug = -+ Debug.getInstance("properties"); -+ -+ private static final String CRYPTO_POLICIES_BASE_DIR = -+ "/etc/crypto-policies"; -+ -+ private static final String CRYPTO_POLICIES_JAVA_CONFIG = -+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; -+ -+ private static boolean systemFipsEnabled = false; -+ private static boolean plainKeySupportEnabled = false; -+ -+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; -+ -+ private static native boolean getSystemFIPSEnabled() -+ throws IOException; -+ -+ static { -+ AccessController.doPrivileged(new PrivilegedAction() { -+ public Void run() { -+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); -+ return null; -+ } -+ }); -+ } -+ -+ /* -+ * Invoked when java.security.Security class is initialized, if -+ * java.security.disableSystemPropertiesFile property is not set and -+ * security.useSystemPropertiesFile is true. -+ */ -+ static boolean configureSysProps(Properties props) { -+ boolean systemSecPropsLoaded = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ systemSecPropsLoaded = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ return systemSecPropsLoaded; -+ } -+ -+ /* -+ * Invoked at the end of java.security.Security initialisation -+ * if java.security properties have been loaded -+ */ -+ static boolean configureFIPS(Properties props) { -+ boolean loadedProps = false; -+ -+ try { -+ if (enableFips()) { -+ if (sdebug != null) { sdebug.println("FIPS mode detected"); } -+ // Remove all security providers -+ Iterator> i = props.entrySet().iterator(); -+ while (i.hasNext()) { -+ Entry e = i.next(); -+ if (((String) e.getKey()).startsWith("security.provider")) { -+ if (sdebug != null) { sdebug.println("Removing provider: " + e); } -+ i.remove(); -+ } -+ } -+ // Add FIPS security providers -+ String fipsProviderValue = null; -+ for (int n = 1; -+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { -+ String fipsProviderKey = "security.provider." + n; -+ if (sdebug != null) { -+ sdebug.println("Adding provider " + n + ": " + -+ fipsProviderKey + "=" + fipsProviderValue); -+ } -+ props.put(fipsProviderKey, fipsProviderValue); -+ } -+ // Add other security properties -+ String keystoreTypeValue = (String) props.get("fips.keystore.type"); -+ if (keystoreTypeValue != null) { -+ String nonFipsKeystoreType = props.getProperty("keystore.type"); -+ props.put("keystore.type", keystoreTypeValue); -+ if (keystoreTypeValue.equals("PKCS11")) { -+ // If keystore.type is PKCS11, javax.net.ssl.keyStore -+ // must be "NONE". See JDK-8238264. -+ System.setProperty("javax.net.ssl.keyStore", "NONE"); -+ } -+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { -+ // If no trustStoreType has been set, use the -+ // previous keystore.type under FIPS mode. In -+ // a default configuration, the Trust Store will -+ // be 'cacerts' (JKS type). -+ System.setProperty("javax.net.ssl.trustStoreType", -+ nonFipsKeystoreType); -+ } -+ if (sdebug != null) { -+ sdebug.println("FIPS mode default keystore.type = " + -+ keystoreTypeValue); -+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -+ System.getProperty("javax.net.ssl.keyStore", "")); -+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + -+ System.getProperty("javax.net.ssl.trustStoreType", "")); -+ } -+ } -+ loadedProps = true; -+ systemFipsEnabled = true; -+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", -+ "true"); -+ plainKeySupportEnabled = !"false".equals(plainKeySupport); -+ if (sdebug != null) { -+ if (plainKeySupportEnabled) { -+ sdebug.println("FIPS support enabled with plain key support"); -+ } else { -+ sdebug.println("FIPS support enabled without plain key support"); -+ } -+ } -+ } else { -+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } -+ } -+ } catch (Exception e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load FIPS configuration"); -+ e.printStackTrace(); -+ } -+ } -+ return loadedProps; -+ } -+ -+ /** -+ * Returns whether or not global system FIPS alignment is enabled. -+ * -+ * Value is always 'false' before java.security.Security class is -+ * initialized. -+ * -+ * Call from out of this package through SharedSecrets: -+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ * .isSystemFipsEnabled(); -+ * -+ * @return a boolean value indicating whether or not global -+ * system FIPS alignment is enabled. -+ */ -+ static boolean isSystemFipsEnabled() { -+ return systemFipsEnabled; -+ } -+ -+ /** -+ * Returns {@code true} if system FIPS alignment is enabled -+ * and plain key support is allowed. Plain key support is -+ * enabled by default but can be disabled with -+ * {@code -Dcom.redhat.fips.plainKeySupport=false}. -+ * -+ * @return a boolean indicating whether plain key support -+ * should be enabled. -+ */ -+ static boolean isPlainKeySupportEnabled() { -+ return plainKeySupportEnabled; -+ } -+ -+ /** -+ * Determines whether FIPS mode should be enabled. -+ * -+ * OpenJDK FIPS mode will be enabled only if the system is in -+ * FIPS mode. -+ * -+ * Calls to this method only occur if the system property -+ * com.redhat.fips is not set to false. -+ * -+ * There are 2 possible ways in which OpenJDK detects that the system -+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is -+ * available at OpenJDK's built-time, it is called; 2) otherwise, the -+ * /proc/sys/crypto/fips_enabled file is read. -+ * -+ * @return true if the system is in FIPS mode -+ */ -+ private static boolean enableFips() throws IOException { -+ if (sdebug != null) { -+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); -+ } -+ try { -+ boolean fipsEnabled = getSystemFIPSEnabled(); -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " -+ + fipsEnabled); -+ } -+ return fipsEnabled; -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); -+ sdebug.println(e.getMessage()); -+ } -+ throw e; -+ } -+ } -+} -diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java -new file mode 100644 -index 00000000000..5c30a8b29c7 ---- /dev/null -+++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java -@@ -0,0 +1,31 @@ -+/* -+ * Copyright (c) 2020, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.misc; -+ -+public interface JavaSecuritySystemConfiguratorAccess { -+ boolean isSystemFipsEnabled(); -+ boolean isPlainKeySupportEnabled(); -+} -diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java -index f065a2c685d..0dafe6f59cf 100644 ---- a/jdk/src/share/classes/sun/misc/SharedSecrets.java -+++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java -@@ -31,6 +31,7 @@ import java.io.Console; - import java.io.FileDescriptor; - import java.io.ObjectInputStream; - import java.security.ProtectionDomain; -+import java.security.Security; - import java.security.Signature; - - import java.security.AccessController; -@@ -63,6 +64,7 @@ public class SharedSecrets { - private static JavaObjectInputStreamReadString javaObjectInputStreamReadString; - private static JavaObjectInputStreamAccess javaObjectInputStreamAccess; - private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; -+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; - - public static JavaUtilJarAccess javaUtilJarAccess() { - if (javaUtilJarAccess == null) { -@@ -248,4 +250,15 @@ public class SharedSecrets { - } - return javaxCryptoSealedObjectAccess; - } -+ -+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { -+ javaSecuritySystemConfiguratorAccess = jssca; -+ } -+ -+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { -+ if (javaSecuritySystemConfiguratorAccess == null) { -+ unsafe.ensureClassInitialized(Security.class); -+ } -+ return javaSecuritySystemConfiguratorAccess; -+ } - } -diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -new file mode 100644 -index 00000000000..14d19450390 ---- /dev/null -+++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,290 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.security.pkcs11; -+ -+import java.math.BigInteger; -+import java.security.KeyFactory; -+import java.security.Provider; -+import java.security.Security; -+import java.util.HashMap; -+import java.util.Map; -+import java.util.concurrent.locks.ReentrantLock; -+ -+import javax.crypto.Cipher; -+import javax.crypto.spec.DHPrivateKeySpec; -+import javax.crypto.spec.IvParameterSpec; -+ -+import sun.security.jca.JCAUtil; -+import sun.security.pkcs11.TemplateManager; -+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; -+import sun.security.pkcs11.wrapper.CK_MECHANISM; -+import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -+import sun.security.pkcs11.wrapper.PKCS11Exception; -+import sun.security.rsa.RSAUtil.KeyType; -+import sun.security.util.Debug; -+import sun.security.util.ECUtil; -+ -+final class FIPSKeyImporter { -+ -+ private static final Debug debug = -+ Debug.getInstance("sunpkcs11"); -+ -+ private static P11Key importerKey = null; -+ private static final ReentrantLock importerKeyLock = new ReentrantLock(); -+ private static CK_MECHANISM importerKeyMechanism = null; -+ private static Cipher importerCipher = null; -+ -+ private static Provider sunECProvider = null; -+ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); -+ -+ private static KeyFactory DHKF = null; -+ private static final ReentrantLock DHKFLock = new ReentrantLock(); -+ -+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) -+ throws PKCS11Exception { -+ long keyID = -1; -+ Token token = sunPKCS11.getToken(); -+ if (debug != null) { -+ debug.println("Private or Secret key will be imported in" + -+ " system FIPS mode."); -+ } -+ if (importerKey == null) { -+ importerKeyLock.lock(); -+ try { -+ if (importerKey == null) { -+ if (importerKeyMechanism == null) { -+ // Importer Key creation has not been tried yet. Try it. -+ createImporterKey(token); -+ } -+ if (importerKey == null || importerCipher == null) { -+ if (debug != null) { -+ debug.println("Importer Key could not be" + -+ " generated."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ if (debug != null) { -+ debug.println("Importer Key successfully" + -+ " generated."); -+ } -+ } -+ } finally { -+ importerKeyLock.unlock(); -+ } -+ } -+ long importerKeyID = importerKey.getKeyID(); -+ try { -+ byte[] keyBytes = null; -+ byte[] encKeyBytes = null; -+ long keyClass = 0L; -+ long keyType = 0L; -+ Map attrsMap = new HashMap<>(); -+ for (CK_ATTRIBUTE attr : attributes) { -+ if (attr.type == CKA_CLASS) { -+ keyClass = attr.getLong(); -+ } else if (attr.type == CKA_KEY_TYPE) { -+ keyType = attr.getLong(); -+ } -+ attrsMap.put(attr.type, attr); -+ } -+ BigInteger v = null; -+ if (keyClass == CKO_PRIVATE_KEY) { -+ if (keyType == CKK_RSA) { -+ if (debug != null) { -+ debug.println("Importing an RSA private key..."); -+ } -+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( -+ KeyType.RSA, -+ null, -+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ } else if (keyType == CKK_DSA) { -+ if (debug != null) { -+ debug.println("Importing a DSA private key..."); -+ } -+ keyBytes = new sun.security.provider.DSAPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_EC) { -+ if (debug != null) { -+ debug.println("Importing an EC private key..."); -+ } -+ if (sunECProvider == null) { -+ sunECProviderLock.lock(); -+ try { -+ if (sunECProvider == null) { -+ sunECProvider = Security.getProvider("SunEC"); -+ } -+ } finally { -+ sunECProviderLock.unlock(); -+ } -+ } -+ keyBytes = P11ECUtil.generateECPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ECUtil.getECParameterSpec(sunECProvider, -+ attrsMap.get(CKA_EC_PARAMS).getByteArray())) -+ .getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_DH) { -+ if (debug != null) { -+ debug.println("Importing a Diffie-Hellman private key..."); -+ } -+ if (DHKF == null) { -+ DHKFLock.lock(); -+ try { -+ if (DHKF == null) { -+ DHKF = KeyFactory.getInstance( -+ "DH", P11Util.getSunJceProvider()); -+ } -+ } finally { -+ DHKFLock.unlock(); -+ } -+ } -+ DHPrivateKeySpec spec = new DHPrivateKeySpec -+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO); -+ keyBytes = DHKF.generatePrivate(spec).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else { -+ if (debug != null) { -+ debug.println("Unrecognized private key type."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } else if (keyClass == CKO_SECRET_KEY) { -+ if (debug != null) { -+ debug.println("Importing a secret key..."); -+ } -+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); -+ } -+ if (keyBytes == null || keyBytes.length == 0) { -+ if (debug != null) { -+ debug.println("Private or secret key plain bytes could" + -+ " not be obtained. Import failed."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, -+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), -+ null); -+ attributes = new CK_ATTRIBUTE[attrsMap.size()]; -+ attrsMap.values().toArray(attributes); -+ encKeyBytes = importerCipher.doFinal(keyBytes); -+ attributes = token.getAttributes(TemplateManager.O_IMPORT, -+ keyClass, keyType, attributes); -+ keyID = token.p11.C_UnwrapKey(hSession, -+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); -+ if (debug != null) { -+ debug.println("Imported key ID: " + keyID); -+ } -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } finally { -+ importerKey.releaseKeyID(); -+ } -+ return Long.valueOf(keyID); -+ } -+ -+ private static void createImporterKey(Token token) { -+ if (debug != null) { -+ debug.println("Generating Importer Key..."); -+ } -+ byte[] iv = new byte[16]; -+ JCAUtil.getSecureRandom().nextBytes(iv); -+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); -+ try { -+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, -+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { -+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), -+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); -+ Session s = null; -+ try { -+ s = token.getObjSession(); -+ long keyID = token.p11.C_GenerateKey( -+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), -+ attributes); -+ if (debug != null) { -+ debug.println("Importer Key ID: " + keyID); -+ } -+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", -+ 256 >> 3, null); -+ } catch (PKCS11Exception e) { -+ // best effort -+ } finally { -+ token.releaseSession(s); -+ } -+ if (importerKey != null) { -+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -+ } -+ } catch (Throwable t) { -+ // best effort -+ importerKey = null; -+ importerCipher = null; -+ // importerKeyMechanism value is kept initialized to indicate that -+ // Importer Key creation has been tried and failed. -+ } -+ } -+} -diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java -index fedcd7743ef..f9d70863bd1 100644 ---- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java -+++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -26,6 +26,9 @@ - package sun.security.pkcs11; - - import java.io.*; -+import java.lang.invoke.MethodHandle; -+import java.lang.invoke.MethodHandles; -+import java.lang.invoke.MethodType; - import java.util.*; - - import java.security.*; -@@ -42,6 +45,8 @@ import javax.security.auth.callback.ConfirmationCallback; - import javax.security.auth.callback.PasswordCallback; - import javax.security.auth.callback.TextOutputCallback; - -+import sun.misc.SharedSecrets; -+ - import sun.security.util.Debug; - import sun.security.util.ResourcesMgr; - -@@ -58,6 +63,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - */ - public final class SunPKCS11 extends AuthProvider { - -+ private static final boolean systemFipsEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); -+ -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ -+ private static final MethodHandle fipsImportKey; -+ static { -+ MethodHandle fipsImportKeyTmp = null; -+ if (plainKeySupportEnabled) { -+ try { -+ fipsImportKeyTmp = MethodHandles.lookup().findStatic( -+ FIPSKeyImporter.class, "importKey", -+ MethodType.methodType(Long.class, SunPKCS11.class, -+ long.class, CK_ATTRIBUTE[].class)); -+ } catch (Throwable t) { -+ throw new SecurityException("FIPS key importer initialization" + -+ " failed", t); -+ } -+ } -+ fipsImportKey = fipsImportKeyTmp; -+ } -+ - private static final long serialVersionUID = -1354835039035306505L; - - static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -309,10 +337,15 @@ public final class SunPKCS11 extends AuthProvider { - // request multithreaded access first - initArgs.flags = CKF_OS_LOCKING_OK; - PKCS11 tmpPKCS11; -+ MethodHandle fipsKeyImporter = null; -+ if (plainKeySupportEnabled) { -+ fipsKeyImporter = MethodHandles.insertArguments( -+ fipsImportKey, 0, this); -+ } - try { - tmpPKCS11 = PKCS11.getInstance( - library, functionList, initArgs, -- config.getOmitInitialize()); -+ config.getOmitInitialize(), fipsKeyImporter); - } catch (PKCS11Exception e) { - if (debug != null) { - debug.println("Multi-threaded initialization failed: " + e); -@@ -328,7 +361,7 @@ public final class SunPKCS11 extends AuthProvider { - initArgs.flags = 0; - } - tmpPKCS11 = PKCS11.getInstance(library, -- functionList, initArgs, config.getOmitInitialize()); -+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); - } - p11 = tmpPKCS11; - -@@ -368,6 +401,24 @@ public final class SunPKCS11 extends AuthProvider { - if (nssModule != null) { - nssModule.setProvider(this); - } -+ if (systemFipsEnabled) { -+ // The NSS Software Token in FIPS 140-2 mode requires a user -+ // login for most operations. See sftk_fipsCheck. The NSS DB -+ // (/etc/pki/nssdb) PIN is empty. -+ Session session = null; -+ try { -+ session = token.getOpSession(); -+ p11.C_Login(session.id(), CKU_USER, new char[] {}); -+ } catch (PKCS11Exception p11e) { -+ if (debug != null) { -+ debug.println("Error during token login: " + -+ p11e.getMessage()); -+ } -+ throw p11e; -+ } finally { -+ token.releaseSession(session); -+ } -+ } - } catch (Exception e) { - if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { - throw new UnsupportedOperationException -diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 2e42d1d9fb0..1b7eed1c656 100644 ---- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -+++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; - - import java.io.File; - import java.io.IOException; -+import java.lang.invoke.MethodHandle; - import java.util.*; - - import java.security.AccessController; -@@ -145,18 +146,41 @@ public class PKCS11 { - this.pkcs11ModulePath = pkcs11ModulePath; - } - -+ /* -+ * Compatibility wrapper to allow this method to work as before -+ * when FIPS mode support is not active. -+ */ -+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, -+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -+ boolean omitInitialize) throws IOException, PKCS11Exception { -+ return getInstance(pkcs11ModulePath, functionList, -+ pInitArgs, omitInitialize, null); -+ } -+ - public static synchronized PKCS11 getInstance(String pkcs11ModulePath, - String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -- boolean omitInitialize) throws IOException, PKCS11Exception { -+ boolean omitInitialize, MethodHandle fipsKeyImporter) -+ throws IOException, PKCS11Exception { - // we may only call C_Initialize once per native .so/.dll - // so keep a cache using the (non-canonicalized!) path - PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); - if (pkcs11 == null) { -+ boolean nssFipsMode = fipsKeyImporter != null; - if ((pInitArgs != null) - && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { -- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, -+ fipsKeyImporter); -+ } else { -+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ } - } else { -- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, -+ functionList, fipsKeyImporter); -+ } else { -+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ } - } - if (omitInitialize == false) { - try { -@@ -1905,4 +1929,69 @@ static class SynchronizedPKCS11 extends PKCS11 { - super.C_GenerateRandom(hSession, randomData); - } - } -+ -+// PKCS11 subclass that allows using plain private or secret keys in -+// FIPS-configured NSS Software Tokens. Only used when System FIPS -+// is enabled. -+static class FIPSPKCS11 extends PKCS11 { -+ private MethodHandle fipsKeyImporter; -+ FIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // Creating sensitive key objects from plain key material in a -+ // FIPS-configured NSS Software Token is not allowed. We apply -+ // a key-unwrapping scheme to achieve so. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+// FIPSPKCS11 synchronized counterpart. -+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { -+ private MethodHandle fipsKeyImporter; -+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // See FIPSPKCS11::C_CreateObject. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+private static class FIPSPKCS11Helper { -+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { -+ for (CK_ATTRIBUTE attr : pTemplate) { -+ if (attr.type == CKA_CLASS && -+ (attr.getLong() == CKO_PRIVATE_KEY || -+ attr.getLong() == CKO_SECRET_KEY)) { -+ return true; -+ } -+ } -+ return false; -+ } -+} - } -diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -index ffee2c1603b..98119479823 100644 ---- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -+++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -@@ -33,8 +33,13 @@ import java.security.KeyStore.*; - - import javax.net.ssl.*; - -+import sun.misc.SharedSecrets; -+ - abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ - X509ExtendedKeyManager keyManager; - boolean isInitialized; - -@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - KeyStoreException, NoSuchAlgorithmException, - UnrecoverableKeyException { - if ((ks != null) && SunJSSE.isFIPS()) { -- if (ks.getProvider() != SunJSSE.cryptoProvider) { -+ if (ks.getProvider() != SunJSSE.cryptoProvider && -+ !plainKeySupportEnabled) { - throw new KeyStoreException("FIPS mode: KeyStore must be " - + "from provider " + SunJSSE.cryptoProvider.getName()); - } -@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - keyManager = new X509KeyManagerImpl( - Collections.emptyList()); - } else { -- if (SunJSSE.isFIPS() && -- (ks.getProvider() != SunJSSE.cryptoProvider)) { -+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) -+ && !plainKeySupportEnabled) { - throw new KeyStoreException( - "FIPS mode: KeyStore must be " + - "from provider " + SunJSSE.cryptoProvider.getName()); -diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java -index cd0e9e98df9..fba760187c0 100644 ---- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java -+++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java -@@ -31,6 +31,7 @@ import java.security.*; - import java.security.cert.*; - import java.util.*; - import javax.net.ssl.*; -+import sun.misc.SharedSecrets; - import sun.security.action.GetPropertyAction; - import sun.security.provider.certpath.AlgorithmChecker; - import sun.security.validator.Validator; -@@ -539,20 +540,38 @@ public abstract class SSLContextImpl extends SSLContextSpi { - - static { - if (SunJSSE.isFIPS()) { -- supportedProtocols = Arrays.asList( -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- ); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); - -- serverDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } - } else { - supportedProtocols = Arrays.asList( - ProtocolVersion.TLS13, -@@ -612,6 +631,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { - - static ProtocolVersion[] getSupportedProtocols() { - if (SunJSSE.isFIPS()) { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ return new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - return new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, -@@ -939,6 +968,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { - - static ProtocolVersion[] getProtocols() { - if (SunJSSE.isFIPS()) { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ return new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - return new ProtocolVersion[]{ - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, -diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java -index 2845dc37938..52337a7b6cf 100644 ---- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java -+++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java -@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER; - - import java.security.*; - -+import sun.misc.SharedSecrets; -+ - /** - * The JSSE provider. - * -@@ -215,8 +217,13 @@ public abstract class SunJSSE extends java.security.Provider { - "sun.security.ssl.SSLContextImpl$TLS11Context"); - put("SSLContext.TLSv1.2", - "sun.security.ssl.SSLContextImpl$TLS12Context"); -- put("SSLContext.TLSv1.3", -- "sun.security.ssl.SSLContextImpl$TLS13Context"); -+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ put("SSLContext.TLSv1.3", -+ "sun.security.ssl.SSLContextImpl$TLS13Context"); -+ } - put("SSLContext.TLS", - "sun.security.ssl.SSLContextImpl$TLSContext"); - if (isfips == false) { -diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix -index d3d64b3facd..bfe0c593adb 100644 ---- a/jdk/src/share/lib/security/java.security-aix -+++ b/jdk/src/share/lib/security/java.security-aix -@@ -287,6 +287,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux -index db610d4bfbb..9d1c8fe8a8e 100644 ---- a/jdk/src/share/lib/security/java.security-linux -+++ b/jdk/src/share/lib/security/java.security-linux -@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider - security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI - security.provider.9=sun.security.smartcardio.SunPCSC - -+# -+# Security providers used when FIPS mode support is active -+# -+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg -+fips.provider.2=sun.security.provider.Sun -+fips.provider.3=sun.security.ec.SunEC -+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS -+ - # - # Sun Provider SecureRandom seed source. - # -@@ -170,6 +178,11 @@ policy.ignoreIdentityScope=false - # - keystore.type=jks - -+# -+# Default keystore type used when global crypto-policies are set to FIPS. -+# -+fips.keystore.type=PKCS11 -+ - # - # Controls compatibility mode for the JKS keystore type. - # -@@ -287,6 +300,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx -index a919ba3d5cd..19047c61097 100644 ---- a/jdk/src/share/lib/security/java.security-macosx -+++ b/jdk/src/share/lib/security/java.security-macosx -@@ -290,6 +290,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris -index 86265ba5fb6..7eda556ae13 100644 ---- a/jdk/src/share/lib/security/java.security-solaris -+++ b/jdk/src/share/lib/security/java.security-solaris -@@ -288,6 +288,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows -index 9b4bda23cbe..dfa1a669aa9 100644 ---- a/jdk/src/share/lib/security/java.security-windows -+++ b/jdk/src/share/lib/security/java.security-windows -@@ -290,6 +290,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c -new file mode 100644 -index 00000000000..8dcb7d9073f ---- /dev/null -+++ b/jdk/src/solaris/native/java/security/systemconf.c -@@ -0,0 +1,224 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+#include -+#include -+#include "jvm_md.h" -+#include -+ -+#ifdef SYSCONF_NSS -+#include -+#else -+#include -+#endif //SYSCONF_NSS -+ -+#include "java_security_SystemConfigurator.h" -+ -+#define MSG_MAX_SIZE 256 -+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" -+ -+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); -+ -+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; -+static jmethodID debugPrintlnMethodID = NULL; -+static jobject debugObj = NULL; -+ -+static void dbgPrint(JNIEnv *env, const char* msg) -+{ -+ jstring jMsg; -+ if (debugObj != NULL) { -+ jMsg = (*env)->NewStringUTF(env, msg); -+ CHECK_NULL(jMsg); -+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); -+ } -+} -+ -+static void throwIOException(JNIEnv *env, const char *msg) -+{ -+ jclass cls = (*env)->FindClass(env, "java/io/IOException"); -+ if (cls != 0) -+ (*env)->ThrowNew(env, cls, msg); -+} -+ -+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) -+{ -+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { -+ dbgPrint(env, msg); -+ } else { -+ dbgPrint(env, "systemconf: cannot render message"); -+ } -+} -+ -+// Only used when NSS is not linked at build time -+#ifndef SYSCONF_NSS -+ -+static void *nss_handle; -+ -+static jboolean loadNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); -+ if (nss_handle == NULL) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ dlerror(); /* Clear errors */ -+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); -+ if ((errmsg = dlerror()) != NULL) { -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ return JNI_TRUE; -+} -+ -+static void closeNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ if (dlclose(nss_handle) != 0) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ } -+} -+ -+#endif -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnLoad -+ */ -+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ jclass sysConfCls, debugCls; -+ jfieldID sdebugFld; -+ -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return JNI_EVERSION; /* JNI version not supported */ -+ } -+ -+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); -+ if (sysConfCls == NULL) { -+ printf("libsystemconf: SystemConfigurator class not found\n"); -+ return JNI_ERR; -+ } -+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, -+ "sdebug", "Lsun/security/util/Debug;"); -+ if (sdebugFld == NULL) { -+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); -+ if (debugObj != NULL) { -+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); -+ if (debugCls == NULL) { -+ printf("libsystemconf: Debug class not found\n"); -+ return JNI_ERR; -+ } -+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, -+ "println", "(Ljava/lang/String;)V"); -+ if (debugPrintlnMethodID == NULL) { -+ printf("libsystemconf: Debug::println(String) method not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->NewGlobalRef(env, debugObj); -+ } -+ -+#ifdef SYSCONF_NSS -+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; -+#else -+ if (loadNSS(env) == JNI_FALSE) { -+ dbgPrint(env, "libsystemconf: Failed to load NSS library."); -+ } -+#endif -+ -+ return (*env)->GetVersion(env); -+} -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnUnload -+ */ -+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ -+ if (debugObj != NULL) { -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return; /* Should not happen */ -+ } -+#ifndef SYSCONF_NSS -+ closeNSS(env); -+#endif -+ (*env)->DeleteGlobalRef(env, debugObj); -+ } -+} -+ -+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled -+ (JNIEnv *env, jclass cls) -+{ -+ int fips_enabled; -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ -+ if (getSystemFIPSEnabled != NULL) { -+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); -+ fips_enabled = (*getSystemFIPSEnabled)(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); -+ } else { -+ FILE *fe; -+ -+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); -+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { -+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ fips_enabled = fgetc(fe); -+ fclose(fe); -+ if (fips_enabled == EOF) { -+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " read character is '%c'", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); -+ } -+} diff --git a/SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch b/SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch deleted file mode 100644 index ddab642..0000000 --- a/SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch +++ /dev/null @@ -1,125 +0,0 @@ -# HG changeset patch -# User mbalao -# Date 1529971845 -28800 -# Tue Jun 26 08:10:45 2018 +0800 -# Node ID e9c20b7250cd98d16a67f2a30b34284c2caa01dc -# Parent 9f1aa2e38d90dd60522237d7414af6bdcf03c4ff -8195607, PR3776: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1 -Reviewed-by: valeriep, weijun - -diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java -@@ -197,7 +197,7 @@ - - if (configDir != null) { - String configDirPath = null; -- String sqlPrefix = "sql:/"; -+ String sqlPrefix = "sql:"; - if (!configDir.startsWith(sqlPrefix)) { - configDirPath = configDir; - } else { -diff --git openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c -@@ -69,9 +69,14 @@ - int res = 0; - FPTR_Initialize initialize = - (FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize"); -+ #ifdef SECMOD_DEBUG -+ FPTR_GetError getError = -+ (FPTR_GetError)findFunction(env, jHandle, "PORT_GetError"); -+ #endif // SECMOD_DEBUG - unsigned int flags = 0x00; - const char *configDir = NULL; - const char *functionName = NULL; -+ const char *configFile = NULL; - - /* If we cannot initialize, exit now */ - if (initialize == NULL) { -@@ -97,13 +102,18 @@ - flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag - } - -+ configFile = "secmod.db"; -+ if (configDir != NULL && strncmp("sql:", configDir, 4U) == 0) { -+ configFile = "pkcs11.txt"; -+ } -+ - /* - * If the NSS_Init function is requested then call NSS_Initialize to - * open the Cert, Key and Security Module databases, read only. - */ - if (strcmp("NSS_Init", functionName) == 0) { - flags = flags | 0x01; // NSS_INIT_READONLY flag -- res = initialize(configDir, "", "", "secmod.db", flags); -+ res = initialize(configDir, "", "", configFile, flags); - - /* - * If the NSS_InitReadWrite function is requested then call -@@ -111,7 +121,7 @@ - * read/write. - */ - } else if (strcmp("NSS_InitReadWrite", functionName) == 0) { -- res = initialize(configDir, "", "", "secmod.db", flags); -+ res = initialize(configDir, "", "", configFile, flags); - - /* - * If the NSS_NoDB_Init function is requested then call -@@ -137,6 +147,13 @@ - (*env)->ReleaseStringUTFChars(env, jConfigDir, configDir); - } - dprintf1("-res: %d\n", res); -+ #ifdef SECMOD_DEBUG -+ if (res == -1) { -+ if (getError != NULL) { -+ dprintf1("-NSS error: %d\n", getError()); -+ } -+ } -+ #endif // SECMOD_DEBUG - - return (res == 0) ? JNI_TRUE : JNI_FALSE; - } -diff --git openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h ---- openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h -+++ openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h -@@ -34,6 +34,10 @@ - const char *certPrefix, const char *keyPrefix, - const char *secmodName, unsigned int flags); - -+#ifdef SECMOD_DEBUG -+typedef int (*FPTR_GetError)(void); -+#endif //SECMOD_DEBUG -+ - // in secmod.h - //extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent, - // PRBool recurse); -diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt -new file mode 100644 ---- /dev/null -+++ openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt -@@ -0,0 +1,4 @@ -+library= -+name=NSS Internal PKCS #11 Module -+parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' -+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) -diff --git openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java -+++ openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java -@@ -55,7 +55,7 @@ - - DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb"; - if (useSqlite) { -- System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR); -+ System.setProperty("pkcs11test.nss.db", "sql:" + DBDIR); - } else { - System.setProperty("pkcs11test.nss.db", DBDIR); - } -@@ -67,6 +67,7 @@ - if (useSqlite) { - copyFile("key4.db", BASE, DBDIR); - copyFile("cert9.db", BASE, DBDIR); -+ copyFile("pkcs11.txt", BASE, DBDIR); - } else { - copyFile("secmod.db", BASE, DBDIR); - copyFile("key3.db", BASE, DBDIR); diff --git a/SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch b/SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch deleted file mode 100644 index a42688d..0000000 --- a/SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch +++ /dev/null @@ -1,63 +0,0 @@ -# HG changeset patch -# User andrew -# Date 1459487045 -3600 -# Fri Apr 01 06:04:05 2016 +0100 -# Node ID 3334efeacd8327a14b7d2f392f4546e3c29c594b -# Parent 6b81fd2227d14226f2121f2d51b464536925686e -PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts) -PR3575: System cacerts database handling should not affect jssecacerts - -diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java ---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java -+++ openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java -@@ -72,7 +72,7 @@ - * The preference of the default trusted KeyStore is: - * javax.net.ssl.trustStore - * jssecacerts -- * cacerts -+ * cacerts (system and local) - */ - private static final class TrustStoreDescriptor { - private static final String fileSep = File.separator; -@@ -83,6 +83,10 @@ - defaultStorePath + fileSep + "cacerts"; - private static final String jsseDefaultStore = - defaultStorePath + fileSep + "jssecacerts"; -+ /* Check system cacerts DB: /etc/pki/java/cacerts */ -+ private static final String systemStore = -+ fileSep + "etc" + fileSep + "pki" + -+ fileSep + "java" + fileSep + "cacerts"; - - // the trust store name - private final String storeName; -@@ -146,7 +150,8 @@ - long temporaryTime = 0L; - if (!"NONE".equals(storePropName)) { - String[] fileNames = -- new String[] {storePropName, defaultStore}; -+ new String[] {storePropName, -+ systemStore, defaultStore}; - for (String fileName : fileNames) { - File f = new File(fileName); - if (f.isFile() && f.canRead()) { -diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java ---- openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -+++ openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -@@ -108,9 +108,14 @@ - throws Exception - { - String sep = File.separator; -- File file = new File(System.getProperty("java.home") + sep -- + "lib" + sep + "security" + sep -- + "cacerts"); -+ /* Check system cacerts DB first; /etc/pki/java/cacerts */ -+ File file = new File(sep + "etc" + sep + "pki" + sep -+ + "java" + sep + "cacerts"); -+ if (!file.exists()) { -+ file = new File(System.getProperty("java.home") + sep -+ + "lib" + sep + "security" + sep -+ + "cacerts"); -+ } - if (!file.exists()) { - return null; - } diff --git a/SOURCES/pr2888-rh2055274-support_system_cacerts.patch b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch new file mode 100644 index 0000000..1b88f2a --- /dev/null +++ b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch @@ -0,0 +1,263 @@ +diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +index e7b4763db53..e8ec8467e6a 100644 +--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java ++++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.cert.*; + import java.util.*; + import sun.security.action.*; ++import sun.security.tools.KeyStoreUtil; + import sun.security.validator.TrustStoreUtil; + + /** +@@ -68,7 +69,7 @@ final class TrustStoreManager { + * The preference of the default trusted KeyStore is: + * javax.net.ssl.trustStore + * jssecacerts +- * cacerts ++ * cacerts (system and local) + */ + private static final class TrustStoreDescriptor { + private static final String fileSep = File.separator; +@@ -76,7 +77,7 @@ final class TrustStoreManager { + GetPropertyAction.privilegedGetProperty("java.home") + + fileSep + "lib" + fileSep + "security"; + private static final String defaultStore = +- defaultStorePath + fileSep + "cacerts"; ++ KeyStoreUtil.getCacertsKeyStoreFile().getPath(); + private static final String jsseDefaultStore = + defaultStorePath + fileSep + "jssecacerts"; + +@@ -139,6 +140,10 @@ final class TrustStoreManager { + String storePropPassword = System.getProperty( + "javax.net.ssl.trustStorePassword", ""); + ++ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) { ++ SSLLogger.fine("Default store: " + defaultStore); ++ } ++ + String temporaryName = ""; + File temporaryFile = null; + long temporaryTime = 0L; +@@ -146,21 +151,22 @@ final class TrustStoreManager { + String[] fileNames = + new String[] {storePropName, defaultStore}; + for (String fileName : fileNames) { +- File f = new File(fileName); +- if (f.isFile() && f.canRead()) { +- temporaryName = fileName;; +- temporaryFile = f; +- temporaryTime = f.lastModified(); +- +- break; +- } +- +- // Not break, the file is inaccessible. +- if (SSLLogger.isOn && ++ if (fileName != null && !"".equals(fileName)) { ++ File f = new File(fileName); ++ if (f.isFile() && f.canRead()) { ++ temporaryName = fileName;; ++ temporaryFile = f; ++ temporaryTime = f.lastModified(); ++ ++ break; ++ } ++ // Not break, the file is inaccessible. ++ if (SSLLogger.isOn && + SSLLogger.isOn("trustmanager")) { +- SSLLogger.fine( +- "Inaccessible trust store: " + +- storePropName); ++ SSLLogger.fine( ++ "Inaccessible trust store: " + ++ fileName); ++ } + } + } + } else { +diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +index fcc77786da1..f554f83a8b4 100644 +--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java ++++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +@@ -33,7 +33,10 @@ import java.io.InputStreamReader; + + import java.net.URL; + ++import java.security.AccessController; + import java.security.KeyStore; ++import java.security.PrivilegedAction; ++import java.security.Security; + + import java.security.cert.X509Certificate; + import java.text.Collator; +@@ -54,6 +57,33 @@ public class KeyStoreUtil { + + private static final String JKS = "jks"; + ++ private static final String PROP_NAME = "security.systemCACerts"; ++ ++ /** ++ * Returns the value of the security property propName, which can be overridden ++ * by a system property of the same name ++ * ++ * @param propName the name of the system or security property ++ * @return the value of the system or security property ++ */ ++ @SuppressWarnings("removal") ++ public static String privilegedGetOverridable(String propName) { ++ if (System.getSecurityManager() == null) { ++ return getOverridableProperty(propName); ++ } else { ++ return AccessController.doPrivileged((PrivilegedAction) () -> getOverridableProperty(propName)); ++ } ++ } ++ ++ private static String getOverridableProperty(String propName) { ++ String val = System.getProperty(propName); ++ if (val == null) { ++ return Security.getProperty(propName); ++ } else { ++ return val; ++ } ++ } ++ + /** + * Returns true if the certificate is self-signed, false otherwise. + */ +@@ -96,20 +126,38 @@ public class KeyStoreUtil { + } + } + ++ /** ++ * Returns the path to the cacerts DB ++ */ ++ public static File getCacertsKeyStoreFile() ++ { ++ String sep = File.separator; ++ File file = null; ++ /* Check system cacerts DB first, preferring system property over security property */ ++ String systemDB = privilegedGetOverridable(PROP_NAME); ++ if (systemDB != null && !"".equals(systemDB)) { ++ file = new File(systemDB); ++ } ++ if (file == null || !file.exists()) { ++ file = new File(System.getProperty("java.home") + sep ++ + "lib" + sep + "security" + sep ++ + "cacerts"); ++ } ++ if (file.exists()) { ++ return file; ++ } ++ return null; ++ } ++ + /** + * Returns the keystore with the configured CA certificates. + */ + public static KeyStore getCacertsKeyStore() + throws Exception + { +- String sep = File.separator; +- File file = new File(System.getProperty("java.home") + sep +- + "lib" + sep + "security" + sep +- + "cacerts"); +- if (!file.exists()) { +- return null; +- } + KeyStore caks = null; ++ File file = getCacertsKeyStoreFile(); ++ if (file == null) { return null; } + try (FileInputStream fis = new FileInputStream(file)) { + caks = KeyStore.getInstance(JKS); + caks.load(fis, null); +diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix +index bfe0c593adb..093bc09bf95 100644 +--- a/jdk/src/share/lib/security/java.security-aix ++++ b/jdk/src/share/lib/security/java.security-aix +@@ -294,6 +294,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux +index 9d1c8fe8a8e..16c9281cc1f 100644 +--- a/jdk/src/share/lib/security/java.security-linux ++++ b/jdk/src/share/lib/security/java.security-linux +@@ -307,6 +307,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx +index 19047c61097..43e034cdeaf 100644 +--- a/jdk/src/share/lib/security/java.security-macosx ++++ b/jdk/src/share/lib/security/java.security-macosx +@@ -297,6 +297,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris +index 7eda556ae13..325937e97fb 100644 +--- a/jdk/src/share/lib/security/java.security-solaris ++++ b/jdk/src/share/lib/security/java.security-solaris +@@ -295,6 +295,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows +index dfa1a669aa9..92ef777e065 100644 +--- a/jdk/src/share/lib/security/java.security-windows ++++ b/jdk/src/share/lib/security/java.security-windows +@@ -297,6 +297,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. diff --git a/SOURCES/rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch b/SOURCES/rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch deleted file mode 100644 index d9cbac4..0000000 --- a/SOURCES/rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch +++ /dev/null @@ -1,66 +0,0 @@ -diff --git a/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java b/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java ---- openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java -@@ -1,5 +1,6 @@ - /* - * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2014 Red Hat Inc. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -61,13 +62,13 @@ - - private static void checkKeySize(int keysize) - throws InvalidParameterException { -- boolean supported = ((keysize == 2048) || (keysize == 3072) || -+ boolean supported = ((keysize == 2048) || (keysize == 3072) || (keysize == 4096) || - ((keysize >= 512) && (keysize <= 1024) && ((keysize & 0x3F) == 0))); - - if (!supported) { - throw new InvalidParameterException( - "DH key size must be multiple of 64 and range " + -- "from 512 to 1024 (inclusive), or 2048, 3072. " + -+ "from 512 to 1024 (inclusive), or 2048, 3072, 4096. " + - "The specific key size " + keysize + " is not supported"); - } - } -diff --git a/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java b/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java ---- openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java -+++ openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java -@@ -1,5 +1,6 @@ - /* - * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2014 Red Hat Inc. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -58,7 +59,7 @@ - */ - private enum Sizes { - two56(256), three84(384), five12(512), seven68(768), ten24(1024), -- twenty48(2048); -+ twenty48(2048), forty96(4096); - - private final int intSize; - private final BigInteger bigIntValue; -@@ -130,6 +131,19 @@ - kp = kpg.generateKeyPair(); - checkKeyPair(kp, Sizes.twenty48, Sizes.five12); - -+ kpg.initialize(Sizes.forty96.getIntSize()); -+ kp = kpg.generateKeyPair(); -+ checkKeyPair(kp, Sizes.forty96, Sizes.twenty48); -+ -+ publicKey = (DHPublicKey)kp.getPublic(); -+ p = publicKey.getParams().getP(); -+ g = publicKey.getParams().getG(); -+ -+ // test w/ all values specified -+ kpg.initialize(new DHParameterSpec(p, g, Sizes.ten24.getIntSize())); -+ kp = kpg.generateKeyPair(); -+ checkKeyPair(kp, Sizes.forty96, Sizes.ten24); -+ - System.out.println("OK"); - } - - diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 5733069..ccf9e8e 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -26,6 +26,8 @@ %bcond_with artifacts # Build a fresh libjvm.so for use in a copy of the bootstrap JDK %bcond_without fresh_libjvm +# Build with system libraries +%bcond_with system_libs # Define whether to use the bootstrap JDK directly or with a fresh libjvm.so %if %{with fresh_libjvm} @@ -34,6 +36,16 @@ %global build_hotspot_first 0 %endif +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global jpeg_lib |libjavajpeg[.]so.* +%else +%global system_libs 0 +%global link_type bundled +%global jpeg_lib |libjpeg[.]so.* +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -158,11 +170,15 @@ # Build and test slowdebug first as it provides the best diagnostics %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} +%if 0%{?flatpak} +%global bootstrap_build false +%else %ifarch %{bootstrap_arches} %global bootstrap_build true %else %global bootstrap_build false %endif +%endif %global bootstrap_targets images %global release_targets images docs-zip @@ -281,13 +297,17 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 3.15.0 # Define current Git revision for the FIPS support patches -%global fipsver 8e8bbf0ff74 +%global fipsver 6d1aade0648 # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK %global top_level_dir_name %{origin} +# Settings for local security configuration +%global security_file %{top_level_dir_name}/jdk/src/share/lib/security/java.security-%{_target_os} +%global cacerts_file /etc/pki/java/cacerts + # Define vendor information used by OpenJDK %global oj_vendor Red Hat, Inc. %global oj_vendor_url "https://www.redhat.com/" @@ -311,7 +331,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u345-b01 +%global openjdk_revision jdk8u362-b08 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -327,7 +347,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 2 +%global rpmrelease 3 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -371,7 +391,7 @@ # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 -%global _privatelibs libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.* +%global _privatelibs libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*%{jpeg_lib} %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ @@ -813,6 +833,7 @@ exit 0 %{_jvmdir}/%{jrelnk -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security %{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts +%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts.upstream %dir %{_jvmdir}/%{jredir -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}/bin %dir %{_jvmdir}/%{jredir -- %{?1}}/lib @@ -895,7 +916,11 @@ exit 0 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjaas_unix.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava_crw_demo.so +%if %{system_libs} %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjavajpeg.so +%else +%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjpeg.so +%endif %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjdwp.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsdt.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsig.so @@ -937,6 +962,7 @@ exit 0 %{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties %{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat +%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat.upstream %{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/management/* %{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/* @@ -1210,17 +1236,18 @@ Provides: jre%{?1} = %{epoch}:%{version}-%{release} Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem -# Require zoneinfo data provided by tzdata-java subpackage. -# 2022a required as of JDK-8283350 in 8u342 -Requires: tzdata-java >= 2022a +# 2022g required as of JDK-8297804 +Requires: tzdata-java >= 2022g # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} +%if ! 0%{?flatpak} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # considered as regression Requires: copy-jdk-configs >= 4.0 OrderWithRequires: copy-jdk-configs +%endif # for printing support Requires: cups-libs # for system security properties @@ -1389,13 +1416,15 @@ Source16: CheckVendor.java # nss fips configuration file Source17: nss.fips.cfg.in +# Ensure translations are available for new timezones +Source18: TestTranslations.java + Source20: repackReproduciblePolycies.sh # New versions of config files with aarch64 support. This is not upstream yet. Source100: config.guess Source101: config.sub - ############################################ # # RPM/distribution specific patches @@ -1443,8 +1472,6 @@ Patch1001: fips-8u-%{fipsver}.patch ############################################# # PR2737: Allow multiple initialization of PKCS11 libraries Patch5: pr2737-allow_multiple_pkcs11_library_initialisation_to_be_a_non_critical_error.patch -# PR2095, RH1163501: 2048-bit DH upper bound too small for Fedora infrastructure (sync with IcedTea 2.x) -Patch504: rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch # Turn off strict overflow on IndicRearrangementProcessor{,2}.cpp following 8140543: Arrange font actions Patch512: rh1649664-awt2dlibraries_compiled_with_no_strict_overflow.patch # RH1337583, PR2974: PKCS#10 certificate requests now use CRLF line endings rather than system line endings @@ -1453,7 +1480,9 @@ Patch523: pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_ Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch # PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts) # PR3575, RH1567204: System cacerts database handling should not affect jssecacerts -Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch +# RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds +# Must be applied after FIPS patch as it also changes java.security +Patch539: pr2888-rh2055274-support_system_cacerts.patch # enable build of speculative store bypass hardened alt-java Patch600: rh1750419-redhat_alt_java.patch # JDK-8218811: replace open by os::open in hotspot coding @@ -1505,14 +1534,12 @@ Patch202: jdk8035341-allow_using_system_installed_libpng.patch # 8042159: Allow using a system-installed lcms2 Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch -# JDK-8195607, PR3776, RH1760437: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1 -Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch # JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32 Patch581: jdk8257794-remove_broken_assert.patch ############################################# # -# Patches appearing in 8u282 +# Patches appearing in 8u362 # # This section includes patches which are present # in the listed OpenJDK 8u release and should be @@ -1564,12 +1591,8 @@ BuildRequires: desktop-file-utils BuildRequires: elfutils-devel BuildRequires: fontconfig-devel BuildRequires: freetype-devel -BuildRequires: giflib-devel BuildRequires: gcc-c++ BuildRequires: gdb -BuildRequires: lcms2-devel -BuildRequires: libjpeg-devel -BuildRequires: libpng-devel BuildRequires: libxslt BuildRequires: libX11-devel BuildRequires: libXext-devel @@ -1592,8 +1615,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3 %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2022a required as of JDK-8283350 in 8u342 -BuildRequires: tzdata-java >= 2022a +# 2022g required as of JDK-8297804 +BuildRequires: tzdata-java >= 2022g # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1601,6 +1624,24 @@ BuildRequires: gcc >= 4.8.3-8 BuildRequires: systemtap-sdt-devel %endif +%if %{system_libs} +BuildRequires: giflib-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +%else +# Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.1 +# Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h +Provides: bundled(lcms2) = 2.10.0 +# Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in jdk/src/share/native/sun/awt/libpng/png.h +Provides: bundled(libpng) = 1.6.37 +# We link statically against libstdc++ to increase portability +BuildRequires: libstdc++-static +%endif + # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder %{java_rpo %{nil}} @@ -1853,14 +1894,18 @@ cp %{SOURCE101} %{top_level_dir_name}/common/autoconf/build-aux/ # OpenJDK patches +%if %{system_libs} # Remove libraries that are linked sh %{SOURCE12} +%endif # System library fixes +%if %{system_libs} %patch201 %patch202 %patch203 %patch204 +%endif %patch5 @@ -1876,7 +1921,6 @@ sh %{SOURCE12} # Upstreamable fixes %patch502 -%patch504 %patch512 %patch523 %patch528 @@ -1884,7 +1928,6 @@ sh %{SOURCE12} %patch574 %patch111 %patch112 -%patch580 %patch581 %patch113 @@ -1893,10 +1936,11 @@ pushd %{top_level_dir_name} %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 +# cacerts patch; must follow FIPS patch as it also alters java.security +%patch539 -p1 popd # RPM-only fixes -%patch539 %patch600 %patch1003 @@ -1960,7 +2004,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg # Setup nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg +# Setup security policy +sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file} + %build + # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -1998,11 +2046,18 @@ function buildjdk() { local buildjdk=${2} local maketargets="${3}" local debuglevel=${4} + local link_opt=${5} local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name} # Variable used in hs_err hook on build failures local top_builddir_abs_path=$(pwd)/${outputdir} + if [ "x${link_opt}" = "xbundled" ] ; then + libc_link_opt="static"; + else + libc_link_opt="dynamic"; + fi + echo "Checking build JDK ${buildjdk} is operational..." ${buildjdk}/bin/java -version echo "Building 8u%{updatever}-%{buildver}, milestone %{milestone}" @@ -2031,12 +2086,14 @@ function buildjdk() { --with-debug-level=${debuglevel} \ --disable-sysconf-nss \ --enable-unlimited-crypto \ - --with-zlib=system \ - --with-libjpeg=system \ - --with-giflib=system \ - --with-libpng=system \ - --with-lcms=system \ - --with-stdc++lib=dynamic \ + --with-zlib=${link_opt} \ + --with-giflib=${link_opt} \ +%if %{with system_libs} + --with-libjpeg=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ +%endif + --with-stdc++lib=${libc_link_opt} \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \ --with-extra-asflags="$EXTRA_ASFLAGS" \ @@ -2105,8 +2162,13 @@ function installjdk() { ${imagepath}/jre/lib/security/java.security # Use system-wide tzdata - rm ${imagepath}/jre/lib/tzdb.dat - ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat + mv ${imagepath}/jre/lib/tzdb.dat{,.upstream} + ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat + + # Rename OpenJDK cacerts database + mv ${imagepath}/jre/lib/security/cacerts{,.upstream} + # Install cacerts symlink needed by some apps which hard-code the path + ln -sv %{cacerts_file} ${imagepath}/jre/lib/security # add alt-java man page pushd ${imagepath} @@ -2142,6 +2204,7 @@ builddir=%{buildoutputdir -- $suffix} bootbuilddir=boot${builddir} installdir=%{installoutputdir -- $suffix} bootinstalldir=boot${installdir} +link_opt="%{link_type}" # Debug builds don't need same targets as release for # build speed-up. We also avoid bootstrapping these @@ -2155,13 +2218,13 @@ else fi if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} installjdk ${bootbuilddir} ${bootinstalldir} - buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} installjdk ${builddir} ${installdir} %{!?with_artifacts:rm -rf ${bootinstalldir}} else - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} installjdk ${builddir} ${installdir} fi @@ -2202,11 +2265,14 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi %endif - # Check correct vendor values have been set $JAVA_HOME/bin/javac -d . %{SOURCE16} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url} +# Check translations are available for new timezones +$JAVA_HOME/bin/javac -d . %{SOURCE18} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE + # Check debug symbols are present and can identify code find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib do @@ -2322,13 +2388,6 @@ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/clien done %endif - # Remove empty cacerts database - rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security/cacerts - # Install cacerts symlink needed by some apps which hardcode the path - pushd $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security - ln -sf /etc/pki/java/cacerts . - popd - # Install versioned symlinks pushd $RPM_BUILD_ROOT%{_jvmdir} ln -sf %{jredir -- $suffix} %{jrelnk -- $suffix} @@ -2658,6 +2717,61 @@ cjc.mainProgram(args) %endif %changelog +* Fri Jan 13 2023 Andrew Hughes - 1:1.8.0.362.b08-3 +- Update to shenandoah-jdk8u352-b08 (GA) +- Update release notes for shenandoah-8u352-b08. +- Fix broken links and missing release notes in older releases. +- Drop RH1163501 patch which is not upstream or in 11, 17 & 19 packages and seems obsolete + - Patch was broken by inclusion of "JDK-8293554: Enhanced DH Key Exchanges" + - Patch was added for a specific corner case of a 4096-bit DH key on a Fedora host that no longer exists + - Fedora now appears to be using RSA and the JDK now supports ECC in preference to large DH keys +- Resolves: rhbz#2160111 + +* Wed Jan 11 2023 Andrew Hughes - 1:1.8.0.362.b07-0.3.ea +- Update to shenandoah-jdk8u362-b07 (EA) +- Update release notes for shenandoah-8u362-b07. +- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804 +- Drop tzdata patches for 2022d & 2022e (JDK-8294357 & JDK-8295173) which are now upstream +- Update TestTranslations.java to test the new America/Ciudad_Juarez zone +- Resolves: rhbz#2150196 + +* Tue Jan 10 2023 Andrew Hughes - 1:1.8.0.362.b01-0.3.ea +- Update to shenandoah-jdk8u362-b01 (EA) +- Update release notes for shenandoah-8u362-b01. +- Switch to EA mode for 8u362 pre-release builds. +- Drop JDK-8195607/PR3776/RH1760437 now this is upstream +- Related: rhbz#2150196 + +* Wed Oct 19 2022 Andrew Hughes - 1:1.8.0.352.b08-2 +- Update to shenandoah-jdk8u352-b08 (GA) +- Update release notes for shenandoah-8u352-b08. +- Switch to GA mode for final release. +- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 +- Add test to ensure timezones can be translated +- Resolves: rhbz#2133695 + +* Wed Oct 12 2022 Andrew Hughes - 1:1.8.0.352.b07-0.2.ea +- Update to shenandoah-jdk8u352-b07 (EA) +- Update release notes for shenandoah-8u352-b07. +- Switch to EA mode for 8u352 pre-release builds. +- Rebase FIPS patch against 8u352-b07 +- Resolves: rhbz#2130623 + +* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-5 +- Allow the default keystore to be configured using security.systemCACerts +- Use of the property can now be disabled using -Dsecurity.systemCACerts= +- Move cacerts replacement to install section and retain original of this and tzdb.dat +- Resolves: rhbz#2077006 + +* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-4 +- Switch to static builds, reducing system dependencies and making build more portable +- Resolves: rhbz#2121273 + +* Mon Aug 29 2022 Stephan Bergmann - 1:1.8.0.345.b01-3 +- Disable copy-jdk-configs for Flatpak builds +- Fix flatpak builds by exempting them from bootstrap +- Resolves: rhbz#2102727 + * Wed Aug 03 2022 Andrew Hughes - 1:1.8.0.345.b01-2 - Update to shenandoah-jdk8u345-b01 (GA) - Update release notes for 8u345-b01.