Skip to content

RH2134669: Add missing attributes when registering services in FIPS mode. #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jan 13, 2023
Merged

RH2134669: Add missing attributes when registering services in FIPS mode. #19

merged 3 commits into from
Jan 13, 2023

Conversation

@martinuy
Copy link

@martinuy martinuy commented Oct 20, 2022
edited by franferrax
Loading

Search this PR in Red Hat Jira

As described in RH2134669 [1], I'd like to propose a fix for this issue that keeps the attributes for registered services and algorithms aligned between FIPS and non-FIPS modes. According to my assessment, the only security providers affected by this issue were SUN (SunEntries.java) and SunRsaSign (SunRsaSignEntries.java).

--
[1] - https://bugzilla.redhat.com/show_bug.cgi?id=2134669

@martinuy martinuy marked this pull request as ready for review October 25, 2022 00:58
@martinuy martinuy requested a review from franferrax October 25, 2022 00:58
franferrax
franferrax previously approved these changes Oct 27, 2022
View reviewed changes
Copy link

@franferrax franferrax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @martinuy,

This looks good to me, I've also checked similar systemFipsEnabled lock-down usages in other providers but everything seems fine.

I left a comment in the test, but it doesn't block the approval, it's up to you if you want to simplify the code or not.

Just for reference, here is the comment where we identified this issue: rh-openjdk/jdk11u#5 (comment)

@martinuy
Copy link
Author

martinuy commented Nov 3, 2022

@franferrax please have a look again. Thanks.

franferrax
franferrax approved these changes Nov 3, 2022
View reviewed changes
Copy link

@franferrax franferrax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've reviewed the new 1970368 changes, everything looks fine, thanks @martinuy for implementing the suggestions.

@martinuy martinuy mentioned this pull request Nov 4, 2022
Draft
gnu-andrew
gnu-andrew approved these changes Nov 16, 2022
View reviewed changes
Copy link

@gnu-andrew gnu-andrew left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me too. We only need to block provider additions that would allow non-FIPS crypto to take place.

@franferrax franferrax mentioned this pull request Dec 29, 2022
Merged
@gnu-andrew
Copy link

gnu-andrew commented Jan 13, 2023

Test failures seem to be just a download issue on Windows and the known issue due to debugging output that was since resolved when we merged 17.0.5. Merging this.

@gnu-andrew gnu-andrew merged commit cc67466 into rh-openjdk:fips-17u Jan 13, 2023
gnu-andrew pushed a commit that referenced this pull request Aug 22, 2023
@martinuy @gnu-andrew
RH2134669: Add missing attributes when registering services in FIPS m…
aec0008 
…ode. (#19)

Reviewed-by: @franferrax, @gnu-andrew
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gnu-andrew gnu-andrew gnu-andrew approved these changes

@franferrax franferrax franferrax approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@martinuy @gnu-andrew @franferrax