Update TLS tests to be run in FIPS 140-3 mode.

Signed-off-by: Jinhang Zhang <Jinhang.Zhang@ibm.com>
JinhangZhang · Sep 9, 2024 · cbbe1bb · cbbe1bb
1 parent 81ec611
commit cbbe1bb
Show file tree

Hide file tree

Showing 71 changed files with 1,910 additions and 1,255 deletions.
diff --git a/test/jdk/ProblemList-FIPS140_3_OpenJcePlus.txt b/test/jdk/ProblemList-FIPS140_3_OpenJcePlus.txt
diff --git a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java
@@ -52,6 +52,9 @@
 import javax.net.ssl.SSLEngine;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test common DTLS cipher suites.
  */
@@ -61,14 +64,40 @@ public class CipherSuite extends DTLSOverDatagram {
  volatile static String cipherSuite;
 
  public static void main(String[] args) throws Exception {
- if (args.length > 1 && "re-enable".equals(args[1])) {
+ if (args.length > 1 && "re-enable".equals(args[1]) 
+ && !(Utils.isFIPS())) {
  Security.setProperty("jdk.tls.disabledAlgorithms", "");
  }
 
  cipherSuite = args[0];
 
  CipherSuite testCase = new CipherSuite();
- testCase.runTest(testCase);
+ try {
+ testCase.runTest(testCase);
+ } catch (javax.net.ssl.SSLHandshakeException sslhe) {
+ if (Utils.isFIPS()) {
+ if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) {
+ if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
+ System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
+ return;
+ } else {
+ System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
+ return;
+ }
+ } else {
+ System.out.println("Unexpected exception is caught");
+ sslhe.printStackTrace();
+ return;
+ }
+ } else {
+ System.out.println("Unexpected exception is caught in Non-FIPS mode");
+ sslhe.printStackTrace();
+ return;
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ return;
+ }
  }
 
  @Override

diff --git a/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java b/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java
@@ -21,6 +21,7 @@
  * questions.
  */
 
+import jdk.test.lib.Utils;
 import jdk.test.lib.security.SecurityUtils;
 
 import javax.net.ssl.*;
@@ -51,7 +52,9 @@ public class DTLSWontNegotiateV10 {
  private static final int READ_TIMEOUT_SECS = Integer.getInteger("readtimeout", 30);
 
  public static void main(String[] args) throws Exception {
- if (args[0].equals(DTLSV_1_0)) {
+
+ if (args[0].equals(DTLSV_1_0) 
+ && !(Utils.isFIPS())) {
  SecurityUtils.removeFromDisabledTlsAlgs(DTLSV_1_0);
  }
 
@@ -74,6 +77,26 @@ public static void main(String[] args) throws Exception {
  break;
  } catch (SocketTimeoutException exc) {
  System.out.println("The server timed-out waiting for packets from the client.");
+ } catch (javax.net.ssl.SSLHandshakeException sslhe) {
+ if (Utils.isFIPS()) {
+ if(!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) {
+ if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
+ System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
+ return;
+ } else {
+ System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
+ return;
+ }
+ } else {
+ System.out.println("Unexpected exception is caught");
+ sslhe.printStackTrace();
+ return;
+ }
+ } else {
+ System.out.println("Unexpected exception is caught in Non-FIPS mode");
+ sslhe.printStackTrace();
+ return;
+ }
  }
  }
  if (tries == totalAttempts) {

diff --git a/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java b/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java
@@ -41,6 +41,9 @@
 import javax.net.ssl.SSLEngine;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test common DTLS weak cipher suites.
  */
@@ -52,13 +55,40 @@ public class WeakCipherSuite extends DTLSOverDatagram {
  public static void main(String[] args) throws Exception {
  // reset security properties to make sure that the algorithms
  // and keys used in this test are not disabled.
- Security.setProperty("jdk.tls.disabledAlgorithms", "");
- Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+ if (!(Utils.isFIPS())) {
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+ }
 
  cipherSuite = args[0];
 
  WeakCipherSuite testCase = new WeakCipherSuite();
- testCase.runTest(testCase);
+ try {
+ testCase.runTest(testCase);
+ } catch (javax.net.ssl.SSLHandshakeException sslhe) {
+ if (Utils.isFIPS()) {
+ if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) {
+ if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
+ System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
+ return;
+ } else {
+ System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
+ return;
+ }
+ } else {
+ System.out.println("Unexpected exception is caught");
+ sslhe.printStackTrace();
+ return;
+ }
+ } else {
+ System.out.println("Unexpected exception is caught in Non-FIPS mode");
+ sslhe.printStackTrace();
+ return;
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ return;
+ }
  }
 
  @Override

diff --git a/test/jdk/javax/net/ssl/FIPSFlag/FIPSFlagTests.java b/test/jdk/javax/net/ssl/FIPSFlag/FIPSFlagTests.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @summary Test flags used for FIPS 140-2 and FIPS 140-3
+ * @run main/othervm
+ * TestFIPS false
+ * @run main/othervm
+ * -Dsemeru.fips=true
+ * TestFIPS true 140-2
+ * @run main/othervm
+ * -Dsemeru.fips=true
+ * -Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3
+ * TestFIPS true 140-3
+ * @run main/othervm
+ * -Dsemeru.fips=true
+ * -Dsemeru.customprofile=OpenJCEPlusFIPS
+ * TestFIPS true 140-3
+ */
diff --git a/test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java b/test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.security.Provider;
+import java.security.Security;
+
+public class TestFIPS {
+
+ private static final String SEMERU_FIPS = System.getProperty("semeru.fips");
+ private static final String PROFILE = System.getProperty("semeru.customprofile");
+
+ public static void main(String[] args) throws Exception {
+
+ for (Provider.Service service : Security.getProvider("SUN").getServices()) {
+ System.out.println("Service: " + service.getType() + " Algorithm: " + service.getAlgorithm() + " Class: " + service.getClassName());
+ }
+
+ if (SEMERU_FIPS == null) {
+ if (args[0].equals("false")) {
+ System.out.println("PASS");
+ } else {
+ throw new FIPSException("FIPS mode should be opened before using.");
+ }
+ return;
+ }
+
+ if (PROFILE == null) {
+ if (SEMERU_FIPS.equals(args[0])) {
+ if (args[0].equals("true")) {
+ if (System.getProperty("com.ibm.fips.mode").equals("140-2") && args[1].equals("140-2")) {
+ System.out.println("PASS");
+ } else {
+ throw new FIPSException("If there is no custom profile specified, the FIPS 140-2 should be used as default.");
+ }
+ } else {
+ throw new FIPSException("FIPS mode is not opened.");
+ }
+ } else {
+ throw new FIPSException("FIPS mode and expected mode do not match.");
+ }
+ return;
+ }
+
+ System.out.println("profile is: " + PROFILE);
+ if (PROFILE.contains("OpenJCEPlusFIPS")) {
+ if (SEMERU_FIPS.equals(args[0])) {
+ if (args[0].equals("true")) {
+ if (System.getProperty("com.ibm.fips.mode").equals("140-3") && args[1].equals("140-3")) {
+ System.out.println("PASS");
+ } else {
+ throw new FIPSException("FIPS profile and fips mode do not match.");
+ }
+ } else {
+ throw new FIPSException("FIPS mode is not opened.");
+ }
+ }
+ } else {
+ throw new FIPSException("FIPS profile is not supported in FIPS 140-3 mode.");
+ }
+ }
+
+ public static class FIPSException extends Exception {
+ public FIPSException(String message) {
+ super(message);
+ }
+ }
+}
diff --git a/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java b/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java
@@ -26,6 +26,7 @@
  * @bug 4387882
  * @summary Need to revisit the javadocs for JSSE, especially the
  * promoted classes.
+ * @library /test/lib
  * @run main/othervm ImplicitHandshake
  *
  * SunJSSE does not support dynamic system properties, no way to re-use
@@ -37,6 +38,8 @@
 import java.net.*;
 import javax.net.ssl.*;
 
+import jdk.test.lib.Utils;
+
 public class ImplicitHandshake {
 
  /*
@@ -191,6 +194,10 @@ public static void main(String[] args) throws Exception {
  System.getProperty("test.src", "./") + "/" + pathToStores +
  "/" + trustStoreFile;
 
+ if (Utils.isFIPS()) {
+ keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd);
+ trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd);
+ }
  System.setProperty("javax.net.ssl.keyStore", keyFilename);
  System.setProperty("javax.net.ssl.keyStorePassword", passwd);
  System.setProperty("javax.net.ssl.trustStore", trustFilename);

diff --git a/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java b/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java
@@ -31,6 +31,7 @@
  * @bug 6668231
  * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to
  * fail trusted checks
+ * @library /test/lib
  * @run main/othervm CriticalSubjectAltName
  * @author Xuelei Fan
  */
@@ -53,6 +54,8 @@
 import java.security.Security;
 import java.security.cert.Certificate;
 
+import jdk.test.lib.Utils;
+
 public class CriticalSubjectAltName implements HostnameVerifier {
  /*
  * =============================================================
@@ -159,10 +162,12 @@ void doClientSide() throws Exception {
 
  public static void main(String[] args) throws Exception {
  // MD5 is used in this test case, don't disable MD5 algorithm.
- Security.setProperty("jdk.certpath.disabledAlgorithms",
- "MD2, RSA keySize < 1024");
- Security.setProperty("jdk.tls.disabledAlgorithms",
- "SSLv3, RC4, DH keySize < 768");
+ if (!(Utils.isFIPS())) {
+ Security.setProperty("jdk.certpath.disabledAlgorithms",
+ "MD2, RSA keySize < 1024");
+ Security.setProperty("jdk.tls.disabledAlgorithms",
+ "SSLv3, RC4, DH keySize < 768");
+ }
 
  String keyFilename =
  System.getProperty("test.src", "./") + "/" + pathToStores +
@@ -171,6 +176,11 @@ public static void main(String[] args) throws Exception {
  System.getProperty("test.src", "./") + "/" + pathToStores +
  "/" + trustStoreFile;
 
+ if (Utils.isFIPS()) {
+ keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd);
+ trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd);
+ }
+
  System.setProperty("javax.net.ssl.keyStore", keyFilename);
  System.setProperty("javax.net.ssl.keyStorePassword", passwd);
  System.setProperty("javax.net.ssl.trustStore", trustFilename);
@@ -182,7 +192,29 @@ public static void main(String[] args) throws Exception {
  /*
  * Start the tests.
  */
- new CriticalSubjectAltName();
+ try {
+ new CriticalSubjectAltName();
+ } catch (Exception e) {
+ if (Utils.isFIPS()) {
+ if (e instanceof java.security.cert.CertPathValidatorException) {
+ if ("Algorithm constraints check failed on signature algorithm: MD5withRSA".equals(e.getMessage())) {
+ System.out.println("MD5withRSA is not a supported signature algorithm.");
+ return;
+ } else {
+ System.out.println("Unexpected exception msg: <" + e.getMessage() + "> is caught");
+ return;
+ }
+ } else {
+ System.out.println("Unexpected exception is caught");
+ e.printStackTrace();
+ return;
+ }
+ } else {
+ System.out.println("Unexpected exception is caught in Non-FIPS mode");
+ e.printStackTrace();
+ return;
+ }
+ }
  }
 
  Thread clientThread = null;