From 5c9beb7793a803490d475ee706bb5eb3afc121f5 Mon Sep 17 00:00:00 2001 From: Francisco Ferrari Bihurriet Date: Tue, 17 Feb 2026 22:26:07 +0100 Subject: [PATCH] OPENJDK-4559: relax RedHatFIPSFilter constrains Only restrict the SUN, SunEC, SunJCE and SunRsaSign services. This makes the fips-25u patch behave as the fips-21u patch, but with fewer changes. --- .../share/classes/java/security/Provider.java | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java index b1e416b90f417..60eeab678ca64 100644 --- a/src/java.base/share/classes/java/security/Provider.java +++ b/src/java.base/share/classes/java/security/Provider.java @@ -1207,9 +1207,7 @@ public Set getServices() { private static final class RedHatFIPSFilter { static final boolean IS_ON = Boolean.parseBoolean( Security.getProperty("__redhat_fips_filter__")); - private static final Set ANY_SERVICE_TYPE = Set.of(); private static final Map> ALLOW_LIST = Map.of( - "SunPKCS11-FIPS", ANY_SERVICE_TYPE, "SUN", Set.of( "AlgorithmParameterGenerator", "AlgorithmParameters", "CertificateFactory", @@ -1217,21 +1215,18 @@ private static final class RedHatFIPSFilter { "Configuration", "KeyStore"), "SunEC", Set.of( "AlgorithmParameters", "KeyFactory"), - "SunJSSE", ANY_SERVICE_TYPE, "SunJCE", Set.of( "AlgorithmParameters", "AlgorithmParameterGenerator", "KeyFactory", "SecretKeyFactory"), "SunRsaSign", Set.of( - "KeyFactory", "AlgorithmParameters"), - "XMLDSig", ANY_SERVICE_TYPE + "KeyFactory", "AlgorithmParameters") ); static boolean isAllowed(String provName, String serviceType) { Set allowedServiceTypes = ALLOW_LIST.get(provName); - return allowedServiceTypes != null && - (allowedServiceTypes == ANY_SERVICE_TYPE || - allowedServiceTypes.contains(serviceType)); + return allowedServiceTypes == null || + allowedServiceTypes.contains(serviceType); } } /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ */