Skip to content

Commit

Permalink
Merge pull request #332 from jasonkatonica/katonica/feature/setfipsprops
Browse files Browse the repository at this point in the history
Set property com.ibm.fips.mode based upon active profile
  • Loading branch information
keithc-ca authored Mar 19, 2024
2 parents c86cd88 + ac28ba0 commit 1ce0727
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -472,6 +472,12 @@ private static void setProperties(Properties props) {
propsMapping.put("jdk.tls.legacyAlgorithms", restricts.jdkTlsLegacyAlgorithms);
propsMapping.put("jdk.certpath.disabledAlgorithms", restricts.jdkCertpathDisabledAlgorithms);
propsMapping.put("jdk.security.legacyAlgorithm", restricts.jdkSecurityLegacyAlgorithm);
String fipsMode = System.getProperty("com.ibm.fips.mode");
if (fipsMode == null) {
System.setProperty("com.ibm.fips.mode", restricts.jdkFipsMode);
} else if (!fipsMode.equals(restricts.jdkFipsMode)) {
printStackTraceAndExit("Property com.ibm.fips.mode is incompatible with semeru.customprofile and semeru.fips properties");
}

for (Map.Entry<String, String> entry : propsMapping.entrySet()) {
String jdkPropsName = entry.getKey();
Expand Down Expand Up @@ -593,6 +599,8 @@ private static final class RestrictedSecurityProperties {
String jdkSecureRandomProvider;
String jdkSecureRandomAlgorithm;

String jdkFipsMode;

// Provider with argument (provider name + optional argument).
private final List<String> providers;
// Provider without argument.
Expand Down Expand Up @@ -749,6 +757,8 @@ private void initProperties() {
securityProps.getProperty(profileID + ".securerandom.provider"));
jdkSecureRandomAlgorithm = parseProperty(
securityProps.getProperty(profileID + ".securerandom.algorithm"));
jdkFipsMode = parseProperty(
securityProps.getProperty(profileID + ".fips.mode"));

if (debug != null) {
debug.println("\tProperties of restricted security profile successfully loaded.");
Expand Down Expand Up @@ -1064,6 +1074,8 @@ private void printProfile(String profileToPrint) {
securityProps.getProperty(profileToPrint + ".desc.default"));
printProperty(profileToPrint + ".desc.fips: ",
securityProps.getProperty(profileToPrint + ".desc.fips"));
printProperty(profileToPrint + ".fips.mode: ",
securityProps.getProperty(profileToPrint + ".fips.mode"));
printProperty(profileToPrint + ".desc.number: ",
parseProperty(securityProps.getProperty(profileToPrint + ".desc.number")));
printProperty(profileToPrint + ".desc.policy: ",
Expand Down
3 changes: 3 additions & 0 deletions src/java.base/share/conf/security/java.security
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,7 @@ RestrictedSecurity.NSS.140-2.desc.fips = true
RestrictedSecurity.NSS.140-2.desc.number = Certificate #4413
RestrictedSecurity.NSS.140-2.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4413
RestrictedSecurity.NSS.140-2.desc.sunsetDate = 2026-09-21
RestrictedSecurity.NSS.140-2.fips.mode = 140-2

RestrictedSecurity.NSS.140-2.tls.disabledNamedCurves =
RestrictedSecurity.NSS.140-2.tls.disabledAlgorithms = \
Expand Down Expand Up @@ -159,6 +160,8 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.fips = true
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.number = Certificate #XXX
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.sunsetDate = 2026-09-21
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.fips.mode = 140-3

RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledNamedCurves =
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledAlgorithms = \
3DES_EDE_CBC, \
Expand Down

0 comments on commit 1ce0727

Please sign in to comment.