8220016: Clean up redundant RSA services in the SunJSSE provider

Removed duplicated RSA signature/KF/KPG support in SunJSSE

Reviewed-by: xuelei
This commit is contained in:
Valerie Peng 2019-03-29 00:39:49 +00:00
parent b0f6b1086a
commit e90036145a
8 changed files with 101 additions and 41 deletions
src/java.base/share/classes/sun/security/ssl
test/jdk

@ -27,18 +27,12 @@ package sun.security.ssl;
import java.security.*;
import java.util.*;
import sun.security.rsa.SunRsaSignEntries;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
import static sun.security.provider.SunEntries.createAliases;
/**
* The JSSE provider.
*
* The RSA implementation has been removed from JSSE, but we still need to
* register the same algorithms for compatibility. We just point to the RSA
* implementation in the SunRsaSign provider. This works because all classes
* are in the bootclasspath and therefore loaded by the same classloader.
*
* SunJSSE now supports an experimental FIPS compliant mode when used with an
* appropriate FIPS certified crypto provider. In FIPS mode, we:
* . allow only TLS 1.0 or later
@ -84,12 +78,6 @@ public class SunJSSE extends java.security.Provider {
}
private void doRegister() {
Iterator<Provider.Service> rsaIter =
new SunRsaSignEntries(this).iterator();
while (rsaIter.hasNext()) {
putService(rsaIter.next());
}
ps("Signature", "MD5andSHA1withRSA",
"sun.security.ssl.RSASignature", null, null);

@ -123,8 +123,13 @@ public class Offsets {
throw new RuntimeException("Test doesn't support this signature "
+ "algorithm: " + algorithm);
}
KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlgo, provider);
KeyPairGenerator kpg = null;
// first try matching provider, fallback to most preferred if none available
try {
kpg = KeyPairGenerator.getInstance(keyAlgo, provider);
} catch (NoSuchAlgorithmException nsae) {
kpg = KeyPairGenerator.getInstance(keyAlgo);
}
kpg.initialize(keySize);
KeyPair kp = kpg.generateKeyPair();
PublicKey pubkey = kp.getPublic();

@ -1,5 +1,5 @@
/**
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -21,13 +21,7 @@
* questions.
*/
import java.security.Signature;
import java.security.SignedObject;
import java.security.KeyPairGenerator;
import java.security.KeyPair;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.*;
import java.security.spec.*;
import java.util.*;
import jdk.test.lib.SigTestUtil;
@ -197,8 +191,15 @@ public class Chain {
if (test.provider != Provider.Default) {
signature = Signature.getInstance(test.sigAlg.name,
test.provider.name);
kpg = KeyPairGenerator.getInstance(
test.keyAlg.name, test.provider.name);
// try using the same provider first, if not, fallback
// to the first available impl
try {
kpg = KeyPairGenerator.getInstance(
test.keyAlg.name, test.provider.name);
} catch (NoSuchAlgorithmException nsae) {
kpg = KeyPairGenerator.getInstance(
test.keyAlg.name);
}
} else {
signature = Signature.getInstance(test.sigAlg.name);
kpg = KeyPairGenerator.getInstance(test.keyAlg.name);

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -111,7 +111,7 @@ public class Basic extends PKCS11Test {
this.provider = p;
// get private keys
KeyFactory kf = KeyFactory.getInstance("RSA", "SunJSSE");
KeyFactory kf = KeyFactory.getInstance("RSA");
KeyFactory dsaKf = KeyFactory.getInstance("DSA", "SUN");
ObjectInputStream ois1 = new ObjectInputStream

@ -1,5 +1,5 @@
/*
* Copyright (c) 2001, 2002, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2001, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -23,11 +23,11 @@
/*
* @test
* @bug 4503229
* @bug 4503229 8220016
* @summary default RSA KeyFactory can return broken RSAPrivateCrtKey objects
* This test was taken directly from the bug report, which
* was fixed in the crippled JSAFE provider, and needed
* to be brought forward into JSSE.
* to be brought forward into SunRsaSign (was JSSE).
* @author Brad Wetmore
*/
@ -39,7 +39,7 @@ import java.math.BigInteger;
public class BrokenRSAPrivateCrtKey {
public static void main(String[] args) throws Exception {
KeyPairGenerator generator =
KeyPairGenerator.getInstance("RSA", "SunJSSE");
KeyPairGenerator.getInstance("RSA", "SunRsaSign");
generator.initialize(512);
KeyPair pair = generator.generateKeyPair();
@ -55,7 +55,7 @@ public class BrokenRSAPrivateCrtKey {
privatekey.getPrimeExponentQ(),
privatekey.getCrtCoefficient());
KeyFactory factory = KeyFactory.getInstance("RSA", "SunJSSE");
KeyFactory factory = KeyFactory.getInstance("RSA", "SunRsaSign");
PrivateKey privatekey2 = factory.generatePrivate(spec);

@ -0,0 +1,71 @@
/*
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import java.security.*;
import java.util.Iterator;
import java.security.Provider.Service;
/*
* @test
* @bug 8220016
* @summary This test checks the RSA-related services in SunJSSE provider
*/
public class CheckProviderEntries {
private static boolean testResult = true;
private static void error(String msg) {
testResult = false;
System.out.println(msg);
}
public static void main(String[] args) throws NoSuchAlgorithmException,
InvalidKeyException, SignatureException {
Provider p = Security.getProvider("SunJSSE");
Iterator<Provider.Service> iter = p.getServices().iterator();
while (iter.hasNext()) {
Service s = iter.next();
String type = s.getType();
String algo = s.getAlgorithm();
System.out.println("Type: " + type + " " + algo);
try {
if (algo.indexOf("RSA") != -1) {
// only MD5andSHA1withRSA signature support
// error out on any other RSA support
if (type.equals("Signature") &&
algo.equals("MD5andSHA1withRSA")) {
s.newInstance(null);
continue;
}
error("Error: unexpected RSA services");
}
} catch (NoSuchAlgorithmException | InvalidParameterException e) {
error("Error: cannot create obj " + e);
}
}
if (testResult) {
System.out.println("Test Passed");
} else {
throw new RuntimeException("One or more tests failed");
}
}
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -27,7 +27,7 @@ import java.security.SignatureException;
/*
* @test
* @bug 8050374
* @bug 8050374 8220016
* @key randomness
* @summary This test validates signature verification
* Signature.verify(byte[], int, int). The test uses RandomFactory to
@ -37,10 +37,7 @@ import java.security.SignatureException;
* @library /test/lib
* @build jdk.test.lib.RandomFactory
* @compile ../../../../java/security/Signature/Offsets.java
* @run main SignatureOffsets SunJSSE MD2withRSA
* @run main SignatureOffsets SunJSSE MD5withRSA
* @run main SignatureOffsets SunJSSE SHA1withRSA
* @run main SignatureOffsets SunJSSE MD5andSHA1withRSA
* @run main SignatureOffsets SunJSSE MD5andSHA1withRSA
*/
public class SignatureOffsets {

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,6 +30,7 @@
* @compile ../../../../java/security/SignedObject/Chain.java
* @run main SignedObjectChain
*/
public class SignedObjectChain {
private static class Test extends Chain.Test {
@ -40,9 +41,6 @@ public class SignedObjectChain {
}
private static final Test[] tests = {
new Test(Chain.SigAlg.MD2withRSA),
new Test(Chain.SigAlg.MD5withRSA),
new Test(Chain.SigAlg.SHA1withRSA),
new Test(Chain.SigAlg.MD5andSHA1withRSA),
};