Implement OpenJDK 25 FIPS patch (for OPENJDK-4184) #40
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fitzsim
reviewed
Nov 12, 2025
src/java.base/share/classes/sun/security/util/PropertyExpander.java
Outdated
Show resolved
Hide resolved
Introduce an 'include'-directives-only __redhat_fips__ magic property that expands as either true or false depending on the System FIPS status, reported by the /proc/sys/crypto/fips_enabled kernel file.
Introduce RedHatFIPSFilter, a lightweight Security Providers Filter that uses an allow-list approach to enable non-cryptographic utilities from the providers that also implement uncertified cryptographic primitives, which should be avoided in a FIPS setup. RedHatFIPSFilter is enabled through the __redhat_fips_filter__ boolean security property.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
OPENJDK-4184: Include new FIPS patch in OpenJDK 25 portable build
Hi,
This pull request re-implements a reduced version of the previous releases' FIPS patch-set, adapted to OpenJDK 25 and relying on the JDK-8319332: Security properties files inclusion proposal (introduced in OpenJDK 24).
This patch-set is one of the three pieces of the OPENJDK-2108: Remove crypto-policies and FIPS automation related patches design. The remaining two pieces are the configuration files (to be included in the RPM package) and the nss-native-fips-key-import-export-adapter (to be built in the RPM package).
Changes summary
ae176fa: OPENJDK-2108: Internal __redhat_fips__ property
Introduce an
include-directives-only__redhat_fips__magic property that expands as either true or false depending on the System FIPS status, reported by the/proc/sys/crypto/fips_enabledkernel file.This patch is intended to be temporary, while we explore other alternatives (both upstream and binary-compatible ideas for downstream).
81e2bc0: OPENJDK-2123: Algorithms lockdown
Introduce
RedHatFIPSFilter, a lightweight Security Providers Filter that uses an allow-list approach to enable non-cryptographic utilities from the providers that also implement uncertified cryptographic primitives, which should be avoided in a FIPS setup.RedHatFIPSFilteris enabled through the__redhat_fips_filter__boolean security property.When the JDK-8315487: Security Providers Filter work is ready, this patch can be replaced by a
jdk.security.providers.filtervalue, as planned under OPENJDK-2123.This patch was created in an effort to reduce the pre-existing algorithms-lockdown patch, taking advantage of the lessons learned during the JDK-8315487 development. NOTE: the patch is based on the fact that all the OpenJDK 25 bundled providers use
java.security.Provider::putService()instead of the legacy services registration API (hashtable methods).