Merge openj9 into openj9-staging

Signed-off-by: Peter Shipton <Peter_Shipton@ca.ibm.com>
ibmruntimes · Mar 21, 2024 · ea48af2 · ea48af2
2 parents 2f241a5 + 1ce0727
commit ea48af2
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 1 deletion.
diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
@@ -472,6 +472,12 @@ private static void setProperties(Properties props) {
  propsMapping.put("jdk.tls.legacyAlgorithms", restricts.jdkTlsLegacyAlgorithms);
  propsMapping.put("jdk.certpath.disabledAlgorithms", restricts.jdkCertpathDisabledAlgorithms);
  propsMapping.put("jdk.security.legacyAlgorithm", restricts.jdkSecurityLegacyAlgorithm);
+ String fipsMode = System.getProperty("com.ibm.fips.mode");
+ if (fipsMode == null) {
+ System.setProperty("com.ibm.fips.mode", restricts.jdkFipsMode);
+ } else if (!fipsMode.equals(restricts.jdkFipsMode)) {
+ printStackTraceAndExit("Property com.ibm.fips.mode is incompatible with semeru.customprofile and semeru.fips properties");
+ }
 
  for (Map.Entry<String, String> entry : propsMapping.entrySet()) {
  String jdkPropsName = entry.getKey();
@@ -593,6 +599,8 @@ private static final class RestrictedSecurityProperties {
  String jdkSecureRandomProvider;
  String jdkSecureRandomAlgorithm;
 
+ String jdkFipsMode;
+
  // Provider with argument (provider name + optional argument).
  private final List<String> providers;
  // Provider without argument.
@@ -749,6 +757,8 @@ private void initProperties() {
  securityProps.getProperty(profileID + ".securerandom.provider"));
  jdkSecureRandomAlgorithm = parseProperty(
  securityProps.getProperty(profileID + ".securerandom.algorithm"));
+ jdkFipsMode = parseProperty(
+ securityProps.getProperty(profileID + ".fips.mode"));
 
  if (debug != null) {
  debug.println("\tProperties of restricted security profile successfully loaded.");
@@ -1064,6 +1074,8 @@ private void printProfile(String profileToPrint) {
  securityProps.getProperty(profileToPrint + ".desc.default"));
  printProperty(profileToPrint + ".desc.fips: ",
  securityProps.getProperty(profileToPrint + ".desc.fips"));
+ printProperty(profileToPrint + ".fips.mode: ",
+ securityProps.getProperty(profileToPrint + ".fips.mode"));
  printProperty(profileToPrint + ".desc.number: ",
  parseProperty(securityProps.getProperty(profileToPrint + ".desc.number")));
  printProperty(profileToPrint + ".desc.policy: ",

diff --git a/src/java.base/share/classes/jdk/internal/loader/URLClassPath.java b/src/java.base/share/classes/jdk/internal/loader/URLClassPath.java
@@ -25,7 +25,7 @@
 
 /*
  * ===========================================================================
- * (c) Copyright IBM Corp. 1997, 2020 All Rights Reserved
+ * (c) Copyright IBM Corp. 1997, 2024 All Rights Reserved
  * ===========================================================================
  */
 
@@ -101,6 +101,7 @@ public class URLClassPath {
  private static final boolean DISABLE_ACC_CHECKING;
  private static final boolean DISABLE_CP_URL_CHECK;
  private static final boolean DEBUG_CP_URL_CHECK;
+ private static final boolean DISABLE_JAR_INDEX; //OpenJ9-shared_classes_misc
 
  static {
  Properties props = GetPropertyAction.privilegedGetProperties();
@@ -120,6 +121,9 @@ public class URLClassPath {
  // the check is not disabled).
  p = props.getProperty("jdk.net.URLClassPath.showIgnoredClassPathEntries");
  DEBUG_CP_URL_CHECK = p != null ? p.equals("true") || p.isEmpty() : false;
+
+ p = props.getProperty("com.ibm.oti.shared.disableJarIndex"); //OpenJ9-shared_classes_misc
+ DISABLE_JAR_INDEX = p != null ? p.equals("true") || p.isEmpty() : false; //OpenJ9-shared_classes_misc
  }
 
  /* The original search path of URLs. */
@@ -1222,6 +1226,37 @@ URL[] getClassPath() throws IOException {
 
  ensureOpen();
 
+ if (usingSharedClasses && !DISABLE_JAR_INDEX) { //OpenJ9-shared_classes_misc
+ /* If usingSharedClasses is true, ensureOpen() does not use and set jar index. //OpenJ9-shared_classes_misc
+ * If usingSharedClasses is false, ensureOpen() uses and sets jar index (if it exists). //OpenJ9-shared_classes_misc
+ * Go through jar index here so that class path in jar index is searched. //OpenJ9-shared_classes_misc
+ */ //OpenJ9-shared_classes_misc
+ JarIndex localIndex = JarIndex.getJarIndex(jar); //OpenJ9-shared_classes_misc
+ if (localIndex != null) { //OpenJ9-shared_classes_misc
+ String[] jarfiles = localIndex.getJarFiles(); //OpenJ9-shared_classes_misc
+ URL[] urls = new URL[jarfiles.length]; //OpenJ9-shared_classes_misc
+ int count = 0; //OpenJ9-shared_classes_misc
+ for (int i = 0; i < jarfiles.length; i++) { //OpenJ9-shared_classes_misc
+ try { //OpenJ9-shared_classes_misc
+ URL jarURL = new URL(csu, jarfiles[i]); //OpenJ9-shared_classes_misc
+ urls[count] = jarURL; //OpenJ9-shared_classes_misc
+ count++; //OpenJ9-shared_classes_misc
+ } catch (MalformedURLException e) { //OpenJ9-shared_classes_misc
+ continue; //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
+ if (count > 0) { //OpenJ9-shared_classes_misc
+ urls = Arrays.copyOf(urls, count); //OpenJ9-shared_classes_misc
+ } else { //OpenJ9-shared_classes_misc
+ urls = null; //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
+ /* //OpenJ9-shared_classes_misc
+ * If jar index exists, class path in manifest is ignored, directly return here. //OpenJ9-shared_classes_misc
+ * (See the check of index != null at the beginning of this function) //OpenJ9-shared_classes_misc
+ */ //OpenJ9-shared_classes_misc
+ return urls; //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
  // Only get manifest when necessary
  if (SharedSecrets.javaUtilJarAccess().jarFileHasClassPathAttribute(jar)) {
  Manifest man = jar.getManifest();

diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
@@ -94,6 +94,7 @@ RestrictedSecurity.NSS.140-2.desc.fips = true
 RestrictedSecurity.NSS.140-2.desc.number = Certificate #4413
 RestrictedSecurity.NSS.140-2.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4413
 RestrictedSecurity.NSS.140-2.desc.sunsetDate = 2026-09-21
+RestrictedSecurity.NSS.140-2.fips.mode = 140-2
 
 RestrictedSecurity.NSS.140-2.tls.disabledNamedCurves =
 RestrictedSecurity.NSS.140-2.tls.disabledAlgorithms = \
@@ -159,6 +160,8 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.fips = true
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.number = Certificate #XXX
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.sunsetDate = 2026-09-21
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.fips.mode = 140-3
+
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledNamedCurves =
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledAlgorithms = \
  3DES_EDE_CBC, \