RH1995150 - Disable non-FIPS crypto in SUN and SunEC security providers

[martinuy]

Search this PR in Red Hat Jira

Diff of this PR only	Dependency chain
9087e80...a6e533a	rh-openjdk:fips ← THIS PR

A 11u backport of RH1995150 (Disable non-FIPS crypto in SUN and SunEC security providers) is required for a 11u backport of RH2052070 (Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode).

This backport includes the following 17u RPM patches:

• RH1995150 (Disable non-FIPS crypto in SUN and SunEC security providers)
• RH2094027 (SunEC runtime permission for FIPS)

Bugzillas:

• Disable non-FIPS crypto in SUN and SunEC security providers
  • 17u: RH1995150 (Disable non-FIPS crypto in SUN and SunEC security providers [java-17-openjdk, RHEL 8])
  • 11u: RH2094143 (Disable non-FIPS crypto in SUN and SunEC security providers [java-11-openjdk, RHEL 8])

Conflicts when applying the 17u RH1995150 to 11u:

• src/java.base/share/classes/module-info.java

  • In 11u, SharedSecrets is in the jdk.internal.misc package (instead of jdk.internal.access.)
  • Manually added the export of the package jdk.internal.misc to the jdk.crypto.ec module

• src/java.base/share/classes/sun/security/provider/SunEntries.java

  • Hunk 1 (failed)
    • In 11u, SharedSecrets is in the package jdk.internal.misc.
    • Manually modified the import.
  • Hunk 2 (failed)
    • 11u does not have 8242151 (Improve OID mapping and reuse among JDK security providers for aliases registration).
    • 11u does not have 8172366 (Support SHA-3 based signatures).
      • Orthogonal to this backport, applied the change manually.

• src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java

  • Hunk 1 (failed)
    • Imports context is different in 11u. In addition, the import must be of jdk.internal.misc.SharedSecrets.
    • Manually applied the change.
  • Hunk 2 (failed)
    • 11u does not have 8242151 (Improve OID mapping and reuse among JDK security providers for aliases registration).
    • 11u does not have 8237219 (Disable native SunEC implementation by default).
      • Orthogonal to this backport, applied the change manually.
  • Hunk 3 (failed)
    • 11u does not have 8242151 (Improve OID mapping and reuse among JDK security providers for aliases registration).
    • 11u does not have 8166597 (Crypto support for the EdDSA Signature Algorithm).
    • 11u does not have 8172366 (Support SHA-3 based signatures).
      • Orthogonal to this backport, applied the change manually.
  • Hunk 4 (failed)
    • 11u does not have 8242151 (Improve OID mapping and reuse among JDK security providers for aliases registration).
      • Orthogonal to this backport, applied the change manually.
  • Hunk 5 (failed)
    • N/A because 11u does not have 8166597 (Crypto support for the EdDSA Signature Algorithm).

[franferrax]

This looks good to me:

• It leaves the same algorithms and services enabled in SunEntries.java / SunEC.java as rh-openjdk/jdk@765baf2
  • Except for putEdDSAEntries() ones, since we don't have JDK-8166597, as explained in the description (we'll have to be vigilant and disable the KeyPairGenerator / KeyAgreement entries if that backport is done)
• It fixes the same issue as the one fixed in rh-openjdk/jdk@da9988c, by granting the accessClassInPackage runtime permission on the jdk.internal.misc package to the jdk.crypto.ec module (for 17u, the package was jdk.internal.access)

[franferrax]

Files modified in this pull request didn't change in the last force-push, the following command gives no output:

git diff 675c3b9582c1e159b09f9cb06d14cceff46f8082 a6e533a37276fefc27f13a342fa43acc9d425f7c -- \
  src/java.base/share/classes/module-info.java                      \
  src/java.base/share/classes/sun/security/provider/SunEntries.java \
  src/java.base/share/lib/security/default.policy                   \
  src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java

Also, the Files changed section shows the same files, no new files were added. So the previous review still applies.