RH2052070 - Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode

[martinuy]

Search this PR in Red Hat Jira

Diff of this PR only	Dependency chain
a6e533a...6afe961	rh-openjdk:fips ← #1 ← THIS PR

A 11u backport of RH2052070 (Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode) is required for a 11u backport of RH2048582 (Support PKCS#12 keystores in FIPS mode).

Conflicts when applying the 17u RH2052070 to 11u:

• src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java

  • Hunk 0
    • Import should be of jdk.internal.misc.SharedSecrets in 11u.
  • Hunk 1 (failed)
    • 11u does not have 8229999 (Apply java.io.Serial annotations to security types in java.base).
      • Orthogonal to this backport, manually applied.
  • Hunk 2 (failed)
    • 11u does not have 8242151 (Improve OID mapping and reuse among JDK security providers for aliases registration).
    • 11u does not have 8248268 (Support KWP in addition to KW).
    • 11u does not have 8255557 (Decouple GCM from CipherCore).
    • 11u does not have 8172680 (Support SHA-3 based Hmac algorithms).
      • Orthogonal to this backport, manually applied.

• src/java.base/share/classes/sun/security/provider/SunEntries.java

  • Hunk 1 (failed)
    • 11u does not have 8242151 (Improve OID mapping and reuse among JDK security providers for aliases registration).
      • Orthogonal to this backport, manually applied.
  • Moved dsaAliases to be available for FIPS and non-FIPS scopes

• src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java

  • Hunk 1 (failed)
    • 11u does not have 8242151 (Improve OID mapping and reuse among JDK security providers for aliases registration).
    • Import in 11u has to be of jdk.internal.misc.SharedSecrets, and not jdk.internal.access.SharedSecrets.
      • Manually applied change.
  • Hunk 2 (failed)
    • 11u does not have 8242151 (Improve OID mapping and reuse among JDK security providers for aliases registration).
    • 11u does not have 8172680 (Support SHA-3 based Hmac algorithms).
      • Orthogonal to this backport, manually applied change.

• src/java.base/share/conf/security/java.security

  • Hunk 1 (failed)
    • 11u has the FIPS Experimental mode in SunJSSE so the security provider receives a parameter. The context for this change is different. Manually applied.

The proposed patch also includes the 11u backport of RH2092507 (P11Key.getEncoded does not work for DH keys in FIPS mode), a minor follow-up fix of RH2052070.

Conflicts when applying the 17u RH2092507 patch to 11u:

• src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
  • Hunk 1 (failed)
    • 11u does not have 8242151 (Improve OID mapping and reuse among JDK security providers for aliases registration), so the context is different. Manually applied.

Notice for Reviewers: this PR depends on #1 (RH1995150), which is under review now. I've committed the proposed RH1995150 changes for 11u and will rebase if necessary.

[franferrax]

Backport-wise, this looks good to me:

• I didn't review a6e533a, since it is #1
• Regarding 6afe961:
  • It enables the same providers in java.security as rh-openjdk/jdk@6e74f28
  • Lock-down: it leaves the same algorithms and services enabled in SunJCE.java / SunEntries.java / SunRsaSignEntries.java as rh-openjdk/jdk@6e74f28 + rh-openjdk/jdk@84266ee
  • I agree with the dsaAliases move in SunEntries.java

However, I think I found a little problem in the original rh-openjdk/jdk@6e74f28 patch, see the comments inline with the code.

[franferrax]

Given that:

• The original rh-openjdk/jdk@6e74f28 patch issues have been split out to #8
• After the force-push, the code is exactly the same, as shown in the d93549a..6afe961 comparison

This looks ready to me.