Merge pull request #103 from WilburZjh/enable-fips

FIPS Mode for RHEL x86

Author: keithc-ca

closed/custom/modules/java.base/Copy.gmk

@@ -240,3 +240,15 @@ ifneq ($(OPENSSL_BUNDLE_LIB_PATH), )
   endif # OPENJ9_ENABLE_JITSERVER
 endif # OPENSSL_BUNDLE_LIB_PATH
 ################################################################################
+# Copy the nss.fips.cfg only on x86 linux
+
+ifeq ($(OPENJDK_TARGET_OS)-$(OPENJDK_TARGET_CPU_ARCH), linux-x86)
+  NSS_FIPS_CFG_SRC := $(TOPDIR)/closed/src/java.base/share/conf/security/nss.fips.cfg
+  NSS_FIPS_CFG_DST := $(CONF_DST_DIR)/security/nss.fips.cfg
+
+  $(NSS_FIPS_CFG_DST) : $(NSS_FIPS_CFG_SRC)
+	$(call install-file)
+
+  TARGETS += $(NSS_FIPS_CFG_DST)
+endif
+################################################################################

closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java

@@ -0,0 +1,159 @@
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved
+ * ===========================================================================
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * IBM designates this particular file as subject to the "Classpath" exception
+ * as provided by IBM in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * ===========================================================================
+ */
+
+package openj9.internal.security;
+
+import java.util.Iterator;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+import sun.security.util.Debug;
+
+/**
+ * Configures the security providers when in FIPS mode.
+ */
+public final class FIPSConfigurator {
+
+    private static final Debug debug = Debug.getInstance("semerufips");
+
+    // FIPS mode enable check, only supported on Linux x64.
+    private static final boolean userEnabledFIPS;
+    private static final boolean isFIPSSupported;
+    private static final boolean shouldEnableFIPS;
+
+    static {
+        String[] props = AccessController.doPrivileged(
+                new PrivilegedAction<>() {
+                    @Override
+                    public String[] run() {
+                        return new String[] {System.getProperty("semeru.fips"),
+                                System.getProperty("os.name"),
+                                System.getProperty("os.arch")};
+                    }
+                });
+        userEnabledFIPS = Boolean.parseBoolean(props[0]);
+        isFIPSSupported = "Linux".equalsIgnoreCase(props[1])
+                && "amd64".equalsIgnoreCase(props[2]);
+        shouldEnableFIPS = userEnabledFIPS && isFIPSSupported;
+    }
+
+    private FIPSConfigurator() {
+        super();
+    }
+
+    /**
+     * FIPS mode will be enabled only if the semeru.fips system
+     * property is true (default as false).
+     *
+     * @return true if FIPS is enabled
+     */
+    public static boolean enableFIPS() {
+        return shouldEnableFIPS;
+    }
+
+    /**
+     * Remove the security providers and only add the FIPS security providers.
+     *
+     * @param props the java.security properties
+     * @return true if the FIPS properties loaded successfully
+     */
+    public static boolean configureFIPS(Properties props) {
+        boolean loadedProps = false;
+
+        // Check if FIPS is supported on this platform.
+        if (userEnabledFIPS && !isFIPSSupported) {
+            throw new RuntimeException("FIPS is not supported on this platform.");
+        }
+
+        try {
+            if (shouldEnableFIPS) {
+                if (debug != null) {
+                    debug.println("FIPS mode detected, loading properties");
+                }
+
+                // Remove all security providers.
+                Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+                while (i.hasNext()) {
+                    Entry<Object, Object> e = i.next();
+                    if (((String) e.getKey()).startsWith("security.provider")) {
+                        if (debug != null) {
+                            debug.println("Removing provider: " + e);
+                        }
+                        i.remove();
+                    }
+                }
+
+                // Add FIPS security providers.
+                props.put("security.provider.1", "SunPKCS11 ${java.home}/conf/security/nss.fips.cfg");
+                props.put("security.provider.2", "SUN");
+                props.put("security.provider.3", "SunEC");
+                props.put("security.provider.4", "SunJSSE");
+
+                // Add FIPS security properties.
+                props.put("keystore.type", "PKCS11");
+                System.setProperty("javax.net.ssl.keyStore", "NONE");
+
+                // Add FIPS disabled algorithms.
+                String disabledAlgorithms = props.get("jdk.tls.disabledAlgorithms")
+                        + ", X25519, X448"
+                        + ", SSLv3, TLSv1, TLSv1.1"
+                        + ", TLS_CHACHA20_POLY1305_SHA256"
+                        + ", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"
+                        + ", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"
+                        + ", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"
+                        + ", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
+                        + ", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
+                        + ", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
+                        + ", TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256"
+                        + ", TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256"
+                        + ", TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"
+                        + ", TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256"
+                        + ", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+                        + ", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+                        + ", TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"
+                        + ", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
+                        + ", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+                        + ", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+                        + ", TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+                        + ", TLS_EMPTY_RENEGOTIATION_INFO_SCSV";
+                props.put("jdk.tls.disabledAlgorithms", disabledAlgorithms);
+
+                if (debug != null) {
+                    debug.println("FIPS mode properties loaded");
+                    debug.println(props.toString());
+                }
+
+                loadedProps = true;
+            }
+        } catch (Exception e) {
+            if (debug != null) {
+                debug.println("Unable to load FIPS configuration");
+                e.printStackTrace();
+            }
+        }
+        return loadedProps;
+    }
+}

closed/src/java.base/share/conf/security/nss.fips.cfg

@@ -0,0 +1,25 @@
+# ===========================================================================
+# (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved
+# ===========================================================================
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# IBM designates this particular file as subject to the "Classpath" exception
+# as provided by IBM in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, see <http://www.gnu.org/licenses/>.
+# ===========================================================================
+
+name = NSS-FIPS
+nssLibraryDirectory = /usr/lib64
+nssSecmodDirectory = /etc/pki/nssdb
+nssDbMode = readOnly
+nssModule = fips

src/java.base/share/classes/java/security/SecureRandom.java

@@ -23,6 +23,12 @@
  * questions.
  */
 
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved
+ * ===========================================================================
+ */
+
 package java.security;
 
 import java.math.BigInteger;
@@ -37,6 +43,8 @@
 import sun.security.provider.SunEntries;
 import sun.security.util.Debug;
 
+import openj9.internal.security.FIPSConfigurator;
+
 /**
  * This class provides a cryptographically strong random number
  * generator (RNG).
@@ -267,23 +275,38 @@ public SecureRandom(byte[] seed) {
     private void getDefaultPRNG(boolean setSeed, byte[] seed) {
         Service prngService = null;
         String prngAlgorithm = null;
-        for (Provider p : Providers.getProviderList().providers()) {
-            // SUN provider uses the SunEntries.DEF_SECURE_RANDOM_ALGO
-            // as the default SecureRandom algorithm; for other providers,
-            // Provider.getDefaultSecureRandom() will use the 1st
-            // registered SecureRandom algorithm
-            if (p.getName().equals("SUN")) {
-                prngAlgorithm = SunEntries.DEF_SECURE_RANDOM_ALGO;
-                prngService = p.getService("SecureRandom", prngAlgorithm);
-                break;
-            } else {
-                prngService = p.getDefaultSecureRandomService();
-                if (prngService != null) {
-                    prngAlgorithm = prngService.getAlgorithm();
+
+        // If in FIPS mode, use the SecureRandom from the FIPS provider.
+        if (FIPSConfigurator.enableFIPS()) {
+            Provider p = Security.getProvider("SunPKCS11-NSS-FIPS");
+            prngAlgorithm = "PKCS11";
+            if (p == null) {
+                throw new RuntimeException("could not find SunPKCS11-NSS-FIPS provider for FIPS mode");
+            }
+            prngService = p.getService("SecureRandom", prngAlgorithm);
+            if (prngService == null) {
+                throw new RuntimeException("could not find SecureRandom implementation from SunPKCS11-NSS-FIPS");
+            }
+        } else {
+            for (Provider p : Providers.getProviderList().providers()) {
+                // SUN provider uses the SunEntries.DEF_SECURE_RANDOM_ALGO
+                // as the default SecureRandom algorithm; for other providers,
+                // Provider.getDefaultSecureRandom() will use the 1st
+                // registered SecureRandom algorithm
+                if (p.getName().equals("SUN")) {
+                    prngAlgorithm = SunEntries.DEF_SECURE_RANDOM_ALGO;
+                    prngService = p.getService("SecureRandom", prngAlgorithm);
                     break;
+                } else {
+                    prngService = p.getDefaultSecureRandomService();
+                    if (prngService != null) {
+                        prngAlgorithm = prngService.getAlgorithm();
+                        break;
+                    }
                 }
             }
         }
+
         // per javadoc, if none of the Providers support a RNG algorithm,
         // then an implementation-specific default is returned.
         if (prngService == null) {

src/java.base/share/classes/java/security/Security.java

@@ -50,6 +50,8 @@
 import openj9.internal.criu.security.CRIUConfigurator;
 /*[ENDIF] CRIU_SUPPORT*/
 
+import openj9.internal.security.FIPSConfigurator;
+
 /**
  * <p>This class centralizes all security properties and common security
  * methods. One of its primary uses is to manage providers.
@@ -211,6 +213,17 @@ private static void initialize() {
         }
 /*[ENDIF] CRIU_SUPPORT*/
 
+        // Load FIPS properties
+        if (loadedProps) {
+            boolean fipsEnabled = FIPSConfigurator.configureFIPS(props);
+            if (sdebug != null) {
+                if (fipsEnabled) {
+                    sdebug.println("FIPS mode enabled.");
+                } else {
+                    sdebug.println("FIPS mode disabled.");
+                }
+            }
+        }
     }
 
     /*

src/java.base/share/classes/module-info.java

@@ -23,6 +23,12 @@
  * questions.
  */
 
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved
+ * ===========================================================================
+ */
+
 /**
  * Defines the foundational APIs of the Java SE Platform.
  *
@@ -363,6 +369,8 @@
         jdk.localedata;
     exports jdk.internal.invoke to
         jdk.incubator.foreign;
+    exports openj9.internal.security to
+        jdk.crypto.ec;
 
     // the service types defined by the APIs in this module