From 8dcc499cb597d899f245343c7e146df8661f91c0 Mon Sep 17 00:00:00 2001
From: Jason Katonica
Date: Mon, 4 Mar 2024 17:08:35 -0500
Subject: [PATCH] Set property com.ibm.fips.mode based upon active profile

When loading a restricted security mode profile we need to set the property value `com.ibm.fips.mode` to the value contained within the active profile.

Signed-off-by: Jason Katonica
---
 .../openj9/internal/security/RestrictedSecurity.java | 12 ++++++++++++
 src/java.base/share/conf/security/java.security | 3 +++
 2 files changed, 15 insertions(+)

diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
index 43024f9f87f..f0cd0810c4f 100644
--- a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
+++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
@@ -474,6 +474,12 @@ private static void setProperties(Properties props) {
         propsMapping.put("jdk.tls.legacyAlgorithms", restricts.jdkTlsLegacyAlgorithms);
         propsMapping.put("jdk.certpath.disabledAlgorithms", restricts.jdkCertpathDisabledAlgorithms);
         propsMapping.put("jdk.security.legacyAlgorithm", restricts.jdkSecurityLegacyAlgorithm);
+        String fipsMode = System.getProperty("com.ibm.fips.mode");
+        if (fipsMode == null) {
+            System.setProperty("com.ibm.fips.mode", restricts.jdkFipsMode);
+        } else if (!fipsMode.equals(restricts.jdkFipsMode)) {
+            printStackTraceAndExit("Property com.ibm.fips.mode is incompatible with semeru.customprofile and semeru.fips properties");
+        }
 
         for (Map.Entry entry : propsMapping.entrySet()) {
             String jdkPropsName = entry.getKey();
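Review bot: The added block dereferences `restricts.jdkFipsMode` without a null check, yet that field is filled from `parseProperty(securityProps.getProperty(profileID + ".fips.mode"))` and only the two FIPS profiles gain a `.fips.mode` key in this patch, so for any other profile the value is presumably null (parseProperty is not visible here; the check should match whatever it returns for a missing key). In that case `System.setProperty("com.ibm.fips.mode", null)` throws NullPointerException, and if the user has set the property the `equals` branch exits with an "incompatible" message that is misleading for a profile that declares no mode. Guard on the profile value first and leave the system property untouched when the profile has no mode; only profiles that declare one should enforce the match. setProperties starts and ends outside the hunk.
```java
        String profileFipsMode = restricts.jdkFipsMode;
        if (profileFipsMode != null) {
            String fipsMode = System.getProperty("com.ibm.fips.mode");
            if (fipsMode == null) {
                System.setProperty("com.ibm.fips.mode", profileFipsMode);
            } else if (!profileFipsMode.equals(fipsMode)) {
                printStackTraceAndExit("Property com.ibm.fips.mode is incompatible with semeru.customprofile and semeru.fips properties");
            }
        }
        // … unchanged: propsMapping loop …
```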
@@ -595,6 +601,8 @@ private static final class RestrictedSecurityProperties {
         String jdkSecureRandomProvider;
         String jdkSecureRandomAlgorithm;
 
+        String jdkFipsMode;
+
         // Provider with argument (provider name + optional argument).
         private final List providers;
         // Provider without argument.
@@ -751,6 +759,8 @@ private void initProperties() {
                     securityProps.getProperty(profileID + ".securerandom.provider"));
             jdkSecureRandomAlgorithm = parseProperty(
                     securityProps.getProperty(profileID + ".securerandom.algorithm"));
+            jdkFipsMode = parseProperty(
+                    securityProps.getProperty(profileID + ".fips.mode"));
 
             if (debug != null) {
                 debug.println("\tProperties of restricted security profile successfully loaded.");
@@ -1067,6 +1077,8 @@ private void printProfile(String profileToPrint) {
                     securityProps.getProperty(profileToPrint + ".desc.default"));
             printProperty(profileToPrint + ".desc.fips: ",
                     securityProps.getProperty(profileToPrint + ".desc.fips"));
+            printProperty(profileToPrint + ".fips.mode: ",
+                    securityProps.getProperty(profileToPrint + ".fips.mode"));
             printProperty(profileToPrint + ".desc.number: ",
                     parseProperty(securityProps.getProperty(profileToPrint + ".desc.number")));
             printProperty(profileToPrint + ".desc.policy: ",
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index ea48981a371..86842a3f240 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -100,6 +100,7 @@ RestrictedSecurity.NSS.140-2.desc.fips = true
 RestrictedSecurity.NSS.140-2.desc.number = Certificate #4413
 RestrictedSecurity.NSS.140-2.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4413
 RestrictedSecurity.NSS.140-2.desc.sunsetDate = 2026-09-21
+RestrictedSecurity.NSS.140-2.fips.mode = 140-2
 RestrictedSecurity.NSS.140-2.tls.disabledNamedCurves =
 RestrictedSecurity.NSS.140-2.tls.disabledAlgorithms = \
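Review bot: The new `jdkFipsMode` field carries no comment, unlike the provider fields immediately below it, and nothing records that it is unset for profiles without a `.fips.mode` entry even though its value ends up in the `com.ibm.fips.mode` system property. Suggest `// FIPS mode declared by the profile's <profile>.fips.mode key (e.g. 140-2, 140-3); unset when the profile declares none.` above the declaration. The enclosing class RestrictedSecurityProperties continues outside the hunk.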
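Review bot: The `.fips.mode` value loaded at `jdkFipsMode = parseProperty(...)` is accepted verbatim and later copied into `com.ibm.fips.mode`, so a typo or unexpected string in a profile silently becomes the process-wide FIPS mode. If the set of valid modes is fixed (this patch uses `140-2` and `140-3`), reject anything else here via `printStackTraceAndExit`, and at minimum print the loaded value in the `debug` block that follows so a mismatch is diagnosable. initProperties starts and ends outside the hunk.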
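Review bot: The new `printProperty(profileToPrint + ".fips.mode: ", ...)` call is placed in the middle of the `.desc.*` group, between `.desc.fips` and `.desc.number`, which breaks that grouping and differs from the key order in java.security, where `fips.mode` follows `desc.sunsetDate`. Move the two added lines after the last `.desc.*` call so the printed profile mirrors the file layout. printProfile continues outside the hunk.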
@@ -165,6 +166,8 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.fips = true
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.number = Certificate #XXX
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.sunsetDate = 2026-09-21
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.fips.mode = 140-3
+
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledNamedCurves =
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledAlgorithms = \
     3DES_EDE_CBC, \
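Review bot: The added blank line after `RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.fips.mode = 140-3` splits this profile's property block, while the matching NSS.140-2 hunk adds no such line; drop it for consistency between the two profiles. If the file's header comment documents the per-profile keys (not visible here), `fips.mode` should be described there as well, since RestrictedSecurity now copies it into the `com.ibm.fips.mode` system property.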