# HG changeset patch # User xuelei # Date 1550007375 28800 # Node ID cb1642ccc73259d2ee7166bc7fd8d634e1e17e24 # Parent b5d45c2fe8a0fcb019876a55635d729add2e449d 8217835: Remove the experimental SunJSSE FIPS compliant mode Reviewed-by: mullan diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/com/sun/net/ssl/internal/ssl/Provider.java --- a/src/java.base/share/classes/com/sun/net/ssl/internal/ssl/Provider.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/com/sun/net/ssl/internal/ssl/Provider.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -42,21 +42,6 @@ super(); } - // preferred constructor to enable FIPS mode at runtime - public Provider(java.security.Provider cryptoProvider) { - super(cryptoProvider); - } - - // constructor to enable FIPS mode from java.security file - public Provider(String cryptoProvider) { - super(cryptoProvider); - } - - // public for now, but we may want to change it or not document it. - public static synchronized boolean isFIPS() { - return SunJSSE.isFIPS(); - } - /** * Installs the JSSE provider. */ diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/Authenticator.java --- a/src/java.base/share/classes/sun/security/ssl/Authenticator.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/Authenticator.java Tue Feb 12 13:36:15 2019 -0800 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -484,7 +484,7 @@ throw new RuntimeException("Unknown MacAlg " + macAlg); } - Mac m = JsseJce.getMac(algorithm); + Mac m = Mac.getInstance(algorithm); m.init(key); this.macAlg = macAlg; this.mac = m; diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/CertificateVerify.java --- a/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -196,13 +196,13 @@ Signature signer = null; switch (algorithm) { case "RSA": - signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA); + signer = Signature.getInstance(JsseJce.SIGNATURE_RAWRSA); break; case "DSA": - signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA); + signer = Signature.getInstance(JsseJce.SIGNATURE_RAWDSA); break; case "EC": - signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA); + signer = Signature.getInstance(JsseJce.SIGNATURE_RAWECDSA); break; default: throw new SignatureException("Unrecognized algorithm: " 
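Review bot: `Mac m = Mac.getInstance(algorithm);` in Authenticator.java now resolves through the default JCA provider preference order, and nothing on the new side records that. The removed `JsseJce.getMac` passed `cryptoProvider` to `getInstance` whenever one was configured, so provider selection for this MAC moves from SunJSSE to the runtime's provider configuration. The same holds for every `getInstance` replacement in this changeset (CertificateVerify, the DH and ECDH key-exchange classes, EphemeralKeyManager, Finished, HKDF, HandshakeHash, HelloCookieManager). I would record it once in the JsseJce class comment, for example `// Crypto services are looked up via the default provider order; SunJSSE no longer pins a crypto provider.` The enclosing constructor starts and ends outside this hunk.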
@@ -439,13 +439,13 @@ Signature signer = null; switch (algorithm) { case "RSA": - signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA); + signer = Signature.getInstance(JsseJce.SIGNATURE_RAWRSA); break; case "DSA": - signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA); + signer = Signature.getInstance(JsseJce.SIGNATURE_RAWDSA); break; case "EC": - signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA); + signer = Signature.getInstance(JsseJce.SIGNATURE_RAWECDSA); break; default: throw new SignatureException("Unrecognized algorithm: " diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java --- a/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -280,7 +280,7 @@ DHPublicKeySpec spec = new DHPublicKeySpec( new BigInteger(1, ckem.y), params.getP(), params.getG()); - KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman"); + KeyFactory kf = KeyFactory.getInstance("DiffieHellman"); DHPublicKey peerPublicKey = (DHPublicKey)kf.generatePublic(spec); diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java --- a/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java Tue Feb 12 13:36:15 2019 -0800 
@@ -87,7 +87,7 @@ return null; } - KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman"); + KeyFactory kf = KeyFactory.getInstance("DiffieHellman"); DHPublicKeySpec spec = new DHPublicKeySpec( new BigInteger(1, encodedPublic), params.getP(), params.getG()); @@ -106,7 +106,7 @@ DHEPossession(NamedGroup namedGroup, SecureRandom random) { try { KeyPairGenerator kpg = - JsseJce.getKeyPairGenerator("DiffieHellman"); + KeyPairGenerator.getInstance("DiffieHellman"); DHParameterSpec params = (DHParameterSpec)namedGroup.getParameterSpec(); kpg.initialize(params, random); @@ -129,7 +129,7 @@ PredefinedDHParameterSpecs.definedParams.get(keyLength); try { KeyPairGenerator kpg = - JsseJce.getKeyPairGenerator("DiffieHellman"); + KeyPairGenerator.getInstance("DiffieHellman"); if (params != null) { kpg.initialize(params, random); } else { @@ -155,7 +155,7 @@ DHEPossession(DHECredentials credentials, SecureRandom random) { try { KeyPairGenerator kpg = - JsseJce.getKeyPairGenerator("DiffieHellman"); + KeyPairGenerator.getInstance("DiffieHellman"); kpg.initialize(credentials.popPublicKey.getParams(), random); KeyPair kp = generateDHKeyPair(kpg); if (kp == null) { @@ -208,7 +208,7 @@ params.getP(), params.getG()); } try { - KeyFactory factory = JsseJce.getKeyFactory("DiffieHellman"); + KeyFactory factory = KeyFactory.getInstance("DiffieHellman"); return factory.getKeySpec(key, DHPublicKeySpec.class); } catch (NoSuchAlgorithmException | InvalidKeySpecException e) { // unlikely @@ -473,7 +473,7 @@ private SecretKey t12DeriveKey(String algorithm, AlgorithmParameterSpec params) throws IOException { try { - KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman"); + KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman"); ka.init(localPrivateKey); ka.doPhase(peerPublicKey, true); SecretKey preMasterSecret = 
@@ -499,7 +499,7 @@ private SecretKey t13DeriveKey(String algorithm, AlgorithmParameterSpec params) throws IOException { try { - KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman"); + KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman"); ka.init(localPrivateKey); ka.doPhase(peerPublicKey, true); SecretKey sharedSecret = diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java --- a/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -420,7 +420,7 @@ Signature signer = null; switch (keyAlgorithm) { case "DSA": - signer = JsseJce.getSignature(JsseJce.SIGNATURE_DSA); + signer = Signature.getInstance(JsseJce.SIGNATURE_DSA); break; case "RSA": signer = RSASignature.getInstance(); @@ -524,7 +524,7 @@ // check constraints of EC PublicKey DHPublicKey publicKey; try { - KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman"); + KeyFactory kf = KeyFactory.getInstance("DiffieHellman"); DHPublicKeySpec spec = new DHPublicKeySpec( new BigInteger(1, skem.y), new BigInteger(1, skem.p), diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java --- a/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java Tue Feb 12 13:36:15 2019 -0800 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -49,6 +49,7 @@ import sun.security.ssl.SupportedGroupsExtension.NamedGroup; import sun.security.ssl.X509Authentication.X509Credentials; import sun.security.ssl.X509Authentication.X509Possession; +import sun.security.util.ECUtil; import sun.security.util.HexDumpEncoder; /** @@ -78,7 +79,7 @@ ECPoint point = publicKey.getW(); ECParameterSpec params = publicKey.getParams(); - encodedPoint = JsseJce.encodePoint(point, params.getCurve()); + encodedPoint = ECUtil.encodePoint(point, params.getCurve()); } ECDHClientKeyExchangeMessage(HandshakeContext handshakeContext, @@ -99,10 +100,10 @@ try { ECParameterSpec params = publicKey.getParams(); ECPoint point = - JsseJce.decodePoint(encodedPoint, params.getCurve()); + ECUtil.decodePoint(encodedPoint, params.getCurve()); ECPublicKeySpec spec = new ECPublicKeySpec(point, params); - KeyFactory kf = JsseJce.getKeyFactory("EC"); + KeyFactory kf = KeyFactory.getInstance("EC"); ECPublicKey peerPublicKey = (ECPublicKey)kf.generatePublic(spec); @@ -319,10 +320,10 @@ // create the credentials try { ECPoint point = - JsseJce.decodePoint(cke.encodedPoint, params.getCurve()); + ECUtil.decodePoint(cke.encodedPoint, params.getCurve()); ECPublicKeySpec spec = new ECPublicKeySpec(point, params); - KeyFactory kf = JsseJce.getKeyFactory("EC"); + KeyFactory kf = KeyFactory.getInstance("EC"); ECPublicKey peerPublicKey = (ECPublicKey)kf.generatePublic(spec); 
@@ -493,10 +494,10 @@ // create the credentials try { ECPoint point = - JsseJce.decodePoint(cke.encodedPoint, params.getCurve()); + ECUtil.decodePoint(cke.encodedPoint, params.getCurve()); ECPublicKeySpec spec = new ECPublicKeySpec(point, params); - KeyFactory kf = JsseJce.getKeyFactory("EC"); + KeyFactory kf = KeyFactory.getInstance("EC"); ECPublicKey peerPublicKey = (ECPublicKey)kf.generatePublic(spec); diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java --- a/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -85,14 +85,14 @@ } ECParameterSpec parameters = - JsseJce.getECParameterSpec(namedGroup.oid); + ECUtil.getECParameterSpec(null, namedGroup.oid); if (parameters == null) { return null; } - ECPoint point = JsseJce.decodePoint( + ECPoint point = ECUtil.decodePoint( encodedPoint, parameters.getCurve()); - KeyFactory factory = JsseJce.getKeyFactory("EC"); + KeyFactory factory = KeyFactory.getInstance("EC"); ECPublicKey publicKey = (ECPublicKey)factory.generatePublic( new ECPublicKeySpec(point, parameters)); return new ECDHECredentials(publicKey, namedGroup); @@ -106,7 +106,7 @@ ECDHEPossession(NamedGroup namedGroup, SecureRandom random) { try { - KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC"); + KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC"); ECGenParameterSpec params = (ECGenParameterSpec)namedGroup.getParameterSpec(); kpg.initialize(params, random); 
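Review bot: The bare `null` first argument in `ECUtil.getECParameterSpec(null, namedGroup.oid)` (ECDHKeyExchange.java, hunk at -85,14) is unexplained at the call site. The removed `JsseJce.getECParameterSpec` passed `cryptoProvider` in that position, so `null` presumably means "no pinned provider", but how ECUtil treats it is not visible here. A one-line comment above the call would help the next reader of this peer-key decoding path, for example `// null: no specific provider requested; ECUtil uses its default lookup`. The same call appears in ECDHServerKeyExchange.java (hunk at -221,7), and the enclosing method begins outside this hunk.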
@@ -124,7 +124,7 @@ ECDHEPossession(ECDHECredentials credentials, SecureRandom random) { ECParameterSpec params = credentials.popPublicKey.getParams(); try { - KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC"); + KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC"); kpg.initialize(params, random); KeyPair kp = kpg.generateKeyPair(); privateKey = kp.getPrivate(); @@ -149,7 +149,7 @@ PublicKey peerPublicKey) throws SSLHandshakeException { try { - KeyAgreement ka = JsseJce.getKeyAgreement("ECDH"); + KeyAgreement ka = KeyAgreement.getInstance("ECDH"); ka.init(privateKey); ka.doPhase(peerPublicKey, true); return ka.generateSecret("TlsPremasterSecret"); @@ -165,8 +165,8 @@ try { ECParameterSpec params = publicKey.getParams(); ECPoint point = - JsseJce.decodePoint(encodedPoint, params.getCurve()); - KeyFactory kf = JsseJce.getKeyFactory("EC"); + ECUtil.decodePoint(encodedPoint, params.getCurve()); + KeyFactory kf = KeyFactory.getInstance("EC"); ECPublicKeySpec spec = new ECPublicKeySpec(point, params); PublicKey peerPublicKey = kf.generatePublic(spec); return getAgreedSecret(peerPublicKey); @@ -183,10 +183,10 @@ ECParameterSpec params = publicKey.getParams(); ECPoint point = - JsseJce.decodePoint(encodedPoint, params.getCurve()); + ECUtil.decodePoint(encodedPoint, params.getCurve()); ECPublicKeySpec spec = new ECPublicKeySpec(point, params); - KeyFactory kf = JsseJce.getKeyFactory("EC"); + KeyFactory kf = KeyFactory.getInstance("EC"); ECPublicKey pubKey = (ECPublicKey)kf.generatePublic(spec); // check constraints of ECPublicKey @@ -424,7 +424,7 @@ private SecretKey t12DeriveKey(String algorithm, AlgorithmParameterSpec params) throws IOException { try { - KeyAgreement ka = JsseJce.getKeyAgreement("ECDH"); + KeyAgreement ka = KeyAgreement.getInstance("ECDH"); ka.init(localPrivateKey); ka.doPhase(peerPublicKey, true); SecretKey preMasterSecret = 
@@ -451,7 +451,7 @@ private SecretKey t13DeriveKey(String algorithm, AlgorithmParameterSpec params) throws IOException { try { - KeyAgreement ka = JsseJce.getKeyAgreement("ECDH"); + KeyAgreement ka = KeyAgreement.getInstance("ECDH"); ka.init(localPrivateKey); ka.doPhase(peerPublicKey, true); SecretKey sharedSecret = diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java --- a/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -52,6 +52,7 @@ import sun.security.ssl.SupportedGroupsExtension.SupportedGroups; import sun.security.ssl.X509Authentication.X509Credentials; import sun.security.ssl.X509Authentication.X509Possession; +import sun.security.util.ECUtil; import sun.security.util.HexDumpEncoder; /** @@ -120,7 +121,7 @@ publicKey = ecdhePossession.publicKey; ECParameterSpec params = publicKey.getParams(); ECPoint point = publicKey.getW(); - publicPoint = JsseJce.encodePoint(point, params.getCurve()); + publicPoint = ECUtil.encodePoint(point, params.getCurve()); this.namedGroup = NamedGroup.valueOf(params); if ((namedGroup == null) || (namedGroup.oid == null) ) { @@ -221,7 +222,7 @@ } ECParameterSpec parameters = - JsseJce.getECParameterSpec(namedGroup.oid); + ECUtil.getECParameterSpec(null, namedGroup.oid); if (parameters == null) { throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No supported EC parameter: " + namedGroup); 
@@ -236,8 +237,8 @@ ECPublicKey ecPublicKey = null; try { ECPoint point = - JsseJce.decodePoint(publicPoint, parameters.getCurve()); - KeyFactory factory = JsseJce.getKeyFactory("EC"); + ECUtil.decodePoint(publicPoint, parameters.getCurve()); + KeyFactory factory = KeyFactory.getInstance("EC"); ecPublicKey = (ECPublicKey)factory.generatePublic( new ECPublicKeySpec(point, parameters)); } catch (NoSuchAlgorithmException | @@ -446,7 +447,7 @@ Signature signer = null; switch (keyAlgorithm) { case "EC": - signer = JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA); + signer = Signature.getInstance(JsseJce.SIGNATURE_ECDSA); break; case "RSA": signer = RSASignature.getInstance(); diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/EphemeralKeyManager.java --- a/src/java.base/share/classes/sun/security/ssl/EphemeralKeyManager.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/EphemeralKeyManager.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -69,7 +69,7 @@ KeyPair kp = keys[index].getKeyPair(); if (kp == null) { try { - KeyPairGenerator kgen = JsseJce.getKeyPairGenerator("RSA"); + KeyPairGenerator kgen = KeyPairGenerator.getInstance("RSA"); kgen.initialize(length, random); keys[index] = new EphemeralKeyPair(kgen.genKeyPair()); kp = keys[index].getKeyPair(); diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/Finished.java --- a/src/java.base/share/classes/sun/security/ssl/Finished.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/Finished.java Tue Feb 12 13:36:15 2019 -0800 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -257,7 +257,7 @@ TlsPrfParameterSpec spec = new TlsPrfParameterSpec( masterSecretKey, tlsLabel, seed, 12, hashAlg.name, hashAlg.hashLength, hashAlg.blockSize); - KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg); + KeyGenerator kg = KeyGenerator.getInstance(prfAlg); kg.init(spec); SecretKey prfKey = kg.generateKey(); if (!"RAW".equals(prfKey.getFormat())) { @@ -309,7 +309,7 @@ TlsPrfParameterSpec spec = new TlsPrfParameterSpec( masterSecretKey, tlsLabel, seed, 12, hashAlg.name, hashAlg.hashLength, hashAlg.blockSize); - KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg); + KeyGenerator kg = KeyGenerator.getInstance(prfAlg); kg.init(spec); SecretKey prfKey = kg.generateKey(); if (!"RAW".equals(prfKey.getFormat())) { @@ -350,7 +350,7 @@ String hmacAlg = "Hmac" + hashAlg.name.replace("-", ""); try { - Mac hmac = JsseJce.getMac(hmacAlg); + Mac hmac = Mac.getInstance(hmacAlg); hmac.init(finishedSecret); return hmac.doFinal(context.handshakeHash.digest()); } catch (NoSuchAlgorithmException |InvalidKeyException ex) { diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/HKDF.java --- a/src/java.base/share/classes/sun/security/ssl/HKDF.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/HKDF.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -62,7 +62,7 @@ Objects.requireNonNull(hashAlg, "Must provide underlying HKDF Digest algorithm."); hmacAlg = "Hmac" + hashAlg.replace("-", ""); - hmacObj = JsseJce.getMac(hmacAlg); + hmacObj = Mac.getInstance(hmacAlg); hmacLen = hmacObj.getMacLength(); } diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/HandshakeHash.java --- a/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java Tue Feb 12 13:36:15 2019 -0800 @@ -29,6 +29,7 @@ import java.io.IOException; import java.nio.ByteBuffer; import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.LinkedList; import javax.crypto.SecretKey; @@ -269,8 +270,13 @@ private final ByteArrayOutputStream baos; S30HandshakeHash(CipherSuite cipherSuite) { - this.mdMD5 = JsseJce.getMessageDigest("MD5"); - this.mdSHA = JsseJce.getMessageDigest("SHA"); + try { + this.mdMD5 = MessageDigest.getInstance("MD5"); + this.mdSHA = MessageDigest.getInstance("SHA"); + } catch (NoSuchAlgorithmException nsae) { + throw new RuntimeException( + "Hash algorithm MD5 or SHA is not available", nsae); + } boolean hasArchived = false; if (mdMD5 instanceof Cloneable) { @@ -379,7 +385,12 @@ "MessageDigest does no support clone operation"); } } else { - md5Clone = JsseJce.getMessageDigest("MD5"); + try { + md5Clone = MessageDigest.getInstance("MD5"); + } catch (NoSuchAlgorithmException nsae) { + throw new RuntimeException( + "Hash algorithm MD5 is not available", nsae); + } md5Clone.update(md5.archived()); } @@ -396,7 +407,12 @@ "MessageDigest does no support clone operation"); } } else { - shaClone = JsseJce.getMessageDigest("SHA"); + try { + shaClone = MessageDigest.getInstance("SHA"); + } catch (NoSuchAlgorithmException nsae) { + throw new RuntimeException( + "Hash algorithm SHA is not available", nsae); + } shaClone.update(sha.archived()); } 
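Review bot: The try/catch around `MessageDigest.getInstance` is copied into the S30HandshakeHash constructor and both clone fallbacks here, again into T10/T12/T13HandshakeHash, and into four places in HelloCookieManager.java, whereas the removed `JsseJce.getMessageDigest` did this wrapping once. Keeping a provider-free helper would hold the conversion to an unchecked exception in one place. It would also let the message name the algorithm that is actually missing, which "Hash algorithm MD5 or SHA is not available" does not. Whether a RuntimeException thrown from these constructors is mapped to a TLS alert by the caller is not visible in the hunks, so that path is worth confirming.

```java
// in JsseJce, in place of the removed provider-aware variant
static MessageDigest getMessageDigest(String algorithm) {
    try {
        return MessageDigest.getInstance(algorithm);
    } catch (NoSuchAlgorithmException nsae) {
        throw new RuntimeException(
                "Hash algorithm " + algorithm + " is not available", nsae);
    }
}

// S30HandshakeHash(CipherSuite cipherSuite)
this.mdMD5 = JsseJce.getMessageDigest("MD5");
this.mdSHA = JsseJce.getMessageDigest("SHA");
// … unchanged: hasArchived / Cloneable handling …
```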
@@ -447,8 +463,15 @@ private final ByteArrayOutputStream baos; T10HandshakeHash(CipherSuite cipherSuite) { - MessageDigest mdMD5 = JsseJce.getMessageDigest("MD5"); - MessageDigest mdSHA = JsseJce.getMessageDigest("SHA"); + MessageDigest mdMD5; + MessageDigest mdSHA; + try { + mdMD5 = MessageDigest.getInstance("MD5"); + mdSHA = MessageDigest.getInstance("SHA"); + } catch (NoSuchAlgorithmException nsae) { + throw new RuntimeException( + "Hash algorithm MD5 or SHA is not available", nsae); + } boolean hasArchived = false; if (mdMD5 instanceof Cloneable) { @@ -514,8 +537,15 @@ private final ByteArrayOutputStream baos; T12HandshakeHash(CipherSuite cipherSuite) { - MessageDigest md = - JsseJce.getMessageDigest(cipherSuite.hashAlg.name); + MessageDigest md; + try { + md = MessageDigest.getInstance(cipherSuite.hashAlg.name); + } catch (NoSuchAlgorithmException nsae) { + throw new RuntimeException( + "Hash algorithm " + + cipherSuite.hashAlg.name + " is not available", nsae); + } + if (md instanceof Cloneable) { transcriptHash = new CloneableHash(md); this.baos = new ByteArrayOutputStream(); @@ -552,8 +582,15 @@ private final TranscriptHash transcriptHash; T13HandshakeHash(CipherSuite cipherSuite) { - MessageDigest md = - JsseJce.getMessageDigest(cipherSuite.hashAlg.name); + MessageDigest md; + try { + md = MessageDigest.getInstance(cipherSuite.hashAlg.name); + } catch (NoSuchAlgorithmException nsae) { + throw new RuntimeException( + "Hash algorithm " + + cipherSuite.hashAlg.name + " is not available", nsae); + } + if (md instanceof Cloneable) { transcriptHash = new CloneableHash(md); } else { diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java --- a/src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java Tue Feb 12 13:36:15 2019 -0800 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,6 +27,7 @@ import java.io.IOException; import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.util.Arrays; import static sun.security.ssl.ClientHello.ClientHelloMessage; @@ -143,7 +144,13 @@ cookieVersion++; } - MessageDigest md = JsseJce.getMessageDigest("SHA-256"); + MessageDigest md; + try { + md = MessageDigest.getInstance("SHA-256"); + } catch (NoSuchAlgorithmException nsae) { + throw new RuntimeException( + "MessageDigest algorithm SHA-256 is not available", nsae); + } byte[] helloBytes = clientHello.getHelloCookieBytes(); md.update(helloBytes); byte[] cookie = md.digest(secret); // 32 bytes @@ -169,7 +176,13 @@ } } - MessageDigest md = JsseJce.getMessageDigest("SHA-256"); + MessageDigest md; + try { + md = MessageDigest.getInstance("SHA-256"); + } catch (NoSuchAlgorithmException nsae) { + throw new RuntimeException( + "MessageDigest algorithm SHA-256 is not available", nsae); + } byte[] helloBytes = clientHello.getHelloCookieBytes(); md.update(helloBytes); byte[] target = md.digest(secret); // 32 bytes @@ -234,8 +247,16 @@ cookieVersion++; // allow wrapped version number } - MessageDigest md = JsseJce.getMessageDigest( + MessageDigest md; + try { + md = MessageDigest.getInstance( context.negotiatedCipherSuite.hashAlg.name); + } catch (NoSuchAlgorithmException nsae) { + throw new RuntimeException( + "MessageDigest algorithm " + + context.negotiatedCipherSuite.hashAlg.name + + " is not available", nsae); + } byte[] headerBytes = clientHello.getHeaderBytes(); md.update(headerBytes); byte[] headerCookie = md.digest(secret); 
@@ -300,7 +321,14 @@ } } - MessageDigest md = JsseJce.getMessageDigest(cs.hashAlg.name); + MessageDigest md; + try { + md = MessageDigest.getInstance(cs.hashAlg.name); + } catch (NoSuchAlgorithmException nsae) { + throw new RuntimeException( + "MessageDigest algorithm " + + cs.hashAlg.name + " is not available", nsae); + } byte[] headerBytes = clientHello.getHeaderBytes(); md.update(headerBytes); byte[] headerCookie = md.digest(secret); diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/JsseJce.java --- a/src/java.base/share/classes/sun/security/ssl/JsseJce.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/JsseJce.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2001, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,13 +29,7 @@ import java.security.*; import java.security.interfaces.RSAPublicKey; import java.security.spec.*; -import java.util.*; import javax.crypto.*; -import sun.security.jca.ProviderList; -import sun.security.jca.Providers; -import static sun.security.ssl.SunJSSE.cryptoProvider; -import sun.security.util.ECUtil; -import static sun.security.util.SecurityConstants.PROVIDER_VER; /** * This class contains a few static methods for interaction with the JCA/JCE 
@@ -47,54 +41,6 @@ static final boolean ALLOW_ECC = Utilities.getBooleanProperty("com.sun.net.ssl.enableECC", true); - private static final ProviderList fipsProviderList; - - static { - // force FIPS flag initialization - // Because isFIPS() is synchronized and cryptoProvider is not modified - // after it completes, this also eliminates the need for any further - // synchronization when accessing cryptoProvider - if (SunJSSE.isFIPS() == false) { - fipsProviderList = null; - } else { - // Setup a ProviderList that can be used by the trust manager - // during certificate chain validation. All the crypto must be - // from the FIPS provider, but we also allow the required - // certificate related services from the SUN provider. - Provider sun = Security.getProvider("SUN"); - if (sun == null) { - throw new RuntimeException - ("FIPS mode: SUN provider must be installed"); - } - Provider sunCerts = new SunCertificates(sun); - fipsProviderList = ProviderList.newList(cryptoProvider, sunCerts); - } - } - - private static final class SunCertificates extends Provider { - private static final long serialVersionUID = -3284138292032213752L; - - SunCertificates(final Provider p) { - super("SunCertificates", PROVIDER_VER, "SunJSSE internal"); - AccessController.doPrivileged(new PrivilegedAction() { - @Override - public Object run() { - // copy certificate related services from the Sun provider - for (Map.Entry entry : p.entrySet()) { - String key = (String)entry.getKey(); - if (key.startsWith("CertPathValidator.") - || key.startsWith("CertPathBuilder.") - || key.startsWith("CertStore.") - || key.startsWith("CertificateFactory.")) { - put(key, entry.getValue()); - } - } - return null; - } - }); - } - } - /** * JCE transformation string for RSA with PKCS#1 v1.5 padding. * Can be used for encryption, decryption, signing, verifying. 
@@ -180,153 +126,6 @@ return EcAvailability.isAvailable; } - /** - * Return an JCE cipher implementation for the specified algorithm. - */ - static Cipher getCipher(String transformation) - throws NoSuchAlgorithmException { - try { - if (cryptoProvider == null) { - return Cipher.getInstance(transformation); - } else { - return Cipher.getInstance(transformation, cryptoProvider); - } - } catch (NoSuchPaddingException e) { - throw new NoSuchAlgorithmException(e); - } - } - - /** - * Return an JCA signature implementation for the specified algorithm. - * The algorithm string should be one of the constants defined - * in this class. - */ - static Signature getSignature(String algorithm) - throws NoSuchAlgorithmException { - if (cryptoProvider == null) { - return Signature.getInstance(algorithm); - } else { - // reference equality - if (algorithm == SIGNATURE_SSLRSA) { - // The SunPKCS11 provider currently does not support this - // special algorithm. We allow a fallback in this case because - // the SunJSSE implementation does the actual crypto using - // a NONEwithRSA signature obtained from the cryptoProvider. - if (cryptoProvider.getService("Signature", algorithm) == null) { - // Calling Signature.getInstance() and catching the - // exception would be cleaner, but exceptions are a little - // expensive. So we check directly via getService(). 
- try { - return Signature.getInstance(algorithm, "SunJSSE"); - } catch (NoSuchProviderException e) { - throw new NoSuchAlgorithmException(e); - } - } - } - return Signature.getInstance(algorithm, cryptoProvider); - } - } - - static KeyGenerator getKeyGenerator(String algorithm) - throws NoSuchAlgorithmException { - if (cryptoProvider == null) { - return KeyGenerator.getInstance(algorithm); - } else { - return KeyGenerator.getInstance(algorithm, cryptoProvider); - } - } - - static KeyPairGenerator getKeyPairGenerator(String algorithm) - throws NoSuchAlgorithmException { - if (cryptoProvider == null) { - return KeyPairGenerator.getInstance(algorithm); - } else { - return KeyPairGenerator.getInstance(algorithm, cryptoProvider); - } - } - - static KeyAgreement getKeyAgreement(String algorithm) - throws NoSuchAlgorithmException { - if (cryptoProvider == null) { - return KeyAgreement.getInstance(algorithm); - } else { - return KeyAgreement.getInstance(algorithm, cryptoProvider); - } - } - - static Mac getMac(String algorithm) - throws NoSuchAlgorithmException { - if (cryptoProvider == null) { - return Mac.getInstance(algorithm); - } else { - return Mac.getInstance(algorithm, cryptoProvider); - } - } - - static KeyFactory getKeyFactory(String algorithm) - throws NoSuchAlgorithmException { - if (cryptoProvider == null) { - return KeyFactory.getInstance(algorithm); - } else { - return KeyFactory.getInstance(algorithm, cryptoProvider); - } - } - - static AlgorithmParameters getAlgorithmParameters(String algorithm) - throws NoSuchAlgorithmException { - if (cryptoProvider == null) { - return AlgorithmParameters.getInstance(algorithm); - } else { - return AlgorithmParameters.getInstance(algorithm, cryptoProvider); - } - } - - static SecureRandom getSecureRandom() throws KeyManagementException { - if (cryptoProvider == null) { - return new SecureRandom(); - } - // Try "PKCS11" first. 
If that is not supported, iterate through - // the provider and return the first working implementation. - try { - return SecureRandom.getInstance("PKCS11", cryptoProvider); - } catch (NoSuchAlgorithmException e) { - // ignore - } - for (Provider.Service s : cryptoProvider.getServices()) { - if (s.getType().equals("SecureRandom")) { - try { - return SecureRandom.getInstance( - s.getAlgorithm(), cryptoProvider); - } catch (NoSuchAlgorithmException ee) { - // ignore - } - } - } - throw new KeyManagementException("FIPS mode: no SecureRandom " - + " implementation found in provider " + cryptoProvider.getName()); - } - - static MessageDigest getMD5() { - return getMessageDigest("MD5"); - } - - static MessageDigest getSHA() { - return getMessageDigest("SHA"); - } - - static MessageDigest getMessageDigest(String algorithm) { - try { - if (cryptoProvider == null) { - return MessageDigest.getInstance(algorithm); - } else { - return MessageDigest.getInstance(algorithm, cryptoProvider); - } - } catch (NoSuchAlgorithmException e) { - throw new RuntimeException - ("Algorithm " + algorithm + " not available", e); - } - } - static int getRSAKeyLength(PublicKey key) { BigInteger modulus; if (key instanceof RSAPublicKey) { 
@@ -345,47 +144,13 @@ rsaKey.getPublicExponent()); } try { - KeyFactory factory = JsseJce.getKeyFactory("RSA"); + KeyFactory factory = KeyFactory.getInstance("RSA"); return factory.getKeySpec(key, RSAPublicKeySpec.class); } catch (Exception e) { throw new RuntimeException(e); } } - static ECParameterSpec getECParameterSpec(String namedCurveOid) { - return ECUtil.getECParameterSpec(cryptoProvider, namedCurveOid); - } - - static String getNamedCurveOid(ECParameterSpec params) { - return ECUtil.getCurveName(cryptoProvider, params); - } - - static ECPoint decodePoint(byte[] encoded, EllipticCurve curve) - throws java.io.IOException { - return ECUtil.decodePoint(encoded, curve); - } - - static byte[] encodePoint(ECPoint point, EllipticCurve curve) { - return ECUtil.encodePoint(point, curve); - } - - // In FIPS mode, set thread local providers; otherwise a no-op. - // Must be paired with endFipsProvider. - static Object beginFipsProvider() { - if (fipsProviderList == null) { - return null; - } else { - return Providers.beginThreadProviderList(fipsProviderList); - } - } - - static void endFipsProvider(Object o) { - if (fipsProviderList != null) { - Providers.endThreadProviderList((ProviderList)o); - } - } - - // lazy initialization holder class idiom for static default parameters // // See Effective Java Second Edition: Item 71. 
@@ -396,12 +161,12 @@ static { boolean mediator = true; try { - JsseJce.getSignature(SIGNATURE_ECDSA); - JsseJce.getSignature(SIGNATURE_RAWECDSA); - JsseJce.getKeyAgreement("ECDH"); - JsseJce.getKeyFactory("EC"); - JsseJce.getKeyPairGenerator("EC"); - JsseJce.getAlgorithmParameters("EC"); + Signature.getInstance(SIGNATURE_ECDSA); + Signature.getInstance(SIGNATURE_RAWECDSA); + KeyAgreement.getInstance("ECDH"); + KeyFactory.getInstance("EC"); + KeyPairGenerator.getInstance("EC"); + AlgorithmParameters.getInstance("EC"); } catch (Exception e) { mediator = false; } diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java --- a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -61,12 +61,6 @@ protected void engineInit(KeyStore ks, char[] password) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException { - if ((ks != null) && SunJSSE.isFIPS()) { - if (ks.getProvider() != SunJSSE.cryptoProvider) { - throw new KeyStoreException("FIPS mode: KeyStore must be " - + "from provider " + SunJSSE.cryptoProvider.getName()); - } - } keyManager = new SunX509KeyManagerImpl(ks, password); isInitialized = true; } 
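Review bot: The EC probe in this static initializer still ends in `catch (Exception e) { mediator = false; }`, so when any of the six provider-default lookups fails, the flag (which presumably gates EC support) flips with no record of which service was missing. A debug line before `mediator = false;`, such as `if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { SSLLogger.warning("EC is not available", e); }`, would make that diagnosable. The same silent fallback is in the SSLConfiguration.java hunk further down, where a missing `SunTlsExtendedMasterSecret` generator sets `supportExtendedMasterSecret = false`; that one turns off a handshake protection without telling the operator, so it deserves a log line as well. The initializer continues past the end of this hunk.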
@@ -91,12 +85,6 @@ keyManager = new X509KeyManagerImpl( Collections.emptyList()); } else { - if (SunJSSE.isFIPS() && - (ks.getProvider() != SunJSSE.cryptoProvider)) { - throw new KeyStoreException( - "FIPS mode: KeyStore must be " + - "from provider " + SunJSSE.cryptoProvider.getName()); - } try { Builder builder = Builder.newInstance(ks, new PasswordProtection(password)); @@ -115,10 +103,7 @@ throw new InvalidAlgorithmParameterException( "Parameters must be instance of KeyStoreBuilderParameters"); } - if (SunJSSE.isFIPS()) { - throw new InvalidAlgorithmParameterException - ("FIPS mode: KeyStoreBuilderParameters not supported"); - } + List builders = ((KeyStoreBuilderParameters)params).getParameters(); keyManager = new X509KeyManagerImpl(builders); diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java --- a/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java Tue Feb 12 13:36:15 2019 -0800 @@ -765,7 +765,7 @@ String hmacAlg = "Hmac" + hashAlg.name.replace("-", ""); try { - Mac hmac = JsseJce.getMac(hmacAlg); + Mac hmac = Mac.getInstance(hmacAlg); hmac.init(finishedKey); return hmac.doFinal(digest); } catch (NoSuchAlgorithmException | InvalidKeyException ex) { diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java --- a/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -109,7 +109,7 @@ byte[] getEncoded(PublicKey publicKey, SecureRandom secureRandom) throws GeneralSecurityException { - Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1); + Cipher cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1); cipher.init(Cipher.WRAP_MODE, publicKey, secureRandom); return cipher.wrap(premasterSecret); } @@ -119,7 +119,7 @@ ClientHandshakeContext chc) throws GeneralSecurityException { String algorithm = chc.negotiatedProtocol.useTLS12PlusSpec() ? "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret"; - KeyGenerator kg = JsseJce.getKeyGenerator(algorithm); + KeyGenerator kg = KeyGenerator.getInstance(algorithm); TlsRsaPremasterSecretParameterSpec spec = new TlsRsaPremasterSecretParameterSpec( chc.clientHelloVersion, @@ -136,7 +136,7 @@ byte[] encoded = null; boolean needFailover = false; - Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1); + Cipher cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1); try { // Try UNWRAP_MODE mode firstly. cipher.init(Cipher.UNWRAP_MODE, privateKey, @@ -163,7 +163,7 @@ if (needFailover) { // The cipher might be spoiled by unsuccessful call to init(), // so request a fresh instance - cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1); + cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1); // Use DECRYPT_MODE and dispose the previous initialization. cipher.init(Cipher.DECRYPT_MODE, privateKey); @@ -227,7 +227,7 @@ try { String s = ((clientVersion >= ProtocolVersion.TLS12.id) ? "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret"); - KeyGenerator kg = JsseJce.getKeyGenerator(s); + KeyGenerator kg = KeyGenerator.getInstance(s); kg.init(new TlsRsaPremasterSecretParameterSpec( clientVersion, serverVersion, encodedSecret), generator); diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java --- a/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java Tue Feb 12 15:19:25 2019 -0500 
+++ b/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -306,7 +306,7 @@ // check constraints of RSA PublicKey RSAPublicKey publicKey; try { - KeyFactory kf = JsseJce.getKeyFactory("RSA"); + KeyFactory kf = KeyFactory.getInstance("RSA"); RSAPublicKeySpec spec = new RSAPublicKeySpec( new BigInteger(1, skem.modulus), new BigInteger(1, skem.exponent)); diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/RSASignature.java --- a/src/java.base/share/classes/sun/security/ssl/RSASignature.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/RSASignature.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -53,9 +53,9 @@ public RSASignature() throws NoSuchAlgorithmException { super(); - rawRsa = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA); - this.mdMD5 = JsseJce.getMessageDigest("MD5"); - this.mdSHA = JsseJce.getMessageDigest("SHA"); + rawRsa = Signature.getInstance(JsseJce.SIGNATURE_RAWRSA); + this.mdMD5 = MessageDigest.getInstance("MD5"); + this.mdSHA = MessageDigest.getInstance("SHA"); } /** 
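Review bot: `MessageDigest.getInstance("SHA")` in the RSASignature constructor looks the digest up by an alias, not by its standard name; now that the lookup goes straight to the JCA provider list, `this.mdSHA = MessageDigest.getInstance("SHA-1");` is the more portable spelling. A missing digest also surfaces differently: the removed `JsseJce.getMessageDigest` wrapped it in a `RuntimeException`, while the constructor now lets `NoSuchAlgorithmException` propagate, which its `throws` clause already allows. A short comment stating that the MD5 and SHA-1 pair exists only for the `MD5andSHA1withRSA` signature this class implements would keep readers from treating these digests as a general default.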
@@ -66,7 +66,7 @@ * which may be this class. */ static Signature getInstance() throws NoSuchAlgorithmException { - return JsseJce.getSignature(JsseJce.SIGNATURE_SSLRSA); + return Signature.getInstance(JsseJce.SIGNATURE_SSLRSA); } @Override diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/SSLCipher.java --- a/src/java.base/share/classes/sun/security/ssl/SSLCipher.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/SSLCipher.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -851,7 +851,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); cipher.init(Cipher.DECRYPT_MODE, key, params, random); } @@ -933,7 +933,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); cipher.init(Cipher.ENCRYPT_MODE, key, params, random); } @@ -1023,7 +1023,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); cipher.init(Cipher.DECRYPT_MODE, key, params, random); } 
@@ -1175,7 +1175,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); cipher.init(Cipher.ENCRYPT_MODE, key, params, random); } @@ -1291,7 +1291,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); if (params == null) { params = new IvParameterSpec(new byte[sslCipher.ivSize]); } @@ -1455,7 +1455,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); this.random = random; if (params == null) { params = new IvParameterSpec(new byte[sslCipher.ivSize]); @@ -1590,7 +1590,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); this.tagSize = sslCipher.tagSize; this.key = key; this.fixedIv = ((IvParameterSpec)params).getIV(); @@ -1705,7 +1705,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); this.tagSize = sslCipher.tagSize; this.key = key; this.fixedIv = ((IvParameterSpec)params).getIV(); 
@@ -1838,7 +1838,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); this.tagSize = sslCipher.tagSize; this.key = key; this.iv = ((IvParameterSpec)params).getIV(); @@ -1992,7 +1992,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); this.tagSize = sslCipher.tagSize; this.key = key; this.iv = ((IvParameterSpec)params).getIV(); @@ -2133,7 +2133,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); this.tagSize = sslCipher.tagSize; this.key = key; this.iv = ((IvParameterSpec)params).getIV(); @@ -2252,7 +2252,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); this.tagSize = sslCipher.tagSize; this.key = key; this.iv = ((IvParameterSpec)params).getIV(); @@ -2392,7 +2392,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); this.tagSize = sslCipher.tagSize; this.key = key; this.iv = ((IvParameterSpec)params).getIV(); 
@@ -2534,7 +2534,7 @@ Key key, AlgorithmParameterSpec params, SecureRandom random) throws GeneralSecurityException { super(authenticator, protocolVersion); - this.cipher = JsseJce.getCipher(algorithm); + this.cipher = Cipher.getInstance(algorithm); this.tagSize = sslCipher.tagSize; this.key = key; this.iv = ((IvParameterSpec)params).getIV(); diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java --- a/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -36,6 +36,7 @@ import java.util.HashMap; import java.util.List; import java.util.function.BiFunction; +import javax.crypto.KeyGenerator; import javax.net.ssl.HandshakeCompletedListener; import javax.net.ssl.SNIMatcher; import javax.net.ssl.SNIServerName; @@ -104,7 +105,7 @@ "jdk.tls.useExtendedMasterSecret", true); if (supportExtendedMasterSecret) { try { - JsseJce.getKeyGenerator("SunTlsExtendedMasterSecret"); + KeyGenerator.getInstance("SunTlsExtendedMasterSecret"); } catch (NoSuchAlgorithmException nae) { supportExtendedMasterSecret = false; } diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java --- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Tue Feb 12 13:36:15 2019 -0800 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -94,14 +94,8 @@ trustManager = chooseTrustManager(tm); if (sr == null) { - secureRandom = JsseJce.getSecureRandom(); + secureRandom = new SecureRandom(); } else { - if (SunJSSE.isFIPS() && - (sr.getProvider() != SunJSSE.cryptoProvider)) { - throw new KeyManagementException - ("FIPS mode: SecureRandom must be from provider " - + SunJSSE.cryptoProvider.getName()); - } secureRandom = sr; } @@ -127,12 +121,6 @@ // We only use the first instance of X509TrustManager passed to us. for (int i = 0; tm != null && i < tm.length; i++) { if (tm[i] instanceof X509TrustManager) { - if (SunJSSE.isFIPS() && - !(tm[i] instanceof X509TrustManagerImpl)) { - throw new KeyManagementException - ("FIPS mode: only SunJSSE TrustManagers may be used"); - } - if (tm[i] instanceof X509ExtendedTrustManager) { return (X509TrustManager)tm[i]; } else { @@ -153,20 +141,7 @@ if (!(km instanceof X509KeyManager)) { continue; } - if (SunJSSE.isFIPS()) { - // In FIPS mode, require that one of SunJSSE's own keymanagers - // is used. Otherwise, we cannot be sure that only keys from - // the FIPS token are used. - if ((km instanceof X509KeyManagerImpl) - || (km instanceof SunX509KeyManagerImpl)) { - return (X509ExtendedKeyManager)km; - } else { - // throw exception, we don't want to silently use the - // dummy keymanager without telling the user. - throw new KeyManagementException - ("FIPS mode: only SunJSSE KeyManagers may be used"); - } - } + if (km instanceof X509ExtendedKeyManager) { return (X509ExtendedKeyManager)km; } 
@@ -548,41 +523,24 @@ private static final List serverDefaultCipherSuites; static { - if (SunJSSE.isFIPS()) { - supportedProtocols = Arrays.asList( - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10 - ); + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10, + ProtocolVersion.SSL30, + ProtocolVersion.SSL20Hello + ); - serverDefaultProtocols = getAvailableProtocols( - new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10 - }); - } else { - supportedProtocols = Arrays.asList( - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10, - ProtocolVersion.SSL30, - ProtocolVersion.SSL20Hello - ); - - serverDefaultProtocols = getAvailableProtocols( - new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10, - ProtocolVersion.SSL30, - ProtocolVersion.SSL20Hello - }); - } + serverDefaultProtocols = getAvailableProtocols( + new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10, + ProtocolVersion.SSL30, + ProtocolVersion.SSL20Hello + }); supportedCipherSuites = getApplicableSupportedCipherSuites( supportedProtocols); 
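Review bot: The same six-entry protocol list is now written out twice in this static block and a third time in `getSupportedProtocols()` in the next hunk, so a later change to the supported set has three places to keep in sync. Assuming `supportedProtocols` is a list of `ProtocolVersion`, deriving the second from the first removes one copy: `serverDefaultProtocols = getAvailableProtocols(supportedProtocols.toArray(new ProtocolVersion[0]));`. With the FIPS branch gone, `SSL30` and `SSL20Hello` are always among the server default candidates (and `SSL30` among the client ones in the hunks that follow); whether they end up enabled depends on `getAvailableProtocols`, which is not in the hunk, so a one-line comment saying where legacy versions are filtered out would help. The static block continues outside the hunk.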
@@ -626,23 +584,14 @@ } static ProtocolVersion[] getSupportedProtocols() { - if (SunJSSE.isFIPS()) { - return new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10 - }; - } else { - return new ProtocolVersion[]{ - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10, - ProtocolVersion.SSL30, - ProtocolVersion.SSL20Hello - }; - } + return new ProtocolVersion[]{ + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10, + ProtocolVersion.SSL30, + ProtocolVersion.SSL20Hello + }; } } @@ -656,18 +605,11 @@ private static final List clientDefaultCipherSuites; static { - if (SunJSSE.isFIPS()) { - clientDefaultProtocols = getAvailableProtocols( - new ProtocolVersion[] { - ProtocolVersion.TLS10 - }); - } else { - clientDefaultProtocols = getAvailableProtocols( - new ProtocolVersion[] { - ProtocolVersion.TLS10, - ProtocolVersion.SSL30 - }); - } + clientDefaultProtocols = getAvailableProtocols( + new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.SSL30 + }); clientDefaultCipherSuites = getApplicableEnabledCipherSuites( clientDefaultProtocols, true); @@ -694,20 +636,12 @@ private static final List clientDefaultCipherSuites; static { - if (SunJSSE.isFIPS()) { - clientDefaultProtocols = getAvailableProtocols( - new ProtocolVersion[] { - ProtocolVersion.TLS11, - ProtocolVersion.TLS10 - }); - } else { - clientDefaultProtocols = getAvailableProtocols( - new ProtocolVersion[] { - ProtocolVersion.TLS11, - ProtocolVersion.TLS10, - ProtocolVersion.SSL30 - }); - } + clientDefaultProtocols = getAvailableProtocols( + new ProtocolVersion[] { + ProtocolVersion.TLS11, + ProtocolVersion.TLS10, + ProtocolVersion.SSL30 + }); clientDefaultCipherSuites = getApplicableEnabledCipherSuites( clientDefaultProtocols, true); 
@@ -735,22 +669,13 @@ private static final List clientDefaultCipherSuites; static { - if (SunJSSE.isFIPS()) { - clientDefaultProtocols = getAvailableProtocols( - new ProtocolVersion[] { - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10 - }); - } else { - clientDefaultProtocols = getAvailableProtocols( - new ProtocolVersion[] { - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10, - ProtocolVersion.SSL30 - }); - } + clientDefaultProtocols = getAvailableProtocols( + new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10, + ProtocolVersion.SSL30 + }); clientDefaultCipherSuites = getApplicableEnabledCipherSuites( clientDefaultProtocols, true); @@ -777,24 +702,14 @@ private static final List clientDefaultCipherSuites; static { - if (SunJSSE.isFIPS()) { - clientDefaultProtocols = getAvailableProtocols( - new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10 - }); - } else { - clientDefaultProtocols = getAvailableProtocols( - new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10, - ProtocolVersion.SSL30 - }); - } + clientDefaultProtocols = getAvailableProtocols( + new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10, + ProtocolVersion.SSL30 + }); clientDefaultCipherSuites = getApplicableEnabledCipherSuites( clientDefaultProtocols, true); @@ -866,16 +781,6 @@ " is not a supported SSL protocol name"); } - if (SunJSSE.isFIPS() && - ((pv == ProtocolVersion.SSL30) || - (pv == ProtocolVersion.SSL20Hello))) { - reservedException = new IllegalArgumentException( - propname + ": " + pv + - " is not FIPS compliant"); - - break; - } - // ignore duplicated protocols if (!arrayList.contains(pv)) { arrayList.add(pv); 
@@ -955,22 +860,13 @@ } static ProtocolVersion[] getProtocols() { - if (SunJSSE.isFIPS()) { - return new ProtocolVersion[]{ - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10 - }; - } else { - return new ProtocolVersion[]{ - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, - ProtocolVersion.TLS10, - ProtocolVersion.SSL30 - }; - } + return new ProtocolVersion[]{ + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10, + ProtocolVersion.SSL30 + }; } protected CustomizedTLSContext() { diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/SSLMasterKeyDerivation.java --- a/src/java.base/share/classes/sun/security/ssl/SSLMasterKeyDerivation.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/SSLMasterKeyDerivation.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -145,7 +145,7 @@ } try { - KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg); + KeyGenerator kg = KeyGenerator.getInstance(masterAlg); kg.init(spec); return kg.generateKey(); } catch (InvalidAlgorithmParameterException | diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/SSLTrafficKeyDerivation.java --- a/src/java.base/share/classes/sun/security/ssl/SSLTrafficKeyDerivation.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/SSLTrafficKeyDerivation.java Tue Feb 12 13:36:15 2019 -0800 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -280,7 +280,7 @@ hashAlg.name, hashAlg.hashLength, hashAlg.blockSize); try { - KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg); + KeyGenerator kg = KeyGenerator.getInstance(keyMaterialAlg); kg.init(spec); this.keyMaterialSpec = (TlsKeyMaterialSpec)kg.generateKey(); diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/SignatureScheme.java --- a/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -194,7 +194,7 @@ boolean mediator = true; try { - Signature signer = JsseJce.getSignature("RSASSA-PSS"); + Signature signer = Signature.getInstance("RSASSA-PSS"); signer.setParameter(pssParamSpec); } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException exp) { @@ -275,7 +275,7 @@ mediator = signAlgParamSpec.isAvailable; } else { try { - JsseJce.getSignature(algorithm); + Signature.getInstance(algorithm); } catch (Exception e) { mediator = false; if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { 
@@ -466,7 +466,7 @@ return null; } - Signature signer = JsseJce.getSignature(algorithm); + Signature signer = Signature.getInstance(algorithm); if (key instanceof PublicKey) { signer.initVerify((PublicKey)(key)); } else { diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/SunJSSE.java --- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -66,97 +66,16 @@ "(PKCS12, SunX509/PKIX key/trust factories, " + "SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)"; - private static String fipsInfo = - "Sun JSSE provider (FIPS mode, crypto provider "; - - // tri-valued flag: - // null := no final decision made - // false := data structures initialized in non-FIPS mode - // true := data structures initialized in FIPS mode - private static Boolean fips; - - // the FIPS certificate crypto provider that we use to perform all crypto - // operations. null in non-FIPS mode - static java.security.Provider cryptoProvider; - - protected static synchronized boolean isFIPS() { - if (fips == null) { - fips = false; - } - return fips; - } - - // ensure we can use FIPS mode using the specified crypto provider. - // enable FIPS mode if not already enabled. - private static synchronized void ensureFIPS(java.security.Provider p) { - if (fips == null) { - fips = true; - cryptoProvider = p; - } else { - if (fips == false) { - throw new ProviderException - ("SunJSSE already initialized in non-FIPS mode"); - } - if (cryptoProvider != p) { - throw new ProviderException - ("SunJSSE already initialized with FIPS crypto provider " - + cryptoProvider); - } - } - } - - // standard constructor protected SunJSSE() { super("SunJSSE", PROVIDER_VER, info); subclassCheck(); - if (Boolean.TRUE.equals(fips)) { - throw new ProviderException - ("SunJSSE is already initialized in FIPS mode"); - } - registerAlgorithms(false); - } - - // preferred constructor to enable FIPS mode at runtime - protected SunJSSE(java.security.Provider cryptoProvider){ - this(checkNull(cryptoProvider), cryptoProvider.getName()); - } - - // constructor to enable FIPS mode from java.security file - protected SunJSSE(String cryptoProvider){ - this(null, checkNull(cryptoProvider)); - } - - private static T checkNull(T t) { - if (t == null) { - throw new ProviderException("cryptoProvider must not be null"); - } - return t; + registerAlgorithms(); } - private 
SunJSSE(java.security.Provider cryptoProvider, - String providerName) { - super("SunJSSE", PROVIDER_VER, fipsInfo + providerName + ")"); - subclassCheck(); - if (cryptoProvider == null) { - // Calling Security.getProvider() will cause other providers to be - // loaded. That is not good but unavoidable here. - cryptoProvider = Security.getProvider(providerName); - if (cryptoProvider == null) { - throw new ProviderException - ("Crypto provider not installed: " + providerName); - } - } - ensureFIPS(cryptoProvider); - registerAlgorithms(true); - } - - private void registerAlgorithms(final boolean isfips) { - AccessController.doPrivileged(new PrivilegedAction() { - @Override - public Object run() { - doRegister(isfips); - return null; - } + private void registerAlgorithms() { + AccessController.doPrivileged((PrivilegedAction) () -> { + doRegister(); + return null; }); } @@ -165,14 +84,13 @@ putService(new Provider.Service(this, type, algo, cn, aliases, attrs)); } - private void doRegister(boolean isfips) { - if (isfips == false) { - Iterator rsaIter = - new SunRsaSignEntries(this).iterator(); - while (rsaIter.hasNext()) { - putService(rsaIter.next()); - } + private void doRegister() { + Iterator rsaIter = + new SunRsaSignEntries(this).iterator(); + while (rsaIter.hasNext()) { + putService(rsaIter.next()); } + ps("Signature", "MD5andSHA1withRSA", "sun.security.ssl.RSASignature", null, null); 
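Review bot: The hand-written iterator loop in `doRegister()` can be a single call now that the FIPS guard around it is gone: `new SunRsaSignEntries(this).iterator().forEachRemaining(this::putService);`. That drops the `rsaIter` local and matches the lambda style that `registerAlgorithms()` switched to in the previous hunk. `doRegister()` continues outside the hunk.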
@@ -183,14 +101,15 @@ createAliases("PKIX"), null); ps("TrustManagerFactory", "SunX509", - "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory", null, null); + "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory", + null, null); ps("TrustManagerFactory", "PKIX", "sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory", createAliases("SunPKIX", "X509", "X.509"), null); ps("SSLContext", "TLSv1", "sun.security.ssl.SSLContextImpl$TLS10Context", - (isfips? null : createAliases("SSLv3")), null); + createAliases("SSLv3"), null); ps("SSLContext", "TLSv1.1", "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); ps("SSLContext", "TLSv1.2", @@ -199,7 +118,7 @@ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ps("SSLContext", "TLS", "sun.security.ssl.SSLContextImpl$TLSContext", - (isfips? null : createAliases("SSL")), null); + createAliases("SSL"), null); ps("SSLContext", "DTLSv1.0", "sun.security.ssl.SSLContextImpl$DTLS10Context", null, null); @@ -225,12 +144,4 @@ throw new AssertionError("Illegal subclass: " + getClass()); } } - - @Override - @SuppressWarnings("deprecation") - protected final void finalize() throws Throwable { - // empty - super.finalize(); - } - } diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java --- a/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
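Review bot: The `SSLv3` and `SSL` aliases on the `TLSv1` and `TLS` SSLContext entries are now registered unconditionally, and nothing at the registration site says what a caller asking for them gets. A comment above each, for example `// "SSLv3" is a name alias only; it resolves to TLS10Context`, would make clear that the alias selects a context class and does not by itself pick a protocol version. `doRegister()` starts before this hunk and continues after it.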
@@ -52,6 +52,7 @@ import sun.security.ssl.SSLExtension.ExtensionConsumer; import sun.security.ssl.SSLExtension.SSLExtensionSpec; import sun.security.ssl.SSLHandshake.HandshakeMessage; +import sun.security.util.ECUtil; /** * Pack of the "supported_groups" extensions [RFC 4492/7919]. @@ -158,15 +159,23 @@ } static enum NamedGroupType { - NAMED_GROUP_ECDHE, // Elliptic Curve Groups (ECDHE) - NAMED_GROUP_FFDHE, // Finite Field Groups (DHE) - NAMED_GROUP_XDH, // Finite Field Groups (XDH) - NAMED_GROUP_ARBITRARY, // arbitrary prime and curves (ECDHE) - NAMED_GROUP_NONE; // Not predefined named group + NAMED_GROUP_ECDHE ("EC"), + NAMED_GROUP_FFDHE ("DiffieHellman"), + NAMED_GROUP_X25519 ("x25519"), + NAMED_GROUP_X448 ("x448"), + NAMED_GROUP_ARBITRARY ("EC"), + NAMED_GROUP_NONE (""); + + private final String algorithm; + + private NamedGroupType(String algorithm) { + this.algorithm = algorithm; + } boolean isSupported(List cipherSuites) { for (CipherSuite cs : cipherSuites) { - if (cs.keyExchange == null || cs.keyExchange.groupType == this) { + if (cs.keyExchange == null || + cs.keyExchange.groupType == this) { return true; } } 
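Review bot: The rewritten `NamedGroupType` constants drop the trailing comments that said what each type stands for, and the new `algorithm` field has no comment at all. I would keep one comment per constant, for example `NAMED_GROUP_FFDHE ("DiffieHellman"), // Finite Field Groups (DHE)`, and document the field with `private final String algorithm; // key algorithm name for groups of this type`. `NAMED_GROUP_NONE ("")` deserves its own remark, because an empty name handed to a JCA `getInstance` call would fail; whether any caller does that is not visible here. The enum body continues past the hunk.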
@@ -180,108 +189,142 @@ // // See sun.security.util.CurveDB for the OIDs // NIST K-163 - SECT163_K1 (0x0001, "sect163k1", "1.3.132.0.1", true, + SECT163_K1 (0x0001, "sect163k1", "1.3.132.0.1", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), - SECT163_R1 (0x0002, "sect163r1", "1.3.132.0.2", false, + SECT163_R1 (0x0002, "sect163r1", "1.3.132.0.2", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), // NIST B-163 - SECT163_R2 (0x0003, "sect163r2", "1.3.132.0.15", true, + SECT163_R2 (0x0003, "sect163r2", "1.3.132.0.15", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), - SECT193_R1 (0x0004, "sect193r1", "1.3.132.0.24", false, + SECT193_R1 (0x0004, "sect193r1", "1.3.132.0.24", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), - SECT193_R2 (0x0005, "sect193r2", "1.3.132.0.25", false, + SECT193_R2 (0x0005, "sect193r2", "1.3.132.0.25", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), // NIST K-233 - SECT233_K1 (0x0006, "sect233k1", "1.3.132.0.26", true, + SECT233_K1 (0x0006, "sect233k1", "1.3.132.0.26", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), // NIST B-233 - SECT233_R1 (0x0007, "sect233r1", "1.3.132.0.27", true, + SECT233_R1 (0x0007, "sect233r1", "1.3.132.0.27", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), - SECT239_K1 (0x0008, "sect239k1", "1.3.132.0.3", false, + SECT239_K1 (0x0008, "sect239k1", "1.3.132.0.3", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), // NIST K-283 - SECT283_K1 (0x0009, "sect283k1", "1.3.132.0.16", true, + SECT283_K1 (0x0009, "sect283k1", "1.3.132.0.16", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), // NIST B-283 - SECT283_R1 (0x000A, "sect283r1", "1.3.132.0.17", true, + SECT283_R1 (0x000A, "sect283r1", "1.3.132.0.17", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), // NIST K-409 - SECT409_K1 (0x000B, "sect409k1", "1.3.132.0.36", 
true, + SECT409_K1 (0x000B, "sect409k1", "1.3.132.0.36", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), // NIST B-409 - SECT409_R1 (0x000C, "sect409r1", "1.3.132.0.37", true, + SECT409_R1 (0x000C, "sect409r1", "1.3.132.0.37", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), // NIST K-571 - SECT571_K1 (0x000D, "sect571k1", "1.3.132.0.38", true, + SECT571_K1 (0x000D, "sect571k1", "1.3.132.0.38", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), // NIST B-571 - SECT571_R1 (0x000E, "sect571r1", "1.3.132.0.39", true, + SECT571_R1 (0x000E, "sect571r1", "1.3.132.0.39", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), - SECP160_K1 (0x000F, "secp160k1", "1.3.132.0.9", false, + SECP160_K1 (0x000F, "secp160k1", "1.3.132.0.9", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), - SECP160_R1 (0x0010, "secp160r1", "1.3.132.0.8", false, + SECP160_R1 (0x0010, "secp160r1", "1.3.132.0.8", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), - SECP160_R2 (0x0011, "secp160r2", "1.3.132.0.30", false, + SECP160_R2 (0x0011, "secp160r2", "1.3.132.0.30", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), - SECP192_K1 (0x0012, "secp192k1", "1.3.132.0.31", false, + SECP192_K1 (0x0012, "secp192k1", "1.3.132.0.31", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), // NIST P-192 - SECP192_R1 (0x0013, "secp192r1", "1.2.840.10045.3.1.1", true, + SECP192_R1 (0x0013, "secp192r1", "1.2.840.10045.3.1.1", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), - SECP224_K1 (0x0014, "secp224k1", "1.3.132.0.32", false, + SECP224_K1 (0x0014, "secp224k1", "1.3.132.0.32", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), // NIST P-224 - SECP224_R1 (0x0015, "secp224r1", "1.3.132.0.33", true, + SECP224_R1 (0x0015, "secp224r1", "1.3.132.0.33", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), - 
SECP256_K1 (0x0016, "secp256k1", "1.3.132.0.10", false, + SECP256_K1 (0x0016, "secp256k1", "1.3.132.0.10", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_12), // NIST P-256 - SECP256_R1 (0x0017, "secp256r1", "1.2.840.10045.3.1.7", true, + SECP256_R1 (0x0017, "secp256r1", "1.2.840.10045.3.1.7", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_13), // NIST P-384 - SECP384_R1 (0x0018, "secp384r1", "1.3.132.0.34", true, + SECP384_R1 (0x0018, "secp384r1", "1.3.132.0.34", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_13), // NIST P-521 - SECP521_R1 (0x0019, "secp521r1", "1.3.132.0.35", true, + SECP521_R1 (0x0019, "secp521r1", "1.3.132.0.35", + NamedGroupType.NAMED_GROUP_ECDHE, ProtocolVersion.PROTOCOLS_TO_13), // x25519 and x448 - X25519 (0x001D, "x25519", true, "x25519", + X25519 (0x001D, "x25519", null, + NamedGroupType.NAMED_GROUP_X25519, ProtocolVersion.PROTOCOLS_TO_13), - X448 (0x001E, "x448", true, "x448", + X448 (0x001E, "x448", null, + NamedGroupType.NAMED_GROUP_X448, ProtocolVersion.PROTOCOLS_TO_13), // Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919) - FFDHE_2048 (0x0100, "ffdhe2048", true, + FFDHE_2048 (0x0100, "ffdhe2048", null, + NamedGroupType.NAMED_GROUP_FFDHE, ProtocolVersion.PROTOCOLS_TO_13), - FFDHE_3072 (0x0101, "ffdhe3072", true, + FFDHE_3072 (0x0101, "ffdhe3072", null, + NamedGroupType.NAMED_GROUP_FFDHE, ProtocolVersion.PROTOCOLS_TO_13), - FFDHE_4096 (0x0102, "ffdhe4096", true, + FFDHE_4096 (0x0102, "ffdhe4096", null, + NamedGroupType.NAMED_GROUP_FFDHE, ProtocolVersion.PROTOCOLS_TO_13), - FFDHE_6144 (0x0103, "ffdhe6144", true, + FFDHE_6144 (0x0103, "ffdhe6144", null, + NamedGroupType.NAMED_GROUP_FFDHE, ProtocolVersion.PROTOCOLS_TO_13), - FFDHE_8192 (0x0104, "ffdhe8192", true, + FFDHE_8192 (0x0104, "ffdhe8192", null, + NamedGroupType.NAMED_GROUP_FFDHE, ProtocolVersion.PROTOCOLS_TO_13), // Elliptic Curves (RFC 4492) // // arbitrary prime and characteristic-2 curves - ARBITRARY_PRIME 
(0xFF01, "arbitrary_explicit_prime_curves", + ARBITRARY_PRIME (0xFF01, "arbitrary_explicit_prime_curves", null, + NamedGroupType.NAMED_GROUP_ARBITRARY, ProtocolVersion.PROTOCOLS_TO_12), - ARBITRARY_CHAR2 (0xFF02, "arbitrary_explicit_char2_curves", + ARBITRARY_CHAR2 (0xFF02, "arbitrary_explicit_char2_curves", null, + NamedGroupType.NAMED_GROUP_ARBITRARY, ProtocolVersion.PROTOCOLS_TO_12); final int id; // hash + signature 
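Review bot: The entries without an OID (`X25519`, `X448`, the `FFDHE_*` groups and the two `ARBITRARY_*` entries) now pass a bare positional `null` as the third constructor argument, which reads as an unexplained hole in the table. An argument comment, `X25519 (0x001D, "x25519", /* oid */ null,`, or one line above the first such entry, `// no OID is recorded for the groups below`, would make the intent clear. The trailing context line `final int id; // hash + signature` also looks stale for a named-group table and could be corrected while this block is being touched; the field's uses are outside the hunk, so that is worth confirming.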
@@ -289,55 +332,16 @@ final String name; // literal name final String oid; // object identifier of the named group final String algorithm; // signature algorithm - final boolean isFips; // can be used in FIPS mode? final ProtocolVersion[] supportedProtocols; - // Constructor used for Elliptic Curve Groups (ECDHE) - private NamedGroup(int id, String name, String oid, boolean isFips, - ProtocolVersion[] supportedProtocols) { - this.id = id; - this.type = NamedGroupType.NAMED_GROUP_ECDHE; - this.name = name; - this.oid = oid; - this.algorithm = "EC"; - this.isFips = isFips; - this.supportedProtocols = supportedProtocols; - } - - // Constructor used for Elliptic Curve Groups (XDH) - private NamedGroup(int id, String name, - boolean isFips, String algorithm, + private NamedGroup(int id, String name, String oid, + NamedGroupType namedGroupType, ProtocolVersion[] supportedProtocols) { this.id = id; - this.type = NamedGroupType.NAMED_GROUP_XDH; - this.name = name; - this.oid = null; - this.algorithm = algorithm; - this.isFips = isFips; - this.supportedProtocols = supportedProtocols; - } - - // Constructor used for Finite Field Diffie-Hellman Groups (FFDHE) - private NamedGroup(int id, String name, boolean isFips, - ProtocolVersion[] supportedProtocols) { - this.id = id; - this.type = NamedGroupType.NAMED_GROUP_FFDHE; + this.type = namedGroupType; this.name = name; - this.oid = null; - this.algorithm = "DiffieHellman"; - this.isFips = isFips; - this.supportedProtocols = supportedProtocols; - } - - // Constructor used for arbitrary prime and curves (ECDHE) - private NamedGroup(int id, String name, - ProtocolVersion[] supportedProtocols) { - this.id = id; - this.type = NamedGroupType.NAMED_GROUP_ARBITRARY; - this.name = name; - this.oid = null; - this.algorithm = "EC"; - this.isFips = false; + this.oid = oid; + this.algorithm = namedGroupType.algorithm; this.supportedProtocols = supportedProtocols; } 
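Review bot: The single remaining constructor copies `algorithm` from the group type, but the field's comment in the context line still says `// signature algorithm`, which does not match the values it can now hold (`"EC"`, `"DiffieHellman"`, `"x25519"`, `"x448"`, `""`). I would change it to `final String algorithm; // key algorithm name, taken from the group type`. The four per-kind constructor comments were removed with nothing in their place, so the new constructor should get a short comment stating that `oid` is `null` for every group that is not a named EC curve, as the constant table shows.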
@@ -352,7 +356,7 @@ } static NamedGroup valueOf(ECParameterSpec params) { - String oid = JsseJce.getNamedCurveOid(params); + String oid = ECUtil.getCurveName(null, params); if ((oid != null) && (!oid.isEmpty())) { for (NamedGroup group : NamedGroup.values()) { if ((group.type == NamedGroupType.NAMED_GROUP_ECDHE) && @@ -472,8 +476,6 @@ static final NamedGroup[] supportedNamedGroups; static { - boolean requireFips = SunJSSE.isFIPS(); - // The value of the System Property defines a list of enabled named // groups in preference order, separated with comma. For example: // @@ -499,8 +501,7 @@ group = group.trim(); if (!group.isEmpty()) { NamedGroup namedGroup = NamedGroup.nameOf(group); - if (namedGroup != null && - (!requireFips || namedGroup.isFips)) { + if (namedGroup != null) { if (isAvailableGroup(namedGroup)) { groupList.add(namedGroup); } @@ -514,29 +515,7 @@ property + ") contains no supported named groups"); } } else { // default groups - NamedGroup[] groups; - if (requireFips) { - groups = new NamedGroup[] { - // only NIST curves in FIPS mode - NamedGroup.SECP256_R1, - NamedGroup.SECP384_R1, - NamedGroup.SECP521_R1, - NamedGroup.SECT283_K1, - NamedGroup.SECT283_R1, - NamedGroup.SECT409_K1, - NamedGroup.SECT409_R1, - NamedGroup.SECT571_K1, - NamedGroup.SECT571_R1, - - // FFDHE 2048 - NamedGroup.FFDHE_2048, - NamedGroup.FFDHE_3072, - NamedGroup.FFDHE_4096, - NamedGroup.FFDHE_6144, - NamedGroup.FFDHE_8192, - }; - } else { - groups = new NamedGroup[] { + NamedGroup[] groups = new NamedGroup[] { // NIST curves first NamedGroup.SECP256_R1, NamedGroup.SECP384_R1, @@ -558,7 +537,6 @@ NamedGroup.FFDHE_6144, NamedGroup.FFDHE_8192, }; - } groupList = new ArrayList<>(groups.length); for (NamedGroup group : groups) { 
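Review bot: In `valueOf(ECParameterSpec)` the result of `ECUtil.getCurveName(null, params)` is stored in a variable called `oid` and matched against the groups' OIDs, so the lookup only works if the curve is reported in OID form. With the provider argument now `null`, which EC implementation answers is presumably left to the default provider lookup; the body of `getCurveName` is not on this page, so that needs confirming. A comment at the call, `// expects the OID string; a provider that reports a curve name will not match`, would make the dependency explicit. The method's loop continues past the hunk.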
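Review bot: In the `@@ -499,8 +501,7 @@` hunk every name that `NamedGroup.nameOf` recognises is now accepted from the system property, with `isAvailableGroup` as the only remaining filter. That includes small legacy curves from the constant table such as `secp160k1` and `sect163r1`, which the removed `isFips` flag used to keep out in FIPS mode. The comment block above the property parsing should say so, e.g. `// every known group name is accepted here; availability is the only filter`, so that deployments which relied on the FIPS filter know they have to list only the groups they want. The static initializer starts and ends outside these hunks.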
@@ -587,7 +565,7 @@ if (namedGroup.type == NamedGroupType.NAMED_GROUP_ECDHE) { if (namedGroup.oid != null) { try { - params = JsseJce.getAlgorithmParameters("EC"); + params = AlgorithmParameters.getInstance("EC"); spec = new ECGenParameterSpec(namedGroup.oid); } catch (NoSuchAlgorithmException e) { return false; @@ -595,7 +573,7 @@ } } else if (namedGroup.type == NamedGroupType.NAMED_GROUP_FFDHE) { try { - params = JsseJce.getAlgorithmParameters("DiffieHellman"); + params = AlgorithmParameters.getInstance("DiffieHellman"); spec = getFFDHEDHParameterSpec(namedGroup); } catch (NoSuchAlgorithmException e) { return false; diff -r b5d45c2fe8a0 -r cb1642ccc732 src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java --- a/src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java Tue Feb 12 15:19:25 2019 -0500 +++ b/src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java Tue Feb 12 13:36:15 2019 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -218,7 +218,7 @@ responseList = ((ExtendedSSLSession)session).getStatusResponses(); } - trustedChain = validate(v, chain, responseList, + trustedChain = v.validate(chain, null, responseList, constraints, isClient ? null : authType); // check if EE certificate chains to a public root CA (as @@ -234,7 +234,7 @@ getRequestedServerNames(socket), chainsToPublicCA); } } else { - trustedChain = validate(v, chain, Collections.emptyList(), + trustedChain = v.validate(chain, null, Collections.emptyList(), null, isClient ? null : authType); } 
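Review bot: Both new `AlgorithmParameters.getInstance(...)` calls hard-code the algorithm string (`"EC"` here, `"DiffieHellman"` in the `@@ -595,7 +573,7 @@` hunk), although this commit gives every `NamedGroup` an `algorithm` field derived from its type. Using `params = AlgorithmParameters.getInstance(namedGroup.algorithm);` in both branches keeps the strings in one place. The lookup presumably no longer goes through a pinned provider, so the availability check reflects whichever installed provider serves the algorithm first; a one-line comment saying that would help. The method starts and ends outside these hunks.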
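Review bot: With the `validate(...)` helper inlined, the call sites pass bare positional `null`s whose meaning is not obvious, most of all the fallback `v.validate(chain, null, Collections.emptyList(), null, ...)` in the `@@ -234,7 +234,7 @@` hunk, where the fourth argument is the algorithm constraints (per the removed helper's parameter list). I would mark it as `/* constraints */ null` and add a line above that `else` branch saying when validation runs without constraints and without status responses; the condition itself is outside the hunk. The same applies to the call sites in the `@@ -276,7 +276,7 @@` and `@@ -292,7 +292,7 @@` hunks.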
@@ -276,7 +276,7 @@ responseList = ((ExtendedSSLSession)session).getStatusResponses(); } - trustedChain = validate(v, chain, responseList, + trustedChain = v.validate(chain, null, responseList, constraints, isClient ? null : authType); // check if EE certificate chains to a public root CA (as @@ -292,7 +292,7 @@ getRequestedServerNames(engine), chainsToPublicCA); } } else { - trustedChain = validate(v, chain, Collections.emptyList(), + trustedChain = v.validate(chain, null, Collections.emptyList(), null, isClient ? null : authType); } @@ -312,18 +312,6 @@ return v; } - private static X509Certificate[] validate(Validator v, - X509Certificate[] chain, List responseList, - AlgorithmConstraints constraints, String authType) - throws CertificateException { - Object o = JsseJce.beginFipsProvider(); - try { - return v.validate(chain, null, responseList, constraints, authType); - } finally { - JsseJce.endFipsProvider(o); - } - } - // Get string representation of HostName from a list of server names. // // We are only accepting host_name name type in the list. diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/CipherTest.java --- a/test/jdk/sun/security/pkcs11/fips/CipherTest.java Tue Feb 12 15:19:25 2019 -0500 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,608 +0,0 @@ -/* - * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -import java.io.*; -import java.net.*; -import java.util.*; -import java.util.concurrent.*; - -import java.security.*; -import java.security.cert.*; -import java.security.cert.Certificate; - -import javax.net.ssl.*; - -/** - * Test that all ciphersuites work in all versions and all client - * authentication types. The way this is setup the server is stateless and - * all checking is done on the client side. - * - * The test is multithreaded to speed it up, especially on multiprocessor - * machines. To simplify debugging, run with -DnumThreads=1. 
- * - * @author Andreas Sterbenz - */ -public class CipherTest { - - // use any available port for the server socket - static int serverPort = 0; - - final int THREADS; - - // assume that if we do not read anything for 20 seconds, something - // has gone wrong - final static int TIMEOUT = 20 * 1000; - - static KeyStore /* trustStore, */ keyStore; - static X509ExtendedKeyManager keyManager; - static X509TrustManager trustManager; - static SecureRandom secureRandom; - - private static PeerFactory peerFactory; - - static abstract class Server implements Runnable { - - final CipherTest cipherTest; - - Server(CipherTest cipherTest) throws Exception { - this.cipherTest = cipherTest; - } - - public abstract void run(); - - void handleRequest(InputStream in, OutputStream out) throws IOException { - boolean newline = false; - StringBuilder sb = new StringBuilder(); - while (true) { - int ch = in.read(); - if (ch < 0) { - throw new EOFException(); - } - sb.append((char)ch); - if (ch == '\r') { - // empty - } else if (ch == '\n') { - if (newline) { - // 2nd newline in a row, end of request - break; - } - newline = true; - } else { - newline = false; - } - } - String request = sb.toString(); - if (request.startsWith("GET / HTTP/1.") == false) { - throw new IOException("Invalid request: " + request); - } - out.write("HTTP/1.0 200 OK\r\n\r\n".getBytes()); - } - - } - - public static class TestParameters { - - String cipherSuite; - String protocol; - String clientAuth; - - TestParameters(String cipherSuite, String protocol, - String clientAuth) { - this.cipherSuite = cipherSuite; - this.protocol = protocol; - this.clientAuth = clientAuth; - } - - boolean isEnabled() { - return TLSCipherStatus.isEnabled(cipherSuite, protocol); - } - - public String toString() { - String s = cipherSuite + " in " + protocol + " mode"; - if (clientAuth != null) { - s += " with " + clientAuth + " client authentication"; - } - return s; - } - - static enum TLSCipherStatus { - // cipher suites supported 
since TLS 1.2 - CS_01("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF), - CS_02("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF), - CS_03("TLS_RSA_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF), - CS_04("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF), - CS_05("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF), - CS_06("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF), - CS_07("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF), - - CS_08("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), - CS_09("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), - CS_10("TLS_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), - CS_11("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), - CS_12("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), - CS_13("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), - CS_14("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), - - CS_15("TLS_DH_anon_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF), - CS_16("TLS_DH_anon_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF), - CS_17("TLS_RSA_WITH_NULL_SHA256", 0x0303, 0xFFFF), - - CS_20("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF), - CS_21("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF), - CS_22("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF), - CS_23("TLS_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF), - CS_24("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF), - CS_25("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF), - CS_26("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF), - CS_27("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF), - - CS_28("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF), - CS_29("TLS_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF), - CS_30("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF), - CS_31("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF), - CS_32("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF), - 
CS_33("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF), - - CS_34("TLS_DH_anon_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF), - CS_35("TLS_DH_anon_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF), - - // cipher suites obsoleted since TLS 1.2 - CS_50("SSL_RSA_WITH_DES_CBC_SHA", 0x0000, 0x0303), - CS_51("SSL_DHE_RSA_WITH_DES_CBC_SHA", 0x0000, 0x0303), - CS_52("SSL_DHE_DSS_WITH_DES_CBC_SHA", 0x0000, 0x0303), - CS_53("SSL_DH_anon_WITH_DES_CBC_SHA", 0x0000, 0x0303), - CS_54("TLS_KRB5_WITH_DES_CBC_SHA", 0x0000, 0x0303), - CS_55("TLS_KRB5_WITH_DES_CBC_MD5", 0x0000, 0x0303), - - // cipher suites obsoleted since TLS 1.1 - CS_60("SSL_RSA_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302), - CS_61("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302), - CS_62("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302), - CS_63("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302), - CS_64("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302), - CS_65("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302), - CS_66("TLS_KRB5_EXPORT_WITH_RC4_40_SHA", 0x0000, 0x0302), - CS_67("TLS_KRB5_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302), - CS_68("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", 0x0000, 0x0302), - CS_69("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", 0x0000, 0x0302), - - // ignore TLS_EMPTY_RENEGOTIATION_INFO_SCSV always - CS_99("TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 0xFFFF, 0x0000); - - // the cipher suite name - final String cipherSuite; - - // supported since protocol version - final int supportedSince; - - // obsoleted since protocol version - final int obsoletedSince; - - TLSCipherStatus(String cipherSuite, - int supportedSince, int obsoletedSince) { - this.cipherSuite = cipherSuite; - this.supportedSince = supportedSince; - this.obsoletedSince = obsoletedSince; - } - - static boolean isEnabled(String cipherSuite, String protocol) { - int versionNumber = toVersionNumber(protocol); - - if (versionNumber < 0) { - return true; // unlikely to happen - } - - for (TLSCipherStatus status : 
TLSCipherStatus.values()) { - if (cipherSuite.equals(status.cipherSuite)) { - if ((versionNumber < status.supportedSince) || - (versionNumber >= status.obsoletedSince)) { - return false; - } - - return true; - } - } - - return true; - } - - private static int toVersionNumber(String protocol) { - int versionNumber = -1; - - switch (protocol) { - case "SSLv2Hello": - versionNumber = 0x0002; - break; - case "SSLv3": - versionNumber = 0x0300; - break; - case "TLSv1": - versionNumber = 0x0301; - break; - case "TLSv1.1": - versionNumber = 0x0302; - break; - case "TLSv1.2": - versionNumber = 0x0303; - break; - default: - // unlikely to happen - } - - return versionNumber; - } - } - } - - private List tests; - private Iterator testIterator; - private SSLSocketFactory factory; - private boolean failed; - - private CipherTest(PeerFactory peerFactory) throws IOException { - THREADS = Integer.parseInt(System.getProperty("numThreads", "4")); - factory = (SSLSocketFactory)SSLSocketFactory.getDefault(); - SSLSocket socket = (SSLSocket)factory.createSocket(); - String[] cipherSuites = socket.getSupportedCipherSuites(); - String[] protocols = socket.getSupportedProtocols(); -// String[] clientAuths = {null, "RSA", "DSA"}; - String[] clientAuths = {null}; - tests = new ArrayList( - cipherSuites.length * protocols.length * clientAuths.length); - for (int i = 0; i < cipherSuites.length; i++) { - String cipherSuite = cipherSuites[i]; - - for (int j = 0; j < protocols.length; j++) { - String protocol = protocols[j]; - - if (!peerFactory.isSupported(cipherSuite, protocol)) { - continue; - } - - for (int k = 0; k < clientAuths.length; k++) { - String clientAuth = clientAuths[k]; - if ((clientAuth != null) && - (cipherSuite.indexOf("DH_anon") != -1)) { - // no client with anonymous ciphersuites - continue; - } - tests.add(new TestParameters(cipherSuite, protocol, - clientAuth)); - } - } - } - testIterator = tests.iterator(); - } - - synchronized void setFailed() { - failed = true; - } - - 
public void run() throws Exception { - Thread[] threads = new Thread[THREADS]; - for (int i = 0; i < THREADS; i++) { - try { - threads[i] = new Thread(peerFactory.newClient(this), - "Client " + i); - } catch (Exception e) { - e.printStackTrace(); - return; - } - threads[i].start(); - } - try { - for (int i = 0; i < THREADS; i++) { - threads[i].join(); - } - } catch (InterruptedException e) { - setFailed(); - e.printStackTrace(); - } - if (failed) { - throw new Exception("*** Test '" + peerFactory.getName() + - "' failed ***"); - } else { - System.out.println("Test '" + peerFactory.getName() + - "' completed successfully"); - } - } - - synchronized TestParameters getTest() { - if (failed) { - return null; - } - if (testIterator.hasNext()) { - return (TestParameters)testIterator.next(); - } - return null; - } - - SSLSocketFactory getFactory() { - return factory; - } - - static abstract class Client implements Runnable { - - final CipherTest cipherTest; - - Client(CipherTest cipherTest) throws Exception { - this.cipherTest = cipherTest; - } - - public final void run() { - while (true) { - TestParameters params = cipherTest.getTest(); - if (params == null) { - // no more tests - break; - } - if (params.isEnabled() == false) { - System.out.println("Skipping disabled test " + params); - continue; - } - try { - runTest(params); - System.out.println("Passed " + params); - } catch (Exception e) { - cipherTest.setFailed(); - System.out.println("** Failed " + params + "**"); - e.printStackTrace(); - } - } - } - - abstract void runTest(TestParameters params) throws Exception; - - void sendRequest(InputStream in, OutputStream out) throws IOException { - out.write("GET / HTTP/1.0\r\n\r\n".getBytes()); - out.flush(); - StringBuilder sb = new StringBuilder(); - while (true) { - int ch = in.read(); - if (ch < 0) { - break; - } - sb.append((char)ch); - } - String response = sb.toString(); - if (response.startsWith("HTTP/1.0 200 ") == false) { - throw new IOException("Invalid 
response: " + response); - } - } - - } - - // for some reason, ${test.src} has a different value when the - // test is called from the script and when it is called directly... - static String pathToStores = "."; - static String pathToStoresSH = "."; - static String keyStoreFile = "keystore"; - static String trustStoreFile = "truststore"; - static char[] passwd = "passphrase".toCharArray(); - - static File PATH; - - private static KeyStore readKeyStore(String name) throws Exception { - File file = new File(PATH, name); - InputStream in = new FileInputStream(file); - KeyStore ks = KeyStore.getInstance("JKS"); - ks.load(in, passwd); - in.close(); - return ks; - } - - public static void main(PeerFactory peerFactory, KeyStore keyStore, - String[] args) throws Exception { - long time = System.currentTimeMillis(); - String relPath; - if ((args != null) && (args.length > 0) && args[0].equals("sh")) { - relPath = pathToStoresSH; - } else { - relPath = pathToStores; - } - PATH = new File(System.getProperty("test.src", "."), relPath); - CipherTest.peerFactory = peerFactory; - System.out.print( - "Initializing test '" + peerFactory.getName() + "'..."); -// secureRandom = new SecureRandom(); -// secureRandom.nextInt(); -// trustStore = readKeyStore(trustStoreFile); - CipherTest.keyStore = keyStore; -// keyStore = readKeyStore(keyStoreFile); - KeyManagerFactory keyFactory = - KeyManagerFactory.getInstance( - KeyManagerFactory.getDefaultAlgorithm()); - keyFactory.init(keyStore, "test12".toCharArray()); - keyManager = (X509ExtendedKeyManager)keyFactory.getKeyManagers()[0]; - - TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - tmf.init(keyStore); - trustManager = (X509TrustManager)tmf.getTrustManagers()[0]; - -// trustManager = new AlwaysTrustManager(); - SSLContext context = SSLContext.getInstance("TLS"); - context.init(new KeyManager[] {keyManager}, - new TrustManager[] {trustManager}, null); - SSLContext.setDefault(context); 
- - CipherTest cipherTest = new CipherTest(peerFactory); - Thread serverThread = new Thread(peerFactory.newServer(cipherTest), - "Server"); - serverThread.setDaemon(true); - serverThread.start(); - System.out.println("Done"); - cipherTest.run(); - time = System.currentTimeMillis() - time; - System.out.println("Done. (" + time + " ms)"); - } - - static abstract class PeerFactory { - - abstract String getName(); - - abstract Client newClient(CipherTest cipherTest) throws Exception; - - abstract Server newServer(CipherTest cipherTest) throws Exception; - - boolean isSupported(String cipherSuite, String protocol) { - // skip kerberos cipher suites - if (cipherSuite.startsWith("TLS_KRB5")) { - System.out.println("Skipping unsupported test for " + - cipherSuite + " of " + protocol); - return false; - } - - // No ECDH-capable certificate in key store. May restructure - // this in the future. - if (cipherSuite.contains("ECDHE_ECDSA") || - cipherSuite.contains("ECDH_ECDSA") || - cipherSuite.contains("ECDH_RSA")) { - System.out.println("Skipping unsupported test for " + - cipherSuite + " of " + protocol); - return false; - } - - // skip SSLv2Hello protocol - // - // skip TLSv1.2 protocol, we have not implement "SunTls12Prf" and - // SunTls12RsaPremasterSecret in SunPKCS11 provider - if (protocol.equals("SSLv2Hello") || protocol.equals("TLSv1.2")) { - System.out.println("Skipping unsupported test for " + - cipherSuite + " of " + protocol); - return false; - } - - // ignore exportable cipher suite for TLSv1.1 - if (protocol.equals("TLSv1.1")) { - if (cipherSuite.indexOf("_EXPORT_WITH") != -1) { - System.out.println("Skipping obsoleted test for " + - cipherSuite + " of " + protocol); - return false; - } - } - - return true; - } - } - -} - -// we currently don't do any chain verification. we assume that works ok -// and we can speed up the test. we could also just add a plain certificate -// chain comparision with our trusted certificates. 
-class AlwaysTrustManager implements X509TrustManager { - - public AlwaysTrustManager() { - - } - - public void checkClientTrusted(X509Certificate[] chain, String authType) - throws CertificateException { - // empty - } - - public void checkServerTrusted(X509Certificate[] chain, String authType) - throws CertificateException { - // empty - } - - public X509Certificate[] getAcceptedIssuers() { - return new X509Certificate[0]; - } -} - -class MyX509KeyManager extends X509ExtendedKeyManager { - - private final X509ExtendedKeyManager keyManager; - private String authType; - - MyX509KeyManager(X509ExtendedKeyManager keyManager) { - this.keyManager = keyManager; - } - - void setAuthType(String authType) { - this.authType = authType; - } - - public String[] getClientAliases(String keyType, Principal[] issuers) { - if (authType == null) { - return null; - } - return keyManager.getClientAliases(authType, issuers); - } - - public String chooseClientAlias(String[] keyType, Principal[] issuers, - Socket socket) { - if (authType == null) { - return null; - } - return keyManager.chooseClientAlias(new String[] {authType}, - issuers, socket); - } - - public String chooseEngineClientAlias(String[] keyType, - Principal[] issuers, SSLEngine engine) { - if (authType == null) { - return null; - } - return keyManager.chooseEngineClientAlias(new String[] {authType}, - issuers, engine); - } - - public String[] getServerAliases(String keyType, Principal[] issuers) { - throw new UnsupportedOperationException("Servers not supported"); - } - - public String chooseServerAlias(String keyType, Principal[] issuers, - Socket socket) { - throw new UnsupportedOperationException("Servers not supported"); - } - - public String chooseEngineServerAlias(String keyType, Principal[] issuers, - SSLEngine engine) { - throw new UnsupportedOperationException("Servers not supported"); - } - - public X509Certificate[] getCertificateChain(String alias) { - return keyManager.getCertificateChain(alias); - } - - 
public PrivateKey getPrivateKey(String alias) { - return keyManager.getPrivateKey(alias); - } - -} - -class DaemonThreadFactory implements ThreadFactory { - - final static ThreadFactory INSTANCE = new DaemonThreadFactory(); - - private final static ThreadFactory DEFAULT = Executors.defaultThreadFactory(); - - public Thread newThread(Runnable r) { - Thread t = DEFAULT.newThread(r); - t.setDaemon(true); - return t; - } - -} diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/ClientJSSEServerJSSE.java --- a/test/jdk/sun/security/pkcs11/fips/ClientJSSEServerJSSE.java Tue Feb 12 15:19:25 2019 -0500 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,92 +0,0 @@
-/*
- * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 6313675 6323647 8028192
- * @summary Verify that all ciphersuites work in FIPS mode
- * @library /test/lib ..
- * @author Andreas Sterbenz
- * @modules java.base/com.sun.net.ssl.internal.ssl
- * @run main/manual ClientJSSEServerJSSE
- */
-
-/*
- * JSSE supported cipher suites are changed with CR 6916074,
- * need to update this test case in JDK 7 soon
- */
-
-import java.security.*;
-
-// This test belongs more in JSSE than here, but the JSSE workspace does not
-// have the NSS test infrastructure. It will live here for the time being.
-
-public class ClientJSSEServerJSSE extends SecmodTest {
-
- public static void main(String[] args) throws Exception {
- if (initSecmod() == false) {
- return;
- }
-
- String arch = System.getProperty("os.arch");
- if (!("sparc".equals(arch) || "sparcv9".equals(arch))) {
- // we have not updated other platforms with the proper NSS
- // libraries yet
- System.out.println(
- "Test currently works only on solaris-sparc " +
- "and solaris-sparcv9. Skipping on " + arch);
- return;
- }
-
- String configName = BASE + SEP + "fips.cfg";
- Provider p = getSunPKCS11(configName);
-
- System.out.println(p);
- Security.addProvider(p);
-
- Security.removeProvider("SunJSSE");
- Provider jsse = new com.sun.net.ssl.internal.ssl.Provider(p);
- Security.addProvider(jsse);
- System.out.println(jsse.getInfo());
-
- KeyStore ks = KeyStore.getInstance("PKCS11", p);
- ks.load(null, "test12".toCharArray());
-
- CipherTest.main(new JSSEFactory(), ks, args);
- }
-
- private static class JSSEFactory extends CipherTest.PeerFactory {
-
- String getName() {
- return "Client JSSE - Server JSSE";
- }
-
- CipherTest.Client newClient(CipherTest cipherTest) throws Exception {
- return new JSSEClient(cipherTest);
- }
-
- CipherTest.Server newServer(CipherTest cipherTest) throws Exception {
- return new JSSEServer(cipherTest);
- }
- }
-}
diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/ImportKeyStore.java
--- a/test/jdk/sun/security/pkcs11/fips/ImportKeyStore.java Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,90 +0,0 @@ -/* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -import java.io.*; -import java.util.*; - -import java.security.*; -import java.security.KeyStore.*; -import java.security.cert.*; - -/** - -This is an approximation of the process used to create the *.db files -in this directory. - -setenv LD_LIBRARY_PATH $WS/test/sun/security/pkcs11/nss/lib/solaris-sparc -modutil -create -dbdir . -modutil -changepw "NSS Internal PKCS #11 Module" -dbdir . - -$JHOME/bin/keytool -list -storetype PKCS11 -addprovider SunPKCS11 -providerarg "--name=NSS\nnssSecmodDirectory=." -v -storepass test12 - -modutil -fips true -dbdir . 
- -*/ - -public class ImportKeyStore { - - public static void main(String[] args) throws Exception { - String nssCfg = "--name=NSS\nnssSecmodDirectory=.\n "; -// "attributes(*,CKO_PRIVATE_KEY,CKK_DSA) = { CKA_NETSCAPE_DB = 0h00 }"; - Provider p = Security.getProvider("SunPKCS11"); - p.configure(nssCfg); - - KeyStore ks = KeyStore.getInstance("PKCS11", p); - ks.load(null, "test12".toCharArray()); - System.out.println("Aliases: " + Collections.list(ks.aliases())); - System.out.println(); - - char[] srcpw = "passphrase".toCharArray(); -// importKeyStore("truststore", srcpw, ks); - importKeyStore("keystore", srcpw, ks); - - System.out.println("OK."); - } - - private static void importKeyStore(String filename, char[] passwd, KeyStore dstks) throws Exception { - System.out.println("Importing JKS KeyStore " + filename); - InputStream in = new FileInputStream(filename); - KeyStore srcks = KeyStore.getInstance("JKS"); - srcks.load(in, passwd); - in.close(); - List aliases = Collections.list(srcks.aliases()); - for (String alias : aliases) { - System.out.println("Alias: " + alias); - if (srcks.isCertificateEntry(alias)) { - X509Certificate cert = (X509Certificate)srcks.getCertificate(alias); - System.out.println(" Certificate: " + cert.getSubjectX500Principal()); - dstks.setCertificateEntry(alias + "-cert", cert); - } else if (srcks.isKeyEntry(alias)) { - PrivateKeyEntry entry = (PrivateKeyEntry)srcks.getEntry(alias, new PasswordProtection(passwd)); - System.out.println(" Key: " + entry.getPrivateKey().toString().split("\n")[0]); - dstks.setEntry(alias, entry, null); - } else { - System.out.println(" Unknown entry: " + alias); - } - } - System.out.println(); - } - -} diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/JSSEClient.java --- a/test/jdk/sun/security/pkcs11/fips/JSSEClient.java Tue Feb 12 15:19:25 2019 -0500 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,93 +0,0 @@
-/*
- * Copyright (c) 2002, 2005, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */ - -import java.io.*; -import java.net.*; -import java.util.*; - -import java.security.*; -import java.security.cert.*; -import java.security.cert.Certificate; - -import javax.net.ssl.*; - -class JSSEClient extends CipherTest.Client { - - private final SSLContext sslContext; - private final MyX509KeyManager keyManager; - - JSSEClient(CipherTest cipherTest) throws Exception { - super(cipherTest); - this.keyManager = new MyX509KeyManager(CipherTest.keyManager); - sslContext = SSLContext.getInstance("TLS"); - } - - void runTest(CipherTest.TestParameters params) throws Exception { - SSLSocket socket = null; - try { - keyManager.setAuthType(params.clientAuth); - sslContext.init(new KeyManager[] {CipherTest.keyManager}, new TrustManager[] {cipherTest.trustManager}, cipherTest.secureRandom); - SSLSocketFactory factory = (SSLSocketFactory)sslContext.getSocketFactory(); - socket = (SSLSocket)factory.createSocket("127.0.0.1", cipherTest.serverPort); - socket.setSoTimeout(cipherTest.TIMEOUT); - socket.setEnabledCipherSuites(new String[] {params.cipherSuite}); - socket.setEnabledProtocols(new String[] {params.protocol}); - InputStream in = socket.getInputStream(); - OutputStream out = socket.getOutputStream(); - sendRequest(in, out); - socket.close(); - SSLSession session = socket.getSession(); - session.invalidate(); - String cipherSuite = session.getCipherSuite(); - if (params.cipherSuite.equals(cipherSuite) == false) { - throw new Exception("Negotiated ciphersuite mismatch: " + cipherSuite + " != " + params.cipherSuite); - } - String protocol = session.getProtocol(); - if (params.protocol.equals(protocol) == false) { - throw new Exception("Negotiated protocol mismatch: " + protocol + " != " + params.protocol); - } - if (cipherSuite.indexOf("DH_anon") == -1) { - session.getPeerCertificates(); - } - Certificate[] certificates = session.getLocalCertificates(); - if (params.clientAuth == null) { - if (certificates != null) { - throw new Exception("Local certificates should 
be null"); - } - } else { - if ((certificates == null) || (certificates.length == 0)) { - throw new Exception("Certificates missing"); - } - String keyAlg = certificates[0].getPublicKey().getAlgorithm(); - if (params.clientAuth != keyAlg) { - throw new Exception("Certificate type mismatch: " + keyAlg + " != " + params.clientAuth); - } - } - } finally { - if (socket != null) { - socket.close(); - } - } - } - -} diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/JSSEServer.java --- a/test/jdk/sun/security/pkcs11/fips/JSSEServer.java Tue Feb 12 15:19:25 2019 -0500 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,93 +0,0 @@
-/*
- * Copyright (c) 2002, 2005, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */ - -import java.io.*; -import java.net.*; -import java.util.*; -import java.util.concurrent.*; - -import java.security.*; -import java.security.cert.*; -import java.security.cert.Certificate; - -import javax.net.ssl.*; - -class JSSEServer extends CipherTest.Server { - - SSLServerSocket serverSocket; - - JSSEServer(CipherTest cipherTest) throws Exception { - super(cipherTest); - SSLContext serverContext = SSLContext.getInstance("TLS"); - serverContext.init(new KeyManager[] {cipherTest.keyManager}, new TrustManager[] {cipherTest.trustManager}, cipherTest.secureRandom); - - SSLServerSocketFactory factory = (SSLServerSocketFactory)serverContext.getServerSocketFactory(); - serverSocket = (SSLServerSocket)factory.createServerSocket(cipherTest.serverPort); - cipherTest.serverPort = serverSocket.getLocalPort(); - serverSocket.setEnabledCipherSuites(factory.getSupportedCipherSuites()); -// serverSocket.setWantClientAuth(true); - } - - public void run() { - System.out.println("JSSE Server listening on port " + cipherTest.serverPort); - Executor exec = Executors.newFixedThreadPool - (cipherTest.THREADS, DaemonThreadFactory.INSTANCE); - try { - while (true) { - final SSLSocket socket = (SSLSocket)serverSocket.accept(); - socket.setSoTimeout(cipherTest.TIMEOUT); - Runnable r = new Runnable() { - public void run() { - try { - InputStream in = socket.getInputStream(); - OutputStream out = socket.getOutputStream(); - handleRequest(in, out); - out.flush(); - socket.close(); - socket.getSession().invalidate(); - } catch (IOException e) { - cipherTest.setFailed(); - e.printStackTrace(); - } finally { - if (socket != null) { - try { - socket.close(); - } catch (IOException e) { - cipherTest.setFailed(); - System.out.println("Exception closing socket on server side:"); - e.printStackTrace(); - } - } - } - } - }; - exec.execute(r); - } - } catch (IOException e) { - cipherTest.setFailed(); - e.printStackTrace(); - // - } - } - -} diff -r b5d45c2fe8a0 -r cb1642ccc732 
test/jdk/sun/security/pkcs11/fips/TestTLS12.java --- a/test/jdk/sun/security/pkcs11/fips/TestTLS12.java Tue Feb 12 15:19:25 2019 -0500 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,453 +0,0 @@
-/*
- * Copyright (c) 2018, Red Hat, Inc.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 8029661
- * @summary Test TLS 1.2
- * @modules java.base/sun.security.internal.spec
- * java.base/sun.security.util
- * java.base/com.sun.net.ssl.internal.ssl
- * java.base/com.sun.crypto.provider
- * @library /test/lib ..
- * @run main/othervm/timeout=120 TestTLS12 - */ - -import java.io.File; -import java.io.FileInputStream; -import java.io.InputStream; -import java.nio.ByteBuffer; - -import java.security.interfaces.RSAPrivateKey; -import java.security.interfaces.RSAPublicKey; -import java.security.KeyStore; -import java.security.NoSuchAlgorithmException; -import java.security.Provider; -import java.security.SecureRandom; -import java.security.Security; - -import java.util.Arrays; - -import javax.crypto.Cipher; -import javax.crypto.KeyGenerator; -import javax.crypto.SecretKey; -import javax.crypto.spec.SecretKeySpec; - -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLEngineResult; -import javax.net.ssl.SSLEngineResult.HandshakeStatus; -import javax.net.ssl.SSLParameters; -import javax.net.ssl.SSLSession; -import javax.net.ssl.TrustManagerFactory; - -import sun.security.internal.spec.TlsMasterSecretParameterSpec; -import sun.security.internal.spec.TlsPrfParameterSpec; -import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec; - -public final class TestTLS12 extends SecmodTest { - - private static final boolean enableDebug = true; - - private static Provider sunPKCS11NSSProvider; - private static Provider sunJCEProvider; - private static com.sun.net.ssl.internal.ssl.Provider jsseProvider; - private static KeyStore ks; - private static KeyStore ts; - private static char[] passphrase = "JAHshj131@@".toCharArray(); - private static RSAPrivateKey privateKey; - private static RSAPublicKey publicKey; - - public static void main(String[] args) throws Exception { - try { - initialize(); - } catch (Exception e) { - System.out.println("Test skipped: failure during" + - " initialization"); - return; - } - - if (shouldRun()) { - // Test against JCE - testTlsAuthenticationCodeGeneration(); - - // Self-integrity test (complete TLS 1.2 communication) - new testTLS12SunPKCS11Communication().run(); - - 
System.out.println("Test PASS - OK"); - } else { - System.out.println("Test skipped: TLS 1.2 mechanisms" + - " not supported by current SunPKCS11 back-end"); - } - } - - private static boolean shouldRun() { - if (sunPKCS11NSSProvider == null) { - return false; - } - try { - KeyGenerator.getInstance("SunTls12MasterSecret", - sunPKCS11NSSProvider); - KeyGenerator.getInstance( - "SunTls12RsaPremasterSecret", sunPKCS11NSSProvider); - KeyGenerator.getInstance("SunTls12Prf", sunPKCS11NSSProvider); - } catch (NoSuchAlgorithmException e) { - return false; - } - return true; - } - - private static void testTlsAuthenticationCodeGeneration() - throws Exception { - // Generate RSA Pre-Master Secret in SunPKCS11 provider - SecretKey rsaPreMasterSecret = null; - @SuppressWarnings("deprecation") - TlsRsaPremasterSecretParameterSpec rsaPreMasterSecretSpec = - new TlsRsaPremasterSecretParameterSpec(0x0303, 0x0303); - { - KeyGenerator rsaPreMasterSecretKG = KeyGenerator.getInstance( - "SunTls12RsaPremasterSecret", sunPKCS11NSSProvider); - rsaPreMasterSecretKG.init(rsaPreMasterSecretSpec, null); - rsaPreMasterSecret = rsaPreMasterSecretKG.generateKey(); - } - - // Get RSA Pre-Master Secret in plain (from SunPKCS11 provider) - byte[] rsaPlainPreMasterSecret = null; - { - Cipher rsaPreMasterSecretWrapperCipher = - Cipher.getInstance("RSA/ECB/PKCS1Padding", - sunPKCS11NSSProvider); - rsaPreMasterSecretWrapperCipher.init(Cipher.WRAP_MODE, publicKey, - new SecureRandom()); - byte[] rsaEncryptedPreMasterSecret = - rsaPreMasterSecretWrapperCipher.wrap(rsaPreMasterSecret); - Cipher rsaPreMasterSecretUnwrapperCipher = - Cipher.getInstance("RSA/ECB/PKCS1Padding", sunJCEProvider); - rsaPreMasterSecretUnwrapperCipher.init(Cipher.UNWRAP_MODE, - privateKey, rsaPreMasterSecretSpec); - rsaPlainPreMasterSecret = rsaPreMasterSecretUnwrapperCipher.unwrap( - rsaEncryptedPreMasterSecret, "TlsRsaPremasterSecret", - Cipher.SECRET_KEY).getEncoded(); - - if (enableDebug) { - 
System.out.println("rsaPlainPreMasterSecret:"); - for (byte b : rsaPlainPreMasterSecret) { - System.out.printf("%02X, ", b); - } - System.out.println(""); - } - } - - // Generate Master Secret - SecretKey sunPKCS11MasterSecret = null; - SecretKey jceMasterSecret = null; - { - KeyGenerator sunPKCS11MasterSecretGenerator = - KeyGenerator.getInstance("SunTls12MasterSecret", - sunPKCS11NSSProvider); - KeyGenerator jceMasterSecretGenerator = KeyGenerator.getInstance( - "SunTls12MasterSecret", sunJCEProvider); - @SuppressWarnings("deprecation") - TlsMasterSecretParameterSpec sunPKCS11MasterSecretSpec = - new TlsMasterSecretParameterSpec(rsaPreMasterSecret, 3, 3, - new byte[32], new byte[32], "SHA-256", 32, 64); - @SuppressWarnings("deprecation") - TlsMasterSecretParameterSpec jceMasterSecretSpec = - new TlsMasterSecretParameterSpec( - new SecretKeySpec(rsaPlainPreMasterSecret, - "Generic"), 3, 3, new byte[32], - new byte[32], "SHA-256", 32, 64); - sunPKCS11MasterSecretGenerator.init(sunPKCS11MasterSecretSpec, - null); - jceMasterSecretGenerator.init(jceMasterSecretSpec, null); - sunPKCS11MasterSecret = - sunPKCS11MasterSecretGenerator.generateKey(); - jceMasterSecret = jceMasterSecretGenerator.generateKey(); - if (enableDebug) { - System.out.println("Master Secret (SunJCE):"); - if (jceMasterSecret != null) { - for (byte b : jceMasterSecret.getEncoded()) { - System.out.printf("%02X, ", b); - } - System.out.println(""); - } - } - } - - // Generate authentication codes - byte[] sunPKCS11AuthenticationCode = null; - byte[] jceAuthenticationCode = null; - { - // Generate SunPKCS11 authentication code - { - @SuppressWarnings("deprecation") - TlsPrfParameterSpec sunPKCS11AuthenticationCodeSpec = - new TlsPrfParameterSpec(sunPKCS11MasterSecret, - "client finished", "a".getBytes(), 12, - "SHA-256", 32, 64); - KeyGenerator sunPKCS11AuthCodeGenerator = - KeyGenerator.getInstance("SunTls12Prf", - sunPKCS11NSSProvider); - sunPKCS11AuthCodeGenerator.init( - 
sunPKCS11AuthenticationCodeSpec); - sunPKCS11AuthenticationCode = - sunPKCS11AuthCodeGenerator.generateKey().getEncoded(); - } - - // Generate SunJCE authentication code - { - @SuppressWarnings("deprecation") - TlsPrfParameterSpec jceAuthenticationCodeSpec = - new TlsPrfParameterSpec(jceMasterSecret, - "client finished", "a".getBytes(), 12, - "SHA-256", 32, 64); - KeyGenerator jceAuthCodeGenerator = - KeyGenerator.getInstance("SunTls12Prf", - sunJCEProvider); - jceAuthCodeGenerator.init(jceAuthenticationCodeSpec); - jceAuthenticationCode = - jceAuthCodeGenerator.generateKey().getEncoded(); - } - - if (enableDebug) { - System.out.println("SunPKCS11 Authentication Code: "); - for (byte b : sunPKCS11AuthenticationCode) { - System.out.printf("%02X, ", b); - } - System.out.println(""); - System.out.println("SunJCE Authentication Code: "); - for (byte b : jceAuthenticationCode) { - System.out.printf("%02X, ", b); - } - System.out.println(""); - } - } - - if (sunPKCS11AuthenticationCode == null || - jceAuthenticationCode == null || - sunPKCS11AuthenticationCode.length == 0 || - jceAuthenticationCode.length == 0 || - !Arrays.equals(sunPKCS11AuthenticationCode, - jceAuthenticationCode)) { - throw new Exception("Authentication codes from JCE" + - " and SunPKCS11 differ."); - } - } - - private static class testTLS12SunPKCS11Communication { - public static void run() throws Exception { - SSLEngine[][] enginesToTest = getSSLEnginesToTest(); - - for (SSLEngine[] engineToTest : enginesToTest) { - - SSLEngine clientSSLEngine = engineToTest[0]; - SSLEngine serverSSLEngine = engineToTest[1]; - - // SSLEngine code based on RedhandshakeFinished.java - - boolean dataDone = false; - - ByteBuffer clientOut = null; - ByteBuffer clientIn = null; - ByteBuffer serverOut = null; - ByteBuffer serverIn = null; - ByteBuffer cTOs; - ByteBuffer sTOc; - - SSLSession session = clientSSLEngine.getSession(); - int appBufferMax = session.getApplicationBufferSize(); - int netBufferMax = 
session.getPacketBufferSize(); - - clientIn = ByteBuffer.allocate(appBufferMax + 50); - serverIn = ByteBuffer.allocate(appBufferMax + 50); - - cTOs = ByteBuffer.allocateDirect(netBufferMax); - sTOc = ByteBuffer.allocateDirect(netBufferMax); - - clientOut = ByteBuffer.wrap( - "Hi Server, I'm Client".getBytes()); - serverOut = ByteBuffer.wrap( - "Hello Client, I'm Server".getBytes()); - - SSLEngineResult clientResult; - SSLEngineResult serverResult; - - while (!dataDone) { - clientResult = clientSSLEngine.wrap(clientOut, cTOs); - runDelegatedTasks(clientResult, clientSSLEngine); - serverResult = serverSSLEngine.wrap(serverOut, sTOc); - runDelegatedTasks(serverResult, serverSSLEngine); - cTOs.flip(); - sTOc.flip(); - - if (enableDebug) { - System.out.println("Client -> Network"); - printTlsNetworkPacket("", cTOs); - System.out.println(""); - System.out.println("Server -> Network"); - printTlsNetworkPacket("", sTOc); - System.out.println(""); - } - - clientResult = clientSSLEngine.unwrap(sTOc, clientIn); - runDelegatedTasks(clientResult, clientSSLEngine); - serverResult = serverSSLEngine.unwrap(cTOs, serverIn); - runDelegatedTasks(serverResult, serverSSLEngine); - - cTOs.compact(); - sTOc.compact(); - - if (!dataDone && - (clientOut.limit() == serverIn.position()) && - (serverOut.limit() == clientIn.position())) { - checkTransfer(serverOut, clientIn); - checkTransfer(clientOut, serverIn); - dataDone = true; - } - } - } - } - - static void printTlsNetworkPacket(String prefix, ByteBuffer bb) { - ByteBuffer slice = bb.slice(); - byte[] buffer = new byte[slice.remaining()]; - slice.get(buffer); - for (int i = 0; i < buffer.length; i++) { - System.out.printf("%02X, ", (byte)(buffer[i] & (byte)0xFF)); - if (i % 8 == 0 && i % 16 != 0) { - System.out.print(" "); - } - if (i % 16 == 0) { - System.out.println(""); - } - } - System.out.flush(); - } - - private static void checkTransfer(ByteBuffer a, ByteBuffer b) - throws Exception { - a.flip(); - b.flip(); - if (!a.equals(b)) { 
- throw new Exception("Data didn't transfer cleanly"); - } - a.position(a.limit()); - b.position(b.limit()); - a.limit(a.capacity()); - b.limit(b.capacity()); - } - - private static void runDelegatedTasks(SSLEngineResult result, - SSLEngine engine) throws Exception { - - if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) { - Runnable runnable; - while ((runnable = engine.getDelegatedTask()) != null) { - runnable.run(); - } - HandshakeStatus hsStatus = engine.getHandshakeStatus(); - if (hsStatus == HandshakeStatus.NEED_TASK) { - throw new Exception( - "handshake shouldn't need additional tasks"); - } - } - } - - private static SSLEngine[][] getSSLEnginesToTest() throws Exception { - SSLEngine[][] enginesToTest = new SSLEngine[2][2]; - String[][] preferredSuites = new String[][]{ new String[] { - "TLS_RSA_WITH_AES_128_CBC_SHA256" - }, new String[] { - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" - }}; - for (int i = 0; i < enginesToTest.length; i++) { - enginesToTest[i][0] = createSSLEngine(true); - enginesToTest[i][1] = createSSLEngine(false); - enginesToTest[i][0].setEnabledCipherSuites(preferredSuites[i]); - enginesToTest[i][1].setEnabledCipherSuites(preferredSuites[i]); - } - return enginesToTest; - } - - static private SSLEngine createSSLEngine(boolean client) - throws Exception { - SSLEngine ssle; - KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX", - jsseProvider); - kmf.init(ks, passphrase); - - TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", - jsseProvider); - tmf.init(ts); - - SSLContext sslCtx = SSLContext.getInstance("TLSv1.2", - jsseProvider); - sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); - ssle = sslCtx.createSSLEngine("localhost", 443); - ssle.setUseClientMode(client); - SSLParameters sslParameters = ssle.getSSLParameters(); - ssle.setSSLParameters(sslParameters); - - return ssle; - } - } - - private static void initialize() throws Exception { - if (initSecmod() == false) { - return; - } - String 
configName = BASE + SEP + "fips.cfg"; - sunPKCS11NSSProvider = getSunPKCS11(configName); - System.out.println("SunPKCS11 provider: " + sunPKCS11NSSProvider); - Security.addProvider(sunPKCS11NSSProvider); - - sunJCEProvider = new com.sun.crypto.provider.SunJCE(); - Security.addProvider(sunJCEProvider); - - Security.removeProvider("SunJSSE"); - jsseProvider =new com.sun.net.ssl.internal.ssl.Provider( - sunPKCS11NSSProvider); - Security.addProvider(jsseProvider); - System.out.println(jsseProvider.getInfo()); - - ks = KeyStore.getInstance("PKCS11", sunPKCS11NSSProvider); - ks.load(null, "test12".toCharArray()); - ts = ks; - - KeyStore ksPlain = readTestKeyStore(); - privateKey = (RSAPrivateKey)ksPlain.getKey("rh_rsa_sha256", - passphrase); - publicKey = (RSAPublicKey)ksPlain.getCertificate( - "rh_rsa_sha256").getPublicKey(); - } - - private static KeyStore readTestKeyStore() throws Exception { - File file = new File(System.getProperty("test.src", "."), "keystore"); - InputStream in = new FileInputStream(file); - KeyStore ks = KeyStore.getInstance("JKS"); - ks.load(in, "passphrase".toCharArray()); - in.close(); - return ks; - } -} \ No newline at end of file diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/TrustManagerTest.java --- a/test/jdk/sun/security/pkcs11/fips/TrustManagerTest.java Tue Feb 12 15:19:25 2019 -0500 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,111 +0,0 @@
-/*
- * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 6323647
- * @summary Verify that the SunJSSE trustmanager works correctly in FIPS mode
- * @author Andreas Sterbenz
- * @library /test/lib ..
- * @modules java.base/com.sun.net.ssl.internal.ssl
- * @run main/othervm TrustManagerTest
- * @run main/othervm TrustManagerTest sm TrustManagerTest.policy
- */
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.InputStream;
-import java.security.KeyStore;
-import java.security.Policy;
-import java.security.Provider;
-import java.security.Security;
-import java.security.URIParameter;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
-
-// This test belongs more in JSSE than here, but the JSSE workspace does not
-// have the NSS test infrastructure.
It will live here for the time being. - -public class TrustManagerTest extends SecmodTest { - - public static void main(String[] args) throws Exception { - if (initSecmod() == false) { - return; - } - - if ("sparc".equals(System.getProperty("os.arch")) == false) { - // we have not updated other platforms with the proper NSS libraries yet - System.out.println("Test currently works only on solaris-sparc, skipping"); - return; - } - - String configName = BASE + SEP + "fips.cfg"; - Provider p = getSunPKCS11(configName); - - System.out.println(p); - Security.addProvider(p); - - Security.removeProvider("SunJSSE"); - Provider jsse = new com.sun.net.ssl.internal.ssl.Provider(p); - Security.addProvider(jsse); - System.out.println(jsse.getInfo()); - - KeyStore ks = KeyStore.getInstance("PKCS11", p); - ks.load(null, "test12".toCharArray()); - - X509Certificate server = loadCertificate("certs/server.cer"); - X509Certificate ca = loadCertificate("certs/ca.cer"); - X509Certificate anchor = loadCertificate("certs/anchor.cer"); - - if (args.length > 1 && "sm".equals(args[0])) { - Policy.setPolicy(Policy.getInstance("JavaPolicy", - new URIParameter(new File(BASE, args[1]).toURI()))); - System.setSecurityManager(new SecurityManager()); - } - - KeyStore trustStore = KeyStore.getInstance("JKS"); - trustStore.load(null, null); - trustStore.setCertificateEntry("anchor", anchor); - - TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); - tmf.init(trustStore); - - X509TrustManager tm = (X509TrustManager)tmf.getTrustManagers()[0]; - - X509Certificate[] chain = {server, ca, anchor}; - - tm.checkServerTrusted(chain, "RSA"); - - System.out.println("OK"); - } - - private static X509Certificate loadCertificate(String name) throws Exception { - try (InputStream in = new FileInputStream(BASE + SEP + name)) { - return (X509Certificate) CertificateFactory.getInstance("X.509") - .generateCertificate(in); - } - } - -} diff -r b5d45c2fe8a0 -r cb1642ccc732 
test/jdk/sun/security/pkcs11/fips/TrustManagerTest.policy
--- a/test/jdk/sun/security/pkcs11/fips/TrustManagerTest.policy Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,3 +0,0 @@
-grant {
-
-};
\ No newline at end of file
diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/cert8.db
Binary file test/jdk/sun/security/pkcs11/fips/cert8.db has changed
diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/certs/anchor.cer
Binary file test/jdk/sun/security/pkcs11/fips/certs/anchor.cer has changed
diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/certs/ca.cer
Binary file test/jdk/sun/security/pkcs11/fips/certs/ca.cer has changed
diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/certs/server.cer
Binary file test/jdk/sun/security/pkcs11/fips/certs/server.cer has changed
diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/fips.cfg
--- a/test/jdk/sun/security/pkcs11/fips/fips.cfg Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-
-name = NSSKeyStore
-
-nssSecmodDirectory = ${pkcs11test.nss.db}
-
-nssLibraryDirectory = ${pkcs11test.nss.libdir}
-
-nssModule = fips
-
-# NSS needs CKA_NETSCAPE_DB for DSA and DH private keys
-# just put an arbitrary value in there to make it happy
-
-attributes(*,CKO_PRIVATE_KEY,CKK_DSA) = {
- CKA_NETSCAPE_DB = 0h00
-}
-
-attributes(*,CKO_PRIVATE_KEY,CKK_DH) = {
- CKA_NETSCAPE_DB = 0h00
-}
diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/key3.db
Binary file test/jdk/sun/security/pkcs11/fips/key3.db has changed
diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/keystore
Binary file test/jdk/sun/security/pkcs11/fips/keystore has changed
diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/secmod.db
Binary file test/jdk/sun/security/pkcs11/fips/secmod.db has changed
diff -r b5d45c2fe8a0 -r cb1642ccc732 test/jdk/sun/security/pkcs11/fips/truststore
Binary file test/jdk/sun/security/pkcs11/fips/truststore has changed