From 8a57641d3bb466ef3c6072d44f63f47d734872a7 Mon Sep 17 00:00:00 2001 From: Tao Liu Date: Sun, 11 Sep 2022 12:26:47 -0400 Subject: [PATCH 1/2] Java Restricted Security Mode Signed-off-by: Tao Liu --- .../internal/security/FIPSConfigurator.java | 159 ---- .../RestrictedSecurityConfigurator.java | 320 ++++++++ .../RestrictedSecurityProperties.java | 697 ++++++++++++++++++ .../share/classes/java/security/Provider.java | 16 + .../classes/java/security/SecureRandom.java | 43 +- .../share/classes/java/security/Security.java | 12 +- .../classes/java/util/ServiceLoader.java | 33 + .../sun/security/jca/ProviderConfig.java | 15 + .../sun/security/provider/SunEntries.java | 458 +++++------- .../share/conf/security/java.security | 52 ++ .../sun/security/pkcs11/SunPKCS11.java | 12 +- .../sun/security/pkcs11/wrapper/PKCS11.java | 10 +- .../share/classes/sun/security/ec/SunEC.java | 203 ++--- 13 files changed, 1451 insertions(+), 579 deletions(-) delete mode 100644 closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java create mode 100644 closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java create mode 100644 closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityProperties.java diff --git a/closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java b/closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java deleted file mode 100644 index 395d8138c96..00000000000 --- a/closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java +++ /dev/null @@ -1,159 +0,0 @@ -/* - * =========================================================================== - * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved - * =========================================================================== - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * IBM designates this particular file as subject to the "Classpath" exception - * as provided by IBM in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, see . - * - * =========================================================================== - */ - -package openj9.internal.security; - -import java.util.Iterator; -import java.util.Map.Entry; -import java.util.Properties; -import java.security.AccessController; -import java.security.PrivilegedAction; - -import sun.security.util.Debug; - -/** - * Configures the security providers when in FIPS mode. - */ -public final class FIPSConfigurator { - - private static final Debug debug = Debug.getInstance("semerufips"); - - // FIPS mode enable check, only supported on Linux x64. - private static final boolean userEnabledFIPS; - private static final boolean isFIPSSupported; - private static final boolean shouldEnableFIPS; - - static { - String[] props = AccessController.doPrivileged( - new PrivilegedAction<>() { - @Override - public String[] run() { - return new String[] {System.getProperty("semeru.fips"), - System.getProperty("os.name"), - System.getProperty("os.arch")}; - } - }); - userEnabledFIPS = Boolean.parseBoolean(props[0]); - isFIPSSupported = "Linux".equalsIgnoreCase(props[1]) - && "amd64".equalsIgnoreCase(props[2]); - shouldEnableFIPS = userEnabledFIPS && isFIPSSupported; - } - - private FIPSConfigurator() { - super(); - } - - /** - * FIPS mode will be enabled only if the semeru.fips system - * property is true (default as false). - * - * @return true if FIPS is enabled - */ - public static boolean enableFips() { - return shouldEnableFIPS; - } - - /** - * Remove the security providers and only add the FIPS security providers. - * - * @param props the java.security properties - * @return true if the FIPS properties loaded successfully - */ - public static boolean configureFIPS(Properties props) { - boolean loadedProps = false; - - // Check if FIPS is supported on this platform. - if (userEnabledFIPS && !isFIPSSupported) { - throw new RuntimeException("FIPS is not supported on this platform."); - } - - try { - if (shouldEnableFIPS) { - if (debug != null) { - debug.println("FIPS mode detected, loading properties"); - } - - // Remove all security providers. - Iterator> i = props.entrySet().iterator(); - while (i.hasNext()) { - Entry e = i.next(); - if (((String) e.getKey()).startsWith("security.provider")) { - if (debug != null) { - debug.println("Removing provider: " + e); - } - i.remove(); - } - } - - // Add FIPS security providers. - props.put("security.provider.1", "SunPKCS11 ${java.home}/conf/security/nss.fips.cfg"); - props.put("security.provider.2", "SUN"); - props.put("security.provider.3", "SunEC"); - props.put("security.provider.4", "SunJSSE"); - - // Add FIPS security properties. - props.put("keystore.type", "PKCS11"); - System.setProperty("javax.net.ssl.keyStore", "NONE"); - - // Add FIPS disabled algorithms. - String disabledAlgorithms = props.get("jdk.tls.disabledAlgorithms") - + ", X25519, X448" - + ", SSLv3, TLSv1, TLSv1.1" - + ", TLS_CHACHA20_POLY1305_SHA256" - + ", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" - + ", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" - + ", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" - + ", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" - + ", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA" - + ", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" - + ", TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256" - + ", TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256" - + ", TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" - + ", TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256" - + ", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - + ", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" - + ", TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" - + ", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" - + ", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" - + ", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - + ", TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - + ", TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; - props.put("jdk.tls.disabledAlgorithms", disabledAlgorithms); - - if (debug != null) { - debug.println("FIPS mode properties loaded"); - debug.println(props.toString()); - } - - loadedProps = true; - } - } catch (Exception e) { - if (debug != null) { - debug.println("Unable to load FIPS configuration"); - e.printStackTrace(); - } - } - return loadedProps; - } -} diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java new file mode 100644 index 00000000000..6ff528b4f02 --- /dev/null +++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java @@ -0,0 +1,320 @@ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved + * =========================================================================== + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * IBM designates this particular file as subject to the "Classpath" exception + * as provided by IBM in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, see . + * + * =========================================================================== + */ +package openj9.internal.security; + +import java.security.AccessController; +import java.security.PrivilegedAction; +import java.time.LocalDate; +import java.time.format.DateTimeFormatter; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.Map.Entry; +import java.util.Properties; + +import sun.security.util.Debug; + +/** + * Configures the security providers when in restricted security mode. + */ +public final class RestrictedSecurityConfigurator { + + private static final Debug debug = Debug.getInstance("semerufips"); + + // Restricted security mode enable check, only supported on Linux x64. + private static final boolean userEnabledFIPS; + private static final boolean userEnabledSecurity; + private static final boolean isSecuritySupported; + private static final boolean shouldEnableSecurity; + private static final String userSecuritySetting; + + private static boolean securityEnabled = false; + + private static int userSecurityNum = 0; + private static boolean userSecurityTrace; + private static boolean userSecurityAudit; + private static boolean userSecurityHelp; + + private static final List supportPlatforms = List.of("amd64"); + + static { + String[] props = AccessController.doPrivileged( + new PrivilegedAction<>() { + @Override + public String[] run() { + return new String[] { System.getProperty("semeru.fips"), + System.getProperty("semeru.restrictedsecurity"), + System.getProperty("os.name"), + System.getProperty("os.arch") }; + } + }); + userEnabledFIPS = Boolean.parseBoolean(props[0]); + // If semeru.fips is true, then ignore semeru.restrictedsecurity, use userSecurityNum 1. + userSecuritySetting = userEnabledFIPS ? "1" : props[1]; + userEnabledSecurity = !isNullOrBlank(userSecuritySetting); + isSecuritySupported = "Linux".equalsIgnoreCase(props[2]) + && supportPlatforms.contains(props[3]); + shouldEnableSecurity = (userEnabledFIPS || userEnabledSecurity) && isSecuritySupported; + } + + private RestrictedSecurityConfigurator() { + super(); + } + + /** + * Restricted security mode will be enabled only if the semeru.fips system + * property is true (default as false). + * + * @return true if restricted security is enabled + */ + public static boolean isEnabled() { + return securityEnabled; + } + + /** + * Remove the security providers and only add the restricted security providers. + * + * @param props the java.security properties + * @return true if the restricted security properties loaded successfully + */ + public static boolean configure(Properties props) { + + // Check if restricted security is supported on this platform. + if ((userEnabledFIPS || userEnabledSecurity) && !isSecuritySupported) { + new RuntimeException("Restricted security mode is not supported on this platform.") + .printStackTrace(); + System.exit(1); + } + + try { + if (shouldEnableSecurity) { + if (debug != null) { + debug.println("Restricted security mode detected, loading..."); + } + + // Read and set user restricted security settings. + initUserSetting(); + + // Initialize the restricted security properties from java.security file. + RestrictedSecurityProperties restricts = RestrictedSecurityProperties.createInstance(userSecurityNum, + props, userSecurityTrace, userSecurityAudit, userSecurityHelp); + restricts.init(); + + // Check if the SunsetDate expired. + if (isPolicySunset(restricts.getDescSunsetDate())) { + new RuntimeException("Restricted security policy expired.").printStackTrace(); + System.exit(1); + } + + // Check secure random settings. + if (isNullOrBlank(restricts.getJdkSecureRandomProvider()) + || isNullOrBlank(restricts.getJdkSecureRandomAlgorithm())) { + new RuntimeException("Restricted security mode secure random is null.") + .printStackTrace(); + System.exit(1); + } + + // Remove all security providers. + Iterator> i = props.entrySet().iterator(); + while (i.hasNext()) { + Entry e = i.next(); + if (((String) e.getKey()).startsWith("security.provider")) { + if (debug != null) { + debug.println("Removing provider: " + e); + } + i.remove(); + } + } + + // Add restricted security providers. + setProviders(props, restricts.getProviders()); + + // Add restricted security Properties. + setProperties(props, restricts); + + if (debug != null) { + debug.println("Restricted security mode loaded."); + debug.println("Restricted security mode properties: " + props.toString()); + } + + securityEnabled = true; + } + + } catch (Exception e) { + if (debug != null) { + debug.println("Unable to load restricted security mode configurations."); + } + e.printStackTrace(); + } + return securityEnabled; + } + + /** + * Load user restricted security settings from system property. + */ + private static void initUserSetting() { + + if (debug != null) { + debug.println("Loading user restricted security settings."); + } + + String[] inputs = userSecuritySetting.split(","); + + // For input ",," + if (inputs.length == 0) { + new RuntimeException("user restricted security setting " + userSecuritySetting + " incorrect.") + .printStackTrace(); + System.exit(1); + } + + for (String input : inputs) { + String in = input.trim(); + if (in.equalsIgnoreCase("audit")) { + userSecurityAudit = true; + } else if (in.equalsIgnoreCase("help")) { + userSecurityHelp = true; + } else if (in.equalsIgnoreCase("trace")) { + userSecurityTrace = true; + } else { + try { + userSecurityNum = Integer.parseInt(in); + } catch (NumberFormatException e) { + new RuntimeException("user restricted security setting " + userSecuritySetting + " incorrect.") + .printStackTrace(); + System.exit(1); + } + } + } + + if (debug != null) { + debug.println("Loaded user restricted security settings, with userSecurityNum: " + + String.valueOf(userSecurityNum) + " userSecurityTrace: " + userSecurityTrace + + " userSecurityAudit: " + userSecurityAudit + " userSecurityHelp: " + userSecurityHelp); + } + } + + /** + * Add restricted security providers. + * + * @param providers the provider name array + */ + private static void setProviders(Properties props, ArrayList providers) { + + if (debug != null) { + debug.println("Adding restricted security provider."); + } + + int pNum = 1; + for (String provider : providers) { + props.setProperty("security.provider." + pNum, provider); + pNum ++; + if (debug != null) { + debug.println("Added restricted security provider: " + provider); + } + } + } + + /** + * Add restricted security properties. + * + * @param props the java.security properties + */ + private static void setProperties(Properties props, RestrictedSecurityProperties properties) { + + if (debug != null) { + debug.println("Adding restricted security properties."); + } + + Map propsMapping = new HashMap<>(); + + // JDK properties name as Key, restricted security properties vaule as value. + propsMapping.put("jdk.tls.disabledNamedCurves", properties.getJdkTlsDisabledNamedCurves()); + propsMapping.put("jdk.tls.disabledAlgorithms", properties.getJdkTlsDisabledAlgorithms()); + propsMapping.put("jdk.tls.ephemeralDHKeySize", properties.getJdkTlsDphemeralDHKeySize()); + propsMapping.put("jdk.tls.legacyAlgorithms", properties.getJdkTlsLegacyAlgorithms()); + propsMapping.put("jdk.certpath.disabledAlgorithms", properties.getJdkCertpathDisabledAlgorithms()); + propsMapping.put("jdk.security.legacyAlgorithm", properties.getJdkSecurityLegacyAlgorithm()); + + for (Map.Entry entry : propsMapping.entrySet()) { + String jdkPropsName = entry.getKey(); + String propsNewValue = entry.getValue(); + + String propsOldValue = !isNullOrBlank(props.getProperty(jdkPropsName)) ? props.getProperty(jdkPropsName) : ""; + + if (!isNullOrBlank(propsNewValue)) { + String values = !isNullOrBlank(propsOldValue) ? propsOldValue + ", " + propsNewValue : propsNewValue; + props.setProperty(jdkPropsName, values); + if (debug != null) { + debug.println("Added restricted security properties, with property: " + jdkPropsName + " values: " + + values); + } + } + } + + // For keyStore and keystore.type, old value not needed, just set the new value. + if (!isNullOrBlank(properties.getKeyStoreType())) { + props.setProperty("keystore.type", properties.getKeyStoreType()); + } + if (!isNullOrBlank(properties.getKeyStore())) { + System.setProperty("javax.net.ssl.keyStore", properties.getKeyStore()); + } + } + + /** + * Check if restricted security policy sunset. + * + * @param descSunsetDate the sun set date from java.security + * @return true if the restricted security policy sunset + */ + private static boolean isPolicySunset(String descSunsetDate) { + + boolean isSunset = false; + try { + isSunset = LocalDate.parse(descSunsetDate, DateTimeFormatter.ofPattern("yyyy-MM-dd")) + .isBefore(LocalDate.now()); + } catch (Exception except) { + new RuntimeException( + "Restricted security policy sunset date is inccorect, the correct format is yyyy-MM-dd.") + .printStackTrace(); + System.exit(1); + } + + if (debug != null) { + debug.println("Restricted security policy is sunset: " + isSunset); + } + return isSunset; + } + + /** + * Check if the input string is null and empty. + * + * @param string the input string + * @return true if the input string is null and emtpy + */ + private static boolean isNullOrBlank(String string) { + return (string == null) || string.isBlank(); + } +} diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityProperties.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityProperties.java new file mode 100644 index 00000000000..59054b7e44a --- /dev/null +++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityProperties.java @@ -0,0 +1,697 @@ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved + * =========================================================================== + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * IBM designates this particular file as subject to the "Classpath" exception + * as provided by IBM in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, see . + * + * =========================================================================== + */ + +package openj9.internal.security; + +import java.security.Provider.Service; +import java.util.ArrayDeque; +import java.util.ArrayList; +import java.util.Deque; +import java.util.HashMap; +import java.util.Map; +import java.util.NoSuchElementException; +import java.util.Properties; + +import sun.security.util.Debug; + +public final class RestrictedSecurityProperties { + + private static final Debug debug = Debug.getInstance("semerufips"); + + private static RestrictedSecurityProperties instance; + + private static String descName; + private static String descNumber; + private static String descPolicy; + private static String descSunsetDate; + + // Security properties. + private static String jdkTlsDisabledNamedCurves; + private static String jdkTlsDisabledAlgorithms; + private static String jdkTlsDphemeralDHKeySize; + private static String jdkTlsLegacyAlgorithms; + private static String jdkCertpathDisabledAlgorithms; + private static String jdkSecurityLegacyAlgorithm; + private static String keyStoreType; + private static String keyStore; + + // For Secure Random. + private static String jdkSecureRandomProvider; + private static String jdkSecureRandomAlgorithm; + + // Provider with argument (provider name + optional argument). + private static ArrayList providers = new ArrayList();; + // Provider without argument. + private static ArrayList providersSN = new ArrayList();; + // Constraints for each provider. Key is the Provider Name, Value is the Constraints. + private static Map providerConstraints = new HashMap(); + + private final int userSecurityNum; + private final boolean userSecurityTrace; + private final boolean userSecurityAudit; + private final boolean userSecurityHelp; + + private final String propsPrefix; + + // The java.security properties. + private final Properties securityProps; + + /** + * + * @param num the restricted security setting number + * @param props the java.security properties + * @param trace the user security trace + * @param audit the user security audit + * @param help the user security help + */ + private RestrictedSecurityProperties(int num, Properties props, boolean trace, boolean audit, boolean help) { + + userSecurityNum = num; + userSecurityTrace = trace; + userSecurityAudit = audit; + userSecurityHelp = help; + securityProps = props; + + propsPrefix = "RestrictedSecurity" + String.valueOf(userSecurityNum); + } + + /** + * Get instance of RestrictedSecurityProperties. + * + * @param num the restricted security setting number + * @param props the java.security properties + * @param trace the user security trace + * @param audit the user security audit + * @param help the user security help + * @return the created RestrictedSecurityProperties instance + */ + public static RestrictedSecurityProperties createInstance(int num, Properties props, boolean trace, + boolean audit, boolean help) { + if (instance != null) { + throw new RuntimeException( + "Restricted security mode is already initialized. Can't be initialized twice."); + } + instance = new RestrictedSecurityProperties(num, props, trace, audit, help); + return instance; + } + + /** + * Get instance of RestrictedSecurityProperties. + * + * @return the created RestrictedSecurityProperties instance + */ + public static RestrictedSecurityProperties getInstance() { + if (instance == null) { + throw new RuntimeException( + "Restricted security mode initialization error, call createInstance() first."); + } + return instance; + } + + /** + * Initialize the restricted security properties. + */ + public void init() { + if (debug != null) { + debug.println("Initializing restricted security mode."); + } + + if (securityProps == null) { + throw new RuntimeException( + "Restricted security mode initialization error, call getInstance with variables first."); + } + + try { + + // Print out the Help and Audit info. + if (userSecurityHelp) { + printHelp(); + if (userSecurityNum == 0) { + if (debug != null) { + debug.println("Print out the help info and exit."); + } + System.exit(0); + } + } + if (userSecurityAudit) { + listAudit(); + if (userSecurityNum == 0) { + if (debug != null) { + debug.println("Print out the audit info and exit."); + } + System.exit(0); + } + } + + // Load the restricted security providers from java.security properties. + initProviders(); + // Load the restricted security properties from java.security properties. + initProperties(); + // Load the restricted security provider constraints from java.security properties. + initConstraints(); + + // Print out the Trace info. + if (userSecurityTrace) { + listTrace(); + } + + if (debug != null) { + debug.println("Initialized restricted security mode."); + } + } catch (Exception e) { + if (debug != null) { + debug.println("Unable to initialize restricted security mode."); + } + e.printStackTrace(); + } + } + + /** + * Load restricted security provider. + */ + private void initProviders() { + + if (debug != null) { + debug.println("Loading restricted security providers."); + } + + for (int pNum = 1;; ++pNum) { + String providerInfo = securityProps + .getProperty(propsPrefix + ".jce.provider." + pNum); + + if (providerInfo == null || providerInfo.trim().isEmpty()) { + break; + } + + if (!areBracketsBalanced(providerInfo)) { + new RuntimeException("Restricted security provider format is inccorect: " + providerInfo) + .printStackTrace(); + System.exit(1); + } + + int pos = providerInfo.indexOf('['); + String providerName = (pos < 0) ? providerInfo.trim() : providerInfo.substring(0, pos).trim(); + // Provider with argument (provider name + optional argument). + providers.add(pNum - 1, providerName); + + pos = providerName.indexOf(' '); + providerName = (pos < 0) ? providerName.trim() : providerName.substring(0, pos).trim(); + // Provider without argument. + providersSN.add(pNum - 1, providerName); + + if (debug != null) { + debug.println("Loaded restricted security provider: " + providers.get(pNum - 1) + " with short name: " + + providersSN.get(pNum - 1)); + } + } + + if (providers.isEmpty()) { + new RuntimeException("Restricted security mode provider list empty, " + + "or no such restricted security policy in java.security file.").printStackTrace(); + System.exit(1); + } + } + + /** + * Load restricted security properties. + */ + private void initProperties() { + + if (debug != null) { + debug.println("Loading restricted security properties."); + } + + descName = securityProps.getProperty(propsPrefix + ".desc.name"); + descNumber = securityProps.getProperty(propsPrefix + ".desc.number"); + descPolicy = securityProps.getProperty(propsPrefix + ".desc.policy"); + descSunsetDate = securityProps.getProperty(propsPrefix + ".desc.sunsetDate"); + + jdkTlsDisabledNamedCurves = securityProps + .getProperty(propsPrefix + ".tls.disabledNamedCurves"); + jdkTlsDisabledAlgorithms = securityProps + .getProperty(propsPrefix + ".tls.disabledAlgorithms"); + jdkTlsDphemeralDHKeySize = securityProps + .getProperty(propsPrefix + ".tls.ephemeralDHKeySize"); + jdkTlsLegacyAlgorithms = securityProps + .getProperty(propsPrefix + ".tls.legacyAlgorithms"); + jdkCertpathDisabledAlgorithms = securityProps + .getProperty(propsPrefix + ".jce.certpath.disabledAlgorithms"); + jdkSecurityLegacyAlgorithm = securityProps + .getProperty(propsPrefix + ".jce.legacyAlgorithms"); + keyStoreType = securityProps.getProperty(propsPrefix + ".keystore.type"); + keyStore = securityProps.getProperty(propsPrefix + ".javax.net.ssl.keyStore"); + + jdkSecureRandomProvider = securityProps + .getProperty(propsPrefix + ".securerandom.provider"); + jdkSecureRandomAlgorithm = securityProps + .getProperty(propsPrefix + ".securerandom.algorithm"); + + if (debug != null) { + debug.println("Loaded restricted security properties."); + } + } + + /** + * Load security constraints with type, algorithm, attributes. + * + * Example: + * RestrictedSecurity1.jce.provider.1 = SUN [{CertPathBuilder, PKIX, *}, {Policy, + * JavaPolicy, *}, {CertPathValidator, *, *}]. + */ + private void initConstraints() { + + for (int pNum = 1; pNum <= providersSN.size(); pNum++) { + + String providerName = providersSN.get(pNum - 1); + String providerInfo = securityProps + .getProperty(propsPrefix + ".jce.provider." + pNum); + + if (debug != null) { + debug.println("Loading constraints for security provider: " + providerName); + } + + // Remove all the space. + providerInfo = providerInfo.trim().replaceAll(" ", ""); + + // Provider with constraints. + if (providerInfo.indexOf("[{") > 0) { + String[] inputArray = providerInfo.substring(providerInfo.indexOf("[{") + 2, providerInfo.length() - 2) + .split("\\},\\{"); + + // Column is type, algorithm and attributes. + String[][] constraints = new String[inputArray.length][3]; + + int cNum = 0; + for (String input : inputArray) { + String[] inConstraint = input.trim().split(","); + + int dNum = 0; + for (String inConsDetail : inConstraint) { + constraints[cNum][dNum] = !isNullOrBlank(inConsDetail) ? inConsDetail.trim() : "*"; + dNum ++; + } + // If each input constraint doesn't have exactly three parts, + // set the "*" to those missing parts + for (int i = dNum; i < 3; i ++) { + constraints[cNum][i] = "*"; + } + + if (debug != null) { + debug.println("Loading constraints for provider " + providerName + " with constraints type: " + + constraints[cNum][0] + " algorithm: " + constraints[cNum][1] + " attributes: " + + constraints[cNum][2]); + } + cNum++; + } + providerConstraints.put(providerName, constraints); + if (debug != null) { + debug.println("Loaded constraints for security provider: " + providerName); + } + } + } + } + + /** + * Check if the Service is allowed in restricted security mode. + * + * @param service the Service to check + * @return true if the Service is allowed + */ + public boolean isServiceAllowed(Service service) { + + String providerName = service.getProvider().getName(); + String type = service.getType(); + String algorithm = service.getAlgorithm(); + + // Provider with argument, remove argument. + // e.g. SunPKCS11-NSS-FIPS, remove argument -NSS-FIPS. + int pos = providerName.indexOf('-'); + providerName = (pos > 0) ? providerName.substring(0, pos) : providerName; + + String[][] constraints = providerConstraints.get(providerName); + + // Go into the security provider constraints check if there are. + if (constraints != null && constraints.length > 0) { + + for (int cNum = 0; cNum < constraints.length; cNum++) { + + boolean cTypePut = "*".equals(constraints[cNum][0]) || type.equals(constraints[cNum][0]); + boolean cAlgorithmPut = "*".equals(constraints[cNum][1]) || algorithm.equals(constraints[cNum][1]); + boolean cAttributePut = "*".equals(constraints[cNum][2]); + + if (cTypePut && cAlgorithmPut && cAttributePut) { + if (debug != null) { + debug.println("Security constraints check, service type " + type + " algorithm " + algorithm + + " is allowed in provider " + providerName); + } + return true; + } + + if (cTypePut && cAlgorithmPut) { + String[] cAttributes = constraints[cNum][2].split(":"); + + for (String cAttribute : cAttributes) { + String[] input = cAttribute.trim().split("="); + cAttributePut = true; + + try { + String cName = input[0]; + String cValue = input[1]; + String sValue = service.getAttribute(cName); + cAttributePut &= (sValue != null) && cValue.equalsIgnoreCase(sValue); + } catch (ArrayIndexOutOfBoundsException ex) { + cAttributePut = false; + new RuntimeException( + "Security constraints attribute for provider " + providerName + " is incorrect") + .printStackTrace(); + } + } + + if (cAttributePut) { + if (debug != null) { + debug.println( + "Security constraints check, service type " + type + " algorithm " + algorithm + + " attribute " + constraints[cNum][2] + " is allowed in provider " + + providerName); + } + return true; + } + } + } + if (debug != null) { + debug.println("Security constraints check, service type " + type + " algorithm " + algorithm + + " is NOT allowed in provider " + providerName); + } + return false; + } + return true; + } + + /** + * Check if the provider is allowed in restricted security mode. + * + * @param providerName the provider to check + * @return true if the provider is allowed + */ + public boolean isProviderAllowed(String providerName) { + + if (debug != null) { + debug.println("Checking the provider " + providerName + " in the restricted security mode."); + } + + // Remove the provider class package name if there is. + int pos = providerName.lastIndexOf('.'); + providerName = (pos > 0) ? providerName.substring(pos + 1, providerName.length()) : providerName; + + // Remove argument, e.g. -NSS-FIPS, if there is. + pos = providerName.indexOf('-'); + providerName = (pos > 0) ? providerName.substring(0, pos) : providerName; + + // Check if the provider is in the restricted security provider list. + // If not, the provider won't be registered. + if (providersSN.contains(providerName)) { + if (debug != null) { + debug.println("The provider " + providerName + " is allowed in the restricted security mode."); + } + return true; + } + + if (debug != null) { + debug.println("The provider " + providerName + " is not allowed in the restricted security mode."); + + System.out.println("Stack trace:"); + StackTraceElement[] elements = Thread.currentThread().getStackTrace(); + for (int i = 1; i < elements.length; i++) { + StackTraceElement stack = elements[i]; + System.out.println("\tat " + stack.getClassName() + "." + stack.getMethodName() + "(" + + stack.getFileName() + ":" + stack.getLineNumber() + ")"); + } + } + return false; + } + + /** + * Check if the provider is allowed in restricted security mode. + * + * @param providerClazz the provider class to check + * @return true if the provider is allowed + */ + public boolean isProviderAllowed(Class providerClazz) { + + String providerName = providerClazz.getName(); + + // Check if the specified class extends java.security.Provider + if (!java.security.Provider.class.isAssignableFrom(providerClazz)) { + if (debug != null) { + debug.println("The provider class " + providerName + " does not extend java.security.Provider."); + } + // For class doesn't extend java.security.Provider, no need to + // check allowed or not allowed, always return true to load it. + return true; + } + return isProviderAllowed(providerName); + } + + /** + * List Audit info if userSecurityAudit is ture, default as false. + */ + protected void listAudit() { + + System.out.println(); + System.out.println("Restricted Security Audit Info:"); + System.out.println("==============================="); + + for (int num = 1;; ++num) { + String desc = securityProps.getProperty("RestrictedSecurity" + num + ".desc.name"); + if (desc == null || desc.trim().isEmpty()) { + break; + } + System.out.println("RestrictedSecurity" + num + ".desc.name: " + + securityProps.getProperty("RestrictedSecurity" + num + ".desc.name")); + System.out.println("RestrictedSecurity" + num + ".desc.number: " + + securityProps.getProperty("RestrictedSecurity" + num + ".desc.number")); + System.out.println("RestrictedSecurity" + num + ".desc.policy: " + + securityProps.getProperty("RestrictedSecurity" + num + ".desc.policy")); + System.out.println("RestrictedSecurity" + num + ".desc.sunsetDate: " + + securityProps.getProperty("RestrictedSecurity" + num + ".desc.sunsetDate")); + System.out.println(); + } + } + + /** + * List Trace info if userSecurityTrace is true, default as false. + */ + protected void listTrace() { + + System.out.println(); + System.out.println("Restricted Security Trace Info:"); + System.out.println("==============================="); + System.out.println(propsPrefix + ".desc.name: " + descName); + System.out.println(propsPrefix + ".desc.number: " + descNumber); + System.out.println(propsPrefix + ".desc.policy: " + descPolicy); + System.out.println(propsPrefix + ".desc.sunsetDate: " + descSunsetDate); + System.out.println(); + + // List only restrictions. + System.out.println(propsPrefix + ".tls.disabledNamedCurves: " + + jdkTlsDisabledNamedCurves); + System.out.println(propsPrefix + ".tls.disabledAlgorithms: " + + jdkTlsDisabledAlgorithms); + System.out.println(propsPrefix + ".tls.ephemeralDHKeySize: " + + jdkTlsDphemeralDHKeySize); + System.out.println(propsPrefix + ".tls.legacyAlgorithms: " + + jdkTlsLegacyAlgorithms); + System.out.println(propsPrefix + ".jce.certpath.disabledAlgorithms: " + + jdkCertpathDisabledAlgorithms); + System.out.println(propsPrefix + ".jce.legacyAlgorithms: " + + jdkSecurityLegacyAlgorithm); + System.out.println(); + + System.out.println(propsPrefix + ".keystore.type: " + + keyStoreType); + System.out.println(propsPrefix + ".javax.net.ssl.keyStore: " + + keyStore); + System.out.println(propsPrefix + ".securerandom.provider: " + + jdkSecureRandomProvider); + System.out.println(propsPrefix + ".securerandom.algorithm: " + + jdkSecureRandomAlgorithm); + + // List providers. + System.out.println(); + for (int pNum = 1; pNum <= providers.size(); pNum++) { + System.out.println(propsPrefix + ".jce.provider." + pNum + ": " + + providers.get(pNum - 1)); + } + + System.out.println(); + } + + /** + * Print help info if userSecurityHelp is ture, default as false. + */ + protected void printHelp() { + + System.out.println(); + System.out.println("Restricted Security Mode Usage:"); + System.out.println("==============================="); + + System.out.println( + "-Dsemeru.restrictedsecurity= This flag will select the settings for the user " + + "specified restricted security policy."); + System.out.println( + "-Dsemeru.restrictedsecurity=audit This flag will list the name and number of all " + + "configured restricted security policies. it will NOT cause the jvm to terminate " + + "after printing the restricted security policies."); + System.out.println( + "-Dsemeru.restrictedsecurity=trace This flag will list all properties relevant to " + + "the restricted security mode, including the existing default properties and the " + + "restricted security restrictions."); + System.out.println("-Dsemeru.restrictedsecurity=help This flag will print help message."); + + System.out.println(); + System.out.println("e.g."); + System.out.println(" -Dsemeru.restrictedsecurity=1,trace,audit,help"); + System.out.println(" -Dsemeru.restrictedsecurity=help"); + + System.out.println(); + } + + /** + * Check if the input string is null and empty. + * + * @param string the input string + * @return true if the input string is null and emtpy + */ + private static boolean isNullOrBlank(String string) { + return (string == null) || string.isBlank(); + } + + /** + * Function to check if brackets are balanced. + * + * @param string Input string for checking + * @return true if the brackets are balanced + */ + private boolean areBracketsBalanced(String string) { + + Deque stack = new ArrayDeque(); + + for (int i = 0; i < string.length(); i++) { + char x = string.charAt(i); + + if (x == '(' || x == '[' || x == '{') { + stack.push(x); + continue; + } + + char check; + try { + switch (x) { + case ')': + check = stack.pop(); + if (check == '{' || check == '[') { + return false; + } + break; + case '}': + check = stack.pop(); + if (check == '(' || check == '[') { + return false; + } + break; + case ']': + check = stack.pop(); + if (check == '(' || check == '{') { + return false; + } + break; + } + } catch (NoSuchElementException ex) { + return false; + } + } + // Check Empty Stack. + return stack.isEmpty(); + } + + public String getDescName() { + return descName; + } + + public String getDescNumber() { + return descNumber; + } + + public String getDescPolicy() { + return descPolicy; + } + + public String getDescSunsetDate() { + return descSunsetDate; + } + + public String getJdkTlsDisabledNamedCurves() { + return jdkTlsDisabledNamedCurves; + } + + public String getJdkTlsDisabledAlgorithms() { + return jdkTlsDisabledAlgorithms; + } + + public String getJdkTlsDphemeralDHKeySize() { + return jdkTlsDphemeralDHKeySize; + } + + public String getJdkTlsLegacyAlgorithms() { + return jdkTlsLegacyAlgorithms; + } + + public String getJdkCertpathDisabledAlgorithms() { + return jdkCertpathDisabledAlgorithms; + } + + public String getJdkSecurityLegacyAlgorithm() { + return jdkSecurityLegacyAlgorithm; + } + + public String getKeyStoreType() { + return keyStoreType; + } + + public String getKeyStore() { + return keyStore; + } + + public ArrayList getProviders() { + return providers; + } + + public String getJdkSecureRandomProvider() { + return jdkSecureRandomProvider; + } + + public String getJdkSecureRandomAlgorithm() { + return jdkSecureRandomAlgorithm; + } +} diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java index 1f0bbfd766a..88f2a5e1bbc 100644 --- a/src/java.base/share/classes/java/security/Provider.java +++ b/src/java.base/share/classes/java/security/Provider.java @@ -23,6 +23,12 @@ * questions. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved + * =========================================================================== + */ + package java.security; import java.io.*; @@ -35,6 +41,9 @@ import java.util.function.Function; import java.util.concurrent.ConcurrentHashMap; +import openj9.internal.security.RestrictedSecurityConfigurator; +import openj9.internal.security.RestrictedSecurityProperties; + /** * This class represents a "provider" for the * Java Security API, where a provider implements some or all parts of @@ -1372,6 +1381,13 @@ protected void putService(Service s) { throw new IllegalArgumentException ("service.getProvider() must match this Provider object"); } + if (RestrictedSecurityConfigurator.isEnabled()) { + // If restricted security does not allow this service, then return + // without registering. + if (!RestrictedSecurityProperties.getInstance().isServiceAllowed(s)) { + return; + } + } String type = s.getType(); String algorithm = s.getAlgorithm(); ServiceKey key = new ServiceKey(type, algorithm, true); diff --git a/src/java.base/share/classes/java/security/SecureRandom.java b/src/java.base/share/classes/java/security/SecureRandom.java index 9e23ab1e009..3681e221a79 100644 --- a/src/java.base/share/classes/java/security/SecureRandom.java +++ b/src/java.base/share/classes/java/security/SecureRandom.java @@ -41,7 +41,8 @@ import sun.security.provider.SunEntries; import sun.security.util.Debug; -import openj9.internal.security.FIPSConfigurator; +import openj9.internal.security.RestrictedSecurityConfigurator; +import openj9.internal.security.RestrictedSecurityProperties; /** * This class provides a cryptographically strong random number @@ -270,27 +271,29 @@ private void getDefaultPRNG(boolean setSeed, byte[] seed) { Service prngService = null; String prngAlgorithm = null; - // If in FIPS mode, use the SecureRandom from the FIPS provider - if (FIPSConfigurator.enableFips()) { - Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); - prngAlgorithm = "PKCS11"; - prngService = p.getService("SecureRandom", prngAlgorithm); - } else { - for (Provider p : Providers.getProviderList().providers()) { - // SUN provider uses the SunEntries.DEF_SECURE_RANDOM_ALGO - // as the default SecureRandom algorithm; for other providers, - // Provider.getDefaultSecureRandom() will use the 1st - // registered SecureRandom algorithm - if (p.getName().equals("SUN")) { - prngAlgorithm = SunEntries.DEF_SECURE_RANDOM_ALGO; + for (Provider p : Providers.getProviderList().providers()) { + // In restricted security mode, use the SecureRandom from restricted security provider. + if (RestrictedSecurityConfigurator.isEnabled()) { + String srProvider = RestrictedSecurityProperties.getInstance().getJdkSecureRandomProvider(); + if (p.getName().equals(srProvider)) { + prngAlgorithm = RestrictedSecurityProperties.getInstance().getJdkSecureRandomAlgorithm(); prngService = p.getService("SecureRandom", prngAlgorithm); break; - } else { - prngService = p.getDefaultSecureRandomService(); - if (prngService != null) { - prngAlgorithm = prngService.getAlgorithm(); - break; - } + } + } + // SUN provider uses the SunEntries.DEF_SECURE_RANDOM_ALGO + // as the default SecureRandom algorithm; for other providers, + // Provider.getDefaultSecureRandom() will use the 1st + // registered SecureRandom algorithm + else if (p.getName().equals("SUN")) { + prngAlgorithm = SunEntries.DEF_SECURE_RANDOM_ALGO; + prngService = p.getService("SecureRandom", prngAlgorithm); + break; + } else { + prngService = p.getDefaultSecureRandomService(); + if (prngService != null) { + prngAlgorithm = prngService.getAlgorithm(); + break; } } } diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java index 3135b209549..125466a9c11 100644 --- a/src/java.base/share/classes/java/security/Security.java +++ b/src/java.base/share/classes/java/security/Security.java @@ -50,7 +50,7 @@ import openj9.internal.criu.security.CRIUConfigurator; /*[ENDIF] CRIU_SUPPORT*/ -import openj9.internal.security.FIPSConfigurator; +import openj9.internal.security.RestrictedSecurityConfigurator; /** *

This class centralizes all security properties and common security @@ -212,14 +212,14 @@ private static void initialize() { } /*[ENDIF] CRIU_SUPPORT*/ - // Load FIPS properties + // Load restricted security mode properties. if (loadedProps) { - boolean fipsEnabled = FIPSConfigurator.configureFIPS(props); + boolean enabled = RestrictedSecurityConfigurator.configure(props); if (sdebug != null) { - if (fipsEnabled) { - sdebug.println("FIPS mode enabled."); + if (enabled) { + sdebug.println("Restricted security mode enabled."); } else { - sdebug.println("FIPS mode disabled."); + sdebug.println("Restricted security mode disabled."); } } } diff --git a/src/java.base/share/classes/java/util/ServiceLoader.java b/src/java.base/share/classes/java/util/ServiceLoader.java index d248d1ea4a7..9f615619fe2 100644 --- a/src/java.base/share/classes/java/util/ServiceLoader.java +++ b/src/java.base/share/classes/java/util/ServiceLoader.java @@ -23,6 +23,12 @@ * questions. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved + * =========================================================================== + */ + package java.util; import java.io.BufferedReader; @@ -57,6 +63,9 @@ import jdk.internal.reflect.CallerSensitive; import jdk.internal.reflect.Reflection; +import openj9.internal.security.RestrictedSecurityConfigurator; +import openj9.internal.security.RestrictedSecurityProperties; + /** * A facility to load implementations of a service. * @@ -884,6 +893,14 @@ private Provider loadProvider(ServiceProvider provider) { @SuppressWarnings("unchecked") Class type = (Class) returnType; + // If the restricted security mode is enabled. + if (RestrictedSecurityConfigurator.isEnabled()) { + // If the provider is NOT allowed in restricted security mode. + if (!RestrictedSecurityProperties.getInstance().isProviderAllowed(clazz)) { + // Then skip it. + return null; + } + } return new ProviderImpl(service, type, factoryMethod, acc); } } @@ -897,6 +914,14 @@ private Provider loadProvider(ServiceProvider provider) { Class type = (Class) clazz; @SuppressWarnings("unchecked") Constructor ctor = (Constructor ) getConstructor(clazz); + // If the restricted security mode is enabled. + if (RestrictedSecurityConfigurator.isEnabled()) { + // If the provider is NOT allowed in restricted security mode. + if (!RestrictedSecurityProperties.getInstance().isProviderAllowed(clazz)) { + // Then skip it. + return null; + } + } return new ProviderImpl(service, type, ctor, acc); } @@ -1231,6 +1256,14 @@ private boolean hasNextService() { Class type = (Class) clazz; Constructor ctor = (Constructor)getConstructor(clazz); + // If the restricted security mode is enabled. + if (RestrictedSecurityConfigurator.isEnabled()) { + // If the provider is NOT allowed in restricted security mode. + if (!RestrictedSecurityProperties.getInstance().isProviderAllowed(clazz)) { + // Then skip it. + continue; + } + } ProviderImpl p = new ProviderImpl(service, type, ctor, acc); nextProvider = (ProviderImpl) p; } else { diff --git a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java index a07d6fea8b8..646ac1f74ae 100644 --- a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java +++ b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java @@ -23,6 +23,12 @@ * questions. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved + * =========================================================================== + */ + package sun.security.jca; import java.io.File; @@ -33,6 +39,9 @@ import sun.security.util.PropertyExpander; +import openj9.internal.security.RestrictedSecurityConfigurator; +import openj9.internal.security.RestrictedSecurityProperties; + /** * Class representing a configured provider which encapsulates configuration * (provider name + optional argument), the provider loading logic, and @@ -162,6 +171,12 @@ public String toString() { // com.sun.net.ssl.internal.ssl.Provider has been deprecated since JDK 9 @SuppressWarnings("deprecation") synchronized Provider getProvider() { + // If provider is not allowed in restricted security mode, return without load. + if (RestrictedSecurityConfigurator.isEnabled()) { + if (!RestrictedSecurityProperties.getInstance().isProviderAllowed(provName)) { + return null; + } + } // volatile variable load Provider p = provider; if (p != null) { diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java index dd2921f94fc..eefb08a74f4 100644 --- a/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java @@ -40,8 +40,6 @@ import jdk.internal.util.StaticProperty; import sun.security.action.GetPropertyAction; -import openj9.internal.security.FIPSConfigurator; - /** * Defines the entries of the SUN provider. * @@ -114,266 +112,218 @@ public static List createAliasesWithOid(String ... oids) { // common attribute map HashMap attrs = new HashMap<>(3); - if (FIPSConfigurator.enableFips()) { - // FIPS supported - attrs.put("ImplementedIn", "Software"); - - /* - * Certificates - */ - add(p, "CertificateFactory", "X.509", - "sun.security.provider.X509Factory", - createAliases("X509"), attrs); - - /* - * CertStores - */ - add(p, "CertStore", "Collection", - "sun.security.provider.certpath.CollectionCertStore", - null, attrs); - add(p, "CertStore", "com.sun.security.IndexedCollection", - "sun.security.provider.certpath.IndexedCollectionCertStore", - null, attrs); - - /* - * Policy - */ - add(p, "Policy", "JavaPolicy", "sun.security.provider.PolicySpiFile", - null, null); - - /* - * Configuration - */ - add(p, "Configuration", "JavaLoginConfig", - "sun.security.provider.ConfigFile$Spi", null, null); - - /* - * CertPathBuilder and CertPathValidator - */ - attrs.clear(); - attrs.put("ValidationAlgorithm", "RFC5280"); - attrs.put("ImplementedIn", "Software"); - - add(p, "CertPathBuilder", "PKIX", - "sun.security.provider.certpath.SunCertPathBuilder", - null, attrs); - add(p, "CertPathValidator", "PKIX", - "sun.security.provider.certpath.PKIXCertPathValidator", + /* + * SecureRandom engines + */ + attrs.put("ThreadSafe", "true"); + if (NativePRNG.isAvailable()) { + add(p, "SecureRandom", "NativePRNG", + "sun.security.provider.NativePRNG", null, attrs); - } else { - /* - * SecureRandom engines - */ - attrs.put("ThreadSafe", "true"); - if (NativePRNG.isAvailable()) { - add(p, "SecureRandom", "NativePRNG", - "sun.security.provider.NativePRNG", - null, attrs); - } - if (NativePRNG.Blocking.isAvailable()) { - add(p, "SecureRandom", "NativePRNGBlocking", - "sun.security.provider.NativePRNG$Blocking", null, attrs); - } - if (NativePRNG.NonBlocking.isAvailable()) { - add(p, "SecureRandom", "NativePRNGNonBlocking", - "sun.security.provider.NativePRNG$NonBlocking", null, attrs); - } - attrs.put("ImplementedIn", "Software"); - add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", + } + if (NativePRNG.Blocking.isAvailable()) { + add(p, "SecureRandom", "NativePRNGBlocking", + "sun.security.provider.NativePRNG$Blocking", null, attrs); + } + if (NativePRNG.NonBlocking.isAvailable()) { + add(p, "SecureRandom", "NativePRNGNonBlocking", + "sun.security.provider.NativePRNG$NonBlocking", null, attrs); + } + attrs.put("ImplementedIn", "Software"); + add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", null, attrs); - add(p, "SecureRandom", "SHA1PRNG", - "sun.security.provider.SecureRandom", null, attrs); - - /* - * Signature engines - */ - attrs.clear(); - String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + - "|java.security.interfaces.DSAPrivateKey"; - attrs.put("SupportedKeyClasses", dsaKeyClasses); - attrs.put("ImplementedIn", "Software"); - - attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures - - add(p, "Signature", "SHA1withDSA", - "sun.security.provider.DSA$SHA1withDSA", - createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS", + add(p, "SecureRandom", "SHA1PRNG", + "sun.security.provider.SecureRandom", null, attrs); + + /* + * Signature engines + */ + attrs.clear(); + String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + + "|java.security.interfaces.DSAPrivateKey"; + attrs.put("SupportedKeyClasses", dsaKeyClasses); + attrs.put("ImplementedIn", "Software"); + + attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures + + add(p, "Signature", "SHA1withDSA", + "sun.security.provider.DSA$SHA1withDSA", + createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS", "SHA/DSA", "SHA-1/DSA", "SHA1/DSA", "SHAwithDSA", "DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), attrs); - add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA", - createAliases("RawDSA"), attrs); - - attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures - - add(p, "Signature", "SHA224withDSA", - "sun.security.provider.DSA$SHA224withDSA", - createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs); - add(p, "Signature", "SHA256withDSA", - "sun.security.provider.DSA$SHA256withDSA", - createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs); - - attrs.remove("KeySize"); - - add(p, "Signature", "SHA1withDSAinP1363Format", - "sun.security.provider.DSA$SHA1withDSAinP1363Format", - null, null); - add(p, "Signature", "NONEwithDSAinP1363Format", - "sun.security.provider.DSA$RawDSAinP1363Format", - null, null); - add(p, "Signature", "SHA224withDSAinP1363Format", - "sun.security.provider.DSA$SHA224withDSAinP1363Format", - null, null); - add(p, "Signature", "SHA256withDSAinP1363Format", - "sun.security.provider.DSA$SHA256withDSAinP1363Format", - null, null); - - /* - * Key Pair Generator engines - */ - attrs.clear(); - attrs.put("ImplementedIn", "Software"); - attrs.put("KeySize", "2048"); // for DSA KPG and APG only - - String dsaOid = "1.2.840.10040.4.1"; - List dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12"); - String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; - dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); - add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs); - - /* - * Algorithm Parameter Generator engines - */ - add(p, "AlgorithmParameterGenerator", "DSA", - "sun.security.provider.DSAParameterGenerator", dsaAliases, - attrs); - attrs.remove("KeySize"); - - /* - * Algorithm Parameter engines - */ - add(p, "AlgorithmParameters", "DSA", - "sun.security.provider.DSAParameters", dsaAliases, attrs); - - /* - * Key factories - */ - add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory", - dsaAliases, attrs); - - /* - * Digest engines - */ - String providerSHA; - String providerSHA224; - String providerSHA256; - String providerSHA384; - String providerSHA512; - /* - * Set the digest provider based on whether native crypto is - * enabled or not. - */ - if (useNativeDigest) { - providerSHA = "sun.security.provider.NativeSHA"; - providerSHA224 = "sun.security.provider.NativeSHA2$SHA224"; - providerSHA256 = "sun.security.provider.NativeSHA2$SHA256"; - providerSHA384 = "sun.security.provider.NativeSHA5$SHA384"; - providerSHA512 = "sun.security.provider.NativeSHA5$SHA512"; - } else { - providerSHA = "sun.security.provider.SHA"; - providerSHA224 = "sun.security.provider.SHA2$SHA224"; - providerSHA256 = "sun.security.provider.SHA2$SHA256"; - providerSHA384 = "sun.security.provider.SHA5$SHA384"; - providerSHA512 = "sun.security.provider.SHA5$SHA512"; - } - - add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs); - add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs); - add(p, "MessageDigest", "SHA", providerSHA, - createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs); - - String sha2BaseOid = "2.16.840.1.101.3.4.2"; - add(p, "MessageDigest", "SHA-224", providerSHA224, - createAliasesWithOid(sha2BaseOid + ".4"), attrs); - add(p, "MessageDigest", "SHA-256", providerSHA256, - createAliasesWithOid(sha2BaseOid + ".1"), attrs); - add(p, "MessageDigest", "SHA-384", providerSHA384, - createAliasesWithOid(sha2BaseOid + ".2"), attrs); - add(p, "MessageDigest", "SHA-512", providerSHA512, - createAliasesWithOid(sha2BaseOid + ".3"), attrs); - add(p, "MessageDigest", "SHA-512/224", - "sun.security.provider.SHA5$SHA512_224", - createAliasesWithOid(sha2BaseOid + ".5"), attrs); - add(p, "MessageDigest", "SHA-512/256", - "sun.security.provider.SHA5$SHA512_256", - createAliasesWithOid(sha2BaseOid + ".6"), attrs); - add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224", - createAliasesWithOid(sha2BaseOid + ".7"), attrs); - add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256", - createAliasesWithOid(sha2BaseOid + ".8"), attrs); - add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384", - createAliasesWithOid(sha2BaseOid + ".9"), attrs); - add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512", - createAliasesWithOid(sha2BaseOid + ".10"), attrs); - - /* - * Certificates - */ - add(p, "CertificateFactory", "X.509", - "sun.security.provider.X509Factory", - createAliases("X509"), attrs); - - /* - * KeyStore - */ - add(p, "KeyStore", "PKCS12", - "sun.security.pkcs12.PKCS12KeyStore$DualFormatPKCS12", - null, null); - add(p, "KeyStore", "JKS", - "sun.security.provider.JavaKeyStore$DualFormatJKS", - null, attrs); - add(p, "KeyStore", "CaseExactJKS", - "sun.security.provider.JavaKeyStore$CaseExactJKS", - null, attrs); - add(p, "KeyStore", "DKS", "sun.security.provider.DomainKeyStore$DKS", - null, attrs); - - - /* - * CertStores - */ - add(p, "CertStore", "Collection", - "sun.security.provider.certpath.CollectionCertStore", - null, attrs); - add(p, "CertStore", "com.sun.security.IndexedCollection", - "sun.security.provider.certpath.IndexedCollectionCertStore", - null, attrs); + add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA", + createAliases("RawDSA"), attrs); + + attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures + + add(p, "Signature", "SHA224withDSA", + "sun.security.provider.DSA$SHA224withDSA", + createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs); + add(p, "Signature", "SHA256withDSA", + "sun.security.provider.DSA$SHA256withDSA", + createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs); + + attrs.remove("KeySize"); + + add(p, "Signature", "SHA1withDSAinP1363Format", + "sun.security.provider.DSA$SHA1withDSAinP1363Format", + null, null); + add(p, "Signature", "NONEwithDSAinP1363Format", + "sun.security.provider.DSA$RawDSAinP1363Format", + null, null); + add(p, "Signature", "SHA224withDSAinP1363Format", + "sun.security.provider.DSA$SHA224withDSAinP1363Format", + null, null); + add(p, "Signature", "SHA256withDSAinP1363Format", + "sun.security.provider.DSA$SHA256withDSAinP1363Format", + null, null); + + /* + * Key Pair Generator engines + */ + attrs.clear(); + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only + + String dsaOid = "1.2.840.10040.4.1"; + List dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12"); + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; + dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); + add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs); + + /* + * Algorithm Parameter Generator engines + */ + add(p, "AlgorithmParameterGenerator", "DSA", + "sun.security.provider.DSAParameterGenerator", dsaAliases, + attrs); + attrs.remove("KeySize"); + + /* + * Algorithm Parameter engines + */ + add(p, "AlgorithmParameters", "DSA", + "sun.security.provider.DSAParameters", dsaAliases, attrs); + + /* + * Key factories + */ + add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory", + dsaAliases, attrs); + + /* + * Digest engines + */ + String providerSHA; + String providerSHA224; + String providerSHA256; + String providerSHA384; + String providerSHA512; + /* + * Set the digest provider based on whether native crypto is + * enabled or not. + */ + if (useNativeDigest) { + providerSHA = "sun.security.provider.NativeSHA"; + providerSHA224 = "sun.security.provider.NativeSHA2$SHA224"; + providerSHA256 = "sun.security.provider.NativeSHA2$SHA256"; + providerSHA384 = "sun.security.provider.NativeSHA5$SHA384"; + providerSHA512 = "sun.security.provider.NativeSHA5$SHA512"; + } else { + providerSHA = "sun.security.provider.SHA"; + providerSHA224 = "sun.security.provider.SHA2$SHA224"; + providerSHA256 = "sun.security.provider.SHA2$SHA256"; + providerSHA384 = "sun.security.provider.SHA5$SHA384"; + providerSHA512 = "sun.security.provider.SHA5$SHA512"; + } - /* - * Policy - */ - add(p, "Policy", "JavaPolicy", "sun.security.provider.PolicySpiFile", - null, null); + add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs); + add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs); + add(p, "MessageDigest", "SHA", providerSHA, + createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs); + + String sha2BaseOid = "2.16.840.1.101.3.4.2"; + add(p, "MessageDigest", "SHA-224", providerSHA224, + createAliasesWithOid(sha2BaseOid + ".4"), attrs); + add(p, "MessageDigest", "SHA-256", providerSHA256, + createAliasesWithOid(sha2BaseOid + ".1"), attrs); + add(p, "MessageDigest", "SHA-384", providerSHA384, + createAliasesWithOid(sha2BaseOid + ".2"), attrs); + add(p, "MessageDigest", "SHA-512", providerSHA512, + createAliasesWithOid(sha2BaseOid + ".3"), attrs); + add(p, "MessageDigest", "SHA-512/224", + "sun.security.provider.SHA5$SHA512_224", + createAliasesWithOid(sha2BaseOid + ".5"), attrs); + add(p, "MessageDigest", "SHA-512/256", + "sun.security.provider.SHA5$SHA512_256", + createAliasesWithOid(sha2BaseOid + ".6"), attrs); + add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224", + createAliasesWithOid(sha2BaseOid + ".7"), attrs); + add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256", + createAliasesWithOid(sha2BaseOid + ".8"), attrs); + add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384", + createAliasesWithOid(sha2BaseOid + ".9"), attrs); + add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512", + createAliasesWithOid(sha2BaseOid + ".10"), attrs); + + /* + * Certificates + */ + add(p, "CertificateFactory", "X.509", + "sun.security.provider.X509Factory", + createAliases("X509"), attrs); + + /* + * KeyStore + */ + add(p, "KeyStore", "PKCS12", + "sun.security.pkcs12.PKCS12KeyStore$DualFormatPKCS12", + null, null); + add(p, "KeyStore", "JKS", + "sun.security.provider.JavaKeyStore$DualFormatJKS", + null, attrs); + add(p, "KeyStore", "CaseExactJKS", + "sun.security.provider.JavaKeyStore$CaseExactJKS", + null, attrs); + add(p, "KeyStore", "DKS", "sun.security.provider.DomainKeyStore$DKS", + null, attrs); - /* - * Configuration - */ - add(p, "Configuration", "JavaLoginConfig", - "sun.security.provider.ConfigFile$Spi", null, null); - /* - * CertPathBuilder and CertPathValidator - */ - attrs.clear(); - attrs.put("ValidationAlgorithm", "RFC5280"); - attrs.put("ImplementedIn", "Software"); + /* + * CertStores + */ + add(p, "CertStore", "Collection", + "sun.security.provider.certpath.CollectionCertStore", + null, attrs); + add(p, "CertStore", "com.sun.security.IndexedCollection", + "sun.security.provider.certpath.IndexedCollectionCertStore", + null, attrs); - add(p, "CertPathBuilder", "PKIX", - "sun.security.provider.certpath.SunCertPathBuilder", - null, attrs); - add(p, "CertPathValidator", "PKIX", - "sun.security.provider.certpath.PKIXCertPathValidator", - null, attrs); - } + /* + * Policy + */ + add(p, "Policy", "JavaPolicy", "sun.security.provider.PolicySpiFile", + null, null); + + /* + * Configuration + */ + add(p, "Configuration", "JavaLoginConfig", + "sun.security.provider.ConfigFile$Spi", null, null); + + /* + * CertPathBuilder and CertPathValidator + */ + attrs.clear(); + attrs.put("ValidationAlgorithm", "RFC5280"); + attrs.put("ImplementedIn", "Software"); + + add(p, "CertPathBuilder", "PKIX", + "sun.security.provider.certpath.SunCertPathBuilder", + null, attrs); + add(p, "CertPathValidator", "PKIX", + "sun.security.provider.certpath.PKIXCertPathValidator", + null, attrs); } Iterator iterator() { diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index 9af64321c40..7d7429c8e66 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -85,6 +85,58 @@ security.provider.tbd=Apple security.provider.tbd=SunPKCS11 #endif +#ifdef linux-x86 +# +# Java Security Restrictive Mode +# +RestrictedSecurity1.desc.name = Red Hat Enterprise Linux 8 NSS Cryptographic Module FIPS 140-2 +RestrictedSecurity1.desc.number = Certificate #3946 +RestrictedSecurity1.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3946 +RestrictedSecurity1.desc.sunsetDate = 2026-06-06 + +RestrictedSecurity1.tls.disabledNamedCurves = +RestrictedSecurity1.tls.disabledAlgorithms = X25519, X448, SSLv3, TLSv1, TLSv1.1, \ + TLS_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \ + TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \ + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \ + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \ + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \ + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \ + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, \ + TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, \ + TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, \ + TLS_RSA_WITH_AES_128_CBC_SHA, TLS_AES_256_GCM_SHA384, \ + TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \ + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, \ + TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, \ + TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, \ + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, \ + TLS_EMPTY_RENEGOTIATION_INFO_SCSV; +RestrictedSecurity1.tls.ephemeralDHKeySize = +RestrictedSecurity1.tls.legacyAlgorithms = + +RestrictedSecurity1.jce.certpath.disabledAlgorithms = +RestrictedSecurity1.jce.legacyAlgorithms = +RestrictedSecurity1.jce.provider.1 = SunPKCS11 ${java.home}/conf/security/nss.fips.cfg +RestrictedSecurity1.jce.provider.2 = SUN [{CertificateFactory, X.509, ImplementedIn=Software}, \ + {CertStore, Collection, ImplementedIn=Software}, \ + {CertStore, com.sun.security.IndexedCollection, ImplementedIn=Software}, \ + {Policy, JavaPolicy, *}, {Configuration, JavaLoginConfig, *}, \ + {CertPathBuilder, PKIX, ValidationAlgorithm=RFC5280:ImplementedIn=Software}, \ + {CertPathValidator, PKIX, ValidationAlgorithm=RFC5280:ImplementedIn=Software}] +RestrictedSecurity1.jce.provider.3 = SunEC [{KeyFactory, EC, ImplementedIn=Software: \ + SupportedKeyClasses=java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey: \ + KeySize=256}, {AlgorithmParameters, EC, *}] +RestrictedSecurity1.jce.provider.4 = SunJSSE + +RestrictedSecurity1.keystore.type = PKCS11 +RestrictedSecurity1.javax.net.ssl.keyStore = NONE + +RestrictedSecurity1.securerandom.provider = SunPKCS11-NSS-FIPS +RestrictedSecurity1.securerandom.algorithm = PKCS11 +#endif + # # A list of preferred providers for specific algorithms. These providers will # be searched for matching algorithms before the list of registered providers. diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java index 436f6258f34..d1aff4e50a3 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -57,7 +57,7 @@ import com.sun.crypto.provider.ChaCha20Poly1305Parameters; import jdk.internal.misc.InnocuousThread; -import openj9.internal.security.FIPSConfigurator; +import openj9.internal.security.RestrictedSecurityConfigurator; import sun.security.util.Debug; import sun.security.util.ResourcesMgr; import static sun.security.util.SecurityConstants.PROVIDER_VER; @@ -104,7 +104,7 @@ public final class SunPKCS11 extends AuthProvider { // This is the SunPKCS11 provider instance // there can only be a single PKCS11 provider in - // FIPS mode. + // restricted security mode. static SunPKCS11 mysunpkcs11; Token getToken() { @@ -397,11 +397,11 @@ private static T checkNull(T obj) { nssModule.setProvider(this); } - // When FIPS mode is enabled, configure p11 object to FIPS mode - // and pass the parent object so it can callback. - if (FIPSConfigurator.enableFips()) { + // When restricted security mode is enabled, configure p11 object to + // restricted security mode and pass the parent object so it can callback. + if (RestrictedSecurityConfigurator.isEnabled()) { if (debug != null) { - System.out.println("FIPS mode in SunPKCS11"); + debug.println("Restricted security mode in SunPKCS11"); } @SuppressWarnings("unchecked") diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java index 887ef943ed2..32de34582a3 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java @@ -155,7 +155,7 @@ static boolean isKey(CK_ATTRIBUTE[] attrs) { // This is the SunPKCS11 provider instance // there can only be a single PKCS11 provider in - // FIPS mode. + // restricted security mode. private static SunPKCS11 mysunpkcs11; private static final class InnerPKCS11 extends PKCS11 implements Consumer { @@ -163,15 +163,15 @@ private static final class InnerPKCS11 extends PKCS11 implements Consumer ATTRS = new HashMap<>(3); - if (FIPSConfigurator.enableFips()) { - ATTRS.put("ImplementedIn", "Software"); - String ecKeyClasses = "java.security.interfaces.ECPublicKey" + - "|java.security.interfaces.ECPrivateKey"; - ATTRS.put("SupportedKeyClasses", ecKeyClasses); - ATTRS.put("KeySize", "256"); - - /* - * Key Factory engine - */ - putService(new ProviderService(this, "KeyFactory", - "EC", "sun.security.ec.ECKeyFactory", - new String[] { "EllipticCurve" }, ATTRS)); - - /* - * Algorithm Parameter engine - */ - // "AlgorithmParameters.EC SupportedCurves" prop used by unit test - boolean firstCurve = true; - StringBuilder names = new StringBuilder(); - Pattern nameSplitPattern = Pattern.compile(CurveDB.SPLIT_PATTERN); - - Collection supportedCurves = - CurveDB.getSupportedCurves(); - for (NamedCurve namedCurve : supportedCurves) { - if (!firstCurve) { - names.append("|"); - } else { - firstCurve = false; - } - - names.append("["); - - String[] commonNames = nameSplitPattern.split(namedCurve.getName()); - for (String commonName : commonNames) { - names.append(commonName.trim()); - names.append(","); - } - - names.append(namedCurve.getObjectId()); - names.append("]"); + ATTRS.put("ImplementedIn", "Software"); + String ecKeyClasses = "java.security.interfaces.ECPublicKey" + + "|java.security.interfaces.ECPrivateKey"; + ATTRS.put("SupportedKeyClasses", ecKeyClasses); + ATTRS.put("KeySize", "256"); + + /* + * Key Factory engine + */ + putService(new ProviderService(this, "KeyFactory", + "EC", "sun.security.ec.ECKeyFactory", + new String[] { "EllipticCurve" }, ATTRS)); + + /* + * Algorithm Parameter engine + */ + // "AlgorithmParameters.EC SupportedCurves" prop used by unit test + boolean firstCurve = true; + StringBuilder names = new StringBuilder(); + Pattern nameSplitPattern = Pattern.compile(CurveDB.SPLIT_PATTERN); + + Collection supportedCurves = + CurveDB.getSupportedCurves(); + for (NamedCurve namedCurve : supportedCurves) { + if (!firstCurve) { + names.append("|"); + } else { + firstCurve = false; } - HashMap apAttrs = new HashMap<>(ATTRS); - apAttrs.put("SupportedCurves", names.toString()); - - putService(new ProviderService(this, "AlgorithmParameters", - "EC", "sun.security.util.ECParameters", - new String[] { "EllipticCurve", "1.2.840.10045.2.1", "OID.1.2.840.10045.2.1" }, - apAttrs)); + names.append("["); - } else { - ATTRS.put("ImplementedIn", "Software"); - String ecKeyClasses = "java.security.interfaces.ECPublicKey" + - "|java.security.interfaces.ECPrivateKey"; - ATTRS.put("SupportedKeyClasses", ecKeyClasses); - ATTRS.put("KeySize", "256"); - - /* - * Key Factory engine - */ - putService(new ProviderService(this, "KeyFactory", - "EC", "sun.security.ec.ECKeyFactory", - new String[] { "EllipticCurve" }, ATTRS)); - - /* - * Algorithm Parameter engine - */ - // "AlgorithmParameters.EC SupportedCurves" prop used by unit test - boolean firstCurve = true; - StringBuilder names = new StringBuilder(); - Pattern nameSplitPattern = Pattern.compile(CurveDB.SPLIT_PATTERN); - - Collection supportedCurves = - CurveDB.getSupportedCurves(); - for (NamedCurve namedCurve : supportedCurves) { - if (!firstCurve) { - names.append("|"); - } else { - firstCurve = false; - } - - names.append("["); - - String[] commonNames = nameSplitPattern.split(namedCurve.getName()); - for (String commonName : commonNames) { - names.append(commonName.trim()); - names.append(","); - } - - names.append(namedCurve.getObjectId()); - names.append("]"); + String[] commonNames = nameSplitPattern.split(namedCurve.getName()); + for (String commonName : commonNames) { + names.append(commonName.trim()); + names.append(","); } - HashMap apAttrs = new HashMap<>(ATTRS); - apAttrs.put("SupportedCurves", names.toString()); + names.append(namedCurve.getObjectId()); + names.append("]"); + } - putService(new ProviderService(this, "AlgorithmParameters", + HashMap apAttrs = new HashMap<>(ATTRS); + apAttrs.put("SupportedCurves", names.toString()); + + putService(new ProviderService(this, "AlgorithmParameters", "EC", "sun.security.util.ECParameters", new String[] { "EllipticCurve", "1.2.840.10045.2.1", "OID.1.2.840.10045.2.1" }, apAttrs)); - putXDHEntries(); + putXDHEntries(); - /* - * Register the algorithms below only when the full ECC implementation - * is available - */ - if (!useFullImplementation) { - return; - } + /* + * Register the algorithms below only when the full ECC implementation + * is available + */ + if (!useFullImplementation) { + return; + } - /* - * Signature engines - */ - putService(new ProviderService(this, "Signature", + /* + * Signature engines + */ + putService(new ProviderService(this, "Signature", "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", null, ATTRS)); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", new String[] { "1.2.840.10045.4.1", "OID.1.2.840.10045.4.1" }, ATTRS)); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", new String[] { "1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"}, ATTRS)); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", new String[] { "1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"}, ATTRS)); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", new String[] { "1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3" }, ATTRS)); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", new String[] { "1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4" }, ATTRS)); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "NONEwithECDSAinP1363Format", "sun.security.ec.ECDSASignature$RawinP1363Format")); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA1withECDSAinP1363Format", "sun.security.ec.ECDSASignature$SHA1inP1363Format")); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA224withECDSAinP1363Format", "sun.security.ec.ECDSASignature$SHA224inP1363Format")); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA256withECDSAinP1363Format", "sun.security.ec.ECDSASignature$SHA256inP1363Format")); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA384withECDSAinP1363Format", "sun.security.ec.ECDSASignature$SHA384inP1363Format")); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA512withECDSAinP1363Format", "sun.security.ec.ECDSASignature$SHA512inP1363Format")); - /* - * Key Pair Generator engine - */ - putService(new ProviderService(this, "KeyPairGenerator", + /* + * Key Pair Generator engine + */ + putService(new ProviderService(this, "KeyPairGenerator", "EC", "sun.security.ec.ECKeyPairGenerator", new String[] { "EllipticCurve" }, ATTRS)); - /* - * Key Agreement engine - */ - if (useNativeEC) { - putService(new ProviderService(this, "KeyAgreement", + /* + * Key Agreement engine + */ + if (useNativeEC) { + putService(new ProviderService(this, "KeyAgreement", "ECDH", "sun.security.ec.NativeECDHKeyAgreement", null, ATTRS)); - } else { - putService(new ProviderService(this, "KeyAgreement", + } else { + putService(new ProviderService(this, "KeyAgreement", "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); - } } } From 1fb2d90611207f4a66e198744a6fae14c584ab24 Mon Sep 17 00:00:00 2001 From: Zainab Fatmi Date: Mon, 14 Nov 2022 13:08:32 -0500 Subject: [PATCH 2/2] Add a restricted security policy for CRIU Signed-off-by: Zainab Fatmi --- .../{CRIUSECProvider.java => CRIUSEC.java} | 18 ++++++------ .../RestrictedSecurityConfigurator.java | 28 +++++++++++++++++-- .../share/conf/security/java.security | 20 +++++++++++++ 3 files changed, 55 insertions(+), 11 deletions(-) rename closed/src/java.base/share/classes/openj9/internal/criu/{CRIUSECProvider.java => CRIUSEC.java} (77%) diff --git a/closed/src/java.base/share/classes/openj9/internal/criu/CRIUSECProvider.java b/closed/src/java.base/share/classes/openj9/internal/criu/CRIUSEC.java similarity index 77% rename from closed/src/java.base/share/classes/openj9/internal/criu/CRIUSECProvider.java rename to closed/src/java.base/share/classes/openj9/internal/criu/CRIUSEC.java index 52c9ba4ac7c..e9246dae5a6 100644 --- a/closed/src/java.base/share/classes/openj9/internal/criu/CRIUSECProvider.java +++ b/closed/src/java.base/share/classes/openj9/internal/criu/CRIUSEC.java @@ -28,21 +28,21 @@ import java.security.Provider; /** - * The CRIUSECProvider is a security provider that is used as follows when CRIU - * is enabled. During the checkpoint phase, all other security providers are - * removed, except CRIUSECProvider, and the digests are cleared, to ensure that - * no state is saved during checkpoint that is then restored during the restore - * phase. During the resore phase, CRIUSECProvider is removed and the other - * security providers are added back. + * The CRIUSEC is a security provider that is used as follows when CRIU is + * enabled. During the checkpoint phase, all other security providers are + * removed, except CRIUSEC, and the digests are cleared, to ensure that no + * state is saved during checkpoint that is then restored during the restore + * phase. During the resore phase, CRIUSEC is removed and the other security + * providers are added back. */ -public final class CRIUSECProvider extends Provider { +public final class CRIUSEC extends Provider { private static final long serialVersionUID = -3240458633432287743L; - public CRIUSECProvider() { + public CRIUSEC() { super("CRIUSEC", "1", "CRIUSEC Provider"); - String packageName = CRIUSECProvider.class.getPackage().getName() + "."; + String packageName = CRIUSEC.class.getPackage().getName() + "."; String[] aliases = new String[] { "SHA", "SHA1", diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java index 6ff528b4f02..7716e48239f 100644 --- a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java +++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java @@ -37,6 +37,10 @@ import sun.security.util.Debug; +/*[IF CRIU_SUPPORT]*/ +import openj9.internal.criu.InternalCRIUSupport; +/*[ENDIF] CRIU_SUPPORT*/ + /** * Configures the security providers when in restricted security mode. */ @@ -72,8 +76,18 @@ public String[] run() { } }); userEnabledFIPS = Boolean.parseBoolean(props[0]); + String securitySetting = props[1]; // If semeru.fips is true, then ignore semeru.restrictedsecurity, use userSecurityNum 1. - userSecuritySetting = userEnabledFIPS ? "1" : props[1]; + if (Boolean.parseBoolean(props[0])) { + securitySetting = "1"; + } + /*[IF CRIU_SUPPORT]*/ + // If CRIU checkpoint mode is enabled, use the 2nd restricted security policy. + if (InternalCRIUSupport.isCheckpointAllowed()) { + securitySetting = "2"; + } + /*[ENDIF] CRIU_SUPPORT*/ + userSecuritySetting = securitySetting; userEnabledSecurity = !isNullOrBlank(userSecuritySetting); isSecuritySupported = "Linux".equalsIgnoreCase(props[2]) && supportPlatforms.contains(props[3]); @@ -86,7 +100,8 @@ private RestrictedSecurityConfigurator() { /** * Restricted security mode will be enabled only if the semeru.fips system - * property is true (default as false). + * property is true (default as false), or semeru.restrictedsecurity is set, + * or CRIU checkpoint mode is enabled. * * @return true if restricted security is enabled */ @@ -94,6 +109,15 @@ public static boolean isEnabled() { return securityEnabled; } +/*[IF CRIU_SUPPORT]*/ + /** + * Disables the restricted security mode. + */ + public static void disable() { + securityEnabled = false; + } +/*[ENDIF] CRIU_SUPPORT*/ + /** * Remove the security providers and only add the restricted security providers. * diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index 7d7429c8e66..9cc6537e9af 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -135,6 +135,26 @@ RestrictedSecurity1.javax.net.ssl.keyStore = NONE RestrictedSecurity1.securerandom.provider = SunPKCS11-NSS-FIPS RestrictedSecurity1.securerandom.algorithm = PKCS11 + +RestrictedSecurity2.desc.name = CRIU +RestrictedSecurity2.desc.number = 1 +RestrictedSecurity2.desc.policy = Security +RestrictedSecurity2.desc.sunsetDate = 2030-01-01 + +RestrictedSecurity2.tls.disabledNamedCurves = +RestrictedSecurity2.tls.disabledAlgorithms = +RestrictedSecurity2.tls.ephemeralDHKeySize = +RestrictedSecurity2.tls.legacyAlgorithms = + +RestrictedSecurity2.jce.certpath.disabledAlgorithms = +RestrictedSecurity2.jce.legacyAlgorithms = +RestrictedSecurity2.jce.provider.1 = openj9.internal.criu.CRIUSEC + +RestrictedSecurity2.keystore.type = +RestrictedSecurity2.javax.net.ssl.keyStore = + +RestrictedSecurity2.securerandom.provider = CRIUSEC +RestrictedSecurity2.securerandom.algorithm = SHA1PRNG #endif #