From f3b5fafcd9c650ad1e0045d59e0c85cc808a5795 Mon Sep 17 00:00:00 2001 
From: JinhangZhang Date: Mon, 29 Jul 2024 01:08:04 -0400 Subject: [PATCH] u --- test/jdk/javax/net/ssl/DTLS/CipherSuite.java | 6 +- ...TLSHandshakeWithReplicatedPacketsTest.java | 2 +- .../ssl/DTLS/DTLSIncorrectAppDataTest.java | 2 +- .../net/ssl/DTLS/DTLSSequenceNumberTest.java | 2 +- .../net/ssl/DTLS/DTLSWontNegotiateV10.java | 20 +++--- .../javax/net/ssl/DTLS/WeakCipherSuite.java | 5 +- test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java | 9 +-- .../ssl/FixingJavadocs/ImplicitHandshake.java | 2 +- .../CriticalSubjectAltName.java | 4 +- .../HttpsURLConnection/GetResponseCode.java | 2 +- test/jdk/javax/net/ssl/SSLEngine/Arrays.java | 2 +- test/jdk/javax/net/ssl/SSLEngine/Basics.java | 4 +- .../ssl/SSLEngine/CheckTlsEngineResults.java | 2 +- .../net/ssl/SSLEngine/ConnectionTest.java | 2 +- .../net/ssl/SSLEngine/EngineCloseOnAlert.java | 2 +- .../javax/net/ssl/SSLEngine/LargeBufs.java | 29 +++------ .../net/ssl/SSLEngine/NoAuthClientAuth.java | 2 +- .../net/ssl/SSLEngine/TestAllSuites.java | 2 +- .../SSLParameters/UseCipherSuitesOrder.java | 6 +- ...tpsURLConnectionLocalCertificateChain.java | 2 +- .../net/ssl/SSLSession/JSSERenegotiate.java | 5 +- .../net/ssl/SSLSession/RenegotiateTLS13.java | 7 +-- .../ssl/SSLSession/ResumeTLS13withSNI.java | 5 -- .../ssl/SSLSession/SSLCtxAccessToSessCtx.java | 2 +- .../ssl/SSLSession/SessionCacheSizeTests.java | 2 +- .../ssl/SSLSession/SessionTimeOutTests.java | 2 +- .../ssl/SSLSession/TestEnabledProtocols.java | 2 +- .../ServerName/BestEffortOnLazyConnected.java | 2 +- .../net/ssl/ServerName/SSLEngineExplorer.java | 2 +- .../ServerName/SSLSocketConsistentSNI.java | 2 +- .../net/ssl/ServerName/SSLSocketExplorer.java | 4 +- .../ServerName/SSLSocketExplorerFailure.java | 2 +- .../SSLSocketExplorerMatchedSNI.java | 2 +- .../SSLSocketExplorerWithCliSNI.java | 2 +- .../SSLSocketExplorerWithSrvSNI.java | 2 +- .../ssl/ServerName/SSLSocketSNISensitive.java | 34 ++++++++--- .../javax/net/ssl/TLS/CipherTestUtils.java | 17 +----- 
test/jdk/javax/net/ssl/TLS/JSSEClient.java | 3 + test/jdk/javax/net/ssl/TLS/TestJSSE.java | 39 +++++------- .../TLSCommon/ConcurrentClientAccessTest.java | 2 +- test/jdk/javax/net/ssl/TLSCommon/TLSTest.java | 2 +- .../javax/net/ssl/TLSCommon/TLSWithEdDSA.java | 6 +- .../TLSCommon/TestSessionLocalPrincipal.java | 2 +- test/jdk/javax/net/ssl/TLSTest_java.security | 5 -- .../TLSv11/EmptyCertificateAuthorities.java | 4 +- .../net/ssl/TLSv11/GenericBlockCipher.java | 4 +- .../net/ssl/TLSv11/GenericStreamCipher.java | 4 +- .../net/ssl/TLSv12/DisabledShortDSAKeys.java | 2 +- .../net/ssl/TLSv12/DisabledShortRSAKeys.java | 6 +- .../javax/net/ssl/TLSv12/ProtocolFilter.java | 4 +- .../javax/net/ssl/TLSv12/ShortRSAKey512.java | 4 +- .../javax/net/ssl/TLSv12/ShortRSAKeyGCM.java | 6 +- .../net/ssl/TLSv12/SignatureAlgorithms.java | 4 +- .../net/ssl/TLSv13/ClientHelloKeyShares.java | 61 ++++++++++++------- .../javax/net/ssl/TLSv13/HRRKeyShares.java | 2 +- .../ssl/ciphersuites/DisabledAlgorithms.java | 2 +- .../ssl/finalize/SSLSessionFinalizeTest.java | 2 +- .../ciphersuites/CheckCipherSuites.java | 2 +- .../SystemPropCipherSuitesOrder.java | 27 ++++++-- .../ciphersuites/TLSCipherSuitesOrder.java | 2 +- .../sanity/interop/ClientJSSEServerJSSE.java | 2 +- .../pluggability/CheckSSLContextExport.java | 4 +- test/jdk/javax/net/ssl/templates/TLSBase.java | 2 +- 63 files changed, 201 insertions(+), 203 deletions(-) diff --git a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java index 5c8dae0145e..dca01a346a0 100644 --- a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java +++ b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java 
@@ -65,8 +65,7 @@ public class CipherSuite extends DTLSOverDatagram { public static void main(String[] args) throws Exception { if (args.length > 1 && "re-enable".equals(args[1]) - && !(Utils.isFIPS() - && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + && !(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } @@ -76,8 +75,7 @@ public static void main(String[] args) throws Exception { try { testCase.runTest(testCase); } catch (javax.net.ssl.SSLHandshakeException sslhe) { - if ((Utils.isFIPS() - && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) + if (Utils.isFIPS() && !SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) { if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { System.out.println("Expected exception msg: is caught"); diff --git a/test/jdk/javax/net/ssl/DTLS/DTLSHandshakeWithReplicatedPacketsTest.java b/test/jdk/javax/net/ssl/DTLS/DTLSHandshakeWithReplicatedPacketsTest.java index 6541c9b80f7..d3e8933a006 100644 --- a/test/jdk/javax/net/ssl/DTLS/DTLSHandshakeWithReplicatedPacketsTest.java +++ b/test/jdk/javax/net/ssl/DTLS/DTLSHandshakeWithReplicatedPacketsTest.java @@ -62,7 +62,7 @@ public class DTLSHandshakeWithReplicatedPacketsTest extends SSLEngineTestCase { public static void main(String[] args) { DTLSHandshakeWithReplicatedPacketsTest test = new DTLSHandshakeWithReplicatedPacketsTest(); - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { setUpAndStartKDCIfNeeded(); } test.runTests(); diff --git a/test/jdk/javax/net/ssl/DTLS/DTLSIncorrectAppDataTest.java b/test/jdk/javax/net/ssl/DTLS/DTLSIncorrectAppDataTest.java index 03e42908546..9165e4fe17a 100644 --- a/test/jdk/javax/net/ssl/DTLS/DTLSIncorrectAppDataTest.java +++ b/test/jdk/javax/net/ssl/DTLS/DTLSIncorrectAppDataTest.java 
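Review bot: The expected-failure branch in the `catch (javax.net.ssl.SSLHandshakeException sslhe)` of `CipherSuite.main` now runs under any FIPS profile, but it still decides what is "expected" from `SecurityUtils.TLS_CIPHERSUITES`, whose contents are not visible in this patch. If that map only describes the `OpenJCEPlusFIPS.FIPS140-3-Test-TLS` profile, a handshake failure under another profile could be accepted as a pass, so a comment at the check such as `// TLS_CIPHERSUITES must list the suites allowed by the active FIPS profile` would make the assumption explicit. As a style point, `!(Utils.isFIPS())` keeps parentheses left over from the longer condition; `!Utils.isFIPS()` reads better, here and in the other hunks of this patch that use the same form. The catch block continues outside the hunk.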
@@ -66,7 +66,7 @@ public class DTLSIncorrectAppDataTest extends SSLEngineTestCase { public static void main(String[] s) { DTLSIncorrectAppDataTest test = new DTLSIncorrectAppDataTest(); - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { setUpAndStartKDCIfNeeded(); } test.runTests(); diff --git a/test/jdk/javax/net/ssl/DTLS/DTLSSequenceNumberTest.java b/test/jdk/javax/net/ssl/DTLS/DTLSSequenceNumberTest.java index a239513e649..fbd13e7f957 100644 --- a/test/jdk/javax/net/ssl/DTLS/DTLSSequenceNumberTest.java +++ b/test/jdk/javax/net/ssl/DTLS/DTLSSequenceNumberTest.java @@ -72,7 +72,7 @@ public class DTLSSequenceNumberTest extends SSLEngineTestCase { public static void main(String[] args) { DTLSSequenceNumberTest test = new DTLSSequenceNumberTest(); - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { setUpAndStartKDCIfNeeded(); } test.runTests(); diff --git a/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java b/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java index a26669001e4..54e7a3863f6 100644 --- a/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java +++ b/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java @@ -54,8 +54,7 @@ public class DTLSWontNegotiateV10 { public static void main(String[] args) throws Exception { if (args[0].equals(DTLSV_1_0) - && !(Utils.isFIPS() - && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + && !(Utils.isFIPS())) { SecurityUtils.removeFromDisabledTlsAlgs(DTLSV_1_0); } 
@@ -78,6 +77,13 @@ public static void main(String[] args) throws Exception { break; } catch (SocketTimeoutException exc) { System.out.println("The server timed-out waiting for packets from the client."); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (Utils.isFIPS() && !SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } + } } } if (tries == totalAttempts) { @@ -102,15 +108,7 @@ private static void runServer(String protocol) throws Exception { clientProcess = builder.inheritIO().start(); server.run(); System.out.println("Success: DTLSv1.0 connection was not established."); - // } catch (javax.net.ssl.SSLHandshakeException sslhe) { - // if ((Utils.isFIPS() - // && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) - // && !SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { - // if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { - // System.out.println("Expected exception msg: is caught"); - // return; - // } - // } + } finally { if (clientProcess != null) { clientProcess.destroy(); diff --git a/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java b/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java index df12a4a4824..f87ee56e13f 100644 --- a/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java +++ b/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java 
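Review bot: The added `catch (javax.net.ssl.SSLHandshakeException sslhe)` in the retry loop of `DTLSWontNegotiateV10.main` silently drops every handshake failure that is not the expected FIPS rejection. When `Utils.isFIPS()` is false, the protocol is in `SecurityUtils.TLS_PROTOCOLS`, or the message differs, control leaves the catch with no log and no rethrow, and the loop retries. A genuine handshake failure then surfaces, at best, through the `tries == totalAttempts` path, which hides its cause. Add `throw sslhe;` after the outer `if` so only the expected case is absorbed. The loop starts and ends outside the hunk.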
@@ -55,7 +55,7 @@ public class WeakCipherSuite extends DTLSOverDatagram { public static void main(String[] args) throws Exception { // reset security properties to make sure that the algorithms // and keys used in this test are not disabled. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); Security.setProperty("jdk.certpath.disabledAlgorithms", ""); } @@ -66,8 +66,7 @@ public static void main(String[] args) throws Exception { try { testCase.runTest(testCase); } catch (javax.net.ssl.SSLHandshakeException sslhe) { - if ((Utils.isFIPS() - && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) + if (Utils.isFIPS() && !SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) { if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { System.out.println("Expected exception msg: is caught"); diff --git a/test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java b/test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java index bff2402ed41..219a2b07043 100644 --- a/test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java +++ b/test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java @@ -23,11 +23,12 @@ public class TestFIPS { - private static final String FIPSFlag = System.getProperty("semeru.fips"); + private static final String SEMERU_FIPS = System.getProperty("semeru.fips"); + // private static final String IBM_FIPS = System.getProperty("com.ibm.fips.mode"); private static final String PROFILE = System.getProperty("semeru.customprofile"); public static void main(String[] args) throws Exception { - if (FIPSFlag == null) { + if (SEMERU_FIPS == null) { if (args.length == 1 && args[0].equals("false")) { System.out.println("PASS"); } else { 
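Review bot: The `TestFIPS` hunk adds a field that is already commented out, `// private static final String IBM_FIPS = System.getProperty("com.ibm.fips.mode");`, and nothing visible refers to it. Dead code in a FIPS-mode check makes it unclear which property is authoritative. Either delete the line or replace it with a short comment such as `// FIPS state is read from semeru.fips; com.ibm.fips.mode is not consulted by this test`.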
@@ -36,8 +37,8 @@ public static void main(String[] args) throws Exception { return; } - if (FIPSFlag.equals(args[0])) { - System.out.println("com.ibm.fips.mode is: " + System.getProperty("com.ibm.fips.mode")); + if (SEMERU_FIPS.equals(args[0])) { + System.out.println("Customprofile is: " + PROFILE); if (PROFILE.equals(args[1])) { System.out.println("PASS"); } else { diff --git a/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java b/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java index 18ed8883adb..9bf77e7b50e 100644 --- a/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java +++ b/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java @@ -195,7 +195,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java b/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java index c61f0ae8256..8c40bae320c 100644 --- a/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java +++ b/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java @@ -163,7 +163,7 @@ void doClientSide() throws Exception { public static void main(String[] args) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); Security.setProperty("jdk.tls.disabledAlgorithms", 
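Review bot: In the second `TestFIPS` hunk, `PROFILE.equals(args[1])` throws a NullPointerException when `semeru.fips` is set but `semeru.customprofile` is not, because `PROFILE` comes straight from `System.getProperty`. The new `"Customprofile is: " + PROFILE` line prints `null` in that case, and the test then dies with an NPE instead of reporting a failure. Comparing from the argument side avoids this, for example `if (args.length > 1 && args[1].equals(PROFILE)) {`. The `else` branch continues outside the hunk.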
@@ -177,7 +177,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java b/test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java index 6d3cdb8e6bb..85f29bb6666 100644 --- a/test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java +++ b/test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java @@ -153,7 +153,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/SSLEngine/Arrays.java b/test/jdk/javax/net/ssl/SSLEngine/Arrays.java index 11c043e1965..7e9c6e30f62 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/Arrays.java +++ b/test/jdk/javax/net/ssl/SSLEngine/Arrays.java @@ -189,7 +189,7 @@ public static void main(String args[]) throws Exception { contextVersion = args[0]; // Re-enable context version if it is disabled. // If context version is SSLv3, TLSv1 needs to be re-enabled. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { if (contextVersion.equals("SSLv3")) { SecurityUtils.removeFromDisabledTlsAlgs("TLSv1"); } else if (contextVersion.equals("TLSv1") || diff --git a/test/jdk/javax/net/ssl/SSLEngine/Basics.java b/test/jdk/javax/net/ssl/SSLEngine/Basics.java index e75908c0302..e0786c95e91 100644 
--- a/test/jdk/javax/net/ssl/SSLEngine/Basics.java +++ b/test/jdk/javax/net/ssl/SSLEngine/Basics.java @@ -58,13 +58,13 @@ public class Basics { "/" + TRUSTSTORE_FILE; public static void main(String[] args) throws Exception { - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1"); runTest("TLSv1.1", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"); } runTest("TLSv1.3", "TLS_AES_256_GCM_SHA384"); - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { runTest("TLSv1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384"); } } diff --git a/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java b/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java index 1aea6f4cdb5..d009a6a17cc 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java +++ b/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java @@ -135,7 +135,7 @@ private void test() throws Exception { SSLEngineResult result1; // clientEngine's results from last operation SSLEngineResult result2; // serverEngine's results from last operation String[] suite1; - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { suite1 = new String [] { "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" }; } else { diff --git a/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java b/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java index 0dabeceb524..593fdcf9dc6 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java +++ b/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java 
@@ -601,7 +601,7 @@ private static void log(Object msg) { public static void main(String args[]) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } diff --git a/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java b/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java index 285a0d64169..a5be775d9ee 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java +++ b/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java @@ -57,7 +57,7 @@ public class EngineCloseOnAlert { private static KeyManagerFactory KMF; private static TrustManagerFactory TMF; - private static final String[] ONECIPHER = (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) ? + private static final String[] ONECIPHER = (Utils.isFIPS()) ? new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" } : new String[] { "TLS_RSA_WITH_AES_128_CBC_SHA" }; diff --git a/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java b/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java index d72dd47f648..b8d776d5ba0 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java +++ b/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java @@ -111,8 +111,6 @@ private void runTest(String cipher) throws Exception { result1 = ssle1.wrap(appOut1, oneToTwo); result2 = ssle2.wrap(appOut2, twoToOne); - System.out.println("result1.bytesConsumed() is: " + result1.bytesConsumed()); - if ((result1.bytesConsumed() != 0) && (result1.bytesConsumed() != appBufferMax) && (result1.bytesConsumed() != OFFSET)) { 
@@ -143,8 +141,6 @@ private void runTest(String cipher) throws Exception { result1 = ssle1.unwrap(twoToOne, appIn1); result2 = ssle2.unwrap(oneToTwo, appIn2); - System.out.println("result1.bytesProduced() is: " + result1.bytesProduced()); - if ((result1.bytesProduced() != 0) && (result1.bytesProduced() != appBufferMax) && (result1.bytesProduced() != 2 * OFFSET)) { @@ -188,29 +184,21 @@ private void runTest(String cipher) throws Exception { } public static void main(String args[]) throws Exception { - // reset the security property to make sure that the algorithms - // and keys used in this test are not disabled. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - } - LargeBufs test; - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); test = new LargeBufs(); test.runTest("SSL_RSA_WITH_RC4_128_MD5"); - } - - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { test = new LargeBufs(); test.runTest("SSL_RSA_WITH_3DES_EDE_CBC_SHA"); - } - - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + } else { test = new LargeBufs(); test.runTest("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"); test = new LargeBufs(); - test.runTest("TLS_AES_128_GCM_SHA256"); + test.runTest("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"); } System.out.println("Test Passed."); 
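Review bot: The FIPS branch of `LargeBufs.main` no longer exercises any TLS 1.3 suite. `TLS_AES_128_GCM_SHA256` has been replaced by `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, so both FIPS runs are now TLS 1.2 ECDHE-GCM suites and the large-buffer wrap/unwrap path is untested for TLS 1.3 records in FIPS mode. If this is deliberate, say so in a comment on the `else` branch, for example `// TLS 1.3 suites are skipped here because <reason>`. Otherwise keep a third `test.runTest("TLS_AES_128_GCM_SHA256");` run.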
@@ -264,7 +252,6 @@ private void createBuffers() { // that the ability to concume or produce applicaton data upto // the size. 16384 is the default JSSE implementation maximum // application size that could be consumed and produced. - // appBufferMax = 16384; appBufferMax = 16384; netBufferMax = session.getPacketBufferSize(); @@ -329,5 +316,5 @@ private static void log(String str) { if (debug) { System.out.println(str); } - } -} + } +} \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java b/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java index 1cbff6e4752..9252d5f4253 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java +++ b/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java @@ -144,7 +144,7 @@ public class NoAuthClientAuth { * Main entry point for this test. */ public static void main(String args[]) throws Exception { - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); tlsProtocol = args[0]; } else { diff --git a/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java b/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java index 8b571110ad2..cbda8e46ecf 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java +++ b/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java @@ -243,7 +243,7 @@ public static void main(String args[]) throws Exception { if (args.length < 1) { throw new RuntimeException("Missing TLS protocol parameter."); } - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { switch(args[0]) { case "TLSv1.1" -> SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1"); case "TLSv1.3" -> SecurityUtils.addToDisabledTlsAlgs("TLSv1.2"); 
diff --git a/test/jdk/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java b/test/jdk/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java index b454e7cc899..fb7eaa7c60f 100644 --- a/test/jdk/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java +++ b/test/jdk/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java @@ -178,7 +178,7 @@ private static void parseArguments(String[] args) throws Exception { throw new Exception("Need to enable at least two cipher suites"); } - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { cliEnabledCipherSuites = new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"}; } @@ -205,7 +205,7 @@ private static void parseArguments(String[] args) throws Exception { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } @@ -219,7 +219,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java b/test/jdk/javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java index 84d277fa563..6cf0bdf6456 100644 --- a/test/jdk/javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java +++ b/test/jdk/javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java 
@@ -248,7 +248,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java b/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java index b65c8206edd..ead62a7d310 100644 --- a/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java +++ b/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java @@ -197,7 +197,7 @@ void doClientSide() throws Exception { public static void main(String[] args) throws Exception { // reset the security property to make sure that the cipher suites // used in this test are not disabled - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } @@ -208,7 +208,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); suite1 = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; @@ -225,7 +225,6 @@ public static void main(String[] args) throws Exception { if (debug) System.setProperty("javax.net.debug", "all"); - /* * Start the tests. */ diff --git a/test/jdk/javax/net/ssl/SSLSession/RenegotiateTLS13.java b/test/jdk/javax/net/ssl/SSLSession/RenegotiateTLS13.java index aeaea5afb2d..9d5d8772919 100644 --- a/test/jdk/javax/net/ssl/SSLSession/RenegotiateTLS13.java 
+++ b/test/jdk/javax/net/ssl/SSLSession/RenegotiateTLS13.java @@ -63,8 +63,6 @@ public class RenegotiateTLS13 { // Server done flag static boolean done = false; - static String keystoreType = System.getProperty("javax.net.ssl.keyStore"); - // Main server code void doServerSide() throws Exception { @@ -145,10 +143,9 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); - keystoreType = "PKCS12"; } System.setProperty("javax.net.ssl.keyStore", keyFilename); @@ -290,7 +287,7 @@ SSLContext initContext() throws Exception { System.out.println("Using TLS13"); SSLContext sc = SSLContext.getInstance("TLSv1.3"); KeyStore ks = KeyStore.getInstance( - new File(keystoreType), + new File(System.getProperty("javax.net.ssl.keyStore")), passwd.toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm()); diff --git a/test/jdk/javax/net/ssl/SSLSession/ResumeTLS13withSNI.java b/test/jdk/javax/net/ssl/SSLSession/ResumeTLS13withSNI.java index 6bef0440702..2c3470b0336 100644 --- a/test/jdk/javax/net/ssl/SSLSession/ResumeTLS13withSNI.java +++ b/test/jdk/javax/net/ssl/SSLSession/ResumeTLS13withSNI.java @@ -93,11 +93,6 @@ public static void main(String args[]) throws Exception { System.setProperty("javax.net.debug", "ssl:handshake"); } - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { - keyFilename = Utils.revertJKSToPKCS12(keyFilename, "passphrase"); - trustFilename = Utils.revertJKSToPKCS12(trustFilename, "passphrase"); - } - KeyManagerFactory kmf = makeKeyManagerFactory(keyFilename, passphrase); TrustManagerFactory tmf = makeTrustManagerFactory(trustFilename, 
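Review bot: `initContext()` in `RenegotiateTLS13` now reads `javax.net.ssl.keyStore` at call time, so `new File(System.getProperty("javax.net.ssl.keyStore"))` throws a bare NullPointerException if the method runs before `main` has set the property. The visible `main` hunk does set it, so the current flow works, but the ordering dependency is implicit. A comment above the `KeyStore.getInstance` call such as `// javax.net.ssl.keyStore is set in main() to the (possibly PKCS12-converted) keystore path` would document it. Alternatively, read the property into a local and fail with a clear message when it is null. The body of `initContext()` extends beyond the hunk.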
diff --git a/test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java b/test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java index 03d212b61f9..6715eba5237 100644 --- a/test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java +++ b/test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java @@ -176,7 +176,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/SSLSession/SessionCacheSizeTests.java b/test/jdk/javax/net/ssl/SSLSession/SessionCacheSizeTests.java index 82d209cea7f..c73dbcf44e5 100644 --- a/test/jdk/javax/net/ssl/SSLSession/SessionCacheSizeTests.java +++ b/test/jdk/javax/net/ssl/SSLSession/SessionCacheSizeTests.java @@ -309,7 +309,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/SSLSession/SessionTimeOutTests.java b/test/jdk/javax/net/ssl/SSLSession/SessionTimeOutTests.java index d147ed158a6..33b614f49d9 100644 --- a/test/jdk/javax/net/ssl/SSLSession/SessionTimeOutTests.java +++ b/test/jdk/javax/net/ssl/SSLSession/SessionTimeOutTests.java 
@@ -336,7 +336,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java b/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java index 80f98781a95..c4aa2c915a9 100644 --- a/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java +++ b/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java @@ -169,7 +169,7 @@ private void failTest(Exception e, String message) { } public static void main(String[] args) throws Exception { - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); runCase(new String[] { "TLSv1" }, new String[] { "TLSv1" }, diff --git a/test/jdk/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java b/test/jdk/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java index 50013f56c8b..0bca9ccbba0 100644 --- a/test/jdk/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java +++ b/test/jdk/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java @@ -175,7 +175,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/ServerName/SSLEngineExplorer.java b/test/jdk/javax/net/ssl/ServerName/SSLEngineExplorer.java index 8ef17483cec..4a3ad7efd57 100644 
--- a/test/jdk/javax/net/ssl/ServerName/SSLEngineExplorer.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLEngineExplorer.java @@ -253,7 +253,7 @@ private static void parseArguments(String[] args) { public static void main(String args[]) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketConsistentSNI.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketConsistentSNI.java index 4d4da348acb..766a75b8b9a 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketConsistentSNI.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketConsistentSNI.java @@ -222,7 +222,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorer.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorer.java index 619148fcaaa..cd0f0fc179b 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorer.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorer.java @@ -241,7 +241,7 @@ private static void parseArguments(String[] args) { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } 
@@ -252,7 +252,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java index 154b22095ba..a1c0c4d873f 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java @@ -237,7 +237,7 @@ private static void parseArguments(String[] args) { volatile Exception clientException = null; public static void main(String[] args) throws Exception { - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); Security.setProperty("jdk.certpath.disabledAlgorithms", ""); } diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java index 01f733efb45..c05a454f902 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java @@ -295,7 +295,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } 
diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java index 56eb284c88e..40b39ba9267 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java @@ -272,7 +272,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java index 1584c8caa88..7897b9825e0 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java @@ -255,7 +255,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java index 7c0c44de57e..28f75802608 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java @@ -254,6 +254,8 @@ public class SSLSocketSNISensitive { */ static boolean debug = false; + static String[] signatureAlgos = new String[5]; + /* * Define the server side of the test. * 
@@ -366,7 +368,7 @@ private static void parseArguments(String[] args) { clientRequestedHostname = args[1]; } - private static void printCert(String trustedCertStr) { + private static void printCert(String trustedCertStr, int index) { try { // Remove the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines and any whitespace String cleanedCert = trustedCertStr.replace("-----BEGIN CERTIFICATE-----", "") @@ -391,6 +393,7 @@ private static void printCert(String trustedCertStr) { System.out.println("Signature Algorithm: " + cert.getSigAlgName()); System.out.println("Version: " + cert.getVersion()); + signatureAlgos[index] = cert.getSigAlgName(); } catch (Exception e) { e.printStackTrace(); } @@ -470,7 +473,7 @@ private static SSLContext generateSSLContext(boolean isClient) public static void main(String[] args) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); Security.setProperty("jdk.tls.disabledAlgorithms", 
@@ -486,19 +489,34 @@ public static void main(String[] args) throws Exception { parseArguments(args); System.out.println("Now printing trustedCertStr=================="); - printCert(trustedCertStr); + printCert(trustedCertStr, 0); System.out.println("Now printing targetCertStr_A=================="); - printCert(targetCertStr_A); + printCert(targetCertStr_A, 1); System.out.println("Now printing targetCertStr_B=================="); - printCert(targetCertStr_B); + printCert(targetCertStr_B, 2); System.out.println("Now printing targetCertStr_C=================="); - printCert(targetCertStr_C); + printCert(targetCertStr_C, 3); System.out.println("Now printing targetCertStr_D=================="); - printCert(targetCertStr_D); + printCert(targetCertStr_D, 4); /* * Start the tests. */ - new SSLSocketSNISensitive(); + try { + new SSLSocketSNISensitive(); + } catch (Exception e) { + if (Utils.isFIPS()) { + for (int i=0; i is caught."); + return; + } + } + } + e.printStackTrace(); + return; + } } Thread clientThread = null; diff --git a/test/jdk/javax/net/ssl/TLS/CipherTestUtils.java b/test/jdk/javax/net/ssl/TLS/CipherTestUtils.java index 8fffada9093..826faf50b69 100644 --- a/test/jdk/javax/net/ssl/TLS/CipherTestUtils.java +++ b/test/jdk/javax/net/ssl/TLS/CipherTestUtils.java @@ -74,7 +74,7 @@ public class CipherTestUtils { public static final SecureRandom secureRandom = new SecureRandom(); public static char[] PASSWORD = "passphrase".toCharArray(); private static final List TESTS = new ArrayList<>(3); - private static final List EXCEPTIONS + public static final List EXCEPTIONS = Collections.synchronizedList(new ArrayList<>(1)); private static final String CLIENT_PUBLIC_KEY 
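Review bot: The new `catch (Exception e)` around `new SSLSocketSNISensitive()` in `main` ends with `e.printStackTrace(); return;`, so every exception from the test body, in FIPS mode or not, now ends in a normal exit and the test reports a pass. Only the FIPS branch that recognises an expected signature algorithm should return; the fall-through should be `throw e;` so that a broken SNI or handshake path still fails the run. The loop inside the FIPS branch is not fully legible in this rendering, but it appears to read `signatureAlgos`, whose entries stay `null` when `printCert` lands in its own `catch`, so a null check before using an entry looks necessary.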
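Review bot: Changing `EXCEPTIONS` from `private` to `public` in `CipherTestUtils` hands every test class the live, mutable list, so any caller can now clear or append to the record that decides whether a run failed. A read-only accessor would keep the field private and still serve the new caller in `TestJSSE`, for example a static getter whose body is `return List.copyOf(EXCEPTIONS);` with the list's declared element type. The rest of the class is outside this hunk, so check whether other code already relies on the field staying private.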
@@ -316,21 +316,6 @@ private CipherTestUtils() throws Exception { TLS_PROTOCOLS.add("TLSv1.2"); TLS_PROTOCOLS.add("TLSv1.3"); - TLS_CIPHERSUITES.put("TLS_AES_128_GCM_SHA256", "TLSv1.3"); - TLS_CIPHERSUITES.put("TLS_AES_256_GCM_SHA384", "TLSv1.3"); - TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); - factory = (SSLSocketFactory) SSLSocketFactory.getDefault(); KeyStore serverKeyStore = createServerKeyStore(SERVER_PUBLIC_KEY, SERVER_PRIVATE_KEY); diff --git a/test/jdk/javax/net/ssl/TLS/JSSEClient.java b/test/jdk/javax/net/ssl/TLS/JSSEClient.java index 00a8ad0671c..be2ea12f8ff 100644 --- a/test/jdk/javax/net/ssl/TLS/JSSEClient.java +++ b/test/jdk/javax/net/ssl/TLS/JSSEClient.java @@ -30,6 +30,7 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; +import java.util.*; class JSSEClient extends CipherTestUtils.Client { 
@@ -42,6 +43,8 @@ class JSSEClient extends CipherTestUtils.Client { private final String host; private final String protocol; + private static final Map TLS_CIPHERSUITES = new HashMap<>(); + JSSEClient(CipherTestUtils cipherTest, String host, int port, String protocols, String ciphersuite) throws Exception { super(cipherTest, ciphersuite); diff --git a/test/jdk/javax/net/ssl/TLS/TestJSSE.java b/test/jdk/javax/net/ssl/TLS/TestJSSE.java index 4af7557e206..69e487d14c4 100644 --- a/test/jdk/javax/net/ssl/TLS/TestJSSE.java +++ b/test/jdk/javax/net/ssl/TLS/TestJSSE.java @@ -21,6 +21,8 @@ * questions. */ +import java.lang.reflect.Field; + import java.util.List; import java.util.ArrayList; import java.util.Arrays; @@ -35,7 +37,6 @@ public class TestJSSE { private static final String LOCAL_IP = InetAddress.getLoopbackAddress().getHostAddress(); private static boolean isFIPS = Boolean.parseBoolean(System.getProperty("semeru.fips")); - private static String customProfile = System.getProperty("semeru.customprofile"); private static final Map TLS_CIPHERSUITES = new HashMap<>(); private static String checkIfProtocolIsUsedInCommonFIPS(String srvProtocol, String clnProtocol) { @@ -66,7 +67,7 @@ private static String checkIfProtocolIsUsedInCommonFIPS(String srvProtocol, Stri public static void main(String... args) throws Exception { // enable debug output - System.setProperty("javax.net.debug", "ssl,record"); + // System.setProperty("javax.net.debug", "ssl,record"); String srvProtocol = System.getProperty("SERVER_PROTOCOL"); String clnProtocol = System.getProperty("CLIENT_PROTOCOL"); 
@@ -74,10 +75,8 @@ public static void main(String... args) throws Exception { if (srvProtocol == null || clnProtocol == null || cipher == null) { throw new IllegalArgumentException("Incorrect parameters"); } - String contextProtocol = null; if (System.getProperty("jdk.tls.client.protocols") != null) { - System.setProperty("jdk.tls.client.protocols", contextProtocol); - clnProtocol = contextProtocol; + clnProtocol = System.getProperty("jdk.tls.client.protocols"); } System.out.println("ServerProtocol = " + srvProtocol); @@ -87,7 +86,7 @@ public static void main(String... args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. String protocolUsedInHandShake = null; - if (!(isFIPS && customProfile.equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(isFIPS)) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } else { TLS_CIPHERSUITES.put("TLS_AES_128_GCM_SHA256", "TLSv1.3"); 
@@ -96,33 +95,27 @@ public static void main(String... args) throws Exception { TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLSv1.2"); - TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); protocolUsedInHandShake = checkIfProtocolIsUsedInCommonFIPS(srvProtocol, clnProtocol); } try (CipherTestUtils.Server srv = server(srvProtocol, cipher, args)) { client(srv.getPort(), clnProtocol, cipher, args); } catch (Exception e) { - if (isFIPS && customProfile.equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { - System.out.println("1"); - if ((protocolUsedInHandShake == null - || !TLS_CIPHERSUITES.containsKey(cipher) - || !TLS_CIPHERSUITES.get(cipher).equals(protocolUsedInHandShake)) - && e instanceof javax.net.ssl.SSLHandshakeException - && "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(e.getMessage())) { - if (args.length >= 1 && args[0].equals("javax.net.ssl.SSLHandshakeException")) { - System.out.println("Expected exception msg: is caught"); - return; - } else { - System.out.println("Expected exception msg: is caught"); - return; + if (isFIPS) { + if (protocolUsedInHandShake == null || !TLS_CIPHERSUITES.containsKey(cipher) + || (protocolUsedInHandShake != null && !TLS_CIPHERSUITES.get(cipher).equals(protocolUsedInHandShake))) { + if 
(CipherTestUtils.EXCEPTIONS.get(0) instanceof javax.net.ssl.SSLHandshakeException) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(CipherTestUtils.EXCEPTIONS.get(0).getMessage())) { + if (args.length >= 1 && args[0].equals("javax.net.ssl.SSLHandshakeException")) { + System.out.println("Expected exception msg from client: is caught"); + } else { + System.out.println("Expected exception msg from client: is caught"); + } + } } } } diff --git a/test/jdk/javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java b/test/jdk/javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java index 8fffd1b6ffa..f3ffc3ddd14 100644 --- a/test/jdk/javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java +++ b/test/jdk/javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java @@ -63,7 +63,7 @@ public class ConcurrentClientAccessTest { public static void main(String[] args) throws Exception { String[] protocols = new String[]{"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"}; - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } else { protocols = new String[]{"TLSv1.3", "TLSv1.2"}; diff --git a/test/jdk/javax/net/ssl/TLSCommon/TLSTest.java b/test/jdk/javax/net/ssl/TLSCommon/TLSTest.java index bcd7249a95e..e2883ff98f6 100644 --- a/test/jdk/javax/net/ssl/TLSCommon/TLSTest.java +++ b/test/jdk/javax/net/ssl/TLSCommon/TLSTest.java @@ -165,7 +165,7 @@ public static void main(String[] args) throws Exception { String tlsProtocol = args[0]; final KeyType keyType = KeyType.valueOf(args[1]); String cipher = args[2]; - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } else { if (!SecurityUtils.TLS_PROTOCOLS.contains(tlsProtocol)) { 
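Review bot: In the rewritten `catch (Exception e)` of `TestJSSE.main`, `CipherTestUtils.EXCEPTIONS.get(0)` is called without checking that the list has an entry, so a failure that never reached that list throws `IndexOutOfBoundsException` from inside the handler and hides `e`. Guard the lookup with `!CipherTestUtils.EXCEPTIONS.isEmpty()` first. The old branches ended in `return;`, while the added lines only print, and both arms of the `args[0]` check print the same text. Whether `e` is rethrown afterwards depends on the closing lines, which cannot be told apart in this collapsed hunk, so please confirm that an unexpected exception still fails the test. The `protocolUsedInHandShake != null &&` in the third operand is redundant, because the first operand has already handled `null`.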
diff --git a/test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java b/test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java index bb9798e98b4..ced4d622f19 100644 --- a/test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java +++ b/test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java @@ -558,7 +558,7 @@ protected void runClientApplication(SSLSocket socket) throws Exception { } public static void main(String[] args) throws Exception { - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLSv1"); } certFac = CertificateFactory.getInstance("X.509"); @@ -569,7 +569,7 @@ public static void main(String[] args) throws Exception { testKeyManager(DEF_ALL_EE, "EdDSA", new String[] {"ee_ed25519", "ee_ed448"}); } catch (NoSuchAlgorithmException nsae) { - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { if ("EdDSA KeyFactory not available".equals(nsae.getMessage())){ System.out.println("Expected exception msg: is caught."); return; @@ -639,7 +639,7 @@ private static void testKeyManager(String keyStoreSpec, String keyType, private static void runtest(String testNameFmt, SessionChecker cliChk, Class cliExpExc, SessionChecker servChk, Class servExpExc) { - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { TEST_PROTOS = List.of( "TLSv1.3", "TLSv1.2"); } diff --git a/test/jdk/javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java b/test/jdk/javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java index bee914b82f5..b39056454c8 100644 --- a/test/jdk/javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java +++ b/test/jdk/javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java 
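Review bot: The guard in `runtest` looks inverted: `if (!(Utils.isFIPS())) { TEST_PROTOS = List.of("TLSv1.3", "TLSv1.2"); }` narrows the protocol list in the non-FIPS run, which is the run where `main` has just re-enabled `TLSv1.1` and `TLSv1` through `SecurityUtils.removeFromDisabledTlsAlgs`. If the intent is to restrict the FIPS run to TLSv1.3 and TLSv1.2, the condition should be `if (Utils.isFIPS()) {`. As written, the FIPS run keeps whatever `TEST_PROTOS` held before. The body of `runtest` continues outside the hunk, so the default value of `TEST_PROTOS` should be checked before changing this.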
@@ -60,7 +60,7 @@ public class TestSessionLocalPrincipal { public static void main(String[] args) throws Exception { String[] protocols = new String[]{"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"}; - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } else { protocols = new String[]{"TLSv1.3", "TLSv1.2"}; diff --git a/test/jdk/javax/net/ssl/TLSTest_java.security b/test/jdk/javax/net/ssl/TLSTest_java.security index 0463d0204ef..3b7b200d5fe 100644 --- a/test/jdk/javax/net/ssl/TLSTest_java.security +++ b/test/jdk/javax/net/ssl/TLSTest_java.security @@ -5,11 +5,6 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS.desc.name = Test-TLS OpenJCEPlusFIPS Cryptographic Module FIPS 140-3 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS.desc.default = false RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS.extends = RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3 -RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS.tls.disabledAlgorithms = + \ - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \ - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \ - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \ - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS.jce.provider.2 = sun.security.provider.Sun [+ \ {KeyStore, JKS, *}, \ diff --git a/test/jdk/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java b/test/jdk/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java index f0f78945f99..7741cde0efc 100644 --- a/test/jdk/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java +++ b/test/jdk/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java 
@@ -254,7 +254,7 @@ private void initialize() throws CertificateException { public static void main(String[] args) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); Security.setProperty("jdk.tls.disabledAlgorithms", @@ -282,7 +282,7 @@ public static void main(String[] args) throws Exception { try { new EmptyCertificateAuthorities(); } catch (javax.net.ssl.SSLHandshakeException sslhe) { - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { System.out.println("Expected exception msg: is caught"); return; diff --git a/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java b/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java index c289491d2cf..91a81be9765 100644 --- a/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java +++ b/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java @@ -176,7 +176,7 @@ void doClientSide() throws Exception { public static void main(String[] args) throws Exception { // Re-enable TLSv1.1 since test depends on it. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1"); } 
@@ -201,7 +201,7 @@ public static void main(String[] args) throws Exception { try { new GenericBlockCipher(); } catch (javax.net.ssl.SSLHandshakeException sslhe) { - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { System.out.println("Expected exception msg: is caught"); return; diff --git a/test/jdk/javax/net/ssl/TLSv11/GenericStreamCipher.java b/test/jdk/javax/net/ssl/TLSv11/GenericStreamCipher.java index a80d7cbd63c..6394e80c6fc 100644 --- a/test/jdk/javax/net/ssl/TLSv11/GenericStreamCipher.java +++ b/test/jdk/javax/net/ssl/TLSv11/GenericStreamCipher.java @@ -182,7 +182,7 @@ void doClientSide() throws Exception { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } @@ -207,7 +207,7 @@ public static void main(String[] args) throws Exception { try { new GenericStreamCipher(); } catch (javax.net.ssl.SSLHandshakeException sslhe) { - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { System.out.println("Expected exception msg: is caught"); return; diff --git a/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java b/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java index 2da55279adc..6de3768863b 100644 --- a/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java +++ b/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java 
@@ -178,7 +178,7 @@ protected ContextParameters getClientContextParameters() { volatile Exception clientException = null; public static void main(String[] args) throws Exception { - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.certpath.disabledAlgorithms", "DSA keySize < 1024"); Security.setProperty("jdk.tls.disabledAlgorithms", diff --git a/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java b/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java index ca712127e11..36e4c61aab6 100644 --- a/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java +++ b/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java @@ -67,7 +67,7 @@ public DisabledShortRSAKeys(String tmAlgorithm, String enabledProtocol) { @Override public SSLContext createClientSSLContext() throws Exception { - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { return createSSLContext(new Cert[]{Cert.CA_RSA_2048}, null, new ContextParameters(enabledProtocol, tmAlgorithm, "NewSunX509")); } else { @@ -78,7 +78,7 @@ public SSLContext createClientSSLContext() throws Exception { @Override public SSLContext createServerSSLContext() throws Exception { - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { return createSSLContext(new Cert[]{Cert.EE_RSA_2048}, null, new ContextParameters(enabledProtocol, tmAlgorithm, "NewSunX509")); } else { @@ -123,7 +123,7 @@ protected void runClientApplication(SSLSocket socket) throws Exception { } public static void main(String[] args) throws Exception { - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.certpath.disabledAlgorithms", "RSA keySize < 1024"); Security.setProperty("jdk.tls.disabledAlgorithms", 
diff --git a/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java b/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java index c68b72f5e34..152ac7aed87 100644 --- a/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java +++ b/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java @@ -94,7 +94,7 @@ void doServerSide() throws Exception { (SSLServerSocket) sslssf.createServerSocket(serverPort); // Only enable cipher suites for TLS v1.2. - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { sslServerSocket.setEnabledCipherSuites( new String[]{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}); } else { @@ -172,7 +172,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/TLSv12/ShortRSAKey512.java b/test/jdk/javax/net/ssl/TLSv12/ShortRSAKey512.java index 171d2e0cb08..c53ae0dd9b2 100644 --- a/test/jdk/javax/net/ssl/TLSv12/ShortRSAKey512.java +++ b/test/jdk/javax/net/ssl/TLSv12/ShortRSAKey512.java @@ -173,7 +173,7 @@ private static void parseArguments(String[] args) { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); Security.setProperty("jdk.tls.disabledAlgorithms", "SSLv3, RC4, DH keySize < 768"); 
@@ -193,7 +193,7 @@ public static void main(String[] args) throws Exception { try { new ShortRSAKey512(); } catch (java.security.spec.InvalidKeySpecException ikse) { - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { System.out.println("Inappropriate key specification: RSA keys must be at least 1024 bits long"); return; } diff --git a/test/jdk/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java b/test/jdk/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java index 0d5b8c8170e..d5b38ad67f1 100644 --- a/test/jdk/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java +++ b/test/jdk/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java @@ -199,7 +199,7 @@ protected ContextParameters getClientContextParameters() { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); Security.setProperty("jdk.tls.disabledAlgorithms", "SSLv3, RC4, DH keySize < 768"); @@ -214,7 +214,7 @@ public static void main(String[] args) throws Exception { */ parseArguments(args); - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { if (!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) { System.out.println(cipherSuite + " is not supported."); return; @@ -227,7 +227,7 @@ public static void main(String[] args) throws Exception { try { new ShortRSAKeyGCM(); } catch (java.security.spec.InvalidKeySpecException ikse) { - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { if ("Inappropriate key specification: RSA keys must be at least 1024 bits long".equals(ikse.getMessage())) { System.out.println("Expected exception msg: is caught"); return; 
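Review bot: In `ShortRSAKey512.main`, the `catch (java.security.spec.InvalidKeySpecException ikse)` branch now returns success for any `InvalidKeySpecException` under any FIPS profile, without looking at the message. `ShortRSAKeyGCM` (last hunk on this line) compares `ikse.getMessage()` with the expected text before returning. Doing the same here with `if ("Inappropriate key specification: RSA keys must be at least 1024 bits long".equals(ikse.getMessage()))` keeps an unrelated key-spec failure from being reported as a pass. The rest of the handler is outside the hunk.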
diff --git a/test/jdk/javax/net/ssl/TLSv12/SignatureAlgorithms.java b/test/jdk/javax/net/ssl/TLSv12/SignatureAlgorithms.java index 61e88181418..ac8c5d986ca 100644 --- a/test/jdk/javax/net/ssl/TLSv12/SignatureAlgorithms.java +++ b/test/jdk/javax/net/ssl/TLSv12/SignatureAlgorithms.java @@ -139,7 +139,7 @@ void doClientSide() throws Exception { } Cert[] trustedCerts; - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { trustedCerts = new Cert[]{Cert.CA_RSA_2048}; } else { trustedCerts = new Cert[]{Cert.CA_DSA_SHA1_1024}; @@ -273,7 +273,7 @@ public static void main(String[] args) throws Exception { return; } - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { /* * Expose the target algorithms by diabling unexpected algorithms. */ diff --git a/test/jdk/javax/net/ssl/TLSv13/ClientHelloKeyShares.java b/test/jdk/javax/net/ssl/TLSv13/ClientHelloKeyShares.java index bcbfcba0d83..bcc8950e9a6 100644 --- a/test/jdk/javax/net/ssl/TLSv13/ClientHelloKeyShares.java +++ b/test/jdk/javax/net/ssl/TLSv13/ClientHelloKeyShares.java 
@@ -76,29 +76,22 @@ public static void main(String args[]) throws Exception { List expectedKeyShares = new ArrayList<>(); Arrays.stream(args).forEach(arg -> expectedKeyShares.add(Integer.valueOf(arg))); - - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { - String namedGroups = System.getProperty("jdk.tls.namedGroups"); + if (Utils.isFIPS()) { expectedKeyShares.clear(); - if (namedGroups == null) { - expectedKeyShares.add(23); - expectedKeyShares.add(256); - } else if (namedGroups.equals("secp384r1,secp521r1,x448,ffdhe2048")){ - expectedKeyShares.add(24); - expectedKeyShares.add(256); - } else if (namedGroups.equals("sect163k1,sect163r1,x25519")){ - System.out.println("System property jdk.tls.namedGroups(sect163k1,sect163r1,x25519) contains no supported named groups"); - return; - } else if (namedGroups.equals("sect163k1,sect163r1,secp256r1")){ - expectedKeyShares.add(23); - } else if (namedGroups.equals("sect163k1,sect163r1,ffdhe2048,ffdhe3072,ffdhe4096")){ - expectedKeyShares.add(256); - } else if (namedGroups.equals("sect163k1,ffdhe2048,x25519,secp256r1")){ - expectedKeyShares.add(256); - expectedKeyShares.add(23); - } else if (namedGroups.equals("secp256r1,secp384r1,ffdhe2048,x25519")){ + Map supportKeyShares = new HashMap<>(); + supportKeyShares.put("secp256r1", 23); + supportKeyShares.put("secp384r1", 24); + supportKeyShares.put("secp521r1", 25); + + if (System.getProperty("jdk.tls.namedGroups") == null) { expectedKeyShares.add(23); - expectedKeyShares.add(256); + } else { + for (String nameGroup: System.getProperty("jdk.tls.namedGroups").split(",")) { + if (supportKeyShares.containsKey(nameGroup)) { + expectedKeyShares.add(supportKeyShares.get(nameGroup)); + break; + } + } } } 
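Review bot: The new FIPS branch looks up each entry of `System.getProperty("jdk.tls.namedGroups").split(",")` in `supportKeyShares` without trimming, so a value written as `x25519, secp256r1` (constructed example) finds no match. In that case `expectedKeyShares` stays empty after `clear()`. Read the property once into a local and use `supportKeyShares.containsKey(nameGroup.trim())` for the lookup. If an empty expectation is meant to stand for the "no supported named groups" case, say so in a comment, because that case is otherwise only recognised by the `engine.wrap` error handler added in a later hunk.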
@@ -111,7 +104,19 @@ public static void main(String args[]) throws Exception { ByteBuffer.allocateDirect(session.getPacketBufferSize()); // Create and check the ClientHello message - SSLEngineResult clientResult = engine.wrap(clientOut, cTOs); + SSLEngineResult clientResult = null; + try { + clientResult = engine.wrap(clientOut, cTOs); + } catch (java.lang.ExceptionInInitializerError eiie) { + Throwable cause = eiie.getCause(); + if (cause instanceof java.lang.IllegalArgumentException) { + if (Utils.isFIPS() + && ("System property jdk.tls.namedGroups(" + System.getProperty("jdk.tls.namedGroups") + ") contains no supported named groups").equals(cause.getMessage())) { + System.out.println("Expected msg is caught."); + return; + } + } + } logResult("client wrap: ", clientResult); if (clientResult.getStatus() != SSLEngineResult.Status.OK) { throw new RuntimeException("Client wrap got status: " + @@ -184,6 +189,7 @@ private static void checkClientHello(ByteBuffer data, int ver_major = Byte.toUnsignedInt(data.get()); int ver_minor = Byte.toUnsignedInt(data.get()); int recLen = Short.toUnsignedInt(data.getShort()); + System.out.println("TLS record header length: " + recLen); // Simple sanity checks if (type != 22) { @@ -198,6 +204,7 @@ private static void checkClientHello(ByteBuffer data, int msgHdr = data.getInt(); int msgType = (msgHdr >> 24) & 0x000000FF; int msgLen = msgHdr & 0x00FFFFFF; + System.out.println("handshake message header length: " + msgLen); // More simple sanity checks if (msgType != 1) { 
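Review bot: The `catch (java.lang.ExceptionInInitializerError eiie)` added around `engine.wrap(clientOut, cTOs)` returns only for the expected FIPS message and otherwise drops the error. Execution then continues to `logResult("client wrap: ", clientResult)` and `clientResult.getStatus()` with `clientResult` still `null`, so the real cause is replaced by a `NullPointerException`. End the handler with `throw eiie;` after the FIPS check so that any other initialisation failure surfaces with its original stack trace. The `System.out.println` lines added to `checkClientHello` in the following hunks read as temporary debug output and could be dropped or put behind the test's existing logging helper.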
@@ -210,18 +217,21 @@ private static void checkClientHello(ByteBuffer data, // Jump past the session ID (if there is one) int sessLen = Byte.toUnsignedInt(data.get()); if (sessLen != 0) { + System.out.println("session ID is not null, length is: " + sessLen); data.position(data.position() + sessLen); } // Jump past the cipher suites int csLen = Short.toUnsignedInt(data.getShort()); if (csLen != 0) { + System.out.println("cipher suites ID is not null, length is: " + csLen); data.position(data.position() + csLen); } // ...and the compression int compLen = Byte.toUnsignedInt(data.get()); if (compLen != 0) { + System.out.println("compression is not null, length is: " + compLen); data.position(data.position() + compLen); } @@ -231,22 +241,26 @@ private static void checkClientHello(ByteBuffer data, boolean foundSupVer = false; boolean foundKeyShare = false; int extsLen = Short.toUnsignedInt(data.getShort()); + System.out.println("extsLen is: " + extsLen); List supGrpList = new ArrayList<>(); List chKeyShares = new ArrayList<>(); while (data.hasRemaining()) { int extType = Short.toUnsignedInt(data.getShort()); int extLen = Short.toUnsignedInt(data.getShort()); boolean foundTLS13 = false; + System.out.println("extension type is: " + extType); switch (extType) { case HELLO_EXT_SUPP_GROUPS: + System.out.println("This extType is HELLO_EXT_SUPP_GROUPS. extension type is: " + extType); int supGrpLen = Short.toUnsignedInt(data.getShort()); for (int remain = supGrpLen; remain > 0; remain -= 2) { supGrpList.add(Short.toUnsignedInt(data.getShort())); } break; case HELLO_EXT_SUPP_VERS: + System.out.println("This extType is HELLO_EXT_SUPP_VERS. extension type is: " + extType); foundSupVer = true; - int supVerLen = Byte.toUnsignedInt(data.get()); + int supVerLen = Byte.toUnsignedInt(data.get()); // 04 for (int remain = supVerLen; remain > 0; remain -= 2) { foundTLS13 |= (Short.toUnsignedInt(data.getShort()) == TLS_PROT_VER_13); 
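Review bot: The trailing `// 04` on `int supVerLen` in the `HELLO_EXT_SUPP_VERS` case records one value seen while debugging, and it reads as if the length were fixed. Replace it with `// length in bytes of the supported_versions list`, or drop it. The added `System.out.println` calls in `checkClientHello` print the extension type once before the `switch` and again in each case, so one of the two can go. The messages that say a length "is not null" would read better as "is not empty". `checkClientHello` starts and ends outside the hunk.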
@@ -258,6 +272,7 @@ private static void checkClientHello(ByteBuffer data, } break; case HELLO_EXT_KEY_SHARE: + System.out.println("This extType is HELLO_EXT_KEY_SHARE. extension type is: " + extType); foundKeyShare = true; int ksListLen = Short.toUnsignedInt(data.getShort()); System.out.println("ksListLen before while-loop is: " + ksListLen); diff --git a/test/jdk/javax/net/ssl/TLSv13/HRRKeyShares.java b/test/jdk/javax/net/ssl/TLSv13/HRRKeyShares.java index 25ba7504793..cf5ab2224b4 100644 --- a/test/jdk/javax/net/ssl/TLSv13/HRRKeyShares.java +++ b/test/jdk/javax/net/ssl/TLSv13/HRRKeyShares.java @@ -312,7 +312,7 @@ private static void hrrKeyShareTest(int hrrNamedGroup, boolean expectedPass) if (!initialCh.suppVersions.contains(TLS_PROT_VER_13)) { throw new RuntimeException( "Missing TLSv1.3 protocol in supported_versions"); - } else if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) && + } else if (!(Utils.isFIPS()) && (!initialCh.keyShares.containsKey(NG_X25519) || !initialCh.keyShares.containsKey(NG_SECP256R1))) { throw new RuntimeException( diff --git a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java index 361db15efd3..aef00a6e65a 100644 --- a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java +++ b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java @@ -133,7 +133,7 @@ public static void main(String[] args) throws Exception { checkFailure(disabled_ciphersuites); break; case "empty": - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { return; } // reset jdk.tls.disabledAlgorithms diff --git a/test/jdk/javax/net/ssl/finalize/SSLSessionFinalizeTest.java b/test/jdk/javax/net/ssl/finalize/SSLSessionFinalizeTest.java index 79d7fb56e33..261e287da18 100644 --- a/test/jdk/javax/net/ssl/finalize/SSLSessionFinalizeTest.java 
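Review bot: With the guard in `hrrKeyShareTest` reduced to `!(Utils.isFIPS())`, a FIPS run makes no assertion about the key shares in the initial ClientHello and passes whatever groups are offered. If the FIPS default is a single secp256r1 share, as `expectedKeyShares.add(23)` elsewhere in this patch suggests, add a FIPS branch such as `} else if (Utils.isFIPS() && !initialCh.keyShares.containsKey(NG_SECP256R1)) {` that throws the same kind of `RuntimeException`. The function body starts and ends outside the hunk, so confirm no later check already covers this.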
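Review bot: The `"empty"` case in `DisabledAlgorithms.main` now returns silently for every FIPS run, so the result is reported as a pass with no trace that the scenario was skipped. Print the reason before returning, for example `System.out.println("Skipping 'empty': jdk.tls.disabledAlgorithms is not reset in FIPS mode");`, matching the "is not supported in FIPS 140-3." messages other tests in this patch print. The wording is inferred from the `// reset jdk.tls.disabledAlgorithms` comment that follows, so adjust it to the actual reason.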
+++ b/test/jdk/javax/net/ssl/finalize/SSLSessionFinalizeTest.java @@ -201,7 +201,7 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - if ((Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); } diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java index 3412217763e..09a36ced12c 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java @@ -279,7 +279,7 @@ public static void main(String[] args) throws Exception { String[] SUPPORTED; String[] FIPS; - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { ENABLED = ENABLED_FIPS; SUPPORTED = SUPPORTED_FIPS; } else if (args[0].equals("default")) { diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java index 24648673938..c43279527f8 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java 
@@ -78,12 +78,12 @@ public class SystemPropCipherSuitesOrder extends SSLSocketTemplate { private final String protocol; - private static String[] servercipherSuites; - private static String[] clientcipherSuites; + private static String[] servercipherSuites = null; + private static String[] clientcipherSuites = null; public static void main(String[] args) { - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { // if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { // System.out.println(args[0] + " is not supported in FIPS 140-3."); // return; @@ -106,8 +106,13 @@ public static void main(String[] args) { } } } - servercipherSuites = tmpServer.toArray(new String[0]); - clientcipherSuites = tmpClient.toArray(new String[0]); + if (tmpClient.size() != 0) { + clientcipherSuites = tmpClient.toArray(new String[0]); + } + if (tmpServer.size() != 0) { + servercipherSuites = tmpServer.toArray(new String[0]); + } + } else { servercipherSuites = toArray(System.getProperty("jdk.tls.server.cipherSuites")); @@ -120,6 +125,16 @@ public static void main(String[] args) { try { new SystemPropCipherSuitesOrder(args[0]).run(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (Utils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0]) + || (servercipherSuites == null && clientcipherSuites == null)) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught."); + return; + } + } + } } catch (Exception e) { throw new RuntimeException(e); } 
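Review bot: The new `catch (javax.net.ssl.SSLHandshakeException sslhe)` in `main` swallows every handshake failure that is not the expected FIPS case. Outside FIPS, or when the protocol, cipher-suite or message condition does not hold, control falls out of the catch and the test passes. Before the patch the same exception reached `catch (Exception e)` and was rethrown. Add `throw new RuntimeException(sslhe);` as the last statement of the new catch block. The commented-out `TLS_PROTOCOLS` check left at the top of the FIPS branch should be deleted or replaced by a comment that points to this catch.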
@@ -129,7 +144,7 @@ private SystemPropCipherSuitesOrder(String protocol) { this.protocol = protocol; // Re-enable protocol if disabled. if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) { - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS"))) { + if (!(Utils.isFIPS())) { SecurityUtils.removeFromDisabledTlsAlgs(protocol); } } diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java index f20c87950eb..87371ae3122 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java @@ -60,7 +60,7 @@ public class TLSCipherSuitesOrder extends SSLSocketTemplate { public static void main(String[] args) { PROTOCOL protocol = PROTOCOL.valueOf(args[0]); - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { System.out.println(args[0] + " is not supported in FIPS 140-3."); return; diff --git a/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java b/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java index fb41a704027..179ab260d5a 100644 --- a/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java +++ b/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java @@ -39,7 +39,7 @@ public class ClientJSSEServerJSSE { public static void main(String[] args) throws Exception { // reset security properties to make sure that the algorithms // and keys used in this test are not disabled. - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); Security.setProperty("jdk.certpath.disabledAlgorithms", ""); } 
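Review bot: The guard in the `SystemPropCipherSuitesOrder` constructor changes behaviour more than the other hunks do, and it needs a comment. The old guard compared the profile with `"OpenJCEPlusFIPS"` instead of the full profile string used elsewhere, so TLSv1 and TLSv1.1 were apparently still re-enabled under the existing FIPS profile, and now they are not. Suggested comment: `// FIPS: keep TLSv1/TLSv1.1 disabled; main() treats the resulting handshake failure as expected`. The extra parentheses can also go: `if (!Utils.isFIPS()) {`.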
diff --git a/test/jdk/javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java b/test/jdk/javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java index fe877efcfa2..8a4e9e6afe1 100644 --- a/test/jdk/javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java +++ b/test/jdk/javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java @@ -49,7 +49,7 @@ public static void test(String protocol) throws Exception { String providerName = mySSLContext.getProvider().getName(); if (!providerName.equals("TestJSSEPluggability")) { - if (!(Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (!(Utils.isFIPS())) { System.out.println(providerName + "'s SSLContext is used"); throw new Exception("...used the wrong provider: " + providerName); } else { @@ -123,7 +123,7 @@ public static void main(String[] argv) throws Exception { try { test(protocols[i]); } catch (java.lang.IllegalStateException ise) { - if (Utils.isFIPS() && Utils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS")) { + if (Utils.isFIPS()) { if (protocols[i].equals("SSL") && "SSLContext is not initialized".equals(ise.getMessage())) { System.out.println("SSL is not supported in FIPS140-3."); continue; diff --git a/test/jdk/javax/net/ssl/templates/TLSBase.java b/test/jdk/javax/net/ssl/templates/TLSBase.java index d8a26efff7d..38557a0550c 100644 --- a/test/jdk/javax/net/ssl/templates/TLSBase.java +++ b/test/jdk/javax/net/ssl/templates/TLSBase.java @@ -72,7 +72,7 @@ abstract public class TLSBase { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - if ((NetSslUtils.isFIPS() && NetSslUtils.getFipsProfile().equals("OpenJCEPlusFIPS.FIPS140-3-Test-TLS"))) { + if (NetSslUtils.isFIPS()) { keyFilename = NetSslUtils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = NetSslUtils.revertJKSToPKCS12(trustFilename, passwd); }
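Review bot: In `CheckSSLContextExport.test`, a provider other than `TestJSSEPluggability` is now tolerated for every FIPS run, which weakens the one assertion this pluggability test exists for. The `else` branch lies outside the hunk, so confirm that it compares `providerName` with the provider expected in FIPS mode and does not accept any name. If it does not, add that comparison and throw the same "...used the wrong provider" exception on mismatch.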