check the sslcontext

src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java

@@ -909,9 +909,13 @@ private static final class DefaultManagersHolder {
  Exception reserved = null;
  TrustManager[] tmMediator = null;
  try {
+ System.out.println("start getTrustManagers in DefaultManagersHolder.");
  tmMediator = getTrustManagers();
  } catch (Exception e) {
+ System.out.println("start getTrustManagers in DefaultManagersHolder but failed");
  reserved = e;
+ System.out.println("Exception message is: ");
+ reserved.printStackTrace();
  if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
  SSLLogger.warning(
  "Failed to load default trust managers", e);
@@ -920,6 +924,7 @@ private static final class DefaultManagersHolder {
 
  KeyManager[] kmMediator = null;
  if (reserved == null) {
+ System.out.println("reserved is null");
  try {
  kmMediator = getKeyManagers();
  } catch (Exception e) {
@@ -932,6 +937,7 @@ private static final class DefaultManagersHolder {
  }
 
  if (reserved != null) {
+ System.out.println("reserved is not null");
  trustManagers = new TrustManager[0];
  keyManagers = new KeyManager[0];
 
@@ -951,14 +957,17 @@ private static final class DefaultManagersHolder {
  private static TrustManager[] getTrustManagers() throws Exception {
  TrustManagerFactory tmf = TrustManagerFactory.getInstance(
  TrustManagerFactory.getDefaultAlgorithm());
+ System.out.println("The TrustManagerFactory provider is: " + tmf.getProvider().getName());
  if ("SunJSSE".equals(tmf.getProvider().getName())) {
  // The implementation will load the default KeyStore
  // automatically. Cached trust materials may be used
  // for performance improvement.
+ System.out.println("It's SunJSSE.");
  tmf.init((KeyStore)null);
  } else {
  // Use the explicitly specified KeyStore for third party's
  // TrustManagerFactory implementation.
+ System.out.println("It's not SunJSSE.");
  KeyStore ks = TrustStoreManager.getTrustedKeyStore();
  tmf.init(ks);
  }

test/jdk/javax/net/ssl/DTLS/CipherSuite.java

@@ -52,6 +52,9 @@
 import javax.net.ssl.SSLEngine;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test common DTLS cipher suites.
  */
@@ -61,14 +64,30 @@ public class CipherSuite extends DTLSOverDatagram {
  volatile static String cipherSuite;
 
  public static void main(String[] args) throws Exception {
- if (args.length > 1 && "re-enable".equals(args[1])) {
+ if (args.length > 1 && "re-enable".equals(args[1]) 
+ && !(Utils.isFIPS() 
+ && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) {
  Security.setProperty("jdk.tls.disabledAlgorithms", "");
  }
 
  cipherSuite = args[0];
 
  CipherSuite testCase = new CipherSuite();
- testCase.runTest(testCase);
+ try {
+ testCase.runTest(testCase);
+ } catch (javax.net.ssl.SSLHandshakeException sslhe) {
+ if ((Utils.isFIPS() 
+ && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))
+ && !SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) {
+ if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
+ System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
+ return;
+ }
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ return;
+ }
  }
 
  @Override
@@ -81,4 +100,4 @@ SSLEngine createSSLEngine(boolean isClient) throws Exception {
 
  return engine;
  }
-}
+}

test/jdk/javax/net/ssl/DTLS/DTLSHandshakeWithReplicatedPacketsTest.java

@@ -48,6 +48,9 @@
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Testing DTLS engines handshake using each of the supported cipher suites with
  * replicated packets check.
@@ -59,7 +62,9 @@ public class DTLSHandshakeWithReplicatedPacketsTest extends SSLEngineTestCase {
  public static void main(String[] args) {
  DTLSHandshakeWithReplicatedPacketsTest test
  = new DTLSHandshakeWithReplicatedPacketsTest();
- setUpAndStartKDCIfNeeded();
+ if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) {
+ setUpAndStartKDCIfNeeded();
+ }
  test.runTests();
  }
 

test/jdk/javax/net/ssl/DTLS/DTLSIncorrectAppDataTest.java

@@ -53,6 +53,9 @@
 import java.util.Random;
 import jdk.test.lib.RandomFactory;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Testing DTLS incorrect app data packages unwrapping. Incorrect application
  * data packages should be ignored by DTLS SSLEngine.
@@ -63,7 +66,9 @@ public class DTLSIncorrectAppDataTest extends SSLEngineTestCase {
 
  public static void main(String[] s) {
  DTLSIncorrectAppDataTest test = new DTLSIncorrectAppDataTest();
- setUpAndStartKDCIfNeeded();
+ if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) {
+ setUpAndStartKDCIfNeeded();
+ }
  test.runTests();
  }
 

test/jdk/javax/net/ssl/DTLS/DTLSOverDatagram.java

@@ -46,6 +46,7 @@
 import java.util.concurrent.atomic.AtomicBoolean;
 
 import jdk.test.lib.hexdump.HexPrinter;
+import jdk.test.lib.Utils;
 
 /**
  * An example to show the way to use SSLEngine in datagram connections.
@@ -63,10 +64,10 @@ public class DTLSOverDatagram {
  private static final String KEY_STORE_FILE = "keystore";
  private static final String TRUST_STORE_FILE = "truststore";
 
- private static final String KEY_FILENAME =
+ private static String KEY_FILENAME =
  System.getProperty("test.src", ".") + "/" + PATH_TO_STORES +
  "/" + KEY_STORE_FILE;
- private static final String TRUST_FILENAME =
+ private static String TRUST_FILENAME =
  System.getProperty("test.src", ".") + "/" + PATH_TO_STORES +
  "/" + TRUST_STORE_FILE;
 
@@ -505,11 +506,12 @@ boolean onReceiveTimeout(SSLEngine engine, SocketAddress socketAddr,
  // get DTSL context
  SSLContext getDTLSContext() throws Exception {
  String passphrase = "passphrase";
+ String protocol = "DTLS";
  return SSLContextBuilder.builder()
  .trustStore(KeyStoreUtils.loadKeyStore(TRUST_FILENAME, passphrase))
  .keyStore(KeyStoreUtils.loadKeyStore(KEY_FILENAME, passphrase))
  .kmfPassphrase(passphrase)
- .protocol("DTLS")
+ .protocol(protocol)
  .build();
  }
 

test/jdk/javax/net/ssl/DTLS/DTLSSequenceNumberTest.java

@@ -55,6 +55,9 @@
 import java.util.Random;
 import jdk.test.lib.RandomFactory;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Testing DTLS records sequence number property support in application data
  * exchange.
@@ -69,7 +72,9 @@ public class DTLSSequenceNumberTest extends SSLEngineTestCase {
 
  public static void main(String[] args) {
  DTLSSequenceNumberTest test = new DTLSSequenceNumberTest();
- setUpAndStartKDCIfNeeded();
+ if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) {
+ setUpAndStartKDCIfNeeded();
+ }
  test.runTests();
  }
 

test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java

@@ -21,6 +21,7 @@
  * questions.
  */
 
+import jdk.test.lib.Utils;
 import jdk.test.lib.security.SecurityUtils;
 
 import javax.net.ssl.*;
@@ -49,7 +50,10 @@ public class DTLSWontNegotiateV10 {
  private static final String DTLSV_1_2 = "DTLSv1.2";
 
  public static void main(String[] args) throws Exception {
- if (args[0].equals(DTLSV_1_0)) {
+
+ if (args[0].equals(DTLSV_1_0) 
+ && !(Utils.isFIPS() 
+ && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) {
  SecurityUtils.removeFromDisabledTlsAlgs(DTLSV_1_0);
  }
 
@@ -77,6 +81,18 @@ public static void main(String[] args) throws Exception {
  server.run();
  p.destroy();
  System.out.println("Success: DTLSv1.0 connection was not established.");
+ } catch (javax.net.ssl.SSLHandshakeException sslhe) {
+ if ((Utils.isFIPS() 
+ && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))
+ && !SecurityUtils.TLS_PROTOCOLS.contains(args[0])) {
+ if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
+ System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
+ return;
+ }
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ return;
  }
  }
  }

test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java

@@ -41,6 +41,9 @@
 import javax.net.ssl.SSLEngine;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test common DTLS weak cipher suites.
  */
@@ -52,13 +55,29 @@ public class WeakCipherSuite extends DTLSOverDatagram {
  public static void main(String[] args) throws Exception {
  // reset security properties to make sure that the algorithms
  // and keys used in this test are not disabled.
- Security.setProperty("jdk.tls.disabledAlgorithms", "");
- Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+ if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) {
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+ }
 
  cipherSuite = args[0];
 
  WeakCipherSuite testCase = new WeakCipherSuite();
- testCase.runTest(testCase);
+ try {
+ testCase.runTest(testCase);
+ } catch (javax.net.ssl.SSLHandshakeException sslhe) {
+ if ((Utils.isFIPS() 
+ && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))
+ && !SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) {
+ if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
+ System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
+ return;
+ }
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ return;
+ }
  }
 
  @Override
@@ -68,4 +87,4 @@ SSLEngine createSSLEngine(boolean isClient) throws Exception {
 
  return engine;
  }
-}
+}

test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java

@@ -26,6 +26,7 @@
  * @bug 4387882
  * @summary Need to revisit the javadocs for JSSE, especially the
  * promoted classes.
+ * @library /test/lib
  * @run main/othervm ImplicitHandshake
  *
  * SunJSSE does not support dynamic system properties, no way to re-use
@@ -37,6 +38,9 @@
 import java.net.*;
 import javax.net.ssl.*;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 public class ImplicitHandshake {
 
  /*
@@ -191,6 +195,10 @@ public static void main(String[] args) throws Exception {
  System.getProperty("test.src", "./") + "/" + pathToStores +
  "/" + trustStoreFile;
 
+ if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) {
+ keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd);
+ trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd);
+ }
  System.setProperty("javax.net.ssl.keyStore", keyFilename);
  System.setProperty("javax.net.ssl.keyStorePassword", passwd);
  System.setProperty("javax.net.ssl.trustStore", trustFilename);

test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java

@@ -31,6 +31,7 @@
  * @bug 6668231
  * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to
  * fail trusted checks
+ * @library /test/lib
  * @run main/othervm CriticalSubjectAltName
  * @author Xuelei Fan
  */
@@ -53,6 +54,9 @@
 import java.security.Security;
 import java.security.cert.Certificate;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 public class CriticalSubjectAltName implements HostnameVerifier {
  /*
  * =============================================================
@@ -159,10 +163,12 @@ void doClientSide() throws Exception {
 
  public static void main(String[] args) throws Exception {
  // MD5 is used in this test case, don't disable MD5 algorithm.
- Security.setProperty("jdk.certpath.disabledAlgorithms",
- "MD2, RSA keySize < 1024");
- Security.setProperty("jdk.tls.disabledAlgorithms",
- "SSLv3, RC4, DH keySize < 768");
+ if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS-HttpsURLConnection"))) {
+ Security.setProperty("jdk.certpath.disabledAlgorithms",
+ "MD2, RSA keySize < 1024");
+ Security.setProperty("jdk.tls.disabledAlgorithms",
+ "SSLv3, RC4, DH keySize < 768");
+ }
 
  String keyFilename =
  System.getProperty("test.src", "./") + "/" + pathToStores +
@@ -171,6 +177,11 @@ public static void main(String[] args) throws Exception {
  System.getProperty("test.src", "./") + "/" + pathToStores +
  "/" + trustStoreFile;
 
+ if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS-HttpsURLConnection"))) {
+ keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd);
+ trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd);
+ }
+
  System.setProperty("javax.net.ssl.keyStore", keyFilename);
  System.setProperty("javax.net.ssl.keyStorePassword", passwd);
  System.setProperty("javax.net.ssl.trustStore", trustFilename);

test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java

@@ -25,6 +25,7 @@
  * @test
  * @bug 4482187
  * @summary HttpsClient tests are failing for build 71
+ * @library /test/lib
  * @run main/othervm GetResponseCode
  *
  * SunJSSE does not support dynamic system properties, no way to re-use
@@ -37,6 +38,9 @@
 import javax.net.ssl.*;
 import java.security.cert.Certificate;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 public class GetResponseCode implements HostnameVerifier {
  /*
  * =============================================================
@@ -149,6 +153,11 @@ public static void main(String[] args) throws Exception {
  System.getProperty("test.src", "./") + "/" + pathToStores +
  "/" + trustStoreFile;
 
+ if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) {
+ keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd);
+ trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd);
+ }
+
  System.setProperty("javax.net.ssl.keyStore", keyFilename);
  System.setProperty("javax.net.ssl.keyStorePassword", passwd);
  System.setProperty("javax.net.ssl.trustStore", trustFilename);