From 136f963d68de226f19b50f1b4d4a63f44ecbe602 Mon Sep 17 00:00:00 2001
From: Hang Shao
Date: Fri, 1 Mar 2024 14:29:08 -0500
Subject: [PATCH 1/2] Parse jar index when using SCC
If a jarIndex exists, the JDK by default (i.e. SCC is off) uses the URLs in the JarIndex to search for resources, the class path in manifest is ignored. However, when SCC is on, the jarIndex is always ignored and the class path in manifest is used, which differs from the default JDK behavior. Change SCC code in URLClassPath to always use URLs in jarIndex if it exists. Add a property "com.ibm.oti.shared.disableJarIndex" that can be used to control the behavior.
Signed-off-by: Hang Shao
---
 .../jdk/internal/loader/URLClassPath.java | 37 ++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/src/java.base/share/classes/jdk/internal/loader/URLClassPath.java b/src/java.base/share/classes/jdk/internal/loader/URLClassPath.java
index 2f09cbf107c..af6e72e2e3c 100644
--- a/src/java.base/share/classes/jdk/internal/loader/URLClassPath.java
+++ b/src/java.base/share/classes/jdk/internal/loader/URLClassPath.java
@@ -25,7 +25,7 @@
 /*
 * ===========================================================================
- * (c) Copyright IBM Corp. 1997, 2020 All Rights Reserved
+ * (c) Copyright IBM Corp. 1997, 2024 All Rights Reserved
 * ===========================================================================
 */
@@ -101,6 +101,7 @@ public class URLClassPath {
 private static final boolean DISABLE_ACC_CHECKING;
 private static final boolean DISABLE_CP_URL_CHECK;
 private static final boolean DEBUG_CP_URL_CHECK;
+ private static final boolean DISABLE_JAR_INDEX; //OpenJ9-shared_classes_misc
 static {
 Properties props = GetPropertyAction.privilegedGetProperties();
@@ -120,6 +121,9 @@ public class URLClassPath {
 // the check is not disabled).
 p = props.getProperty("jdk.net.URLClassPath.showIgnoredClassPathEntries");
 DEBUG_CP_URL_CHECK = p != null ? p.equals("true") || p.isEmpty() : false;
+
+ p = props.getProperty("com.ibm.oti.shared.disableJarIndex"); //OpenJ9-shared_classes_misc
+ DISABLE_JAR_INDEX = p != null ? p.equals("true") || p.isEmpty() : false; //OpenJ9-shared_classes_misc
 }
 /* The original search path of URLs. */
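Review bot: The new `DISABLE_JAR_INDEX` flag is parsed on the last added line with the same `p.equals("true") || p.isEmpty()` rule as the JDK flags above it, but unlike those it carries no comment saying what it controls, and the property name otherwise appears only in the commit message. A one-line comment before the `props.getProperty("com.ibm.oti.shared.disableJarIndex")` call would close that gap, e.g. `// -Dcom.ibm.oti.shared.disableJarIndex (empty or "true") keeps the old SCC behavior: the jar index is ignored and the manifest Class-Path is used.` The static initializer this hunk sits in begins before and ends after the hunk.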
@@ -1222,6 +1226,37 @@ URL[] getClassPath() throws IOException {
 ensureOpen();
+ if (usingSharedClasses && !DISABLE_JAR_INDEX) { //OpenJ9-shared_classes_misc
+ /* If usingSharedClasses is true, ensureOpen() does not use and set jar index. //OpenJ9-shared_classes_misc
+ * If usingSharedClasses is false, ensureOpen() uses and sets jar index (if it exists). //OpenJ9-shared_classes_misc
+ * Go through jar index here so that class path in jar index is searched. //OpenJ9-shared_classes_misc
+ */ //OpenJ9-shared_classes_misc
+ JarIndex localIndex = JarIndex.getJarIndex(jar); //OpenJ9-shared_classes_misc
+ if (localIndex != null) { //OpenJ9-shared_classes_misc
+ String[] jarfiles = localIndex.getJarFiles(); //OpenJ9-shared_classes_misc
+ URL[] urls = new URL[jarfiles.length]; //OpenJ9-shared_classes_misc
+ int count = 0; //OpenJ9-shared_classes_misc
+ for (int i = 0; i < jarfiles.length; i++) { //OpenJ9-shared_classes_misc
+ try { //OpenJ9-shared_classes_misc
+ URL jarURL = new URL(csu, jarfiles[i]); //OpenJ9-shared_classes_misc
+ urls[count] = jarURL; //OpenJ9-shared_classes_misc
+ count++; //OpenJ9-shared_classes_misc
+ } catch (MalformedURLException e) { //OpenJ9-shared_classes_misc
+ continue; //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
+ if (count > 0) { //OpenJ9-shared_classes_misc
+ urls = Arrays.copyOf(urls, count); //OpenJ9-shared_classes_misc
+ } else { //OpenJ9-shared_classes_misc
+ urls = null; //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
+ /* //OpenJ9-shared_classes_misc
+ * If jar index exists, class path in manifest is ignored, directly return here. //OpenJ9-shared_classes_misc
+ * (See the check of index != null at the beginning of this function) //OpenJ9-shared_classes_misc
+ */ //OpenJ9-shared_classes_misc
+ return urls; //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
+ } //OpenJ9-shared_classes_misc
 // Only get manifest when necessary
 if (SharedSecrets.javaUtilJarAccess().jarFileHasClassPathAttribute(jar)) {
 Manifest man = jar.getManifest();
From ac28ba0b968c0871f56e2acace9ce1d57f41c379 Mon Sep 17 00:00:00 2001
From: Jason Katonica
Date: Mon, 4 Mar 2024 17:08:35 -0500
Subject: [PATCH 2/2] Set property com.ibm.fips.mode based upon active profile
When loading a restricted security mode profile we need to set the property value `com.ibm.fips.mode` to the value contained within the active profile.
Signed-off-by: Jason Katonica
---
 .../openj9/internal/security/RestrictedSecurity.java | 12 ++++++++++++
 src/java.base/share/conf/security/java.security | 3 +++
 2 files changed, 15 insertions(+)
diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
index 67ed45c31a8..0d516cfe083 100644
--- a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
+++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
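Review bot: Entries read from the jar index in getClassPath() are turned into class-path URLs with a bare `new URL(csu, jarfiles[i])`, so, unlike the manifest Class-Path that this branch now bypasses, they are not subject to whatever check `DISABLE_CP_URL_CHECK` governs (the flag is declared in the earlier hunk but the check itself is outside this one, so this may be deliberate parity with the non-SCC path — either way it deserves a comment saying so at that line). The `catch (MalformedURLException e) { continue; }` also drops a bad index entry without any trace, while the file already has the `DEBUG_CP_URL_CHECK` switch for reporting ignored entries; `if (DEBUG_CP_URL_CHECK) { System.err.println("Jar index entry: \"" + jarfiles[i] + "\" ignored in JAR file " + csu); }` inside the catch would make a misconfigured index diagnosable the same way. getClassPath() starts before this hunk, including the `index != null` check the new comment refers to.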
@@ -472,6 +472,12 @@ private static void setProperties(Properties props) {
 propsMapping.put("jdk.tls.legacyAlgorithms", restricts.jdkTlsLegacyAlgorithms);
 propsMapping.put("jdk.certpath.disabledAlgorithms", restricts.jdkCertpathDisabledAlgorithms);
 propsMapping.put("jdk.security.legacyAlgorithm", restricts.jdkSecurityLegacyAlgorithm);
+ String fipsMode = System.getProperty("com.ibm.fips.mode");
+ if (fipsMode == null) {
+ System.setProperty("com.ibm.fips.mode", restricts.jdkFipsMode);
+ } else if (!fipsMode.equals(restricts.jdkFipsMode)) {
+ printStackTraceAndExit("Property com.ibm.fips.mode is incompatible with semeru.customprofile and semeru.fips properties");
+ }
 for (Map.Entry entry : propsMapping.entrySet()) {
 String jdkPropsName = entry.getKey();
@@ -593,6 +599,8 @@ private static final class RestrictedSecurityProperties {
 String jdkSecureRandomProvider;
 String jdkSecureRandomAlgorithm;
+ String jdkFipsMode;
+
 // Provider with argument (provider name + optional argument).
 private final List providers;
 // Provider without argument.
@@ -749,6 +757,8 @@ private void initProperties() {
 securityProps.getProperty(profileID + ".securerandom.provider"));
 jdkSecureRandomAlgorithm = parseProperty(
 securityProps.getProperty(profileID + ".securerandom.algorithm"));
+ jdkFipsMode = parseProperty(
+ securityProps.getProperty(profileID + ".fips.mode"));
 if (debug != null) {
 debug.println("\tProperties of restricted security profile successfully loaded.");
@@ -1064,6 +1074,8 @@ private void printProfile(String profileToPrint) {
 securityProps.getProperty(profileToPrint + ".desc.default"));
 printProperty(profileToPrint + ".desc.fips: ",
 securityProps.getProperty(profileToPrint + ".desc.fips"));
+ printProperty(profileToPrint + ".fips.mode: ",
+ securityProps.getProperty(profileToPrint + ".fips.mode"));
 printProperty(profileToPrint + ".desc.number: ",
 parseProperty(securityProps.getProperty(profileToPrint + ".desc.number")));
 printProperty(profileToPrint + ".desc.policy: ",
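Review bot: `restricts.jdkFipsMode` is not guarded against null in the new block of setProperties(): the java.security hunk adds a `.fips.mode` key only to the NSS.140-2 and OpenJCEPlusFIPS.FIPS140-3 profiles, and the `initProperties()` hunk stores whatever `parseProperty` returns for a missing key, so for any other profile the block either calls `System.setProperty("com.ibm.fips.mode", null)`, which throws NullPointerException, or, when the user did set the property, fails `fipsMode.equals(null)` and exits with the "incompatible" message for a profile that declares no mode at all. Wrapping the six lines in `if (restricts.jdkFipsMode != null) { ... }` avoids both outcomes, assuming `parseProperty` yields null for an absent key, which is not visible here. The mismatch message would also be more useful with the two values included, e.g. `"... expected " + restricts.jdkFipsMode + " but found " + fipsMode`. setProperties() continues outside this hunk.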
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 21b78e28ec9..17b26bbbd19 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -94,6 +94,7 @@ RestrictedSecurity.NSS.140-2.desc.fips = true
 RestrictedSecurity.NSS.140-2.desc.number = Certificate #4413
 RestrictedSecurity.NSS.140-2.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4413
 RestrictedSecurity.NSS.140-2.desc.sunsetDate = 2026-09-21
+RestrictedSecurity.NSS.140-2.fips.mode = 140-2
 RestrictedSecurity.NSS.140-2.tls.disabledNamedCurves =
 RestrictedSecurity.NSS.140-2.tls.disabledAlgorithms = \
@@ -159,6 +160,8 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.fips = true
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.number = Certificate #XXX
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.sunsetDate = 2026-09-21
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.fips.mode = 140-3
+
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledNamedCurves =
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledAlgorithms = \
 3DES_EDE_CBC, \