diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
index 67ed45c31a8..0d516cfe083 100644
--- a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
+++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
@@ -472,6 +472,12 @@ private static void setProperties(Properties props) {
 propsMapping.put("jdk.tls.legacyAlgorithms", restricts.jdkTlsLegacyAlgorithms);
 propsMapping.put("jdk.certpath.disabledAlgorithms", restricts.jdkCertpathDisabledAlgorithms);
 propsMapping.put("jdk.security.legacyAlgorithm", restricts.jdkSecurityLegacyAlgorithm);
+ String fipsMode = System.getProperty("com.ibm.fips.mode");
+ if (fipsMode == null) {
+ System.setProperty("com.ibm.fips.mode", restricts.jdkFipsMode);
+ } else if (!fipsMode.equals(restricts.jdkFipsMode)) {
+ printStackTraceAndExit("Property com.ibm.fips.mode is incompatible with semeru.customprofile and semeru.fips properties");
+ }
 for (Map.Entry entry : propsMapping.entrySet()) {
 String jdkPropsName = entry.getKey();
@@ -593,6 +599,8 @@ private static final class RestrictedSecurityProperties {
 String jdkSecureRandomProvider;
 String jdkSecureRandomAlgorithm;
+ String jdkFipsMode;
+
 // Provider with argument (provider name + optional argument).
 private final List providers;
 // Provider without argument.
@@ -749,6 +757,8 @@ private void initProperties() {
 securityProps.getProperty(profileID + ".securerandom.provider"));
 jdkSecureRandomAlgorithm = parseProperty(
 securityProps.getProperty(profileID + ".securerandom.algorithm"));
+ jdkFipsMode = parseProperty(
+ securityProps.getProperty(profileID + ".fips.mode"));
 if (debug != null) {
 debug.println("\tProperties of restricted security profile successfully loaded.");
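Review bot: In the `setProperties` hunk, `restricts.jdkFipsMode` is passed to `System.setProperty("com.ibm.fips.mode", ...)` without a null check, and `System.setProperty` throws `NullPointerException` on a null value. The `initProperties` hunk fills the field from `securityProps.getProperty(profileID + ".fips.mode")`, which returns null for a profile that does not define the key, and this commit adds the key to only two profiles in java.security; whether `parseProperty` substitutes a default is not visible here, so this needs confirming. The same gap makes the `else if` branch exit with the "incompatible" message whenever the user sets `com.ibm.fips.mode` and the profile has no value at all. I would wrap the added block in `if (restricts.jdkFipsMode != null) {` or reject such a profile with its own explicit message, and include both the requested and the profile value in the exit text so the mismatch can be diagnosed. Both functions continue outside their hunks.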
@@ -1064,6 +1074,8 @@ private void printProfile(String profileToPrint) {
 securityProps.getProperty(profileToPrint + ".desc.default"));
 printProperty(profileToPrint + ".desc.fips: ",
 securityProps.getProperty(profileToPrint + ".desc.fips"));
+ printProperty(profileToPrint + ".fips.mode: ",
+ securityProps.getProperty(profileToPrint + ".fips.mode"));
 printProperty(profileToPrint + ".desc.number: ",
 parseProperty(securityProps.getProperty(profileToPrint + ".desc.number")));
 printProperty(profileToPrint + ".desc.policy: ",
diff --git a/src/java.base/share/classes/jdk/internal/loader/URLClassPath.java b/src/java.base/share/classes/jdk/internal/loader/URLClassPath.java
index 2f09cbf107c..af6e72e2e3c 100644
--- a/src/java.base/share/classes/jdk/internal/loader/URLClassPath.java
+++ b/src/java.base/share/classes/jdk/internal/loader/URLClassPath.java
@@ -25,7 +25,7 @@
 /*
 * ===========================================================================
- * (c) Copyright IBM Corp. 1997, 2020 All Rights Reserved
+ * (c) Copyright IBM Corp. 1997, 2024 All Rights Reserved
 * ===========================================================================
 */
@@ -101,6 +101,7 @@ public class URLClassPath {
 private static final boolean DISABLE_ACC_CHECKING;
 private static final boolean DISABLE_CP_URL_CHECK;
 private static final boolean DEBUG_CP_URL_CHECK;
+ private static final boolean DISABLE_JAR_INDEX; //OpenJ9-shared_classes_misc
 static {
 Properties props = GetPropertyAction.privilegedGetProperties();
@@ -120,6 +121,9 @@ public class URLClassPath {
 // the check is not disabled).
 p = props.getProperty("jdk.net.URLClassPath.showIgnoredClassPathEntries");
 DEBUG_CP_URL_CHECK = p != null ? p.equals("true") || p.isEmpty() : false;
+
+ p = props.getProperty("com.ibm.oti.shared.disableJarIndex"); //OpenJ9-shared_classes_misc
+ DISABLE_JAR_INDEX = p != null ? p.equals("true") || p.isEmpty() : false; //OpenJ9-shared_classes_misc
 }
 /* The original search path of URLs. */
@@ -1222,6 +1226,37 @@ URL[] getClassPath() throws IOException {
 ensureOpen();
+ if (usingSharedClasses && !DISABLE_JAR_INDEX) { //OpenJ9-shared_classes_misc
+ /* If usingSharedClasses is true, ensureOpen() does not use and set jar index. //OpenJ9-shared_classes_misc
+ * If usingSharedClasses is false, ensureOpen() uses and sets jar index (if it exists). //OpenJ9-shared_classes_misc
+ * Go through jar index here so that class path in jar index is searched. //OpenJ9-shared_classes_misc
+ */ //OpenJ9-shared_classes_misc
+ JarIndex localIndex = JarIndex.getJarIndex(jar); //OpenJ9-shared_classes_misc
+ if (localIndex != null) { //OpenJ9-shared_classes_misc
+ String[] jarfiles = localIndex.getJarFiles(); //OpenJ9-shared_classes_misc
+ URL[] urls = new URL[jarfiles.length]; //OpenJ9-shared_classes_misc
+ int count = 0; //OpenJ9-shared_classes_misc
+ for (int i = 0; i < jarfiles.length; i++) { //OpenJ9-shared_classes_misc
+ try { //OpenJ9-shared_classes_misc
+ URL jarURL = new URL(csu, jarfiles[i]); //OpenJ9-shared_classes_misc
+ urls[count] = jarURL; //OpenJ9-shared_classes_misc
+ count++; //OpenJ9-shared_classes_misc
+ } catch (MalformedURLException e) { //OpenJ9-shared_classes_misc
+ continue; //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
+ if (count > 0) { //OpenJ9-shared_classes_misc
+ urls = Arrays.copyOf(urls, count); //OpenJ9-shared_classes_misc
+ } else { //OpenJ9-shared_classes_misc
+ urls = null; //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
+ /* //OpenJ9-shared_classes_misc
+ * If jar index exists, class path in manifest is ignored, directly return here. //OpenJ9-shared_classes_misc
+ * (See the check of index != null at the beginning of this function) //OpenJ9-shared_classes_misc
+ */ //OpenJ9-shared_classes_misc
+ return urls; //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
 // Only get manifest when necessary
 if (SharedSecrets.javaUtilJarAccess().jarFileHasClassPathAttribute(jar)) {
 Manifest man = jar.getManifest();
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 21b78e28ec9..17b26bbbd19 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -94,6 +94,7 @@ RestrictedSecurity.NSS.140-2.desc.fips = true
 RestrictedSecurity.NSS.140-2.desc.number = Certificate #4413
 RestrictedSecurity.NSS.140-2.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4413
 RestrictedSecurity.NSS.140-2.desc.sunsetDate = 2026-09-21
+RestrictedSecurity.NSS.140-2.fips.mode = 140-2
 RestrictedSecurity.NSS.140-2.tls.disabledNamedCurves =
 RestrictedSecurity.NSS.140-2.tls.disabledAlgorithms = \
@@ -159,6 +160,8 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.fips = true
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.number = Certificate #XXX
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.sunsetDate = 2026-09-21
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.fips.mode = 140-3
+
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledNamedCurves =
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledAlgorithms = \
 3DES_EDE_CBC, \
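Review bot: In the `getClassPath()` hunk of URLClassPath.java, entries read from the jar's index are turned into class-path URLs with a bare `new URL(csu, jarfiles[i])`, so they skip the Class-Path URL check that the `DISABLE_CP_URL_CHECK` flag in this class governs for manifest entries. The index is data carried inside the jar, so it deserves the same validation as the manifest attribute. If this file still has upstream's `tryResolve` helper (not visible in these hunks), I would use `URL jarURL = DISABLE_CP_URL_CHECK ? new URL(csu, jarfiles[i]) : tryResolve(csu, jarfiles[i]);` and skip null results. The `catch (MalformedURLException e)` branch also drops the entry silently; printing it when `DEBUG_CP_URL_CHECK` is set would keep ignored entries diagnosable. The function starts and ends outside the hunk, so the `index != null` check that the added comment refers to could not be confirmed here.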