Skip to content

Commit

Permalink
Update TLS tests to be run in FIPS 140-3 mode.
Browse files Browse the repository at this point in the history
Signed-off-by: Jinhang Zhang <Jinhang.Zhang@ibm.com>
  • Loading branch information
JinhangZhang committed Sep 9, 2024
1 parent 81ec611 commit 741b238
Show file tree
Hide file tree
Showing 71 changed files with 1,911 additions and 507 deletions.
166 changes: 1 addition & 165 deletions test/jdk/ProblemList-FIPS140_3_OpenJcePlus.txt

Large diffs are not rendered by default.

33 changes: 31 additions & 2 deletions test/jdk/javax/net/ssl/DTLS/CipherSuite.java
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,9 @@
import javax.net.ssl.SSLEngine;
import java.security.Security;

import jdk.test.lib.Utils;
import jdk.test.lib.security.SecurityUtils;

/**
* Test common DTLS cipher suites.
*/
Expand All @@ -61,14 +64,40 @@ public class CipherSuite extends DTLSOverDatagram {
volatile static String cipherSuite;

public static void main(String[] args) throws Exception {
if (args.length > 1 && "re-enable".equals(args[1])) {
if (args.length > 1 && "re-enable".equals(args[1])
&& !(Utils.isFIPS())) {
Security.setProperty("jdk.tls.disabledAlgorithms", "");
}

cipherSuite = args[0];

CipherSuite testCase = new CipherSuite();
testCase.runTest(testCase);
try {
testCase.runTest(testCase);
} catch (javax.net.ssl.SSLHandshakeException sslhe) {
if (Utils.isFIPS()) {
if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) {
if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
return;
} else {
System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
return;
}
} else {
System.out.println("Unexpected exception is caught");
sslhe.printStackTrace();
return;
}
} else {
System.out.println("Unexpected exception is caught in Non-FIPS mode");
sslhe.printStackTrace();
return;
}
} catch (Exception e) {
e.printStackTrace();
return;
}
}

@Override
Expand Down
25 changes: 24 additions & 1 deletion test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
* questions.
*/

import jdk.test.lib.Utils;
import jdk.test.lib.security.SecurityUtils;

import javax.net.ssl.*;
Expand Down Expand Up @@ -51,7 +52,9 @@ public class DTLSWontNegotiateV10 {
private static final int READ_TIMEOUT_SECS = Integer.getInteger("readtimeout", 30);

public static void main(String[] args) throws Exception {
if (args[0].equals(DTLSV_1_0)) {

if (args[0].equals(DTLSV_1_0)
&& !(Utils.isFIPS())) {
SecurityUtils.removeFromDisabledTlsAlgs(DTLSV_1_0);
}

Expand All @@ -74,6 +77,26 @@ public static void main(String[] args) throws Exception {
break;
} catch (SocketTimeoutException exc) {
System.out.println("The server timed-out waiting for packets from the client.");
} catch (javax.net.ssl.SSLHandshakeException sslhe) {
if (Utils.isFIPS()) {
if(!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) {
if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
return;
} else {
System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
return;
}
} else {
System.out.println("Unexpected exception is caught");
sslhe.printStackTrace();
return;
}
} else {
System.out.println("Unexpected exception is caught in Non-FIPS mode");
sslhe.printStackTrace();
return;
}
}
}
if (tries == totalAttempts) {
Expand Down
36 changes: 33 additions & 3 deletions test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,9 @@
import javax.net.ssl.SSLEngine;
import java.security.Security;

import jdk.test.lib.Utils;
import jdk.test.lib.security.SecurityUtils;

/**
* Test common DTLS weak cipher suites.
*/
Expand All @@ -52,13 +55,40 @@ public class WeakCipherSuite extends DTLSOverDatagram {
public static void main(String[] args) throws Exception {
// reset security properties to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
Security.setProperty("jdk.certpath.disabledAlgorithms", "");
if (!(Utils.isFIPS())) {
Security.setProperty("jdk.tls.disabledAlgorithms", "");
Security.setProperty("jdk.certpath.disabledAlgorithms", "");
}

cipherSuite = args[0];

WeakCipherSuite testCase = new WeakCipherSuite();
testCase.runTest(testCase);
try {
testCase.runTest(testCase);
} catch (javax.net.ssl.SSLHandshakeException sslhe) {
if (Utils.isFIPS()) {
if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) {
if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
return;
} else {
System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
return;
}
} else {
System.out.println("Unexpected exception is caught");
sslhe.printStackTrace();
return;
}
} else {
System.out.println("Unexpected exception is caught in Non-FIPS mode");
sslhe.printStackTrace();
return;
}
} catch (Exception e) {
e.printStackTrace();
return;
}
}

@Override
Expand Down
40 changes: 40 additions & 0 deletions test/jdk/javax/net/ssl/FIPSFlag/FIPSFlagTests.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
/*
* Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

/*
* @test
* @summary Test flags used for FIPS 140-2 and FIPS 140-3
* @run main/othervm
* TestFIPS false
* @run main/othervm
* -Dsemeru.fips=true
* TestFIPS true 140-2
* @run main/othervm
* -Dsemeru.fips=true
* -Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3
* TestFIPS true 140-3
* @run main/othervm
* -Dsemeru.fips=true
* -Dsemeru.customprofile=OpenJCEPlusFIPS
* TestFIPS true 140-3
*/
87 changes: 87 additions & 0 deletions test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
/*
* Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

import java.security.Provider;
import java.security.Security;

public class TestFIPS {

private static final String SEMERU_FIPS = System.getProperty("semeru.fips");
private static final String PROFILE = System.getProperty("semeru.customprofile");

public static void main(String[] args) throws Exception {

for (Provider.Service service : Security.getProvider("SUN").getServices()) {
System.out.println("Service: " + service.getType() + " Algorithm: " + service.getAlgorithm() + " Class: " + service.getClassName());
}

if (SEMERU_FIPS == null) {
if (args[0].equals("false")) {
System.out.println("PASS");
} else {
throw new FIPSException("FIPS mode should be opened before using.");
}
return;
}

if (PROFILE == null) {
if (SEMERU_FIPS.equals(args[0])) {
if (args[0].equals("true")) {
if (System.getProperty("com.ibm.fips.mode").equals("140-2") && args[1].equals("140-2")) {
System.out.println("PASS");
} else {
throw new FIPSException("If there is no custom profile specified, the FIPS 140-2 should be used as default.");
}
} else {
throw new FIPSException("FIPS mode is not opened.");
}
} else {
throw new FIPSException("FIPS mode and expected mode do not match.");
}
return;
}

System.out.println("profile is: " + PROFILE);
if (PROFILE.contains("OpenJCEPlusFIPS")) {
if (SEMERU_FIPS.equals(args[0])) {
if (args[0].equals("true")) {
if (System.getProperty("com.ibm.fips.mode").equals("140-3") && args[1].equals("140-3")) {
System.out.println("PASS");
} else {
throw new FIPSException("FIPS profile and fips mode do not match.");
}
} else {
throw new FIPSException("FIPS mode is not opened.");
}
}
} else {
throw new FIPSException("FIPS profile is not supported in FIPS 140-3 mode.");
}
}

public static class FIPSException extends Exception {
public FIPSException(String message) {
super(message);
}
}
}
7 changes: 7 additions & 0 deletions test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
* @bug 4387882
* @summary Need to revisit the javadocs for JSSE, especially the
* promoted classes.
* @library /test/lib
* @run main/othervm ImplicitHandshake
*
* SunJSSE does not support dynamic system properties, no way to re-use
Expand All @@ -37,6 +38,8 @@
import java.net.*;
import javax.net.ssl.*;

import jdk.test.lib.Utils;

public class ImplicitHandshake {

/*
Expand Down Expand Up @@ -191,6 +194,10 @@ public static void main(String[] args) throws Exception {
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + trustStoreFile;

if (Utils.isFIPS()) {
keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd);
trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd);
}
System.setProperty("javax.net.ssl.keyStore", keyFilename);
System.setProperty("javax.net.ssl.keyStorePassword", passwd);
System.setProperty("javax.net.ssl.trustStore", trustFilename);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
* @bug 6668231
* @summary Presence of a critical subjectAltName causes JSSE's SunX509 to
* fail trusted checks
* @library /test/lib
* @run main/othervm CriticalSubjectAltName
* @author Xuelei Fan
*/
Expand All @@ -53,6 +54,8 @@
import java.security.Security;
import java.security.cert.Certificate;

import jdk.test.lib.Utils;

public class CriticalSubjectAltName implements HostnameVerifier {
/*
* =============================================================
Expand Down Expand Up @@ -159,10 +162,12 @@ void doClientSide() throws Exception {

public static void main(String[] args) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty("jdk.certpath.disabledAlgorithms",
"MD2, RSA keySize < 1024");
Security.setProperty("jdk.tls.disabledAlgorithms",
"SSLv3, RC4, DH keySize < 768");
if (!(Utils.isFIPS())) {
Security.setProperty("jdk.certpath.disabledAlgorithms",
"MD2, RSA keySize < 1024");
Security.setProperty("jdk.tls.disabledAlgorithms",
"SSLv3, RC4, DH keySize < 768");
}

String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores +
Expand All @@ -171,6 +176,11 @@ public static void main(String[] args) throws Exception {
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + trustStoreFile;

if (Utils.isFIPS()) {
keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd);
trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd);
}

System.setProperty("javax.net.ssl.keyStore", keyFilename);
System.setProperty("javax.net.ssl.keyStorePassword", passwd);
System.setProperty("javax.net.ssl.trustStore", trustFilename);
Expand All @@ -182,7 +192,29 @@ public static void main(String[] args) throws Exception {
/*
* Start the tests.
*/
new CriticalSubjectAltName();
try {
new CriticalSubjectAltName();
} catch (Exception e) {
if (Utils.isFIPS()) {
if (e instanceof java.security.cert.CertPathValidatorException) {
if ("Algorithm constraints check failed on signature algorithm: MD5withRSA".equals(e.getMessage())) {
System.out.println("MD5withRSA is not a supported signature algorithm.");
return;
} else {
System.out.println("Unexpected exception msg: <" + e.getMessage() + "> is caught");
return;
}
} else {
System.out.println("Unexpected exception is caught");
e.printStackTrace();
return;
}
} else {
System.out.println("Unexpected exception is caught in Non-FIPS mode");
e.printStackTrace();
return;
}
}
}

Thread clientThread = null;
Expand Down
Loading

0 comments on commit 741b238

Please sign in to comment.