Blame SOURCES/jdk8230923-fips_mode_initialisation_failure.patch

9d60fa
# HG changeset patch
9d60fa
# User mbalao
9d60fa
# Date 1568305840 10800
9d60fa
#      Thu Sep 12 13:30:40 2019 -0300
9d60fa
# Node ID b0436c181872b567c5b8906051fc8836c860541c
9d60fa
# Parent  6d947fcb3ea40ca9d40804db2c8c384f4679e10e
9d60fa
8230923: SunJSSE is not properly initialized in FIPS mode from a configuration file
9d60fa
Reviewed-by: andrew
9d60fa
9d60fa
diff --git a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
9d60fa
--- a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
9d60fa
+++ b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
9d60fa
@@ -179,7 +179,11 @@
9d60fa
         } else if (provName.equals("SunJCE") || provName.equals("com.sun.crypto.provider.SunJCE")) {
9d60fa
             p = new com.sun.crypto.provider.SunJCE();
9d60fa
         } else if (provName.equals("SunJSSE") || provName.equals("com.sun.net.ssl.internal.ssl.Provider")) {
9d60fa
-            p = new com.sun.net.ssl.internal.ssl.Provider();
9d60fa
+            if (hasArgument()) {
9d60fa
+                p = new com.sun.net.ssl.internal.ssl.Provider(argument);
9d60fa
+            } else {
9d60fa
+                p = new com.sun.net.ssl.internal.ssl.Provider();
9d60fa
+            }
9d60fa
         } else if (provName.equals("Apple") || provName.equals("apple.security.AppleProvider")) {
9d60fa
             // need to use reflection since this class only exists on MacOsx
9d60fa
             p = AccessController.doPrivileged(new PrivilegedAction<Provider>() {
9d60fa
diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java
9d60fa
new file mode 100644
9d60fa
--- /dev/null
9d60fa
+++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java
9d60fa
@@ -0,0 +1,131 @@
9d60fa
+/*
9d60fa
+ * Copyright (c) 2019, Red Hat, Inc.
9d60fa
+ *
9d60fa
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
9d60fa
+ *
9d60fa
+ * This code is free software; you can redistribute it and/or modify it
9d60fa
+ * under the terms of the GNU General Public License version 2 only, as
9d60fa
+ * published by the Free Software Foundation.
9d60fa
+ *
9d60fa
+ * This code is distributed in the hope that it will be useful, but WITHOUT
9d60fa
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
9d60fa
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
9d60fa
+ * version 2 for more details (a copy is included in the LICENSE file that
9d60fa
+ * accompanied this code).
9d60fa
+ *
9d60fa
+ * You should have received a copy of the GNU General Public License version
9d60fa
+ * 2 along with this work; if not, write to the Free Software Foundation,
9d60fa
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
9d60fa
+ *
9d60fa
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
9d60fa
+ * or visit www.oracle.com if you need additional information or have any
9d60fa
+ * questions.
9d60fa
+ */
9d60fa
+
9d60fa
+/*
9d60fa
+ * @test
9d60fa
+ * @bug 8230923
9d60fa
+ * @requires (jdk.version.major == 11) & (os.family == "linux") & (os.arch == "amd64" | os.arch == "x86_64")
9d60fa
+ * @modules java.base/com.sun.net.ssl.internal.ssl
9d60fa
+ * @library /test/lib
9d60fa
+ * @run main/othervm/timeout=30 SunJSSEFIPSInit
9d60fa
+ * @author Martin Balao (mbalao@redhat.com)
9d60fa
+ */
9d60fa
+
9d60fa
+import java.io.File;
9d60fa
+import java.io.FileOutputStream;
9d60fa
+import java.io.IOException;
9d60fa
+import java.nio.file.FileVisitResult;
9d60fa
+import java.nio.file.Files;
9d60fa
+import java.nio.file.Path;
9d60fa
+import java.nio.file.SimpleFileVisitor;
9d60fa
+import java.nio.file.attribute.BasicFileAttributes;
9d60fa
+import java.security.Security;
9d60fa
+import java.util.ArrayList;
9d60fa
+import java.util.List;
9d60fa
+
9d60fa
+import jdk.test.lib.process.OutputAnalyzer;
9d60fa
+import jdk.test.lib.process.ProcessTools;
9d60fa
+
9d60fa
+public class SunJSSEFIPSInit {
9d60fa
+    private static String lineSep = System.lineSeparator();
9d60fa
+    private static String javaBinPath = System.getProperty("java.home", ".") +
9d60fa
+        File.separator + "bin" + File.separator + "java";
9d60fa
+    private static String nssConfigFileName = "nss.cfg";
9d60fa
+    private static String javaSecConfigFileName = "java.security";
9d60fa
+    private static Path tmpDirPath;
9d60fa
+    public static void main(String[] args) throws Throwable {
9d60fa
+        tmpDirPath = Files.createTempDirectory("tmpdir");
9d60fa
+        try {
9d60fa
+            deployConfigFiles();
9d60fa
+            List<String> cmds = new ArrayList<>();
9d60fa
+            cmds.add(javaBinPath);
9d60fa
+            cmds.add("-cp");
9d60fa
+            cmds.add(System.getProperty("test.classes", "."));
9d60fa
+            cmds.add("-Djava.security.properties=" + tmpDirPath +
9d60fa
+                    File.separator + javaSecConfigFileName);
9d60fa
+            cmds.add(SunJSSEFIPSInitClient.class.getName());
9d60fa
+            OutputAnalyzer out = ProcessTools.executeCommand(
9d60fa
+                    cmds.toArray(new String[cmds.size()]));
9d60fa
+            out.stdoutShouldContain("SunJSSE.isFIPS(): true");
9d60fa
+            System.out.println("TEST PASS - OK");
9d60fa
+        } finally {
9d60fa
+            deleteDir(tmpDirPath);
9d60fa
+        }
9d60fa
+    }
9d60fa
+
9d60fa
+    private static void deployConfigFiles() throws IOException {
9d60fa
+        deployJavaSecurityFile();
9d60fa
+        deployNssConfigFile();
9d60fa
+    }
9d60fa
+
9d60fa
+    private static void deployJavaSecurityFile() throws IOException {
9d60fa
+        int numberOfProviders = Security.getProviders().length;
9d60fa
+        StringBuilder sb = new StringBuilder();
9d60fa
+        sb.append("security.provider.1=SunPKCS11 " + tmpDirPath +
9d60fa
+                File.separator + nssConfigFileName + lineSep);
9d60fa
+        sb.append("security.provider.2=com.sun.net.ssl.internal.ssl.Provider" +
9d60fa
+                " SunPKCS11-NSS" + lineSep);
9d60fa
+        for (int i = 3; i <= numberOfProviders; i++) {
9d60fa
+            sb.append("security.provider." + i + "=\"\"" + lineSep);
9d60fa
+        }
9d60fa
+        writeFile(javaSecConfigFileName, sb.toString());
9d60fa
+    }
9d60fa
+
9d60fa
+    private static void deployNssConfigFile() throws IOException {
9d60fa
+        StringBuilder sb = new StringBuilder();
9d60fa
+        sb.append("name = NSS" + lineSep);
9d60fa
+        sb.append("nssLibraryDirectory = /usr/lib64" + lineSep);
9d60fa
+        sb.append("nssDbMode = noDb" + lineSep);
9d60fa
+        sb.append("nssModule = crypto" + lineSep);
9d60fa
+        writeFile(nssConfigFileName, sb.toString());
9d60fa
+    }
9d60fa
+
9d60fa
+    private static void writeFile(String fileName, String fileContent)
9d60fa
+            throws IOException {
9d60fa
+        try (FileOutputStream fos = new FileOutputStream(new File(tmpDirPath +
9d60fa
+                File.separator + fileName))) {
9d60fa
+            fos.write(fileContent.getBytes());
9d60fa
+        }
9d60fa
+    }
9d60fa
+
9d60fa
+    private static void deleteDir(Path directory) throws IOException {
9d60fa
+        Files.walkFileTree(directory, new SimpleFileVisitor<Path>() {
9d60fa
+
9d60fa
+            @Override
9d60fa
+            public FileVisitResult visitFile(Path file,
9d60fa
+                    BasicFileAttributes attrs) throws IOException {
9d60fa
+                Files.delete(file);
9d60fa
+                return FileVisitResult.CONTINUE;
9d60fa
+            }
9d60fa
+
9d60fa
+            @Override
9d60fa
+            public FileVisitResult postVisitDirectory(Path dir, IOException exc)
9d60fa
+                    throws IOException {
9d60fa
+                Files.delete(dir);
9d60fa
+                return FileVisitResult.CONTINUE;
9d60fa
+            }
9d60fa
+        });
9d60fa
+    }
9d60fa
+}
9d60fa
+
9d60fa
diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java
9d60fa
new file mode 100644
9d60fa
--- /dev/null
9d60fa
+++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java
9d60fa
@@ -0,0 +1,42 @@
9d60fa
+/*
9d60fa
+ * Copyright (c) 2019, Red Hat, Inc.
9d60fa
+ *
9d60fa
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
9d60fa
+ *
9d60fa
+ * This code is free software; you can redistribute it and/or modify it
9d60fa
+ * under the terms of the GNU General Public License version 2 only, as
9d60fa
+ * published by the Free Software Foundation.
9d60fa
+ *
9d60fa
+ * This code is distributed in the hope that it will be useful, but WITHOUT
9d60fa
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
9d60fa
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
9d60fa
+ * version 2 for more details (a copy is included in the LICENSE file that
9d60fa
+ * accompanied this code).
9d60fa
+ *
9d60fa
+ * You should have received a copy of the GNU General Public License version
9d60fa
+ * 2 along with this work; if not, write to the Free Software Foundation,
9d60fa
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
9d60fa
+ *
9d60fa
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
9d60fa
+ * or visit www.oracle.com if you need additional information or have any
9d60fa
+ * questions.
9d60fa
+ */
9d60fa
+
9d60fa
+import java.security.Provider;
9d60fa
+import java.security.Security;
9d60fa
+
9d60fa
+public class SunJSSEFIPSInitClient {
9d60fa
+    public static void main(String[] args) throws Exception {
9d60fa
+        boolean isSunJSSEFIPS = false;
9d60fa
+        Provider[] provs = Security.getProviders();
9d60fa
+        for (Provider p : provs) {
9d60fa
+            if (p.getName().equals("SunJSSE") &&
9d60fa
+                    p instanceof com.sun.net.ssl.internal.ssl.Provider) {
9d60fa
+                isSunJSSEFIPS = ((com.sun.net.ssl.internal.ssl.Provider)p).isFIPS();
9d60fa
+                break;
9d60fa
+            }
9d60fa
+        }
9d60fa
+        System.out.println("SunJSSE.isFIPS(): " + isSunJSSEFIPS);
9d60fa
+    }
9d60fa
+}
9d60fa
+