# HG changeset patch # User mbalao # Date 1568305840 10800 # Thu Sep 12 13:30:40 2019 -0300 # Node ID b0436c181872b567c5b8906051fc8836c860541c # Parent 6d947fcb3ea40ca9d40804db2c8c384f4679e10e 8230923: SunJSSE is not properly initialized in FIPS mode from a configuration file Reviewed-by: andrew diff --git a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java --- a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java +++ b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java @@ -179,7 +179,11 @@ } else if (provName.equals("SunJCE") || provName.equals("com.sun.crypto.provider.SunJCE")) { p = new com.sun.crypto.provider.SunJCE(); } else if (provName.equals("SunJSSE") || provName.equals("com.sun.net.ssl.internal.ssl.Provider")) { - p = new com.sun.net.ssl.internal.ssl.Provider(); + if (hasArgument()) { + p = new com.sun.net.ssl.internal.ssl.Provider(argument); + } else { + p = new com.sun.net.ssl.internal.ssl.Provider(); + } } else if (provName.equals("Apple") || provName.equals("apple.security.AppleProvider")) { // need to use reflection since this class only exists on MacOsx p = AccessController.doPrivileged(new PrivilegedAction() { diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java new file mode 100644 --- /dev/null +++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInit.java @@ -0,0 +1,131 @@ +/* + * Copyright (c) 2019, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8230923 + * @requires (jdk.version.major == 11) & (os.family == "linux") & (os.arch == "amd64" | os.arch == "x86_64") + * @modules java.base/com.sun.net.ssl.internal.ssl + * @library /test/lib + * @run main/othervm/timeout=30 SunJSSEFIPSInit + * @author Martin Balao (mbalao@redhat.com) + */ + +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.nio.file.FileVisitResult; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.SimpleFileVisitor; +import java.nio.file.attribute.BasicFileAttributes; +import java.security.Security; +import java.util.ArrayList; +import java.util.List; + +import jdk.test.lib.process.OutputAnalyzer; +import jdk.test.lib.process.ProcessTools; + +public class SunJSSEFIPSInit { + private static String lineSep = System.lineSeparator(); + private static String javaBinPath = System.getProperty("java.home", ".") + + File.separator + "bin" + File.separator + "java"; + private static String nssConfigFileName = "nss.cfg"; + private static String javaSecConfigFileName = "java.security"; + private static Path tmpDirPath; + public static void main(String[] args) throws Throwable { + tmpDirPath = Files.createTempDirectory("tmpdir"); + try { + deployConfigFiles(); + List cmds = new ArrayList<>(); + cmds.add(javaBinPath); + cmds.add("-cp"); + cmds.add(System.getProperty("test.classes", ".")); + cmds.add("-Djava.security.properties=" + tmpDirPath + + File.separator + javaSecConfigFileName); + cmds.add(SunJSSEFIPSInitClient.class.getName()); + OutputAnalyzer out = ProcessTools.executeCommand( + cmds.toArray(new String[cmds.size()])); + out.stdoutShouldContain("SunJSSE.isFIPS(): true"); + System.out.println("TEST PASS - OK"); + } finally { + deleteDir(tmpDirPath); + } + } + + private static void deployConfigFiles() throws IOException { + deployJavaSecurityFile(); + deployNssConfigFile(); + } + + private static void deployJavaSecurityFile() throws IOException { + int numberOfProviders = Security.getProviders().length; + StringBuilder sb = new StringBuilder(); + sb.append("security.provider.1=SunPKCS11 " + tmpDirPath + + File.separator + nssConfigFileName + lineSep); + sb.append("security.provider.2=com.sun.net.ssl.internal.ssl.Provider" + + " SunPKCS11-NSS" + lineSep); + for (int i = 3; i <= numberOfProviders; i++) { + sb.append("security.provider." + i + "=\"\"" + lineSep); + } + writeFile(javaSecConfigFileName, sb.toString()); + } + + private static void deployNssConfigFile() throws IOException { + StringBuilder sb = new StringBuilder(); + sb.append("name = NSS" + lineSep); + sb.append("nssLibraryDirectory = /usr/lib64" + lineSep); + sb.append("nssDbMode = noDb" + lineSep); + sb.append("nssModule = crypto" + lineSep); + writeFile(nssConfigFileName, sb.toString()); + } + + private static void writeFile(String fileName, String fileContent) + throws IOException { + try (FileOutputStream fos = new FileOutputStream(new File(tmpDirPath + + File.separator + fileName))) { + fos.write(fileContent.getBytes()); + } + } + + private static void deleteDir(Path directory) throws IOException { + Files.walkFileTree(directory, new SimpleFileVisitor() { + + @Override + public FileVisitResult visitFile(Path file, + BasicFileAttributes attrs) throws IOException { + Files.delete(file); + return FileVisitResult.CONTINUE; + } + + @Override + public FileVisitResult postVisitDirectory(Path dir, IOException exc) + throws IOException { + Files.delete(dir); + return FileVisitResult.CONTINUE; + } + }); + } +} + diff --git a/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java new file mode 100644 --- /dev/null +++ b/test/jdk/sun/security/pkcs11/fips/SunJSSEFIPSInitClient.java @@ -0,0 +1,42 @@ +/* + * Copyright (c) 2019, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.security.Provider; +import java.security.Security; + +public class SunJSSEFIPSInitClient { + public static void main(String[] args) throws Exception { + boolean isSunJSSEFIPS = false; + Provider[] provs = Security.getProviders(); + for (Provider p : provs) { + if (p.getName().equals("SunJSSE") && + p instanceof com.sun.net.ssl.internal.ssl.Provider) { + isSunJSSEFIPS = ((com.sun.net.ssl.internal.ssl.Provider)p).isFIPS(); + break; + } + } + System.out.println("SunJSSE.isFIPS(): " + isSunJSSEFIPS); + } +} +