Skip to content

RH2023467: Enable FIPS keys export#6

Closed
franferrax wants to merge 8 commits intorh-openjdk:fipsfrom
franferrax:RH2023467
Closed

RH2023467: Enable FIPS keys export#6
franferrax wants to merge 8 commits intorh-openjdk:fipsfrom
franferrax:RH2023467

Conversation

@franferrax
Copy link

@franferrax franferrax commented Oct 11, 2022
edited
Loading

Search this PR in Red Hat Jira

Diff of this PR only Dependency chain
6afe961...0cb2359 (including ff26db7)
ff26db7...0cb2359 (excluding ff26db7)		 rh-openjdk:fips#1#5THIS PR

RH2023467: Enable the export of keys in plain from the NSS Software Token while in FIPS mode

A backport of rh-openjdk/jdk#1, which also includes rh-openjdk/jdk#14 (a follow-up issue found in the first PR).

NOTE: I've created the branch starting from #5's 6afe961 (which is a dependency for certain changes).

References

Pull request creation procedure

  1. Create branch starting from 6afe961 
    git switch --create=RH2023467 6afe961de4e757d798e0e38b49cf73e992afa39d
  2. Backport JDK-6676643: Improve current C_GetAttributeValue native implementation (it applies almost clean except for a trivial conflict in a copyright) 
    git fetch https://github.com/openjdk/jdk 7ab6dc83df2e19a57ff0dcdc87598c54cd949a7c
git cherry-pick --no-commit 7ab6dc83df2e19a57ff0dcdc87598c54cd949a7c

# Fix trivial copyright dates conflict in PKCS11.java and commit
sed -i '2,4d;6d' src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
git commit -a -m "Backport JDK-6676643: Improve current C_GetAttributeValue native implementation

openjdk/jdk@7ab6dc83df2e19a57ff0dcdc87598c54cd949a7c
https://bugs.openjdk.org/browse/JDK-6676643
"
  3. Backport rh-openjdk/jdk@bd324bd and rh-openjdk/jdk@7585508 
    git fetch https://github.com/rh-openjdk/jdk bd324bda437a924e58730cc67c133275e8203780 7585508387dc78ea6a04154ed3727e6f1fb4c9b4
git cherry-pick --edit bd324bda437a924e58730cc67c133275e8203780 7585508387dc78ea6a04154ed3727e6f1fb4c9b4
  4. Fix conflicts (see the Conflicts section below)
  5. Execute git cherry-pick --continue and edit commit messages to remove the original PR numbers from the rh-openjdk/jdk repo, and to add references to the back-ported commit hashes
  6. Adapt non-conflicted code to work in 11u (see the Additional required changes section below), commit changes
  7. Remove objects from foreign repositories: 
    git -c gc.pruneExpire=now -c gc.reflogExpire=now -c gc.reflogExpireUnreachable=now gc

Conflicts

  • src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
    • Can't remove errorCode-only PKCS11Exception constructor added in rh-openjdk/jdk@abcd095, because this constructor hadn't been added in 8e0ea91, since it was still part of upstream 11u code (since 11u doesn't have JDK-6676643: Improve current C_GetAttributeValue native implementation)
      • Just dropped any change with:
      git restore --ours src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
git add src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
  • src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java

Additional required changes

Once conflicts were solved, the following changes were required:

@franferrax franferrax mentioned this pull request Oct 25, 2022
Open
@franferrax franferrax marked this pull request as ready for review October 25, 2022 00:40
@franferrax
Copy link
Author

franferrax commented Oct 25, 2022

akashche/fips-whitebox tests have been successfully executed on a local build of this PR code.

I've also made some improvements to the test suite. That improved version also passed, see akashche/fips-whitebox#1.

@franferrax franferrax requested a review from martinuy October 25, 2022 02:28
@franferrax franferrax mentioned this pull request Oct 28, 2022
Closed
martinuy and others added 7 commits November 3, 2022 18:33
@martinuy
RH1995150 - Disable non-FIPS crypto in SUN and SunEC security providers
a6e533a 
RH2094027 - SunEC runtime permission for FIPS
@martinuy
RH2052070 - Enable AlgorithmParameters and AlgorithmParameterGenerato…
6afe961 
…r services in FIPS mode

RH2092507 - P11Key.getEncoded does not work for DH keys in FIPS mode
@franferrax
Backport JDK-6676643: Improve current C_GetAttributeValue native impl…
ff26db7 
…ementation

openjdk/jdk@7ab6dc8
https://bugs.openjdk.org/browse/JDK-6676643
@franferrax @martinuy @akashche
RH2023467: Enable FIPS keys export
46ffa10 
Backport-Of: rh-openjdk/jdk@bd324bd
Co-Authored-By: Martin Balao <mbalao@redhat.com>
Co-Authored-By: Alex Kashchenko <akashche@redhat.com>
@franferrax
RH2104724: Avoid import/export of DH private keys
1c68a80 
Backport-Of: rh-openjdk/jdk@7585508
@franferrax
Adjust code between 17u and 11u
833d9b3
@franferrax
Adjust code for 11u missing JDK-8023980: JCE doesn't provide any clas…
c9c517a 
…s to handle RSA private key in PKCS#1

openjdk/jdk@68cf65d
https://bugs.openjdk.org/browse/JDK-8023980
@martinuy martinuy mentioned this pull request Nov 4, 2022
Draft
@franferrax
Import required enum and remove unused variables
0cb2359 
Import PKCS11Exception return values enum, to adapt code for the local backport of openjdk/jdk@7ab6dc8

Remove unused variables forgotten in rh-openjdk/jdk#14 (see rh-openjdk/jdk#21)
@franferrax franferrax closed this by deleting the head repository Feb 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@martinuy martinuy Awaiting requested review from martinuy

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@franferrax @martinuy