Java Restricted Security Mode #586

Merged
merged 1 commit into from
Mar 24, 2023

@taoliult taoliult commented Oct 18, 2022

Signed-off-by: Tao Liu [email protected]

This PR is for adding the code of Java Restricted Security Mode.

The Java Restricted Security Mode is used to restrict the providers and algorithms by the properties configured in the java.security file.

The properties will be of the following format:

RestrictedSecurity(n).desc.name = This string would be presented to the user when the audit setting is turned on, used to identify the policy in a helpful manner
RestrictedSecurity(n).desc.number = Security policy number
RestrictedSecurity(n).desc.policy = Policy details link
RestrictedSecurity(n).desc.sunsetDate = Date by which the policy will sunset

RestrictedSecurity(n).tls.disabledNamedCurves = Map to jdk.disabledNamedCurves
RestrictedSecurity(n).tls.disabledAlgorithms = Map to jdk.tls.disabledAlgorithms
RestrictedSecurity(n).tls.ephemeralDHKeySize = Map to jdk.tls.ephemeralDHKeySize
RestrictedSecurity(n).tls.legacyAlgorithms = Map to jdk.tls.legacyAlgorithms

RestrictedSecurity(n).jce.certpath.disabledAlgorithms = Map to jdk.certpath.disabledAlgorithms
RestrictedSecurity(n).jce.legacyAlgorithms = Map to jdk.security.legacyAlgorithm
RestrictedSecurity(n).jce.provider.1 = Map to security.provider
RestrictedSecurity(n).jce.provider.2 = Map to security.provider
RestrictedSecurity(n).jce.provider.3 = Map to security.provider
RestrictedSecurity(n).jce.provider.4 = Map to security.provider

RestrictedSecurity(n).keystore.type = Map to keystore.type 
RestrictedSecurity(n).javax.net.ssl.keyStore = System property javax.net.ssl.keyStore

RestrictedSecurity(n).securerandom.provider = Secure random provider
RestrictedSecurity(n).securerandom.algorithm = Secure random algorithm

The new runtime command line arguments:

-Dsemeru.restrictedsecurity=(n)
    This flag will select the settings for the user-specified FIPS policy.
-Dsemeru.restrictedsecurity=audit
    This will list the name and number of all configured FIPS policies. It will NOT cause the JVM to terminate after printing the FIPS policies.
-Dsemeru.restrictedsecurity=trace
    This will list all properties relevant to the FIPS mode, including the existing default properties and the FIPS restrictions.
-Dsemeru.restrictedsecurity=help
    This will print a help message.

The options can be combined, e.g. -Dsemeru.restrictedsecurity=1,trace,audit

During the process of reading the java.security properties file, the JDK will detect whether Restricted Security mode was selected, and which policy was selected. This detection will be done as a check in the JCA code to see if the flag "semeru.restrictedsecurity" was used. If it is used, the specific policy number will be extracted, and the code will then check the properties file to see if such a policy number exists. If a valid policy is selected, two configuration steps will occur:

  1. JSSE Configuration during start up. If a valid policy was selected, the properties in java.security file will be read and mapped during the start up.

  2. Cryptography available. The existing providers will be removed and only the compliant providers (defined by “SecurityRestrict(n).jce.provider”) will be added, along with a list of permitted services that each provider may provide. A provider without any additional constraints will have all its services enabled. A provider with constraints will only register the allowed constraints. For example:

RestrictedSecurity1.jce.provider.3 = SunEC [{KeyFactory, EC, ImplementedIn=Software: \
SupportedKeyClasses=java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey: \
KeySize=256}, {AlgorithmParameters, EC, *}]
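
An added example, not code from this PR or from the project: a small audit tool that parses the provider constraint shown above and reports which services of the installed provider the list would keep. The class name, the `constraints` helper and the matching rule (type and algorithm only, attributes parsed but not evaluated) are assumptions made for illustration.

```java
import java.io.StringReader;
import java.security.Provider;
import java.security.Security;
import java.util.*;
import java.util.regex.*;

public class ProviderConstraintCheck {
    // Hypothetical helper: parses each {type, algorithm, attributes} entry into a 3-element array.
    static List<String[]> constraints(String value) {
        List<String[]> out = new ArrayList<>();
        Matcher m = Pattern.compile("\\{([^}]*)\\}").matcher(value);
        while (m.find()) {
            String[] parts = m.group(1).split(",", 3);
            if (parts.length != 3) {
                throw new IllegalArgumentException("malformed constraint: " + m.group());
            }
            for (int i = 0; i < 3; i++) parts[i] = parts[i].trim();
            out.add(parts);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // The example line from the PR description; Properties.load joins the "\" continuations.
        String text = "RestrictedSecurity1.jce.provider.3 = SunEC [{KeyFactory, EC, ImplementedIn=Software: \\\n"
            + "SupportedKeyClasses=java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey: \\\n"
            + "KeySize=256}, {AlgorithmParameters, EC, *}]\n";
        Properties props = new Properties();
        props.load(new StringReader(text));
        String value = props.getProperty("RestrictedSecurity1.jce.provider.3");
        int bracket = value.indexOf('[');
        String name = (bracket < 0 ? value : value.substring(0, bracket)).trim();
        List<String[]> allowed = constraints(value);
        Provider p = Security.getProvider(name);
        if (p == null) {
            System.out.println(name + " is not installed in this JVM");
            return;
        }
        for (Provider.Service s : p.getServices()) {
            // Assumption: a service is kept when its type and algorithm match an entry;
            // the attribute field (c[2]) is parsed but not evaluated here.
            boolean keep = allowed.isEmpty() || allowed.stream().anyMatch(
                c -> c[0].equals(s.getType()) && c[1].equalsIgnoreCase(s.getAlgorithm()));
            System.out.println((keep ? "KEEP " : "DROP ") + s.getType() + "/" + s.getAlgorithm());
        }
    }
}
```

Running it on a stock JDK gives a quick view of how much of a provider's service list a constraint entry would leave registered, which is useful when reviewing a policy before deploying it.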

@taoliult taoliult force-pushed the fips branch 3 times, most recently from 1f66434 to 381be89 Compare October 18, 2022 17:57
@alon-sh
Contributor

alon-sh commented Oct 18, 2022

thanks @taoliult - please provide a summary paragraph as to the content of this commit

@alon-sh
Contributor

alon-sh commented Oct 18, 2022

fyi @mstoodle

@taoliult
Contributor Author

@alon-sh The summary paragraph added.

@alon-sh
Contributor

alon-sh commented Oct 19, 2022

@keithc-ca please review, updating FIPS code for both short and long term goals

@taoliult taoliult force-pushed the fips branch 2 times, most recently from 1ade2f0 to 955312b Compare October 20, 2022 17:48
@taoliult taoliult changed the title Java Security Restrict Mode Java Restricted Security Mode Oct 20, 2022
@taoliult
Contributor Author

@keithc-ca @alon-sh
I updated the code according to the review and also made other changes to make method names read more clearly. Please help to review.

@taoliult taoliult force-pushed the fips branch 7 times, most recently from 1a844e6 to db8d413 Compare October 28, 2022 15:58
@taoliult
Contributor Author

@keithc-ca The code is updated according to the review suggestions, and I also replied to those questions. Please help to review and advise.
@alon-sh fyi.

@taoliult taoliult force-pushed the fips branch 2 times, most recently from 02e754f to 50fe664 Compare November 1, 2022 15:12
@taoliult taoliult force-pushed the fips branch 4 times, most recently from 4a096c4 to 4e6ad2b Compare November 4, 2022 14:01
@taoliult taoliult force-pushed the fips branch 15 times, most recently from 691714e to ed047d1 Compare March 21, 2023 19:09
@taoliult
Contributor Author

@keithc-ca

This PR on JDK11 is ready. It has all the code review updates from JDKNext PR ibmruntimes/openj9-openjdk-jdk#544

@jasonkatonica @WilburZjh FYI.

@keithc-ca
Member

I will consider this after equivalent changes have been merged into jdk20, jdk19 and jdk17 (in that order).

@pshipton
Member

I think we should skip jdk19, I don't plan to add the change to the 0.37 release branch, and the jdk19 head stream won't be used for another release.

@keithc-ca
Member

> we should skip jdk19

That works for me.

@taoliult
Contributor Author

@keithc-ca @pshipton
OK, then I will backport to jdk20, jdk17, jdk11 (this PR) and jdk8.

@jasonkatonica @WilburZjh fyi.

@taoliult
Contributor Author

@keithc-ca
Code updated according to review suggestion. Please help to review and advise. Thanks.

@taoliult
Contributor Author

@keithc-ca
Code updated according to review suggestion. Please help to review and advise. Thanks.

@keithc-ca
Member

Jenkins test sanity zlinux jdk11

@keithc-ca keithc-ca merged commit 225fd5e into ibmruntimes:openj9 Mar 24, 2023