# HG changeset patch
# User mbalao
# Date 1568305840 10800
# Thu Sep 12 13:30:40 2019 -0300
# Node ID b0436c181872b567c5b8906051fc8836c860541c
# Parent 6d947fcb3ea40ca9d40804db2c8c384f4679e10e
8230923: SunJSSE is not properly initialized in FIPS mode from a configuration file
Reviewed-by: andrew
diff --git a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
--- a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
+++ b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
@@ -179,7 +179,11 @@
} else if (provName.equals("SunJCE") || provName.equals("com.sun.crypto.provider.SunJCE")) {
p = new com.sun.crypto.provider.SunJCE();
} else if (provName.equals("SunJSSE") || provName.equals("com.sun.net.ssl.internal.ssl.Provider")) {
- p = new com.sun.net.ssl.internal.ssl.Provider();
+ if (hasArgument()) {
+ p = new com.sun.net.ssl.internal.ssl.Provider(argument);
+ } else {
+ p = new com.sun.net.ssl.internal.ssl.Provider();
+ }
} else if (provName.equals("Apple") || provName.equals("apple.security.AppleProvider")) {
// need to use reflection since this class only exists on MacOsx
p = AccessController.doPrivileged(new PrivilegedAction<Provider>() {
diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java
new file mode 100644
--- /dev/null
+++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8230923
+ * @requires (jdk.version.major == 11) & (os.family == "linux") & (os.arch == "amd64" | os.arch == "x86_64")
+ * @modules java.base/com.sun.net.ssl.internal.ssl
+ * @library /test/lib
+ * @run main/othervm/timeout=30 SunJSSEFIPSInit
+ * @author Martin Balao (mbalao@redhat.com)
+ */
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.FileVisitResult;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.SimpleFileVisitor;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.security.Security;
+import java.util.ArrayList;
+import java.util.List;
+
+import jdk.test.lib.process.OutputAnalyzer;
+import jdk.test.lib.process.ProcessTools;
+
+public class SunJSSEFIPSInit {
+ private static String lineSep = System.lineSeparator();
+ private static String javaBinPath = System.getProperty("java.home", ".") +
+ File.separator + "bin" + File.separator + "java";
+ private static String nssConfigFileName = "nss.cfg";
+ private static String javaSecConfigFileName = "java.security";
+ private static Path tmpDirPath;
+ public static void main(String[] args) throws Throwable {
+ tmpDirPath = Files.createTempDirectory("tmpdir");
+ try {
+ deployConfigFiles();
+ List<String> cmds = new ArrayList<>();
+ cmds.add(javaBinPath);
+ cmds.add("-cp");
+ cmds.add(System.getProperty("test.classes", "."));
+ cmds.add("-Djava.security.properties=" + tmpDirPath +
+ File.separator + javaSecConfigFileName);
+ cmds.add(SunJSSEFIPSInitClient.class.getName());
+ OutputAnalyzer out = ProcessTools.executeCommand(
+ cmds.toArray(new String[cmds.size()]));
+ out.stdoutShouldContain("SunJSSE.isFIPS(): true");
+ System.out.println("TEST PASS - OK");
+ } finally {
+ deleteDir(tmpDirPath);
+ }
+ }
+
+ private static void deployConfigFiles() throws IOException {
+ deployJavaSecurityFile();
+ deployNssConfigFile();
+ }
+
+ private static void deployJavaSecurityFile() throws IOException {
+ int numberOfProviders = Security.getProviders().length;
+ StringBuilder sb = new StringBuilder();
+ sb.append("security.provider.1=SunPKCS11 " + tmpDirPath +
+ File.separator + nssConfigFileName + lineSep);
+ sb.append("security.provider.2=com.sun.net.ssl.internal.ssl.Provider" +
+ " SunPKCS11-NSS" + lineSep);
+ for (int i = 3; i <= numberOfProviders; i++) {
+ sb.append("security.provider." + i + "=\"\"" + lineSep);
+ }
+ writeFile(javaSecConfigFileName, sb.toString());
+ }
+
+ private static void deployNssConfigFile() throws IOException {
+ StringBuilder sb = new StringBuilder();
+ sb.append("name = NSS" + lineSep);
+ sb.append("nssLibraryDirectory = /usr/lib64" + lineSep);
+ sb.append("nssDbMode = noDb" + lineSep);
+ sb.append("nssModule = crypto" + lineSep);
+ writeFile(nssConfigFileName, sb.toString());
+ }
+
+ private static void writeFile(String fileName, String fileContent)
+ throws IOException {
+ try (FileOutputStream fos = new FileOutputStream(new File(tmpDirPath +
+ File.separator + fileName))) {
+ fos.write(fileContent.getBytes());
+ }
+ }
+
+ private static void deleteDir(Path directory) throws IOException {
+ Files.walkFileTree(directory, new SimpleFileVisitor<Path>() {
+
+ @Override
+ public FileVisitResult visitFile(Path file,
+ BasicFileAttributes attrs) throws IOException {
+ Files.delete(file);
+ return FileVisitResult.CONTINUE;
+ }
+
+ @Override
+ public FileVisitResult postVisitDirectory(Path dir, IOException exc)
+ throws IOException {
+ Files.delete(dir);
+ return FileVisitResult.CONTINUE;
+ }
+ });
+ }
+}
+
diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java
new file mode 100644
--- /dev/null
+++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.security.Provider;
+import java.security.Security;
+
+public class SunJSSEFIPSInitClient {
+ public static void main(String[] args) throws Exception {
+ boolean isSunJSSEFIPS = false;
+ Provider[] provs = Security.getProviders();
+ for (Provider p : provs) {
+ if (p.getName().equals("SunJSSE") &&
+ p instanceof com.sun.net.ssl.internal.ssl.Provider) {
+ isSunJSSEFIPS = ((com.sun.net.ssl.internal.ssl.Provider)p).isFIPS();
+ break;
+ }
+ }
+ System.out.println("SunJSSE.isFIPS(): " + isSunJSSEFIPS);
+ }
+}
+