OPENJDK-2108: Remove crypto-policies and FIPS automation related patches

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major

      This task is to remove a group of downstream patches: those that make OpenJDK honor the RHEL crypto-policies in place, including the FIPS crypto-policy, which is a special case requiring special automation of the Java Security Providers configuration.

      Alternatives have been explored in OPENJDK-1686, with Alternative #2 already implemented and Alternative #1 proposed upstream. In parallel, a third alternative has also been proposed upstream, and is linked here for reference.

      Every patch is listed as a sub-task, to be closed once we are able to remove this patch in a future OpenJDK 22 build, and in an OpenJDK 21 build assuming the work referred to in this task is upstreamed. You can refer to the full fips-21u-75ffdc48eda.patch list of included commits, which corresponds to java-21-openjdk-21.0.0.0.35-1.el8.

       


       

      The following is a design for the Red Hat build of OpenJDK 25 that implements the crypto-policies and FIPS setup by leveraging the upstream JDK-8319332: Security properties files inclusion enhancement.

      An interactive diagram has been created for this setup.

      Red Hat build of OpenJDK 25 crypto-policies bootstrapping (OPENJDK-1686, alternative #1)

      Red Hat build of OpenJDK 25 should include the following configuration changes.

      ${java.home}/conf/security/java.security
      # [...] CONTENT FROM UPSTREAM java.security
      
      #
      # System-wide crypto-policies
      #
      # All the FIPS-mode setup is controlled by the FIPS crypto policy. In order
      # to disable the FIPS-mode alignment between RHEL and OpenJDK, just disable
      # the crypto-policies, which are enabled by default.
      #
      # The jdk.security.useSystemCryptoPolicies system property controls the
      # crypto-policies (and the FIPS alignment) on a per-run basis. Pass
      # -Djdk.security.useSystemCryptoPolicies=false to disable the system
      # policies.
      #
      # The $JAVA_HOME/conf/security directory contains the following symlinks:
      #   useSystemCryptoPolicies=false -> /dev/null
      #   useSystemCryptoPolicies=true  -> /etc/crypto-policies/back-ends/java.config
      #   useSystemCryptoPolicies=      -> useSystemCryptoPolicies=true
      # The last symlink is used when the jdk.security.useSystemCryptoPolicies
      # system property isn't defined, determining the default-choice (true).
      #
      # To disable the system policies for any application running on this JDK
      # deployment, change the default-choice symlink as follows:
      #   useSystemCryptoPolicies=      -> useSystemCryptoPolicies=false
      # This can be achieved with the following command:
      #   ln -fs "useSystemCryptoPolicies=false" \
      #          "$JAVA_HOME/conf/security/useSystemCryptoPolicies="
      # With that change, applications can still re-enable the system policies,
      # by passing -Djdk.security.useSystemCryptoPolicies=true.
      #
      # To disable the jdk.security.useSystemCryptoPolicies system property,
      # modify the following include directive as appropriate. Directly include
      # /etc/crypto-policies/back-ends/java.config to force-enable the system
      # policies. Remove or comment out the include directive to force-disable
      # the system policies.
      #
      include useSystemCryptoPolicies=${jdk.security.useSystemCryptoPolicies}
      #       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      # WARNING: anything placed after this include directive will apply on top
      # of the system-wide crypto-policies. Adding properties below this section
      # is strongly discouraged, as it poses a risk of overriding the system
      # policies or invalidating the FIPS deployment.
      
      ${java.home}/conf/security/useSystemCryptoPolicies=false
      Absolute symlink -> '/dev/null'
      
      # Alternative (requires adapting the java.security documentation):
      an empty file
      
      ${java.home}/conf/security/useSystemCryptoPolicies=true
      Absolute symlink -> '/etc/crypto-policies/back-ends/java.config'
      
      # Alternative (requires adapting the java.security documentation):
      include /etc/crypto-policies/back-ends/java.config
      
      ${java.home}/conf/security/useSystemCryptoPolicies=
      Relative symlink -> 'useSystemCryptoPolicies=true'
      
      # Alternative (requires adapting the java.security documentation):
      include useSystemCryptoPolicies=true
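
The symlink selection described above can be audited from a shell. The following is an added example, not part of the original design or of any Red Hat tooling: the function names and the sandbox tree are assumptions made for illustration. It resolves which file the include directive would read for each value of jdk.security.useSystemCryptoPolicies, and flags properties placed after the include directive, which the WARNING comment says would override the system policies.

```shell
# Added example: all paths live in a constructed sandbox, not a real JDK or /etc.

# Resolve which file "include useSystemCryptoPolicies=<prop>" ends up reading.
# Symlinks are followed one hop at a time so dangling targets still resolve.
resolve_include() {
    path="$1/useSystemCryptoPolicies=${2-}"
    hops=0
    while [ -L "$path" ] && [ "$hops" -lt 8 ]; do
        target=$(readlink "$path")
        case $target in
            /*) path=$target ;;
            *)  path="$(dirname "$path")/$target" ;;
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$path"
}

# List active (non-comment, non-blank) lines that follow the include directive:
# per the WARNING in java.security these apply on top of the system policies.
props_after_include() {
    awk 'seen && !/^[ \t]*(#|$)/ { print NR ": " $0 }
         /^[ \t]*include[ \t]+useSystemCryptoPolicies=/ { seen = 1 }' "$1"
}

# Build the constructed sandbox: three symlinks plus a java.security whose last
# line is a deliberately misplaced override for the audit to catch.
make_sandbox() {
    root=$(mktemp -d)
    sec="$root/jdk/conf/security"
    mkdir -p "$sec" "$root/etc/crypto-policies/back-ends"
    : > "$root/etc/crypto-policies/back-ends/java.config"
    ln -s /dev/null "$sec/useSystemCryptoPolicies=false"
    ln -s "$root/etc/crypto-policies/back-ends/java.config" "$sec/useSystemCryptoPolicies=true"
    ln -s "useSystemCryptoPolicies=true" "$sec/useSystemCryptoPolicies="
    {
        echo 'include useSystemCryptoPolicies=${jdk.security.useSystemCryptoPolicies}'
        echo '# trailing comment is harmless'
        echo 'keystore.type=jks'
    } > "$sec/java.security"
    printf '%s\n' "$sec"
}

sec=$(make_sandbox)
for prop in "" true false; do
    echo "property='$prop' -> $(resolve_include "$sec" "$prop")"
done
props_after_include "$sec/java.security"
```

On a real deployment, point resolve_include at "$JAVA_HOME/conf/security" instead of the sandbox; an undefined property and the value true should resolve to the same file unless the default-choice symlink has been changed.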
      

      Crypto policies changes (RHEL-107438)

      /usr/share/crypto-policies/DEFAULT/java.txt, /usr/share/crypto-policies/FUTURE/java.txt and /usr/share/crypto-policies/LEGACY/java.txt remain unchanged.

      /usr/share/crypto-policies/FIPS/java.txt
      # Trigger OpenJDK FIPS setup
      include ${java.home}/conf/security/java.security.fips
      
      # [...] REST OF THE FILE CONTENT UNCHANGED 
      

      This means that when the system FIPS-mode is on, the FIPS crypto policy is applied (by pointing /etc/crypto-policies/back-ends/java.config to /usr/share/crypto-policies/FIPS/java.txt) and it includes ${java.home}/conf/security/java.security.fips. This allows having a per-JDK specific FIPS setup with a single crypto-policies file.

      NOTE: for older JDKs, the include directive in /usr/share/crypto-policies/FIPS/java.txt is innocuous: it just defines an unused include=${java.home}/conf/security/java.security.fips security property.

      Red Hat build of OpenJDK 25 FIPS setup

      Red Hat build of OpenJDK 25 should include the following configuration changes.

      ${java.home}/conf/security/java.security.fips
      #
      # Let the downstream-specific code know that FIPS-mode is turned on
      #
      $fips$=true
      
      #
      # FIPS-mode on Security Providers List
      #
      security.provider.1=SunPKCS11 ${java.home}/conf/security/SunPKCS11-FIPS.cfg
      security.provider.2=SUN
      security.provider.3=SunEC
      security.provider.4=SunJSSE
      security.provider.5=SunJCE
      security.provider.6=SunRsaSign
      security.provider.7=XMLDSig
      security.provider.8=
      #                   ^ empty on purpose, to finish the Providers List
      
      #
      # FIPS-mode on default keystore type
      #
      keystore.type=pkcs12
      
      ${java.home}/conf/security/SunPKCS11-FIPS.cfg
      name = FIPS
      library = ${java.home}/lib/libnssadapter.so
      slot = 3
      nssUseSecmod = false
      attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
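
Why security.provider.8 is left empty in java.security.fips can be seen by layering the FIPS properties over a longer base list. The following is an added example, not code from the original design: the base provider list is a constructed sample, and effective_providers is a hypothetical helper that models later definitions overriding earlier ones and the provider walk stopping at the first missing or empty entry.

```shell
# Added example; both property files are constructed samples written to a temp dir.
demo_dir=$(mktemp -d)
cat > "$demo_dir/base.security" <<'EOF'
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.4=SunJSSE
security.provider.5=SunJCE
security.provider.6=SunJGSS
security.provider.7=SunSASL
security.provider.8=XMLDSig
security.provider.9=SunPCSC
security.provider.10=JdkLDAP
EOF
cat > "$demo_dir/fips.security" <<'EOF'
security.provider.1=SunPKCS11 ${java.home}/conf/security/SunPKCS11-FIPS.cfg
security.provider.2=SUN
security.provider.3=SunEC
security.provider.4=SunJSSE
security.provider.5=SunJCE
security.provider.6=SunRsaSign
security.provider.7=XMLDSig
security.provider.8=
EOF
# Same overlay with the empty terminator line dropped, for comparison.
grep -v '^security\.provider\.8=$' "$demo_dir/fips.security" > "$demo_dir/fips-noterm.security"

# Merge properties files in order (later files override earlier keys), then walk
# security.provider.N from 1 and stop at the first missing or empty entry.
effective_providers() {
    awk -F= '
        /^[ \t]*(#|$)/ { next }
        { key = $1; sub(/^[^=]*=/, ""); prop[key] = $0 }
        END {
            for (n = 1; ; n++) {
                k = "security.provider." n
                if (!(k in prop) || prop[k] == "") break
                print n "=" prop[k]
            }
        }' "$@"
}

echo "with terminator:";    effective_providers "$demo_dir/base.security" "$demo_dir/fips.security"
echo "without terminator:"; effective_providers "$demo_dir/base.security" "$demo_dir/fips-noterm.security"
```

Without the empty entry, positions 8 to 10 of the base list survive the overlay, so providers outside the intended FIPS list stay registered.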
      

      NSS Native FIPS Key Import Export Adapter (OPENJDK-2135)

      ${java.home}/lib/libnssadapter.so is built from the OPENJDK-2135 development, and would be shipped alongside the other Red Hat build of OpenJDK 25 libraries.

      Remaining Red Hat build of OpenJDK 25 FIPS patch

      Since the JDK-8315487: Security Providers Filter work is still pending, we need to keep a reduced version of the downstream FIPS patch. A preview version of this patch can be found at franferrax/jdk@4aa519c: Algorithms lockdown.

              fferrari@redhat.com Francisco Ferrari Bihurriet
              fferrari@redhat.com Francisco Ferrari Bihurriet
              Francisco Ferrari Bihurriet, Martin Balao Alonso