RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support

gnu-andrew · gnu-andrew · commit c22974728bd0 · 2022-03-16T17:23:27.000Z
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
@@ -61,10 +61,6 @@ public final class Security {
     private static final Debug sdebug =
                         Debug.getInstance("properties");
 
-    /* System property file*/
-    private static final String SYSTEM_PROPERTIES =
-        "/etc/crypto-policies/back-ends/java.config";
-
     /* The java.security properties */
     private static Properties props;
 
@@ -206,22 +202,36 @@ private static void initialize() {
             }
         }
 
+        if (!loadedProps) {
+            initializeStatic();
+            if (sdebug != null) {
+                sdebug.println("unable to load security properties " +
+                        "-- using defaults");
+            }
+        }
+
         String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
         if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
             "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-            if (SystemConfigurator.configure(props)) {
-                loadedProps = true;
+            if (!SystemConfigurator.configureSysProps(props)) {
+                if (sdebug != null) {
+                    sdebug.println("WARNING: System properties could not be loaded.");
+                }
             }
         }
 
-        if (!loadedProps) {
-            initializeStatic();
+        // FIPS support depends on the contents of java.security so
+        // ensure it has loaded first
+        if (loadedProps) {
+            boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
             if (sdebug != null) {
-                sdebug.println("unable to load security properties " +
-                        "-- using defaults");
+                if (fipsEnabled) {
+                    sdebug.println("FIPS support enabled.");
+                } else {
+                    sdebug.println("FIPS support disabled.");
+                }
             }
         }
-
     }
 
     /*
diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ public Void run() {
      * java.security.disableSystemPropertiesFile property is not set and
      * security.useSystemPropertiesFile is true.
      */
-    static boolean configure(Properties props) {
+    static boolean configureSysProps(Properties props) {
         boolean loadedProps = false;
 
         try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ static boolean configure(Properties props) {
                 e.printStackTrace();
             }
         }
+        return loadedProps;
+    }
+
+    /*
+     * Invoked at the end of java.security.Security initialisation
+     * if java.security properties have been loaded
+     */
+    static boolean configureFIPS(Properties props) {
+        boolean loadedProps = false;
 
         try {
             if (enableFips()) {
                 if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-                loadedProps = false;
                 // Remove all security providers
                 Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
                 while (i.hasNext()) {
