Skip to content

Commit a6e533a

Browse files
martinuymartinuy
committed
RH1995150 - Disable non-FIPS crypto in SUN and SunEC security providers
RH2094027 - SunEC runtime permission for FIPS
1 parent 9087e80 commit a6e533a

File tree

4 files changed

+216
-199
lines changed

4 files changed

+216
-199
lines changed

src/java.base/share/classes/module-info.java

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -183,6 +183,7 @@
183183
java.sql,
184184
java.xml,
185185
jdk.crypto.cryptoki,
186+
jdk.crypto.ec,
186187
jdk.jartool,
187188
jdk.attach,
188189
jdk.charsets,

src/java.base/share/classes/sun/security/provider/SunEntries.java

Lines changed: 130 additions & 123 deletions
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,7 @@
3030
import java.util.*;
3131
import java.security.*;
3232

33+
import jdk.internal.misc.SharedSecrets;
3334
import jdk.internal.util.StaticProperty;
3435
import sun.security.action.GetPropertyAction;
3536

@@ -77,6 +78,10 @@
7778

7879
public final class SunEntries {
7980

81+
private static final boolean systemFipsEnabled =
82+
SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
83+
.isSystemFipsEnabled();
84+
8085
// the default algo used by SecureRandom class for new SecureRandom() calls
8186
public static final String DEF_SECURE_RANDOM_ALGO;
8287

@@ -100,136 +105,138 @@ public static List<String> createAliasesWithOid(String ... oids) {
100105
// common attribute map
101106
HashMap<String, String> attrs = new HashMap<>(3);
102107

103-
/*
104-
* SecureRandom engines
105-
*/
106-
attrs.put("ThreadSafe", "true");
107-
if (NativePRNG.isAvailable()) {
108-
add(p, "SecureRandom", "NativePRNG",
109-
"sun.security.provider.NativePRNG",
110-
null, attrs);
111-
}
112-
if (NativePRNG.Blocking.isAvailable()) {
113-
add(p, "SecureRandom", "NativePRNGBlocking",
114-
"sun.security.provider.NativePRNG$Blocking", null, attrs);
115-
}
116-
if (NativePRNG.NonBlocking.isAvailable()) {
117-
add(p, "SecureRandom", "NativePRNGNonBlocking",
118-
"sun.security.provider.NativePRNG$NonBlocking", null, attrs);
119-
}
120-
attrs.put("ImplementedIn", "Software");
121-
add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG",
122-
null, attrs);
123-
add(p, "SecureRandom", "SHA1PRNG",
124-
"sun.security.provider.SecureRandom", null, attrs);
125-
126-
/*
127-
* Signature engines
128-
*/
129-
attrs.clear();
130-
String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
131-
"|java.security.interfaces.DSAPrivateKey";
132-
attrs.put("SupportedKeyClasses", dsaKeyClasses);
133-
attrs.put("ImplementedIn", "Software");
134-
135-
attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
136-
137-
add(p, "Signature", "SHA1withDSA",
138-
"sun.security.provider.DSA$SHA1withDSA",
139-
createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS",
140-
"SHA/DSA", "SHA-1/DSA", "SHA1/DSA", "SHAwithDSA",
141-
"DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), attrs);
142-
add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA",
143-
createAliases("RawDSA"), attrs);
144-
145-
attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures
146-
147-
add(p, "Signature", "SHA224withDSA",
148-
"sun.security.provider.DSA$SHA224withDSA",
149-
createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs);
150-
add(p, "Signature", "SHA256withDSA",
151-
"sun.security.provider.DSA$SHA256withDSA",
152-
createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs);
153-
154-
attrs.remove("KeySize");
108+
if (!systemFipsEnabled) {
109+
/*
110+
* SecureRandom engines
111+
*/
112+
attrs.put("ThreadSafe", "true");
113+
if (NativePRNG.isAvailable()) {
114+
add(p, "SecureRandom", "NativePRNG",
115+
"sun.security.provider.NativePRNG",
116+
null, attrs);
117+
}
118+
if (NativePRNG.Blocking.isAvailable()) {
119+
add(p, "SecureRandom", "NativePRNGBlocking",
120+
"sun.security.provider.NativePRNG$Blocking", null, attrs);
121+
}
122+
if (NativePRNG.NonBlocking.isAvailable()) {
123+
add(p, "SecureRandom", "NativePRNGNonBlocking",
124+
"sun.security.provider.NativePRNG$NonBlocking", null, attrs);
125+
}
126+
attrs.put("ImplementedIn", "Software");
127+
add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG",
128+
null, attrs);
129+
add(p, "SecureRandom", "SHA1PRNG",
130+
"sun.security.provider.SecureRandom", null, attrs);
155131

156-
add(p, "Signature", "SHA1withDSAinP1363Format",
157-
"sun.security.provider.DSA$SHA1withDSAinP1363Format",
158-
null, null);
159-
add(p, "Signature", "NONEwithDSAinP1363Format",
160-
"sun.security.provider.DSA$RawDSAinP1363Format",
161-
null, null);
162-
add(p, "Signature", "SHA224withDSAinP1363Format",
163-
"sun.security.provider.DSA$SHA224withDSAinP1363Format",
164-
null, null);
165-
add(p, "Signature", "SHA256withDSAinP1363Format",
166-
"sun.security.provider.DSA$SHA256withDSAinP1363Format",
167-
null, null);
132+
/*
133+
* Signature engines
134+
*/
135+
attrs.clear();
136+
String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
137+
"|java.security.interfaces.DSAPrivateKey";
138+
attrs.put("SupportedKeyClasses", dsaKeyClasses);
139+
attrs.put("ImplementedIn", "Software");
140+
141+
attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
142+
143+
add(p, "Signature", "SHA1withDSA",
144+
"sun.security.provider.DSA$SHA1withDSA",
145+
createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS",
146+
"SHA/DSA", "SHA-1/DSA", "SHA1/DSA", "SHAwithDSA",
147+
"DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), attrs);
148+
add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA",
149+
createAliases("RawDSA"), attrs);
150+
151+
attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures
152+
153+
add(p, "Signature", "SHA224withDSA",
154+
"sun.security.provider.DSA$SHA224withDSA",
155+
createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs);
156+
add(p, "Signature", "SHA256withDSA",
157+
"sun.security.provider.DSA$SHA256withDSA",
158+
createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs);
159+
160+
attrs.remove("KeySize");
161+
162+
add(p, "Signature", "SHA1withDSAinP1363Format",
163+
"sun.security.provider.DSA$SHA1withDSAinP1363Format",
164+
null, null);
165+
add(p, "Signature", "NONEwithDSAinP1363Format",
166+
"sun.security.provider.DSA$RawDSAinP1363Format",
167+
null, null);
168+
add(p, "Signature", "SHA224withDSAinP1363Format",
169+
"sun.security.provider.DSA$SHA224withDSAinP1363Format",
170+
null, null);
171+
add(p, "Signature", "SHA256withDSAinP1363Format",
172+
"sun.security.provider.DSA$SHA256withDSAinP1363Format",
173+
null, null);
168174

169-
/*
170-
* Key Pair Generator engines
171-
*/
172-
attrs.clear();
173-
attrs.put("ImplementedIn", "Software");
174-
attrs.put("KeySize", "2048"); // for DSA KPG and APG only
175+
/*
176+
* Key Pair Generator engines
177+
*/
178+
attrs.clear();
179+
attrs.put("ImplementedIn", "Software");
180+
attrs.put("KeySize", "2048"); // for DSA KPG and APG only
175181

176-
String dsaOid = "1.2.840.10040.4.1";
177-
List<String> dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12");
178-
String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
179-
dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
180-
add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs);
182+
String dsaOid = "1.2.840.10040.4.1";
183+
List<String> dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12");
184+
String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
185+
dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
186+
add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs);
181187

182-
/*
183-
* Algorithm Parameter Generator engines
184-
*/
185-
add(p, "AlgorithmParameterGenerator", "DSA",
186-
"sun.security.provider.DSAParameterGenerator", dsaAliases,
187-
attrs);
188-
attrs.remove("KeySize");
188+
/*
189+
* Algorithm Parameter Generator engines
190+
*/
191+
add(p, "AlgorithmParameterGenerator", "DSA",
192+
"sun.security.provider.DSAParameterGenerator", dsaAliases,
193+
attrs);
194+
attrs.remove("KeySize");
189195

190-
/*
191-
* Algorithm Parameter engines
192-
*/
193-
add(p, "AlgorithmParameters", "DSA",
194-
"sun.security.provider.DSAParameters", dsaAliases, attrs);
196+
/*
197+
* Algorithm Parameter engines
198+
*/
199+
add(p, "AlgorithmParameters", "DSA",
200+
"sun.security.provider.DSAParameters", dsaAliases, attrs);
195201

196-
/*
197-
* Key factories
198-
*/
199-
add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory",
200-
dsaAliases, attrs);
202+
/*
203+
* Key factories
204+
*/
205+
add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory",
206+
dsaAliases, attrs);
201207

202-
/*
203-
* Digest engines
204-
*/
205-
add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs);
206-
add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs);
207-
add(p, "MessageDigest", "SHA", "sun.security.provider.SHA",
208-
createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs);
209-
210-
String sha2BaseOid = "2.16.840.1.101.3.4.2";
211-
add(p, "MessageDigest", "SHA-224", "sun.security.provider.SHA2$SHA224",
212-
createAliasesWithOid(sha2BaseOid + ".4"), attrs);
213-
add(p, "MessageDigest", "SHA-256", "sun.security.provider.SHA2$SHA256",
214-
createAliasesWithOid(sha2BaseOid + ".1"), attrs);
215-
add(p, "MessageDigest", "SHA-384", "sun.security.provider.SHA5$SHA384",
216-
createAliasesWithOid(sha2BaseOid + ".2"), attrs);
217-
add(p, "MessageDigest", "SHA-512", "sun.security.provider.SHA5$SHA512",
218-
createAliasesWithOid(sha2BaseOid + ".3"), attrs);
219-
add(p, "MessageDigest", "SHA-512/224",
220-
"sun.security.provider.SHA5$SHA512_224",
221-
createAliasesWithOid(sha2BaseOid + ".5"), attrs);
222-
add(p, "MessageDigest", "SHA-512/256",
223-
"sun.security.provider.SHA5$SHA512_256",
224-
createAliasesWithOid(sha2BaseOid + ".6"), attrs);
225-
add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224",
226-
createAliasesWithOid(sha2BaseOid + ".7"), attrs);
227-
add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256",
228-
createAliasesWithOid(sha2BaseOid + ".8"), attrs);
229-
add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384",
230-
createAliasesWithOid(sha2BaseOid + ".9"), attrs);
231-
add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512",
232-
createAliasesWithOid(sha2BaseOid + ".10"), attrs);
208+
/*
209+
* Digest engines
210+
*/
211+
add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs);
212+
add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs);
213+
add(p, "MessageDigest", "SHA", "sun.security.provider.SHA",
214+
createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs);
215+
216+
String sha2BaseOid = "2.16.840.1.101.3.4.2";
217+
add(p, "MessageDigest", "SHA-224", "sun.security.provider.SHA2$SHA224",
218+
createAliasesWithOid(sha2BaseOid + ".4"), attrs);
219+
add(p, "MessageDigest", "SHA-256", "sun.security.provider.SHA2$SHA256",
220+
createAliasesWithOid(sha2BaseOid + ".1"), attrs);
221+
add(p, "MessageDigest", "SHA-384", "sun.security.provider.SHA5$SHA384",
222+
createAliasesWithOid(sha2BaseOid + ".2"), attrs);
223+
add(p, "MessageDigest", "SHA-512", "sun.security.provider.SHA5$SHA512",
224+
createAliasesWithOid(sha2BaseOid + ".3"), attrs);
225+
add(p, "MessageDigest", "SHA-512/224",
226+
"sun.security.provider.SHA5$SHA512_224",
227+
createAliasesWithOid(sha2BaseOid + ".5"), attrs);
228+
add(p, "MessageDigest", "SHA-512/256",
229+
"sun.security.provider.SHA5$SHA512_256",
230+
createAliasesWithOid(sha2BaseOid + ".6"), attrs);
231+
add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224",
232+
createAliasesWithOid(sha2BaseOid + ".7"), attrs);
233+
add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256",
234+
createAliasesWithOid(sha2BaseOid + ".8"), attrs);
235+
add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384",
236+
createAliasesWithOid(sha2BaseOid + ".9"), attrs);
237+
add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512",
238+
createAliasesWithOid(sha2BaseOid + ".10"), attrs);
239+
}
233240

234241
/*
235242
* Certificates

src/java.base/share/lib/security/default.policy

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -115,6 +115,7 @@ grant codeBase "jrt:/jdk.charsets" {
115115
grant codeBase "jrt:/jdk.crypto.ec" {
116116
permission java.lang.RuntimePermission
117117
"accessClassInPackage.sun.security.*";
118+
permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
118119
permission java.lang.RuntimePermission "loadLibrary.sunec";
119120
permission java.security.SecurityPermission "putProviderProperty.SunEC";
120121
permission java.security.SecurityPermission "clearProviderProperties.SunEC";

0 commit comments

Comments
 (0)