From 6b5a717bfbf4553ae70e7d4bf4d411be98371d05 Mon Sep 17 00:00:00 2001
From: Santiago Gala
Date: Thu, 31 Aug 2023 12:57:37 +0200
Subject: [PATCH] Keep test security properties for FIPS in sync with OS

---
 .../self_signed_fips/java.security.openjdk-11 | 27 ++++++++++++-------
 .../self_signed_fips/java.security.openjdk-17 | 15 ++++++-----
 2 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/core/src/main/resources/ssl/self_signed_fips/java.security.openjdk-11 b/core/src/main/resources/ssl/self_signed_fips/java.security.openjdk-11
index f3a04c65..c331e8c1 100644
--- a/core/src/main/resources/ssl/self_signed_fips/java.security.openjdk-11
+++ b/core/src/main/resources/ssl/self_signed_fips/java.security.openjdk-11
@@ -22,6 +22,9 @@
 # the command line, set the key security.overridePropertiesFile
 # to false in the master security properties file. It is set to true
 # by default.
+#
+# If this properties file fails to load, the JDK implementation will throw
+# an unspecified error when initializing the java.security.Security class.
 
 # In this file, various security properties are set for use by
 # java.security classes. This is where users can statically register
@@ -306,9 +309,7 @@ keystore.type.compat=true
 # RuntimePermission("accessClassInPackage."+package) has been granted.
 #
 package.access=sun.misc.,\
- sun.reflect.,\
- org.GNOME.Accessibility.,\
- org.GNOME.Bonobo.
+ sun.reflect.
 
 #
 # List of comma-separated packages that start with or equal this string
@@ -320,9 +321,7 @@ package.access=sun.misc.,\
 # checkPackageDefinition.
 #
 package.definition=sun.misc.,\
- sun.reflect.,\
- org.GNOME.Accessibility.,\
- org.GNOME.Bonobo.
+ sun.reflect.
 
 #
 # Determines whether this properties file can be appended to
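Review bot: The header hunk of java.security.openjdk-11 (and the identical first hunk of java.security.openjdk-17) records nothing about which OS java.security this copy was taken from, so the next "sync with OS" has no baseline to diff against beyond the commit title. A provenance line in the existing `#` header, e.g. `# Synced from <OS package name and version> java.security; re-diff against it when the OS package updates`, would make drift checks mechanical and explain why entries like the org.GNOME.* package.access lines disappeared. The package.access and package.definition hunks themselves look like a faithful copy of the upstream values, so I have nothing to raise on them.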
@@ -507,7 +506,16 @@ sun.security.krb5.maxReferrals=5
 # in the jdk.[tls|certpath|jar].disabledAlgorithms properties. To include this
 # list in any of the disabledAlgorithms properties, add the property name as
 # an entry.
-jdk.disabled.namedCurves = secp256k1
+jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
+ secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
+ secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
+ sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
+ sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
+ sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
+ X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
+ X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
+ X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
+ brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
 
 #
 # Algorithm restrictions for certification path (CertPath) processing
@@ -745,7 +753,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #
 # Example:
 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
-# rsa_pkcs1_sha1
+# rsa_pkcs1_sha1, secp224r1
 jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
 DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
 include jdk.disabled.namedCurves
@@ -903,7 +911,8 @@ jdk.tls.legacyAlgorithms= \
 # Note: This property is currently used by OpenJDK's JSSE implementation. It
 # is not guaranteed to be examined and used by other implementations.
 #
-jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
+jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37, \
+ ChaCha20-Poly1305 KeyUpdate 2^37
 
 #
 # Cryptographic Jurisdiction Policy defaults
diff --git a/core/src/main/resources/ssl/self_signed_fips/java.security.openjdk-17 b/core/src/main/resources/ssl/self_signed_fips/java.security.openjdk-17
index 0094e853..ee1fffee 100644
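Review bot: The widened jdk.disabled.namedCurves value is pulled into TLS by the unchanged `include jdk.disabled.namedCurves` line of jdk.tls.disabledAlgorithms in the next hunk, so the FIPS test profile now rejects secp256k1, the brainpool curves and the X9.62 curves during handshakes, not only for certpath. If any keystore under self_signed_fips was generated on one of those curves, the TLS tests that load this profile will start failing with a curve rejection rather than a clear message; the keystores are not visible from this patch, so it is worth confirming the test certificates use a curve outside this list. No hunk touches jdk.disabled.namedCurves in java.security.openjdk-17, which presumably means that copy already carried the full list; a one-line comment above the value, `# Mirrors the OS openjdk-11 default list; keep identical to the openjdk-17 copy`, would make that expectation checkable.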
--- a/core/src/main/resources/ssl/self_signed_fips/java.security.openjdk-17
+++ b/core/src/main/resources/ssl/self_signed_fips/java.security.openjdk-17
@@ -22,6 +22,9 @@
 # the command line, set the key security.overridePropertiesFile
 # to false in the master security properties file. It is set to true
 # by default.
+#
+# If this properties file fails to load, the JDK implementation will throw
+# an unspecified error when initializing the java.security.Security class.
 
 # In this file, various security properties are set for use by
 # java.security classes. This is where users can statically register
@@ -83,6 +86,7 @@ fips.provider.3=SunEC
 fips.provider.4=SunJSSE
 fips.provider.5=SunJCE
 fips.provider.6=SunRsaSign
+fips.provider.7=XMLDSig
 
 #
 # A list of preferred providers for specific algorithms. These providers will
@@ -347,9 +351,7 @@ keystore.type.compat=true
 # RuntimePermission("accessClassInPackage."+package) has been granted.
 #
 package.access=sun.misc.,\
- sun.reflect.,\
- org.GNOME.Accessibility.,\
- org.GNOME.Bonobo.
+ sun.reflect.
 
 #
 # List of comma-separated packages that start with or equal this string
@@ -361,9 +363,7 @@ package.access=sun.misc.,\
 # checkPackageDefinition.
 #
 package.definition=sun.misc.,\
- sun.reflect.,\
- org.GNOME.Accessibility.,\
- org.GNOME.Bonobo.
+ sun.reflect.
 
 #
 # Determines whether this properties file can be appended to
@@ -937,7 +937,8 @@ jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
 # Note: This property is currently used by OpenJDK's JSSE implementation. It
 # is not guaranteed to be examined and used by other implementations.
 #
-jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
+jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37, \
+ ChaCha20-Poly1305 KeyUpdate 2^37
 
 #
 # Cryptographic Jurisdiction Policy defaults
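Review bot: `fips.provider.7=XMLDSig` is added only to the openjdk-17 profile; the openjdk-11 file in this patch has no corresponding hunk and its fips.provider list is not in the diff, so I cannot tell whether the two test profiles are meant to differ in which providers are registered under FIPS. If the OS openjdk-11 java.security also lists XMLDSig, the 11 profile now drifts from the OS it claims to track, and XML signature operations under that profile would have no FIPS-mode provider to fall back on. Either add the matching line to java.security.openjdk-11 or put a comment above this entry stating that the 11 profile deliberately omits it, e.g. `# present in the OS openjdk-17 FIPS provider list only; the openjdk-11 profile differs on purpose` (adjusted to whatever the OS files actually show).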