stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8217835: Remove the experimental SunJSSE FIPS compliant mode

Browse Source 
Reviewed-by: mullan
This commit is contained in:
Xue-Lei Andrew Fan 2019-02-12 13:36:15 -08:00
parent 5d0ff15a58
commit fca0af0487
46 changed files with 364 additions and 2350 deletions

17
src/java.base/share/classes/com/sun/net/ssl/internal/ssl/Provider.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2007, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -42,21 +42,6 @@ public final class Provider extends SunJSSE {
super();
}
// preferred constructor to enable FIPS mode at runtime
public Provider(java.security.Provider cryptoProvider) {
super(cryptoProvider);
}
// constructor to enable FIPS mode from java.security file
public Provider(String cryptoProvider) {
super(cryptoProvider);
}
// public for now, but we may want to change it or not document it.
public static synchronized boolean isFIPS() {
return SunJSSE.isFIPS();
}
/**
* Installs the JSSE provider.
*/

4
src/java.base/share/classes/sun/security/ssl/Authenticator.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -484,7 +484,7 @@ abstract class Authenticator {
throw new RuntimeException("Unknown MacAlg " + macAlg);
}
Mac m = JsseJce.getMac(algorithm);
Mac m = Mac.getInstance(algorithm);
m.init(key);
this.macAlg = macAlg;
this.mac = m;

14
src/java.base/share/classes/sun/security/ssl/CertificateVerify.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -196,13 +196,13 @@ final class CertificateVerify {
Signature signer = null;
switch (algorithm) {
case "RSA":
signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
signer = Signature.getInstance(JsseJce.SIGNATURE_RAWRSA);
break;
case "DSA":
signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
signer = Signature.getInstance(JsseJce.SIGNATURE_RAWDSA);
break;
case "EC":
signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
signer = Signature.getInstance(JsseJce.SIGNATURE_RAWECDSA);
break;
default:
throw new SignatureException("Unrecognized algorithm: "
@ -439,13 +439,13 @@ final class CertificateVerify {
Signature signer = null;
switch (algorithm) {
case "RSA":
signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
signer = Signature.getInstance(JsseJce.SIGNATURE_RAWRSA);
break;
case "DSA":
signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
signer = Signature.getInstance(JsseJce.SIGNATURE_RAWDSA);
break;
case "EC":
signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
signer = Signature.getInstance(JsseJce.SIGNATURE_RAWECDSA);
break;
default:
throw new SignatureException("Unrecognized algorithm: "

4
src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -280,7 +280,7 @@ final class DHClientKeyExchange {
DHPublicKeySpec spec = new DHPublicKeySpec(
new BigInteger(1, ckem.y),
params.getP(), params.getG());
KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
DHPublicKey peerPublicKey =
(DHPublicKey)kf.generatePublic(spec);

14
src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java

@ -87,7 +87,7 @@ final class DHKeyExchange {
return null;
}
KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
DHPublicKeySpec spec = new DHPublicKeySpec(
new BigInteger(1, encodedPublic),
params.getP(), params.getG());
@ -106,7 +106,7 @@ final class DHKeyExchange {
DHEPossession(NamedGroup namedGroup, SecureRandom random) {
try {
KeyPairGenerator kpg =
JsseJce.getKeyPairGenerator("DiffieHellman");
KeyPairGenerator.getInstance("DiffieHellman");
DHParameterSpec params =
(DHParameterSpec)namedGroup.getParameterSpec();
kpg.initialize(params, random);
@ -129,7 +129,7 @@ final class DHKeyExchange {
PredefinedDHParameterSpecs.definedParams.get(keyLength);
try {
KeyPairGenerator kpg =
JsseJce.getKeyPairGenerator("DiffieHellman");
KeyPairGenerator.getInstance("DiffieHellman");
if (params != null) {
kpg.initialize(params, random);
} else {
@ -155,7 +155,7 @@ final class DHKeyExchange {
DHEPossession(DHECredentials credentials, SecureRandom random) {
try {
KeyPairGenerator kpg =
JsseJce.getKeyPairGenerator("DiffieHellman");
KeyPairGenerator.getInstance("DiffieHellman");
kpg.initialize(credentials.popPublicKey.getParams(), random);
KeyPair kp = generateDHKeyPair(kpg);
if (kp == null) {
@ -208,7 +208,7 @@ final class DHKeyExchange {
params.getP(), params.getG());
}
try {
KeyFactory factory = JsseJce.getKeyFactory("DiffieHellman");
KeyFactory factory = KeyFactory.getInstance("DiffieHellman");
return factory.getKeySpec(key, DHPublicKeySpec.class);
} catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
// unlikely
@ -473,7 +473,7 @@ final class DHKeyExchange {
private SecretKey t12DeriveKey(String algorithm,
AlgorithmParameterSpec params) throws IOException {
try {
KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman");
KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman");
ka.init(localPrivateKey);
ka.doPhase(peerPublicKey, true);
SecretKey preMasterSecret =
@ -499,7 +499,7 @@ final class DHKeyExchange {
private SecretKey t13DeriveKey(String algorithm,
AlgorithmParameterSpec params) throws IOException {
try {
KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman");
KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman");
ka.init(localPrivateKey);
ka.doPhase(peerPublicKey, true);
SecretKey sharedSecret =

6
src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -420,7 +420,7 @@ final class DHServerKeyExchange {
Signature signer = null;
switch (keyAlgorithm) {
case "DSA":
signer = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
signer = Signature.getInstance(JsseJce.SIGNATURE_DSA);
break;
case "RSA":
signer = RSASignature.getInstance();
@ -524,7 +524,7 @@ final class DHServerKeyExchange {
// check constraints of EC PublicKey
DHPublicKey publicKey;
try {
KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
DHPublicKeySpec spec = new DHPublicKeySpec(
new BigInteger(1, skem.y),
new BigInteger(1, skem.p),

17
src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -49,6 +49,7 @@ import sun.security.ssl.SSLHandshake.HandshakeMessage;
import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
import sun.security.ssl.X509Authentication.X509Credentials;
import sun.security.ssl.X509Authentication.X509Possession;
import sun.security.util.ECUtil;
import sun.security.util.HexDumpEncoder;
/**
@ -78,7 +79,7 @@ final class ECDHClientKeyExchange {
ECPoint point = publicKey.getW();
ECParameterSpec params = publicKey.getParams();
encodedPoint = JsseJce.encodePoint(point, params.getCurve());
encodedPoint = ECUtil.encodePoint(point, params.getCurve());
}
ECDHClientKeyExchangeMessage(HandshakeContext handshakeContext,
@ -99,10 +100,10 @@ final class ECDHClientKeyExchange {
try {
ECParameterSpec params = publicKey.getParams();
ECPoint point =
JsseJce.decodePoint(encodedPoint, params.getCurve());
ECUtil.decodePoint(encodedPoint, params.getCurve());
ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
KeyFactory kf = JsseJce.getKeyFactory("EC");
KeyFactory kf = KeyFactory.getInstance("EC");
ECPublicKey peerPublicKey =
(ECPublicKey)kf.generatePublic(spec);
@ -319,10 +320,10 @@ final class ECDHClientKeyExchange {
// create the credentials
try {
ECPoint point =
JsseJce.decodePoint(cke.encodedPoint, params.getCurve());
ECUtil.decodePoint(cke.encodedPoint, params.getCurve());
ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
KeyFactory kf = JsseJce.getKeyFactory("EC");
KeyFactory kf = KeyFactory.getInstance("EC");
ECPublicKey peerPublicKey =
(ECPublicKey)kf.generatePublic(spec);
@ -493,10 +494,10 @@ final class ECDHClientKeyExchange {
// create the credentials
try {
ECPoint point =
JsseJce.decodePoint(cke.encodedPoint, params.getCurve());
ECUtil.decodePoint(cke.encodedPoint, params.getCurve());
ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
KeyFactory kf = JsseJce.getKeyFactory("EC");
KeyFactory kf = KeyFactory.getInstance("EC");
ECPublicKey peerPublicKey =
(ECPublicKey)kf.generatePublic(spec);

26
src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -85,14 +85,14 @@ final class ECDHKeyExchange {
}
ECParameterSpec parameters =
JsseJce.getECParameterSpec(namedGroup.oid);
ECUtil.getECParameterSpec(null, namedGroup.oid);
if (parameters == null) {
return null;
}
ECPoint point = JsseJce.decodePoint(
ECPoint point = ECUtil.decodePoint(
encodedPoint, parameters.getCurve());
KeyFactory factory = JsseJce.getKeyFactory("EC");
KeyFactory factory = KeyFactory.getInstance("EC");
ECPublicKey publicKey = (ECPublicKey)factory.generatePublic(
new ECPublicKeySpec(point, parameters));
return new ECDHECredentials(publicKey, namedGroup);
@ -106,7 +106,7 @@ final class ECDHKeyExchange {
ECDHEPossession(NamedGroup namedGroup, SecureRandom random) {
try {
KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC");
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec params =
(ECGenParameterSpec)namedGroup.getParameterSpec();
kpg.initialize(params, random);
@ -124,7 +124,7 @@ final class ECDHKeyExchange {
ECDHEPossession(ECDHECredentials credentials, SecureRandom random) {
ECParameterSpec params = credentials.popPublicKey.getParams();
try {
KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC");
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
kpg.initialize(params, random);
KeyPair kp = kpg.generateKeyPair();
privateKey = kp.getPrivate();
@ -149,7 +149,7 @@ final class ECDHKeyExchange {
PublicKey peerPublicKey) throws SSLHandshakeException {
try {
KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
KeyAgreement ka = KeyAgreement.getInstance("ECDH");
ka.init(privateKey);
ka.doPhase(peerPublicKey, true);
return ka.generateSecret("TlsPremasterSecret");
@ -165,8 +165,8 @@ final class ECDHKeyExchange {
try {
ECParameterSpec params = publicKey.getParams();
ECPoint point =
JsseJce.decodePoint(encodedPoint, params.getCurve());
KeyFactory kf = JsseJce.getKeyFactory("EC");
ECUtil.decodePoint(encodedPoint, params.getCurve());
KeyFactory kf = KeyFactory.getInstance("EC");
ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
PublicKey peerPublicKey = kf.generatePublic(spec);
return getAgreedSecret(peerPublicKey);
@ -183,10 +183,10 @@ final class ECDHKeyExchange {
ECParameterSpec params = publicKey.getParams();
ECPoint point =
JsseJce.decodePoint(encodedPoint, params.getCurve());
ECUtil.decodePoint(encodedPoint, params.getCurve());
ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
KeyFactory kf = JsseJce.getKeyFactory("EC");
KeyFactory kf = KeyFactory.getInstance("EC");
ECPublicKey pubKey = (ECPublicKey)kf.generatePublic(spec);
// check constraints of ECPublicKey
@ -424,7 +424,7 @@ final class ECDHKeyExchange {
private SecretKey t12DeriveKey(String algorithm,
AlgorithmParameterSpec params) throws IOException {
try {
KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
KeyAgreement ka = KeyAgreement.getInstance("ECDH");
ka.init(localPrivateKey);
ka.doPhase(peerPublicKey, true);
SecretKey preMasterSecret =
@ -451,7 +451,7 @@ final class ECDHKeyExchange {
private SecretKey t13DeriveKey(String algorithm,
AlgorithmParameterSpec params) throws IOException {
try {
KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
KeyAgreement ka = KeyAgreement.getInstance("ECDH");
ka.init(localPrivateKey);
ka.doPhase(peerPublicKey, true);
SecretKey sharedSecret =

13
src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -52,6 +52,7 @@ import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
import sun.security.ssl.X509Authentication.X509Credentials;
import sun.security.ssl.X509Authentication.X509Possession;
import sun.security.util.ECUtil;
import sun.security.util.HexDumpEncoder;
/**
@ -120,7 +121,7 @@ final class ECDHServerKeyExchange {
publicKey = ecdhePossession.publicKey;
ECParameterSpec params = publicKey.getParams();
ECPoint point = publicKey.getW();
publicPoint = JsseJce.encodePoint(point, params.getCurve());
publicPoint = ECUtil.encodePoint(point, params.getCurve());
this.namedGroup = NamedGroup.valueOf(params);
if ((namedGroup == null) || (namedGroup.oid == null) ) {
@ -221,7 +222,7 @@ final class ECDHServerKeyExchange {
}
ECParameterSpec parameters =
JsseJce.getECParameterSpec(namedGroup.oid);
ECUtil.getECParameterSpec(null, namedGroup.oid);
if (parameters == null) {
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No supported EC parameter: " + namedGroup);
@ -236,8 +237,8 @@ final class ECDHServerKeyExchange {
ECPublicKey ecPublicKey = null;
try {
ECPoint point =
JsseJce.decodePoint(publicPoint, parameters.getCurve());
KeyFactory factory = JsseJce.getKeyFactory("EC");
ECUtil.decodePoint(publicPoint, parameters.getCurve());
KeyFactory factory = KeyFactory.getInstance("EC");
ecPublicKey = (ECPublicKey)factory.generatePublic(
new ECPublicKeySpec(point, parameters));
} catch (NoSuchAlgorithmException |
@ -446,7 +447,7 @@ final class ECDHServerKeyExchange {
Signature signer = null;
switch (keyAlgorithm) {
case "EC":
signer = JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA);
signer = Signature.getInstance(JsseJce.SIGNATURE_ECDSA);
break;
case "RSA":
signer = RSASignature.getInstance();

4
src/java.base/share/classes/sun/security/ssl/EphemeralKeyManager.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -69,7 +69,7 @@ final class EphemeralKeyManager {
KeyPair kp = keys[index].getKeyPair();
if (kp == null) {
try {
KeyPairGenerator kgen = JsseJce.getKeyPairGenerator("RSA");
KeyPairGenerator kgen = KeyPairGenerator.getInstance("RSA");
kgen.initialize(length, random);
keys[index] = new EphemeralKeyPair(kgen.genKeyPair());
kp = keys[index].getKeyPair();

8
src/java.base/share/classes/sun/security/ssl/Finished.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -257,7 +257,7 @@ final class Finished {
TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
masterSecretKey, tlsLabel, seed, 12,
hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
KeyGenerator kg = KeyGenerator.getInstance(prfAlg);
kg.init(spec);
SecretKey prfKey = kg.generateKey();
if (!"RAW".equals(prfKey.getFormat())) {
@ -309,7 +309,7 @@ final class Finished {
TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
masterSecretKey, tlsLabel, seed, 12,
hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
KeyGenerator kg = KeyGenerator.getInstance(prfAlg);
kg.init(spec);
SecretKey prfKey = kg.generateKey();
if (!"RAW".equals(prfKey.getFormat())) {
@ -350,7 +350,7 @@ final class Finished {
String hmacAlg =
"Hmac" + hashAlg.name.replace("-", "");
try {
Mac hmac = JsseJce.getMac(hmacAlg);
Mac hmac = Mac.getInstance(hmacAlg);
hmac.init(finishedSecret);
return hmac.doFinal(context.handshakeHash.digest());
} catch (NoSuchAlgorithmException |InvalidKeyException ex) {

4
src/java.base/share/classes/sun/security/ssl/HKDF.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -62,7 +62,7 @@ final class HKDF {
Objects.requireNonNull(hashAlg,
"Must provide underlying HKDF Digest algorithm.");
hmacAlg = "Hmac" + hashAlg.replace("-", "");
hmacObj = JsseJce.getMac(hmacAlg);
hmacObj = Mac.getInstance(hmacAlg);
hmacLen = hmacObj.getMacLength();
}

57
src/java.base/share/classes/sun/security/ssl/HandshakeHash.java

@ -29,6 +29,7 @@ import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedList;
import javax.crypto.SecretKey;
@ -269,8 +270,13 @@ final class HandshakeHash {
private final ByteArrayOutputStream baos;
S30HandshakeHash(CipherSuite cipherSuite) {
this.mdMD5 = JsseJce.getMessageDigest("MD5");
this.mdSHA = JsseJce.getMessageDigest("SHA");
try {
this.mdMD5 = MessageDigest.getInstance("MD5");
this.mdSHA = MessageDigest.getInstance("SHA");
} catch (NoSuchAlgorithmException nsae) {
throw new RuntimeException(
"Hash algorithm MD5 or SHA is not available", nsae);
}
boolean hasArchived = false;
if (mdMD5 instanceof Cloneable) {
@ -379,7 +385,12 @@ final class HandshakeHash {
"MessageDigest does no support clone operation");
}
} else {
md5Clone = JsseJce.getMessageDigest("MD5");
try {
md5Clone = MessageDigest.getInstance("MD5");
} catch (NoSuchAlgorithmException nsae) {
throw new RuntimeException(
"Hash algorithm MD5 is not available", nsae);
}
md5Clone.update(md5.archived());
}
@ -396,7 +407,12 @@ final class HandshakeHash {
"MessageDigest does no support clone operation");
}
} else {
shaClone = JsseJce.getMessageDigest("SHA");
try {
shaClone = MessageDigest.getInstance("SHA");
} catch (NoSuchAlgorithmException nsae) {
throw new RuntimeException(
"Hash algorithm SHA is not available", nsae);
}
shaClone.update(sha.archived());
}
@ -447,8 +463,15 @@ final class HandshakeHash {
private final ByteArrayOutputStream baos;
T10HandshakeHash(CipherSuite cipherSuite) {
MessageDigest mdMD5 = JsseJce.getMessageDigest("MD5");
MessageDigest mdSHA = JsseJce.getMessageDigest("SHA");
MessageDigest mdMD5;
MessageDigest mdSHA;
try {
mdMD5 = MessageDigest.getInstance("MD5");
mdSHA = MessageDigest.getInstance("SHA");
} catch (NoSuchAlgorithmException nsae) {
throw new RuntimeException(
"Hash algorithm MD5 or SHA is not available", nsae);
}
boolean hasArchived = false;
if (mdMD5 instanceof Cloneable) {
@ -514,8 +537,15 @@ final class HandshakeHash {
private final ByteArrayOutputStream baos;
T12HandshakeHash(CipherSuite cipherSuite) {
MessageDigest md =
JsseJce.getMessageDigest(cipherSuite.hashAlg.name);
MessageDigest md;
try {
md = MessageDigest.getInstance(cipherSuite.hashAlg.name);
} catch (NoSuchAlgorithmException nsae) {
throw new RuntimeException(
"Hash algorithm " +
cipherSuite.hashAlg.name + " is not available", nsae);
}
if (md instanceof Cloneable) {
transcriptHash = new CloneableHash(md);
this.baos = new ByteArrayOutputStream();
@ -552,8 +582,15 @@ final class HandshakeHash {
private final TranscriptHash transcriptHash;
T13HandshakeHash(CipherSuite cipherSuite) {
MessageDigest md =
JsseJce.getMessageDigest(cipherSuite.hashAlg.name);
MessageDigest md;
try {
md = MessageDigest.getInstance(cipherSuite.hashAlg.name);
} catch (NoSuchAlgorithmException nsae) {
throw new RuntimeException(
"Hash algorithm " +
cipherSuite.hashAlg.name + " is not available", nsae);
}
if (md instanceof Cloneable) {
transcriptHash = new CloneableHash(md);
} else {

38
src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -27,6 +27,7 @@ package sun.security.ssl;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import static sun.security.ssl.ClientHello.ClientHelloMessage;
@ -143,7 +144,13 @@ abstract class HelloCookieManager {
cookieVersion++;
}
MessageDigest md = JsseJce.getMessageDigest("SHA-256");
MessageDigest md;
try {
md = MessageDigest.getInstance("SHA-256");
} catch (NoSuchAlgorithmException nsae) {
throw new RuntimeException(
"MessageDigest algorithm SHA-256 is not available", nsae);
}
byte[] helloBytes = clientHello.getHelloCookieBytes();
md.update(helloBytes);
byte[] cookie = md.digest(secret); // 32 bytes
@ -169,7 +176,13 @@ abstract class HelloCookieManager {
}
}
MessageDigest md = JsseJce.getMessageDigest("SHA-256");
MessageDigest md;
try {
md = MessageDigest.getInstance("SHA-256");
} catch (NoSuchAlgorithmException nsae) {
throw new RuntimeException(
"MessageDigest algorithm SHA-256 is not available", nsae);
}
byte[] helloBytes = clientHello.getHelloCookieBytes();
md.update(helloBytes);
byte[] target = md.digest(secret); // 32 bytes
@ -234,8 +247,16 @@ abstract class HelloCookieManager {
cookieVersion++; // allow wrapped version number
}
MessageDigest md = JsseJce.getMessageDigest(
MessageDigest md;
try {
md = MessageDigest.getInstance(
context.negotiatedCipherSuite.hashAlg.name);
} catch (NoSuchAlgorithmException nsae) {
throw new RuntimeException(
"MessageDigest algorithm " +
context.negotiatedCipherSuite.hashAlg.name +
" is not available", nsae);
}
byte[] headerBytes = clientHello.getHeaderBytes();
md.update(headerBytes);
byte[] headerCookie = md.digest(secret);
@ -300,7 +321,14 @@ abstract class HelloCookieManager {
}
}
MessageDigest md = JsseJce.getMessageDigest(cs.hashAlg.name);
MessageDigest md;
try {
md = MessageDigest.getInstance(cs.hashAlg.name);
} catch (NoSuchAlgorithmException nsae) {
throw new RuntimeException(
"MessageDigest algorithm " +
cs.hashAlg.name + " is not available", nsae);
}
byte[] headerBytes = clientHello.getHeaderBytes();
md.update(headerBytes);
byte[] headerCookie = md.digest(secret);

251
src/java.base/share/classes/sun/security/ssl/JsseJce.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2001, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -29,13 +29,7 @@ import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.*;
import java.util.*;
import javax.crypto.*;
import sun.security.jca.ProviderList;
import sun.security.jca.Providers;
import static sun.security.ssl.SunJSSE.cryptoProvider;
import sun.security.util.ECUtil;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
/**
* This class contains a few static methods for interaction with the JCA/JCE
@ -47,54 +41,6 @@ final class JsseJce {
static final boolean ALLOW_ECC =
Utilities.getBooleanProperty("com.sun.net.ssl.enableECC", true);
private static final ProviderList fipsProviderList;
static {
// force FIPS flag initialization
// Because isFIPS() is synchronized and cryptoProvider is not modified
// after it completes, this also eliminates the need for any further
// synchronization when accessing cryptoProvider
if (SunJSSE.isFIPS() == false) {
fipsProviderList = null;
} else {
// Setup a ProviderList that can be used by the trust manager
// during certificate chain validation. All the crypto must be
// from the FIPS provider, but we also allow the required
// certificate related services from the SUN provider.
Provider sun = Security.getProvider("SUN");
if (sun == null) {
throw new RuntimeException
("FIPS mode: SUN provider must be installed");
}
Provider sunCerts = new SunCertificates(sun);
fipsProviderList = ProviderList.newList(cryptoProvider, sunCerts);
}
}
private static final class SunCertificates extends Provider {
private static final long serialVersionUID = -3284138292032213752L;
SunCertificates(final Provider p) {
super("SunCertificates", PROVIDER_VER, "SunJSSE internal");
AccessController.doPrivileged(new PrivilegedAction<Object>() {
@Override
public Object run() {
// copy certificate related services from the Sun provider
for (Map.Entry<Object,Object> entry : p.entrySet()) {
String key = (String)entry.getKey();
if (key.startsWith("CertPathValidator.")
|| key.startsWith("CertPathBuilder.")
|| key.startsWith("CertStore.")
|| key.startsWith("CertificateFactory.")) {
put(key, entry.getValue());
}
}
return null;
}
});
}
}
/**
* JCE transformation string for RSA with PKCS#1 v1.5 padding.
* Can be used for encryption, decryption, signing, verifying.
@ -180,153 +126,6 @@ final class JsseJce {
return EcAvailability.isAvailable;
}
/**
* Return an JCE cipher implementation for the specified algorithm.
*/
static Cipher getCipher(String transformation)
throws NoSuchAlgorithmException {
try {
if (cryptoProvider == null) {
return Cipher.getInstance(transformation);
} else {
return Cipher.getInstance(transformation, cryptoProvider);
}
} catch (NoSuchPaddingException e) {
throw new NoSuchAlgorithmException(e);
}
}
/**
* Return an JCA signature implementation for the specified algorithm.
* The algorithm string should be one of the constants defined
* in this class.
*/
static Signature getSignature(String algorithm)
throws NoSuchAlgorithmException {
if (cryptoProvider == null) {
return Signature.getInstance(algorithm);
} else {
// reference equality
if (algorithm == SIGNATURE_SSLRSA) {
// The SunPKCS11 provider currently does not support this
// special algorithm. We allow a fallback in this case because
// the SunJSSE implementation does the actual crypto using
// a NONEwithRSA signature obtained from the cryptoProvider.
if (cryptoProvider.getService("Signature", algorithm) == null) {
// Calling Signature.getInstance() and catching the
// exception would be cleaner, but exceptions are a little
// expensive. So we check directly via getService().
try {
return Signature.getInstance(algorithm, "SunJSSE");
} catch (NoSuchProviderException e) {
throw new NoSuchAlgorithmException(e);
}
}
}
return Signature.getInstance(algorithm, cryptoProvider);
}
}
static KeyGenerator getKeyGenerator(String algorithm)
throws NoSuchAlgorithmException {
if (cryptoProvider == null) {
return KeyGenerator.getInstance(algorithm);
} else {
return KeyGenerator.getInstance(algorithm, cryptoProvider);
}
}
static KeyPairGenerator getKeyPairGenerator(String algorithm)
throws NoSuchAlgorithmException {
if (cryptoProvider == null) {
return KeyPairGenerator.getInstance(algorithm);
} else {
return KeyPairGenerator.getInstance(algorithm, cryptoProvider);
}
}
static KeyAgreement getKeyAgreement(String algorithm)
throws NoSuchAlgorithmException {
if (cryptoProvider == null) {
return KeyAgreement.getInstance(algorithm);
} else {
return KeyAgreement.getInstance(algorithm, cryptoProvider);
}
}
static Mac getMac(String algorithm)
throws NoSuchAlgorithmException {
if (cryptoProvider == null) {
return Mac.getInstance(algorithm);
} else {
return Mac.getInstance(algorithm, cryptoProvider);
}
}
static KeyFactory getKeyFactory(String algorithm)
throws NoSuchAlgorithmException {
if (cryptoProvider == null) {
return KeyFactory.getInstance(algorithm);
} else {
return KeyFactory.getInstance(algorithm, cryptoProvider);
}
}
static AlgorithmParameters getAlgorithmParameters(String algorithm)
throws NoSuchAlgorithmException {
if (cryptoProvider == null) {
return AlgorithmParameters.getInstance(algorithm);
} else {
return AlgorithmParameters.getInstance(algorithm, cryptoProvider);
}
}
static SecureRandom getSecureRandom() throws KeyManagementException {
if (cryptoProvider == null) {
return new SecureRandom();
}
// Try "PKCS11" first. If that is not supported, iterate through
// the provider and return the first working implementation.
try {
return SecureRandom.getInstance("PKCS11", cryptoProvider);
} catch (NoSuchAlgorithmException e) {
// ignore
}
for (Provider.Service s : cryptoProvider.getServices()) {
if (s.getType().equals("SecureRandom")) {
try {
return SecureRandom.getInstance(
s.getAlgorithm(), cryptoProvider);
} catch (NoSuchAlgorithmException ee) {
// ignore
}
}
}
throw new KeyManagementException("FIPS mode: no SecureRandom "
+ " implementation found in provider " + cryptoProvider.getName());
}
static MessageDigest getMD5() {
return getMessageDigest("MD5");
}
static MessageDigest getSHA() {
return getMessageDigest("SHA");
}
static MessageDigest getMessageDigest(String algorithm) {
try {
if (cryptoProvider == null) {
return MessageDigest.getInstance(algorithm);
} else {
return MessageDigest.getInstance(algorithm, cryptoProvider);
}
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException
("Algorithm " + algorithm + " not available", e);
}
}
static int getRSAKeyLength(PublicKey key) {
BigInteger modulus;
if (key instanceof RSAPublicKey) {
@ -345,47 +144,13 @@ final class JsseJce {
rsaKey.getPublicExponent());
}
try {
KeyFactory factory = JsseJce.getKeyFactory("RSA");
KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.getKeySpec(key, RSAPublicKeySpec.class);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
static ECParameterSpec getECParameterSpec(String namedCurveOid) {
return ECUtil.getECParameterSpec(cryptoProvider, namedCurveOid);
}
static String getNamedCurveOid(ECParameterSpec params) {
return ECUtil.getCurveName(cryptoProvider, params);
}
static ECPoint decodePoint(byte[] encoded, EllipticCurve curve)
throws java.io.IOException {
return ECUtil.decodePoint(encoded, curve);
}
static byte[] encodePoint(ECPoint point, EllipticCurve curve) {
return ECUtil.encodePoint(point, curve);
}
// In FIPS mode, set thread local providers; otherwise a no-op.
// Must be paired with endFipsProvider.
static Object beginFipsProvider() {
if (fipsProviderList == null) {
return null;
} else {
return Providers.beginThreadProviderList(fipsProviderList);
}
}
static void endFipsProvider(Object o) {
if (fipsProviderList != null) {
Providers.endThreadProviderList((ProviderList)o);
}
}
// lazy initialization holder class idiom for static default parameters
//
// See Effective Java Second Edition: Item 71.
@ -396,12 +161,12 @@ final class JsseJce {
static {
boolean mediator = true;
try {
JsseJce.getSignature(SIGNATURE_ECDSA);
JsseJce.getSignature(SIGNATURE_RAWECDSA);
JsseJce.getKeyAgreement("ECDH");
JsseJce.getKeyFactory("EC");
JsseJce.getKeyPairGenerator("EC");
JsseJce.getAlgorithmParameters("EC");
Signature.getInstance(SIGNATURE_ECDSA);
Signature.getInstance(SIGNATURE_RAWECDSA);
KeyAgreement.getInstance("ECDH");
KeyFactory.getInstance("EC");
KeyPairGenerator.getInstance("EC");
AlgorithmParameters.getInstance("EC");
} catch (Exception e) {
mediator = false;
}

19
src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -61,12 +61,6 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
protected void engineInit(KeyStore ks, char[] password) throws
KeyStoreException, NoSuchAlgorithmException,
UnrecoverableKeyException {
if ((ks != null) && SunJSSE.isFIPS()) {
if (ks.getProvider() != SunJSSE.cryptoProvider) {
throw new KeyStoreException("FIPS mode: KeyStore must be "
+ "from provider " + SunJSSE.cryptoProvider.getName());
}
}
keyManager = new SunX509KeyManagerImpl(ks, password);
isInitialized = true;
}
@ -91,12 +85,6 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
keyManager = new X509KeyManagerImpl(
Collections.<Builder>emptyList());
} else {
if (SunJSSE.isFIPS() &&
(ks.getProvider() != SunJSSE.cryptoProvider)) {
throw new KeyStoreException(
"FIPS mode: KeyStore must be " +
"from provider " + SunJSSE.cryptoProvider.getName());
}
try {
Builder builder = Builder.newInstance(ks,
new PasswordProtection(password));
@ -115,10 +103,7 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
throw new InvalidAlgorithmParameterException(
"Parameters must be instance of KeyStoreBuilderParameters");
}
if (SunJSSE.isFIPS()) {
throw new InvalidAlgorithmParameterException
("FIPS mode: KeyStoreBuilderParameters not supported");
}
List<Builder> builders =
((KeyStoreBuilderParameters)params).getParameters();
keyManager = new X509KeyManagerImpl(builders);

2
src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java

@ -765,7 +765,7 @@ final class PreSharedKeyExtension {
String hmacAlg =
"Hmac" + hashAlg.name.replace("-", "");
try {
Mac hmac = JsseJce.getMac(hmacAlg);
Mac hmac = Mac.getInstance(hmacAlg);
hmac.init(finishedKey);
return hmac.doFinal(digest);
} catch (NoSuchAlgorithmException | InvalidKeyException ex) {

12
src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -109,7 +109,7 @@ final class RSAKeyExchange {
byte[] getEncoded(PublicKey publicKey,
SecureRandom secureRandom) throws GeneralSecurityException {
Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
Cipher cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1);
cipher.init(Cipher.WRAP_MODE, publicKey, secureRandom);
return cipher.wrap(premasterSecret);
}
@ -119,7 +119,7 @@ final class RSAKeyExchange {
ClientHandshakeContext chc) throws GeneralSecurityException {
String algorithm = chc.negotiatedProtocol.useTLS12PlusSpec() ?
"SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret";
KeyGenerator kg = JsseJce.getKeyGenerator(algorithm);
KeyGenerator kg = KeyGenerator.getInstance(algorithm);
TlsRsaPremasterSecretParameterSpec spec =
new TlsRsaPremasterSecretParameterSpec(
chc.clientHelloVersion,
@ -136,7 +136,7 @@ final class RSAKeyExchange {
byte[] encoded = null;
boolean needFailover = false;
Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
Cipher cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1);
try {
// Try UNWRAP_MODE mode firstly.
cipher.init(Cipher.UNWRAP_MODE, privateKey,
@ -163,7 +163,7 @@ final class RSAKeyExchange {
if (needFailover) {
// The cipher might be spoiled by unsuccessful call to init(),
// so request a fresh instance
cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1);
// Use DECRYPT_MODE and dispose the previous initialization.
cipher.init(Cipher.DECRYPT_MODE, privateKey);
@ -227,7 +227,7 @@ final class RSAKeyExchange {
try {
String s = ((clientVersion >= ProtocolVersion.TLS12.id) ?
"SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret");
KeyGenerator kg = JsseJce.getKeyGenerator(s);
KeyGenerator kg = KeyGenerator.getInstance(s);
kg.init(new TlsRsaPremasterSecretParameterSpec(
clientVersion, serverVersion, encodedSecret),
generator);

4
src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -306,7 +306,7 @@ final class RSAServerKeyExchange {
// check constraints of RSA PublicKey
RSAPublicKey publicKey;
try {
KeyFactory kf = JsseJce.getKeyFactory("RSA");
KeyFactory kf = KeyFactory.getInstance("RSA");
RSAPublicKeySpec spec = new RSAPublicKeySpec(
new BigInteger(1, skem.modulus),
new BigInteger(1, skem.exponent));

10
src/java.base/share/classes/sun/security/ssl/RSASignature.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -53,9 +53,9 @@ public final class RSASignature extends SignatureSpi {
public RSASignature() throws NoSuchAlgorithmException {
super();
rawRsa = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
this.mdMD5 = JsseJce.getMessageDigest("MD5");
this.mdSHA = JsseJce.getMessageDigest("SHA");
rawRsa = Signature.getInstance(JsseJce.SIGNATURE_RAWRSA);
this.mdMD5 = MessageDigest.getInstance("MD5");
this.mdSHA = MessageDigest.getInstance("SHA");
}
/**
@ -66,7 +66,7 @@ public final class RSASignature extends SignatureSpi {
* which may be this class.
*/
static Signature getInstance() throws NoSuchAlgorithmException {
return JsseJce.getSignature(JsseJce.SIGNATURE_SSLRSA);
return Signature.getInstance(JsseJce.SIGNATURE_SSLRSA);
}
@Override

30
src/java.base/share/classes/sun/security/ssl/SSLCipher.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -851,7 +851,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
cipher.init(Cipher.DECRYPT_MODE, key, params, random);
}
@ -933,7 +933,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
cipher.init(Cipher.ENCRYPT_MODE, key, params, random);
}
@ -1023,7 +1023,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
cipher.init(Cipher.DECRYPT_MODE, key, params, random);
}
@ -1175,7 +1175,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
cipher.init(Cipher.ENCRYPT_MODE, key, params, random);
}
@ -1291,7 +1291,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
if (params == null) {
params = new IvParameterSpec(new byte[sslCipher.ivSize]);
}
@ -1455,7 +1455,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
this.random = random;
if (params == null) {
params = new IvParameterSpec(new byte[sslCipher.ivSize]);
@ -1590,7 +1590,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.fixedIv = ((IvParameterSpec)params).getIV();
@ -1705,7 +1705,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.fixedIv = ((IvParameterSpec)params).getIV();
@ -1838,7 +1838,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.iv = ((IvParameterSpec)params).getIV();
@ -1992,7 +1992,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.iv = ((IvParameterSpec)params).getIV();
@ -2133,7 +2133,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.iv = ((IvParameterSpec)params).getIV();
@ -2252,7 +2252,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.iv = ((IvParameterSpec)params).getIV();
@ -2392,7 +2392,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.iv = ((IvParameterSpec)params).getIV();
@ -2534,7 +2534,7 @@ enum SSLCipher {
Key key, AlgorithmParameterSpec params,
SecureRandom random) throws GeneralSecurityException {
super(authenticator, protocolVersion);
this.cipher = JsseJce.getCipher(algorithm);
this.cipher = Cipher.getInstance(algorithm);
this.tagSize = sslCipher.tagSize;
this.key = key;
this.iv = ((IvParameterSpec)params).getIV();

5
src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -36,6 +36,7 @@ import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.function.BiFunction;
import javax.crypto.KeyGenerator;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SNIServerName;
@ -104,7 +105,7 @@ final class SSLConfiguration implements Cloneable {
"jdk.tls.useExtendedMasterSecret", true);
if (supportExtendedMasterSecret) {
try {
JsseJce.getKeyGenerator("SunTlsExtendedMasterSecret");
KeyGenerator.getInstance("SunTlsExtendedMasterSecret");
} catch (NoSuchAlgorithmException nae) {
supportExtendedMasterSecret = false;
}

226
src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -94,14 +94,8 @@ public abstract class SSLContextImpl extends SSLContextSpi {
trustManager = chooseTrustManager(tm);
if (sr == null) {
secureRandom = JsseJce.getSecureRandom();
secureRandom = new SecureRandom();
} else {
if (SunJSSE.isFIPS() &&
(sr.getProvider() != SunJSSE.cryptoProvider)) {
throw new KeyManagementException
("FIPS mode: SecureRandom must be from provider "
+ SunJSSE.cryptoProvider.getName());
}
secureRandom = sr;
}
@ -127,12 +121,6 @@ public abstract class SSLContextImpl extends SSLContextSpi {
// We only use the first instance of X509TrustManager passed to us.
for (int i = 0; tm != null && i < tm.length; i++) {
if (tm[i] instanceof X509TrustManager) {
if (SunJSSE.isFIPS() &&
!(tm[i] instanceof X509TrustManagerImpl)) {
throw new KeyManagementException
("FIPS mode: only SunJSSE TrustManagers may be used");
}
if (tm[i] instanceof X509ExtendedTrustManager) {
return (X509TrustManager)tm[i];
} else {
@ -153,20 +141,7 @@ public abstract class SSLContextImpl extends SSLContextSpi {
if (!(km instanceof X509KeyManager)) {
continue;
}
if (SunJSSE.isFIPS()) {
// In FIPS mode, require that one of SunJSSE's own keymanagers
// is used. Otherwise, we cannot be sure that only keys from
// the FIPS token are used.
if ((km instanceof X509KeyManagerImpl)
|| (km instanceof SunX509KeyManagerImpl)) {
return (X509ExtendedKeyManager)km;
} else {
// throw exception, we don't want to silently use the
// dummy keymanager without telling the user.
throw new KeyManagementException
("FIPS mode: only SunJSSE KeyManagers may be used");
}
}
if (km instanceof X509ExtendedKeyManager) {
return (X509ExtendedKeyManager)km;
}
@ -548,41 +523,24 @@ public abstract class SSLContextImpl extends SSLContextSpi {
private static final List<CipherSuite> serverDefaultCipherSuites;
static {
if (SunJSSE.isFIPS()) {
supportedProtocols = Arrays.asList(
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10
);
supportedProtocols = Arrays.asList(
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30,
ProtocolVersion.SSL20Hello
);
serverDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10
});
} else {
supportedProtocols = Arrays.asList(
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30,
ProtocolVersion.SSL20Hello
);
serverDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30,
ProtocolVersion.SSL20Hello
});
}
serverDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30,
ProtocolVersion.SSL20Hello
});
supportedCipherSuites = getApplicableSupportedCipherSuites(
supportedProtocols);
@ -626,23 +584,14 @@ public abstract class SSLContextImpl extends SSLContextSpi {
}
static ProtocolVersion[] getSupportedProtocols() {
if (SunJSSE.isFIPS()) {
return new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10
};
} else {
return new ProtocolVersion[]{
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30,
ProtocolVersion.SSL20Hello
};
}
return new ProtocolVersion[]{
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30,
ProtocolVersion.SSL20Hello
};
}
}
@ -656,18 +605,11 @@ public abstract class SSLContextImpl extends SSLContextSpi {
private static final List<CipherSuite> clientDefaultCipherSuites;
static {
if (SunJSSE.isFIPS()) {
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS10
});
} else {
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
});
}
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
});
clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
clientDefaultProtocols, true);
@ -694,20 +636,12 @@ public abstract class SSLContextImpl extends SSLContextSpi {
private static final List<CipherSuite> clientDefaultCipherSuites;
static {
if (SunJSSE.isFIPS()) {
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS11,
ProtocolVersion.TLS10
});
} else {
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
});
}
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
});
clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
clientDefaultProtocols, true);
@ -735,22 +669,13 @@ public abstract class SSLContextImpl extends SSLContextSpi {
private static final List<CipherSuite> clientDefaultCipherSuites;
static {
if (SunJSSE.isFIPS()) {
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10
});
} else {
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
});
}
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
});
clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
clientDefaultProtocols, true);
@ -777,24 +702,14 @@ public abstract class SSLContextImpl extends SSLContextSpi {
private static final List<CipherSuite> clientDefaultCipherSuites;
static {
if (SunJSSE.isFIPS()) {
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10
});
} else {
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
});
}
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
});
clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
clientDefaultProtocols, true);
@ -866,16 +781,6 @@ public abstract class SSLContextImpl extends SSLContextSpi {
" is not a supported SSL protocol name");
}
if (SunJSSE.isFIPS() &&
((pv == ProtocolVersion.SSL30) ||
(pv == ProtocolVersion.SSL20Hello))) {
reservedException = new IllegalArgumentException(
propname + ": " + pv +
" is not FIPS compliant");
break;
}
// ignore duplicated protocols
if (!arrayList.contains(pv)) {
arrayList.add(pv);
@ -955,22 +860,13 @@ public abstract class SSLContextImpl extends SSLContextSpi {
}
static ProtocolVersion[] getProtocols() {
if (SunJSSE.isFIPS()) {
return new ProtocolVersion[]{
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10
};
} else {
return new ProtocolVersion[]{
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
};
}
return new ProtocolVersion[]{
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
};
}
protected CustomizedTLSContext() {

4
src/java.base/share/classes/sun/security/ssl/SSLMasterKeyDerivation.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -145,7 +145,7 @@ enum SSLMasterKeyDerivation implements SSLKeyDerivationGenerator {
}
try {
KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
KeyGenerator kg = KeyGenerator.getInstance(masterAlg);
kg.init(spec);
return kg.generateKey();
} catch (InvalidAlgorithmParameterException |

4
src/java.base/share/classes/sun/security/ssl/SSLTrafficKeyDerivation.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -280,7 +280,7 @@ enum SSLTrafficKeyDerivation implements SSLKeyDerivationGenerator {
hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
try {
KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg);
KeyGenerator kg = KeyGenerator.getInstance(keyMaterialAlg);
kg.init(spec);
this.keyMaterialSpec = (TlsKeyMaterialSpec)kg.generateKey();

8
src/java.base/share/classes/sun/security/ssl/SignatureScheme.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -194,7 +194,7 @@ enum SignatureScheme {
boolean mediator = true;
try {
Signature signer = JsseJce.getSignature("RSASSA-PSS");
Signature signer = Signature.getInstance("RSASSA-PSS");
signer.setParameter(pssParamSpec);
} catch (InvalidAlgorithmParameterException |
NoSuchAlgorithmException exp) {
@ -275,7 +275,7 @@ enum SignatureScheme {
mediator = signAlgParamSpec.isAvailable;
} else {
try {
JsseJce.getSignature(algorithm);
Signature.getInstance(algorithm);
} catch (Exception e) {
mediator = false;
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@ -466,7 +466,7 @@ enum SignatureScheme {
return null;
}
Signature signer = JsseJce.getSignature(algorithm);
Signature signer = Signature.getInstance(algorithm);
if (key instanceof PublicKey) {
signer.initVerify((PublicKey)(key));
} else {

121
src/java.base/share/classes/sun/security/ssl/SunJSSE.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -66,97 +66,16 @@ public abstract class SunJSSE extends java.security.Provider {
"(PKCS12, SunX509/PKIX key/trust factories, " +
"SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)";
private static String fipsInfo =
"Sun JSSE provider (FIPS mode, crypto provider ";
// tri-valued flag:
// null := no final decision made
// false := data structures initialized in non-FIPS mode
// true := data structures initialized in FIPS mode
private static Boolean fips;
// the FIPS certificate crypto provider that we use to perform all crypto
// operations. null in non-FIPS mode
static java.security.Provider cryptoProvider;
protected static synchronized boolean isFIPS() {
if (fips == null) {
fips = false;
}
return fips;
}
// ensure we can use FIPS mode using the specified crypto provider.
// enable FIPS mode if not already enabled.
private static synchronized void ensureFIPS(java.security.Provider p) {
if (fips == null) {
fips = true;
cryptoProvider = p;
} else {
if (fips == false) {
throw new ProviderException
("SunJSSE already initialized in non-FIPS mode");
}
if (cryptoProvider != p) {
throw new ProviderException
("SunJSSE already initialized with FIPS crypto provider "
+ cryptoProvider);
}
}
}
// standard constructor
protected SunJSSE() {
super("SunJSSE", PROVIDER_VER, info);
subclassCheck();
if (Boolean.TRUE.equals(fips)) {
throw new ProviderException
("SunJSSE is already initialized in FIPS mode");
}
registerAlgorithms(false);
registerAlgorithms();
}
// preferred constructor to enable FIPS mode at runtime
protected SunJSSE(java.security.Provider cryptoProvider){
this(checkNull(cryptoProvider), cryptoProvider.getName());
}
// constructor to enable FIPS mode from java.security file
protected SunJSSE(String cryptoProvider){
this(null, checkNull(cryptoProvider));
}
private static <T> T checkNull(T t) {
if (t == null) {
throw new ProviderException("cryptoProvider must not be null");
}
return t;
}
private SunJSSE(java.security.Provider cryptoProvider,
String providerName) {
super("SunJSSE", PROVIDER_VER, fipsInfo + providerName + ")");
subclassCheck();
if (cryptoProvider == null) {
// Calling Security.getProvider() will cause other providers to be
// loaded. That is not good but unavoidable here.
cryptoProvider = Security.getProvider(providerName);
if (cryptoProvider == null) {
throw new ProviderException
("Crypto provider not installed: " + providerName);
}
}
ensureFIPS(cryptoProvider);
registerAlgorithms(true);
}
private void registerAlgorithms(final boolean isfips) {
AccessController.doPrivileged(new PrivilegedAction<Object>() {
@Override
public Object run() {
doRegister(isfips);
return null;
}
private void registerAlgorithms() {
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
doRegister();
return null;
});
}
@ -165,14 +84,13 @@ public abstract class SunJSSE extends java.security.Provider {
putService(new Provider.Service(this, type, algo, cn, aliases, attrs));
}
private void doRegister(boolean isfips) {
if (isfips == false) {
Iterator<Provider.Service> rsaIter =
new SunRsaSignEntries(this).iterator();
while (rsaIter.hasNext()) {
putService(rsaIter.next());
}
private void doRegister() {
Iterator<Provider.Service> rsaIter =
new SunRsaSignEntries(this).iterator();
while (rsaIter.hasNext()) {
putService(rsaIter.next());
}
ps("Signature", "MD5andSHA1withRSA",
"sun.security.ssl.RSASignature", null, null);
@ -183,14 +101,15 @@ public abstract class SunJSSE extends java.security.Provider {
createAliases("PKIX"), null);
ps("TrustManagerFactory", "SunX509",
"sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory", null, null);
"sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory",
null, null);
ps("TrustManagerFactory", "PKIX",
"sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory",
createAliases("SunPKIX", "X509", "X.509"), null);
ps("SSLContext", "TLSv1",
"sun.security.ssl.SSLContextImpl$TLS10Context",
(isfips? null : createAliases("SSLv3")), null);
createAliases("SSLv3"), null);
ps("SSLContext", "TLSv1.1",
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
ps("SSLContext", "TLSv1.2",
@ -199,7 +118,7 @@ public abstract class SunJSSE extends java.security.Provider {
"sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
ps("SSLContext", "TLS",
"sun.security.ssl.SSLContextImpl$TLSContext",
(isfips? null : createAliases("SSL")), null);
createAliases("SSL"), null);
ps("SSLContext", "DTLSv1.0",
"sun.security.ssl.SSLContextImpl$DTLS10Context", null, null);
@ -225,12 +144,4 @@ public abstract class SunJSSE extends java.security.Provider {
throw new AssertionError("Illegal subclass: " + getClass());
}
}
@Override
@SuppressWarnings("deprecation")
protected final void finalize() throws Throwable {
// empty
super.finalize();
}
}

208
src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -52,6 +52,7 @@ import static sun.security.ssl.SSLExtension.EE_SUPPORTED_GROUPS;
import sun.security.ssl.SSLExtension.ExtensionConsumer;
import sun.security.ssl.SSLExtension.SSLExtensionSpec;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
import sun.security.util.ECUtil;
/**
* Pack of the "supported_groups" extensions [RFC 4492/7919].
@ -158,15 +159,23 @@ final class SupportedGroupsExtension {
}
static enum NamedGroupType {
NAMED_GROUP_ECDHE, // Elliptic Curve Groups (ECDHE)
NAMED_GROUP_FFDHE, // Finite Field Groups (DHE)
NAMED_GROUP_XDH, // Finite Field Groups (XDH)
NAMED_GROUP_ARBITRARY, // arbitrary prime and curves (ECDHE)
NAMED_GROUP_NONE; // Not predefined named group
NAMED_GROUP_ECDHE ("EC"),
NAMED_GROUP_FFDHE ("DiffieHellman"),
NAMED_GROUP_X25519 ("x25519"),
NAMED_GROUP_X448 ("x448"),
NAMED_GROUP_ARBITRARY ("EC"),
NAMED_GROUP_NONE ("");
private final String algorithm;
private NamedGroupType(String algorithm) {
this.algorithm = algorithm;
}
boolean isSupported(List<CipherSuite> cipherSuites) {
for (CipherSuite cs : cipherSuites) {
if (cs.keyExchange == null || cs.keyExchange.groupType == this) {
if (cs.keyExchange == null ||
cs.keyExchange.groupType == this) {
return true;
}
}
@ -180,108 +189,142 @@ final class SupportedGroupsExtension {
//
// See sun.security.util.CurveDB for the OIDs
// NIST K-163
SECT163_K1 (0x0001, "sect163k1", "1.3.132.0.1", true,
SECT163_K1 (0x0001, "sect163k1", "1.3.132.0.1",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
SECT163_R1 (0x0002, "sect163r1", "1.3.132.0.2", false,
SECT163_R1 (0x0002, "sect163r1", "1.3.132.0.2",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST B-163
SECT163_R2 (0x0003, "sect163r2", "1.3.132.0.15", true,
SECT163_R2 (0x0003, "sect163r2", "1.3.132.0.15",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
SECT193_R1 (0x0004, "sect193r1", "1.3.132.0.24", false,
SECT193_R1 (0x0004, "sect193r1", "1.3.132.0.24",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
SECT193_R2 (0x0005, "sect193r2", "1.3.132.0.25", false,
SECT193_R2 (0x0005, "sect193r2", "1.3.132.0.25",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST K-233
SECT233_K1 (0x0006, "sect233k1", "1.3.132.0.26", true,
SECT233_K1 (0x0006, "sect233k1", "1.3.132.0.26",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST B-233
SECT233_R1 (0x0007, "sect233r1", "1.3.132.0.27", true,
SECT233_R1 (0x0007, "sect233r1", "1.3.132.0.27",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
SECT239_K1 (0x0008, "sect239k1", "1.3.132.0.3", false,
SECT239_K1 (0x0008, "sect239k1", "1.3.132.0.3",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST K-283
SECT283_K1 (0x0009, "sect283k1", "1.3.132.0.16", true,
SECT283_K1 (0x0009, "sect283k1", "1.3.132.0.16",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST B-283
SECT283_R1 (0x000A, "sect283r1", "1.3.132.0.17", true,
SECT283_R1 (0x000A, "sect283r1", "1.3.132.0.17",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST K-409
SECT409_K1 (0x000B, "sect409k1", "1.3.132.0.36", true,
SECT409_K1 (0x000B, "sect409k1", "1.3.132.0.36",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST B-409
SECT409_R1 (0x000C, "sect409r1", "1.3.132.0.37", true,
SECT409_R1 (0x000C, "sect409r1", "1.3.132.0.37",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST K-571
SECT571_K1 (0x000D, "sect571k1", "1.3.132.0.38", true,
SECT571_K1 (0x000D, "sect571k1", "1.3.132.0.38",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST B-571
SECT571_R1 (0x000E, "sect571r1", "1.3.132.0.39", true,
SECT571_R1 (0x000E, "sect571r1", "1.3.132.0.39",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
SECP160_K1 (0x000F, "secp160k1", "1.3.132.0.9", false,
SECP160_K1 (0x000F, "secp160k1", "1.3.132.0.9",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
SECP160_R1 (0x0010, "secp160r1", "1.3.132.0.8", false,
SECP160_R1 (0x0010, "secp160r1", "1.3.132.0.8",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
SECP160_R2 (0x0011, "secp160r2", "1.3.132.0.30", false,
SECP160_R2 (0x0011, "secp160r2", "1.3.132.0.30",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
SECP192_K1 (0x0012, "secp192k1", "1.3.132.0.31", false,
SECP192_K1 (0x0012, "secp192k1", "1.3.132.0.31",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST P-192
SECP192_R1 (0x0013, "secp192r1", "1.2.840.10045.3.1.1", true,
SECP192_R1 (0x0013, "secp192r1", "1.2.840.10045.3.1.1",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
SECP224_K1 (0x0014, "secp224k1", "1.3.132.0.32", false,
SECP224_K1 (0x0014, "secp224k1", "1.3.132.0.32",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST P-224
SECP224_R1 (0x0015, "secp224r1", "1.3.132.0.33", true,
SECP224_R1 (0x0015, "secp224r1", "1.3.132.0.33",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
SECP256_K1 (0x0016, "secp256k1", "1.3.132.0.10", false,
SECP256_K1 (0x0016, "secp256k1", "1.3.132.0.10",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_12),
// NIST P-256
SECP256_R1 (0x0017, "secp256r1", "1.2.840.10045.3.1.7", true,
SECP256_R1 (0x0017, "secp256r1", "1.2.840.10045.3.1.7",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_13),
// NIST P-384
SECP384_R1 (0x0018, "secp384r1", "1.3.132.0.34", true,
SECP384_R1 (0x0018, "secp384r1", "1.3.132.0.34",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_13),
// NIST P-521
SECP521_R1 (0x0019, "secp521r1", "1.3.132.0.35", true,
SECP521_R1 (0x0019, "secp521r1", "1.3.132.0.35",
NamedGroupType.NAMED_GROUP_ECDHE,
ProtocolVersion.PROTOCOLS_TO_13),
// x25519 and x448
X25519 (0x001D, "x25519", true, "x25519",
X25519 (0x001D, "x25519", null,
NamedGroupType.NAMED_GROUP_X25519,
ProtocolVersion.PROTOCOLS_TO_13),
X448 (0x001E, "x448", true, "x448",
X448 (0x001E, "x448", null,
NamedGroupType.NAMED_GROUP_X448,
ProtocolVersion.PROTOCOLS_TO_13),
// Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919)
FFDHE_2048 (0x0100, "ffdhe2048", true,
FFDHE_2048 (0x0100, "ffdhe2048", null,
NamedGroupType.NAMED_GROUP_FFDHE,
ProtocolVersion.PROTOCOLS_TO_13),
FFDHE_3072 (0x0101, "ffdhe3072", true,
FFDHE_3072 (0x0101, "ffdhe3072", null,
NamedGroupType.NAMED_GROUP_FFDHE,
ProtocolVersion.PROTOCOLS_TO_13),
FFDHE_4096 (0x0102, "ffdhe4096", true,
FFDHE_4096 (0x0102, "ffdhe4096", null,
NamedGroupType.NAMED_GROUP_FFDHE,
ProtocolVersion.PROTOCOLS_TO_13),
FFDHE_6144 (0x0103, "ffdhe6144", true,
FFDHE_6144 (0x0103, "ffdhe6144", null,
NamedGroupType.NAMED_GROUP_FFDHE,
ProtocolVersion.PROTOCOLS_TO_13),
FFDHE_8192 (0x0104, "ffdhe8192", true,
FFDHE_8192 (0x0104, "ffdhe8192", null,
NamedGroupType.NAMED_GROUP_FFDHE,
ProtocolVersion.PROTOCOLS_TO_13),
// Elliptic Curves (RFC 4492)
//
// arbitrary prime and characteristic-2 curves
ARBITRARY_PRIME (0xFF01, "arbitrary_explicit_prime_curves",
ARBITRARY_PRIME (0xFF01, "arbitrary_explicit_prime_curves", null,
NamedGroupType.NAMED_GROUP_ARBITRARY,
ProtocolVersion.PROTOCOLS_TO_12),
ARBITRARY_CHAR2 (0xFF02, "arbitrary_explicit_char2_curves",
ARBITRARY_CHAR2 (0xFF02, "arbitrary_explicit_char2_curves", null,
NamedGroupType.NAMED_GROUP_ARBITRARY,
ProtocolVersion.PROTOCOLS_TO_12);
final int id; // hash + signature
@ -289,55 +332,16 @@ final class SupportedGroupsExtension {
final String name; // literal name
final String oid; // object identifier of the named group
final String algorithm; // signature algorithm
final boolean isFips; // can be used in FIPS mode?
final ProtocolVersion[] supportedProtocols;
// Constructor used for Elliptic Curve Groups (ECDHE)
private NamedGroup(int id, String name, String oid, boolean isFips,
private NamedGroup(int id, String name, String oid,
NamedGroupType namedGroupType,
ProtocolVersion[] supportedProtocols) {
this.id = id;
this.type = NamedGroupType.NAMED_GROUP_ECDHE;
this.type = namedGroupType;
this.name = name;
this.oid = oid;
this.algorithm = "EC";
this.isFips = isFips;
this.supportedProtocols = supportedProtocols;
}
// Constructor used for Elliptic Curve Groups (XDH)
private NamedGroup(int id, String name,
boolean isFips, String algorithm,
ProtocolVersion[] supportedProtocols) {
this.id = id;
this.type = NamedGroupType.NAMED_GROUP_XDH;
this.name = name;
this.oid = null;
this.algorithm = algorithm;
this.isFips = isFips;
this.supportedProtocols = supportedProtocols;
}
// Constructor used for Finite Field Diffie-Hellman Groups (FFDHE)
private NamedGroup(int id, String name, boolean isFips,
ProtocolVersion[] supportedProtocols) {
this.id = id;
this.type = NamedGroupType.NAMED_GROUP_FFDHE;
this.name = name;
this.oid = null;
this.algorithm = "DiffieHellman";
this.isFips = isFips;
this.supportedProtocols = supportedProtocols;
}
// Constructor used for arbitrary prime and curves (ECDHE)
private NamedGroup(int id, String name,
ProtocolVersion[] supportedProtocols) {
this.id = id;
this.type = NamedGroupType.NAMED_GROUP_ARBITRARY;
this.name = name;
this.oid = null;
this.algorithm = "EC";
this.isFips = false;
this.algorithm = namedGroupType.algorithm;
this.supportedProtocols = supportedProtocols;
}
@ -352,7 +356,7 @@ final class SupportedGroupsExtension {
}
static NamedGroup valueOf(ECParameterSpec params) {
String oid = JsseJce.getNamedCurveOid(params);
String oid = ECUtil.getCurveName(null, params);
if ((oid != null) && (!oid.isEmpty())) {
for (NamedGroup group : NamedGroup.values()) {
if ((group.type == NamedGroupType.NAMED_GROUP_ECDHE) &&
@ -472,8 +476,6 @@ final class SupportedGroupsExtension {
static final NamedGroup[] supportedNamedGroups;
static {
boolean requireFips = SunJSSE.isFIPS();
// The value of the System Property defines a list of enabled named
// groups in preference order, separated with comma. For example:
//
@ -499,8 +501,7 @@ final class SupportedGroupsExtension {
group = group.trim();
if (!group.isEmpty()) {
NamedGroup namedGroup = NamedGroup.nameOf(group);
if (namedGroup != null &&
(!requireFips || namedGroup.isFips)) {
if (namedGroup != null) {
if (isAvailableGroup(namedGroup)) {
groupList.add(namedGroup);
}
@ -514,29 +515,7 @@ final class SupportedGroupsExtension {
property + ") contains no supported named groups");
}
} else { // default groups
NamedGroup[] groups;
if (requireFips) {
groups = new NamedGroup[] {
// only NIST curves in FIPS mode
NamedGroup.SECP256_R1,
NamedGroup.SECP384_R1,
NamedGroup.SECP521_R1,
NamedGroup.SECT283_K1,
NamedGroup.SECT283_R1,
NamedGroup.SECT409_K1,
NamedGroup.SECT409_R1,
NamedGroup.SECT571_K1,
NamedGroup.SECT571_R1,
// FFDHE 2048
NamedGroup.FFDHE_2048,
NamedGroup.FFDHE_3072,
NamedGroup.FFDHE_4096,
NamedGroup.FFDHE_6144,
NamedGroup.FFDHE_8192,
};
} else {
groups = new NamedGroup[] {
NamedGroup[] groups = new NamedGroup[] {
// NIST curves first
NamedGroup.SECP256_R1,
NamedGroup.SECP384_R1,
@ -558,7 +537,6 @@ final class SupportedGroupsExtension {
NamedGroup.FFDHE_6144,
NamedGroup.FFDHE_8192,
};
}
groupList = new ArrayList<>(groups.length);
for (NamedGroup group : groups) {
@ -587,7 +565,7 @@ final class SupportedGroupsExtension {
if (namedGroup.type == NamedGroupType.NAMED_GROUP_ECDHE) {
if (namedGroup.oid != null) {
try {
params = JsseJce.getAlgorithmParameters("EC");
params = AlgorithmParameters.getInstance("EC");
spec = new ECGenParameterSpec(namedGroup.oid);
} catch (NoSuchAlgorithmException e) {
return false;
@ -595,7 +573,7 @@ final class SupportedGroupsExtension {
}
} else if (namedGroup.type == NamedGroupType.NAMED_GROUP_FFDHE) {
try {
params = JsseJce.getAlgorithmParameters("DiffieHellman");
params = AlgorithmParameters.getInstance("DiffieHellman");
spec = getFFDHEDHParameterSpec(namedGroup);
} catch (NoSuchAlgorithmException e) {
return false;

22
src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -218,7 +218,7 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
responseList =
((ExtendedSSLSession)session).getStatusResponses();
}
trustedChain = validate(v, chain, responseList,
trustedChain = v.validate(chain, null, responseList,
constraints, isClient ? null : authType);
// check if EE certificate chains to a public root CA (as
@ -234,7 +234,7 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
getRequestedServerNames(socket), chainsToPublicCA);
}
} else {
trustedChain = validate(v, chain, Collections.emptyList(),
trustedChain = v.validate(chain, null, Collections.emptyList(),
null, isClient ? null : authType);
}
@ -276,7 +276,7 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
responseList =
((ExtendedSSLSession)session).getStatusResponses();
}
trustedChain = validate(v, chain, responseList,
trustedChain = v.validate(chain, null, responseList,
constraints, isClient ? null : authType);
// check if EE certificate chains to a public root CA (as
@ -292,7 +292,7 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
getRequestedServerNames(engine), chainsToPublicCA);
}
} else {
trustedChain = validate(v, chain, Collections.emptyList(),
trustedChain = v.validate(chain, null, Collections.emptyList(),
null, isClient ? null : authType);
}
@ -312,18 +312,6 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
return v;
}
private static X509Certificate[] validate(Validator v,
X509Certificate[] chain, List<byte[]> responseList,
AlgorithmConstraints constraints, String authType)
throws CertificateException {
Object o = JsseJce.beginFipsProvider();
try {
return v.validate(chain, null, responseList, constraints, authType);
} finally {
JsseJce.endFipsProvider(o);
}
}
// Get string representation of HostName from a list of server names.
//
// We are only accepting host_name name type in the list.

608
test/jdk/sun/security/pkcs11/fips/CipherTest.java

@ -1,608 +0,0 @@
/*
* Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import java.io.*;
import java.net.*;
import java.util.*;
import java.util.concurrent.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import javax.net.ssl.*;
/**
* Test that all ciphersuites work in all versions and all client
* authentication types. The way this is setup the server is stateless and
* all checking is done on the client side.
*
* The test is multithreaded to speed it up, especially on multiprocessor
* machines. To simplify debugging, run with -DnumThreads=1.
*
* @author Andreas Sterbenz
*/
public class CipherTest {
// use any available port for the server socket
static int serverPort = 0;
final int THREADS;
// assume that if we do not read anything for 20 seconds, something
// has gone wrong
final static int TIMEOUT = 20 * 1000;
static KeyStore /* trustStore, */ keyStore;
static X509ExtendedKeyManager keyManager;
static X509TrustManager trustManager;
static SecureRandom secureRandom;
private static PeerFactory peerFactory;
static abstract class Server implements Runnable {
final CipherTest cipherTest;
Server(CipherTest cipherTest) throws Exception {
this.cipherTest = cipherTest;
}
public abstract void run();
void handleRequest(InputStream in, OutputStream out) throws IOException {
boolean newline = false;
StringBuilder sb = new StringBuilder();
while (true) {
int ch = in.read();
if (ch < 0) {
throw new EOFException();
}
sb.append((char)ch);
if (ch == '\r') {
// empty
} else if (ch == '\n') {
if (newline) {
// 2nd newline in a row, end of request
break;
}
newline = true;
} else {
newline = false;
}
}
String request = sb.toString();
if (request.startsWith("GET / HTTP/1.") == false) {
throw new IOException("Invalid request: " + request);
}
out.write("HTTP/1.0 200 OK\r\n\r\n".getBytes());
}
}
public static class TestParameters {
String cipherSuite;
String protocol;
String clientAuth;
TestParameters(String cipherSuite, String protocol,
String clientAuth) {
this.cipherSuite = cipherSuite;
this.protocol = protocol;
this.clientAuth = clientAuth;
}
boolean isEnabled() {
return TLSCipherStatus.isEnabled(cipherSuite, protocol);
}
public String toString() {
String s = cipherSuite + " in " + protocol + " mode";
if (clientAuth != null) {
s += " with " + clientAuth + " client authentication";
}
return s;
}
static enum TLSCipherStatus {
// cipher suites supported since TLS 1.2
CS_01("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
CS_02("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
CS_03("TLS_RSA_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF),
CS_04("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
CS_05("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
CS_06("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF),
CS_07("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF),
CS_08("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
CS_09("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
CS_10("TLS_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
CS_11("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
CS_12("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
CS_13("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
CS_14("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
CS_15("TLS_DH_anon_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF),
CS_16("TLS_DH_anon_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
CS_17("TLS_RSA_WITH_NULL_SHA256", 0x0303, 0xFFFF),
CS_20("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
CS_21("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
CS_22("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
CS_23("TLS_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
CS_24("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
CS_25("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
CS_26("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
CS_27("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
CS_28("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
CS_29("TLS_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
CS_30("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
CS_31("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
CS_32("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
CS_33("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
CS_34("TLS_DH_anon_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
CS_35("TLS_DH_anon_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
// cipher suites obsoleted since TLS 1.2
CS_50("SSL_RSA_WITH_DES_CBC_SHA", 0x0000, 0x0303),
CS_51("SSL_DHE_RSA_WITH_DES_CBC_SHA", 0x0000, 0x0303),
CS_52("SSL_DHE_DSS_WITH_DES_CBC_SHA", 0x0000, 0x0303),
CS_53("SSL_DH_anon_WITH_DES_CBC_SHA", 0x0000, 0x0303),
CS_54("TLS_KRB5_WITH_DES_CBC_SHA", 0x0000, 0x0303),
CS_55("TLS_KRB5_WITH_DES_CBC_MD5", 0x0000, 0x0303),
// cipher suites obsoleted since TLS 1.1
CS_60("SSL_RSA_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302),
CS_61("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302),
CS_62("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302),
CS_63("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302),
CS_64("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302),
CS_65("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302),
CS_66("TLS_KRB5_EXPORT_WITH_RC4_40_SHA", 0x0000, 0x0302),
CS_67("TLS_KRB5_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302),
CS_68("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", 0x0000, 0x0302),
CS_69("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", 0x0000, 0x0302),
// ignore TLS_EMPTY_RENEGOTIATION_INFO_SCSV always
CS_99("TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 0xFFFF, 0x0000);
// the cipher suite name
final String cipherSuite;
// supported since protocol version
final int supportedSince;
// obsoleted since protocol version
final int obsoletedSince;
TLSCipherStatus(String cipherSuite,
int supportedSince, int obsoletedSince) {
this.cipherSuite = cipherSuite;
this.supportedSince = supportedSince;
this.obsoletedSince = obsoletedSince;
}
static boolean isEnabled(String cipherSuite, String protocol) {
int versionNumber = toVersionNumber(protocol);
if (versionNumber < 0) {
return true; // unlikely to happen
}
for (TLSCipherStatus status : TLSCipherStatus.values()) {
if (cipherSuite.equals(status.cipherSuite)) {
if ((versionNumber < status.supportedSince) ||
(versionNumber >= status.obsoletedSince)) {
return false;
}
return true;
}
}
return true;
}
private static int toVersionNumber(String protocol) {
int versionNumber = -1;
switch (protocol) {
case "SSLv2Hello":
versionNumber = 0x0002;
break;
case "SSLv3":
versionNumber = 0x0300;
break;
case "TLSv1":
versionNumber = 0x0301;
break;
case "TLSv1.1":
versionNumber = 0x0302;
break;
case "TLSv1.2":
versionNumber = 0x0303;
break;
default:
// unlikely to happen
}
return versionNumber;
}
}
}
private List<TestParameters> tests;
private Iterator<TestParameters> testIterator;
private SSLSocketFactory factory;
private boolean failed;
private CipherTest(PeerFactory peerFactory) throws IOException {
THREADS = Integer.parseInt(System.getProperty("numThreads", "4"));
factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket)factory.createSocket();
String[] cipherSuites = socket.getSupportedCipherSuites();
String[] protocols = socket.getSupportedProtocols();
// String[] clientAuths = {null, "RSA", "DSA"};
String[] clientAuths = {null};
tests = new ArrayList<TestParameters>(
cipherSuites.length * protocols.length * clientAuths.length);
for (int i = 0; i < cipherSuites.length; i++) {
String cipherSuite = cipherSuites[i];
for (int j = 0; j < protocols.length; j++) {
String protocol = protocols[j];
if (!peerFactory.isSupported(cipherSuite, protocol)) {
continue;
}
for (int k = 0; k < clientAuths.length; k++) {
String clientAuth = clientAuths[k];
if ((clientAuth != null) &&
(cipherSuite.indexOf("DH_anon") != -1)) {
// no client with anonymous ciphersuites
continue;
}
tests.add(new TestParameters(cipherSuite, protocol,
clientAuth));
}
}
}
testIterator = tests.iterator();
}
synchronized void setFailed() {
failed = true;
}
public void run() throws Exception {
Thread[] threads = new Thread[THREADS];
for (int i = 0; i < THREADS; i++) {
try {
threads[i] = new Thread(peerFactory.newClient(this),
"Client " + i);
} catch (Exception e) {
e.printStackTrace();
return;
}
threads[i].start();
}
try {
for (int i = 0; i < THREADS; i++) {
threads[i].join();
}
} catch (InterruptedException e) {
setFailed();
e.printStackTrace();
}
if (failed) {
throw new Exception("*** Test '" + peerFactory.getName() +
"' failed ***");
} else {
System.out.println("Test '" + peerFactory.getName() +
"' completed successfully");
}
}
synchronized TestParameters getTest() {
if (failed) {
return null;
}
if (testIterator.hasNext()) {
return (TestParameters)testIterator.next();
}
return null;
}
SSLSocketFactory getFactory() {
return factory;
}
static abstract class Client implements Runnable {
final CipherTest cipherTest;
Client(CipherTest cipherTest) throws Exception {
this.cipherTest = cipherTest;
}
public final void run() {
while (true) {
TestParameters params = cipherTest.getTest();
if (params == null) {
// no more tests
break;
}
if (params.isEnabled() == false) {
System.out.println("Skipping disabled test " + params);
continue;
}
try {
runTest(params);
System.out.println("Passed " + params);
} catch (Exception e) {
cipherTest.setFailed();
System.out.println("** Failed " + params + "**");
e.printStackTrace();
}
}
}
abstract void runTest(TestParameters params) throws Exception;
void sendRequest(InputStream in, OutputStream out) throws IOException {
out.write("GET / HTTP/1.0\r\n\r\n".getBytes());
out.flush();
StringBuilder sb = new StringBuilder();
while (true) {
int ch = in.read();
if (ch < 0) {
break;
}
sb.append((char)ch);
}
String response = sb.toString();
if (response.startsWith("HTTP/1.0 200 ") == false) {
throw new IOException("Invalid response: " + response);
}
}
}
// for some reason, ${test.src} has a different value when the
// test is called from the script and when it is called directly...
static String pathToStores = ".";
static String pathToStoresSH = ".";
static String keyStoreFile = "keystore";
static String trustStoreFile = "truststore";
static char[] passwd = "passphrase".toCharArray();
static File PATH;
private static KeyStore readKeyStore(String name) throws Exception {
File file = new File(PATH, name);
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(in, passwd);
in.close();
return ks;
}
public static void main(PeerFactory peerFactory, KeyStore keyStore,
String[] args) throws Exception {
long time = System.currentTimeMillis();
String relPath;
if ((args != null) && (args.length > 0) && args[0].equals("sh")) {
relPath = pathToStoresSH;
} else {
relPath = pathToStores;
}
PATH = new File(System.getProperty("test.src", "."), relPath);
CipherTest.peerFactory = peerFactory;
System.out.print(
"Initializing test '" + peerFactory.getName() + "'...");
// secureRandom = new SecureRandom();
// secureRandom.nextInt();
// trustStore = readKeyStore(trustStoreFile);
CipherTest.keyStore = keyStore;
// keyStore = readKeyStore(keyStoreFile);
KeyManagerFactory keyFactory =
KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
keyFactory.init(keyStore, "test12".toCharArray());
keyManager = (X509ExtendedKeyManager)keyFactory.getKeyManagers()[0];
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
trustManager = (X509TrustManager)tmf.getTrustManagers()[0];
// trustManager = new AlwaysTrustManager();
SSLContext context = SSLContext.getInstance("TLS");
context.init(new KeyManager[] {keyManager},
new TrustManager[] {trustManager}, null);
SSLContext.setDefault(context);
CipherTest cipherTest = new CipherTest(peerFactory);
Thread serverThread = new Thread(peerFactory.newServer(cipherTest),
"Server");
serverThread.setDaemon(true);
serverThread.start();
System.out.println("Done");
cipherTest.run();
time = System.currentTimeMillis() - time;
System.out.println("Done. (" + time + " ms)");
}
static abstract class PeerFactory {
abstract String getName();
abstract Client newClient(CipherTest cipherTest) throws Exception;
abstract Server newServer(CipherTest cipherTest) throws Exception;
boolean isSupported(String cipherSuite, String protocol) {
// skip kerberos cipher suites
if (cipherSuite.startsWith("TLS_KRB5")) {
System.out.println("Skipping unsupported test for " +
cipherSuite + " of " + protocol);
return false;
}
// No ECDH-capable certificate in key store. May restructure
// this in the future.
if (cipherSuite.contains("ECDHE_ECDSA") ||
cipherSuite.contains("ECDH_ECDSA") ||
cipherSuite.contains("ECDH_RSA")) {
System.out.println("Skipping unsupported test for " +
cipherSuite + " of " + protocol);
return false;
}
// skip SSLv2Hello protocol
//
// skip TLSv1.2 protocol, we have not implement "SunTls12Prf" and
// SunTls12RsaPremasterSecret in SunPKCS11 provider
if (protocol.equals("SSLv2Hello") || protocol.equals("TLSv1.2")) {
System.out.println("Skipping unsupported test for " +
cipherSuite + " of " + protocol);
return false;
}
// ignore exportable cipher suite for TLSv1.1
if (protocol.equals("TLSv1.1")) {
if (cipherSuite.indexOf("_EXPORT_WITH") != -1) {
System.out.println("Skipping obsoleted test for " +
cipherSuite + " of " + protocol);
return false;
}
}
return true;
}
}
}
// we currently don't do any chain verification. we assume that works ok
// and we can speed up the test. we could also just add a plain certificate
// chain comparision with our trusted certificates.
class AlwaysTrustManager implements X509TrustManager {
public AlwaysTrustManager() {
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
// empty
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
// empty
}
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}
class MyX509KeyManager extends X509ExtendedKeyManager {
private final X509ExtendedKeyManager keyManager;
private String authType;
MyX509KeyManager(X509ExtendedKeyManager keyManager) {
this.keyManager = keyManager;
}
void setAuthType(String authType) {
this.authType = authType;
}
public String[] getClientAliases(String keyType, Principal[] issuers) {
if (authType == null) {
return null;
}
return keyManager.getClientAliases(authType, issuers);
}
public String chooseClientAlias(String[] keyType, Principal[] issuers,
Socket socket) {
if (authType == null) {
return null;
}
return keyManager.chooseClientAlias(new String[] {authType},
issuers, socket);
}
public String chooseEngineClientAlias(String[] keyType,
Principal[] issuers, SSLEngine engine) {
if (authType == null) {
return null;
}
return keyManager.chooseEngineClientAlias(new String[] {authType},
issuers, engine);
}
public String[] getServerAliases(String keyType, Principal[] issuers) {
throw new UnsupportedOperationException("Servers not supported");
}
public String chooseServerAlias(String keyType, Principal[] issuers,
Socket socket) {
throw new UnsupportedOperationException("Servers not supported");
}
public String chooseEngineServerAlias(String keyType, Principal[] issuers,
SSLEngine engine) {
throw new UnsupportedOperationException("Servers not supported");
}
public X509Certificate[] getCertificateChain(String alias) {
return keyManager.getCertificateChain(alias);
}
public PrivateKey getPrivateKey(String alias) {
return keyManager.getPrivateKey(alias);
}
}
class DaemonThreadFactory implements ThreadFactory {
final static ThreadFactory INSTANCE = new DaemonThreadFactory();
private final static ThreadFactory DEFAULT = Executors.defaultThreadFactory();
public Thread newThread(Runnable r) {
Thread t = DEFAULT.newThread(r);
t.setDaemon(true);
return t;
}
}

92
test/jdk/sun/security/pkcs11/fips/ClientJSSEServerJSSE.java

@ -1,92 +0,0 @@
/*
* Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 6313675 6323647 8028192
* @summary Verify that all ciphersuites work in FIPS mode
* @library /test/lib ..
* @author Andreas Sterbenz
* @modules java.base/com.sun.net.ssl.internal.ssl
* @run main/manual ClientJSSEServerJSSE
*/
/*
* JSSE supported cipher suites are changed with CR 6916074,
* need to update this test case in JDK 7 soon
*/
import java.security.*;
// This test belongs more in JSSE than here, but the JSSE workspace does not
// have the NSS test infrastructure. It will live here for the time being.
public class ClientJSSEServerJSSE extends SecmodTest {
public static void main(String[] args) throws Exception {
if (initSecmod() == false) {
return;
}
String arch = System.getProperty("os.arch");
if (!("sparc".equals(arch) || "sparcv9".equals(arch))) {
// we have not updated other platforms with the proper NSS
// libraries yet
System.out.println(
"Test currently works only on solaris-sparc " +
"and solaris-sparcv9. Skipping on " + arch);
return;
}
String configName = BASE + SEP + "fips.cfg";
Provider p = getSunPKCS11(configName);
System.out.println(p);
Security.addProvider(p);
Security.removeProvider("SunJSSE");
Provider jsse = new com.sun.net.ssl.internal.ssl.Provider(p);
Security.addProvider(jsse);
System.out.println(jsse.getInfo());
KeyStore ks = KeyStore.getInstance("PKCS11", p);
ks.load(null, "test12".toCharArray());
CipherTest.main(new JSSEFactory(), ks, args);
}
private static class JSSEFactory extends CipherTest.PeerFactory {
String getName() {
return "Client JSSE - Server JSSE";
}
CipherTest.Client newClient(CipherTest cipherTest) throws Exception {
return new JSSEClient(cipherTest);
}
CipherTest.Server newServer(CipherTest cipherTest) throws Exception {
return new JSSEServer(cipherTest);
}
}
}

90
test/jdk/sun/security/pkcs11/fips/ImportKeyStore.java

@ -1,90 +0,0 @@
/*
* Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import java.io.*;
import java.util.*;
import java.security.*;
import java.security.KeyStore.*;
import java.security.cert.*;
/**
This is an approximation of the process used to create the *.db files
in this directory.
setenv LD_LIBRARY_PATH $WS/test/sun/security/pkcs11/nss/lib/solaris-sparc
modutil -create -dbdir .
modutil -changepw "NSS Internal PKCS #11 Module" -dbdir .
$JHOME/bin/keytool -list -storetype PKCS11 -addprovider SunPKCS11 -providerarg "--name=NSS\nnssSecmodDirectory=." -v -storepass test12
modutil -fips true -dbdir .
*/
public class ImportKeyStore {
public static void main(String[] args) throws Exception {
String nssCfg = "--name=NSS\nnssSecmodDirectory=.\n ";
// "attributes(*,CKO_PRIVATE_KEY,CKK_DSA) = { CKA_NETSCAPE_DB = 0h00 }";
Provider p = Security.getProvider("SunPKCS11");
p.configure(nssCfg);
KeyStore ks = KeyStore.getInstance("PKCS11", p);
ks.load(null, "test12".toCharArray());
System.out.println("Aliases: " + Collections.list(ks.aliases()));
System.out.println();
char[] srcpw = "passphrase".toCharArray();
// importKeyStore("truststore", srcpw, ks);
importKeyStore("keystore", srcpw, ks);
System.out.println("OK.");
}
private static void importKeyStore(String filename, char[] passwd, KeyStore dstks) throws Exception {
System.out.println("Importing JKS KeyStore " + filename);
InputStream in = new FileInputStream(filename);
KeyStore srcks = KeyStore.getInstance("JKS");
srcks.load(in, passwd);
in.close();
List<String> aliases = Collections.list(srcks.aliases());
for (String alias : aliases) {
System.out.println("Alias: " + alias);
if (srcks.isCertificateEntry(alias)) {
X509Certificate cert = (X509Certificate)srcks.getCertificate(alias);
System.out.println(" Certificate: " + cert.getSubjectX500Principal());
dstks.setCertificateEntry(alias + "-cert", cert);
} else if (srcks.isKeyEntry(alias)) {
PrivateKeyEntry entry = (PrivateKeyEntry)srcks.getEntry(alias, new PasswordProtection(passwd));
System.out.println(" Key: " + entry.getPrivateKey().toString().split("\n")[0]);
dstks.setEntry(alias, entry, null);
} else {
System.out.println(" Unknown entry: " + alias);
}
}
System.out.println();
}
}

93
test/jdk/sun/security/pkcs11/fips/JSSEClient.java

@ -1,93 +0,0 @@
/*
* Copyright (c) 2002, 2005, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import java.io.*;
import java.net.*;
import java.util.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import javax.net.ssl.*;
class JSSEClient extends CipherTest.Client {
private final SSLContext sslContext;
private final MyX509KeyManager keyManager;
JSSEClient(CipherTest cipherTest) throws Exception {
super(cipherTest);
this.keyManager = new MyX509KeyManager(CipherTest.keyManager);
sslContext = SSLContext.getInstance("TLS");
}
void runTest(CipherTest.TestParameters params) throws Exception {
SSLSocket socket = null;
try {
keyManager.setAuthType(params.clientAuth);
sslContext.init(new KeyManager[] {CipherTest.keyManager}, new TrustManager[] {cipherTest.trustManager}, cipherTest.secureRandom);
SSLSocketFactory factory = (SSLSocketFactory)sslContext.getSocketFactory();
socket = (SSLSocket)factory.createSocket("127.0.0.1", cipherTest.serverPort);
socket.setSoTimeout(cipherTest.TIMEOUT);
socket.setEnabledCipherSuites(new String[] {params.cipherSuite});
socket.setEnabledProtocols(new String[] {params.protocol});
InputStream in = socket.getInputStream();
OutputStream out = socket.getOutputStream();
sendRequest(in, out);
socket.close();
SSLSession session = socket.getSession();
session.invalidate();
String cipherSuite = session.getCipherSuite();
if (params.cipherSuite.equals(cipherSuite) == false) {
throw new Exception("Negotiated ciphersuite mismatch: " + cipherSuite + " != " + params.cipherSuite);
}
String protocol = session.getProtocol();
if (params.protocol.equals(protocol) == false) {
throw new Exception("Negotiated protocol mismatch: " + protocol + " != " + params.protocol);
}
if (cipherSuite.indexOf("DH_anon") == -1) {
session.getPeerCertificates();
}
Certificate[] certificates = session.getLocalCertificates();
if (params.clientAuth == null) {
if (certificates != null) {
throw new Exception("Local certificates should be null");
}
} else {
if ((certificates == null) || (certificates.length == 0)) {
throw new Exception("Certificates missing");
}
String keyAlg = certificates[0].getPublicKey().getAlgorithm();
if (params.clientAuth != keyAlg) {
throw new Exception("Certificate type mismatch: " + keyAlg + " != " + params.clientAuth);
}
}
} finally {
if (socket != null) {
socket.close();
}
}
}
}

93
test/jdk/sun/security/pkcs11/fips/JSSEServer.java

@ -1,93 +0,0 @@
/*
* Copyright (c) 2002, 2005, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import java.io.*;
import java.net.*;
import java.util.*;
import java.util.concurrent.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import javax.net.ssl.*;
class JSSEServer extends CipherTest.Server {
SSLServerSocket serverSocket;
JSSEServer(CipherTest cipherTest) throws Exception {
super(cipherTest);
SSLContext serverContext = SSLContext.getInstance("TLS");
serverContext.init(new KeyManager[] {cipherTest.keyManager}, new TrustManager[] {cipherTest.trustManager}, cipherTest.secureRandom);
SSLServerSocketFactory factory = (SSLServerSocketFactory)serverContext.getServerSocketFactory();
serverSocket = (SSLServerSocket)factory.createServerSocket(cipherTest.serverPort);
cipherTest.serverPort = serverSocket.getLocalPort();
serverSocket.setEnabledCipherSuites(factory.getSupportedCipherSuites());
// serverSocket.setWantClientAuth(true);
}
public void run() {
System.out.println("JSSE Server listening on port " + cipherTest.serverPort);
Executor exec = Executors.newFixedThreadPool
(cipherTest.THREADS, DaemonThreadFactory.INSTANCE);
try {
while (true) {
final SSLSocket socket = (SSLSocket)serverSocket.accept();
socket.setSoTimeout(cipherTest.TIMEOUT);
Runnable r = new Runnable() {
public void run() {
try {
InputStream in = socket.getInputStream();
OutputStream out = socket.getOutputStream();
handleRequest(in, out);
out.flush();
socket.close();
socket.getSession().invalidate();
} catch (IOException e) {
cipherTest.setFailed();
e.printStackTrace();
} finally {
if (socket != null) {
try {
socket.close();
} catch (IOException e) {
cipherTest.setFailed();
System.out.println("Exception closing socket on server side:");
e.printStackTrace();
}
}
}
}
};
exec.execute(r);
}
} catch (IOException e) {
cipherTest.setFailed();
e.printStackTrace();
//
}
}
}

453
test/jdk/sun/security/pkcs11/fips/TestTLS12.java

@ -1,453 +0,0 @@
/*
* Copyright (c) 2018, Red Hat, Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8029661
* @summary Test TLS 1.2
* @modules java.base/sun.security.internal.spec
* java.base/sun.security.util
* java.base/com.sun.net.ssl.internal.ssl
* java.base/com.sun.crypto.provider
* @library /test/lib ..
* @run main/othervm/timeout=120 TestTLS12
*/
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;
import sun.security.internal.spec.TlsMasterSecretParameterSpec;
import sun.security.internal.spec.TlsPrfParameterSpec;
import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec;
public final class TestTLS12 extends SecmodTest {
private static final boolean enableDebug = true;
private static Provider sunPKCS11NSSProvider;
private static Provider sunJCEProvider;
private static com.sun.net.ssl.internal.ssl.Provider jsseProvider;
private static KeyStore ks;
private static KeyStore ts;
private static char[] passphrase = "JAHshj131@@".toCharArray();
private static RSAPrivateKey privateKey;
private static RSAPublicKey publicKey;
public static void main(String[] args) throws Exception {
try {
initialize();
} catch (Exception e) {
System.out.println("Test skipped: failure during" +
" initialization");
return;
}
if (shouldRun()) {
// Test against JCE
testTlsAuthenticationCodeGeneration();
// Self-integrity test (complete TLS 1.2 communication)
new testTLS12SunPKCS11Communication().run();
System.out.println("Test PASS - OK");
} else {
System.out.println("Test skipped: TLS 1.2 mechanisms" +
" not supported by current SunPKCS11 back-end");
}
}
private static boolean shouldRun() {
if (sunPKCS11NSSProvider == null) {
return false;
}
try {
KeyGenerator.getInstance("SunTls12MasterSecret",
sunPKCS11NSSProvider);
KeyGenerator.getInstance(
"SunTls12RsaPremasterSecret", sunPKCS11NSSProvider);
KeyGenerator.getInstance("SunTls12Prf", sunPKCS11NSSProvider);
} catch (NoSuchAlgorithmException e) {
return false;
}
return true;
}
private static void testTlsAuthenticationCodeGeneration()
throws Exception {
// Generate RSA Pre-Master Secret in SunPKCS11 provider
SecretKey rsaPreMasterSecret = null;
@SuppressWarnings("deprecation")
TlsRsaPremasterSecretParameterSpec rsaPreMasterSecretSpec =
new TlsRsaPremasterSecretParameterSpec(0x0303, 0x0303);
{
KeyGenerator rsaPreMasterSecretKG = KeyGenerator.getInstance(
"SunTls12RsaPremasterSecret", sunPKCS11NSSProvider);
rsaPreMasterSecretKG.init(rsaPreMasterSecretSpec, null);
rsaPreMasterSecret = rsaPreMasterSecretKG.generateKey();
}
// Get RSA Pre-Master Secret in plain (from SunPKCS11 provider)
byte[] rsaPlainPreMasterSecret = null;
{
Cipher rsaPreMasterSecretWrapperCipher =
Cipher.getInstance("RSA/ECB/PKCS1Padding",
sunPKCS11NSSProvider);
rsaPreMasterSecretWrapperCipher.init(Cipher.WRAP_MODE, publicKey,
new SecureRandom());
byte[] rsaEncryptedPreMasterSecret =
rsaPreMasterSecretWrapperCipher.wrap(rsaPreMasterSecret);
Cipher rsaPreMasterSecretUnwrapperCipher =
Cipher.getInstance("RSA/ECB/PKCS1Padding", sunJCEProvider);
rsaPreMasterSecretUnwrapperCipher.init(Cipher.UNWRAP_MODE,
privateKey, rsaPreMasterSecretSpec);
rsaPlainPreMasterSecret = rsaPreMasterSecretUnwrapperCipher.unwrap(
rsaEncryptedPreMasterSecret, "TlsRsaPremasterSecret",
Cipher.SECRET_KEY).getEncoded();
if (enableDebug) {
System.out.println("rsaPlainPreMasterSecret:");
for (byte b : rsaPlainPreMasterSecret) {
System.out.printf("%02X, ", b);
}
System.out.println("");
}
}
// Generate Master Secret
SecretKey sunPKCS11MasterSecret = null;
SecretKey jceMasterSecret = null;
{
KeyGenerator sunPKCS11MasterSecretGenerator =
KeyGenerator.getInstance("SunTls12MasterSecret",
sunPKCS11NSSProvider);
KeyGenerator jceMasterSecretGenerator = KeyGenerator.getInstance(
"SunTls12MasterSecret", sunJCEProvider);
@SuppressWarnings("deprecation")
TlsMasterSecretParameterSpec sunPKCS11MasterSecretSpec =
new TlsMasterSecretParameterSpec(rsaPreMasterSecret, 3, 3,
new byte[32], new byte[32], "SHA-256", 32, 64);
@SuppressWarnings("deprecation")
TlsMasterSecretParameterSpec jceMasterSecretSpec =
new TlsMasterSecretParameterSpec(
new SecretKeySpec(rsaPlainPreMasterSecret,
"Generic"), 3, 3, new byte[32],
new byte[32], "SHA-256", 32, 64);
sunPKCS11MasterSecretGenerator.init(sunPKCS11MasterSecretSpec,
null);
jceMasterSecretGenerator.init(jceMasterSecretSpec, null);
sunPKCS11MasterSecret =
sunPKCS11MasterSecretGenerator.generateKey();
jceMasterSecret = jceMasterSecretGenerator.generateKey();
if (enableDebug) {
System.out.println("Master Secret (SunJCE):");
if (jceMasterSecret != null) {
for (byte b : jceMasterSecret.getEncoded()) {
System.out.printf("%02X, ", b);
}
System.out.println("");
}
}
}
// Generate authentication codes
byte[] sunPKCS11AuthenticationCode = null;
byte[] jceAuthenticationCode = null;
{
// Generate SunPKCS11 authentication code
{
@SuppressWarnings("deprecation")
TlsPrfParameterSpec sunPKCS11AuthenticationCodeSpec =
new TlsPrfParameterSpec(sunPKCS11MasterSecret,
"client finished", "a".getBytes(), 12,
"SHA-256", 32, 64);
KeyGenerator sunPKCS11AuthCodeGenerator =
KeyGenerator.getInstance("SunTls12Prf",
sunPKCS11NSSProvider);
sunPKCS11AuthCodeGenerator.init(
sunPKCS11AuthenticationCodeSpec);
sunPKCS11AuthenticationCode =
sunPKCS11AuthCodeGenerator.generateKey().getEncoded();
}
// Generate SunJCE authentication code
{
@SuppressWarnings("deprecation")
TlsPrfParameterSpec jceAuthenticationCodeSpec =
new TlsPrfParameterSpec(jceMasterSecret,
"client finished", "a".getBytes(), 12,
"SHA-256", 32, 64);
KeyGenerator jceAuthCodeGenerator =
KeyGenerator.getInstance("SunTls12Prf",
sunJCEProvider);
jceAuthCodeGenerator.init(jceAuthenticationCodeSpec);
jceAuthenticationCode =
jceAuthCodeGenerator.generateKey().getEncoded();
}
if (enableDebug) {
System.out.println("SunPKCS11 Authentication Code: ");
for (byte b : sunPKCS11AuthenticationCode) {
System.out.printf("%02X, ", b);
}
System.out.println("");
System.out.println("SunJCE Authentication Code: ");
for (byte b : jceAuthenticationCode) {
System.out.printf("%02X, ", b);
}
System.out.println("");
}
}
if (sunPKCS11AuthenticationCode == null ||
jceAuthenticationCode == null ||
sunPKCS11AuthenticationCode.length == 0 ||
jceAuthenticationCode.length == 0 ||
!Arrays.equals(sunPKCS11AuthenticationCode,
jceAuthenticationCode)) {
throw new Exception("Authentication codes from JCE" +
" and SunPKCS11 differ.");
}
}
private static class testTLS12SunPKCS11Communication {
public static void run() throws Exception {
SSLEngine[][] enginesToTest = getSSLEnginesToTest();
for (SSLEngine[] engineToTest : enginesToTest) {
SSLEngine clientSSLEngine = engineToTest[0];
SSLEngine serverSSLEngine = engineToTest[1];
// SSLEngine code based on RedhandshakeFinished.java
boolean dataDone = false;
ByteBuffer clientOut = null;
ByteBuffer clientIn = null;
ByteBuffer serverOut = null;
ByteBuffer serverIn = null;
ByteBuffer cTOs;
ByteBuffer sTOc;
SSLSession session = clientSSLEngine.getSession();
int appBufferMax = session.getApplicationBufferSize();
int netBufferMax = session.getPacketBufferSize();
clientIn = ByteBuffer.allocate(appBufferMax + 50);
serverIn = ByteBuffer.allocate(appBufferMax + 50);
cTOs = ByteBuffer.allocateDirect(netBufferMax);
sTOc = ByteBuffer.allocateDirect(netBufferMax);
clientOut = ByteBuffer.wrap(
"Hi Server, I'm Client".getBytes());
serverOut = ByteBuffer.wrap(
"Hello Client, I'm Server".getBytes());
SSLEngineResult clientResult;
SSLEngineResult serverResult;
while (!dataDone) {
clientResult = clientSSLEngine.wrap(clientOut, cTOs);
runDelegatedTasks(clientResult, clientSSLEngine);
serverResult = serverSSLEngine.wrap(serverOut, sTOc);
runDelegatedTasks(serverResult, serverSSLEngine);
cTOs.flip();
sTOc.flip();
if (enableDebug) {
System.out.println("Client -> Network");
printTlsNetworkPacket("", cTOs);
System.out.println("");
System.out.println("Server -> Network");
printTlsNetworkPacket("", sTOc);
System.out.println("");
}
clientResult = clientSSLEngine.unwrap(sTOc, clientIn);
runDelegatedTasks(clientResult, clientSSLEngine);
serverResult = serverSSLEngine.unwrap(cTOs, serverIn);
runDelegatedTasks(serverResult, serverSSLEngine);
cTOs.compact();
sTOc.compact();
if (!dataDone &&
(clientOut.limit() == serverIn.position()) &&
(serverOut.limit() == clientIn.position())) {
checkTransfer(serverOut, clientIn);
checkTransfer(clientOut, serverIn);
dataDone = true;
}
}
}
}
static void printTlsNetworkPacket(String prefix, ByteBuffer bb) {
ByteBuffer slice = bb.slice();
byte[] buffer = new byte[slice.remaining()];
slice.get(buffer);
for (int i = 0; i < buffer.length; i++) {
System.out.printf("%02X, ", (byte)(buffer[i] & (byte)0xFF));
if (i % 8 == 0 && i % 16 != 0) {
System.out.print(" ");
}
if (i % 16 == 0) {
System.out.println("");
}
}
System.out.flush();
}
private static void checkTransfer(ByteBuffer a, ByteBuffer b)
throws Exception {
a.flip();
b.flip();
if (!a.equals(b)) {
throw new Exception("Data didn't transfer cleanly");
}
a.position(a.limit());
b.position(b.limit());
a.limit(a.capacity());
b.limit(b.capacity());
}
private static void runDelegatedTasks(SSLEngineResult result,
SSLEngine engine) throws Exception {
if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
Runnable runnable;
while ((runnable = engine.getDelegatedTask()) != null) {
runnable.run();
}
HandshakeStatus hsStatus = engine.getHandshakeStatus();
if (hsStatus == HandshakeStatus.NEED_TASK) {
throw new Exception(
"handshake shouldn't need additional tasks");
}
}
}
private static SSLEngine[][] getSSLEnginesToTest() throws Exception {
SSLEngine[][] enginesToTest = new SSLEngine[2][2];
String[][] preferredSuites = new String[][]{ new String[] {
"TLS_RSA_WITH_AES_128_CBC_SHA256"
}, new String[] {
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
}};
for (int i = 0; i < enginesToTest.length; i++) {
enginesToTest[i][0] = createSSLEngine(true);
enginesToTest[i][1] = createSSLEngine(false);
enginesToTest[i][0].setEnabledCipherSuites(preferredSuites[i]);
enginesToTest[i][1].setEnabledCipherSuites(preferredSuites[i]);
}
return enginesToTest;
}
static private SSLEngine createSSLEngine(boolean client)
throws Exception {
SSLEngine ssle;
KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX",
jsseProvider);
kmf.init(ks, passphrase);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX",
jsseProvider);
tmf.init(ts);
SSLContext sslCtx = SSLContext.getInstance("TLSv1.2",
jsseProvider);
sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
ssle = sslCtx.createSSLEngine("localhost", 443);
ssle.setUseClientMode(client);
SSLParameters sslParameters = ssle.getSSLParameters();
ssle.setSSLParameters(sslParameters);
return ssle;
}
}
private static void initialize() throws Exception {
if (initSecmod() == false) {
return;
}
String configName = BASE + SEP + "fips.cfg";
sunPKCS11NSSProvider = getSunPKCS11(configName);
System.out.println("SunPKCS11 provider: " + sunPKCS11NSSProvider);
Security.addProvider(sunPKCS11NSSProvider);
sunJCEProvider = new com.sun.crypto.provider.SunJCE();
Security.addProvider(sunJCEProvider);
Security.removeProvider("SunJSSE");
jsseProvider =new com.sun.net.ssl.internal.ssl.Provider(
sunPKCS11NSSProvider);
Security.addProvider(jsseProvider);
System.out.println(jsseProvider.getInfo());
ks = KeyStore.getInstance("PKCS11", sunPKCS11NSSProvider);
ks.load(null, "test12".toCharArray());
ts = ks;
KeyStore ksPlain = readTestKeyStore();
privateKey = (RSAPrivateKey)ksPlain.getKey("rh_rsa_sha256",
passphrase);
publicKey = (RSAPublicKey)ksPlain.getCertificate(
"rh_rsa_sha256").getPublicKey();
}
private static KeyStore readTestKeyStore() throws Exception {
File file = new File(System.getProperty("test.src", "."), "keystore");
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(in, "passphrase".toCharArray());
in.close();
return ks;
}
}

111
test/jdk/sun/security/pkcs11/fips/TrustManagerTest.java

@ -1,111 +0,0 @@
/*
* Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 6323647
* @summary Verify that the SunJSSE trustmanager works correctly in FIPS mode
* @author Andreas Sterbenz
* @library /test/lib ..
* @modules java.base/com.sun.net.ssl.internal.ssl
* @run main/othervm TrustManagerTest
* @run main/othervm TrustManagerTest sm TrustManagerTest.policy
*/
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Policy;
import java.security.Provider;
import java.security.Security;
import java.security.URIParameter;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
// This test belongs more in JSSE than here, but the JSSE workspace does not
// have the NSS test infrastructure. It will live here for the time being.
public class TrustManagerTest extends SecmodTest {
public static void main(String[] args) throws Exception {
if (initSecmod() == false) {
return;
}
if ("sparc".equals(System.getProperty("os.arch")) == false) {
// we have not updated other platforms with the proper NSS libraries yet
System.out.println("Test currently works only on solaris-sparc, skipping");
return;
}
String configName = BASE + SEP + "fips.cfg";
Provider p = getSunPKCS11(configName);
System.out.println(p);
Security.addProvider(p);
Security.removeProvider("SunJSSE");
Provider jsse = new com.sun.net.ssl.internal.ssl.Provider(p);
Security.addProvider(jsse);
System.out.println(jsse.getInfo());
KeyStore ks = KeyStore.getInstance("PKCS11", p);
ks.load(null, "test12".toCharArray());
X509Certificate server = loadCertificate("certs/server.cer");
X509Certificate ca = loadCertificate("certs/ca.cer");
X509Certificate anchor = loadCertificate("certs/anchor.cer");
if (args.length > 1 && "sm".equals(args[0])) {
Policy.setPolicy(Policy.getInstance("JavaPolicy",
new URIParameter(new File(BASE, args[1]).toURI())));
System.setSecurityManager(new SecurityManager());
}
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(null, null);
trustStore.setCertificateEntry("anchor", anchor);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
tmf.init(trustStore);
X509TrustManager tm = (X509TrustManager)tmf.getTrustManagers()[0];
X509Certificate[] chain = {server, ca, anchor};
tm.checkServerTrusted(chain, "RSA");
System.out.println("OK");
}
private static X509Certificate loadCertificate(String name) throws Exception {
try (InputStream in = new FileInputStream(BASE + SEP + name)) {
return (X509Certificate) CertificateFactory.getInstance("X.509")
.generateCertificate(in);
}
}
}

3
test/jdk/sun/security/pkcs11/fips/TrustManagerTest.policy

@ -1,3 +0,0 @@
grant {
};

BIN
test/jdk/sun/security/pkcs11/fips/cert8.db

Binary file not shown.

BIN
test/jdk/sun/security/pkcs11/fips/certs/anchor.cer

Binary file not shown.

BIN
test/jdk/sun/security/pkcs11/fips/certs/ca.cer

Binary file not shown.

BIN
test/jdk/sun/security/pkcs11/fips/certs/server.cer

Binary file not shown.

19
test/jdk/sun/security/pkcs11/fips/fips.cfg

@ -1,19 +0,0 @@
name = NSSKeyStore
nssSecmodDirectory = ${pkcs11test.nss.db}
nssLibraryDirectory = ${pkcs11test.nss.libdir}
nssModule = fips
# NSS needs CKA_NETSCAPE_DB for DSA and DH private keys
# just put an arbitrary value in there to make it happy
attributes(*,CKO_PRIVATE_KEY,CKK_DSA) = {
CKA_NETSCAPE_DB = 0h00
}
attributes(*,CKO_PRIVATE_KEY,CKK_DH) = {
CKA_NETSCAPE_DB = 0h00
}

BIN
test/jdk/sun/security/pkcs11/fips/key3.db

Binary file not shown.

BIN
test/jdk/sun/security/pkcs11/fips/keystore

Binary file not shown.

BIN
test/jdk/sun/security/pkcs11/fips/secmod.db

Binary file not shown.

BIN
test/jdk/sun/security/pkcs11/fips/truststore

Binary file not shown.