8245545: Disable TLS_RSA cipher suites

Reviewed-by: mullan
2024-11-21 14:14:30 +00:00 · 2024-11-21 14:14:30 +00:00 · 882d635807
commit 882d635807
parent 8f22db23a5
13 changed files with 64 additions and 46 deletions
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@ -746,7 +746,7 @@ http.auth.digest.disabledAlgorithms = MD5, SHA-1
 #       rsa_pkcs1_sha1, secp224r1, TLS_RSA_*
 jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
-    ECDH
+    ECDH, TLS_RSA_*

 #
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
--- a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java
+++ b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -33,16 +33,16 @@
 *          jdk.crypto.ec
 * @library /test/lib
 * @build DTLSOverDatagram
- * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA
+ * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA re-enable
 * @run main/othervm CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256
+ * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256 re-enable
 * @run main/othervm CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 * @run main/othervm CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 * @run main/othervm CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 * @run main/othervm CipherSuite TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA re-enable
 * @run main/othervm CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 * @run main/othervm CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256
+ * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256 re-enable
 * @run main/othervm CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 re-enable
 * @run main/othervm CipherSuite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 * @run main/othervm CipherSuite TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
--- a/test/jdk/javax/net/ssl/SSLEngine/Basics.java
+++ b/test/jdk/javax/net/ssl/SSLEngine/Basics.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -57,7 +57,8 @@ public class Basics {
                "/" + TRUSTSTORE_FILE;

    public static void main(String[] args) throws Exception {
-        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
+        // Re-enable TLSv1.1 and TLS_RSA_* since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLS_RSA_*");

        runTest("TLSv1.3", "TLS_AES_256_GCM_SHA384");
        runTest("TLSv1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384");
--- a/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java
+++ b/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -26,7 +26,8 @@
 * @bug 8133632
 * @summary javax.net.ssl.SSLEngine does not properly handle received
 *      SSL fatal alerts
- * @run main EngineCloseOnAlert
+ * @library /test/lib
+ * @run main/othervm EngineCloseOnAlert
 */

 import java.io.FileInputStream;
@ -36,6 +37,7 @@ import java.nio.ByteBuffer;
 import java.util.*;
 import java.security.*;
 import static javax.net.ssl.SSLEngineResult.HandshakeStatus.*;
+import jdk.test.lib.security.SecurityUtils;

 public class EngineCloseOnAlert {

@ -61,6 +63,8 @@ public class EngineCloseOnAlert {
    }

    public static void main(String[] args) throws Exception {
+        // Re-enable TLS_RSA_* since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*");
        int failed = 0;
        List<TestCase> testMatrix = new LinkedList<TestCase>() {{
            add(clientReceivesAlert);
--- a/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java
+++ b/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -172,8 +172,8 @@ public class GenericBlockCipher {
    volatile Exception clientException = null;

    public static void main(String[] args) throws Exception {
-        // Re-enable TLSv1.1 since test depends on it.
-        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
+        // Re-enable TLSv1.1 and TLS_RSA_* since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLS_RSA_*");

        String keyFilename =
            System.getProperty("test.src", ".") + "/" + pathToStores +
--- a/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java
+++ b/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -28,6 +28,7 @@
 * @test
 * @bug 8052406
 * @summary SSLv2Hello protocol may be filter out unexpectedly
+ * @library /test/lib
 * @run main/othervm ProtocolFilter
 */

@ -35,6 +36,8 @@ import java.io.*;
 import java.net.*;
 import javax.net.ssl.*;

+import jdk.test.lib.security.SecurityUtils;
+
 public class ProtocolFilter {

    /*
@ -156,6 +159,8 @@ public class ProtocolFilter {
    volatile Exception clientException = null;

    public static void main(String[] args) throws Exception {
+        // Re-enable TLS_RSA_* since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*");
        String keyFilename =
            System.getProperty("test.src", ".") + "/" + pathToStores +
                "/" + keyStoreFile;
--- a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
+++ b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -23,7 +23,7 @@

 /*
 * @test
- * @bug 8076221 8211883 8163327 8279164
+ * @bug 8076221 8211883 8163327 8279164 8245545
 * @summary Check if weak cipher suites are disabled
 * @library /javax/net/ssl/templates
 * @modules jdk.crypto.ec
@ -124,7 +124,13 @@ public class DisabledAlgorithms {
            "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
-            "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
+            "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+            "TLS_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_RSA_WITH_AES_256_CBC_SHA256",
+            "TLS_RSA_WITH_AES_128_CBC_SHA256",
+            "TLS_RSA_WITH_AES_256_CBC_SHA",
+            "TLS_RSA_WITH_AES_128_CBC_SHA"
    };

    public static void main(String[] args) throws Exception {
--- a/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java
+++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -23,7 +23,7 @@

 /*
 * @test
- * @bug 4750141 4895631 8217579 8163326 8279164
+ * @bug 4750141 4895631 8217579 8163326 8279164 8245545
 * @summary Check enabled and supported ciphersuites are correct
 * @run main/othervm CheckCipherSuites default
 * @run main/othervm CheckCipherSuites limited
@ -99,12 +99,6 @@ public class CheckCipherSuites {
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",

        // deprecated
-        "TLS_RSA_WITH_AES_256_GCM_SHA384",
-        "TLS_RSA_WITH_AES_128_GCM_SHA256",
-        "TLS_RSA_WITH_AES_256_CBC_SHA256",
-        "TLS_RSA_WITH_AES_128_CBC_SHA256",
-        "TLS_RSA_WITH_AES_256_CBC_SHA",
-        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    };

@ -124,9 +118,6 @@ public class CheckCipherSuites {
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
-        "TLS_RSA_WITH_AES_128_GCM_SHA256",
-        "TLS_RSA_WITH_AES_128_CBC_SHA256",
-        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    };

@ -194,12 +185,6 @@ public class CheckCipherSuites {
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",

        // deprecated
-        "TLS_RSA_WITH_AES_256_GCM_SHA384",
-        "TLS_RSA_WITH_AES_128_GCM_SHA256",
-        "TLS_RSA_WITH_AES_256_CBC_SHA256",
-        "TLS_RSA_WITH_AES_128_CBC_SHA256",
-        "TLS_RSA_WITH_AES_256_CBC_SHA",
-        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    };

@ -219,9 +204,6 @@ public class CheckCipherSuites {
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
-        "TLS_RSA_WITH_AES_128_GCM_SHA256",
-        "TLS_RSA_WITH_AES_128_CBC_SHA256",
-        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    };

--- a/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java
+++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -21,6 +21,7 @@
 * questions.
 */
 import java.util.Arrays;
+import java.util.stream.Stream;
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLSocket;

@ -86,8 +87,20 @@ public class SystemPropCipherSuitesOrder extends SSLSocketTemplate {
        clientcipherSuites
                = toArray(System.getProperty("jdk.tls.client.cipherSuites"));
        System.out.printf("SYSTEM PROPERTIES: ServerProp:%s - ClientProp:%s%n",
-                Arrays.deepToString(servercipherSuites),
-                Arrays.deepToString(clientcipherSuites));
+                          Arrays.deepToString(servercipherSuites),
+                          Arrays.deepToString(clientcipherSuites));
+
+        // Re-enable TLS_RSA_* cipher suites if needed since test depends on it.
+        if (Stream.concat(
+                        Arrays.stream(
+                                servercipherSuites == null
+                                        ? new String[0] : servercipherSuites),
+                        Arrays.stream(
+                                clientcipherSuites == null
+                                        ? new String[0] : clientcipherSuites))
+                .anyMatch(s -> s.startsWith("TLS_RSA_"))) {
+            SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*");
+        }

        try {
            new SystemPropCipherSuitesOrder(args[0]).run();
--- a/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java
+++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -58,6 +58,8 @@ public class TLSCipherSuitesOrder extends SSLSocketTemplate {
    private final String[] clientcipherSuites;

    public static void main(String[] args) {
+        // Re-enable TLS_RSA_* since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*");
        PROTOCOL protocol = PROTOCOL.valueOf(args[0]);
        try {
            new TLSCipherSuitesOrder(protocol.getProtocol(),
--- a/test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java
+++ b/test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java
@ -1,5 +1,6 @@
 /*
 * Copyright (c) 2019, Red Hat, Inc.
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -63,6 +64,7 @@ import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManagerFactory;

+import jdk.test.lib.security.SecurityUtils;
 import sun.security.internal.spec.TlsMasterSecretParameterSpec;
 import sun.security.internal.spec.TlsPrfParameterSpec;
 import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec;
@ -80,6 +82,9 @@ public final class FipsModeTLS12 extends SecmodTest {
    private static PublicKey publicKey;

    public static void main(String[] args) throws Exception {
+        // Re-enable TLS_RSA_* since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*");
+
        try {
            initialize();
        } catch (Exception e) {
--- a/test/jdk/sun/security/ssl/ClientHandshaker/LengthCheckTest.java
+++ b/test/jdk/sun/security/ssl/ClientHandshaker/LengthCheckTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -270,8 +270,8 @@ public class LengthCheckTest extends SSLEngineTemplate {
     * Main entry point for this test.
     */
    public static void main(String args[]) throws Exception {
-        // Re-enable TLSv1 since test depends on it.
-        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1");
+        // Re-enable TLSv1 and TLS_RSA_* since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLS_RSA_*");

        List<LengthCheckTest> ccsTests = new ArrayList<>();

--- a/test/jdk/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java
+++ b/test/jdk/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -100,8 +100,8 @@ public class DebugReportsOneExtraByte extends SSLEngineTemplate {

            System.out.println("Test Passed.");
        } else {
-            // Re-enable TLSv1 since test depends on it
-            SecurityUtils.removeFromDisabledTlsAlgs("TLSv1");
+            // Re-enable TLSv1 and TLS_RSA_* since test depends on it
+            SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLS_RSA_*");

            DebugReportsOneExtraByte test = new DebugReportsOneExtraByte();
            test.runTest();