check the sslcontext

src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java

@@ -909,9 +909,13 @@ private static final class DefaultManagersHolder {
  Exception reserved = null;
  TrustManager[] tmMediator = null;
  try {
+ System.out.println("start getTrustManagers in DefaultManagersHolder.");
  tmMediator = getTrustManagers();
  } catch (Exception e) {
+ System.out.println("start getTrustManagers in DefaultManagersHolder but failed");
  reserved = e;
+ System.out.println("Exception message is: ");
+ reserved.printStackTrace();
  if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
  SSLLogger.warning(
  "Failed to load default trust managers", e);
@@ -920,6 +924,7 @@ private static final class DefaultManagersHolder {
 
  KeyManager[] kmMediator = null;
  if (reserved == null) {
+ System.out.println("reserved is null");
  try {
  kmMediator = getKeyManagers();
  } catch (Exception e) {
@@ -932,6 +937,7 @@ private static final class DefaultManagersHolder {
  }
 
  if (reserved != null) {
+ System.out.println("reserved is not null");
  trustManagers = new TrustManager[0];
  keyManagers = new KeyManager[0];
 
@@ -951,14 +957,17 @@ private static final class DefaultManagersHolder {
  private static TrustManager[] getTrustManagers() throws Exception {
  TrustManagerFactory tmf = TrustManagerFactory.getInstance(
  TrustManagerFactory.getDefaultAlgorithm());
+ System.out.println("The TrustManagerFactory provider is: " + tmf.getProvider().getName());
  if ("SunJSSE".equals(tmf.getProvider().getName())) {
  // The implementation will load the default KeyStore
  // automatically. Cached trust materials may be used
  // for performance improvement.
+ System.out.println("It's SunJSSE.");
  tmf.init((KeyStore)null);
  } else {
  // Use the explicitly specified KeyStore for third party's
  // TrustManagerFactory implementation.
+ System.out.println("It's not SunJSSE.");
  KeyStore ks = TrustStoreManager.getTrustedKeyStore();
  tmf.init(ks);
  }

src/java.base/share/conf/security/java.security

@@ -201,8 +201,15 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.jce.provider.2 = SUN [{CertificateF
  {CertStore, Collection, ImplementedIn=Software}, \
  {CertStore, com.sun.security.IndexedCollection, ImplementedIn=Software}, \
  {Configuration, JavaLoginConfig, *}, \
+ {KeyStore, PKCS12, *}, \
  {Policy, JavaPolicy, *}]
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.jce.provider.3 = SunJSSE
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.jce.provider.4 = SunJCE [{AlgorithmParameters, PBES2, *}, \
+ {AlgorithmParameters, PBEWithHmacSHA256AndAES_256, *}, \
+ {SecretKeyFactory, PBEWithMD5AndDES, *}, \
+ {SecretKeyFactory, PBKDF2WithHmacSHA256, *}, \
+ {Cipher, PBEWithHmacSHA256AndAES_256, *}, \
+ {Mac, HmacPBESHA256, *}]
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.javax.net.ssl.keyStore = NONE
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.securerandom.provider = OpenJCEPlusFIPS
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.securerandom.algorithm = SHA512DRBG

test/jdk/javax/net/ssl/DTLS/CipherSuite.java

@@ -61,10 +61,15 @@ public class CipherSuite extends DTLSOverDatagram {
  volatile static String cipherSuite;
 
  public static void main(String[] args) throws Exception {
- if (args.length > 1 && "re-enable".equals(args[1])) {
- Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ if (!NetSslUtils.isFIPS_140_3()) {
+ if (args.length > 1 && "re-enable".equals(args[1])) {
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ }
  }
 
+ if (!NetSslUtils.TLS_CIPHERSUITES.contains(args[0])) {
+ return;
+ }
  cipherSuite = args[0];
 
  CipherSuite testCase = new CipherSuite();

test/jdk/javax/net/ssl/DTLS/NetSslUtils.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+ import java.security.Security;
+ import java.security.Provider;
+ import java.util.List;
+ import java.util.ArrayList;
+
+ public class NetSslUtils {
+
+ private static boolean isFIPS = false;
+
+ public static final List<String> TLS_PROTOCOLS = new ArrayList<>();
+ public static final List<String> TLS_CIPHERSUITES = new ArrayList<>();
+
+ public static boolean isFIPS_140_3() {
+ for (Provider p : Security.getProviders()) {
+ System.out.println(p.getName());
+ if (p.getName().equals("OpenJCEPlusFIPS")) {
+ isFIPS = true;
+ }
+ }
+ return isFIPS;
+ }
+
+ static {
+ TLS_PROTOCOLS.add("TLSv1.2");
+ TLS_PROTOCOLS.add("TLSv1.3");
+
+ TLS_CIPHERSUITES.add("TLS_AES_128_GCM_SHA256");
+ TLS_CIPHERSUITES.add("TLS_AES_256_GCM_SHA384");
+ TLS_CIPHERSUITES.add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
+ TLS_CIPHERSUITES.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
+ TLS_CIPHERSUITES.add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
+ TLS_CIPHERSUITES.add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
+ TLS_CIPHERSUITES.add("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
+ TLS_CIPHERSUITES.add("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256");
+ TLS_CIPHERSUITES.add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384");
+ TLS_CIPHERSUITES.add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
+ TLS_CIPHERSUITES.add("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256");
+ TLS_CIPHERSUITES.add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
+ TLS_CIPHERSUITES.add("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256");
+ TLS_CIPHERSUITES.add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256");
+ TLS_CIPHERSUITES.add("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384");
+ TLS_CIPHERSUITES.add("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384");
+ TLS_CIPHERSUITES.add("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256");
+ TLS_CIPHERSUITES.add("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256");
+ TLS_CIPHERSUITES.add("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384");
+ TLS_CIPHERSUITES.add("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384");
+ TLS_CIPHERSUITES.add("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256");
+ TLS_CIPHERSUITES.add("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256");
+ }
+ }

test/jdk/javax/net/ssl/SSLEngine/ArgCheck.java

@@ -255,8 +255,17 @@ static private SSLEngine createSSLEngine(String keyFile, String trustFile)
 
  SSLEngine ssle;
 
- KeyStore ks = KeyStore.getInstance("JKS");
- KeyStore ts = KeyStore.getInstance("JKS");
+ KeyStore ks;
+ KeyStore ts;
+
+ if (!NetSslUtils.isFIPS_140_3()) {
+ ks = KeyStore.getInstance("JKS");
+ ts = KeyStore.getInstance("JKS");
+ } else {
+ ks = KeyStore.getInstance("PKCS12");
+ ts = KeyStore.getInstance("PKCS12");
+ }
+ ks.load(null, null);
 
  char[] passphrase = "passphrase".toCharArray();
 

test/jdk/javax/net/ssl/SSLEngine/Arrays.java

@@ -221,8 +221,17 @@ public Arrays() throws Exception {
  private SSLContext getSSLContext(String keyFile, String trustFile)
  throws Exception {
 
- KeyStore ks = KeyStore.getInstance("JKS");
- KeyStore ts = KeyStore.getInstance("JKS");
+
+ KeyStore ks;
+ KeyStore ts;
+
+ if (!NetSslUtils.isFIPS_140_3()) {
+ ks = KeyStore.getInstance("JKS");
+ ts = KeyStore.getInstance("JKS");
+ } else {
+ ks = KeyStore.getInstance("PKCS12");
+ ts = KeyStore.getInstance("PKCS12");
+ }
 
  char[] passphrase = "passphrase".toCharArray();
 

test/jdk/javax/net/ssl/SSLEngine/Basics.java

@@ -57,18 +57,29 @@ public class Basics {
  "/" + TRUSTSTORE_FILE;
 
  public static void main(String[] args) throws Exception {
- SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
+ if (!NetSslUtils.isFIPS_140_3()) {
+ SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
+ runTest("TLSv1.1", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA");
+ }
 
  runTest("TLSv1.3", "TLS_AES_256_GCM_SHA384");
  runTest("TLSv1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384");
- runTest("TLSv1.1", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA");
  }
 
  private static void runTest(String protocol, String cipherSuite) throws Exception {
  System.out.printf("Testing %s with %s%n", protocol, cipherSuite);
 
- KeyStore ks = KeyStore.getInstance("JKS");
- KeyStore ts = KeyStore.getInstance("JKS");
+ KeyStore ks;
+ KeyStore ts;
+
+ if (!NetSslUtils.isFIPS_140_3()) {
+ ks = KeyStore.getInstance("JKS");
+ ts = KeyStore.getInstance("JKS");
+ } else {
+ ks = KeyStore.getInstance("PKCS12");
+ ts = KeyStore.getInstance("PKCS12");
+ }
+
  char[] passphrase = "passphrase".toCharArray();
 
  ks.load(new FileInputStream(KEYSTORE_PATH), passphrase);

test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java

@@ -652,8 +652,16 @@ public CheckTlsEngineResults() throws Exception {
  private SSLContext getSSLContext(String keyFile, String trustFile)
  throws Exception {
 
- KeyStore ks = KeyStore.getInstance("JKS");
- KeyStore ts = KeyStore.getInstance("JKS");
+ KeyStore ks;
+ KeyStore ts;
+
+ if (!NetSslUtils.isFIPS_140_3()) {
+ ks = KeyStore.getInstance("JKS");
+ ts = KeyStore.getInstance("JKS");
+ } else {
+ ks = KeyStore.getInstance("PKCS12");
+ ts = KeyStore.getInstance("PKCS12");
+ }
 
  char[] passphrase = "passphrase".toCharArray();
 

test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java

@@ -91,8 +91,17 @@ public ConnectionTest(String enabledProtocol, String enabledCipherSuite)
  }
 
  private SSLContext getSSLContext() throws Exception {
- KeyStore ks = KeyStore.getInstance("JKS");
- KeyStore ts = KeyStore.getInstance("JKS");
+ KeyStore ks;
+ KeyStore ts;
+
+ if (!NetSslUtils.isFIPS_140_3()) {
+ ks = KeyStore.getInstance("JKS");
+ ts = KeyStore.getInstance("JKS");
+ } else {
+ ks = KeyStore.getInstance("PKCS12");
+ ts = KeyStore.getInstance("PKCS12");
+ }
+
  char[] passphrase = "passphrase".toCharArray();
 
  ks.load(new FileInputStream(KEYSTORE_PATH), passphrase);
@@ -597,7 +606,9 @@ private static void log(Object msg) {
  public static void main(String args[]) throws Exception {
  // reset the security property to make sure that the algorithms
  // and keys used in this test are not disabled.
- Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ if(!NetSslUtils.isFIPS_140_3()) {
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ }
 
  log(String.format("Running with %s and %s%n", args[0], args[1]));
  ConnectionTest ct = new ConnectionTest(args[0], args[1]);

test/jdk/javax/net/ssl/SSLEngine/ExtendedKeyEngine.java

@@ -181,8 +181,16 @@ public ExtendedKeyEngine(boolean abs) throws Exception {
  private SSLContext getSSLContext(String keyFile, String trustFile,
  boolean abs) throws Exception {
 
- KeyStore ks = KeyStore.getInstance("JKS");
- KeyStore ts = KeyStore.getInstance("JKS");
+ KeyStore ks;
+ KeyStore ts;
+
+ if (!NetSslUtils.isFIPS_140_3()) {
+ ks = KeyStore.getInstance("JKS");
+ ts = KeyStore.getInstance("JKS");
+ } else {
+ ks = KeyStore.getInstance("PKCS12");
+ ts = KeyStore.getInstance("PKCS12");
+ }
 
  char[] passphrase = "passphrase".toCharArray();
 

test/jdk/javax/net/ssl/SSLEngine/ExtendedKeySocket.java

@@ -89,10 +89,18 @@ public class ExtendedKeySocket {
  SSLContext getSSLContext(boolean abs) throws Exception {
  SSLContext ctx = SSLContext.getInstance("TLS");
 
- KeyStore keyKS = KeyStore.getInstance("JKS");
- keyKS.load(new FileInputStream(keyFilename), passwd);
+ KeyStore keyKS;
+ KeyStore trustKS;
 
- KeyStore trustKS = KeyStore.getInstance("JKS");
+ if (!NetSslUtils.isFIPS_140_3()) {
+ keyKS = KeyStore.getInstance("JKS");
+ trustKS = KeyStore.getInstance("JKS");
+ } else {
+ keyKS = KeyStore.getInstance("PKCS12");
+ trustKS = KeyStore.getInstance("PKCS12");
+ }
+
+ keyKS.load(new FileInputStream(keyFilename), passwd);
  trustKS.load(new FileInputStream(trustFilename), passwd);
 
  KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");

test/jdk/javax/net/ssl/SSLEngine/FinishedPresent.java

@@ -106,8 +106,16 @@ public static void main(String args[]) throws Exception {
  */
  public FinishedPresent() throws Exception {
 
- KeyStore ks = KeyStore.getInstance("JKS");
- KeyStore ts = KeyStore.getInstance("JKS");
+ KeyStore ks;
+ KeyStore ts;
+
+ if (!NetSslUtils.isFIPS_140_3()) {
+ ks = KeyStore.getInstance("JKS");
+ ts = KeyStore.getInstance("JKS");
+ } else {
+ ks = KeyStore.getInstance("PKCS12");
+ ts = KeyStore.getInstance("PKCS12");
+ }
 
  ks.load(new FileInputStream(keyFilename), passphrase);
  ts.load(new FileInputStream(trustFilename), passphrase);

test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java

@@ -183,7 +183,9 @@ private void runTest(String cipher) throws Exception {
  public static void main(String args[]) throws Exception {
  // reset the security property to make sure that the algorithms
  // and keys used in this test are not disabled.
- Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ if (!NetSslUtils.isFIPS_140_3()) {
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ }
 
  LargeBufs test;
 
@@ -212,8 +214,16 @@ public LargeBufs() throws Exception {
  private SSLContext getSSLContext(String keyFile, String trustFile)
  throws Exception {
 
- KeyStore ks = KeyStore.getInstance("JKS");
- KeyStore ts = KeyStore.getInstance("JKS");
+ KeyStore ks;
+ KeyStore ts;
+
+ if (!NetSslUtils.isFIPS_140_3()) {
+ ks = KeyStore.getInstance("JKS");
+ ts = KeyStore.getInstance("JKS");
+ } else {
+ ks = KeyStore.getInstance("PKCS12");
+ ts = KeyStore.getInstance("PKCS12");
+ }
 
  char[] passphrase = "passphrase".toCharArray();