# HG changeset patch
# User mbalao
# Date 1568305840 10800
# Thu Sep 12 13:30:40 2019 -0300
# Node ID b0436c181872b567c5b8906051fc8836c860541c
# Parent 6d947fcb3ea40ca9d40804db2c8c384f4679e10e
8230923: SunJSSE is not properly initialized in FIPS mode from a configuration file
Reviewed-by: andrew
diff --git a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
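--- a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
+++ b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
@@ -179,7 +179,11 @@
 } else if (provName.equals("SunJCE") || provName.equals("com.sun.crypto.provider.SunJCE")) {
 p = new com.sun.crypto.provider.SunJCE();
 } else if (provName.equals("SunJSSE") || provName.equals("com.sun.net.ssl.internal.ssl.Provider")) {
- p = new com.sun.net.ssl.internal.ssl.Provider();
+ if (hasArgument()) {
+ p = new com.sun.net.ssl.internal.ssl.Provider(argument);
+ } else {
+ p = new com.sun.net.ssl.internal.ssl.Provider();
+ }
 } else if (provName.equals("Apple") || provName.equals("apple.security.AppleProvider")) {
 // need to use reflection since this class only exists on MacOsx
 p = AccessController.doPrivileged(new PrivilegedAction<Provider>() {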
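Review bot: The new `Provider(argument)` branch passes the configuration argument through without saying what it is or what happens when it is wrong. Judging from the test in this changeset (`security.provider.2=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS`), the argument names a crypto provider that must already be registered at a lower position, so FIPS mode depends on the ordering in java.security; a comment such as `// argument = name of the already-registered FIPS crypto provider, e.g. SunPKCS11-NSS` above `if (hasArgument())` would make that explicit. It is also worth confirming how this method reports a constructor failure for an unknown provider name, since a silent fallback to a non-FIPS SunJSSE would be the unsafe outcome. The enclosing method starts and ends outside the hunk, so that handling is not visible here.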
diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java
new file mode 100644
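--- /dev/null
+++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8230923
+ * @requires (jdk.version.major == 11) & (os.family == "linux") & (os.arch == "amd64" | os.arch == "x86_64")
+ * @modules java.base/com.sun.net.ssl.internal.ssl
+ * @library /test/lib
+ * @run main/othervm/timeout=30 SunJSSEFIPSInit
+ * @author Martin Balao (mbalao@redhat.com)
+ */
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.FileVisitResult;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.SimpleFileVisitor;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.security.Security;
+import java.util.ArrayList;
+import java.util.List;
+
+import jdk.test.lib.process.OutputAnalyzer;
+import jdk.test.lib.process.ProcessTools;
+
+public class SunJSSEFIPSInit {
+ private static String lineSep = System.lineSeparator();
+ private static String javaBinPath = System.getProperty("java.home", ".") +
+ File.separator + "bin" + File.separator + "java";
+ private static String nssConfigFileName = "nss.cfg";
+ private static String javaSecConfigFileName = "java.security";
+ private static Path tmpDirPath;
+ public static void main(String[] args) throws Throwable {
+ tmpDirPath = Files.createTempDirectory("tmpdir");
+ try {
+ deployConfigFiles();
+ List<String> cmds = new ArrayList<>();
+ cmds.add(javaBinPath);
+ cmds.add("-cp");
+ cmds.add(System.getProperty("test.classes", "."));
+ cmds.add("-Djava.security.properties=" + tmpDirPath +
+ File.separator + javaSecConfigFileName);
+ cmds.add(SunJSSEFIPSInitClient.class.getName());
+ OutputAnalyzer out = ProcessTools.executeCommand(
+ cmds.toArray(new String[cmds.size()]));
+ out.stdoutShouldContain("SunJSSE.isFIPS(): true");
+ System.out.println("TEST PASS - OK");
+ } finally {
+ deleteDir(tmpDirPath);
+ }
+ }
+
+ private static void deployConfigFiles() throws IOException {
+ deployJavaSecurityFile();
+ deployNssConfigFile();
+ }
+
+ private static void deployJavaSecurityFile() throws IOException {
+ int numberOfProviders = Security.getProviders().length;
+ StringBuilder sb = new StringBuilder();
+ sb.append("security.provider.1=SunPKCS11 " + tmpDirPath +
+ File.separator + nssConfigFileName + lineSep);
+ sb.append("security.provider.2=com.sun.net.ssl.internal.ssl.Provider" +
+ " SunPKCS11-NSS" + lineSep);
+ for (int i = 3; i <= numberOfProviders; i++) {
+ sb.append("security.provider." + i + "=\"\"" + lineSep);
+ }
+ writeFile(javaSecConfigFileName, sb.toString());
+ }
+
+ private static void deployNssConfigFile() throws IOException {
+ StringBuilder sb = new StringBuilder();
+ sb.append("name = NSS" + lineSep);
+ sb.append("nssLibraryDirectory = /usr/lib64" + lineSep);
+ sb.append("nssDbMode = noDb" + lineSep);
+ sb.append("nssModule = crypto" + lineSep);
+ writeFile(nssConfigFileName, sb.toString());
+ }
+
+ private static void writeFile(String fileName, String fileContent)
+ throws IOException {
+ try (FileOutputStream fos = new FileOutputStream(new File(tmpDirPath +
+ File.separator + fileName))) {
+ fos.write(fileContent.getBytes());
+ }
+ }
+
+ private static void deleteDir(Path directory) throws IOException {
+ Files.walkFileTree(directory, new SimpleFileVisitor<Path>() {
+
+ @Override
+ public FileVisitResult visitFile(Path file,
+ BasicFileAttributes attrs) throws IOException {
+ Files.delete(file);
+ return FileVisitResult.CONTINUE;
+ }
+
+ @Override
+ public FileVisitResult postVisitDirectory(Path dir, IOException exc)
+ throws IOException {
+ Files.delete(dir);
+ return FileVisitResult.CONTINUE;
+ }
+ });
+ }
+}
+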
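Review bot: `deployNssConfigFile` hard-codes `nssLibraryDirectory = /usr/lib64`, while `@requires` only restricts the OS family and architecture, so on a Linux amd64 host whose NSS libraries live elsewhere the test fails instead of being skipped. The assertion in `main` also inspects stdout only; adding `out.shouldHaveExitValue(0);` before `out.stdoutShouldContain(...)` would give a clearer failure when the child JVM dies during provider loading. The test covers only the positive path; a second run whose SunJSSE argument names a provider that is not registered would pin the failure behaviour of the new `ProviderConfig` branch.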
diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java
new file mode 100644
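--- /dev/null
+++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.security.Provider;
+import java.security.Security;
+
+public class SunJSSEFIPSInitClient {
+ public static void main(String[] args) throws Exception {
+ boolean isSunJSSEFIPS = false;
+ Provider[] provs = Security.getProviders();
+ for (Provider p : provs) {
+ if (p.getName().equals("SunJSSE") &&
+ p instanceof com.sun.net.ssl.internal.ssl.Provider) {
+ isSunJSSEFIPS = ((com.sun.net.ssl.internal.ssl.Provider)p).isFIPS();
+ break;
+ }
+ }
+ System.out.println("SunJSSE.isFIPS(): " + isSunJSSEFIPS);
+ }
+}
+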
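Review bot: `isSunJSSEFIPS` stays `false` both when SunJSSE is registered in non-FIPS mode and when the loop finds no provider named SunJSSE at all, so the parent test's failure output cannot tell the two cases apart. Printing a distinct line when no match is found, e.g. `System.out.println("SunJSSE provider not found");`, would make a misconfigured `java.security` file easier to diagnose than a bare `SunJSSE.isFIPS(): false`.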