check the sslcontext

JinhangZhang · May 22, 2024 · 9a31fab · 9a31fab
1 parent efa0b7d
commit 9a31fab
Show file tree

Hide file tree

Showing 26 changed files with 580 additions and 51 deletions.
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -909,9 +909,13 @@ private static final class DefaultManagersHolder {
             Exception reserved = null;
             TrustManager[] tmMediator = null;
             try {
+                System.out.println("start getTrustManagers in DefaultManagersHolder.");
                 tmMediator = getTrustManagers();
             } catch (Exception e) {
+                System.out.println("start getTrustManagers in DefaultManagersHolder but failed");
                 reserved = e;
+                System.out.println("Exception message is: ");
+                reserved.printStackTrace();
                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
                     SSLLogger.warning(
                             "Failed to load default trust managers", e);
@@ -920,6 +924,7 @@ private static final class DefaultManagersHolder {
 
             KeyManager[] kmMediator = null;
             if (reserved == null) {
+                System.out.println("reserved is null");
                 try {
                     kmMediator = getKeyManagers();
                 } catch (Exception e) {
@@ -932,6 +937,7 @@ private static final class DefaultManagersHolder {
             }
 
             if (reserved != null) {
+                System.out.println("reserved is not null");
                 trustManagers = new TrustManager[0];
                 keyManagers = new KeyManager[0];
 
@@ -951,14 +957,17 @@ private static final class DefaultManagersHolder {
         private static TrustManager[] getTrustManagers() throws Exception {
             TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                     TrustManagerFactory.getDefaultAlgorithm());
+            System.out.println("The TrustManagerFactory provider is: " + tmf.getProvider().getName());
             if ("SunJSSE".equals(tmf.getProvider().getName())) {
                 // The implementation will load the default KeyStore
                 // automatically.  Cached trust materials may be used
                 // for performance improvement.
+                System.out.println("It's SunJSSE.");
                 tmf.init((KeyStore)null);
             } else {
                 // Use the explicitly specified KeyStore for third party's
                 // TrustManagerFactory implementation.
+                System.out.println("It's not SunJSSE.");
                 KeyStore ks = TrustStoreManager.getTrustedKeyStore();
                 tmf.init(ks);
             }

diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
@@ -201,8 +201,15 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.jce.provider.2 = SUN [{CertificateF
     {CertStore, Collection, ImplementedIn=Software}, \
     {CertStore, com.sun.security.IndexedCollection, ImplementedIn=Software}, \
     {Configuration, JavaLoginConfig, *}, \
+    {KeyStore, PKCS12, *}, \
     {Policy, JavaPolicy, *}]
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.jce.provider.3 = SunJSSE
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.jce.provider.4 = SunJCE [{AlgorithmParameters, PBES2, *}, \
+    {AlgorithmParameters, PBEWithHmacSHA256AndAES_256, *}, \
+    {SecretKeyFactory, PBEWithMD5AndDES, *}, \
+    {SecretKeyFactory, PBKDF2WithHmacSHA256, *}, \
+    {Cipher, PBEWithHmacSHA256AndAES_256, *}, \
+    {Mac, HmacPBESHA256, *}]
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.javax.net.ssl.keyStore = NONE
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.securerandom.provider = OpenJCEPlusFIPS
 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.securerandom.algorithm = SHA512DRBG

diff --git a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java
@@ -61,10 +61,15 @@ public class CipherSuite extends DTLSOverDatagram {
     volatile static String cipherSuite;
 
     public static void main(String[] args) throws Exception {
-        if (args.length > 1 && "re-enable".equals(args[1])) {
-            Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        if (!NetSslUtils.isFIPS_140_3()) {
+            if (args.length > 1 && "re-enable".equals(args[1])) {
+                Security.setProperty("jdk.tls.disabledAlgorithms", "");
+            }
         }
 
+        if (!NetSslUtils.TLS_CIPHERSUITES.contains(args[0])) {
+            return;
+        }
         cipherSuite = args[0];
 
         CipherSuite testCase = new CipherSuite();

diff --git a/test/jdk/javax/net/ssl/DTLS/NetSslUtils.java b/test/jdk/javax/net/ssl/DTLS/NetSslUtils.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+ import java.security.Security;
+ import java.security.Provider;
+ import java.util.List;
+ import java.util.ArrayList;
+
+ public class NetSslUtils {
+
+     private static boolean isFIPS = false;
+
+     public static final List<String> TLS_PROTOCOLS = new ArrayList<>();
+     public static final List<String> TLS_CIPHERSUITES = new ArrayList<>();
+
+     public static boolean isFIPS_140_3() {
+         for (Provider p : Security.getProviders()) {
+             System.out.println(p.getName());
+             if (p.getName().equals("OpenJCEPlusFIPS")) {
+                 isFIPS = true;
+             }
+         }
+         return isFIPS;
+     }
+
+     static {
+         TLS_PROTOCOLS.add("TLSv1.2");
+         TLS_PROTOCOLS.add("TLSv1.3");
+
+         TLS_CIPHERSUITES.add("TLS_AES_128_GCM_SHA256");
+         TLS_CIPHERSUITES.add("TLS_AES_256_GCM_SHA384");
+         TLS_CIPHERSUITES.add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
+         TLS_CIPHERSUITES.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
+         TLS_CIPHERSUITES.add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
+         TLS_CIPHERSUITES.add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
+         TLS_CIPHERSUITES.add("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
+         TLS_CIPHERSUITES.add("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256");
+         TLS_CIPHERSUITES.add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384");
+         TLS_CIPHERSUITES.add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
+         TLS_CIPHERSUITES.add("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256");
+         TLS_CIPHERSUITES.add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
+         TLS_CIPHERSUITES.add("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256");
+         TLS_CIPHERSUITES.add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256");
+         TLS_CIPHERSUITES.add("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384");
+         TLS_CIPHERSUITES.add("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384");
+         TLS_CIPHERSUITES.add("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256");
+         TLS_CIPHERSUITES.add("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256");
+         TLS_CIPHERSUITES.add("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384");
+         TLS_CIPHERSUITES.add("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384");
+         TLS_CIPHERSUITES.add("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256");
+         TLS_CIPHERSUITES.add("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256");
+     }
+  }
diff --git a/test/jdk/javax/net/ssl/SSLEngine/ArgCheck.java b/test/jdk/javax/net/ssl/SSLEngine/ArgCheck.java
@@ -255,8 +255,17 @@ static private SSLEngine createSSLEngine(String keyFile, String trustFile)
 
         SSLEngine ssle;
 
-        KeyStore ks = KeyStore.getInstance("JKS");
-        KeyStore ts = KeyStore.getInstance("JKS");
+        KeyStore ks;
+        KeyStore ts;
+
+        if (!NetSslUtils.isFIPS_140_3()) {
+            ks = KeyStore.getInstance("JKS");
+            ts = KeyStore.getInstance("JKS");
+        } else {
+            ks = KeyStore.getInstance("PKCS12");
+            ts = KeyStore.getInstance("PKCS12");
+        }
+        ks.load(null, null);
 
         char[] passphrase = "passphrase".toCharArray();
 

diff --git a/test/jdk/javax/net/ssl/SSLEngine/Arrays.java b/test/jdk/javax/net/ssl/SSLEngine/Arrays.java
@@ -221,8 +221,17 @@ public Arrays() throws Exception {
     private SSLContext getSSLContext(String keyFile, String trustFile)
             throws Exception {
 
-        KeyStore ks = KeyStore.getInstance("JKS");
-        KeyStore ts = KeyStore.getInstance("JKS");
+
+        KeyStore ks;
+        KeyStore ts;
+
+        if (!NetSslUtils.isFIPS_140_3()) {
+            ks = KeyStore.getInstance("JKS");
+            ts = KeyStore.getInstance("JKS");
+        } else {
+            ks = KeyStore.getInstance("PKCS12");
+            ts = KeyStore.getInstance("PKCS12");
+        }
 
         char[] passphrase = "passphrase".toCharArray();
 

diff --git a/test/jdk/javax/net/ssl/SSLEngine/Basics.java b/test/jdk/javax/net/ssl/SSLEngine/Basics.java
@@ -57,18 +57,29 @@ public class Basics {
                 "/" + TRUSTSTORE_FILE;
 
     public static void main(String[] args) throws Exception {
-        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
+        if (!NetSslUtils.isFIPS_140_3()) {
+            SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
+            runTest("TLSv1.1", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA");
+        }
 
         runTest("TLSv1.3", "TLS_AES_256_GCM_SHA384");
         runTest("TLSv1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384");
-        runTest("TLSv1.1", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA");
     }
 
     private static void runTest(String protocol, String cipherSuite) throws Exception {
         System.out.printf("Testing %s with %s%n", protocol, cipherSuite);
 
-        KeyStore ks = KeyStore.getInstance("JKS");
-        KeyStore ts = KeyStore.getInstance("JKS");
+        KeyStore ks;
+        KeyStore ts;
+
+        if (!NetSslUtils.isFIPS_140_3()) {
+            ks = KeyStore.getInstance("JKS");
+            ts = KeyStore.getInstance("JKS");
+        } else {
+            ks = KeyStore.getInstance("PKCS12");
+            ts = KeyStore.getInstance("PKCS12");
+        }
+
         char[] passphrase = "passphrase".toCharArray();
 
         ks.load(new FileInputStream(KEYSTORE_PATH), passphrase);

diff --git a/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java b/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java
@@ -652,8 +652,16 @@ public CheckTlsEngineResults() throws Exception {
     private SSLContext getSSLContext(String keyFile, String trustFile)
             throws Exception {
 
-        KeyStore ks = KeyStore.getInstance("JKS");
-        KeyStore ts = KeyStore.getInstance("JKS");
+        KeyStore ks;
+        KeyStore ts;
+
+        if (!NetSslUtils.isFIPS_140_3()) {
+            ks = KeyStore.getInstance("JKS");
+            ts = KeyStore.getInstance("JKS");
+        } else {
+            ks = KeyStore.getInstance("PKCS12");
+            ts = KeyStore.getInstance("PKCS12");
+        }
 
         char[] passphrase = "passphrase".toCharArray();
 

diff --git a/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java b/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java
@@ -91,8 +91,17 @@ public ConnectionTest(String enabledProtocol, String enabledCipherSuite)
     }
 
     private SSLContext getSSLContext() throws Exception {
-        KeyStore ks = KeyStore.getInstance("JKS");
-        KeyStore ts = KeyStore.getInstance("JKS");
+        KeyStore ks;
+        KeyStore ts;
+
+        if (!NetSslUtils.isFIPS_140_3()) {
+            ks = KeyStore.getInstance("JKS");
+            ts = KeyStore.getInstance("JKS");
+        } else {
+            ks = KeyStore.getInstance("PKCS12");
+            ts = KeyStore.getInstance("PKCS12");
+        }
+
         char[] passphrase = "passphrase".toCharArray();
 
         ks.load(new FileInputStream(KEYSTORE_PATH), passphrase);
@@ -597,7 +606,9 @@ private static void log(Object msg) {
     public static void main(String args[]) throws Exception {
         // reset the security property to make sure that the algorithms
         // and keys used in this test are not disabled.
-        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        if(!NetSslUtils.isFIPS_140_3()) {
+            Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        }
 
         log(String.format("Running with %s and %s%n", args[0], args[1]));
         ConnectionTest ct = new ConnectionTest(args[0], args[1]);

diff --git a/test/jdk/javax/net/ssl/SSLEngine/ExtendedKeyEngine.java b/test/jdk/javax/net/ssl/SSLEngine/ExtendedKeyEngine.java
@@ -181,8 +181,16 @@ public ExtendedKeyEngine(boolean abs) throws Exception {
     private SSLContext getSSLContext(String keyFile, String trustFile,
             boolean abs) throws Exception {
 
-        KeyStore ks = KeyStore.getInstance("JKS");
-        KeyStore ts = KeyStore.getInstance("JKS");
+        KeyStore ks;
+        KeyStore ts;
+
+        if (!NetSslUtils.isFIPS_140_3()) {
+            ks = KeyStore.getInstance("JKS");
+            ts = KeyStore.getInstance("JKS");
+        } else {
+            ks = KeyStore.getInstance("PKCS12");
+            ts = KeyStore.getInstance("PKCS12");
+        }
 
         char[] passphrase = "passphrase".toCharArray();
 

diff --git a/test/jdk/javax/net/ssl/SSLEngine/ExtendedKeySocket.java b/test/jdk/javax/net/ssl/SSLEngine/ExtendedKeySocket.java
@@ -89,10 +89,18 @@ public class ExtendedKeySocket {
     SSLContext getSSLContext(boolean abs) throws Exception {
         SSLContext ctx = SSLContext.getInstance("TLS");
 
-        KeyStore keyKS = KeyStore.getInstance("JKS");
-        keyKS.load(new FileInputStream(keyFilename), passwd);
+        KeyStore keyKS;
+        KeyStore trustKS;
 
-        KeyStore trustKS = KeyStore.getInstance("JKS");
+        if (!NetSslUtils.isFIPS_140_3()) {
+            keyKS = KeyStore.getInstance("JKS");
+            trustKS = KeyStore.getInstance("JKS");
+        } else {
+            keyKS = KeyStore.getInstance("PKCS12");
+            trustKS = KeyStore.getInstance("PKCS12");
+        }
+
+        keyKS.load(new FileInputStream(keyFilename), passwd);
         trustKS.load(new FileInputStream(trustFilename), passwd);
 
         KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");

diff --git a/test/jdk/javax/net/ssl/SSLEngine/FinishedPresent.java b/test/jdk/javax/net/ssl/SSLEngine/FinishedPresent.java
@@ -106,8 +106,16 @@ public static void main(String args[]) throws Exception {
      */
     public FinishedPresent() throws Exception {
 
-        KeyStore ks = KeyStore.getInstance("JKS");
-        KeyStore ts = KeyStore.getInstance("JKS");
+        KeyStore ks;
+        KeyStore ts;
+
+        if (!NetSslUtils.isFIPS_140_3()) {
+            ks = KeyStore.getInstance("JKS");
+            ts = KeyStore.getInstance("JKS");
+        } else {
+            ks = KeyStore.getInstance("PKCS12");
+            ts = KeyStore.getInstance("PKCS12");
+        }
 
         ks.load(new FileInputStream(keyFilename), passphrase);
         ts.load(new FileInputStream(trustFilename), passphrase);

diff --git a/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java b/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java
@@ -183,7 +183,9 @@ private void runTest(String cipher) throws Exception {
     public static void main(String args[]) throws Exception {
         // reset the security property to make sure that the algorithms
         // and keys used in this test are not disabled.
-        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        if (!NetSslUtils.isFIPS_140_3()) {
+            Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        }
 
         LargeBufs test;
 
@@ -212,8 +214,16 @@ public LargeBufs() throws Exception {
     private SSLContext getSSLContext(String keyFile, String trustFile)
             throws Exception {
 
-        KeyStore ks = KeyStore.getInstance("JKS");
-        KeyStore ts = KeyStore.getInstance("JKS");
+        KeyStore ks;
+        KeyStore ts;
+
+        if (!NetSslUtils.isFIPS_140_3()) {
+            ks = KeyStore.getInstance("JKS");
+            ts = KeyStore.getInstance("JKS");
+        } else {
+            ks = KeyStore.getInstance("PKCS12");
+            ts = KeyStore.getInstance("PKCS12");
+        }
 
         char[] passphrase = "passphrase".toCharArray();