--- a/src/java.base/share/classes/com/sun/net/ssl/internal/ssl/Provider.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/com/sun/net/ssl/internal/ssl/Provider.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -42,21 +42,6 @@
super();
}
- // preferred constructor to enable FIPS mode at runtime
- public Provider(java.security.Provider cryptoProvider) {
- super(cryptoProvider);
- }
-
- // constructor to enable FIPS mode from java.security file
- public Provider(String cryptoProvider) {
- super(cryptoProvider);
- }
-
- // public for now, but we may want to change it or not document it.
- public static synchronized boolean isFIPS() {
- return SunJSSE.isFIPS();
- }
-
/**
* Installs the JSSE provider.
*/
--- a/src/java.base/share/classes/sun/security/ssl/Authenticator.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/Authenticator.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -484,7 +484,7 @@
throw new RuntimeException("Unknown MacAlg " + macAlg);
}
- Mac m = JsseJce.getMac(algorithm);
+ Mac m = Mac.getInstance(algorithm);
m.init(key);
this.macAlg = macAlg;
this.mac = m;
--- a/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -196,13 +196,13 @@
Signature signer = null;
switch (algorithm) {
case "RSA":
- signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
+ signer = Signature.getInstance(JsseJce.SIGNATURE_RAWRSA);
break;
case "DSA":
- signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
+ signer = Signature.getInstance(JsseJce.SIGNATURE_RAWDSA);
break;
case "EC":
- signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
+ signer = Signature.getInstance(JsseJce.SIGNATURE_RAWECDSA);
break;
default:
throw new SignatureException("Unrecognized algorithm: "
@@ -439,13 +439,13 @@
Signature signer = null;
switch (algorithm) {
case "RSA":
- signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
+ signer = Signature.getInstance(JsseJce.SIGNATURE_RAWRSA);
break;
case "DSA":
- signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
+ signer = Signature.getInstance(JsseJce.SIGNATURE_RAWDSA);
break;
case "EC":
- signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
+ signer = Signature.getInstance(JsseJce.SIGNATURE_RAWECDSA);
break;
default:
throw new SignatureException("Unrecognized algorithm: "
--- a/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -280,7 +280,7 @@
DHPublicKeySpec spec = new DHPublicKeySpec(
new BigInteger(1, ckem.y),
params.getP(), params.getG());
- KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
+ KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
DHPublicKey peerPublicKey =
(DHPublicKey)kf.generatePublic(spec);
--- a/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java Tue Feb 12 13:36:15 2019 -0800
@@ -87,7 +87,7 @@
return null;
}
- KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
+ KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
DHPublicKeySpec spec = new DHPublicKeySpec(
new BigInteger(1, encodedPublic),
params.getP(), params.getG());
@@ -106,7 +106,7 @@
DHEPossession(NamedGroup namedGroup, SecureRandom random) {
try {
KeyPairGenerator kpg =
- JsseJce.getKeyPairGenerator("DiffieHellman");
+ KeyPairGenerator.getInstance("DiffieHellman");
DHParameterSpec params =
(DHParameterSpec)namedGroup.getParameterSpec();
kpg.initialize(params, random);
@@ -129,7 +129,7 @@
PredefinedDHParameterSpecs.definedParams.get(keyLength);
try {
KeyPairGenerator kpg =
- JsseJce.getKeyPairGenerator("DiffieHellman");
+ KeyPairGenerator.getInstance("DiffieHellman");
if (params != null) {
kpg.initialize(params, random);
} else {
@@ -155,7 +155,7 @@
DHEPossession(DHECredentials credentials, SecureRandom random) {
try {
KeyPairGenerator kpg =
- JsseJce.getKeyPairGenerator("DiffieHellman");
+ KeyPairGenerator.getInstance("DiffieHellman");
kpg.initialize(credentials.popPublicKey.getParams(), random);
KeyPair kp = generateDHKeyPair(kpg);
if (kp == null) {
@@ -208,7 +208,7 @@
params.getP(), params.getG());
}
try {
- KeyFactory factory = JsseJce.getKeyFactory("DiffieHellman");
+ KeyFactory factory = KeyFactory.getInstance("DiffieHellman");
return factory.getKeySpec(key, DHPublicKeySpec.class);
} catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
// unlikely
@@ -473,7 +473,7 @@
private SecretKey t12DeriveKey(String algorithm,
AlgorithmParameterSpec params) throws IOException {
try {
- KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman");
+ KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman");
ka.init(localPrivateKey);
ka.doPhase(peerPublicKey, true);
SecretKey preMasterSecret =
@@ -499,7 +499,7 @@
private SecretKey t13DeriveKey(String algorithm,
AlgorithmParameterSpec params) throws IOException {
try {
- KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman");
+ KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman");
ka.init(localPrivateKey);
ka.doPhase(peerPublicKey, true);
SecretKey sharedSecret =
--- a/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -420,7 +420,7 @@
Signature signer = null;
switch (keyAlgorithm) {
case "DSA":
- signer = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
+ signer = Signature.getInstance(JsseJce.SIGNATURE_DSA);
break;
case "RSA":
signer = RSASignature.getInstance();
@@ -524,7 +524,7 @@
// check constraints of EC PublicKey
DHPublicKey publicKey;
try {
- KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
+ KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
DHPublicKeySpec spec = new DHPublicKeySpec(
new BigInteger(1, skem.y),
new BigInteger(1, skem.p),
--- a/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -49,6 +49,7 @@
import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
import sun.security.ssl.X509Authentication.X509Credentials;
import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.ECUtil;
import sun.security.util.HexDumpEncoder;
/**
@@ -78,7 +79,7 @@
ECPoint point = publicKey.getW();
ECParameterSpec params = publicKey.getParams();
- encodedPoint = JsseJce.encodePoint(point, params.getCurve());
+ encodedPoint = ECUtil.encodePoint(point, params.getCurve());
}
ECDHClientKeyExchangeMessage(HandshakeContext handshakeContext,
@@ -99,10 +100,10 @@
try {
ECParameterSpec params = publicKey.getParams();
ECPoint point =
- JsseJce.decodePoint(encodedPoint, params.getCurve());
+ ECUtil.decodePoint(encodedPoint, params.getCurve());
ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
- KeyFactory kf = JsseJce.getKeyFactory("EC");
+ KeyFactory kf = KeyFactory.getInstance("EC");
ECPublicKey peerPublicKey =
(ECPublicKey)kf.generatePublic(spec);
@@ -319,10 +320,10 @@
// create the credentials
try {
ECPoint point =
- JsseJce.decodePoint(cke.encodedPoint, params.getCurve());
+ ECUtil.decodePoint(cke.encodedPoint, params.getCurve());
ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
- KeyFactory kf = JsseJce.getKeyFactory("EC");
+ KeyFactory kf = KeyFactory.getInstance("EC");
ECPublicKey peerPublicKey =
(ECPublicKey)kf.generatePublic(spec);
@@ -493,10 +494,10 @@
// create the credentials
try {
ECPoint point =
- JsseJce.decodePoint(cke.encodedPoint, params.getCurve());
+ ECUtil.decodePoint(cke.encodedPoint, params.getCurve());
ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
- KeyFactory kf = JsseJce.getKeyFactory("EC");
+ KeyFactory kf = KeyFactory.getInstance("EC");
ECPublicKey peerPublicKey =
(ECPublicKey)kf.generatePublic(spec);
--- a/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -85,14 +85,14 @@
}
ECParameterSpec parameters =
- JsseJce.getECParameterSpec(namedGroup.oid);
+ ECUtil.getECParameterSpec(null, namedGroup.oid);
if (parameters == null) {
return null;
}
- ECPoint point = JsseJce.decodePoint(
+ ECPoint point = ECUtil.decodePoint(
encodedPoint, parameters.getCurve());
- KeyFactory factory = JsseJce.getKeyFactory("EC");
+ KeyFactory factory = KeyFactory.getInstance("EC");
ECPublicKey publicKey = (ECPublicKey)factory.generatePublic(
new ECPublicKeySpec(point, parameters));
return new ECDHECredentials(publicKey, namedGroup);
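Review bot: The literal `null` passed as the first argument of `ECUtil.getECParameterSpec(null, namedGroup.oid)` is opaque at the call site and deserves a one-line comment. The removed `JsseJce.getECParameterSpec` wrapper passed `cryptoProvider` in that position, and that field was null outside FIPS mode, so the new call appears to keep the non-FIPS behaviour. A comment such as `// null: no pinned crypto provider; parameters come from the default provider lookup` would record that. The same call appears in the ECDHServerKeyExchange.java hunk at -221. No import of `sun.security.util.ECUtil` is added for this file in the visible hunks, unlike its two sibling files, so it is presumably already imported, which is worth confirming. The enclosing method starts outside the hunk.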
@@ -106,7 +106,7 @@
ECDHEPossession(NamedGroup namedGroup, SecureRandom random) {
try {
- KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC");
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec params =
(ECGenParameterSpec)namedGroup.getParameterSpec();
kpg.initialize(params, random);
@@ -124,7 +124,7 @@
ECDHEPossession(ECDHECredentials credentials, SecureRandom random) {
ECParameterSpec params = credentials.popPublicKey.getParams();
try {
- KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC");
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
kpg.initialize(params, random);
KeyPair kp = kpg.generateKeyPair();
privateKey = kp.getPrivate();
@@ -149,7 +149,7 @@
PublicKey peerPublicKey) throws SSLHandshakeException {
try {
- KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
+ KeyAgreement ka = KeyAgreement.getInstance("ECDH");
ka.init(privateKey);
ka.doPhase(peerPublicKey, true);
return ka.generateSecret("TlsPremasterSecret");
@@ -165,8 +165,8 @@
try {
ECParameterSpec params = publicKey.getParams();
ECPoint point =
- JsseJce.decodePoint(encodedPoint, params.getCurve());
- KeyFactory kf = JsseJce.getKeyFactory("EC");
+ ECUtil.decodePoint(encodedPoint, params.getCurve());
+ KeyFactory kf = KeyFactory.getInstance("EC");
ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
PublicKey peerPublicKey = kf.generatePublic(spec);
return getAgreedSecret(peerPublicKey);
@@ -183,10 +183,10 @@
ECParameterSpec params = publicKey.getParams();
ECPoint point =
- JsseJce.decodePoint(encodedPoint, params.getCurve());
+ ECUtil.decodePoint(encodedPoint, params.getCurve());
ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
- KeyFactory kf = JsseJce.getKeyFactory("EC");
+ KeyFactory kf = KeyFactory.getInstance("EC");
ECPublicKey pubKey = (ECPublicKey)kf.generatePublic(spec);
// check constraints of ECPublicKey
@@ -424,7 +424,7 @@
private SecretKey t12DeriveKey(String algorithm,
AlgorithmParameterSpec params) throws IOException {
try {
- KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
+ KeyAgreement ka = KeyAgreement.getInstance("ECDH");
ka.init(localPrivateKey);
ka.doPhase(peerPublicKey, true);
SecretKey preMasterSecret =
@@ -451,7 +451,7 @@
private SecretKey t13DeriveKey(String algorithm,
AlgorithmParameterSpec params) throws IOException {
try {
- KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
+ KeyAgreement ka = KeyAgreement.getInstance("ECDH");
ka.init(localPrivateKey);
ka.doPhase(peerPublicKey, true);
SecretKey sharedSecret =
--- a/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -52,6 +52,7 @@
import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
import sun.security.ssl.X509Authentication.X509Credentials;
import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.ECUtil;
import sun.security.util.HexDumpEncoder;
/**
@@ -120,7 +121,7 @@
publicKey = ecdhePossession.publicKey;
ECParameterSpec params = publicKey.getParams();
ECPoint point = publicKey.getW();
- publicPoint = JsseJce.encodePoint(point, params.getCurve());
+ publicPoint = ECUtil.encodePoint(point, params.getCurve());
this.namedGroup = NamedGroup.valueOf(params);
if ((namedGroup == null) || (namedGroup.oid == null) ) {
@@ -221,7 +222,7 @@
}
ECParameterSpec parameters =
- JsseJce.getECParameterSpec(namedGroup.oid);
+ ECUtil.getECParameterSpec(null, namedGroup.oid);
if (parameters == null) {
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No supported EC parameter: " + namedGroup);
@@ -236,8 +237,8 @@
ECPublicKey ecPublicKey = null;
try {
ECPoint point =
- JsseJce.decodePoint(publicPoint, parameters.getCurve());
- KeyFactory factory = JsseJce.getKeyFactory("EC");
+ ECUtil.decodePoint(publicPoint, parameters.getCurve());
+ KeyFactory factory = KeyFactory.getInstance("EC");
ecPublicKey = (ECPublicKey)factory.generatePublic(
new ECPublicKeySpec(point, parameters));
} catch (NoSuchAlgorithmException |
@@ -446,7 +447,7 @@
Signature signer = null;
switch (keyAlgorithm) {
case "EC":
- signer = JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA);
+ signer = Signature.getInstance(JsseJce.SIGNATURE_ECDSA);
break;
case "RSA":
signer = RSASignature.getInstance();
--- a/src/java.base/share/classes/sun/security/ssl/EphemeralKeyManager.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/EphemeralKeyManager.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -69,7 +69,7 @@
KeyPair kp = keys[index].getKeyPair();
if (kp == null) {
try {
- KeyPairGenerator kgen = JsseJce.getKeyPairGenerator("RSA");
+ KeyPairGenerator kgen = KeyPairGenerator.getInstance("RSA");
kgen.initialize(length, random);
keys[index] = new EphemeralKeyPair(kgen.genKeyPair());
kp = keys[index].getKeyPair();
--- a/src/java.base/share/classes/sun/security/ssl/Finished.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/Finished.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -257,7 +257,7 @@
TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
masterSecretKey, tlsLabel, seed, 12,
hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
- KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
+ KeyGenerator kg = KeyGenerator.getInstance(prfAlg);
kg.init(spec);
SecretKey prfKey = kg.generateKey();
if (!"RAW".equals(prfKey.getFormat())) {
@@ -309,7 +309,7 @@
TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
masterSecretKey, tlsLabel, seed, 12,
hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
- KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
+ KeyGenerator kg = KeyGenerator.getInstance(prfAlg);
kg.init(spec);
SecretKey prfKey = kg.generateKey();
if (!"RAW".equals(prfKey.getFormat())) {
@@ -350,7 +350,7 @@
String hmacAlg =
"Hmac" + hashAlg.name.replace("-", "");
try {
- Mac hmac = JsseJce.getMac(hmacAlg);
+ Mac hmac = Mac.getInstance(hmacAlg);
hmac.init(finishedSecret);
return hmac.doFinal(context.handshakeHash.digest());
} catch (NoSuchAlgorithmException |InvalidKeyException ex) {
--- a/src/java.base/share/classes/sun/security/ssl/HKDF.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/HKDF.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -62,7 +62,7 @@
Objects.requireNonNull(hashAlg,
"Must provide underlying HKDF Digest algorithm.");
hmacAlg = "Hmac" + hashAlg.replace("-", "");
- hmacObj = JsseJce.getMac(hmacAlg);
+ hmacObj = Mac.getInstance(hmacAlg);
hmacLen = hmacObj.getMacLength();
}
--- a/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java Tue Feb 12 13:36:15 2019 -0800
@@ -29,6 +29,7 @@
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedList;
import javax.crypto.SecretKey;
@@ -269,8 +270,13 @@
private final ByteArrayOutputStream baos;
S30HandshakeHash(CipherSuite cipherSuite) {
- this.mdMD5 = JsseJce.getMessageDigest("MD5");
- this.mdSHA = JsseJce.getMessageDigest("SHA");
+ try {
+ this.mdMD5 = MessageDigest.getInstance("MD5");
+ this.mdSHA = MessageDigest.getInstance("SHA");
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new RuntimeException(
+ "Hash algorithm MD5 or SHA is not available", nsae);
+ }
boolean hasArchived = false;
if (mdMD5 instanceof Cloneable) {
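Review bot: The try/catch that wraps `NoSuchAlgorithmException` in a `RuntimeException` is now copied into every constructor and clone path that used `JsseJce.getMessageDigest`. That covers this hunk, the four later hunks in this file (-379, -396, -447, -514, -552 include the T12/T13 variants) and the four HelloCookieManager.java hunks. A single private helper per file, or one package-private helper, would keep the unchecked-exception behaviour of the removed wrapper without the repetition. It would also let the message name the exact algorithm, since "Hash algorithm MD5 or SHA is not available" does not say which lookup failed. The constructor body continues outside the hunk.

```java
S30HandshakeHash(CipherSuite cipherSuite) {
    this.mdMD5 = newMessageDigest("MD5");
    this.mdSHA = newMessageDigest("SHA");
    // … unchanged: archived/cloneable digest setup …

// Helper on the enclosing class, shared by the S30/T10/T12/T13 hashes.
private static MessageDigest newMessageDigest(String algorithm) {
    try {
        return MessageDigest.getInstance(algorithm);
    } catch (NoSuchAlgorithmException nsae) {
        // Unchecked, as with the removed JsseJce.getMessageDigest wrapper.
        throw new RuntimeException(
                "Hash algorithm " + algorithm + " is not available", nsae);
    }
}
```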
@@ -379,7 +385,12 @@
"MessageDigest does no support clone operation");
}
} else {
- md5Clone = JsseJce.getMessageDigest("MD5");
+ try {
+ md5Clone = MessageDigest.getInstance("MD5");
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new RuntimeException(
+ "Hash algorithm MD5 is not available", nsae);
+ }
md5Clone.update(md5.archived());
}
@@ -396,7 +407,12 @@
"MessageDigest does no support clone operation");
}
} else {
- shaClone = JsseJce.getMessageDigest("SHA");
+ try {
+ shaClone = MessageDigest.getInstance("SHA");
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new RuntimeException(
+ "Hash algorithm SHA is not available", nsae);
+ }
shaClone.update(sha.archived());
}
@@ -447,8 +463,15 @@
private final ByteArrayOutputStream baos;
T10HandshakeHash(CipherSuite cipherSuite) {
- MessageDigest mdMD5 = JsseJce.getMessageDigest("MD5");
- MessageDigest mdSHA = JsseJce.getMessageDigest("SHA");
+ MessageDigest mdMD5;
+ MessageDigest mdSHA;
+ try {
+ mdMD5 = MessageDigest.getInstance("MD5");
+ mdSHA = MessageDigest.getInstance("SHA");
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new RuntimeException(
+ "Hash algorithm MD5 or SHA is not available", nsae);
+ }
boolean hasArchived = false;
if (mdMD5 instanceof Cloneable) {
@@ -514,8 +537,15 @@
private final ByteArrayOutputStream baos;
T12HandshakeHash(CipherSuite cipherSuite) {
- MessageDigest md =
- JsseJce.getMessageDigest(cipherSuite.hashAlg.name);
+ MessageDigest md;
+ try {
+ md = MessageDigest.getInstance(cipherSuite.hashAlg.name);
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new RuntimeException(
+ "Hash algorithm " +
+ cipherSuite.hashAlg.name + " is not available", nsae);
+ }
+
if (md instanceof Cloneable) {
transcriptHash = new CloneableHash(md);
this.baos = new ByteArrayOutputStream();
@@ -552,8 +582,15 @@
private final TranscriptHash transcriptHash;
T13HandshakeHash(CipherSuite cipherSuite) {
- MessageDigest md =
- JsseJce.getMessageDigest(cipherSuite.hashAlg.name);
+ MessageDigest md;
+ try {
+ md = MessageDigest.getInstance(cipherSuite.hashAlg.name);
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new RuntimeException(
+ "Hash algorithm " +
+ cipherSuite.hashAlg.name + " is not available", nsae);
+ }
+
if (md instanceof Cloneable) {
transcriptHash = new CloneableHash(md);
} else {
--- a/src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,7 @@
import java.io.IOException;
import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import static sun.security.ssl.ClientHello.ClientHelloMessage;
@@ -143,7 +144,13 @@
cookieVersion++;
}
- MessageDigest md = JsseJce.getMessageDigest("SHA-256");
+ MessageDigest md;
+ try {
+ md = MessageDigest.getInstance("SHA-256");
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new RuntimeException(
+ "MessageDigest algorithm SHA-256 is not available", nsae);
+ }
byte[] helloBytes = clientHello.getHelloCookieBytes();
md.update(helloBytes);
byte[] cookie = md.digest(secret); // 32 bytes
@@ -169,7 +176,13 @@
}
}
- MessageDigest md = JsseJce.getMessageDigest("SHA-256");
+ MessageDigest md;
+ try {
+ md = MessageDigest.getInstance("SHA-256");
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new RuntimeException(
+ "MessageDigest algorithm SHA-256 is not available", nsae);
+ }
byte[] helloBytes = clientHello.getHelloCookieBytes();
md.update(helloBytes);
byte[] target = md.digest(secret); // 32 bytes
@@ -234,8 +247,16 @@
cookieVersion++; // allow wrapped version number
}
- MessageDigest md = JsseJce.getMessageDigest(
+ MessageDigest md;
+ try {
+ md = MessageDigest.getInstance(
context.negotiatedCipherSuite.hashAlg.name);
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new RuntimeException(
+ "MessageDigest algorithm " +
+ context.negotiatedCipherSuite.hashAlg.name +
+ " is not available", nsae);
+ }
byte[] headerBytes = clientHello.getHeaderBytes();
md.update(headerBytes);
byte[] headerCookie = md.digest(secret);
@@ -300,7 +321,14 @@
}
}
- MessageDigest md = JsseJce.getMessageDigest(cs.hashAlg.name);
+ MessageDigest md;
+ try {
+ md = MessageDigest.getInstance(cs.hashAlg.name);
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new RuntimeException(
+ "MessageDigest algorithm " +
+ cs.hashAlg.name + " is not available", nsae);
+ }
byte[] headerBytes = clientHello.getHeaderBytes();
md.update(headerBytes);
byte[] headerCookie = md.digest(secret);
--- a/src/java.base/share/classes/sun/security/ssl/JsseJce.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/JsseJce.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -29,13 +29,7 @@
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.*;
-import java.util.*;
import javax.crypto.*;
-import sun.security.jca.ProviderList;
-import sun.security.jca.Providers;
-import static sun.security.ssl.SunJSSE.cryptoProvider;
-import sun.security.util.ECUtil;
-import static sun.security.util.SecurityConstants.PROVIDER_VER;
/**
* This class contains a few static methods for interaction with the JCA/JCE
@@ -47,54 +41,6 @@
static final boolean ALLOW_ECC =
Utilities.getBooleanProperty("com.sun.net.ssl.enableECC", true);
- private static final ProviderList fipsProviderList;
-
- static {
- // force FIPS flag initialization
- // Because isFIPS() is synchronized and cryptoProvider is not modified
- // after it completes, this also eliminates the need for any further
- // synchronization when accessing cryptoProvider
- if (SunJSSE.isFIPS() == false) {
- fipsProviderList = null;
- } else {
- // Setup a ProviderList that can be used by the trust manager
- // during certificate chain validation. All the crypto must be
- // from the FIPS provider, but we also allow the required
- // certificate related services from the SUN provider.
- Provider sun = Security.getProvider("SUN");
- if (sun == null) {
- throw new RuntimeException
- ("FIPS mode: SUN provider must be installed");
- }
- Provider sunCerts = new SunCertificates(sun);
- fipsProviderList = ProviderList.newList(cryptoProvider, sunCerts);
- }
- }
-
- private static final class SunCertificates extends Provider {
- private static final long serialVersionUID = -3284138292032213752L;
-
- SunCertificates(final Provider p) {
- super("SunCertificates", PROVIDER_VER, "SunJSSE internal");
- AccessController.doPrivileged(new PrivilegedAction<Object>() {
- @Override
- public Object run() {
- // copy certificate related services from the Sun provider
- for (Map.Entry<Object,Object> entry : p.entrySet()) {
- String key = (String)entry.getKey();
- if (key.startsWith("CertPathValidator.")
- || key.startsWith("CertPathBuilder.")
- || key.startsWith("CertStore.")
- || key.startsWith("CertificateFactory.")) {
- put(key, entry.getValue());
- }
- }
- return null;
- }
- });
- }
- }
-
/**
* JCE transformation string for RSA with PKCS#1 v1.5 padding.
* Can be used for encryption, decryption, signing, verifying.
@@ -180,153 +126,6 @@
return EcAvailability.isAvailable;
}
- /**
- * Return an JCE cipher implementation for the specified algorithm.
- */
- static Cipher getCipher(String transformation)
- throws NoSuchAlgorithmException {
- try {
- if (cryptoProvider == null) {
- return Cipher.getInstance(transformation);
- } else {
- return Cipher.getInstance(transformation, cryptoProvider);
- }
- } catch (NoSuchPaddingException e) {
- throw new NoSuchAlgorithmException(e);
- }
- }
-
- /**
- * Return an JCA signature implementation for the specified algorithm.
- * The algorithm string should be one of the constants defined
- * in this class.
- */
- static Signature getSignature(String algorithm)
- throws NoSuchAlgorithmException {
- if (cryptoProvider == null) {
- return Signature.getInstance(algorithm);
- } else {
- // reference equality
- if (algorithm == SIGNATURE_SSLRSA) {
- // The SunPKCS11 provider currently does not support this
- // special algorithm. We allow a fallback in this case because
- // the SunJSSE implementation does the actual crypto using
- // a NONEwithRSA signature obtained from the cryptoProvider.
- if (cryptoProvider.getService("Signature", algorithm) == null) {
- // Calling Signature.getInstance() and catching the
- // exception would be cleaner, but exceptions are a little
- // expensive. So we check directly via getService().
- try {
- return Signature.getInstance(algorithm, "SunJSSE");
- } catch (NoSuchProviderException e) {
- throw new NoSuchAlgorithmException(e);
- }
- }
- }
- return Signature.getInstance(algorithm, cryptoProvider);
- }
- }
-
- static KeyGenerator getKeyGenerator(String algorithm)
- throws NoSuchAlgorithmException {
- if (cryptoProvider == null) {
- return KeyGenerator.getInstance(algorithm);
- } else {
- return KeyGenerator.getInstance(algorithm, cryptoProvider);
- }
- }
-
- static KeyPairGenerator getKeyPairGenerator(String algorithm)
- throws NoSuchAlgorithmException {
- if (cryptoProvider == null) {
- return KeyPairGenerator.getInstance(algorithm);
- } else {
- return KeyPairGenerator.getInstance(algorithm, cryptoProvider);
- }
- }
-
- static KeyAgreement getKeyAgreement(String algorithm)
- throws NoSuchAlgorithmException {
- if (cryptoProvider == null) {
- return KeyAgreement.getInstance(algorithm);
- } else {
- return KeyAgreement.getInstance(algorithm, cryptoProvider);
- }
- }
-
- static Mac getMac(String algorithm)
- throws NoSuchAlgorithmException {
- if (cryptoProvider == null) {
- return Mac.getInstance(algorithm);
- } else {
- return Mac.getInstance(algorithm, cryptoProvider);
- }
- }
-
- static KeyFactory getKeyFactory(String algorithm)
- throws NoSuchAlgorithmException {
- if (cryptoProvider == null) {
- return KeyFactory.getInstance(algorithm);
- } else {
- return KeyFactory.getInstance(algorithm, cryptoProvider);
- }
- }
-
- static AlgorithmParameters getAlgorithmParameters(String algorithm)
- throws NoSuchAlgorithmException {
- if (cryptoProvider == null) {
- return AlgorithmParameters.getInstance(algorithm);
- } else {
- return AlgorithmParameters.getInstance(algorithm, cryptoProvider);
- }
- }
-
- static SecureRandom getSecureRandom() throws KeyManagementException {
- if (cryptoProvider == null) {
- return new SecureRandom();
- }
- // Try "PKCS11" first. If that is not supported, iterate through
- // the provider and return the first working implementation.
- try {
- return SecureRandom.getInstance("PKCS11", cryptoProvider);
- } catch (NoSuchAlgorithmException e) {
- // ignore
- }
- for (Provider.Service s : cryptoProvider.getServices()) {
- if (s.getType().equals("SecureRandom")) {
- try {
- return SecureRandom.getInstance(
- s.getAlgorithm(), cryptoProvider);
- } catch (NoSuchAlgorithmException ee) {
- // ignore
- }
- }
- }
- throw new KeyManagementException("FIPS mode: no SecureRandom "
- + " implementation found in provider " + cryptoProvider.getName());
- }
-
- static MessageDigest getMD5() {
- return getMessageDigest("MD5");
- }
-
- static MessageDigest getSHA() {
- return getMessageDigest("SHA");
- }
-
- static MessageDigest getMessageDigest(String algorithm) {
- try {
- if (cryptoProvider == null) {
- return MessageDigest.getInstance(algorithm);
- } else {
- return MessageDigest.getInstance(algorithm, cryptoProvider);
- }
- } catch (NoSuchAlgorithmException e) {
- throw new RuntimeException
- ("Algorithm " + algorithm + " not available", e);
- }
- }
-
static int getRSAKeyLength(PublicKey key) {
BigInteger modulus;
if (key instanceof RSAPublicKey) {
@@ -345,47 +144,13 @@
rsaKey.getPublicExponent());
}
try {
- KeyFactory factory = JsseJce.getKeyFactory("RSA");
+ KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.getKeySpec(key, RSAPublicKeySpec.class);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
- static ECParameterSpec getECParameterSpec(String namedCurveOid) {
- return ECUtil.getECParameterSpec(cryptoProvider, namedCurveOid);
- }
-
- static String getNamedCurveOid(ECParameterSpec params) {
- return ECUtil.getCurveName(cryptoProvider, params);
- }
-
- static ECPoint decodePoint(byte[] encoded, EllipticCurve curve)
- throws java.io.IOException {
- return ECUtil.decodePoint(encoded, curve);
- }
-
- static byte[] encodePoint(ECPoint point, EllipticCurve curve) {
- return ECUtil.encodePoint(point, curve);
- }
-
- // In FIPS mode, set thread local providers; otherwise a no-op.
- // Must be paired with endFipsProvider.
- static Object beginFipsProvider() {
- if (fipsProviderList == null) {
- return null;
- } else {
- return Providers.beginThreadProviderList(fipsProviderList);
- }
- }
-
- static void endFipsProvider(Object o) {
- if (fipsProviderList != null) {
- Providers.endThreadProviderList((ProviderList)o);
- }
- }
-
-
// lazy initialization holder class idiom for static default parameters
//
// See Effective Java Second Edition: Item 71.
@@ -396,12 +161,12 @@
static {
boolean mediator = true;
try {
- JsseJce.getSignature(SIGNATURE_ECDSA);
- JsseJce.getSignature(SIGNATURE_RAWECDSA);
- JsseJce.getKeyAgreement("ECDH");
- JsseJce.getKeyFactory("EC");
- JsseJce.getKeyPairGenerator("EC");
- JsseJce.getAlgorithmParameters("EC");
+ Signature.getInstance(SIGNATURE_ECDSA);
+ Signature.getInstance(SIGNATURE_RAWECDSA);
+ KeyAgreement.getInstance("ECDH");
+ KeyFactory.getInstance("EC");
+ KeyPairGenerator.getInstance("EC");
+ AlgorithmParameters.getInstance("EC");
} catch (Exception e) {
mediator = false;
}
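Review bot: When any of the six `getInstance` probes fails, the catch only sets `mediator = false`, so EC support is switched off with no record of which algorithm was missing. Because the lookups now go through the default provider list rather than a pinned provider, the result depends on the providers configured at class-initialization time. Log the cause inside the catch, using the guard the SignatureScheme hunk of this change already has around its probe: `if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning("EC is not available", e); }`. The SSLConfiguration hunk has the same silent fallback, where a missing `SunTlsExtendedMasterSecret` generator sets `supportExtendedMasterSecret = false`. The static initializer continues past the end of this hunk.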
--- a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -61,12 +61,6 @@
protected void engineInit(KeyStore ks, char[] password) throws
KeyStoreException, NoSuchAlgorithmException,
UnrecoverableKeyException {
- if ((ks != null) && SunJSSE.isFIPS()) {
- if (ks.getProvider() != SunJSSE.cryptoProvider) {
- throw new KeyStoreException("FIPS mode: KeyStore must be "
- + "from provider " + SunJSSE.cryptoProvider.getName());
- }
- }
keyManager = new SunX509KeyManagerImpl(ks, password);
isInitialized = true;
}
@@ -91,12 +85,6 @@
keyManager = new X509KeyManagerImpl(
Collections.<Builder>emptyList());
} else {
- if (SunJSSE.isFIPS() &&
- (ks.getProvider() != SunJSSE.cryptoProvider)) {
- throw new KeyStoreException(
- "FIPS mode: KeyStore must be " +
- "from provider " + SunJSSE.cryptoProvider.getName());
- }
try {
Builder builder = Builder.newInstance(ks,
new PasswordProtection(password));
@@ -115,10 +103,7 @@
throw new InvalidAlgorithmParameterException(
"Parameters must be instance of KeyStoreBuilderParameters");
}
- if (SunJSSE.isFIPS()) {
- throw new InvalidAlgorithmParameterException
- ("FIPS mode: KeyStoreBuilderParameters not supported");
- }
+
List<Builder> builders =
((KeyStoreBuilderParameters)params).getParameters();
keyManager = new X509KeyManagerImpl(builders);
--- a/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java Tue Feb 12 13:36:15 2019 -0800
@@ -765,7 +765,7 @@
String hmacAlg =
"Hmac" + hashAlg.name.replace("-", "");
try {
- Mac hmac = JsseJce.getMac(hmacAlg);
+ Mac hmac = Mac.getInstance(hmacAlg);
hmac.init(finishedKey);
return hmac.doFinal(digest);
} catch (NoSuchAlgorithmException | InvalidKeyException ex) {
--- a/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -109,7 +109,7 @@
byte[] getEncoded(PublicKey publicKey,
SecureRandom secureRandom) throws GeneralSecurityException {
- Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
+ Cipher cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1);
cipher.init(Cipher.WRAP_MODE, publicKey, secureRandom);
return cipher.wrap(premasterSecret);
}
@@ -119,7 +119,7 @@
ClientHandshakeContext chc) throws GeneralSecurityException {
String algorithm = chc.negotiatedProtocol.useTLS12PlusSpec() ?
"SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret";
- KeyGenerator kg = JsseJce.getKeyGenerator(algorithm);
+ KeyGenerator kg = KeyGenerator.getInstance(algorithm);
TlsRsaPremasterSecretParameterSpec spec =
new TlsRsaPremasterSecretParameterSpec(
chc.clientHelloVersion,
@@ -136,7 +136,7 @@
byte[] encoded = null;
boolean needFailover = false;
- Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
+ Cipher cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1);
try {
// Try UNWRAP_MODE mode firstly.
cipher.init(Cipher.UNWRAP_MODE, privateKey,
@@ -163,7 +163,7 @@
if (needFailover) {
// The cipher might be spoiled by unsuccessful call to init(),
// so request a fresh instance
- cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
+ cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1);
// Use DECRYPT_MODE and dispose the previous initialization.
cipher.init(Cipher.DECRYPT_MODE, privateKey);
@@ -227,7 +227,7 @@
try {
String s = ((clientVersion >= ProtocolVersion.TLS12.id) ?
"SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret");
- KeyGenerator kg = JsseJce.getKeyGenerator(s);
+ KeyGenerator kg = KeyGenerator.getInstance(s);
kg.init(new TlsRsaPremasterSecretParameterSpec(
clientVersion, serverVersion, encodedSecret),
generator);
--- a/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -306,7 +306,7 @@
// check constraints of RSA PublicKey
RSAPublicKey publicKey;
try {
- KeyFactory kf = JsseJce.getKeyFactory("RSA");
+ KeyFactory kf = KeyFactory.getInstance("RSA");
RSAPublicKeySpec spec = new RSAPublicKeySpec(
new BigInteger(1, skem.modulus),
new BigInteger(1, skem.exponent));
--- a/src/java.base/share/classes/sun/security/ssl/RSASignature.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/RSASignature.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -53,9 +53,9 @@
public RSASignature() throws NoSuchAlgorithmException {
super();
- rawRsa = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
- this.mdMD5 = JsseJce.getMessageDigest("MD5");
- this.mdSHA = JsseJce.getMessageDigest("SHA");
+ rawRsa = Signature.getInstance(JsseJce.SIGNATURE_RAWRSA);
+ this.mdMD5 = MessageDigest.getInstance("MD5");
+ this.mdSHA = MessageDigest.getInstance("SHA");
}
/**
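Review bot: `MessageDigest.getInstance("SHA")` relies on the `SHA` alias, while the standard algorithm name is `SHA-1`. Now that the lookup goes to whichever provider comes first in the default list, the standard name is the safer spelling: `this.mdSHA = MessageDigest.getInstance("SHA-1");`. The failure type also changes: the removed `JsseJce.getMessageDigest` wrapped a missing digest in a `RuntimeException`, whereas the constructor now lets `NoSuchAlgorithmException` propagate through its existing `throws` clause. A one-line comment such as `// MD5/SHA-1 lookups may throw NoSuchAlgorithmException directly` would record that.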
@@ -66,7 +66,7 @@
* which may be this class.
*/
static Signature getInstance() throws NoSuchAlgorithmException {
- return JsseJce.getSignature(JsseJce.SIGNATURE_SSLRSA);
+ return Signature.getInstance(JsseJce.SIGNATURE_SSLRSA);
}
@Override
--- a/src/java.base/share/classes/sun/security/ssl/SSLCipher.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SSLCipher.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -851,7 +851,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
cipher.init(Cipher.DECRYPT_MODE, key, params, random);
}
@@ -933,7 +933,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
cipher.init(Cipher.ENCRYPT_MODE, key, params, random);
}
@@ -1023,7 +1023,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
cipher.init(Cipher.DECRYPT_MODE, key, params, random);
}
@@ -1175,7 +1175,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
cipher.init(Cipher.ENCRYPT_MODE, key, params, random);
}
@@ -1291,7 +1291,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
if (params == null) {
params = new IvParameterSpec(new byte[sslCipher.ivSize]);
}
@@ -1455,7 +1455,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
this.random = random;
if (params == null) {
params = new IvParameterSpec(new byte[sslCipher.ivSize]);
@@ -1590,7 +1590,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.fixedIv = ((IvParameterSpec)params).getIV();
@@ -1705,7 +1705,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.fixedIv = ((IvParameterSpec)params).getIV();
@@ -1838,7 +1838,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.iv = ((IvParameterSpec)params).getIV();
@@ -1992,7 +1992,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.iv = ((IvParameterSpec)params).getIV();
@@ -2133,7 +2133,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.iv = ((IvParameterSpec)params).getIV();
@@ -2252,7 +2252,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.iv = ((IvParameterSpec)params).getIV();
@@ -2392,7 +2392,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.iv = ((IvParameterSpec)params).getIV();
@@ -2534,7 +2534,7 @@
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
- this.cipher = JsseJce.getCipher(algorithm);
+ this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.iv = ((IvParameterSpec)params).getIV();
--- a/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -36,6 +36,7 @@
import java.util.HashMap;
import java.util.List;
import java.util.function.BiFunction;
+import javax.crypto.KeyGenerator;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SNIServerName;
@@ -104,7 +105,7 @@
"jdk.tls.useExtendedMasterSecret", true);
if (supportExtendedMasterSecret) {
try {
- JsseJce.getKeyGenerator("SunTlsExtendedMasterSecret");
+ KeyGenerator.getInstance("SunTlsExtendedMasterSecret");
} catch (NoSuchAlgorithmException nae) {
supportExtendedMasterSecret = false;
}
--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -94,14 +94,8 @@
trustManager = chooseTrustManager(tm);
if (sr == null) {
- secureRandom = JsseJce.getSecureRandom();
+ secureRandom = new SecureRandom();
} else {
- if (SunJSSE.isFIPS() &&
- (sr.getProvider() != SunJSSE.cryptoProvider)) {
- throw new KeyManagementException
- ("FIPS mode: SecureRandom must be from provider "
- + SunJSSE.cryptoProvider.getName());
- }
secureRandom = sr;
}
@@ -127,12 +121,6 @@
// We only use the first instance of X509TrustManager passed to us.
for (int i = 0; tm != null && i < tm.length; i++) {
if (tm[i] instanceof X509TrustManager) {
- if (SunJSSE.isFIPS() &&
- !(tm[i] instanceof X509TrustManagerImpl)) {
- throw new KeyManagementException
- ("FIPS mode: only SunJSSE TrustManagers may be used");
- }
-
if (tm[i] instanceof X509ExtendedTrustManager) {
return (X509TrustManager)tm[i];
} else {
@@ -153,20 +141,7 @@
if (!(km instanceof X509KeyManager)) {
continue;
}
- if (SunJSSE.isFIPS()) {
- // In FIPS mode, require that one of SunJSSE's own keymanagers
- // is used. Otherwise, we cannot be sure that only keys from
- // the FIPS token are used.
- if ((km instanceof X509KeyManagerImpl)
- || (km instanceof SunX509KeyManagerImpl)) {
- return (X509ExtendedKeyManager)km;
- } else {
- // throw exception, we don't want to silently use the
- // dummy keymanager without telling the user.
- throw new KeyManagementException
- ("FIPS mode: only SunJSSE KeyManagers may be used");
- }
- }
+
if (km instanceof X509ExtendedKeyManager) {
return (X509ExtendedKeyManager)km;
}
@@ -548,41 +523,24 @@
private static final List<CipherSuite> serverDefaultCipherSuites;
static {
- if (SunJSSE.isFIPS()) {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- );
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.SSL30,
+ ProtocolVersion.SSL20Hello
+ );
- serverDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- });
- } else {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10,
- ProtocolVersion.SSL30,
- ProtocolVersion.SSL20Hello
- );
-
- serverDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10,
- ProtocolVersion.SSL30,
- ProtocolVersion.SSL20Hello
- });
- }
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.SSL30,
+ ProtocolVersion.SSL20Hello
+ });
supportedCipherSuites = getApplicableSupportedCipherSuites(
supportedProtocols);
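Review bot: `ProtocolVersion.SSL30` and `ProtocolVersion.SSL20Hello` are now always part of `supportedProtocols`, which is built with `Arrays.asList` and is not passed through `getAvailableProtocols`, so nothing visible here narrows that list. Add a comment above the static block saying where the legacy versions get disabled, e.g. `// SSL30/SSL20Hello are only listed here; whether they are usable is decided by getAvailableProtocols() and the configured constraints`. What `getAvailableProtocols` filters on is not shown in this hunk, so confirm the wording. The client default lists in the four static-block hunks that follow now include `SSL30` unconditionally as well. The six-entry list is written out twice here and again in `getSupportedProtocols()`; a shared constant would keep the copies in step.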
@@ -626,23 +584,14 @@
}
static ProtocolVersion[] getSupportedProtocols() {
- if (SunJSSE.isFIPS()) {
- return new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- };
- } else {
- return new ProtocolVersion[]{
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10,
- ProtocolVersion.SSL30,
- ProtocolVersion.SSL20Hello
- };
- }
+ return new ProtocolVersion[]{
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.SSL30,
+ ProtocolVersion.SSL20Hello
+ };
}
}
@@ -656,18 +605,11 @@
private static final List<CipherSuite> clientDefaultCipherSuites;
static {
- if (SunJSSE.isFIPS()) {
- clientDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS10
- });
- } else {
- clientDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS10,
- ProtocolVersion.SSL30
- });
- }
+ clientDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS10,
+ ProtocolVersion.SSL30
+ });
clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
clientDefaultProtocols, true);
@@ -694,20 +636,12 @@
private static final List<CipherSuite> clientDefaultCipherSuites;
static {
- if (SunJSSE.isFIPS()) {
- clientDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- });
- } else {
- clientDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10,
- ProtocolVersion.SSL30
- });
- }
+ clientDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.SSL30
+ });
clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
clientDefaultProtocols, true);
@@ -735,22 +669,13 @@
private static final List<CipherSuite> clientDefaultCipherSuites;
static {
- if (SunJSSE.isFIPS()) {
- clientDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- });
- } else {
- clientDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10,
- ProtocolVersion.SSL30
- });
- }
+ clientDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.SSL30
+ });
clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
clientDefaultProtocols, true);
@@ -777,24 +702,14 @@
private static final List<CipherSuite> clientDefaultCipherSuites;
static {
- if (SunJSSE.isFIPS()) {
- clientDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- });
- } else {
- clientDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10,
- ProtocolVersion.SSL30
- });
- }
+ clientDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.SSL30
+ });
clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
clientDefaultProtocols, true);
@@ -866,16 +781,6 @@
" is not a supported SSL protocol name");
}
- if (SunJSSE.isFIPS() &&
- ((pv == ProtocolVersion.SSL30) ||
- (pv == ProtocolVersion.SSL20Hello))) {
- reservedException = new IllegalArgumentException(
- propname + ": " + pv +
- " is not FIPS compliant");
-
- break;
- }
-
// ignore duplicated protocols
if (!arrayList.contains(pv)) {
arrayList.add(pv);
@@ -955,22 +860,13 @@
}
static ProtocolVersion[] getProtocols() {
- if (SunJSSE.isFIPS()) {
- return new ProtocolVersion[]{
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- };
- } else {
- return new ProtocolVersion[]{
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10,
- ProtocolVersion.SSL30
- };
- }
+ return new ProtocolVersion[]{
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.SSL30
+ };
}
protected CustomizedTLSContext() {
--- a/src/java.base/share/classes/sun/security/ssl/SSLMasterKeyDerivation.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SSLMasterKeyDerivation.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -145,7 +145,7 @@
}
try {
- KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
+ KeyGenerator kg = KeyGenerator.getInstance(masterAlg);
kg.init(spec);
return kg.generateKey();
} catch (InvalidAlgorithmParameterException |
--- a/src/java.base/share/classes/sun/security/ssl/SSLTrafficKeyDerivation.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SSLTrafficKeyDerivation.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -280,7 +280,7 @@
hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
try {
- KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg);
+ KeyGenerator kg = KeyGenerator.getInstance(keyMaterialAlg);
kg.init(spec);
this.keyMaterialSpec = (TlsKeyMaterialSpec)kg.generateKey();
--- a/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -194,7 +194,7 @@
boolean mediator = true;
try {
- Signature signer = JsseJce.getSignature("RSASSA-PSS");
+ Signature signer = Signature.getInstance("RSASSA-PSS");
signer.setParameter(pssParamSpec);
} catch (InvalidAlgorithmParameterException |
NoSuchAlgorithmException exp) {
@@ -275,7 +275,7 @@
mediator = signAlgParamSpec.isAvailable;
} else {
try {
- JsseJce.getSignature(algorithm);
+ Signature.getInstance(algorithm);
} catch (Exception e) {
mediator = false;
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -466,7 +466,7 @@
return null;
}
- Signature signer = JsseJce.getSignature(algorithm);
+ Signature signer = Signature.getInstance(algorithm);
if (key instanceof PublicKey) {
signer.initVerify((PublicKey)(key));
} else {
--- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -66,97 +66,16 @@
"(PKCS12, SunX509/PKIX key/trust factories, " +
"SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)";
- private static String fipsInfo =
- "Sun JSSE provider (FIPS mode, crypto provider ";
-
- // tri-valued flag:
- // null := no final decision made
- // false := data structures initialized in non-FIPS mode
- // true := data structures initialized in FIPS mode
- private static Boolean fips;
-
- // the FIPS certificate crypto provider that we use to perform all crypto
- // operations. null in non-FIPS mode
- static java.security.Provider cryptoProvider;
-
- protected static synchronized boolean isFIPS() {
- if (fips == null) {
- fips = false;
- }
- return fips;
- }
-
- // ensure we can use FIPS mode using the specified crypto provider.
- // enable FIPS mode if not already enabled.
- private static synchronized void ensureFIPS(java.security.Provider p) {
- if (fips == null) {
- fips = true;
- cryptoProvider = p;
- } else {
- if (fips == false) {
- throw new ProviderException
- ("SunJSSE already initialized in non-FIPS mode");
- }
- if (cryptoProvider != p) {
- throw new ProviderException
- ("SunJSSE already initialized with FIPS crypto provider "
- + cryptoProvider);
- }
- }
- }
-
- // standard constructor
protected SunJSSE() {
super("SunJSSE", PROVIDER_VER, info);
subclassCheck();
- if (Boolean.TRUE.equals(fips)) {
- throw new ProviderException
- ("SunJSSE is already initialized in FIPS mode");
- }
- registerAlgorithms(false);
- }
-
- // preferred constructor to enable FIPS mode at runtime
- protected SunJSSE(java.security.Provider cryptoProvider){
- this(checkNull(cryptoProvider), cryptoProvider.getName());
- }
-
- // constructor to enable FIPS mode from java.security file
- protected SunJSSE(String cryptoProvider){
- this(null, checkNull(cryptoProvider));
- }
-
- private static <T> T checkNull(T t) {
- if (t == null) {
- throw new ProviderException("cryptoProvider must not be null");
- }
- return t;
+ registerAlgorithms();
}
- private SunJSSE(java.security.Provider cryptoProvider,
- String providerName) {
- super("SunJSSE", PROVIDER_VER, fipsInfo + providerName + ")");
- subclassCheck();
- if (cryptoProvider == null) {
- // Calling Security.getProvider() will cause other providers to be
- // loaded. That is not good but unavoidable here.
- cryptoProvider = Security.getProvider(providerName);
- if (cryptoProvider == null) {
- throw new ProviderException
- ("Crypto provider not installed: " + providerName);
- }
- }
- ensureFIPS(cryptoProvider);
- registerAlgorithms(true);
- }
-
- private void registerAlgorithms(final boolean isfips) {
- AccessController.doPrivileged(new PrivilegedAction<Object>() {
- @Override
- public Object run() {
- doRegister(isfips);
- return null;
- }
+ private void registerAlgorithms() {
+ AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+ doRegister();
+ return null;
});
}
@@ -165,14 +84,13 @@
putService(new Provider.Service(this, type, algo, cn, aliases, attrs));
}
- private void doRegister(boolean isfips) {
- if (isfips == false) {
- Iterator<Provider.Service> rsaIter =
- new SunRsaSignEntries(this).iterator();
- while (rsaIter.hasNext()) {
- putService(rsaIter.next());
- }
+ private void doRegister() {
+ Iterator<Provider.Service> rsaIter =
+ new SunRsaSignEntries(this).iterator();
+ while (rsaIter.hasNext()) {
+ putService(rsaIter.next());
}
+
ps("Signature", "MD5andSHA1withRSA",
"sun.security.ssl.RSASignature", null, null);
@@ -183,14 +101,15 @@
createAliases("PKIX"), null);
ps("TrustManagerFactory", "SunX509",
- "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory", null, null);
+ "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory",
+ null, null);
ps("TrustManagerFactory", "PKIX",
"sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory",
createAliases("SunPKIX", "X509", "X.509"), null);
ps("SSLContext", "TLSv1",
"sun.security.ssl.SSLContextImpl$TLS10Context",
- (isfips? null : createAliases("SSLv3")), null);
+ createAliases("SSLv3"), null);
ps("SSLContext", "TLSv1.1",
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
ps("SSLContext", "TLSv1.2",
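Review bot: The `SSLv3` alias on the `TLSv1` entry is now registered unconditionally, so a request for an `SSLv3` context resolves to `SSLContextImpl$TLS10Context`, and nothing at the call site says so. Add a comment above the call, e.g. `// "SSLv3" is a legacy alias for the TLSv1 context (TLS10Context)`. The `SSL` alias on the `TLS` entry in the next hunk deserves the same kind of comment. `doRegister` starts and ends outside this hunk.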
@@ -199,7 +118,7 @@
"sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
ps("SSLContext", "TLS",
"sun.security.ssl.SSLContextImpl$TLSContext",
- (isfips? null : createAliases("SSL")), null);
+ createAliases("SSL"), null);
ps("SSLContext", "DTLSv1.0",
"sun.security.ssl.SSLContextImpl$DTLS10Context", null, null);
@@ -225,12 +144,4 @@
throw new AssertionError("Illegal subclass: " + getClass());
}
}
-
- @Override
- @SuppressWarnings("deprecation")
- protected final void finalize() throws Throwable {
- // empty
- super.finalize();
- }
-
}
--- a/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -52,6 +52,7 @@
import sun.security.ssl.SSLExtension.ExtensionConsumer;
import sun.security.ssl.SSLExtension.SSLExtensionSpec;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.util.ECUtil;
/**
* Pack of the "supported_groups" extensions [RFC 4492/7919].
@@ -158,15 +159,23 @@
}
static enum NamedGroupType {
- NAMED_GROUP_ECDHE, // Elliptic Curve Groups (ECDHE)
- NAMED_GROUP_FFDHE, // Finite Field Groups (DHE)
- NAMED_GROUP_XDH, // Finite Field Groups (XDH)
- NAMED_GROUP_ARBITRARY, // arbitrary prime and curves (ECDHE)
- NAMED_GROUP_NONE; // Not predefined named group
+ NAMED_GROUP_ECDHE ("EC"),
+ NAMED_GROUP_FFDHE ("DiffieHellman"),
+ NAMED_GROUP_X25519 ("x25519"),
+ NAMED_GROUP_X448 ("x448"),
+ NAMED_GROUP_ARBITRARY ("EC"),
+ NAMED_GROUP_NONE ("");
+
+ private final String algorithm;
+
+ private NamedGroupType(String algorithm) {
+ this.algorithm = algorithm;
+ }
boolean isSupported(List<CipherSuite> cipherSuites) {
for (CipherSuite cs : cipherSuites) {
- if (cs.keyExchange == null || cs.keyExchange.groupType == this) {
+ if (cs.keyExchange == null ||
+ cs.keyExchange.groupType == this) {
return true;
}
}
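Review bot: The new `algorithm` field and the string passed to each `NamedGroupType` constant are undocumented, and the trailing comments that explained the constants were dropped with the rewrite. The values look like the key or parameter algorithm names used for each group type ("EC" and "DiffieHellman" are the names passed to `AlgorithmParameters.getInstance` later in this file), and `NAMED_GROUP_NONE` carries an empty string that would not be a usable algorithm name. I would restore a short comment per constant and add `// algorithm name for this group type; empty for NAMED_GROUP_NONE, which must not be passed to a getInstance() lookup` on the field. The enum body continues outside the hunk.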
@@ -180,108 +189,142 @@
//
// See sun.security.util.CurveDB for the OIDs
// NIST K-163
- SECT163_K1 (0x0001, "sect163k1", "1.3.132.0.1", true,
+ SECT163_K1 (0x0001, "sect163k1", "1.3.132.0.1",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
- SECT163_R1 (0x0002, "sect163r1", "1.3.132.0.2", false,
+ SECT163_R1 (0x0002, "sect163r1", "1.3.132.0.2",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST B-163
- SECT163_R2 (0x0003, "sect163r2", "1.3.132.0.15", true,
+ SECT163_R2 (0x0003, "sect163r2", "1.3.132.0.15",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
- SECT193_R1 (0x0004, "sect193r1", "1.3.132.0.24", false,
+ SECT193_R1 (0x0004, "sect193r1", "1.3.132.0.24",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
- SECT193_R2 (0x0005, "sect193r2", "1.3.132.0.25", false,
+ SECT193_R2 (0x0005, "sect193r2", "1.3.132.0.25",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST K-233
- SECT233_K1 (0x0006, "sect233k1", "1.3.132.0.26", true,
+ SECT233_K1 (0x0006, "sect233k1", "1.3.132.0.26",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST B-233
- SECT233_R1 (0x0007, "sect233r1", "1.3.132.0.27", true,
+ SECT233_R1 (0x0007, "sect233r1", "1.3.132.0.27",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
- SECT239_K1 (0x0008, "sect239k1", "1.3.132.0.3", false,
+ SECT239_K1 (0x0008, "sect239k1", "1.3.132.0.3",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST K-283
- SECT283_K1 (0x0009, "sect283k1", "1.3.132.0.16", true,
+ SECT283_K1 (0x0009, "sect283k1", "1.3.132.0.16",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST B-283
- SECT283_R1 (0x000A, "sect283r1", "1.3.132.0.17", true,
+ SECT283_R1 (0x000A, "sect283r1", "1.3.132.0.17",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST K-409
- SECT409_K1 (0x000B, "sect409k1", "1.3.132.0.36", true,
+ SECT409_K1 (0x000B, "sect409k1", "1.3.132.0.36",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST B-409
- SECT409_R1 (0x000C, "sect409r1", "1.3.132.0.37", true,
+ SECT409_R1 (0x000C, "sect409r1", "1.3.132.0.37",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST K-571
- SECT571_K1 (0x000D, "sect571k1", "1.3.132.0.38", true,
+ SECT571_K1 (0x000D, "sect571k1", "1.3.132.0.38",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST B-571
- SECT571_R1 (0x000E, "sect571r1", "1.3.132.0.39", true,
+ SECT571_R1 (0x000E, "sect571r1", "1.3.132.0.39",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
- SECP160_K1 (0x000F, "secp160k1", "1.3.132.0.9", false,
+ SECP160_K1 (0x000F, "secp160k1", "1.3.132.0.9",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
- SECP160_R1 (0x0010, "secp160r1", "1.3.132.0.8", false,
+ SECP160_R1 (0x0010, "secp160r1", "1.3.132.0.8",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
- SECP160_R2 (0x0011, "secp160r2", "1.3.132.0.30", false,
+ SECP160_R2 (0x0011, "secp160r2", "1.3.132.0.30",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
- SECP192_K1 (0x0012, "secp192k1", "1.3.132.0.31", false,
+ SECP192_K1 (0x0012, "secp192k1", "1.3.132.0.31",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST P-192
- SECP192_R1 (0x0013, "secp192r1", "1.2.840.10045.3.1.1", true,
+ SECP192_R1 (0x0013, "secp192r1", "1.2.840.10045.3.1.1",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
- SECP224_K1 (0x0014, "secp224k1", "1.3.132.0.32", false,
+ SECP224_K1 (0x0014, "secp224k1", "1.3.132.0.32",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST P-224
- SECP224_R1 (0x0015, "secp224r1", "1.3.132.0.33", true,
+ SECP224_R1 (0x0015, "secp224r1", "1.3.132.0.33",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
- SECP256_K1 (0x0016, "secp256k1", "1.3.132.0.10", false,
+ SECP256_K1 (0x0016, "secp256k1", "1.3.132.0.10",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST P-256
- SECP256_R1 (0x0017, "secp256r1", "1.2.840.10045.3.1.7", true,
+ SECP256_R1 (0x0017, "secp256r1", "1.2.840.10045.3.1.7",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_13),
// NIST P-384
- SECP384_R1 (0x0018, "secp384r1", "1.3.132.0.34", true,
+ SECP384_R1 (0x0018, "secp384r1", "1.3.132.0.34",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_13),
// NIST P-521
- SECP521_R1 (0x0019, "secp521r1", "1.3.132.0.35", true,
+ SECP521_R1 (0x0019, "secp521r1", "1.3.132.0.35",
+ NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_13),
// x25519 and x448
- X25519 (0x001D, "x25519", true, "x25519",
+ X25519 (0x001D, "x25519", null,
+ NamedGroupType.NAMED_GROUP_X25519,
ProtocolVersion.PROTOCOLS_TO_13),
- X448 (0x001E, "x448", true, "x448",
+ X448 (0x001E, "x448", null,
+ NamedGroupType.NAMED_GROUP_X448,
ProtocolVersion.PROTOCOLS_TO_13),
// Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919)
- FFDHE_2048 (0x0100, "ffdhe2048", true,
+ FFDHE_2048 (0x0100, "ffdhe2048", null,
+ NamedGroupType.NAMED_GROUP_FFDHE,
ProtocolVersion.PROTOCOLS_TO_13),
- FFDHE_3072 (0x0101, "ffdhe3072", true,
+ FFDHE_3072 (0x0101, "ffdhe3072", null,
+ NamedGroupType.NAMED_GROUP_FFDHE,
ProtocolVersion.PROTOCOLS_TO_13),
- FFDHE_4096 (0x0102, "ffdhe4096", true,
+ FFDHE_4096 (0x0102, "ffdhe4096", null,
+ NamedGroupType.NAMED_GROUP_FFDHE,
ProtocolVersion.PROTOCOLS_TO_13),
- FFDHE_6144 (0x0103, "ffdhe6144", true,
+ FFDHE_6144 (0x0103, "ffdhe6144", null,
+ NamedGroupType.NAMED_GROUP_FFDHE,
ProtocolVersion.PROTOCOLS_TO_13),
- FFDHE_8192 (0x0104, "ffdhe8192", true,
+ FFDHE_8192 (0x0104, "ffdhe8192", null,
+ NamedGroupType.NAMED_GROUP_FFDHE,
ProtocolVersion.PROTOCOLS_TO_13),
// Elliptic Curves (RFC 4492)
//
// arbitrary prime and characteristic-2 curves
- ARBITRARY_PRIME (0xFF01, "arbitrary_explicit_prime_curves",
+ ARBITRARY_PRIME (0xFF01, "arbitrary_explicit_prime_curves", null,
+ NamedGroupType.NAMED_GROUP_ARBITRARY,
ProtocolVersion.PROTOCOLS_TO_12),
- ARBITRARY_CHAR2 (0xFF02, "arbitrary_explicit_char2_curves",
+ ARBITRARY_CHAR2 (0xFF02, "arbitrary_explicit_char2_curves", null,
+ NamedGroupType.NAMED_GROUP_ARBITRARY,
ProtocolVersion.PROTOCOLS_TO_12);
final int id; // hash + signature
@@ -289,55 +332,16 @@
final String name; // literal name
final String oid; // object identifier of the named group
final String algorithm; // signature algorithm
- final boolean isFips; // can be used in FIPS mode?
final ProtocolVersion[] supportedProtocols;
- // Constructor used for Elliptic Curve Groups (ECDHE)
- private NamedGroup(int id, String name, String oid, boolean isFips,
- ProtocolVersion[] supportedProtocols) {
- this.id = id;
- this.type = NamedGroupType.NAMED_GROUP_ECDHE;
- this.name = name;
- this.oid = oid;
- this.algorithm = "EC";
- this.isFips = isFips;
- this.supportedProtocols = supportedProtocols;
- }
-
- // Constructor used for Elliptic Curve Groups (XDH)
- private NamedGroup(int id, String name,
- boolean isFips, String algorithm,
+ private NamedGroup(int id, String name, String oid,
+ NamedGroupType namedGroupType,
ProtocolVersion[] supportedProtocols) {
this.id = id;
- this.type = NamedGroupType.NAMED_GROUP_XDH;
- this.name = name;
- this.oid = null;
- this.algorithm = algorithm;
- this.isFips = isFips;
- this.supportedProtocols = supportedProtocols;
- }
-
- // Constructor used for Finite Field Diffie-Hellman Groups (FFDHE)
- private NamedGroup(int id, String name, boolean isFips,
- ProtocolVersion[] supportedProtocols) {
- this.id = id;
- this.type = NamedGroupType.NAMED_GROUP_FFDHE;
+ this.type = namedGroupType;
this.name = name;
- this.oid = null;
- this.algorithm = "DiffieHellman";
- this.isFips = isFips;
- this.supportedProtocols = supportedProtocols;
- }
-
- // Constructor used for arbitrary prime and curves (ECDHE)
- private NamedGroup(int id, String name,
- ProtocolVersion[] supportedProtocols) {
- this.id = id;
- this.type = NamedGroupType.NAMED_GROUP_ARBITRARY;
- this.name = name;
- this.oid = null;
- this.algorithm = "EC";
- this.isFips = false;
+ this.oid = oid;
+ this.algorithm = namedGroupType.algorithm;
this.supportedProtocols = supportedProtocols;
}
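Review bot: The merged constructor has lost the comments that the four removed constructors carried, and the context line `final String algorithm; // signature algorithm` no longer describes a value that is now copied from `namedGroupType.algorithm`. The constants in the previous hunk also pass a bare `null` for `oid` for the x25519, x448, FFDHE and arbitrary groups, which the constructor accepts without saying so. I would change the field comment to `// algorithm name taken from the group type` and add `// oid is null for groups that are not identified by a curve OID` above the constructor.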
@@ -352,7 +356,7 @@
}
static NamedGroup valueOf(ECParameterSpec params) {
- String oid = JsseJce.getNamedCurveOid(params);
+ String oid = ECUtil.getCurveName(null, params);
if ((oid != null) && (!oid.isEmpty())) {
for (NamedGroup group : NamedGroup.values()) {
if ((group.type == NamedGroupType.NAMED_GROUP_ECDHE) &&
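Review bot: The local is named `oid` and is matched against the groups in the loop below, but it is now filled from `ECUtil.getCurveName(null, params)`, whose name promises a curve name rather than an OID. Whether the returned string is the dotted OID is not visible in this hunk, and the `null` first argument is unexplained. If the method does return the OID form, a comment such as `// returns the curve's OID string; null means no specific provider is requested` (to be confirmed against ECUtil) would remove the doubt; if it returns a name, the comparison target is wrong. `valueOf` continues outside the hunk.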
@@ -472,8 +476,6 @@
static final NamedGroup[] supportedNamedGroups;
static {
- boolean requireFips = SunJSSE.isFIPS();
-
// The value of the System Property defines a list of enabled named
// groups in preference order, separated with comma. For example:
//
@@ -499,8 +501,7 @@
group = group.trim();
if (!group.isEmpty()) {
NamedGroup namedGroup = NamedGroup.nameOf(group);
- if (namedGroup != null &&
- (!requireFips || namedGroup.isFips)) {
+ if (namedGroup != null) {
if (isAvailableGroup(namedGroup)) {
groupList.add(namedGroup);
}
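Review bot: With the FIPS condition gone, the two nested `if` statements test one thing each and can be a single condition, `if (namedGroup != null && isAvailableGroup(namedGroup)) {`, which also removes one level of indentation around `groupList.add(namedGroup);`. A name from the property that does not resolve is still dropped without any trace here, so a one-line comment saying that unknown or unavailable names are skipped on purpose would help whoever debugs a misconfigured group list. The static initializer starts and ends outside the hunk.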
@@ -514,29 +515,7 @@
property + ") contains no supported named groups");
}
} else { // default groups
- NamedGroup[] groups;
- if (requireFips) {
- groups = new NamedGroup[] {
- // only NIST curves in FIPS mode
- NamedGroup.SECP256_R1,
- NamedGroup.SECP384_R1,
- NamedGroup.SECP521_R1,
- NamedGroup.SECT283_K1,
- NamedGroup.SECT283_R1,
- NamedGroup.SECT409_K1,
- NamedGroup.SECT409_R1,
- NamedGroup.SECT571_K1,
- NamedGroup.SECT571_R1,
-
- // FFDHE 2048
- NamedGroup.FFDHE_2048,
- NamedGroup.FFDHE_3072,
- NamedGroup.FFDHE_4096,
- NamedGroup.FFDHE_6144,
- NamedGroup.FFDHE_8192,
- };
- } else {
- groups = new NamedGroup[] {
+ NamedGroup[] groups = new NamedGroup[] {
// NIST curves first
NamedGroup.SECP256_R1,
NamedGroup.SECP384_R1,
@@ -558,7 +537,6 @@
NamedGroup.FFDHE_6144,
NamedGroup.FFDHE_8192,
};
- }
groupList = new ArrayList<>(groups.length);
for (NamedGroup group : groups) {
@@ -587,7 +565,7 @@
if (namedGroup.type == NamedGroupType.NAMED_GROUP_ECDHE) {
if (namedGroup.oid != null) {
try {
- params = JsseJce.getAlgorithmParameters("EC");
+ params = AlgorithmParameters.getInstance("EC");
spec = new ECGenParameterSpec(namedGroup.oid);
} catch (NoSuchAlgorithmException e) {
return false;
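Review bot: `AlgorithmParameters.getInstance("EC")` here and `AlgorithmParameters.getInstance("DiffieHellman")` in the next hunk repeat literals that this commit already attaches to every group through `NamedGroupType.algorithm` and copies into `NamedGroup.algorithm`. Using `params = AlgorithmParameters.getInstance(namedGroup.algorithm);` in both branches keeps a single source for the algorithm name. The lookup now goes straight to the default provider order, which is worth a short comment now that the `JsseJce` indirection is gone. The enclosing method starts and ends outside the hunk.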
@@ -595,7 +573,7 @@
}
} else if (namedGroup.type == NamedGroupType.NAMED_GROUP_FFDHE) {
try {
- params = JsseJce.getAlgorithmParameters("DiffieHellman");
+ params = AlgorithmParameters.getInstance("DiffieHellman");
spec = getFFDHEDHParameterSpec(namedGroup);
} catch (NoSuchAlgorithmException e) {
return false;
--- a/src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -218,7 +218,7 @@
responseList =
((ExtendedSSLSession)session).getStatusResponses();
}
- trustedChain = validate(v, chain, responseList,
+ trustedChain = v.validate(chain, null, responseList,
constraints, isClient ? null : authType);
// check if EE certificate chains to a public root CA (as
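Review bot: The bare `null` second argument to `v.validate(...)` is now repeated at four call sites, this hunk and the three that follow, with nothing saying what it stands for. The private `validate` helper removed further down was the one place that carried it. Either keep a small private helper without the FIPS provider bracket, or label the argument at each call, for example `v.validate(chain, /* otherCerts */ null, responseList,` if that is the parameter's name in `Validator`. The enclosing method starts and ends outside the hunk.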
@@ -234,7 +234,7 @@
getRequestedServerNames(socket), chainsToPublicCA);
}
} else {
- trustedChain = validate(v, chain, Collections.emptyList(),
+ trustedChain = v.validate(chain, null, Collections.emptyList(),
null, isClient ? null : authType);
}
@@ -276,7 +276,7 @@
responseList =
((ExtendedSSLSession)session).getStatusResponses();
}
- trustedChain = validate(v, chain, responseList,
+ trustedChain = v.validate(chain, null, responseList,
constraints, isClient ? null : authType);
// check if EE certificate chains to a public root CA (as
@@ -292,7 +292,7 @@
getRequestedServerNames(engine), chainsToPublicCA);
}
} else {
- trustedChain = validate(v, chain, Collections.emptyList(),
+ trustedChain = v.validate(chain, null, Collections.emptyList(),
null, isClient ? null : authType);
}
@@ -312,18 +312,6 @@
return v;
}
- private static X509Certificate[] validate(Validator v,
- X509Certificate[] chain, List<byte[]> responseList,
- AlgorithmConstraints constraints, String authType)
- throws CertificateException {
- Object o = JsseJce.beginFipsProvider();
- try {
- return v.validate(chain, null, responseList, constraints, authType);
- } finally {
- JsseJce.endFipsProvider(o);
- }
- }
-
// Get string representation of HostName from a list of server names.
//
// We are only accepting host_name name type in the list.
--- a/test/jdk/sun/security/pkcs11/fips/CipherTest.java Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,608 +0,0 @@
-/*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.*;
-import java.net.*;
-import java.util.*;
-import java.util.concurrent.*;
-
-import java.security.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-
-import javax.net.ssl.*;
-
-/**
- * Test that all ciphersuites work in all versions and all client
- * authentication types. The way this is setup the server is stateless and
- * all checking is done on the client side.
- *
- * The test is multithreaded to speed it up, especially on multiprocessor
- * machines. To simplify debugging, run with -DnumThreads=1.
- *
- * @author Andreas Sterbenz
- */
-public class CipherTest {
-
- // use any available port for the server socket
- static int serverPort = 0;
-
- final int THREADS;
-
- // assume that if we do not read anything for 20 seconds, something
- // has gone wrong
- final static int TIMEOUT = 20 * 1000;
-
- static KeyStore /* trustStore, */ keyStore;
- static X509ExtendedKeyManager keyManager;
- static X509TrustManager trustManager;
- static SecureRandom secureRandom;
-
- private static PeerFactory peerFactory;
-
- static abstract class Server implements Runnable {
-
- final CipherTest cipherTest;
-
- Server(CipherTest cipherTest) throws Exception {
- this.cipherTest = cipherTest;
- }
-
- public abstract void run();
-
- void handleRequest(InputStream in, OutputStream out) throws IOException {
- boolean newline = false;
- StringBuilder sb = new StringBuilder();
- while (true) {
- int ch = in.read();
- if (ch < 0) {
- throw new EOFException();
- }
- sb.append((char)ch);
- if (ch == '\r') {
- // empty
- } else if (ch == '\n') {
- if (newline) {
- // 2nd newline in a row, end of request
- break;
- }
- newline = true;
- } else {
- newline = false;
- }
- }
- String request = sb.toString();
- if (request.startsWith("GET / HTTP/1.") == false) {
- throw new IOException("Invalid request: " + request);
- }
- out.write("HTTP/1.0 200 OK\r\n\r\n".getBytes());
- }
-
- }
-
- public static class TestParameters {
-
- String cipherSuite;
- String protocol;
- String clientAuth;
-
- TestParameters(String cipherSuite, String protocol,
- String clientAuth) {
- this.cipherSuite = cipherSuite;
- this.protocol = protocol;
- this.clientAuth = clientAuth;
- }
-
- boolean isEnabled() {
- return TLSCipherStatus.isEnabled(cipherSuite, protocol);
- }
-
- public String toString() {
- String s = cipherSuite + " in " + protocol + " mode";
- if (clientAuth != null) {
- s += " with " + clientAuth + " client authentication";
- }
- return s;
- }
-
- static enum TLSCipherStatus {
- // cipher suites supported since TLS 1.2
- CS_01("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
- CS_02("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
- CS_03("TLS_RSA_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF),
- CS_04("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
- CS_05("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
- CS_06("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF),
- CS_07("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF),
-
- CS_08("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_09("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_10("TLS_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_11("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_12("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_13("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_14("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
-
- CS_15("TLS_DH_anon_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF),
- CS_16("TLS_DH_anon_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_17("TLS_RSA_WITH_NULL_SHA256", 0x0303, 0xFFFF),
-
- CS_20("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_21("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
- CS_22("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_23("TLS_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_24("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_25("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_26("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_27("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
-
- CS_28("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
- CS_29("TLS_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
- CS_30("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
- CS_31("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
- CS_32("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
- CS_33("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
-
- CS_34("TLS_DH_anon_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_35("TLS_DH_anon_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
-
- // cipher suites obsoleted since TLS 1.2
- CS_50("SSL_RSA_WITH_DES_CBC_SHA", 0x0000, 0x0303),
- CS_51("SSL_DHE_RSA_WITH_DES_CBC_SHA", 0x0000, 0x0303),
- CS_52("SSL_DHE_DSS_WITH_DES_CBC_SHA", 0x0000, 0x0303),
- CS_53("SSL_DH_anon_WITH_DES_CBC_SHA", 0x0000, 0x0303),
- CS_54("TLS_KRB5_WITH_DES_CBC_SHA", 0x0000, 0x0303),
- CS_55("TLS_KRB5_WITH_DES_CBC_MD5", 0x0000, 0x0303),
-
- // cipher suites obsoleted since TLS 1.1
- CS_60("SSL_RSA_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302),
- CS_61("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302),
- CS_62("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302),
- CS_63("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302),
- CS_64("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302),
- CS_65("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302),
- CS_66("TLS_KRB5_EXPORT_WITH_RC4_40_SHA", 0x0000, 0x0302),
- CS_67("TLS_KRB5_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302),
- CS_68("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", 0x0000, 0x0302),
- CS_69("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", 0x0000, 0x0302),
-
- // ignore TLS_EMPTY_RENEGOTIATION_INFO_SCSV always
- CS_99("TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 0xFFFF, 0x0000);
-
- // the cipher suite name
- final String cipherSuite;
-
- // supported since protocol version
- final int supportedSince;
-
- // obsoleted since protocol version
- final int obsoletedSince;
-
- TLSCipherStatus(String cipherSuite,
- int supportedSince, int obsoletedSince) {
- this.cipherSuite = cipherSuite;
- this.supportedSince = supportedSince;
- this.obsoletedSince = obsoletedSince;
- }
-
- static boolean isEnabled(String cipherSuite, String protocol) {
- int versionNumber = toVersionNumber(protocol);
-
- if (versionNumber < 0) {
- return true; // unlikely to happen
- }
-
- for (TLSCipherStatus status : TLSCipherStatus.values()) {
- if (cipherSuite.equals(status.cipherSuite)) {
- if ((versionNumber < status.supportedSince) ||
- (versionNumber >= status.obsoletedSince)) {
- return false;
- }
-
- return true;
- }
- }
-
- return true;
- }
-
- private static int toVersionNumber(String protocol) {
- int versionNumber = -1;
-
- switch (protocol) {
- case "SSLv2Hello":
- versionNumber = 0x0002;
- break;
- case "SSLv3":
- versionNumber = 0x0300;
- break;
- case "TLSv1":
- versionNumber = 0x0301;
- break;
- case "TLSv1.1":
- versionNumber = 0x0302;
- break;
- case "TLSv1.2":
- versionNumber = 0x0303;
- break;
- default:
- // unlikely to happen
- }
-
- return versionNumber;
- }
- }
- }
-
- private List<TestParameters> tests;
- private Iterator<TestParameters> testIterator;
- private SSLSocketFactory factory;
- private boolean failed;
-
- private CipherTest(PeerFactory peerFactory) throws IOException {
- THREADS = Integer.parseInt(System.getProperty("numThreads", "4"));
- factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
- SSLSocket socket = (SSLSocket)factory.createSocket();
- String[] cipherSuites = socket.getSupportedCipherSuites();
- String[] protocols = socket.getSupportedProtocols();
-// String[] clientAuths = {null, "RSA", "DSA"};
- String[] clientAuths = {null};
- tests = new ArrayList<TestParameters>(
- cipherSuites.length * protocols.length * clientAuths.length);
- for (int i = 0; i < cipherSuites.length; i++) {
- String cipherSuite = cipherSuites[i];
-
- for (int j = 0; j < protocols.length; j++) {
- String protocol = protocols[j];
-
- if (!peerFactory.isSupported(cipherSuite, protocol)) {
- continue;
- }
-
- for (int k = 0; k < clientAuths.length; k++) {
- String clientAuth = clientAuths[k];
- if ((clientAuth != null) &&
- (cipherSuite.indexOf("DH_anon") != -1)) {
- // no client with anonymous ciphersuites
- continue;
- }
- tests.add(new TestParameters(cipherSuite, protocol,
- clientAuth));
- }
- }
- }
- testIterator = tests.iterator();
- }
-
- synchronized void setFailed() {
- failed = true;
- }
-
- public void run() throws Exception {
- Thread[] threads = new Thread[THREADS];
- for (int i = 0; i < THREADS; i++) {
- try {
- threads[i] = new Thread(peerFactory.newClient(this),
- "Client " + i);
- } catch (Exception e) {
- e.printStackTrace();
- return;
- }
- threads[i].start();
- }
- try {
- for (int i = 0; i < THREADS; i++) {
- threads[i].join();
- }
- } catch (InterruptedException e) {
- setFailed();
- e.printStackTrace();
- }
- if (failed) {
- throw new Exception("*** Test '" + peerFactory.getName() +
- "' failed ***");
- } else {
- System.out.println("Test '" + peerFactory.getName() +
- "' completed successfully");
- }
- }
-
- synchronized TestParameters getTest() {
- if (failed) {
- return null;
- }
- if (testIterator.hasNext()) {
- return (TestParameters)testIterator.next();
- }
- return null;
- }
-
- SSLSocketFactory getFactory() {
- return factory;
- }
-
- static abstract class Client implements Runnable {
-
- final CipherTest cipherTest;
-
- Client(CipherTest cipherTest) throws Exception {
- this.cipherTest = cipherTest;
- }
-
- public final void run() {
- while (true) {
- TestParameters params = cipherTest.getTest();
- if (params == null) {
- // no more tests
- break;
- }
- if (params.isEnabled() == false) {
- System.out.println("Skipping disabled test " + params);
- continue;
- }
- try {
- runTest(params);
- System.out.println("Passed " + params);
- } catch (Exception e) {
- cipherTest.setFailed();
- System.out.println("** Failed " + params + "**");
- e.printStackTrace();
- }
- }
- }
-
- abstract void runTest(TestParameters params) throws Exception;
-
- void sendRequest(InputStream in, OutputStream out) throws IOException {
- out.write("GET / HTTP/1.0\r\n\r\n".getBytes());
- out.flush();
- StringBuilder sb = new StringBuilder();
- while (true) {
- int ch = in.read();
- if (ch < 0) {
- break;
- }
- sb.append((char)ch);
- }
- String response = sb.toString();
- if (response.startsWith("HTTP/1.0 200 ") == false) {
- throw new IOException("Invalid response: " + response);
- }
- }
-
- }
-
- // for some reason, ${test.src} has a different value when the
- // test is called from the script and when it is called directly...
- static String pathToStores = ".";
- static String pathToStoresSH = ".";
- static String keyStoreFile = "keystore";
- static String trustStoreFile = "truststore";
- static char[] passwd = "passphrase".toCharArray();
-
- static File PATH;
-
- private static KeyStore readKeyStore(String name) throws Exception {
- File file = new File(PATH, name);
- InputStream in = new FileInputStream(file);
- KeyStore ks = KeyStore.getInstance("JKS");
- ks.load(in, passwd);
- in.close();
- return ks;
- }
-
- public static void main(PeerFactory peerFactory, KeyStore keyStore,
- String[] args) throws Exception {
- long time = System.currentTimeMillis();
- String relPath;
- if ((args != null) && (args.length > 0) && args[0].equals("sh")) {
- relPath = pathToStoresSH;
- } else {
- relPath = pathToStores;
- }
- PATH = new File(System.getProperty("test.src", "."), relPath);
- CipherTest.peerFactory = peerFactory;
- System.out.print(
- "Initializing test '" + peerFactory.getName() + "'...");
-// secureRandom = new SecureRandom();
-// secureRandom.nextInt();
-// trustStore = readKeyStore(trustStoreFile);
- CipherTest.keyStore = keyStore;
-// keyStore = readKeyStore(keyStoreFile);
- KeyManagerFactory keyFactory =
- KeyManagerFactory.getInstance(
- KeyManagerFactory.getDefaultAlgorithm());
- keyFactory.init(keyStore, "test12".toCharArray());
- keyManager = (X509ExtendedKeyManager)keyFactory.getKeyManagers()[0];
-
- TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- tmf.init(keyStore);
- trustManager = (X509TrustManager)tmf.getTrustManagers()[0];
-
-// trustManager = new AlwaysTrustManager();
- SSLContext context = SSLContext.getInstance("TLS");
- context.init(new KeyManager[] {keyManager},
- new TrustManager[] {trustManager}, null);
- SSLContext.setDefault(context);
-
- CipherTest cipherTest = new CipherTest(peerFactory);
- Thread serverThread = new Thread(peerFactory.newServer(cipherTest),
- "Server");
- serverThread.setDaemon(true);
- serverThread.start();
- System.out.println("Done");
- cipherTest.run();
- time = System.currentTimeMillis() - time;
- System.out.println("Done. (" + time + " ms)");
- }
-
- static abstract class PeerFactory {
-
- abstract String getName();
-
- abstract Client newClient(CipherTest cipherTest) throws Exception;
-
- abstract Server newServer(CipherTest cipherTest) throws Exception;
-
- boolean isSupported(String cipherSuite, String protocol) {
- // skip kerberos cipher suites
- if (cipherSuite.startsWith("TLS_KRB5")) {
- System.out.println("Skipping unsupported test for " +
- cipherSuite + " of " + protocol);
- return false;
- }
-
- // No ECDH-capable certificate in key store. May restructure
- // this in the future.
- if (cipherSuite.contains("ECDHE_ECDSA") ||
- cipherSuite.contains("ECDH_ECDSA") ||
- cipherSuite.contains("ECDH_RSA")) {
- System.out.println("Skipping unsupported test for " +
- cipherSuite + " of " + protocol);
- return false;
- }
-
- // skip SSLv2Hello protocol
- //
- // skip TLSv1.2 protocol, we have not implement "SunTls12Prf" and
- // SunTls12RsaPremasterSecret in SunPKCS11 provider
- if (protocol.equals("SSLv2Hello") || protocol.equals("TLSv1.2")) {
- System.out.println("Skipping unsupported test for " +
- cipherSuite + " of " + protocol);
- return false;
- }
-
- // ignore exportable cipher suite for TLSv1.1
- if (protocol.equals("TLSv1.1")) {
- if (cipherSuite.indexOf("_EXPORT_WITH") != -1) {
- System.out.println("Skipping obsoleted test for " +
- cipherSuite + " of " + protocol);
- return false;
- }
- }
-
- return true;
- }
- }
-
-}
-
-// we currently don't do any chain verification. we assume that works ok
-// and we can speed up the test. we could also just add a plain certificate
-// chain comparision with our trusted certificates.
-class AlwaysTrustManager implements X509TrustManager {
-
- public AlwaysTrustManager() {
-
- }
-
- public void checkClientTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- // empty
- }
-
- public void checkServerTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- // empty
- }
-
- public X509Certificate[] getAcceptedIssuers() {
- return new X509Certificate[0];
- }
-}
-
-class MyX509KeyManager extends X509ExtendedKeyManager {
-
- private final X509ExtendedKeyManager keyManager;
- private String authType;
-
- MyX509KeyManager(X509ExtendedKeyManager keyManager) {
- this.keyManager = keyManager;
- }
-
- void setAuthType(String authType) {
- this.authType = authType;
- }
-
- public String[] getClientAliases(String keyType, Principal[] issuers) {
- if (authType == null) {
- return null;
- }
- return keyManager.getClientAliases(authType, issuers);
- }
-
- public String chooseClientAlias(String[] keyType, Principal[] issuers,
- Socket socket) {
- if (authType == null) {
- return null;
- }
- return keyManager.chooseClientAlias(new String[] {authType},
- issuers, socket);
- }
-
- public String chooseEngineClientAlias(String[] keyType,
- Principal[] issuers, SSLEngine engine) {
- if (authType == null) {
- return null;
- }
- return keyManager.chooseEngineClientAlias(new String[] {authType},
- issuers, engine);
- }
-
- public String[] getServerAliases(String keyType, Principal[] issuers) {
- throw new UnsupportedOperationException("Servers not supported");
- }
-
- public String chooseServerAlias(String keyType, Principal[] issuers,
- Socket socket) {
- throw new UnsupportedOperationException("Servers not supported");
- }
-
- public String chooseEngineServerAlias(String keyType, Principal[] issuers,
- SSLEngine engine) {
- throw new UnsupportedOperationException("Servers not supported");
- }
-
- public X509Certificate[] getCertificateChain(String alias) {
- return keyManager.getCertificateChain(alias);
- }
-
- public PrivateKey getPrivateKey(String alias) {
- return keyManager.getPrivateKey(alias);
- }
-
-}
-
-class DaemonThreadFactory implements ThreadFactory {
-
- final static ThreadFactory INSTANCE = new DaemonThreadFactory();
-
- private final static ThreadFactory DEFAULT = Executors.defaultThreadFactory();
-
- public Thread newThread(Runnable r) {
- Thread t = DEFAULT.newThread(r);
- t.setDaemon(true);
- return t;
- }
-
-}
--- a/test/jdk/sun/security/pkcs11/fips/ClientJSSEServerJSSE.java Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,92 +0,0 @@
-/*
- * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 6313675 6323647 8028192
- * @summary Verify that all ciphersuites work in FIPS mode
- * @library /test/lib ..
- * @author Andreas Sterbenz
- * @modules java.base/com.sun.net.ssl.internal.ssl
- * @run main/manual ClientJSSEServerJSSE
- */
-
-/*
- * JSSE supported cipher suites are changed with CR 6916074,
- * need to update this test case in JDK 7 soon
- */
-
-import java.security.*;
-
-// This test belongs more in JSSE than here, but the JSSE workspace does not
-// have the NSS test infrastructure. It will live here for the time being.
-
-public class ClientJSSEServerJSSE extends SecmodTest {
-
- public static void main(String[] args) throws Exception {
- if (initSecmod() == false) {
- return;
- }
-
- String arch = System.getProperty("os.arch");
- if (!("sparc".equals(arch) || "sparcv9".equals(arch))) {
- // we have not updated other platforms with the proper NSS
- // libraries yet
- System.out.println(
- "Test currently works only on solaris-sparc " +
- "and solaris-sparcv9. Skipping on " + arch);
- return;
- }
-
- String configName = BASE + SEP + "fips.cfg";
- Provider p = getSunPKCS11(configName);
-
- System.out.println(p);
- Security.addProvider(p);
-
- Security.removeProvider("SunJSSE");
- Provider jsse = new com.sun.net.ssl.internal.ssl.Provider(p);
- Security.addProvider(jsse);
- System.out.println(jsse.getInfo());
-
- KeyStore ks = KeyStore.getInstance("PKCS11", p);
- ks.load(null, "test12".toCharArray());
-
- CipherTest.main(new JSSEFactory(), ks, args);
- }
-
- private static class JSSEFactory extends CipherTest.PeerFactory {
-
- String getName() {
- return "Client JSSE - Server JSSE";
- }
-
- CipherTest.Client newClient(CipherTest cipherTest) throws Exception {
- return new JSSEClient(cipherTest);
- }
-
- CipherTest.Server newServer(CipherTest cipherTest) throws Exception {
- return new JSSEServer(cipherTest);
- }
- }
-}
--- a/test/jdk/sun/security/pkcs11/fips/ImportKeyStore.java Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,90 +0,0 @@
-/*
- * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.*;
-import java.util.*;
-
-import java.security.*;
-import java.security.KeyStore.*;
-import java.security.cert.*;
-
-/**
-
-This is an approximation of the process used to create the *.db files
-in this directory.
-
-setenv LD_LIBRARY_PATH $WS/test/sun/security/pkcs11/nss/lib/solaris-sparc
-modutil -create -dbdir .
-modutil -changepw "NSS Internal PKCS #11 Module" -dbdir .
-
-$JHOME/bin/keytool -list -storetype PKCS11 -addprovider SunPKCS11 -providerarg "--name=NSS\nnssSecmodDirectory=." -v -storepass test12
-
-modutil -fips true -dbdir .
-
-*/
-
-public class ImportKeyStore {
-
- public static void main(String[] args) throws Exception {
- String nssCfg = "--name=NSS\nnssSecmodDirectory=.\n ";
-// "attributes(*,CKO_PRIVATE_KEY,CKK_DSA) = { CKA_NETSCAPE_DB = 0h00 }";
- Provider p = Security.getProvider("SunPKCS11");
- p.configure(nssCfg);
-
- KeyStore ks = KeyStore.getInstance("PKCS11", p);
- ks.load(null, "test12".toCharArray());
- System.out.println("Aliases: " + Collections.list(ks.aliases()));
- System.out.println();
-
- char[] srcpw = "passphrase".toCharArray();
-// importKeyStore("truststore", srcpw, ks);
- importKeyStore("keystore", srcpw, ks);
-
- System.out.println("OK.");
- }
-
- private static void importKeyStore(String filename, char[] passwd, KeyStore dstks) throws Exception {
- System.out.println("Importing JKS KeyStore " + filename);
- InputStream in = new FileInputStream(filename);
- KeyStore srcks = KeyStore.getInstance("JKS");
- srcks.load(in, passwd);
- in.close();
- List<String> aliases = Collections.list(srcks.aliases());
- for (String alias : aliases) {
- System.out.println("Alias: " + alias);
- if (srcks.isCertificateEntry(alias)) {
- X509Certificate cert = (X509Certificate)srcks.getCertificate(alias);
- System.out.println(" Certificate: " + cert.getSubjectX500Principal());
- dstks.setCertificateEntry(alias + "-cert", cert);
- } else if (srcks.isKeyEntry(alias)) {
- PrivateKeyEntry entry = (PrivateKeyEntry)srcks.getEntry(alias, new PasswordProtection(passwd));
- System.out.println(" Key: " + entry.getPrivateKey().toString().split("\n")[0]);
- dstks.setEntry(alias, entry, null);
- } else {
- System.out.println(" Unknown entry: " + alias);
- }
- }
- System.out.println();
- }
-
-}
--- a/test/jdk/sun/security/pkcs11/fips/JSSEClient.java Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,93 +0,0 @@
-/*
- * Copyright (c) 2002, 2005, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.*;
-import java.net.*;
-import java.util.*;
-
-import java.security.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-
-import javax.net.ssl.*;
-
-class JSSEClient extends CipherTest.Client {
-
- private final SSLContext sslContext;
- private final MyX509KeyManager keyManager;
-
- JSSEClient(CipherTest cipherTest) throws Exception {
- super(cipherTest);
- this.keyManager = new MyX509KeyManager(CipherTest.keyManager);
- sslContext = SSLContext.getInstance("TLS");
- }
-
- void runTest(CipherTest.TestParameters params) throws Exception {
- SSLSocket socket = null;
- try {
- keyManager.setAuthType(params.clientAuth);
- sslContext.init(new KeyManager[] {CipherTest.keyManager}, new TrustManager[] {cipherTest.trustManager}, cipherTest.secureRandom);
- SSLSocketFactory factory = (SSLSocketFactory)sslContext.getSocketFactory();
- socket = (SSLSocket)factory.createSocket("127.0.0.1", cipherTest.serverPort);
- socket.setSoTimeout(cipherTest.TIMEOUT);
- socket.setEnabledCipherSuites(new String[] {params.cipherSuite});
- socket.setEnabledProtocols(new String[] {params.protocol});
- InputStream in = socket.getInputStream();
- OutputStream out = socket.getOutputStream();
- sendRequest(in, out);
- socket.close();
- SSLSession session = socket.getSession();
- session.invalidate();
- String cipherSuite = session.getCipherSuite();
- if (params.cipherSuite.equals(cipherSuite) == false) {
- throw new Exception("Negotiated ciphersuite mismatch: " + cipherSuite + " != " + params.cipherSuite);
- }
- String protocol = session.getProtocol();
- if (params.protocol.equals(protocol) == false) {
- throw new Exception("Negotiated protocol mismatch: " + protocol + " != " + params.protocol);
- }
- if (cipherSuite.indexOf("DH_anon") == -1) {
- session.getPeerCertificates();
- }
- Certificate[] certificates = session.getLocalCertificates();
- if (params.clientAuth == null) {
- if (certificates != null) {
- throw new Exception("Local certificates should be null");
- }
- } else {
- if ((certificates == null) || (certificates.length == 0)) {
- throw new Exception("Certificates missing");
- }
- String keyAlg = certificates[0].getPublicKey().getAlgorithm();
- if (params.clientAuth != keyAlg) {
- throw new Exception("Certificate type mismatch: " + keyAlg + " != " + params.clientAuth);
- }
- }
- } finally {
- if (socket != null) {
- socket.close();
- }
- }
- }
-
-}
--- a/test/jdk/sun/security/pkcs11/fips/JSSEServer.java Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,93 +0,0 @@
-/*
- * Copyright (c) 2002, 2005, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.*;
-import java.net.*;
-import java.util.*;
-import java.util.concurrent.*;
-
-import java.security.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-
-import javax.net.ssl.*;
-
-class JSSEServer extends CipherTest.Server {
-
- SSLServerSocket serverSocket;
-
- JSSEServer(CipherTest cipherTest) throws Exception {
- super(cipherTest);
- SSLContext serverContext = SSLContext.getInstance("TLS");
- serverContext.init(new KeyManager[] {cipherTest.keyManager}, new TrustManager[] {cipherTest.trustManager}, cipherTest.secureRandom);
-
- SSLServerSocketFactory factory = (SSLServerSocketFactory)serverContext.getServerSocketFactory();
- serverSocket = (SSLServerSocket)factory.createServerSocket(cipherTest.serverPort);
- cipherTest.serverPort = serverSocket.getLocalPort();
- serverSocket.setEnabledCipherSuites(factory.getSupportedCipherSuites());
-// serverSocket.setWantClientAuth(true);
- }
-
- public void run() {
- System.out.println("JSSE Server listening on port " + cipherTest.serverPort);
- Executor exec = Executors.newFixedThreadPool
- (cipherTest.THREADS, DaemonThreadFactory.INSTANCE);
- try {
- while (true) {
- final SSLSocket socket = (SSLSocket)serverSocket.accept();
- socket.setSoTimeout(cipherTest.TIMEOUT);
- Runnable r = new Runnable() {
- public void run() {
- try {
- InputStream in = socket.getInputStream();
- OutputStream out = socket.getOutputStream();
- handleRequest(in, out);
- out.flush();
- socket.close();
- socket.getSession().invalidate();
- } catch (IOException e) {
- cipherTest.setFailed();
- e.printStackTrace();
- } finally {
- if (socket != null) {
- try {
- socket.close();
- } catch (IOException e) {
- cipherTest.setFailed();
- System.out.println("Exception closing socket on server side:");
- e.printStackTrace();
- }
- }
- }
- }
- };
- exec.execute(r);
- }
- } catch (IOException e) {
- cipherTest.setFailed();
- e.printStackTrace();
- //
- }
- }
-
-}
--- a/test/jdk/sun/security/pkcs11/fips/TestTLS12.java Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,453 +0,0 @@
-/*
- * Copyright (c) 2018, Red Hat, Inc.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 8029661
- * @summary Test TLS 1.2
- * @modules java.base/sun.security.internal.spec
- * java.base/sun.security.util
- * java.base/com.sun.net.ssl.internal.ssl
- * java.base/com.sun.crypto.provider
- * @library /test/lib ..
- * @run main/othervm/timeout=120 TestTLS12
- */
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.InputStream;
-import java.nio.ByteBuffer;
-
-import java.security.interfaces.RSAPrivateKey;
-import java.security.interfaces.RSAPublicKey;
-import java.security.KeyStore;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.SecureRandom;
-import java.security.Security;
-
-import java.util.Arrays;
-
-import javax.crypto.Cipher;
-import javax.crypto.KeyGenerator;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLEngineResult;
-import javax.net.ssl.SSLEngineResult.HandshakeStatus;
-import javax.net.ssl.SSLParameters;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManagerFactory;
-
-import sun.security.internal.spec.TlsMasterSecretParameterSpec;
-import sun.security.internal.spec.TlsPrfParameterSpec;
-import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec;
-
-public final class TestTLS12 extends SecmodTest {
-
- private static final boolean enableDebug = true;
-
- private static Provider sunPKCS11NSSProvider;
- private static Provider sunJCEProvider;
- private static com.sun.net.ssl.internal.ssl.Provider jsseProvider;
- private static KeyStore ks;
- private static KeyStore ts;
- private static char[] passphrase = "JAHshj131@@".toCharArray();
- private static RSAPrivateKey privateKey;
- private static RSAPublicKey publicKey;
-
- public static void main(String[] args) throws Exception {
- try {
- initialize();
- } catch (Exception e) {
- System.out.println("Test skipped: failure during" +
- " initialization");
- return;
- }
-
- if (shouldRun()) {
- // Test against JCE
- testTlsAuthenticationCodeGeneration();
-
- // Self-integrity test (complete TLS 1.2 communication)
- new testTLS12SunPKCS11Communication().run();
-
- System.out.println("Test PASS - OK");
- } else {
- System.out.println("Test skipped: TLS 1.2 mechanisms" +
- " not supported by current SunPKCS11 back-end");
- }
- }
-
- private static boolean shouldRun() {
- if (sunPKCS11NSSProvider == null) {
- return false;
- }
- try {
- KeyGenerator.getInstance("SunTls12MasterSecret",
- sunPKCS11NSSProvider);
- KeyGenerator.getInstance(
- "SunTls12RsaPremasterSecret", sunPKCS11NSSProvider);
- KeyGenerator.getInstance("SunTls12Prf", sunPKCS11NSSProvider);
- } catch (NoSuchAlgorithmException e) {
- return false;
- }
- return true;
- }
-
- private static void testTlsAuthenticationCodeGeneration()
- throws Exception {
- // Generate RSA Pre-Master Secret in SunPKCS11 provider
- SecretKey rsaPreMasterSecret = null;
- @SuppressWarnings("deprecation")
- TlsRsaPremasterSecretParameterSpec rsaPreMasterSecretSpec =
- new TlsRsaPremasterSecretParameterSpec(0x0303, 0x0303);
- {
- KeyGenerator rsaPreMasterSecretKG = KeyGenerator.getInstance(
- "SunTls12RsaPremasterSecret", sunPKCS11NSSProvider);
- rsaPreMasterSecretKG.init(rsaPreMasterSecretSpec, null);
- rsaPreMasterSecret = rsaPreMasterSecretKG.generateKey();
- }
-
- // Get RSA Pre-Master Secret in plain (from SunPKCS11 provider)
- byte[] rsaPlainPreMasterSecret = null;
- {
- Cipher rsaPreMasterSecretWrapperCipher =
- Cipher.getInstance("RSA/ECB/PKCS1Padding",
- sunPKCS11NSSProvider);
- rsaPreMasterSecretWrapperCipher.init(Cipher.WRAP_MODE, publicKey,
- new SecureRandom());
- byte[] rsaEncryptedPreMasterSecret =
- rsaPreMasterSecretWrapperCipher.wrap(rsaPreMasterSecret);
- Cipher rsaPreMasterSecretUnwrapperCipher =
- Cipher.getInstance("RSA/ECB/PKCS1Padding", sunJCEProvider);
- rsaPreMasterSecretUnwrapperCipher.init(Cipher.UNWRAP_MODE,
- privateKey, rsaPreMasterSecretSpec);
- rsaPlainPreMasterSecret = rsaPreMasterSecretUnwrapperCipher.unwrap(
- rsaEncryptedPreMasterSecret, "TlsRsaPremasterSecret",
- Cipher.SECRET_KEY).getEncoded();
-
- if (enableDebug) {
- System.out.println("rsaPlainPreMasterSecret:");
- for (byte b : rsaPlainPreMasterSecret) {
- System.out.printf("%02X, ", b);
- }
- System.out.println("");
- }
- }
-
- // Generate Master Secret
- SecretKey sunPKCS11MasterSecret = null;
- SecretKey jceMasterSecret = null;
- {
- KeyGenerator sunPKCS11MasterSecretGenerator =
- KeyGenerator.getInstance("SunTls12MasterSecret",
- sunPKCS11NSSProvider);
- KeyGenerator jceMasterSecretGenerator = KeyGenerator.getInstance(
- "SunTls12MasterSecret", sunJCEProvider);
- @SuppressWarnings("deprecation")
- TlsMasterSecretParameterSpec sunPKCS11MasterSecretSpec =
- new TlsMasterSecretParameterSpec(rsaPreMasterSecret, 3, 3,
- new byte[32], new byte[32], "SHA-256", 32, 64);
- @SuppressWarnings("deprecation")
- TlsMasterSecretParameterSpec jceMasterSecretSpec =
- new TlsMasterSecretParameterSpec(
- new SecretKeySpec(rsaPlainPreMasterSecret,
- "Generic"), 3, 3, new byte[32],
- new byte[32], "SHA-256", 32, 64);
- sunPKCS11MasterSecretGenerator.init(sunPKCS11MasterSecretSpec,
- null);
- jceMasterSecretGenerator.init(jceMasterSecretSpec, null);
- sunPKCS11MasterSecret =
- sunPKCS11MasterSecretGenerator.generateKey();
- jceMasterSecret = jceMasterSecretGenerator.generateKey();
- if (enableDebug) {
- System.out.println("Master Secret (SunJCE):");
- if (jceMasterSecret != null) {
- for (byte b : jceMasterSecret.getEncoded()) {
- System.out.printf("%02X, ", b);
- }
- System.out.println("");
- }
- }
- }
-
- // Generate authentication codes
- byte[] sunPKCS11AuthenticationCode = null;
- byte[] jceAuthenticationCode = null;
- {
- // Generate SunPKCS11 authentication code
- {
- @SuppressWarnings("deprecation")
- TlsPrfParameterSpec sunPKCS11AuthenticationCodeSpec =
- new TlsPrfParameterSpec(sunPKCS11MasterSecret,
- "client finished", "a".getBytes(), 12,
- "SHA-256", 32, 64);
- KeyGenerator sunPKCS11AuthCodeGenerator =
- KeyGenerator.getInstance("SunTls12Prf",
- sunPKCS11NSSProvider);
- sunPKCS11AuthCodeGenerator.init(
- sunPKCS11AuthenticationCodeSpec);
- sunPKCS11AuthenticationCode =
- sunPKCS11AuthCodeGenerator.generateKey().getEncoded();
- }
-
- // Generate SunJCE authentication code
- {
- @SuppressWarnings("deprecation")
- TlsPrfParameterSpec jceAuthenticationCodeSpec =
- new TlsPrfParameterSpec(jceMasterSecret,
- "client finished", "a".getBytes(), 12,
- "SHA-256", 32, 64);
- KeyGenerator jceAuthCodeGenerator =
- KeyGenerator.getInstance("SunTls12Prf",
- sunJCEProvider);
- jceAuthCodeGenerator.init(jceAuthenticationCodeSpec);
- jceAuthenticationCode =
- jceAuthCodeGenerator.generateKey().getEncoded();
- }
-
- if (enableDebug) {
- System.out.println("SunPKCS11 Authentication Code: ");
- for (byte b : sunPKCS11AuthenticationCode) {
- System.out.printf("%02X, ", b);
- }
- System.out.println("");
- System.out.println("SunJCE Authentication Code: ");
- for (byte b : jceAuthenticationCode) {
- System.out.printf("%02X, ", b);
- }
- System.out.println("");
- }
- }
-
- if (sunPKCS11AuthenticationCode == null ||
- jceAuthenticationCode == null ||
- sunPKCS11AuthenticationCode.length == 0 ||
- jceAuthenticationCode.length == 0 ||
- !Arrays.equals(sunPKCS11AuthenticationCode,
- jceAuthenticationCode)) {
- throw new Exception("Authentication codes from JCE" +
- " and SunPKCS11 differ.");
- }
- }
-
- private static class testTLS12SunPKCS11Communication {
- public static void run() throws Exception {
- SSLEngine[][] enginesToTest = getSSLEnginesToTest();
-
- for (SSLEngine[] engineToTest : enginesToTest) {
-
- SSLEngine clientSSLEngine = engineToTest[0];
- SSLEngine serverSSLEngine = engineToTest[1];
-
- // SSLEngine code based on RedhandshakeFinished.java
-
- boolean dataDone = false;
-
- ByteBuffer clientOut = null;
- ByteBuffer clientIn = null;
- ByteBuffer serverOut = null;
- ByteBuffer serverIn = null;
- ByteBuffer cTOs;
- ByteBuffer sTOc;
-
- SSLSession session = clientSSLEngine.getSession();
- int appBufferMax = session.getApplicationBufferSize();
- int netBufferMax = session.getPacketBufferSize();
-
- clientIn = ByteBuffer.allocate(appBufferMax + 50);
- serverIn = ByteBuffer.allocate(appBufferMax + 50);
-
- cTOs = ByteBuffer.allocateDirect(netBufferMax);
- sTOc = ByteBuffer.allocateDirect(netBufferMax);
-
- clientOut = ByteBuffer.wrap(
- "Hi Server, I'm Client".getBytes());
- serverOut = ByteBuffer.wrap(
- "Hello Client, I'm Server".getBytes());
-
- SSLEngineResult clientResult;
- SSLEngineResult serverResult;
-
- while (!dataDone) {
- clientResult = clientSSLEngine.wrap(clientOut, cTOs);
- runDelegatedTasks(clientResult, clientSSLEngine);
- serverResult = serverSSLEngine.wrap(serverOut, sTOc);
- runDelegatedTasks(serverResult, serverSSLEngine);
- cTOs.flip();
- sTOc.flip();
-
- if (enableDebug) {
- System.out.println("Client -> Network");
- printTlsNetworkPacket("", cTOs);
- System.out.println("");
- System.out.println("Server -> Network");
- printTlsNetworkPacket("", sTOc);
- System.out.println("");
- }
-
- clientResult = clientSSLEngine.unwrap(sTOc, clientIn);
- runDelegatedTasks(clientResult, clientSSLEngine);
- serverResult = serverSSLEngine.unwrap(cTOs, serverIn);
- runDelegatedTasks(serverResult, serverSSLEngine);
-
- cTOs.compact();
- sTOc.compact();
-
- if (!dataDone &&
- (clientOut.limit() == serverIn.position()) &&
- (serverOut.limit() == clientIn.position())) {
- checkTransfer(serverOut, clientIn);
- checkTransfer(clientOut, serverIn);
- dataDone = true;
- }
- }
- }
- }
-
- static void printTlsNetworkPacket(String prefix, ByteBuffer bb) {
- ByteBuffer slice = bb.slice();
- byte[] buffer = new byte[slice.remaining()];
- slice.get(buffer);
- for (int i = 0; i < buffer.length; i++) {
- System.out.printf("%02X, ", (byte)(buffer[i] & (byte)0xFF));
- if (i % 8 == 0 && i % 16 != 0) {
- System.out.print(" ");
- }
- if (i % 16 == 0) {
- System.out.println("");
- }
- }
- System.out.flush();
- }
-
- private static void checkTransfer(ByteBuffer a, ByteBuffer b)
- throws Exception {
- a.flip();
- b.flip();
- if (!a.equals(b)) {
- throw new Exception("Data didn't transfer cleanly");
- }
- a.position(a.limit());
- b.position(b.limit());
- a.limit(a.capacity());
- b.limit(b.capacity());
- }
-
- private static void runDelegatedTasks(SSLEngineResult result,
- SSLEngine engine) throws Exception {
-
- if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
- Runnable runnable;
- while ((runnable = engine.getDelegatedTask()) != null) {
- runnable.run();
- }
- HandshakeStatus hsStatus = engine.getHandshakeStatus();
- if (hsStatus == HandshakeStatus.NEED_TASK) {
- throw new Exception(
- "handshake shouldn't need additional tasks");
- }
- }
- }
-
- private static SSLEngine[][] getSSLEnginesToTest() throws Exception {
- SSLEngine[][] enginesToTest = new SSLEngine[2][2];
- String[][] preferredSuites = new String[][]{ new String[] {
- "TLS_RSA_WITH_AES_128_CBC_SHA256"
- }, new String[] {
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
- }};
- for (int i = 0; i < enginesToTest.length; i++) {
- enginesToTest[i][0] = createSSLEngine(true);
- enginesToTest[i][1] = createSSLEngine(false);
- enginesToTest[i][0].setEnabledCipherSuites(preferredSuites[i]);
- enginesToTest[i][1].setEnabledCipherSuites(preferredSuites[i]);
- }
- return enginesToTest;
- }
-
- static private SSLEngine createSSLEngine(boolean client)
- throws Exception {
- SSLEngine ssle;
- KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX",
- jsseProvider);
- kmf.init(ks, passphrase);
-
- TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX",
- jsseProvider);
- tmf.init(ts);
-
- SSLContext sslCtx = SSLContext.getInstance("TLSv1.2",
- jsseProvider);
- sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
- ssle = sslCtx.createSSLEngine("localhost", 443);
- ssle.setUseClientMode(client);
- SSLParameters sslParameters = ssle.getSSLParameters();
- ssle.setSSLParameters(sslParameters);
-
- return ssle;
- }
- }
-
- private static void initialize() throws Exception {
- if (initSecmod() == false) {
- return;
- }
- String configName = BASE + SEP + "fips.cfg";
- sunPKCS11NSSProvider = getSunPKCS11(configName);
- System.out.println("SunPKCS11 provider: " + sunPKCS11NSSProvider);
- Security.addProvider(sunPKCS11NSSProvider);
-
- sunJCEProvider = new com.sun.crypto.provider.SunJCE();
- Security.addProvider(sunJCEProvider);
-
- Security.removeProvider("SunJSSE");
- jsseProvider =new com.sun.net.ssl.internal.ssl.Provider(
- sunPKCS11NSSProvider);
- Security.addProvider(jsseProvider);
- System.out.println(jsseProvider.getInfo());
-
- ks = KeyStore.getInstance("PKCS11", sunPKCS11NSSProvider);
- ks.load(null, "test12".toCharArray());
- ts = ks;
-
- KeyStore ksPlain = readTestKeyStore();
- privateKey = (RSAPrivateKey)ksPlain.getKey("rh_rsa_sha256",
- passphrase);
- publicKey = (RSAPublicKey)ksPlain.getCertificate(
- "rh_rsa_sha256").getPublicKey();
- }
-
- private static KeyStore readTestKeyStore() throws Exception {
- File file = new File(System.getProperty("test.src", "."), "keystore");
- InputStream in = new FileInputStream(file);
- KeyStore ks = KeyStore.getInstance("JKS");
- ks.load(in, "passphrase".toCharArray());
- in.close();
- return ks;
- }
-}
\ No newline at end of file
--- a/test/jdk/sun/security/pkcs11/fips/TrustManagerTest.java Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,111 +0,0 @@
-/*
- * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 6323647
- * @summary Verify that the SunJSSE trustmanager works correctly in FIPS mode
- * @author Andreas Sterbenz
- * @library /test/lib ..
- * @modules java.base/com.sun.net.ssl.internal.ssl
- * @run main/othervm TrustManagerTest
- * @run main/othervm TrustManagerTest sm TrustManagerTest.policy
- */
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.InputStream;
-import java.security.KeyStore;
-import java.security.Policy;
-import java.security.Provider;
-import java.security.Security;
-import java.security.URIParameter;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
-
-// This test belongs more in JSSE than here, but the JSSE workspace does not
-// have the NSS test infrastructure. It will live here for the time being.
-
-public class TrustManagerTest extends SecmodTest {
-
- public static void main(String[] args) throws Exception {
- if (initSecmod() == false) {
- return;
- }
-
- if ("sparc".equals(System.getProperty("os.arch")) == false) {
- // we have not updated other platforms with the proper NSS libraries yet
- System.out.println("Test currently works only on solaris-sparc, skipping");
- return;
- }
-
- String configName = BASE + SEP + "fips.cfg";
- Provider p = getSunPKCS11(configName);
-
- System.out.println(p);
- Security.addProvider(p);
-
- Security.removeProvider("SunJSSE");
- Provider jsse = new com.sun.net.ssl.internal.ssl.Provider(p);
- Security.addProvider(jsse);
- System.out.println(jsse.getInfo());
-
- KeyStore ks = KeyStore.getInstance("PKCS11", p);
- ks.load(null, "test12".toCharArray());
-
- X509Certificate server = loadCertificate("certs/server.cer");
- X509Certificate ca = loadCertificate("certs/ca.cer");
- X509Certificate anchor = loadCertificate("certs/anchor.cer");
-
- if (args.length > 1 && "sm".equals(args[0])) {
- Policy.setPolicy(Policy.getInstance("JavaPolicy",
- new URIParameter(new File(BASE, args[1]).toURI())));
- System.setSecurityManager(new SecurityManager());
- }
-
- KeyStore trustStore = KeyStore.getInstance("JKS");
- trustStore.load(null, null);
- trustStore.setCertificateEntry("anchor", anchor);
-
- TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
- tmf.init(trustStore);
-
- X509TrustManager tm = (X509TrustManager)tmf.getTrustManagers()[0];
-
- X509Certificate[] chain = {server, ca, anchor};
-
- tm.checkServerTrusted(chain, "RSA");
-
- System.out.println("OK");
- }
-
- private static X509Certificate loadCertificate(String name) throws Exception {
- try (InputStream in = new FileInputStream(BASE + SEP + name)) {
- return (X509Certificate) CertificateFactory.getInstance("X.509")
- .generateCertificate(in);
- }
- }
-
-}
--- a/test/jdk/sun/security/pkcs11/fips/TrustManagerTest.policy Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,3 +0,0 @@
-grant {
-
-};
\ No newline at end of file
Binary file test/jdk/sun/security/pkcs11/fips/cert8.db has changed
Binary file test/jdk/sun/security/pkcs11/fips/certs/anchor.cer has changed
Binary file test/jdk/sun/security/pkcs11/fips/certs/ca.cer has changed
Binary file test/jdk/sun/security/pkcs11/fips/certs/server.cer has changed
--- a/test/jdk/sun/security/pkcs11/fips/fips.cfg Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-
-name = NSSKeyStore
-
-nssSecmodDirectory = ${pkcs11test.nss.db}
-
-nssLibraryDirectory = ${pkcs11test.nss.libdir}
-
-nssModule = fips
-
-# NSS needs CKA_NETSCAPE_DB for DSA and DH private keys
-# just put an arbitrary value in there to make it happy
-
-attributes(*,CKO_PRIVATE_KEY,CKK_DSA) = {
- CKA_NETSCAPE_DB = 0h00
-}
-
-attributes(*,CKO_PRIVATE_KEY,CKK_DH) = {
- CKA_NETSCAPE_DB = 0h00
-}
Binary file test/jdk/sun/security/pkcs11/fips/key3.db has changed
Binary file test/jdk/sun/security/pkcs11/fips/keystore has changed
Binary file test/jdk/sun/security/pkcs11/fips/secmod.db has changed
Binary file test/jdk/sun/security/pkcs11/fips/truststore has changed