From 01b6e7623f9e9567fb97f25e46a1ba5f85d0a4cc Mon Sep 17 00:00:00 2001
From: Anna Babu Palathingal
Date: Fri, 8 Dec 2023 14:49:39 -0500
Subject: [PATCH 1/2] Excludes subtests for FIPS openjdk11_j9
-Exclude `java/util/jar/JarFile/VerifySignedJar.java`
-Exclude `java/util/jar/JarFile/SignedJarPendingBlock.java`
-Exclude `com/sun/jndi/ldap/LdapSSLHandshakeFailureTest.java`
-Exclude `sun/security/krb5/auto/Unavailable.java`
-Exclude `sun/security/krb5/etype/WeakCrypto.java`
related: backlog/issues/1089
Signed-off-by: Anna Babu Palathingal
---
 test/jdk/ProblemList-FIPS140_2.txt | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/test/jdk/ProblemList-FIPS140_2.txt b/test/jdk/ProblemList-FIPS140_2.txt
index 1fc65ce6d9..dc9cbe7aaa 100644
--- a/test/jdk/ProblemList-FIPS140_2.txt
+++ b/test/jdk/ProblemList-FIPS140_2.txt
@@ -1128,3 +1128,11 @@ sun/security/ssl/SSLSocketImpl/SSLSocketSSLEngineCloseInbound.java https://githu
 # NSS can not be initialized twice, because the FIPS already initial it.
 sun/security/pkcs11/tls/TestKeyMaterialChaCha20.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/591 linux-x64,linux-ppc64le,linux-s390x
+
+# Temporary Exclusion
+java/util/jar/JarFile/VerifySignedJar.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
+java/util/jar/JarFile/SignedJarPendingBlock.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
+com/sun/jndi/ldap/LdapSSLHandshakeFailureTest.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
+javax/smartcardio/TerminalFactorySpiTest.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
+sun/security/krb5/auto/Unavailable.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
+sun/security/krb5/etype/WeakCrypto.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
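Review bot: The added block excludes `javax/smartcardio/TerminalFactorySpiTest.java`, which is not among the five exclusions listed in the commit message, so either the description or the list needs correcting. The `# Temporary Exclusion` comment also gives no cause and no condition for re-enabling, unlike the neighbouring `# NSS can not be initialized twice…` comment, and every entry links to a `github.ibm.com` issue that readers of this list presumably cannot all open. These entries switch off signed-JAR verification, LDAP TLS handshake and Kerberos weak-crypto tests in the FIPS configuration, so a stated reason matters; something like `# Temporary exclusion: fails in FIPS 140-2 mode (backlog issue 1089); re-enable when resolved` would do.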
From 158ea3fe4e631cf91eaf4afb81619831e0ba8065 Mon Sep 17 00:00:00 2001
From: Kostas Tsiounis
Date: Tue, 26 Sep 2023 14:44:21 -0400
Subject: [PATCH 2/2] Revert to Java impl when non-default SecureRandom present
---
 .../security/ec/NativeECKeyPairGenerator.java | 46 +++++++++++++++++++
 .../ec/NativeXDHKeyPairGenerator.java | 42 ++++++++++++++++-
 src/java.base/share/classes/module-info.java | 3 +-
 3 files changed, 89 insertions(+), 2 deletions(-)
diff --git a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java
index 012192c71f..a1dada2cac 100644
--- a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java
+++ b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java
@@ -39,6 +39,7 @@
 import java.security.KeyPair;
 import java.security.KeyPairGeneratorSpi;
 import java.security.PrivateKey;
+import java.security.Provider;
 import java.security.ProviderException;
 import java.security.PublicKey;
 import java.security.SecureRandom;
@@ -56,6 +57,7 @@
 import sun.security.ec.point.*;
 import sun.security.jca.JCAUtil;
+import sun.security.provider.Sun;
 import sun.security.util.ECUtil;
 import static sun.security.ec.ECOperations.IntermediateValueException;
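Review bot: `import java.security.Provider;` looks unused, since no line added by this patch names `Provider`; the new check is `random.getProvider() instanceof Sun`, which needs only the `sun.security.provider.Sun` import. The same import is added to NativeXDHKeyPairGenerator.java. Unless code outside these hunks refers to the type, drop both lines.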
@@ -97,6 +99,28 @@ public NativeECKeyPairGenerator() { @Override public void initialize(int keySize, SecureRandom random) { + if (random == null) { + if (nativeCryptTrace) { + System.err.println("No SecureRandom implementation was provided during" + + " initialization. Using OpenSSL."); + } + } else if ((random.getProvider() instanceof Sun) + && ("NativePRNG".equals(random.getAlgorithm()) || "DRBG".equals(random.getAlgorithm())) + ) { + if (nativeCryptTrace) { + System.err.println("Default SecureRandom implementation was provided during" + + " initialization. Using OpenSSL."); + } + } else { + if (nativeCryptTrace) { + System.err.println("SecureRandom implementation was provided during" + + " initialization. Using Java implementation instead of OpenSSL."); + } + this.javaImplementation = new ECKeyPairGenerator(); + this.javaImplementation.initialize(keySize, random); + return; + } + if (keySize < KEY_SIZE_MIN) { throw new InvalidParameterException ("Key size must be at least " + KEY_SIZE_MIN + " bits"); 
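Review bot: The `else if` test decides that a generator is the default one from `getProvider()` and `getAlgorithm()` alone, so a `SecureRandom` subclass built through the no-argument constructor that overrides `nextBytes` (a common way to supply fixed test vectors) would still report the Sun provider and its default algorithm, and be silently set aside in favour of OpenSSL's generator. The same applies to a Sun `DRBG` created with caller-chosen `DrbgParameters`, for which the "Default SecureRandom implementation" trace message would be inaccurate. Adding `&& random.getClass() == SecureRandom.class` to the condition would at least route subclasses to the Java implementation. The identical block is repeated in `initialize(AlgorithmParameterSpec, SecureRandom)` and in `NativeXDHKeyPairGenerator.initializeImpl`; a shared helper such as `static boolean isDefaultSecureRandom(SecureRandom random)`, with a comment on why Sun `NativePRNG`/`DRBG` are treated as interchangeable with the native generator, would keep the three copies from drifting. The method body continues past the end of the hunk.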
@@ -125,6 +149,28 @@ public void initialize(int keySize, SecureRandom random) { @Override public void initialize(AlgorithmParameterSpec params, SecureRandom random) throws InvalidAlgorithmParameterException { + if (random == null) { + if (nativeCryptTrace) { + System.err.println("No SecureRandom implementation was provided during" + + " initialization. Using OpenSSL."); + } + } else if ((random.getProvider() instanceof Sun) + && ("NativePRNG".equals(random.getAlgorithm()) || "DRBG".equals(random.getAlgorithm())) + ) { + if (nativeCryptTrace) { + System.err.println("Default SecureRandom implementation was provided during" + + " initialization. Using OpenSSL."); + } + } else { + if (nativeCryptTrace) { + System.err.println("SecureRandom implementation was provided during" + + " initialization. Using Java implementation instead of OpenSSL."); + } + this.javaImplementation = new ECKeyPairGenerator(); + this.javaImplementation.initialize(params, random); + return; + } + + ECParameterSpec ecSpec = null; if (params instanceof ECParameterSpec) {
diff --git a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeXDHKeyPairGenerator.java b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeXDHKeyPairGenerator.java
index 2ea9b88b7c..3fc76bf7ea 100644
--- a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeXDHKeyPairGenerator.java
+++ b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeXDHKeyPairGenerator.java
@@ -38,6 +38,7 @@
 import java.security.KeyFactory;
 import java.security.KeyPair;
 import java.security.KeyPairGeneratorSpi;
+import java.security.Provider;
 import java.security.ProviderException;
 import java.security.PublicKey;
 import java.security.SecureRandom;
@@ -46,6 +47,8 @@
 import jdk.crypto.jniprovider.NativeCrypto;
+import sun.security.jca.JCAUtil;
+import sun.security.provider.Sun;
 import sun.security.util.BitArray;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X509Key;
@@ -59,6 +62,7 @@ public class NativeXDHKeyPairGenerator extends KeyPairGeneratorSpi {
 private final XECParameters lockedParams;
 private XDHKeyPairGenerator javaImplementation;
+ private boolean useJavaImpl;
 public NativeXDHKeyPairGenerator() {
 tryInitialize(NamedParameterSpec.X25519);
@@ -105,10 +109,42 @@ private void initializeImpl(XECParameters params, SecureRandom random) {
 }
 ops = new XECOperations(params);
+ this.random = (random != null) ? random : JCAUtil.getSecureRandom();
+
+ useJavaImpl = false;
+ if (random == null) {
+ if (nativeCryptTrace) {
+ System.err.println("No SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else if ((random.getProvider() instanceof Sun)
+ && ("NativePRNG".equals(random.getAlgorithm()) || "DRBG".equals(random.getAlgorithm()))
+ ) {
+ if (nativeCryptTrace) {
+ System.err.println("Default SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else {
+ if (nativeCryptTrace) {
+ System.err.println("SecureRandom implementation was provided during"
+ + " initialization. Using Java implementation instead of OpenSSL.");
+ }
+ useJavaImpl = true;
+ }
 }
 @Override
 public KeyPair generateKeyPair() {
+ /*
+ * When the keypair generator is initialized with
+ * anything other than the default SecureRandom
+ * implementation, use the Java implementation
+ * to generate the keypair.
+ */
+ if (useJavaImpl) {
+ return javaImplGenerateKeyPair();
+ }
+
 /* If library isn't loaded, use Java implementation. */
 if (!NativeCrypto.isAllowedAndLoaded()) {
 if (nativeCryptTrace) {
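Review bot: The new field `useJavaImpl` has no comment, and it records the same decision that NativeECKeyPairGenerator records by assigning `javaImplementation` inside `initialize`, so the two classes express one rule through two mechanisms. A field comment would state the contract, for example `/* Set by initializeImpl when the caller supplied a SecureRandom other than a Sun NativePRNG/DRBG; generateKeyPair then bypasses OpenSSL. */`. It would also help to say in `initializeImpl` that `this.random` is stored even on the OpenSSL path, because only the Java fallback visibly consumes it in this patch.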
@@ -177,12 +213,16 @@ public KeyPair generateKeyPair() {
 */
 private void initializeJavaImplementation() {
 if (javaImplementation == null) {
- if (isX25519(ops.getParameters())) {
+ if (lockedParams == null) {
+ javaImplementation = new XDHKeyPairGenerator();
+ } else if (isX25519(lockedParams)) {
 javaImplementation = new XDHKeyPairGenerator.X25519();
 } else {
 javaImplementation = new XDHKeyPairGenerator.X448();
 }
 }
+
+ javaImplementation.initialize(ops.getParameters().getBits(), random);
 }
 /*
diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
index 6805f533c4..552539b646 100644
--- a/src/java.base/share/classes/module-info.java
+++ b/src/java.base/share/classes/module-info.java
@@ -25,7 +25,7 @@
 /*
 * ===========================================================================
- * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved
+ * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved
 * ===========================================================================
 */
@@ -298,6 +298,7 @@
 java.rmi,
 java.security.jgss,
 jdk.crypto.cryptoki,
+ jdk.crypto.ec,
 jdk.security.auth;
 exports sun.security.provider.certpath to
 java.naming,
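Review bot: The unconditional `javaImplementation.initialize(ops.getParameters().getBits(), random)` at the end of `initializeJavaImplementation()` has no comment explaining why it sits outside the `if (javaImplementation == null)` guard, so it now runs on every call rather than only when the fallback object is created. That looks intentional, since the cached object has to pick up the parameters and `SecureRandom` from a later `initializeImpl`, but a comment such as `/* Re-initialize on every call: ops and random may have changed since the fallback was created. */` would stop someone moving it back inside the guard. The comment block above the method starts outside the hunk and may need the same update.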