From 955312b11791792e551762020cf5e45f0cc33235 Mon Sep 17 00:00:00 2001 From: Tao Liu Date: Sun, 11 Sep 2022 12:26:47 -0400 Subject: [PATCH] Java Restricted Security Mode Signed-off-by: Tao Liu --- .../internal/security/FIPSConfigurator.java | 159 ----- .../RestrictedSecurityConfigurator.java | 320 +++++++++ .../RestrictedSecurityProperties.java | 658 ++++++++++++++++++ .../share/classes/java/security/Provider.java | 15 + .../classes/java/security/SecureRandom.java | 43 +- .../share/classes/java/security/Security.java | 12 +- .../classes/java/util/ServiceLoader.java | 22 +- .../sun/security/jca/ProviderConfig.java | 29 +- .../sun/security/provider/SunEntries.java | 462 ++++++------ .../share/conf/security/java.security | 52 ++ .../sun/security/pkcs11/SunPKCS11.java | 12 +- .../sun/security/pkcs11/wrapper/PKCS11.java | 10 +- .../share/classes/sun/security/ec/SunEC.java | 200 ++---- 13 files changed, 1407 insertions(+), 587 deletions(-) delete mode 100644 closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java create mode 100644 closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java create mode 100644 closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityProperties.java diff --git a/closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java b/closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java deleted file mode 100644 index 395d8138c96..00000000000 --- a/closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java +++ /dev/null @@ -1,159 +0,0 @@ -/* - * =========================================================================== - * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved - * =========================================================================== - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * IBM designates this particular file as subject to the "Classpath" exception - * as provided by IBM in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, see . - * - * =========================================================================== - */ - -package openj9.internal.security; - -import java.util.Iterator; -import java.util.Map.Entry; -import java.util.Properties; -import java.security.AccessController; -import java.security.PrivilegedAction; - -import sun.security.util.Debug; - -/** - * Configures the security providers when in FIPS mode. - */ -public final class FIPSConfigurator { - - private static final Debug debug = Debug.getInstance("semerufips"); - - // FIPS mode enable check, only supported on Linux x64. - private static final boolean userEnabledFIPS; - private static final boolean isFIPSSupported; - private static final boolean shouldEnableFIPS; - - static { - String[] props = AccessController.doPrivileged( - new PrivilegedAction<>() { - @Override - public String[] run() { - return new String[] {System.getProperty("semeru.fips"), - System.getProperty("os.name"), - System.getProperty("os.arch")}; - } - }); - userEnabledFIPS = Boolean.parseBoolean(props[0]); - isFIPSSupported = "Linux".equalsIgnoreCase(props[1]) - && "amd64".equalsIgnoreCase(props[2]); - shouldEnableFIPS = userEnabledFIPS && isFIPSSupported; - } - - private FIPSConfigurator() { - super(); - } - - /** - * FIPS mode will be enabled only if the semeru.fips system - * property is true (default as false). - * - * @return true if FIPS is enabled - */ - public static boolean enableFips() { - return shouldEnableFIPS; - } - - /** - * Remove the security providers and only add the FIPS security providers. - * - * @param props the java.security properties - * @return true if the FIPS properties loaded successfully - */ - public static boolean configureFIPS(Properties props) { - boolean loadedProps = false; - - // Check if FIPS is supported on this platform. - if (userEnabledFIPS && !isFIPSSupported) { - throw new RuntimeException("FIPS is not supported on this platform."); - } - - try { - if (shouldEnableFIPS) { - if (debug != null) { - debug.println("FIPS mode detected, loading properties"); - } - - // Remove all security providers. - Iterator> i = props.entrySet().iterator(); - while (i.hasNext()) { - Entry e = i.next(); - if (((String) e.getKey()).startsWith("security.provider")) { - if (debug != null) { - debug.println("Removing provider: " + e); - } - i.remove(); - } - } - - // Add FIPS security providers. - props.put("security.provider.1", "SunPKCS11 ${java.home}/conf/security/nss.fips.cfg"); - props.put("security.provider.2", "SUN"); - props.put("security.provider.3", "SunEC"); - props.put("security.provider.4", "SunJSSE"); - - // Add FIPS security properties. - props.put("keystore.type", "PKCS11"); - System.setProperty("javax.net.ssl.keyStore", "NONE"); - - // Add FIPS disabled algorithms. - String disabledAlgorithms = props.get("jdk.tls.disabledAlgorithms") - + ", X25519, X448" - + ", SSLv3, TLSv1, TLSv1.1" - + ", TLS_CHACHA20_POLY1305_SHA256" - + ", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" - + ", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" - + ", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" - + ", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" - + ", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA" - + ", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" - + ", TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256" - + ", TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256" - + ", TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" - + ", TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256" - + ", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - + ", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" - + ", TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" - + ", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" - + ", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" - + ", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - + ", TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - + ", TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; - props.put("jdk.tls.disabledAlgorithms", disabledAlgorithms); - - if (debug != null) { - debug.println("FIPS mode properties loaded"); - debug.println(props.toString()); - } - - loadedProps = true; - } - } catch (Exception e) { - if (debug != null) { - debug.println("Unable to load FIPS configuration"); - e.printStackTrace(); - } - } - return loadedProps; - } -} diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java new file mode 100644 index 00000000000..7e59f56cdd5 --- /dev/null +++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java @@ -0,0 +1,320 @@ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved + * =========================================================================== + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * IBM designates this particular file as subject to the "Classpath" exception + * as provided by IBM in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, see . + * + * =========================================================================== + */ + +package openj9.internal.security; + +import java.security.AccessController; +import java.security.PrivilegedAction; +import java.time.LocalDate; +import java.time.format.DateTimeFormatter; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; +import java.util.Iterator; +import java.util.Map; +import java.util.Map.Entry; +import java.util.Properties; + +import sun.security.util.Debug; + +/** + * Configures the security providers when in restricted security mode. + */ +public final class RestrictedSecurityConfigurator { + + private static final Debug debug = Debug.getInstance("semerufips"); + + // Restricted security mode enable check, only supported on Linux x64. + private static final boolean userEnabledSecurity; + private static final boolean isSecuritySupported; + private static final boolean shouldEnableSecurity; + private static final String userSecuritySetting; + private static final boolean userEnabledFIPS; + + private static String userSecurityNum = "0"; + private static boolean userSecurityTrace = false; + private static boolean userSecurityAudit = false; + private static boolean userSecurityHelp = false; + + private static final String[] supportPlatforms = {"amd64"}; + + static { + String[] props = AccessController.doPrivileged( + new PrivilegedAction<>() { + @Override + public String[] run() { + return new String[] { System.getProperty("semeru.fips"), + System.getProperty("semeru.restrictedsecurity"), + System.getProperty("os.name"), + System.getProperty("os.arch") }; + } + }); + userEnabledFIPS = Boolean.parseBoolean(props[0]); + // If semeru.fips is true, then ignore semeru.restrictedsecurity, use userSecurityNum 1. + userSecuritySetting = userEnabledFIPS ? "1" : props[1]; + userEnabledSecurity = notNullEmpty(userSecuritySetting) ? true : false; + isSecuritySupported = "Linux".equalsIgnoreCase(props[2]) + && Arrays.asList(supportPlatforms).contains(props[3]); + shouldEnableSecurity = (userEnabledFIPS || userEnabledSecurity) && isSecuritySupported; + } + + private RestrictedSecurityConfigurator() { + super(); + } + + /** + * Restricted security mode will be enabled only if the semeru.fips system + * property is true (default as false). + * + * @return true if restricted security is enabled. + */ + public static boolean isEnabled() { + return shouldEnableSecurity; + } + + /** + * Remove the security providers and only add the restricted security providers. + * + * @param props the java.security properties. + * @return true if the restricted security properties loaded successfully. + */ + public static boolean configure(Properties props) { + boolean loadedProps = false; + + // Check if restricted security is supported on this platform. + if ((userEnabledFIPS || userEnabledSecurity) && !isSecuritySupported) { + new RuntimeException("Restricted security mode is not supported on this platform.") + .printStackTrace(); + System.exit(1); + } + + try { + if (shouldEnableSecurity) { + if (debug != null) { + debug.println("Restricted security mode detected, loading properties."); + } + + // Read and set user restricted security settings. + initUserSetting(); + + // Initialize the restricted security properties from java.security file. + RestrictedSecurityProperties restricts = RestrictedSecurityProperties.getInstance(userSecurityNum, + props, userSecurityTrace, userSecurityAudit, userSecurityHelp); + restricts.init(); + + // Check if the SunsetDate expired. + if (isPolicySunset(restricts.getDescSunsetDate())) { + new RuntimeException("Restricted security policy expired.").printStackTrace(); + System.exit(1); + } + + // Check secure random settings. + if (!notNullEmpty(restricts.getJdkSecureRandomProvider()) + || !notNullEmpty(restricts.getJdkSecureRandomAlgorithm())) { + new RuntimeException("Restricted security mode secure random is null.") + .printStackTrace(); + System.exit(1); + } + + // Remove all security providers. + Iterator> i = props.entrySet().iterator(); + while (i.hasNext()) { + Entry e = i.next(); + if (((String) e.getKey()).startsWith("security.provider")) { + if (debug != null) { + debug.println("Removing provider: " + e); + } + i.remove(); + } + } + + // Add restricted security providers. + setProviders(props, restricts.getProviders()); + + // Add restricted security Properties. + setProperties(props, restricts); + + if (debug != null) { + debug.println("Restricted security mode loaded."); + debug.println("Restricted security properties: " + props.toString()); + } + + loadedProps = true; + } + + } catch (Exception e) { + if (debug != null) { + debug.println("Unable to load restricted security mode configuration"); + } + e.printStackTrace(); + } + return loadedProps; + } + + /** + * Load user restricted security settings from system property. + */ + private static void initUserSetting() { + + if (debug != null) { + debug.println("Loading user restricted security settings."); + } + + String[] inputs = userSecuritySetting.split(","); + + // For input ",," + if (inputs.length == 0) { + new RuntimeException("user restricted security setting " + userSecuritySetting + " incorrect.") + .printStackTrace(); + System.exit(1); + } + + for (String input : inputs) { + if (input.trim().equalsIgnoreCase("trace")) { + userSecurityTrace = true; + } else if (input.trim().equalsIgnoreCase("audit")) { + userSecurityAudit = true; + } else if (input.trim().equalsIgnoreCase("help")) { + userSecurityHelp = true; + } else { + try { + Integer.parseInt(input.trim()); + } catch (NumberFormatException e) { + new RuntimeException("user restricted security setting " + userSecuritySetting + " incorrect.") + .printStackTrace(); + System.exit(1); + } + userSecurityNum = input.trim(); + } + } + + if (debug != null) { + debug.println("User restricted security settings loaded, with userSecurityNum: " + userSecurityNum + + " userSecurityTrace: " + userSecurityTrace + " userSecurityAudit: " + userSecurityAudit + + " userSecurityHelp: " + userSecurityHelp); + } + } + + /** + * Add restricted security providers. + * + * @param providers the provider name array. + */ + private static void setProviders(Properties props, ArrayList providers) { + + if (debug != null) { + debug.println("Adding restricted security provider."); + } + + int pNum = 1; + for (String provider : providers) { + props.setProperty("security.provider." + pNum, provider); + pNum ++; + if (debug != null) { + debug.println("Added restricted security provider: " + provider); + } + } + } + + /** + * Add restricted security properties. + * + * @param props the java.security properties. + */ + private static void setProperties(Properties props, RestrictedSecurityProperties properties) { + + if (debug != null) { + debug.println("Adding restricted security properties."); + } + + Map propsMapping = new HashMap<>(); + + // JDK properties name as Key, restricted security properties vaule as value. + propsMapping.put("jdk.tls.disabledNamedCurves", properties.getJdkTlsDisabledNamedCurves()); + propsMapping.put("jdk.tls.disabledAlgorithms", properties.getJdkTlsDisabledAlgorithms()); + propsMapping.put("jdk.tls.ephemeralDHKeySize", properties.getJdkTlsDphemeralDHKeySize()); + propsMapping.put("jdk.tls.legacyAlgorithms", properties.getJdkTlsLegacyAlgorithms()); + propsMapping.put("jdk.certpath.disabledAlgorithms", properties.getJdkCertpathDisabledAlgorithms()); + propsMapping.put("jdk.security.legacyAlgorithm", properties.getJdkSecurityLegacyAlgorithm()); + + for (Map.Entry entry : propsMapping.entrySet()) { + String jdkPropsName = entry.getKey(); + String propsNewValue = entry.getValue(); + + String propsOldValue = notNullEmpty(props.getProperty(jdkPropsName)) ? props.getProperty(jdkPropsName) : ""; + + if (notNullEmpty(propsNewValue)) { + props.setProperty(jdkPropsName, + notNullEmpty(propsOldValue) ? propsOldValue + ", " + propsNewValue : propsNewValue); + if (debug != null) { + debug.println("Added restricted security properties, with property: " + jdkPropsName + " values: " + + (notNullEmpty(propsOldValue) ? propsOldValue + ", " + propsNewValue : propsNewValue)); + } + } + } + + // For keyStore and keystore.type, old value not needed, just set the new value. + if (notNullEmpty(properties.getKeyStoreType())) + props.setProperty("keystore.type", properties.getKeyStoreType()); + if (notNullEmpty(properties.getKeyStore())) + System.setProperty("javax.net.ssl.keyStore", properties.getKeyStore()); + } + + /** + * Check if restricted security policy sunset. + * + * @param descSunsetDate the sun set date from java.security. + * @return true if the restricted security policy sunset. + */ + private static boolean isPolicySunset(String descSunsetDate) { + + boolean isSunset = false; + try { + if (LocalDate.parse(descSunsetDate, DateTimeFormatter.ofPattern("MM/dd/yyyy")).isBefore(LocalDate.now())) { + isSunset = true; + } + } catch (Exception except) { + new RuntimeException( + "Restricted security policy sunset date is inccorect, the correct format is MM/dd/yyyy.") + .printStackTrace(); + System.exit(1); + } + + if (debug != null) { + debug.println("Restricted security policy is sunset: " + isSunset); + } + + return isSunset; + } + + /** + * Check if the input string is not null and empty. + * + * @param string the input string. + * @return true if the input string is not null and emtpy. + */ + private static boolean notNullEmpty(String string) { + return (string == null || string.isEmpty() || string.trim().isEmpty()) ? false : true; + } +} diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityProperties.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityProperties.java new file mode 100644 index 00000000000..11a6d255370 --- /dev/null +++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityProperties.java @@ -0,0 +1,658 @@ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved + * =========================================================================== + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * IBM designates this particular file as subject to the "Classpath" exception + * as provided by IBM in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, see . + * + * =========================================================================== + */ + +package openj9.internal.security; + +import java.security.Provider.Service; +import java.util.ArrayDeque; +import java.util.ArrayList; +import java.util.Deque; +import java.util.HashMap; +import java.util.Map; +import java.util.Properties; + +import sun.security.util.Debug; + +public final class RestrictedSecurityProperties { + + private static final Debug debug = Debug.getInstance("semerufips"); + + private static RestrictedSecurityProperties instance = null; + + private static String descName; + private static String descNumber; + private static String descPolicy; + private static String descSunsetDate; + + // Security properties. + private static String jdkTlsDisabledNamedCurves; + private static String jdkTlsDisabledAlgorithms; + private static String jdkTlsDphemeralDHKeySize; + private static String jdkTlsLegacyAlgorithms; + private static String jdkCertpathDisabledAlgorithms; + private static String jdkSecurityLegacyAlgorithm; + private static String keyStoreType; + private static String keyStore; + + // For Secure Random. + private static String jdkSecureRandomProvider; + private static String jdkSecureRandomAlgorithm; + + // Provider with argument (provider name + optional argument). + private static ArrayList providers; + // Provider without argument. + private static ArrayList providersSN; + // Constraints for each provider if there are. + private static Map providerConstraints; + + private static String userSecurityNum = "0"; + private static boolean userSecurityTrace = false; + private static boolean userSecurityAudit = false; + private static boolean userSecurityHelp = false; + + // The java.security properties. + private Properties securityProps; + + /** + * + * @param num the restricted security setting number. + * @param props the java.security properties. + * @param trace the user security trace. + * @param audit the user security audit. + * @param help the user security help. + */ + private RestrictedSecurityProperties(String num, Properties props, boolean trace, boolean audit, boolean help) { + + userSecurityNum = num; + userSecurityTrace = trace; + userSecurityAudit = audit; + userSecurityHelp = help; + securityProps = props; + } + + /** + * Get instance of RestrictedSecurityProperties. + * + * @param num the restricted security setting number. + * @param props the java.security properties. + * @param trace the user security trace. + * @param audit the user security audit. + * @param help the user security help. + * @return the created RestrictedSecurityProperties instance. + */ + public static RestrictedSecurityProperties getInstance(String num, Properties props, boolean trace, boolean audit, + boolean help) { + if (instance == null) { + instance = new RestrictedSecurityProperties(num, props, trace, audit, help); + } + return instance; + } + + /** + * Get instance of RestrictedSecurityProperties. + * + * @return the created RestrictedSecurityProperties instance. + */ + public static RestrictedSecurityProperties getInstance() { + if (instance == null) { + throw new RuntimeException( + "Restricted security mode initialization error, call getInstance with variables first."); + } + return instance; + } + + /** + * Initialize the restricted security properties. + */ + public void init() { + if (debug != null) { + debug.println("Loading Java restricted security properties."); + } + + if (securityProps == null) { + throw new RuntimeException( + "Restricted security mode initialization error, call getInstance with variables first."); + } + + try { + + // Print out the Help and Audit info. + if (userSecurityHelp) { + printHelp(); + if ("0".equals(userSecurityNum)) { + if (debug != null) { + debug.println("Print out the help info and exit."); + } + System.exit(0); + } + } + if (userSecurityAudit) { + listAudit(); + if ("0".equals(userSecurityNum)) { + if (debug != null) { + debug.println("Print out the audit info and exit."); + } + System.exit(0); + } + } + + // Load the restricted security providers from java.security properties. + initProviders(); + // Load the restricted security properties from java.security properties. + initProperties(); + // Load the restricted security provider constraints from java.security properties. + initConstraints(); + + // Print out the Trace info. + if (userSecurityTrace) + listTrace(); + + if (debug != null) { + debug.println("Loaded Java restricted security properties."); + } + } catch (Exception e) { + if (debug != null) { + debug.println("Unable to load Java restricted security properties."); + } + e.printStackTrace(); + } + } + + /** + * Load restricted security provider. + */ + private void initProviders() { + + if (debug != null) { + debug.println("Loading restricted security providers."); + } + + providers = new ArrayList(); + providersSN = new ArrayList(); + + int pNum = 1; + while (notNullEmpty( + securityProps.getProperty("RestrictedSecurity" + userSecurityNum + ".jce.provider." + pNum))) { + + String providerInfo = securityProps + .getProperty("RestrictedSecurity" + userSecurityNum + ".jce.provider." + pNum); + + if (!areBracketsBalanced(providerInfo)) { + new RuntimeException("Restricted security provider format is inccorect: " + providerInfo) + .printStackTrace(); + System.exit(1); + } + + String providerName = (providerInfo.indexOf("[") < 0) ? providerInfo.trim() + : providerInfo.substring(0, providerInfo.indexOf("[")).trim(); + // Provider with argument (provider name + optional argument). + providers.add(pNum - 1, providerName); + + if (providerName.indexOf(" ") > 0) { + providerName = providerName.substring(0, providerName.indexOf(" ")); + } + // Provider without argument. + providersSN.add(pNum - 1, providerName); + + if (debug != null) { + debug.println("Loaded restricted security provider: " + providers.get(pNum - 1) + " with short name: " + + providersSN.get(pNum - 1)); + } + pNum++; + } + + if (providers.isEmpty()) { + new RuntimeException("Restricted security mode provider list empty, " + + "or no such restricted security policy in java.security file.").printStackTrace(); + System.exit(1); + } + } + + /** + * Load restricted security properties. + */ + private void initProperties() { + + if (debug != null) { + debug.println("Loading restricted security properties."); + } + + descName = securityProps.getProperty("RestrictedSecurity" + userSecurityNum + ".desc.name").trim(); + descNumber = securityProps.getProperty("RestrictedSecurity" + userSecurityNum + ".desc.number").trim(); + descPolicy = securityProps.getProperty("RestrictedSecurity" + userSecurityNum + ".desc.policy").trim(); + descSunsetDate = securityProps.getProperty("RestrictedSecurity" + userSecurityNum + ".desc.sunsetDate").trim(); + + jdkTlsDisabledNamedCurves = securityProps + .getProperty("RestrictedSecurity" + userSecurityNum + ".tls.disabledNamedCurves").trim(); + jdkTlsDisabledAlgorithms = securityProps + .getProperty("RestrictedSecurity" + userSecurityNum + ".tls.disabledAlgorithms").trim(); + jdkTlsDphemeralDHKeySize = securityProps + .getProperty("RestrictedSecurity" + userSecurityNum + ".tls.ephemeralDHKeySize").trim(); + jdkTlsLegacyAlgorithms = securityProps + .getProperty("RestrictedSecurity" + userSecurityNum + ".tls.legacyAlgorithms").trim(); + jdkCertpathDisabledAlgorithms = securityProps + .getProperty("RestrictedSecurity" + userSecurityNum + ".jce.certpath.disabledAlgorithms").trim(); + jdkSecurityLegacyAlgorithm = securityProps + .getProperty("RestrictedSecurity" + userSecurityNum + ".jce.legacyAlgorithms"); + keyStoreType = securityProps.getProperty("RestrictedSecurity" + userSecurityNum + ".keystore.type").trim(); + keyStore = securityProps.getProperty("RestrictedSecurity" + userSecurityNum + ".javax.net.ssl.keyStore").trim(); + + jdkSecureRandomProvider = securityProps + .getProperty("RestrictedSecurity" + userSecurityNum + ".securerandom.provider").trim(); + jdkSecureRandomAlgorithm = securityProps + .getProperty("RestrictedSecurity" + userSecurityNum + ".securerandom.algorithm").trim(); + + if (debug != null) { + debug.println("Loaded restricted security properties."); + } + } + + /** + * Load security constraints with type, algorithm, attributes. + * + * Example: + * RestrictedSecurity1.jce.provider.1 = SUN [{CertPathBuilder, PKIX, *}, {Policy, + * JavaPolicy, *}, {CertPathValidator, *, *}]. + */ + private void initConstraints() { + + // Key is the Provider Name, Value is the Constraints. + providerConstraints = new HashMap(); + + for (int pNum = 1; pNum <= providersSN.size(); pNum++) { + + String providerName = providersSN.get(pNum - 1); + String providerInfo = securityProps + .getProperty("RestrictedSecurity" + userSecurityNum + ".jce.provider." + pNum); + + if (debug != null) { + debug.println("Loading constraints for security provider: " + providerName); + } + + // Provider with constraints. + if (providerInfo.indexOf("[") > 0) { + + providerInfo = providerInfo.trim().replaceAll(" ", ""); + String[] inputArray = providerInfo.substring(providerInfo.indexOf("[") + 2, providerInfo.length() - 2) + .split("\\},\\{"); + + // Column is type, algorithm and attributes. + String[][] constraints = new String[inputArray.length][3]; + + int cNum = 0; + for (String input : inputArray) { + String[] constraint = input.trim().split(","); + + constraints[cNum][0] = notNullEmpty(constraint[0]) ? constraint[0].trim() : "*"; + constraints[cNum][1] = notNullEmpty(constraint[1]) ? constraint[1].trim() : "*"; + constraints[cNum][2] = notNullEmpty(constraint[2]) ? constraint[2].trim() : "*"; + + if (debug != null) { + debug.println("Loading constraints for provider " + providerName + " with constraints type: " + + constraints[cNum][0] + " algorithm: " + constraints[cNum][1] + " attributes: " + + constraints[cNum][2]); + } + cNum++; + } + providerConstraints.put(providerName, constraints); + if (debug != null) { + debug.println("Loaded constraints for security provider: " + providerName); + } + } + } + } + + /** + * Check if the Service is allowed in restricted security mode. + * + * @param service the Service to check. + * @return true if the Service is allowed. + */ + public boolean isServiceAllowed(Service service) { + + boolean isRegister = true; + + String providerName = service.getProvider().getName(); + String type = service.getType(); + String algorithm = service.getAlgorithm(); + + // Provider with argument, remove argument. + // e.g. SunPKCS11-NSS-FIPS, remove argument -NSS-FIPS. + if (providerName.indexOf("-") > 0) { + providerName = providerName.substring(0, providerName.indexOf("-")); + } + + String[][] constraints = providerConstraints.get(providerName); + + // Go into the security provider constraints check if there are. + if (constraints != null && constraints.length >= 0) { + + isRegister = false; + for (int cNum = 0; cNum < constraints.length; cNum++) { + + boolean cTypePut = "*".equals(constraints[cNum][0]) ? true + : type.equals(constraints[cNum][0]); + boolean cAlgorithmPut = "*".equals(constraints[cNum][1]) ? true + : algorithm.equals(constraints[cNum][1]); + boolean cAttributePut = "*".equals(constraints[cNum][2]); + + if (cTypePut && cAlgorithmPut && cAttributePut) { + if (debug != null) { + debug.println("Security constraints check, service type " + type + " algorithm " + algorithm + + " is allowed in provider " + providerName); + } + isRegister = true; + return isRegister; + } + + if (cTypePut && cAlgorithmPut) { + String[] cAttributes = constraints[cNum][2].split(":"); + cAttributePut = true; + + for (String cAttribute : cAttributes) { + String[] input = cAttribute.trim().split("="); + String name = input[0]; + String value = input[1]; + cAttributePut = ((service.getAttribute(name) != null) + && value.equalsIgnoreCase(service.getAttribute(name))) ? cAttributePut && true + : cAttributePut && false; + } + + if (cAttributePut) { + if (debug != null) { + debug.println( + "Security constraints check, service type " + type + " algorithm " + algorithm + + " attribute " + constraints[cNum][2] + " is allowed in provider " + + providerName); + } + isRegister = true; + return isRegister; + } + } + } + if (debug != null) { + debug.println("Security constraints check, service type " + type + " algorithm " + algorithm + + " is NOT allowed in provider " + providerName); + } + } + return isRegister; + } + + /** + * Check if the provider is allowed in restricted security mode. + * + * @param provider the provider to check. + * @return true if the provider is allowed. + */ + public boolean isProviderAllow(String providerName) { + + boolean isAllow = false; + + // Remove the provider class package name if there is. + providerName = providerName.indexOf(".") > 0 + ? providerName.substring(providerName.lastIndexOf(".") + 1, providerName.length()) + : providerName; + + // Remove argument, e.g. -NSS-FIPS, if there is. + providerName = (providerName.indexOf("-") > 0) + ? providerName.substring(0, providerName.indexOf("-")) + : providerName; + + // Check if the provider is in the restricted security provider list. + // If not, the provider won't be registered. + if (providersSN.contains(providerName)) { + if (debug != null) { + debug.println("The provider " + providerName + " is allowed in the restricted security mode."); + } + isAllow = true; + return isAllow; + } + + if (debug != null) { + debug.println("The provider " + providerName + " is not allowed in the restricted security mode."); + + System.out.println("Stack trace:"); + StackTraceElement[] elements = Thread.currentThread().getStackTrace(); + for (int i = 1; i < elements.length; i++) { + StackTraceElement stack = elements[i]; + System.out.println("\tat " + stack.getClassName() + "." + stack.getMethodName() + "(" + + stack.getFileName() + ":" + stack.getLineNumber() + ")"); + } + } + return isAllow; + } + + /** + * List Audit info if userSecurityAudit is ture, default as false. + */ + protected void listAudit() { + + System.out.println(" "); + System.out.println("Restricted Security Audit Info: "); + System.out.println("================ "); + + int num = 1; + while (notNullEmpty(securityProps.getProperty("RestrictedSecurity" + num + ".desc.name"))) { + System.out.println("RestrictedSecurity" + num + ".desc.name: " + + securityProps.getProperty("RestrictedSecurity" + num + ".desc.name")); + System.out.println("RestrictedSecurity" + num + ".desc.number: " + + securityProps.getProperty("RestrictedSecurity" + num + ".desc.number")); + System.out.println("RestrictedSecurity" + num + ".desc.policy: " + + securityProps.getProperty("RestrictedSecurity" + num + ".desc.policy")); + System.out.println("RestrictedSecurity" + num + ".desc.sunsetDate: " + + securityProps.getProperty("RestrictedSecurity" + num + ".desc.sunsetDate")); + System.out.println(" "); + num++; + } + } + + /** + * List Trace info if userSecurityTrace is true, default as false. + */ + protected void listTrace() { + + System.out.println(" "); + System.out.println("Restricted Security Trace Info: "); + System.out.println("================ "); + System.out.println("RestrictedSecurity" + userSecurityNum + ".desc.name: " + descName); + System.out.println("RestrictedSecurity" + userSecurityNum + ".desc.number: " + descNumber); + System.out.println("RestrictedSecurity" + userSecurityNum + ".desc.policy: " + descPolicy); + System.out.println("RestrictedSecurity" + userSecurityNum + ".desc.sunsetDate: " + descSunsetDate); + System.out.println(" "); + + // List only restrictions. + System.out.println("RestrictedSecurity" + userSecurityNum + ".tls.disabledNamedCurves: " + + jdkTlsDisabledNamedCurves); + System.out.println("RestrictedSecurity" + userSecurityNum + ".tls.disabledAlgorithms: " + + jdkTlsDisabledAlgorithms); + System.out.println("RestrictedSecurity" + userSecurityNum + ".tls.ephemeralDHKeySize: " + + jdkTlsDphemeralDHKeySize); + System.out.println("RestrictedSecurity" + userSecurityNum + ".tls.legacyAlgorithms: " + + jdkTlsLegacyAlgorithms); + System.out.println("RestrictedSecurity" + userSecurityNum + ".jce.certpath.disabledAlgorithms: " + + jdkCertpathDisabledAlgorithms); + System.out.println("RestrictedSecurity" + userSecurityNum + ".jce.legacyAlgorithms: " + + jdkSecurityLegacyAlgorithm); + + System.out.println("RestrictedSecurity" + userSecurityNum + ".keystore.type: " + + keyStoreType); + System.out.println("RestrictedSecurity" + userSecurityNum + ".javax.net.ssl.keyStore: " + + keyStore); + System.out.println("RestrictedSecurity" + userSecurityNum + ".securerandom.provider: " + + jdkSecureRandomProvider); + System.out.println("RestrictedSecurity" + userSecurityNum + ".securerandom.algorithm: " + + jdkSecureRandomAlgorithm); + + // List providers. + System.out.println(" "); + for (int pNum = 1; pNum <= providers.size(); pNum++) { + System.out.println("RestrictedSecurity" + userSecurityNum + ".jce.provider." + pNum + ": " + + providers.get(pNum - 1)); + } + + System.out.println(" "); + } + + /** + * Print help info if userSecurityHelp is ture, default as false. + */ + protected void printHelp() { + + System.out.println(" "); + System.out.println("Usage: "); + System.out.println("====== "); + + System.out.println( + "-Dsemeru.restrictedsecurity= this flag will select the settings for the user " + + "specified restricted security policy."); + System.out.println( + "-Dsemeru.restrictedsecurity=audit will list the name and number of all configured " + + "restricted security policies. it will NOT cause the jvm to terminate after printing " + + "the restricted security policies."); + System.out.println( + "-Dsemeru.restrictedsecurity=trace will list all properties relevant to the security " + + "restrict mode, including the existing default properties and the restricted security " + + "restrictions."); + System.out.println("-Dsemeru.restrictedsecurity=help print help message."); + + System.out.println("e.g. "); + System.out.println(" -Dsemeru.restrictedsecurity=1,trace,audit,help "); + System.out.println(" -Dsemeru.restrictedsecurity=help "); + + System.out.println(" "); + } + + /** + * Check if the input string is not null and empty. + * + * @param string the input string. + * @return true if the input string is not null and emtpy. + */ + private boolean notNullEmpty(String string) { + return (string == null || string.isEmpty() || string.trim().isEmpty()) ? false : true; + } + + /** + * Function to check if brackets are balanced. + * + * @param string Input string for checking. + * @return true if the brackets are balanced. + */ + private boolean areBracketsBalanced(String string) { + + Deque stack = new ArrayDeque(); + + for (int i = 0; i < string.length(); i++) { + char x = string.charAt(i); + + if (x == '(' || x == '[' || x == '{') { + stack.push(x); + continue; + } + + char check; + switch (x) { + case ')': + check = stack.pop(); + if (check == '{' || check == '[') + return false; + break; + + case '}': + check = stack.pop(); + if (check == '(' || check == '[') + return false; + break; + + case ']': + check = stack.pop(); + if (check == '(' || check == '{') + return false; + break; + } + } + // Check Empty Stack. + return (stack.isEmpty()); + } + + public String getDescName() { + return descName; + } + + public String getDescNumber() { + return descNumber; + } + + public String getDescPolicy() { + return descPolicy; + } + + public String getDescSunsetDate() { + return descSunsetDate; + } + + public String getJdkTlsDisabledNamedCurves() { + return jdkTlsDisabledNamedCurves; + } + + public String getJdkTlsDisabledAlgorithms() { + return jdkTlsDisabledAlgorithms; + } + + public String getJdkTlsDphemeralDHKeySize() { + return jdkTlsDphemeralDHKeySize; + } + + public String getJdkTlsLegacyAlgorithms() { + return jdkTlsLegacyAlgorithms; + } + + public String getJdkCertpathDisabledAlgorithms() { + return jdkCertpathDisabledAlgorithms; + } + + public String getJdkSecurityLegacyAlgorithm() { + return jdkSecurityLegacyAlgorithm; + } + + public String getKeyStoreType() { + return keyStoreType; + } + + public String getKeyStore() { + return keyStore; + } + + public ArrayList getProviders() { + return providers; + } + + public String getJdkSecureRandomProvider() { + return jdkSecureRandomProvider; + } + + public String getJdkSecureRandomAlgorithm() { + return jdkSecureRandomAlgorithm; + } +} diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java index 1f0bbfd766a..1db2b69289a 100644 --- a/src/java.base/share/classes/java/security/Provider.java +++ b/src/java.base/share/classes/java/security/Provider.java @@ -23,6 +23,12 @@ * questions. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved + * =========================================================================== + */ + package java.security; import java.io.*; @@ -35,6 +41,9 @@ import java.util.function.Function; import java.util.concurrent.ConcurrentHashMap; +import openj9.internal.security.RestrictedSecurityConfigurator; +import openj9.internal.security.RestrictedSecurityProperties; + /** * This class represents a "provider" for the * Java Security API, where a provider implements some or all parts of @@ -1372,6 +1381,12 @@ protected void putService(Service s) { throw new IllegalArgumentException ("service.getProvider() must match this Provider object"); } + if (RestrictedSecurityConfigurator.isEnabled()) { + // If restricted security is not allow, then return without register. + if (!RestrictedSecurityProperties.getInstance().isServiceAllowed(s)) { + return; + } + } String type = s.getType(); String algorithm = s.getAlgorithm(); ServiceKey key = new ServiceKey(type, algorithm, true); diff --git a/src/java.base/share/classes/java/security/SecureRandom.java b/src/java.base/share/classes/java/security/SecureRandom.java index 9e23ab1e009..3681e221a79 100644 --- a/src/java.base/share/classes/java/security/SecureRandom.java +++ b/src/java.base/share/classes/java/security/SecureRandom.java @@ -41,7 +41,8 @@ import sun.security.provider.SunEntries; import sun.security.util.Debug; -import openj9.internal.security.FIPSConfigurator; +import openj9.internal.security.RestrictedSecurityConfigurator; +import openj9.internal.security.RestrictedSecurityProperties; /** * This class provides a cryptographically strong random number @@ -270,27 +271,29 @@ private void getDefaultPRNG(boolean setSeed, byte[] seed) { Service prngService = null; String prngAlgorithm = null; - // If in FIPS mode, use the SecureRandom from the FIPS provider - if (FIPSConfigurator.enableFips()) { - Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); - prngAlgorithm = "PKCS11"; - prngService = p.getService("SecureRandom", prngAlgorithm); - } else { - for (Provider p : Providers.getProviderList().providers()) { - // SUN provider uses the SunEntries.DEF_SECURE_RANDOM_ALGO - // as the default SecureRandom algorithm; for other providers, - // Provider.getDefaultSecureRandom() will use the 1st - // registered SecureRandom algorithm - if (p.getName().equals("SUN")) { - prngAlgorithm = SunEntries.DEF_SECURE_RANDOM_ALGO; + for (Provider p : Providers.getProviderList().providers()) { + // In restricted security mode, use the SecureRandom from restricted security provider. + if (RestrictedSecurityConfigurator.isEnabled()) { + String srProvider = RestrictedSecurityProperties.getInstance().getJdkSecureRandomProvider(); + if (p.getName().equals(srProvider)) { + prngAlgorithm = RestrictedSecurityProperties.getInstance().getJdkSecureRandomAlgorithm(); prngService = p.getService("SecureRandom", prngAlgorithm); break; - } else { - prngService = p.getDefaultSecureRandomService(); - if (prngService != null) { - prngAlgorithm = prngService.getAlgorithm(); - break; - } + } + } + // SUN provider uses the SunEntries.DEF_SECURE_RANDOM_ALGO + // as the default SecureRandom algorithm; for other providers, + // Provider.getDefaultSecureRandom() will use the 1st + // registered SecureRandom algorithm + else if (p.getName().equals("SUN")) { + prngAlgorithm = SunEntries.DEF_SECURE_RANDOM_ALGO; + prngService = p.getService("SecureRandom", prngAlgorithm); + break; + } else { + prngService = p.getDefaultSecureRandomService(); + if (prngService != null) { + prngAlgorithm = prngService.getAlgorithm(); + break; } } } diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java index 3135b209549..125466a9c11 100644 --- a/src/java.base/share/classes/java/security/Security.java +++ b/src/java.base/share/classes/java/security/Security.java @@ -50,7 +50,7 @@ import openj9.internal.criu.security.CRIUConfigurator; /*[ENDIF] CRIU_SUPPORT*/ -import openj9.internal.security.FIPSConfigurator; +import openj9.internal.security.RestrictedSecurityConfigurator; /** *

This class centralizes all security properties and common security @@ -212,14 +212,14 @@ private static void initialize() { } /*[ENDIF] CRIU_SUPPORT*/ - // Load FIPS properties + // Load restricted security mode properties. if (loadedProps) { - boolean fipsEnabled = FIPSConfigurator.configureFIPS(props); + boolean enabled = RestrictedSecurityConfigurator.configure(props); if (sdebug != null) { - if (fipsEnabled) { - sdebug.println("FIPS mode enabled."); + if (enabled) { + sdebug.println("Restricted security mode enabled."); } else { - sdebug.println("FIPS mode disabled."); + sdebug.println("Restricted security mode disabled."); } } } diff --git a/src/java.base/share/classes/java/util/ServiceLoader.java b/src/java.base/share/classes/java/util/ServiceLoader.java index d248d1ea4a7..22abb7ae1ed 100644 --- a/src/java.base/share/classes/java/util/ServiceLoader.java +++ b/src/java.base/share/classes/java/util/ServiceLoader.java @@ -23,6 +23,12 @@ * questions. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved + * =========================================================================== + */ + package java.util; import java.io.BufferedReader; @@ -57,6 +63,9 @@ import jdk.internal.reflect.CallerSensitive; import jdk.internal.reflect.Reflection; +import openj9.internal.security.RestrictedSecurityConfigurator; +import openj9.internal.security.RestrictedSecurityProperties; + /** * A facility to load implementations of a service. * @@ -777,7 +786,18 @@ private S newInstance() { Throwable exc = null; if (acc == null) { try { - p = ctor.newInstance(); + // If the specified class extends Provider && restricted security mode enable. + if (java.security.Provider.class.isAssignableFrom(ctor.getDeclaringClass()) + && RestrictedSecurityConfigurator.isEnabled()) { + // Load the provider if it is allowed in restricted security mode. + // Do nothing(return p = null) if it is not allowed. + if (RestrictedSecurityProperties.getInstance() + .isProviderAllow(ctor.getDeclaringClass().getName())) { + p = ctor.newInstance(); + } + } else { + p = ctor.newInstance(); + } } catch (Throwable x) { exc = x; } diff --git a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java index a07d6fea8b8..d4df599d60c 100644 --- a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java +++ b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java @@ -23,6 +23,12 @@ * questions. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved + * =========================================================================== + */ + package sun.security.jca; import java.io.File; @@ -33,6 +39,9 @@ import sun.security.util.PropertyExpander; +import openj9.internal.security.RestrictedSecurityConfigurator; +import openj9.internal.security.RestrictedSecurityProperties; + /** * Class representing a configured provider which encapsulates configuration * (provider name + optional argument), the provider loading logic, and @@ -162,6 +171,12 @@ public String toString() { // com.sun.net.ssl.internal.ssl.Provider has been deprecated since JDK 9 @SuppressWarnings("deprecation") synchronized Provider getProvider() { + // If provider is not allowed in restricted security mode, return without load. + if (RestrictedSecurityConfigurator.isEnabled()) { + if (!RestrictedSecurityProperties.getInstance().isProviderAllow(provName)) { + return null; + } + } // volatile variable load Provider p = provider; if (p != null) { @@ -338,12 +353,14 @@ public Provider load(String pn) { while (iter.hasNext()) { try { Provider p = iter.next(); - String pName = p.getName(); - if (debug != null) { - debug.println("Found SL Provider named " + pName); - } - if (pName.equals(pn)) { - return p; + if (p != null) { + String pName = p.getName(); + if (debug != null) { + debug.println("Found SL Provider named " + pName); + } + if (pName.equals(pn)) { + return p; + } } } catch (SecurityException | ServiceConfigurationError | InvalidParameterException ex) { diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java index a34f822b5bb..950400f6a64 100644 --- a/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java @@ -40,8 +40,6 @@ import jdk.internal.util.StaticProperty; import sun.security.action.GetPropertyAction; -import openj9.internal.security.FIPSConfigurator; - /** * Defines the entries of the SUN provider. * @@ -118,266 +116,218 @@ public static List createAliasesWithOid(String ... oids) { // common attribute map HashMap attrs = new HashMap<>(3); - if (FIPSConfigurator.enableFips()) { - // FIPS supported - attrs.put("ImplementedIn", "Software"); - - /* - * Certificates - */ - add(p, "CertificateFactory", "X.509", - "sun.security.provider.X509Factory", - createAliases("X509"), attrs); - - /* - * CertStores - */ - add(p, "CertStore", "Collection", - "sun.security.provider.certpath.CollectionCertStore", - null, attrs); - add(p, "CertStore", "com.sun.security.IndexedCollection", - "sun.security.provider.certpath.IndexedCollectionCertStore", + /* + * SecureRandom engines + */ + attrs.put("ThreadSafe", "true"); + if (NativePRNG.isAvailable()) { + add(p, "SecureRandom", "NativePRNG", + "sun.security.provider.NativePRNG", null, attrs); - - /* - * Policy - */ - add(p, "Policy", "JavaPolicy", "sun.security.provider.PolicySpiFile", - null, null); - - /* - * Configuration - */ - add(p, "Configuration", "JavaLoginConfig", - "sun.security.provider.ConfigFile$Spi", null, null); - - /* - * CertPathBuilder and CertPathValidator - */ - attrs.clear(); - attrs.put("ValidationAlgorithm", "RFC5280"); - attrs.put("ImplementedIn", "Software"); - - add(p, "CertPathBuilder", "PKIX", - "sun.security.provider.certpath.SunCertPathBuilder", - null, attrs); - add(p, "CertPathValidator", "PKIX", - "sun.security.provider.certpath.PKIXCertPathValidator", - null, attrs); - } else { - /* - * SecureRandom engines - */ - attrs.put("ThreadSafe", "true"); - if (NativePRNG.isAvailable()) { - add(p, "SecureRandom", "NativePRNG", - "sun.security.provider.NativePRNG", - null, attrs); - } - if (NativePRNG.Blocking.isAvailable()) { - add(p, "SecureRandom", "NativePRNGBlocking", - "sun.security.provider.NativePRNG$Blocking", null, attrs); - } - if (NativePRNG.NonBlocking.isAvailable()) { - add(p, "SecureRandom", "NativePRNGNonBlocking", - "sun.security.provider.NativePRNG$NonBlocking", null, attrs); - } - attrs.put("ImplementedIn", "Software"); - add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", + } + if (NativePRNG.Blocking.isAvailable()) { + add(p, "SecureRandom", "NativePRNGBlocking", + "sun.security.provider.NativePRNG$Blocking", null, attrs); + } + if (NativePRNG.NonBlocking.isAvailable()) { + add(p, "SecureRandom", "NativePRNGNonBlocking", + "sun.security.provider.NativePRNG$NonBlocking", null, attrs); + } + attrs.put("ImplementedIn", "Software"); + add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", null, attrs); - add(p, "SecureRandom", "SHA1PRNG", - "sun.security.provider.SecureRandom", null, attrs); - - /* - * Signature engines - */ - attrs.clear(); - String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + - "|java.security.interfaces.DSAPrivateKey"; - attrs.put("SupportedKeyClasses", dsaKeyClasses); - attrs.put("ImplementedIn", "Software"); - - attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures - - add(p, "Signature", "SHA1withDSA", - "sun.security.provider.DSA$SHA1withDSA", - createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS", + add(p, "SecureRandom", "SHA1PRNG", + "sun.security.provider.SecureRandom", null, attrs); + + /* + * Signature engines + */ + attrs.clear(); + String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + + "|java.security.interfaces.DSAPrivateKey"; + attrs.put("SupportedKeyClasses", dsaKeyClasses); + attrs.put("ImplementedIn", "Software"); + + attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures + + add(p, "Signature", "SHA1withDSA", + "sun.security.provider.DSA$SHA1withDSA", + createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS", "SHA/DSA", "SHA-1/DSA", "SHA1/DSA", "SHAwithDSA", - "DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), attrs); - add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA", - createAliases("RawDSA"), attrs); - - attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures - - add(p, "Signature", "SHA224withDSA", - "sun.security.provider.DSA$SHA224withDSA", - createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs); - add(p, "Signature", "SHA256withDSA", - "sun.security.provider.DSA$SHA256withDSA", - createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs); - - attrs.remove("KeySize"); - - add(p, "Signature", "SHA1withDSAinP1363Format", - "sun.security.provider.DSA$SHA1withDSAinP1363Format", - null, null); - add(p, "Signature", "NONEwithDSAinP1363Format", - "sun.security.provider.DSA$RawDSAinP1363Format", - null, null); - add(p, "Signature", "SHA224withDSAinP1363Format", - "sun.security.provider.DSA$SHA224withDSAinP1363Format", - null, null); - add(p, "Signature", "SHA256withDSAinP1363Format", - "sun.security.provider.DSA$SHA256withDSAinP1363Format", - null, null); - - /* - * Key Pair Generator engines - */ - attrs.clear(); - attrs.put("ImplementedIn", "Software"); - attrs.put("KeySize", "2048"); // for DSA KPG and APG only - - String dsaOid = "1.2.840.10040.4.1"; - List dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12"); - String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; - dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); - add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs); - - /* - * Algorithm Parameter Generator engines - */ - add(p, "AlgorithmParameterGenerator", "DSA", - "sun.security.provider.DSAParameterGenerator", dsaAliases, - attrs); - attrs.remove("KeySize"); - - /* - * Algorithm Parameter engines - */ - add(p, "AlgorithmParameters", "DSA", - "sun.security.provider.DSAParameters", dsaAliases, attrs); - - /* - * Key factories - */ - add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory", - dsaAliases, attrs); - - /* - * Digest engines - */ - String providerSHA; - String providerSHA224; - String providerSHA256; - String providerSHA384; - String providerSHA512; - /* - * Set the digest provider based on whether native crypto is - * enabled or not. - */ - if (useNativeDigest) { - providerSHA = "sun.security.provider.NativeSHA"; - providerSHA224 = "sun.security.provider.NativeSHA2$SHA224"; - providerSHA256 = "sun.security.provider.NativeSHA2$SHA256"; - providerSHA384 = "sun.security.provider.NativeSHA5$SHA384"; - providerSHA512 = "sun.security.provider.NativeSHA5$SHA512"; - } else { - providerSHA = "sun.security.provider.SHA"; - providerSHA224 = "sun.security.provider.SHA2$SHA224"; - providerSHA256 = "sun.security.provider.SHA2$SHA256"; - providerSHA384 = "sun.security.provider.SHA5$SHA384"; - providerSHA512 = "sun.security.provider.SHA5$SHA512"; - } - - add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs); - add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs); - add(p, "MessageDigest", "SHA", providerSHA, - createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs); - - String sha2BaseOid = "2.16.840.1.101.3.4.2"; - add(p, "MessageDigest", "SHA-224", providerSHA224, - createAliasesWithOid(sha2BaseOid + ".4"), attrs); - add(p, "MessageDigest", "SHA-256", providerSHA256, - createAliasesWithOid(sha2BaseOid + ".1"), attrs); - add(p, "MessageDigest", "SHA-384", providerSHA384, - createAliasesWithOid(sha2BaseOid + ".2"), attrs); - add(p, "MessageDigest", "SHA-512", providerSHA512, - createAliasesWithOid(sha2BaseOid + ".3"), attrs); - add(p, "MessageDigest", "SHA-512/224", - "sun.security.provider.SHA5$SHA512_224", - createAliasesWithOid(sha2BaseOid + ".5"), attrs); - add(p, "MessageDigest", "SHA-512/256", - "sun.security.provider.SHA5$SHA512_256", - createAliasesWithOid(sha2BaseOid + ".6"), attrs); - add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224", - createAliasesWithOid(sha2BaseOid + ".7"), attrs); - add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256", - createAliasesWithOid(sha2BaseOid + ".8"), attrs); - add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384", - createAliasesWithOid(sha2BaseOid + ".9"), attrs); - add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512", - createAliasesWithOid(sha2BaseOid + ".10"), attrs); - - /* - * Certificates - */ - add(p, "CertificateFactory", "X.509", - "sun.security.provider.X509Factory", - createAliases("X509"), attrs); - - /* - * KeyStore - */ - add(p, "KeyStore", "PKCS12", - "sun.security.pkcs12.PKCS12KeyStore$DualFormatPKCS12", - null, null); - add(p, "KeyStore", "JKS", - "sun.security.provider.JavaKeyStore$DualFormatJKS", - null, attrs); - add(p, "KeyStore", "CaseExactJKS", - "sun.security.provider.JavaKeyStore$CaseExactJKS", - null, attrs); - add(p, "KeyStore", "DKS", "sun.security.provider.DomainKeyStore$DKS", - null, attrs); - - - /* - * CertStores - */ - add(p, "CertStore", "Collection", - "sun.security.provider.certpath.CollectionCertStore", - null, attrs); - add(p, "CertStore", "com.sun.security.IndexedCollection", - "sun.security.provider.certpath.IndexedCollectionCertStore", - null, attrs); - - /* - * Policy - */ - add(p, "Policy", "JavaPolicy", "sun.security.provider.PolicySpiFile", - null, null); + "DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), + attrs); + add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA", + createAliases("RawDSA"), attrs); + + attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures + + add(p, "Signature", "SHA224withDSA", + "sun.security.provider.DSA$SHA224withDSA", + createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs); + add(p, "Signature", "SHA256withDSA", + "sun.security.provider.DSA$SHA256withDSA", + createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs); + + attrs.remove("KeySize"); + + add(p, "Signature", "SHA1withDSAinP1363Format", + "sun.security.provider.DSA$SHA1withDSAinP1363Format", + null, null); + add(p, "Signature", "NONEwithDSAinP1363Format", + "sun.security.provider.DSA$RawDSAinP1363Format", + null, null); + add(p, "Signature", "SHA224withDSAinP1363Format", + "sun.security.provider.DSA$SHA224withDSAinP1363Format", + null, null); + add(p, "Signature", "SHA256withDSAinP1363Format", + "sun.security.provider.DSA$SHA256withDSAinP1363Format", + null, null); + + /* + * Key Pair Generator engines + */ + attrs.clear(); + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only + + String dsaOid = "1.2.840.10040.4.1"; + List dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12"); + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; + dsaKPGImplClass += (useLegacyDSA ? "Legacy" : "Current"); + add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs); + + /* + * Algorithm Parameter Generator engines + */ + add(p, "AlgorithmParameterGenerator", "DSA", + "sun.security.provider.DSAParameterGenerator", dsaAliases, + attrs); + attrs.remove("KeySize"); + + /* + * Algorithm Parameter engines + */ + add(p, "AlgorithmParameters", "DSA", + "sun.security.provider.DSAParameters", dsaAliases, attrs); + + /* + * Key factories + */ + add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory", + dsaAliases, attrs); + + /* + * Digest engines + */ + String providerSHA; + String providerSHA224; + String providerSHA256; + String providerSHA384; + String providerSHA512; + /* + * Set the digest provider based on whether native crypto is + * enabled or not. + */ + if (useNativeDigest) { + providerSHA = "sun.security.provider.NativeSHA"; + providerSHA224 = "sun.security.provider.NativeSHA2$SHA224"; + providerSHA256 = "sun.security.provider.NativeSHA2$SHA256"; + providerSHA384 = "sun.security.provider.NativeSHA5$SHA384"; + providerSHA512 = "sun.security.provider.NativeSHA5$SHA512"; + } else { + providerSHA = "sun.security.provider.SHA"; + providerSHA224 = "sun.security.provider.SHA2$SHA224"; + providerSHA256 = "sun.security.provider.SHA2$SHA256"; + providerSHA384 = "sun.security.provider.SHA5$SHA384"; + providerSHA512 = "sun.security.provider.SHA5$SHA512"; + } - /* - * Configuration - */ - add(p, "Configuration", "JavaLoginConfig", - "sun.security.provider.ConfigFile$Spi", null, null); + add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs); + add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs); + add(p, "MessageDigest", "SHA", providerSHA, + createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs); + + String sha2BaseOid = "2.16.840.1.101.3.4.2"; + add(p, "MessageDigest", "SHA-224", providerSHA224, + createAliasesWithOid(sha2BaseOid + ".4"), attrs); + add(p, "MessageDigest", "SHA-256", providerSHA256, + createAliasesWithOid(sha2BaseOid + ".1"), attrs); + add(p, "MessageDigest", "SHA-384", providerSHA384, + createAliasesWithOid(sha2BaseOid + ".2"), attrs); + add(p, "MessageDigest", "SHA-512", providerSHA512, + createAliasesWithOid(sha2BaseOid + ".3"), attrs); + add(p, "MessageDigest", "SHA-512/224", + "sun.security.provider.SHA5$SHA512_224", + createAliasesWithOid(sha2BaseOid + ".5"), attrs); + add(p, "MessageDigest", "SHA-512/256", + "sun.security.provider.SHA5$SHA512_256", + createAliasesWithOid(sha2BaseOid + ".6"), attrs); + add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224", + createAliasesWithOid(sha2BaseOid + ".7"), attrs); + add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256", + createAliasesWithOid(sha2BaseOid + ".8"), attrs); + add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384", + createAliasesWithOid(sha2BaseOid + ".9"), attrs); + add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512", + createAliasesWithOid(sha2BaseOid + ".10"), attrs); + + /* + * Certificates + */ + add(p, "CertificateFactory", "X.509", + "sun.security.provider.X509Factory", + createAliases("X509"), attrs); + + /* + * KeyStore + */ + add(p, "KeyStore", "PKCS12", + "sun.security.pkcs12.PKCS12KeyStore$DualFormatPKCS12", + null, null); + add(p, "KeyStore", "JKS", + "sun.security.provider.JavaKeyStore$DualFormatJKS", + null, attrs); + add(p, "KeyStore", "CaseExactJKS", + "sun.security.provider.JavaKeyStore$CaseExactJKS", + null, attrs); + add(p, "KeyStore", "DKS", "sun.security.provider.DomainKeyStore$DKS", + null, attrs); - /* - * CertPathBuilder and CertPathValidator - */ - attrs.clear(); - attrs.put("ValidationAlgorithm", "RFC5280"); - attrs.put("ImplementedIn", "Software"); + /* + * CertStores + */ + add(p, "CertStore", "Collection", + "sun.security.provider.certpath.CollectionCertStore", + null, attrs); + add(p, "CertStore", "com.sun.security.IndexedCollection", + "sun.security.provider.certpath.IndexedCollectionCertStore", + null, attrs); - add(p, "CertPathBuilder", "PKIX", - "sun.security.provider.certpath.SunCertPathBuilder", - null, attrs); - add(p, "CertPathValidator", "PKIX", - "sun.security.provider.certpath.PKIXCertPathValidator", - null, attrs); - } + /* + * Policy + */ + add(p, "Policy", "JavaPolicy", "sun.security.provider.PolicySpiFile", + null, null); + + /* + * Configuration + */ + add(p, "Configuration", "JavaLoginConfig", + "sun.security.provider.ConfigFile$Spi", null, null); + + /* + * CertPathBuilder and CertPathValidator + */ + attrs.clear(); + attrs.put("ValidationAlgorithm", "RFC5280"); + attrs.put("ImplementedIn", "Software"); + + add(p, "CertPathBuilder", "PKIX", + "sun.security.provider.certpath.SunCertPathBuilder", + null, attrs); + add(p, "CertPathValidator", "PKIX", + "sun.security.provider.certpath.PKIXCertPathValidator", + null, attrs); } Iterator iterator() { diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index 9af64321c40..22a5dba2b18 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -85,6 +85,58 @@ security.provider.tbd=Apple security.provider.tbd=SunPKCS11 #endif +#ifdef linux-x86 +# +# Java Security Restrictive Mode +# +RestrictedSecurity1.desc.name = Red Hat Enterprise Linux 8 NSS Cryptographic Module FIPS 140-2 +RestrictedSecurity1.desc.number = Certificate #3946 +RestrictedSecurity1.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3946 +RestrictedSecurity1.desc.sunsetDate = 06/06/2026 + +RestrictedSecurity1.tls.disabledNamedCurves = +RestrictedSecurity1.tls.disabledAlgorithms = X25519, X448, SSLv3, TLSv1, TLSv1.1, \ + TLS_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \ + TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \ + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \ + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \ + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \ + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \ + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, \ + TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, \ + TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, \ + TLS_RSA_WITH_AES_128_CBC_SHA, TLS_AES_256_GCM_SHA384, \ + TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \ + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, \ + TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, \ + TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, \ + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, \ + TLS_EMPTY_RENEGOTIATION_INFO_SCSV; +RestrictedSecurity1.tls.ephemeralDHKeySize = +RestrictedSecurity1.tls.legacyAlgorithms = + +RestrictedSecurity1.jce.certpath.disabledAlgorithms = +RestrictedSecurity1.jce.legacyAlgorithms = +RestrictedSecurity1.jce.provider.1 = SunPKCS11 ${java.home}/conf/security/nss.fips.cfg +RestrictedSecurity1.jce.provider.2 = SUN [{CertificateFactory, X.509, ImplementedIn=Software}, \ + {CertStore, Collection, ImplementedIn=Software}, \ + {CertStore, com.sun.security.IndexedCollection, ImplementedIn=Software}, \ + {Policy, JavaPolicy, *}, {Configuration, JavaLoginConfig, *}, \ + {CertPathBuilder, PKIX, ValidationAlgorithm=RFC5280:ImplementedIn=Software}, \ + {CertPathValidator, PKIX, ValidationAlgorithm=RFC5280:ImplementedIn=Software}] +RestrictedSecurity1.jce.provider.3 = SunEC [{KeyFactory, EC, ImplementedIn=Software: \ + SupportedKeyClasses=java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey: \ + KeySize=256}, {AlgorithmParameters, EC, *}] +RestrictedSecurity1.jce.provider.4 = SunJSSE + +RestrictedSecurity1.keystore.type = PKCS11 +RestrictedSecurity1.javax.net.ssl.keyStore = NONE + +RestrictedSecurity1.securerandom.provider = SunPKCS11-NSS-FIPS +RestrictedSecurity1.securerandom.algorithm = PKCS11 +#endif + # # A list of preferred providers for specific algorithms. These providers will # be searched for matching algorithms before the list of registered providers. diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java index 436f6258f34..65b581190b7 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -57,7 +57,7 @@ import com.sun.crypto.provider.ChaCha20Poly1305Parameters; import jdk.internal.misc.InnocuousThread; -import openj9.internal.security.FIPSConfigurator; +import openj9.internal.security.RestrictedSecurityConfigurator; import sun.security.util.Debug; import sun.security.util.ResourcesMgr; import static sun.security.util.SecurityConstants.PROVIDER_VER; @@ -104,7 +104,7 @@ public final class SunPKCS11 extends AuthProvider { // This is the SunPKCS11 provider instance // there can only be a single PKCS11 provider in - // FIPS mode. + // restricted security mode. static SunPKCS11 mysunpkcs11; Token getToken() { @@ -397,11 +397,11 @@ private static T checkNull(T obj) { nssModule.setProvider(this); } - // When FIPS mode is enabled, configure p11 object to FIPS mode - // and pass the parent object so it can callback. - if (FIPSConfigurator.enableFips()) { + // When restricted security mode is enabled, configure p11 object to + // restricted security mode and pass the parent object so it can callback. + if (RestrictedSecurityConfigurator.isEnabled()) { if (debug != null) { - System.out.println("FIPS mode in SunPKCS11"); + System.out.println("Restricted security mode in SunPKCS11"); } @SuppressWarnings("unchecked") diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java index 887ef943ed2..32de34582a3 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java @@ -155,7 +155,7 @@ static boolean isKey(CK_ATTRIBUTE[] attrs) { // This is the SunPKCS11 provider instance // there can only be a single PKCS11 provider in - // FIPS mode. + // restricted security mode. private static SunPKCS11 mysunpkcs11; private static final class InnerPKCS11 extends PKCS11 implements Consumer { @@ -163,15 +163,15 @@ private static final class InnerPKCS11 extends PKCS11 implements Consumer ATTRS = new HashMap<>(3); - if (FIPSConfigurator.enableFips()) { - ATTRS.put("ImplementedIn", "Software"); - String ecKeyClasses = "java.security.interfaces.ECPublicKey" + - "|java.security.interfaces.ECPrivateKey"; - ATTRS.put("SupportedKeyClasses", ecKeyClasses); - ATTRS.put("KeySize", "256"); - - /* - * Key Factory engine - */ - putService(new ProviderService(this, "KeyFactory", + ATTRS.put("ImplementedIn", "Software"); + String ecKeyClasses = "java.security.interfaces.ECPublicKey" + + "|java.security.interfaces.ECPrivateKey"; + ATTRS.put("SupportedKeyClasses", ecKeyClasses); + ATTRS.put("KeySize", "256"); + + /* + * Key Factory engine + */ + putService(new ProviderService(this, "KeyFactory", "EC", "sun.security.ec.ECKeyFactory", new String[] { "EllipticCurve" }, ATTRS)); - /* - * Algorithm Parameter engine - */ - // "AlgorithmParameters.EC SupportedCurves" prop used by unit test - boolean firstCurve = true; - StringBuilder names = new StringBuilder(); - Pattern nameSplitPattern = Pattern.compile(CurveDB.SPLIT_PATTERN); - - Collection supportedCurves = - CurveDB.getSupportedCurves(); - for (NamedCurve namedCurve : supportedCurves) { - if (!firstCurve) { - names.append("|"); - } else { - firstCurve = false; - } - - names.append("["); - - String[] commonNames = nameSplitPattern.split(namedCurve.getName()); - for (String commonName : commonNames) { - names.append(commonName.trim()); - names.append(","); - } - - names.append(namedCurve.getObjectId()); - names.append("]"); + /* + * Algorithm Parameter engine + */ + // "AlgorithmParameters.EC SupportedCurves" prop used by unit test + boolean firstCurve = true; + StringBuilder names = new StringBuilder(); + Pattern nameSplitPattern = Pattern.compile(CurveDB.SPLIT_PATTERN); + + Collection supportedCurves = CurveDB.getSupportedCurves(); + for (NamedCurve namedCurve : supportedCurves) { + if (!firstCurve) { + names.append("|"); + } else { + firstCurve = false; } - HashMap apAttrs = new HashMap<>(ATTRS); - apAttrs.put("SupportedCurves", names.toString()); - - putService(new ProviderService(this, "AlgorithmParameters", - "EC", "sun.security.util.ECParameters", - new String[] { "EllipticCurve", "1.2.840.10045.2.1", "OID.1.2.840.10045.2.1" }, - apAttrs)); - - } else { - ATTRS.put("ImplementedIn", "Software"); - String ecKeyClasses = "java.security.interfaces.ECPublicKey" + - "|java.security.interfaces.ECPrivateKey"; - ATTRS.put("SupportedKeyClasses", ecKeyClasses); - ATTRS.put("KeySize", "256"); - - /* - * Key Factory engine - */ - putService(new ProviderService(this, "KeyFactory", - "EC", "sun.security.ec.ECKeyFactory", - new String[] { "EllipticCurve" }, ATTRS)); + names.append("["); - /* - * Algorithm Parameter engine - */ - // "AlgorithmParameters.EC SupportedCurves" prop used by unit test - boolean firstCurve = true; - StringBuilder names = new StringBuilder(); - Pattern nameSplitPattern = Pattern.compile(CurveDB.SPLIT_PATTERN); - - Collection supportedCurves = - CurveDB.getSupportedCurves(); - for (NamedCurve namedCurve : supportedCurves) { - if (!firstCurve) { - names.append("|"); - } else { - firstCurve = false; - } - - names.append("["); - - String[] commonNames = nameSplitPattern.split(namedCurve.getName()); - for (String commonName : commonNames) { - names.append(commonName.trim()); - names.append(","); - } - - names.append(namedCurve.getObjectId()); - names.append("]"); + String[] commonNames = nameSplitPattern.split(namedCurve.getName()); + for (String commonName : commonNames) { + names.append(commonName.trim()); + names.append(","); } - HashMap apAttrs = new HashMap<>(ATTRS); - apAttrs.put("SupportedCurves", names.toString()); + names.append(namedCurve.getObjectId()); + names.append("]"); + } + + HashMap apAttrs = new HashMap<>(ATTRS); + apAttrs.put("SupportedCurves", names.toString()); - putService(new ProviderService(this, "AlgorithmParameters", + putService(new ProviderService(this, "AlgorithmParameters", "EC", "sun.security.util.ECParameters", new String[] { "EllipticCurve", "1.2.840.10045.2.1", "OID.1.2.840.10045.2.1" }, apAttrs)); - putXDHEntries(); + putXDHEntries(); - /* - * Register the algorithms below only when the full ECC implementation - * is available - */ - if (!useFullImplementation) { - return; - } + /* + * Register the algorithms below only when the full ECC implementation + * is available + */ + if (!useFullImplementation) { + return; + } - /* - * Signature engines - */ - putService(new ProviderService(this, "Signature", + /* + * Signature engines + */ + putService(new ProviderService(this, "Signature", "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", null, ATTRS)); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", new String[] { "1.2.840.10045.4.1", "OID.1.2.840.10045.4.1" }, ATTRS)); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", - new String[] { "1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"}, + new String[] { "1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1" }, ATTRS)); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", - new String[] { "1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"}, + new String[] { "1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2" }, ATTRS)); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", new String[] { "1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3" }, ATTRS)); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", new String[] { "1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4" }, ATTRS)); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "NONEwithECDSAinP1363Format", "sun.security.ec.ECDSASignature$RawinP1363Format")); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA1withECDSAinP1363Format", "sun.security.ec.ECDSASignature$SHA1inP1363Format")); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA224withECDSAinP1363Format", "sun.security.ec.ECDSASignature$SHA224inP1363Format")); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA256withECDSAinP1363Format", "sun.security.ec.ECDSASignature$SHA256inP1363Format")); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA384withECDSAinP1363Format", "sun.security.ec.ECDSASignature$SHA384inP1363Format")); - putService(new ProviderService(this, "Signature", + putService(new ProviderService(this, "Signature", "SHA512withECDSAinP1363Format", "sun.security.ec.ECDSASignature$SHA512inP1363Format")); - /* - * Key Pair Generator engine - */ - putService(new ProviderService(this, "KeyPairGenerator", + /* + * Key Pair Generator engine + */ + putService(new ProviderService(this, "KeyPairGenerator", "EC", "sun.security.ec.ECKeyPairGenerator", new String[] { "EllipticCurve" }, ATTRS)); - /* - * Key Agreement engine - */ - if (useNativeEC) { - putService(new ProviderService(this, "KeyAgreement", + /* + * Key Agreement engine + */ + if (useNativeEC) { + putService(new ProviderService(this, "KeyAgreement", "ECDH", "sun.security.ec.NativeECDHKeyAgreement", null, ATTRS)); - } else { - putService(new ProviderService(this, "KeyAgreement", + } else { + putService(new ProviderService(this, "KeyAgreement", "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); - } } }