- Task
- Resolution: Unresolved
- Major
This task is to remove a group of downstream patches: those that disable non-FIPS-compliant algorithms in the OpenJDK security providers that we must keep enabled. We make use of some services in these providers which don't involve cryptographic operations and can be considered "safe" (this allow-list is built by statically analyzing the providers' code). Patches in this family consist largely of if statements that disable provider code when FIPS mode has been detected.
Every patch is listed as a sub-task, to be closed once we are able to remove that patch in a future OpenJDK 22 build, and in an OpenJDK 21 build assuming the work referred to in this task is upstreamed. You can refer to the full fips-21u-75ffdc48eda.patch list of included commits, which corresponds to java-21-openjdk-21.0.0.0.35-1.el8.
Upstream proposal status
The Security Providers Filter proposal has been discussed on the security-dev OpenJDK mailing list. We have also created its corresponding Java Bug System issue and a GitHub pull request. See Issue Links below for references.
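To make the allow-list idea concrete, the following added example (not code from the downstream patches or from the upstream proposal) audits a running JVM with the standard `java.security` API and reports every provider service that an allow-list does not cover. The class name, the `provider/type/algorithm` entry format and the allow-list entries are assumptions constructed for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class ProviderServiceAudit {
    // Constructed allow-list (NOT the list used by the downstream patches).
    // Entry format is an assumption: "provider/type/algorithm"; a trailing
    // "*" matches any algorithm of that service type.
    static final Set<String> ALLOWED = Set.of(
            "SUN/CertificateFactory/X.509",
            "SUN/CertStore/*",
            "SUN/Configuration/JavaLoginConfig");

    static boolean isAllowed(String provider, String type, String algorithm) {
        return ALLOWED.contains(provider + "/" + type + "/" + algorithm)
                || ALLOWED.contains(provider + "/" + type + "/*");
    }

    // Returns every registered service that the allow-list does not cover.
    static List<String> findUnlisted(Provider[] providers) {
        List<String> unlisted = new ArrayList<>();
        for (Provider p : providers) {
            for (Provider.Service s : p.getServices()) {
                if (!isAllowed(p.getName(), s.getType(), s.getAlgorithm())) {
                    unlisted.add(p.getName() + "/" + s.getType()
                            + "/" + s.getAlgorithm());
                }
            }
        }
        unlisted.sort(null); // natural String order, for stable diffs
        return unlisted;
    }

    public static void main(String[] args) {
        List<String> unlisted = findUnlisted(Security.getProviders());
        unlisted.forEach(System.out::println);
        System.out.println(unlisted.size()
                + " service(s) outside the allow-list");
        // Non-zero exit lets a build or deployment check fail on drift.
        System.exit(unlisted.isEmpty() ? 0 : 1);
    }
}
```

Run on a JVM where provider services have been restricted, the report shows what is still registered beyond the intended list, which makes drift between the allow-list and the build visible.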
- is depended on by
  - OPENJDK-4184 Include new FIPS patch in OpenJDK 25 portable build
  - Planning
- links to
  - JDK-8315487 Security Providers Filter
  - openjdk/jdk#15539 8315487: Security Providers Filter
  - RFD: Services lockdown for security providers (security-dev)