Merge openj9 into openj9-staging
Signed-off-by: Peter Shipton <Peter_Shipton@ca.ibm.com>
pshipton committed Mar 21, 2024
2 parents 2f241a5 + 1ce0727 commit ea48af2
Showing 3 changed files with 51 additions and 1 deletion.
@@ -472,6 +472,12 @@ private static void setProperties(Properties props) {
propsMapping.put("jdk.tls.legacyAlgorithms", restricts.jdkTlsLegacyAlgorithms);
propsMapping.put("jdk.certpath.disabledAlgorithms", restricts.jdkCertpathDisabledAlgorithms);
propsMapping.put("jdk.security.legacyAlgorithm", restricts.jdkSecurityLegacyAlgorithm);
String fipsMode = System.getProperty("com.ibm.fips.mode");
if (fipsMode == null) {
System.setProperty("com.ibm.fips.mode", restricts.jdkFipsMode);
} else if (!fipsMode.equals(restricts.jdkFipsMode)) {
printStackTraceAndExit("Property com.ibm.fips.mode is incompatible with semeru.customprofile and semeru.fips properties");
}

for (Map.Entry<String, String> entry : propsMapping.entrySet()) {
String jdkPropsName = entry.getKey();
@@ -593,6 +599,8 @@ private static final class RestrictedSecurityProperties {
String jdkSecureRandomProvider;
String jdkSecureRandomAlgorithm;

String jdkFipsMode;

// Provider with argument (provider name + optional argument).
private final List<String> providers;
// Provider without argument.
@@ -749,6 +757,8 @@ private void initProperties() {
securityProps.getProperty(profileID + ".securerandom.provider"));
jdkSecureRandomAlgorithm = parseProperty(
securityProps.getProperty(profileID + ".securerandom.algorithm"));
jdkFipsMode = parseProperty(
securityProps.getProperty(profileID + ".fips.mode"));

if (debug != null) {
debug.println("\tProperties of restricted security profile successfully loaded.");
@@ -1064,6 +1074,8 @@ private void printProfile(String profileToPrint) {
securityProps.getProperty(profileToPrint + ".desc.default"));
printProperty(profileToPrint + ".desc.fips: ",
securityProps.getProperty(profileToPrint + ".desc.fips"));
printProperty(profileToPrint + ".fips.mode: ",
securityProps.getProperty(profileToPrint + ".fips.mode"));
printProperty(profileToPrint + ".desc.number: ",
parseProperty(securityProps.getProperty(profileToPrint + ".desc.number")));
printProperty(profileToPrint + ".desc.policy: ",
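Review bot: In the `setProperties` hunk, `restricts.jdkFipsMode` is passed to `System.setProperty` and to `fipsMode.equals(...)` without checking that the active profile actually defines a `.fips.mode` key. `parseProperty` is not visible here; if it returns null for a missing key, `System.setProperty("com.ibm.fips.mode", null)` throws a NullPointerException, and if it returns an empty string, any user-supplied `com.ibm.fips.mode` value is rejected as incompatible on a profile that never declared a mode. I would make the missing-key case an explicit decision, for example guarding the block with `if (restricts.jdkFipsMode != null && !restricts.jdkFipsMode.isEmpty()) {`, or failing with a message that names the profile. The exit message would also be easier to act on if it reported both values, e.g. `" (com.ibm.fips.mode=" + fipsMode + ", profile fips.mode=" + restricts.jdkFipsMode + ")"`. Both `setProperties` and `initProperties` continue outside the visible hunks.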
@@ -25,7 +25,7 @@

/*
* ===========================================================================
* (c) Copyright IBM Corp. 1997, 2020 All Rights Reserved
* (c) Copyright IBM Corp. 1997, 2024 All Rights Reserved
* ===========================================================================
*/

@@ -101,6 +101,7 @@ public class URLClassPath {
private static final boolean DISABLE_ACC_CHECKING;
private static final boolean DISABLE_CP_URL_CHECK;
private static final boolean DEBUG_CP_URL_CHECK;
private static final boolean DISABLE_JAR_INDEX; //OpenJ9-shared_classes_misc

static {
Properties props = GetPropertyAction.privilegedGetProperties();
Expand All @@ -120,6 +121,9 @@ public class URLClassPath {
// the check is not disabled).
p = props.getProperty("jdk.net.URLClassPath.showIgnoredClassPathEntries");
DEBUG_CP_URL_CHECK = p != null ? p.equals("true") || p.isEmpty() : false;

p = props.getProperty("com.ibm.oti.shared.disableJarIndex"); //OpenJ9-shared_classes_misc
DISABLE_JAR_INDEX = p != null ? p.equals("true") || p.isEmpty() : false; //OpenJ9-shared_classes_misc
}

/* The original search path of URLs. */
@@ -1222,6 +1226,37 @@ URL[] getClassPath() throws IOException {

ensureOpen();

if (usingSharedClasses && !DISABLE_JAR_INDEX) { //OpenJ9-shared_classes_misc
/* If usingSharedClasses is true, ensureOpen() does not use and set jar index. //OpenJ9-shared_classes_misc
* If usingSharedClasses is false, ensureOpen() uses and sets jar index (if it exists). //OpenJ9-shared_classes_misc
* Go through jar index here so that class path in jar index is searched. //OpenJ9-shared_classes_misc
*/ //OpenJ9-shared_classes_misc
JarIndex localIndex = JarIndex.getJarIndex(jar); //OpenJ9-shared_classes_misc
if (localIndex != null) { //OpenJ9-shared_classes_misc
String[] jarfiles = localIndex.getJarFiles(); //OpenJ9-shared_classes_misc
URL[] urls = new URL[jarfiles.length]; //OpenJ9-shared_classes_misc
int count = 0; //OpenJ9-shared_classes_misc
for (int i = 0; i < jarfiles.length; i++) { //OpenJ9-shared_classes_misc
try { //OpenJ9-shared_classes_misc
URL jarURL = new URL(csu, jarfiles[i]); //OpenJ9-shared_classes_misc
urls[count] = jarURL; //OpenJ9-shared_classes_misc
count++; //OpenJ9-shared_classes_misc
} catch (MalformedURLException e) { //OpenJ9-shared_classes_misc
continue; //OpenJ9-shared_classes_misc
} //OpenJ9-shared_classes_misc
} //OpenJ9-shared_classes_misc
if (count > 0) { //OpenJ9-shared_classes_misc
urls = Arrays.copyOf(urls, count); //OpenJ9-shared_classes_misc
} else { //OpenJ9-shared_classes_misc
urls = null; //OpenJ9-shared_classes_misc
} //OpenJ9-shared_classes_misc
/* //OpenJ9-shared_classes_misc
* If jar index exists, class path in manifest is ignored, directly return here. //OpenJ9-shared_classes_misc
* (See the check of index != null at the beginning of this function) //OpenJ9-shared_classes_misc
*/ //OpenJ9-shared_classes_misc
return urls; //OpenJ9-shared_classes_misc
} //OpenJ9-shared_classes_misc
} //OpenJ9-shared_classes_misc
// Only get manifest when necessary
if (SharedSecrets.javaUtilJarAccess().jarFileHasClassPathAttribute(jar)) {
Manifest man = jar.getManifest();
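Review bot: The index entries in the new `getClassPath` block are resolved with `new URL(csu, jarfiles[i])` and returned directly, so names read from the JAR's own index become class-path URLs without passing through whatever validation `DISABLE_CP_URL_CHECK` governs for manifest `Class-Path` entries (that code is outside this hunk, so this is inferred from the flag's presence in the class). Because the block returns before the manifest branch, an indexed JAR loaded with shared classes enabled would skip that check entirely. I would resolve each entry through the same helper the manifest path uses unless `DISABLE_CP_URL_CHECK` is set, and replace the silent `continue` with a diagnostic under `DEBUG_CP_URL_CHECK`, adding a comment such as `// Index entries come from the JAR itself; validate them like Class-Path entries.` `getClassPath` begins and ends outside the hunk.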
3 changes: 3 additions & 0 deletions src/java.base/share/conf/security/java.security
@@ -94,6 +94,7 @@ RestrictedSecurity.NSS.140-2.desc.fips = true
RestrictedSecurity.NSS.140-2.desc.number = Certificate #4413
RestrictedSecurity.NSS.140-2.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4413
RestrictedSecurity.NSS.140-2.desc.sunsetDate = 2026-09-21
RestrictedSecurity.NSS.140-2.fips.mode = 140-2

RestrictedSecurity.NSS.140-2.tls.disabledNamedCurves =
RestrictedSecurity.NSS.140-2.tls.disabledAlgorithms = \
@@ -159,6 +160,8 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.fips = true
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.number = Certificate #XXX
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.sunsetDate = 2026-09-21
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.fips.mode = 140-3

RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledNamedCurves =
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledAlgorithms = \
3DES_EDE_CBC, \
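Review bot: The two new `fips.mode` keys are added without a comment, yet the `setProperties` hunk on this page compares their values to `com.ibm.fips.mode` with an exact `equals`. An operator who sets that system property to anything other than the literal `140-2` or `140-3` gets a startup failure, so I would document the key next to the profile definitions, e.g. `# fips.mode: value written to com.ibm.fips.mode; a user-set value must match exactly (140-2, 140-3).` Whether the file's header comments already describe this key cannot be seen from these hunks.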