From 4c92ade4033926b0911d3d35ec8374310caf33ee Mon Sep 17 00:00:00 2001
From: Anna Babu Palathingal
Date: Tue, 5 Dec 2023 10:42:50 -0500
Subject: [PATCH 1/2] Excludes subtests for FIPS openjdk17_j9
related: backlog/issues/1089
Signed-off-by: Anna Babu Palathingal
---
 test/jdk/ProblemList-FIPS140_2.txt | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/test/jdk/ProblemList-FIPS140_2.txt b/test/jdk/ProblemList-FIPS140_2.txt
index f86a58b4a7e..a8b0945cd15 100644
--- a/test/jdk/ProblemList-FIPS140_2.txt
+++ b/test/jdk/ProblemList-FIPS140_2.txt
@@ -1220,4 +1220,9 @@ com/sun/crypto/provider/Cipher/AEAD/GCMBufferTest.java https://github.com/ibmrun
 # java.security.ProviderException: cancel failed
 # It seems that the keysize of DSA should not be 2048. After changing it to 1024, the cancelOperation failure disappeared.
 # The new exception is generating a DSA certificate but failed to generate DSA public key while trying to get the prime number when calling generatePublic() function from KeyFactory.
-sun/security/x509/X509CertImpl/V3Certificate.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/131 linux-x64,linux-ppc64le,linux-s390x
\ No newline at end of file
+sun/security/x509/X509CertImpl/V3Certificate.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/131 linux-x64,linux-ppc64le,linux-s390x
+
+# Temporary Exclusion
+java/util/jar/JarFile/VerifySignedJar.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
+com/sun/jndi/ldap/LdapSSLHandshakeFailureTest.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
+javax/smartcardio/TerminalFactorySpiTest.java https://github.ibm.com/runtimes/backlog/issues/1089 linux-x64,linux-ppc64le,linux-s390x
From 707026f38218c04c15c67f0b8f7c52fc5f03ba5d Mon Sep 17 00:00:00 2001
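Review bot: The three entries added under `# Temporary Exclusion` give no reason for the exclusion, unlike the neighbouring V3Certificate entry whose preceding comments record the observed exception and what was tried. The tests being dropped from the FIPS 140-2 run cover signed-JAR verification, LDAP TLS handshake failure handling and the smartcard TerminalFactory SPI, which are exactly the behaviours one wants exercised in FIPS mode, so a blanket "temporary" label with an internal-only tracker link (github.ibm.com is not reachable from this public repository) leaves future maintainers with no way to judge when it is safe to re-enable them. Suggested comment in place of the bare heading: `# Temporary Exclusion: fail under FIPS 140-2 (record the observed exception per test); re-enable once backlog/issues/1089 is resolved`. If the failures are not yet understood, saying so explicitly is still better than nothing.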
From: Kostas Tsiounis
Date: Tue, 26 Sep 2023 14:44:21 -0400
Subject: [PATCH 2/2] Revert to Java impl when non-default SecureRandom present
---
 .../security/ec/NativeECKeyPairGenerator.java | 46 +++++++++++++++++++
 .../ec/NativeXDHKeyPairGenerator.java | 42 ++++++++++++++++-
 2 files changed, 87 insertions(+), 1 deletion(-)
diff --git a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java
index 8c2440b25bc..9543beeaab7 100644
--- a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java
+++ b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java
@@ -39,6 +39,7 @@
 import java.security.KeyPair;
 import java.security.KeyPairGeneratorSpi;
 import java.security.PrivateKey;
+import java.security.Provider;
 import java.security.ProviderException;
 import java.security.PublicKey;
 import java.security.SecureRandom;
@@ -56,6 +57,7 @@
 import sun.security.ec.point.*;
 
 import sun.security.jca.JCAUtil;
+import sun.security.provider.Sun;
 import sun.security.util.ECUtil;
 
 import static sun.security.ec.ECOperations.IntermediateValueException;
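Review bot: The added `import java.security.Provider;` is not referenced by any line this commit adds to NativeECKeyPairGenerator — the new code only evaluates `random.getProvider() instanceof Sun` and `random.getAlgorithm()`, neither of which names the `Provider` type — so unless a use exists outside the visible hunks it is an unused import and should be dropped (`javac -Xlint` will flag it). The same unused import is added to NativeXDHKeyPairGenerator later in this patch. Keeping only `import sun.security.provider.Sun;` is enough for the new checks.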
@@ -97,6 +99,28 @@ public NativeECKeyPairGenerator() {
 
 @Override
 public void initialize(int keySize, SecureRandom random) {
+ if (random == null) {
+ if (nativeCryptTrace) {
+ System.err.println("No SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else if ((random.getProvider() instanceof Sun)
+ && ("NativePRNG".equals(random.getAlgorithm()) || "DRBG".equals(random.getAlgorithm()))
+ ) {
+ if (nativeCryptTrace) {
+ System.err.println("Default SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else {
+ if (nativeCryptTrace) {
+ System.err.println("SecureRandom implementation was provided during"
+ + " initialization. Using Java implementation instead of OpenSSL.");
+ }
+ this.javaImplementation = new ECKeyPairGenerator();
+ this.javaImplementation.initialize(keySize, random);
+ return;
+ }
+
 if (keySize < KEY_SIZE_MIN) {
 throw new InvalidParameterException
 ("Key size must be at least " + KEY_SIZE_MIN + " bits");
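Review bot: Once a caller-supplied SecureRandom has been seen, `this.javaImplementation` is assigned and the method returns, but the two other branches never clear it, so a later `initialize(keySize, defaultRandom)` on the same generator leaves the earlier `ECKeyPairGenerator` — still bound to the previous SecureRandom — in place while the trace message claims OpenSSL will be used. If `generateKeyPair()` prefers `javaImplementation` whenever it is non-null (its body is outside this hunk, so this is inferred), the stale Java delegate and the stale RNG keep being used; the XDH counterpart in this same patch resets `useJavaImpl = false` on every initialize, and this method should do the equivalent with `this.javaImplementation = null;` as its first statement. The early `return` also bypasses the `KEY_SIZE_MIN` check below, which is only acceptable because `ECKeyPairGenerator.initialize` does its own size validation; that deserves a one-line comment on the `return`. The `initialize` body continues past the end of the hunk.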
@@ -125,6 +149,28 @@ public void initialize(int keySize, SecureRandom random) {
 @Override
 public void initialize(AlgorithmParameterSpec params, SecureRandom random)
 throws InvalidAlgorithmParameterException {
+ if (random == null) {
+ if (nativeCryptTrace) {
+ System.err.println("No SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else if ((random.getProvider() instanceof Sun)
+ && ("NativePRNG".equals(random.getAlgorithm()) || "DRBG".equals(random.getAlgorithm()))
+ ) {
+ if (nativeCryptTrace) {
+ System.err.println("Default SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else {
+ if (nativeCryptTrace) {
+ System.err.println("SecureRandom implementation was provided during"
+ + " initialization. Using Java implementation instead of OpenSSL.");
+ }
+ this.javaImplementation = new ECKeyPairGenerator();
+ this.javaImplementation.initialize(params, random);
+ return;
+ }
+
 ECParameterSpec ecSpec = null;
 
 if (params instanceof ECParameterSpec ecParams) {
diff --git a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeXDHKeyPairGenerator.java b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeXDHKeyPairGenerator.java
index 2ea9b88b7c5..3fc76bf7eaf 100644
--- a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeXDHKeyPairGenerator.java
+++ b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeXDHKeyPairGenerator.java
@@ -38,6 +38,7 @@
 import java.security.KeyFactory;
 import java.security.KeyPair;
 import java.security.KeyPairGeneratorSpi;
+import java.security.Provider;
 import java.security.ProviderException;
 import java.security.PublicKey;
 import java.security.SecureRandom;
@@ -46,6 +47,8 @@
 
 import jdk.crypto.jniprovider.NativeCrypto;
 
+import sun.security.jca.JCAUtil;
+import sun.security.provider.Sun;
 import sun.security.util.BitArray;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X509Key;
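Review bot: The 22-line SecureRandom classification block is duplicated verbatim between this overload and `initialize(int, SecureRandom)`, and a third copy is added to NativeXDHKeyPairGenerator in the same patch; the provider/algorithm allow-list (`Sun` with `NativePRNG` or `DRBG`) is the security decision that determines when a caller's RNG may be silently replaced by OpenSSL's, and maintaining it in three places invites drift. It should be one predicate, with the trace output inside it, that each `initialize` calls; the outline below keeps behaviour identical and also gives the condition a place for a comment explaining why only the JDK's own default RNGs may be ignored. Whether `nativeCryptTrace` is static is not visible here, so the helper is written as an instance method. The `initialize` body continues past the hunk.
```java
    /*
     * OpenSSL key generation draws its own randomness and cannot consume a
     * caller-supplied SecureRandom. Only the JDK's default implementations
     * (Sun NativePRNG / DRBG) may be ignored; any other SecureRandom forces
     * the pure-Java generator so that the caller's choice of RNG is honoured.
     */
    private boolean mustUseJavaImpl(SecureRandom random) {
        if (random == null) {
            if (nativeCryptTrace) {
                System.err.println("No SecureRandom implementation was provided during"
                        + " initialization. Using OpenSSL.");
            }
            return false;
        }
        boolean isDefault = (random.getProvider() instanceof Sun)
                && ("NativePRNG".equals(random.getAlgorithm())
                    || "DRBG".equals(random.getAlgorithm()));
        if (nativeCryptTrace) {
            System.err.println(isDefault
                    ? "Default SecureRandom implementation was provided during"
                        + " initialization. Using OpenSSL."
                    : "SecureRandom implementation was provided during"
                        + " initialization. Using Java implementation instead of OpenSSL.");
        }
        return !isDefault;
    }

    @Override
    public void initialize(AlgorithmParameterSpec params, SecureRandom random)
            throws InvalidAlgorithmParameterException {
        if (mustUseJavaImpl(random)) {
            this.javaImplementation = new ECKeyPairGenerator();
            this.javaImplementation.initialize(params, random);
            return;
        }
        // … unchanged: ECParameterSpec resolution and native initialization …
```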
@@ -59,6 +62,7 @@ public class NativeXDHKeyPairGenerator extends KeyPairGeneratorSpi {
 
 private final XECParameters lockedParams;
 private XDHKeyPairGenerator javaImplementation;
+ private boolean useJavaImpl;
 
 public NativeXDHKeyPairGenerator() {
 tryInitialize(NamedParameterSpec.X25519);
@@ -105,10 +109,42 @@ private void initializeImpl(XECParameters params, SecureRandom random) {
 }
 
 ops = new XECOperations(params);
+ this.random = (random != null) ? random : JCAUtil.getSecureRandom();
+
+ useJavaImpl = false;
+ if (random == null) {
+ if (nativeCryptTrace) {
+ System.err.println("No SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else if ((random.getProvider() instanceof Sun)
+ && ("NativePRNG".equals(random.getAlgorithm()) || "DRBG".equals(random.getAlgorithm()))
+ ) {
+ if (nativeCryptTrace) {
+ System.err.println("Default SecureRandom implementation was provided during"
+ + " initialization. Using OpenSSL.");
+ }
+ } else {
+ if (nativeCryptTrace) {
+ System.err.println("SecureRandom implementation was provided during"
+ + " initialization. Using Java implementation instead of OpenSSL.");
+ }
+ useJavaImpl = true;
+ }
 }
 
 @Override
 public KeyPair generateKeyPair() {
+ /*
+ * When the keypair generator is initialized with
+ * anything other than the default SecureRandom
+ * implementation, use the Java implementation
+ * to generate the keypair.
+ */
+ if (useJavaImpl) {
+ return javaImplGenerateKeyPair();
+ }
+
 /* If library isn't loaded, use Java implementation. */
 if (!NativeCrypto.isAllowedAndLoaded()) {
 if (nativeCryptTrace) {
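Review bot: The "default SecureRandom" test in `initializeImpl` accepts only `NativePRNG` and `DRBG` from the `Sun` provider, so the other Sun-provided implementations — `NativePRNGBlocking`, `NativePRNGNonBlocking` and `SHA1PRNG` — are classified as caller-specific and push key generation onto the pure-Java path; in particular `SecureRandom.getInstanceStrong()`, which on Linux typically resolves to `NativePRNGBlocking:SUN`, would bypass OpenSSL entirely. If that is deliberate (a caller who asked for blocking entropy should not have it replaced by OpenSSL's RNG) the condition needs a comment saying so, e.g. `// Only the JDK's default NativePRNG/DRBG may be silently replaced by OpenSSL's RNG; anything else is a caller choice we must honour.`; if it is not, the allow-list should be broadened, and either way it is now copied in three places and belongs in one shared predicate. A smaller point: `this.random` falls back to `JCAUtil.getSecureRandom()` while `useJavaImpl` is decided from the raw parameter, so the two disagree about what "default" means; a one-line comment on the `random == null` branch would make the intended distinction explicit. The `generateKeyPair` body continues past the hunk.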
@@ -177,12 +213,16 @@ public KeyPair generateKeyPair() {
 */
 private void initializeJavaImplementation() {
 if (javaImplementation == null) {
- if (isX25519(ops.getParameters())) {
+ if (lockedParams == null) {
+ javaImplementation = new XDHKeyPairGenerator();
+ } else if (isX25519(lockedParams)) {
 javaImplementation = new XDHKeyPairGenerator.X25519();
 } else {
 javaImplementation = new XDHKeyPairGenerator.X448();
 }
 }
+
+ javaImplementation.initialize(ops.getParameters().getBits(), random);
 }
 
 /*
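Review bot: `javaImplementation.initialize(ops.getParameters().getBits(), random)` now runs on every call rather than only when the delegate is first created, and nothing in the hunk records why; since `initializeImpl` can change both `random` and `ops` after the delegate exists, this re-initialization is what keeps the Java generator bound to the most recently supplied SecureRandom and curve, and that intent should be stated, e.g. `// Re-initialize on every call: the SecureRandom and parameters may have changed since the delegate was created.` The method's javadoc opens above the hunk and should say the same. For a locked X25519/X448 delegate the `initialize(int, SecureRandom)` call is only valid because the bit size is derived from the same locked parameters; if the Java delegate rejects a mismatch (not visible here), a short comment noting that invariant would save the next reader from wondering why the unlocked and locked cases are initialized the same way.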