Merge pull request #745 from ibmruntimes/openj9

Merge the latest openj9 changes to 0.43

closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java

@@ -39,6 +39,7 @@
 import java.security.KeyPair;
 import java.security.KeyPairGeneratorSpi;
 import java.security.PrivateKey;
+import java.security.Provider;
 import java.security.ProviderException;
 import java.security.PublicKey;
 import java.security.SecureRandom;
@@ -56,6 +57,7 @@
 
 import sun.security.ec.point.*;
 import sun.security.jca.JCAUtil;
+import sun.security.provider.Sun;
 import sun.security.util.ECUtil;
 
 import static sun.security.ec.ECOperations.IntermediateValueException;
@@ -97,6 +99,28 @@ public NativeECKeyPairGenerator() {
 
  @Override
  public void initialize(int keySize, SecureRandom random) {
+ if (random == null) {
+ if (nativeCryptTrace) {
+ System.err.println("No SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else if ((random.getProvider() instanceof Sun)
+ && ("NativePRNG".equals(random.getAlgorithm()) || "DRBG".equals(random.getAlgorithm()))
+ ) {
+ if (nativeCryptTrace) {
+ System.err.println("Default SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else {
+ if (nativeCryptTrace) {
+ System.err.println("SecureRandom implementation was provided during"
+ + " initialization. Using Java implementation instead of OpenSSL.");
+ }
+ this.javaImplementation = new ECKeyPairGenerator();
+ this.javaImplementation.initialize(keySize, random);
+ return;
+ }
+
  if (keySize < KEY_SIZE_MIN) {
  throw new InvalidParameterException
  ("Key size must be at least " + KEY_SIZE_MIN + " bits");
@@ -125,6 +149,28 @@ public void initialize(int keySize, SecureRandom random) {
  @Override
  public void initialize(AlgorithmParameterSpec params, SecureRandom random)
  throws InvalidAlgorithmParameterException {
+ if (random == null) {
+ if (nativeCryptTrace) {
+ System.err.println("No SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else if ((random.getProvider() instanceof Sun)
+ && ("NativePRNG".equals(random.getAlgorithm()) || "DRBG".equals(random.getAlgorithm()))
+ ) {
+ if (nativeCryptTrace) {
+ System.err.println("Default SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else {
+ if (nativeCryptTrace) {
+ System.err.println("SecureRandom implementation was provided during"
+ + " initialization. Using Java implementation instead of OpenSSL.");
+ }
+ this.javaImplementation = new ECKeyPairGenerator();
+ this.javaImplementation.initialize(params, random);
+ return;
+ }
+
  ECParameterSpec ecSpec = null;
 
  if (params instanceof ECParameterSpec) {

closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeXDHKeyPairGenerator.java

@@ -38,6 +38,7 @@
 import java.security.KeyFactory;
 import java.security.KeyPair;
 import java.security.KeyPairGeneratorSpi;
+import java.security.Provider;
 import java.security.ProviderException;
 import java.security.PublicKey;
 import java.security.SecureRandom;
@@ -46,6 +47,8 @@
 
 import jdk.crypto.jniprovider.NativeCrypto;
 
+import sun.security.jca.JCAUtil;
+import sun.security.provider.Sun;
 import sun.security.util.BitArray;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X509Key;
@@ -59,6 +62,7 @@ public class NativeXDHKeyPairGenerator extends KeyPairGeneratorSpi {
  private final XECParameters lockedParams;
 
  private XDHKeyPairGenerator javaImplementation;
+ private boolean useJavaImpl;
 
  public NativeXDHKeyPairGenerator() {
  tryInitialize(NamedParameterSpec.X25519);
@@ -105,10 +109,42 @@ private void initializeImpl(XECParameters params, SecureRandom random) {
  }
 
  ops = new XECOperations(params);
+ this.random = (random != null) ? random : JCAUtil.getSecureRandom();
+
+ useJavaImpl = false;
+ if (random == null) {
+ if (nativeCryptTrace) {
+ System.err.println("No SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else if ((random.getProvider() instanceof Sun)
+ && ("NativePRNG".equals(random.getAlgorithm()) || "DRBG".equals(random.getAlgorithm()))
+ ) {
+ if (nativeCryptTrace) {
+ System.err.println("Default SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else {
+ if (nativeCryptTrace) {
+ System.err.println("SecureRandom implementation was provided during"
+ + " initialization. Using Java implementation instead of OpenSSL.");
+ }
+ useJavaImpl = true;
+ }
  }
 
  @Override
  public KeyPair generateKeyPair() {
+ /*
+ * When the keypair generator is initialized with
+ * anything other than the default SecureRandom
+ * implementation, use the Java implementation
+ * to generate the keypair.
+ */
+ if (useJavaImpl) {
+ return javaImplGenerateKeyPair();
+ }
+
  /* If library isn't loaded, use Java implementation. */
  if (!NativeCrypto.isAllowedAndLoaded()) {
  if (nativeCryptTrace) {
@@ -177,12 +213,16 @@ public KeyPair generateKeyPair() {
  */
  private void initializeJavaImplementation() {
  if (javaImplementation == null) {
- if (isX25519(ops.getParameters())) {
+ if (lockedParams == null) {
+ javaImplementation = new XDHKeyPairGenerator();
+ } else if (isX25519(lockedParams)) {
  javaImplementation = new XDHKeyPairGenerator.X25519();
  } else {
  javaImplementation = new XDHKeyPairGenerator.X448();
  }
  }
+
+ javaImplementation.initialize(ops.getParameters().getBits(), random);
  }
 
  /*

src/java.base/share/classes/module-info.java

@@ -25,7 +25,7 @@
 
 /*
  * ===========================================================================
- * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved
+ * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved
  * ===========================================================================
  */
 
@@ -298,6 +298,7 @@
  java.rmi,
  java.security.jgss,
  jdk.crypto.cryptoki,
+ jdk.crypto.ec,
  jdk.security.auth;
  exports sun.security.provider.certpath to
  java.naming,

test/jdk/ProblemList-FIPS140_2.txt

@@ -1128,3 +1128,11 @@ sun/security/ssl/SSLSocketImpl/SSLSocketSSLEngineCloseInbound.java https://githu
 # NSS can not be initialized twice, because the FIPS already initial it.
 
 sun/security/pkcs11/tls/TestKeyMaterialChaCha20.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/591 linux-x64,linux-ppc64le,linux-s390x
+
+# Temporary Exclusion
+java/util/jar/JarFile/VerifySignedJar.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
+java/util/jar/JarFile/SignedJarPendingBlock.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
+com/sun/jndi/ldap/LdapSSLHandshakeFailureTest.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
+javax/smartcardio/TerminalFactorySpiTest.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
+sun/security/krb5/auto/Unavailable.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
+sun/security/krb5/etype/WeakCrypto.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x