Add provider SunSASL in FIPS mode

taoliult · Sep 29, 2023 · a12b1a0 · a12b1a0
1 parent 18c8757
commit a12b1a0
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 29 deletions.
diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
@@ -585,13 +585,8 @@ private void initProviders() {
  // Provider with argument (provider name + optional argument).
  providers.add(pNum - 1, providerName);
 
- // Remove the provider's optional arguments if there are.
- pos = providerName.indexOf(' ');
- providerName = (pos < 0) ? providerName.trim() : providerName.substring(0, pos).trim();
- // Remove the provider's class package names if there are.
- pos = providerName.lastIndexOf('.');
- providerName = (pos < 0) ? providerName : providerName.substring(pos + 1, providerName.length());
- // Provider without arguments and package names.
+ // Provider name defined in provider construction method.
+ providerName = getProvidersSimpleName(providerName);
  providersSimpleName.add(pNum - 1, providerName);
 
  if (debug != null) {
@@ -849,13 +844,7 @@ boolean isRestrictedProviderAllowed(String providerName) {
  debug.println("Checking the provider " + providerName + " in restricted security mode.");
  }
 
- // Remove argument, e.g. -NSS-FIPS, if there is.
- int pos = providerName.indexOf('-');
- providerName = (pos < 0) ? providerName : providerName.substring(0, pos);
-
- // Remove the provider class package name if there is.
- pos = providerName.lastIndexOf('.');
- providerName = (pos < 0) ? providerName : providerName.substring(pos + 1, providerName.length());
+ providerName = getProvidersSimpleName(providerName);
 
  // Check if the provider is in restricted security provider list.
  // If not, the provider won't be registered.
@@ -880,6 +869,40 @@ boolean isRestrictedProviderAllowed(String providerName) {
  return false;
  }
 
+ /**
+ * Get the provider name defined in provider construction method.
+ *
+ * @param providerName provider name or provider with packages or arguments
+ * @return provider name defined in provider construction method
+ */
+ private static String getProvidersSimpleName(String providerName) {
+ // Remove the provider's optional arguments if present.
+ int pos = providerName.indexOf(' ');
+ providerName = (pos < 0) ? providerName.trim() : providerName.substring(0, pos).trim();
+
+ // Remove argument, e.g. -NSS-FIPS, if present.
+ pos = providerName.indexOf('-');
+ providerName = (pos < 0) ? providerName : providerName.substring(0, pos);
+
+ if (providerName.equals("com.sun.net.ssl.internal.ssl.Provider")) {
+ // In JDK 8, the main class for the SunJSSE provider is
+ // com.sun.net.ssl.internal.ssl.Provider
+ return "SunJSSE";
+ } else if (providerName.equals("sun.security.provider.Sun")) {
+ // In JDK 8, the main class for the SUN provider is sun.security.provider.Sun
+ return "SUN";
+ } else if (providerName.equals("com.sun.security.sasl.Provider")) {
+ // The main class for the SunSASL provider is com.sun.security.sasl.Provider
+ return "SunSASL";
+ } else {
+ // Remove the provider's class package names if present.
+ pos = providerName.lastIndexOf('.');
+ providerName = (pos < 0) ? providerName : providerName.substring(pos + 1);
+ // Provider without arguments and package names.
+ return providerName;
+ }
+ }
+
  /**
  * List audit info if userSecurityAudit is true, default as false.
  */

diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
@@ -146,6 +146,7 @@ RestrictedSecurity1.jce.provider.3 = SunEC [{KeyFactory, EC, ImplementedIn=Softw
  SupportedKeyClasses=java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey: \
  KeySize=256}, {AlgorithmParameters, EC, *}]
 RestrictedSecurity1.jce.provider.4 = SunJSSE
+RestrictedSecurity1.jce.provider.5 = SunSASL
 
 RestrictedSecurity1.keystore.type = PKCS11
 RestrictedSecurity1.javax.net.ssl.keyStore = NONE

diff --git a/test/jdk/ProblemList-fips.txt b/test/jdk/ProblemList-fips.txt
@@ -571,21 +571,21 @@ com/sun/org/apache/xml/internal/security/ShortECDSA.java https://github.com/ibmr
 
 # Module java.security.sasl related. Unable to find client impl for CRAM-MD5 or DIGEST-MD5.
 
-com/sun/security/sasl/ntlm/NTLMTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-com/sun/security/sasl/ntlm/Conformance.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-com/sun/security/sasl/digest/Unbound.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-com/sun/security/sasl/digest/PrivacyRc4.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-com/sun/security/sasl/digest/Privacy.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-com/sun/security/sasl/digest/NoQuoteParams.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-com/sun/security/sasl/digest/Integrity.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-com/sun/security/sasl/digest/CheckNegotiatedQOPs.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-com/sun/security/sasl/digest/AuthRealms.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-com/sun/security/sasl/digest/AuthRealmChoices.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-com/sun/security/sasl/digest/AuthOnly.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-com/sun/security/sasl/digest/AuthNoUtf8.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-com/sun/security/sasl/Cram.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-javax/security/sasl/Sasl/DisabledMechanisms.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
-javax/security/sasl/Sasl/ClientServerTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/ntlm/NTLMTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/ntlm/Conformance.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/digest/Unbound.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/digest/PrivacyRc4.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/digest/Privacy.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/digest/NoQuoteParams.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/digest/Integrity.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/digest/CheckNegotiatedQOPs.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/digest/AuthRealms.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/digest/AuthRealmChoices.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/digest/AuthOnly.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/digest/AuthNoUtf8.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#com/sun/security/sasl/Cram.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#javax/security/sasl/Sasl/DisabledMechanisms.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
+#javax/security/sasl/Sasl/ClientServerTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64
 
 # NoSuchAlgorithmException: JKS KeyStore not available or KeyStore file related.