From b99bb2a969b3bd16710407be286acecf1e19aded Mon Sep 17 00:00:00 2001 From: Tao Liu Date: Sun, 11 Sep 2022 12:26:47 -0400 Subject: [PATCH] Java Restricted Security Mode Signed-off-by: Tao Liu --- .../internal/security/FIPSConfigurator.java | 159 --- .../internal/security/RestrictedSecurity.java | 1053 +++++++++++++++++ .../share/classes/java/security/Provider.java | 13 + .../classes/java/security/SecureRandom.java | 44 +- .../share/classes/java/security/Security.java | 17 +- .../classes/java/util/ServiceLoader.java | 19 + .../sun/security/jca/ProviderConfig.java | 9 +- .../sun/security/jca/ProviderList.java | 30 +- .../sun/security/provider/SunEntries.java | 462 ++++---- .../share/conf/security/java.security | 52 + .../sun/security/pkcs11/SunPKCS11.java | 6 +- .../share/classes/sun/security/ec/SunEC.java | 282 ++--- 12 files changed, 1521 insertions(+), 625 deletions(-) delete mode 100644 closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java create mode 100644 closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java diff --git a/closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java b/closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java deleted file mode 100644 index 395d8138c96..00000000000 --- a/closed/src/java.base/share/classes/openj9/internal/security/FIPSConfigurator.java +++ /dev/null @@ -1,159 +0,0 @@ -/* - * =========================================================================== - * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved - * =========================================================================== - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * IBM designates this particular file as subject to the "Classpath" exception - * as provided by IBM in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, see . - * - * =========================================================================== - */ - -package openj9.internal.security; - -import java.util.Iterator; -import java.util.Map.Entry; -import java.util.Properties; -import java.security.AccessController; -import java.security.PrivilegedAction; - -import sun.security.util.Debug; - -/** - * Configures the security providers when in FIPS mode. - */ -public final class FIPSConfigurator { - - private static final Debug debug = Debug.getInstance("semerufips"); - - // FIPS mode enable check, only supported on Linux x64. - private static final boolean userEnabledFIPS; - private static final boolean isFIPSSupported; - private static final boolean shouldEnableFIPS; - - static { - String[] props = AccessController.doPrivileged( - new PrivilegedAction<>() { - @Override - public String[] run() { - return new String[] {System.getProperty("semeru.fips"), - System.getProperty("os.name"), - System.getProperty("os.arch")}; - } - }); - userEnabledFIPS = Boolean.parseBoolean(props[0]); - isFIPSSupported = "Linux".equalsIgnoreCase(props[1]) - && "amd64".equalsIgnoreCase(props[2]); - shouldEnableFIPS = userEnabledFIPS && isFIPSSupported; - } - - private FIPSConfigurator() { - super(); - } - - /** - * FIPS mode will be enabled only if the semeru.fips system - * property is true (default as false). - * - * @return true if FIPS is enabled - */ - public static boolean enableFips() { - return shouldEnableFIPS; - } - - /** - * Remove the security providers and only add the FIPS security providers. - * - * @param props the java.security properties - * @return true if the FIPS properties loaded successfully - */ - public static boolean configureFIPS(Properties props) { - boolean loadedProps = false; - - // Check if FIPS is supported on this platform. - if (userEnabledFIPS && !isFIPSSupported) { - throw new RuntimeException("FIPS is not supported on this platform."); - } - - try { - if (shouldEnableFIPS) { - if (debug != null) { - debug.println("FIPS mode detected, loading properties"); - } - - // Remove all security providers. - Iterator> i = props.entrySet().iterator(); - while (i.hasNext()) { - Entry e = i.next(); - if (((String) e.getKey()).startsWith("security.provider")) { - if (debug != null) { - debug.println("Removing provider: " + e); - } - i.remove(); - } - } - - // Add FIPS security providers. - props.put("security.provider.1", "SunPKCS11 ${java.home}/conf/security/nss.fips.cfg"); - props.put("security.provider.2", "SUN"); - props.put("security.provider.3", "SunEC"); - props.put("security.provider.4", "SunJSSE"); - - // Add FIPS security properties. - props.put("keystore.type", "PKCS11"); - System.setProperty("javax.net.ssl.keyStore", "NONE"); - - // Add FIPS disabled algorithms. - String disabledAlgorithms = props.get("jdk.tls.disabledAlgorithms") - + ", X25519, X448" - + ", SSLv3, TLSv1, TLSv1.1" - + ", TLS_CHACHA20_POLY1305_SHA256" - + ", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" - + ", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" - + ", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" - + ", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" - + ", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA" - + ", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" - + ", TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256" - + ", TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256" - + ", TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" - + ", TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256" - + ", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - + ", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" - + ", TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" - + ", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" - + ", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" - + ", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - + ", TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - + ", TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; - props.put("jdk.tls.disabledAlgorithms", disabledAlgorithms); - - if (debug != null) { - debug.println("FIPS mode properties loaded"); - debug.println(props.toString()); - } - - loadedProps = true; - } - } catch (Exception e) { - if (debug != null) { - debug.println("Unable to load FIPS configuration"); - e.printStackTrace(); - } - } - return loadedProps; - } -} diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java new file mode 100644 index 00000000000..9bacf62f094 --- /dev/null +++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java @@ -0,0 +1,1053 @@ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved + * =========================================================================== + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * IBM designates this particular file as subject to the "Classpath" exception + * as provided by IBM in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, see . + * + * =========================================================================== + */ +package openj9.internal.security; + +import java.security.AccessController; +import java.security.PrivilegedAction; +import java.security.Provider.Service; +import java.time.LocalDate; +import java.time.format.DateTimeFormatter; +import java.time.format.DateTimeParseException; +import java.util.ArrayList; +import java.util.Deque; +import java.util.HashMap; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.Properties; + +import sun.security.util.Debug; + +/** + * Configures the security providers when in restricted security mode. + */ +public final class RestrictedSecurity { + + private static final Debug debug = Debug.getInstance("semerufips"); + + // Restricted security mode enable check, only supported on Linux x64. + private static final boolean userEnabledFIPS; + private static final boolean userEnabledSecurity; + private static final boolean isSecuritySupported; + private static final boolean shouldEnableSecurity; + private static final String userSecuritySetting; + + private static boolean securityEnabled; + + private static int userSecurityNum; + private static boolean userSecurityTrace; + private static boolean userSecurityAudit; + private static boolean userSecurityHelp; + + private static RestrictedSecurityProperties restricts; + + private static final List supportPlatforms = List.of("amd64"); + + static { + @SuppressWarnings("removal") + String[] props = AccessController.doPrivileged( + new PrivilegedAction<>() { + @Override + public String[] run() { + return new String[] { System.getProperty("semeru.fips"), + System.getProperty("semeru.restrictedsecurity"), + System.getProperty("os.name"), + System.getProperty("os.arch") }; + } + }); + userEnabledFIPS = Boolean.parseBoolean(props[0]); + // If semeru.fips is true, then ignore semeru.restrictedsecurity, use userSecurityNum 1. + userSecuritySetting = userEnabledFIPS ? "1" : props[1]; + userEnabledSecurity = !isNullOrBlank(userSecuritySetting); + isSecuritySupported = "Linux".equalsIgnoreCase(props[2]) + && supportPlatforms.contains(props[3]); + shouldEnableSecurity = (userEnabledFIPS || userEnabledSecurity) && isSecuritySupported; + } + + private RestrictedSecurity() { + super(); + } + + /** + * Check if restricted security mode is enabled. + * + * Restricted security mode is enabled when, on supported platforms, + * the semeru.restrictedsecurity system property is set or the system + * property semeru.fips is true. + * + * @return true if restricted security mode is enabled + */ + public static boolean isEnabled() { + return securityEnabled; + } + + /** + * Get restricted security mode secure random provider. + * + * Restricted security mode secure random provider can only + * be called in restricted security mode. + * + * @return the secure random provider + */ + public static String getRandomProvider() { + if (!securityEnabled) { + printStackTraceAndExit( + "Restricted security mode secure random provider can only be used when restricted security mode is enabled."); + } + return restricts.jdkSecureRandomProvider; + } + + /** + * Get restricted security mode secure random algorithm. + * + * Restricted security mode secure random algorithm can only + * be called in restricted security mode. + * + * @return the secure random algorithm + */ + public static String getRandomAlgorithm() { + if (!securityEnabled) { + printStackTraceAndExit( + "Restricted security mode secure random algorithm can only be used when restricted security mode is enabled."); + } + return restricts.jdkSecureRandomAlgorithm; + } + + /** + * Check if the FIPS mode is enabled. + * + * FIPS mode will be enabled when the semeru.fips system property is true, + * or semeru.restrictedsecurity system property is set by using FIPS policy. + * + * @return true if FIPS is enabled + */ + public static boolean isFIPSEnabled() { + return securityEnabled && (userSecurityNum == 1); + } + + /** + * Check if the service is allowed in restricted security mode. + * + * @param service the service to check + * @return true if the service is allowed + */ + public static boolean isServiceAllowed(Service service) { + if (securityEnabled) { + return restricts.isRestrictedServiceAllowed(service); + } + return true; + } + + /** + * Check if the provider is allowed in restricted security mode. + * + * @param providerName the provider to check + * @return true if the provider is allowed + */ + public static boolean isProviderAllowed(String providerName) { + if (securityEnabled) { + return restricts.isRestrictedProviderAllowed(providerName); + } + return true; + } + + /** + * Check if the provider is allowed in restricted security mode. + * + * @param providerClazz the provider class to check + * @return true if the provider is allowed + */ + public static boolean isProviderAllowed(Class providerClazz) { + if (securityEnabled) { + String providerName = providerClazz.getName(); + + // Check if the specified class extends java.security.Provider. + if (java.security.Provider.class.isAssignableFrom(providerClazz)) { + return restricts.isRestrictedProviderAllowed(providerName); + } + + // For a class that doesn't extend java.security.Provider, no need to + // check allowed or not allowed, always return true to load it. + if (debug != null) { + debug.println("The provider class " + providerName + " does not extend java.security.Provider."); + } + } + return true; + } + + /** + * Remove the security providers and only add restricted security providers. + * + * @param props the java.security properties + * @return true if restricted security properties loaded successfully + */ + public static boolean configure(Properties props) { + // Check if restricted security is already initialized. + if (securityEnabled) { + printStackTraceAndExit("Restricted security mode is already initialized, it can't be initialized twice."); + } + + // Check if restricted security is supported on this platform. + if ((userEnabledFIPS || userEnabledSecurity) && !isSecuritySupported) { + printStackTraceAndExit("Restricted security mode is not supported on this platform."); + } + + try { + if (shouldEnableSecurity) { + if (debug != null) { + debug.println("Restricted security mode detected, loading..."); + } + + // Read and set user restricted security settings. + initUserSetting(); + + // Initialize restricted security properties from java.security file. + restricts = new RestrictedSecurityProperties(userSecurityNum, + props, userSecurityTrace, userSecurityAudit, userSecurityHelp); + + // Restricted security properties checks. + restrictsCheck(); + + // Remove all security providers. + for (Iterator> i = props.entrySet().iterator(); i.hasNext();) { + Map.Entry e = i.next(); + String key = (String) e.getKey(); + if (key.startsWith("security.provider")) { + if (debug != null) { + debug.println("Removing provider: " + e); + } + i.remove(); + } + } + + // Add restricted security providers. + setProviders(props); + + // Add restricted security Properties. + setProperties(props); + + // Print out the Trace info. + if (userSecurityTrace) { + restricts.listTrace(); + } + + if (debug != null) { + debug.println("Restricted security mode loaded."); + debug.println("Restricted security mode properties: " + props.toString()); + } + + securityEnabled = true; + } + } catch (Exception e) { + if (debug != null) { + debug.println("Unable to load restricted security mode configurations."); + } + printStackTraceAndExit(e); + } + return securityEnabled; + } + + /** + * Load user restricted security settings from system property. + */ + private static void initUserSetting() { + if (debug != null) { + debug.println("Loading user restricted security settings."); + } + + String[] inputs = userSecuritySetting.split(","); + + // For input ",," + if (inputs.length == 0) { + printStackTraceAndExit("User restricted security setting " + userSecuritySetting + " incorrect."); + } + + for (String input : inputs) { + String in = input.trim(); + if (in.equalsIgnoreCase("audit")) { + userSecurityAudit = true; + } else if (in.equalsIgnoreCase("help")) { + userSecurityHelp = true; + } else if (in.equalsIgnoreCase("trace")) { + userSecurityTrace = true; + } else { + try { + userSecurityNum = Integer.parseInt(in); + } catch (NumberFormatException e) { + printStackTraceAndExit("User restricted security setting " + userSecuritySetting + " incorrect."); + } + } + } + + if (debug != null) { + debug.println("Loaded user restricted security settings, with userSecurityNum: " + userSecurityNum + + " userSecurityTrace: " + userSecurityTrace + + " userSecurityAudit: " + userSecurityAudit + + " userSecurityHelp: " + userSecurityHelp); + } + } + + /** + * Add restricted security providers. + * + * @param props the java.security properties + */ + private static void setProviders(Properties props) { + if (debug != null) { + debug.println("Adding restricted security provider."); + } + + int pNum = 0; + for (String provider : restricts.providers) { + pNum += 1; + props.setProperty("security.provider." + pNum, provider); + if (debug != null) { + debug.println("Added restricted security provider: " + provider); + } + } + } + + /** + * Add restricted security properties. + * + * @param props the java.security properties + */ + private static void setProperties(Properties props) { + if (debug != null) { + debug.println("Adding restricted security properties."); + } + + Map propsMapping = new HashMap<>(); + + // JDK properties name as key, restricted security properties value as value. + propsMapping.put("jdk.tls.disabledNamedCurves", restricts.jdkTlsDisabledNamedCurves); + propsMapping.put("jdk.tls.disabledAlgorithms", restricts.jdkTlsDisabledAlgorithms); + propsMapping.put("jdk.tls.ephemeralDHKeySize", restricts.jdkTlsDphemeralDHKeySize); + propsMapping.put("jdk.tls.legacyAlgorithms", restricts.jdkTlsLegacyAlgorithms); + propsMapping.put("jdk.certpath.disabledAlgorithms", restricts.jdkCertpathDisabledAlgorithms); + propsMapping.put("jdk.security.legacyAlgorithm", restricts.jdkSecurityLegacyAlgorithm); + + for (Map.Entry entry : propsMapping.entrySet()) { + String jdkPropsName = entry.getKey(); + String propsNewValue = entry.getValue(); + + String propsOldValue = props.getProperty(jdkPropsName); + if (isNullOrBlank(propsOldValue)) { + propsOldValue = ""; + } + + if (!isNullOrBlank(propsNewValue)) { + String values = isNullOrBlank(propsOldValue) ? propsNewValue : (propsOldValue + ", " + propsNewValue); + props.setProperty(jdkPropsName, values); + if (debug != null) { + debug.println("Added restricted security properties, with property: " + jdkPropsName + " value: " + + values); + } + } + } + + // For keyStore and keystore.type, old value not needed, just set the new value. + String keyStoreType = restricts.keyStoreType; + if (!isNullOrBlank(keyStoreType)) { + props.setProperty("keystore.type", keyStoreType); + } + String keyStore = restricts.keyStore; + if (!isNullOrBlank(keyStore)) { + // SSL property "javax.net.ssl.keyStore" set at the JVM level via system properties. + System.setProperty("javax.net.ssl.keyStore", keyStore); + } + } + + /** + * Check restricted security properties. + */ + private static void restrictsCheck() { + // Check restricts object. + if (restricts == null) { + printStackTraceAndExit("Restricted security property is null."); + } + + // Check if the SunsetDate expired. + if (isPolicySunset(restricts.descSunsetDate)) { + printStackTraceAndExit("Restricted security policy expired."); + } + + // Check secure random settings. + if (isNullOrBlank(restricts.jdkSecureRandomProvider) + || isNullOrBlank(restricts.jdkSecureRandomAlgorithm)) { + printStackTraceAndExit("Restricted security mode secure random is missing."); + } + } + + /** + * Check if restricted security policy is sunset. + * + * @param descSunsetDate the sunset date from java.security + * @return true if restricted security policy sunset + */ + private static boolean isPolicySunset(String descSunsetDate) { + boolean isSunset = false; + try { + isSunset = LocalDate.parse(descSunsetDate, DateTimeFormatter.ofPattern("yyyy-MM-dd")) + .isBefore(LocalDate.now()); + } catch (DateTimeParseException except) { + printStackTraceAndExit( + "Restricted security policy sunset date is incorrect, the correct format is yyyy-MM-dd."); + } + + if (debug != null) { + debug.println("Restricted security policy is sunset: " + isSunset); + } + return isSunset; + } + + /** + * Check if the input string is null or blank. + * + * @param string the input string + * @return true if the input string is null or blank + */ + private static boolean isNullOrBlank(String string) { + return (string == null) || string.isBlank(); + } + + private static void printStackTraceAndExit(Exception exception) { + exception.printStackTrace(); + System.exit(1); + } + + private static void printStackTraceAndExit(String message) { + printStackTraceAndExit(new RuntimeException(message)); + } + + /** + * This class is used to save and operate on restricted security + * properties which are loaded from the java.security file. + */ + private static final class RestrictedSecurityProperties { + + private String descName; + private String descNumber; + private String descPolicy; + private String descSunsetDate; + + // Security properties. + private String jdkTlsDisabledNamedCurves; + private String jdkTlsDisabledAlgorithms; + private String jdkTlsDphemeralDHKeySize; + private String jdkTlsLegacyAlgorithms; + private String jdkCertpathDisabledAlgorithms; + private String jdkSecurityLegacyAlgorithm; + private String keyStoreType; + private String keyStore; + + // For SecureRandom. + String jdkSecureRandomProvider; + String jdkSecureRandomAlgorithm; + + // Provider with argument (provider name + optional argument). + private final List providers; + // Provider without argument. + private final List providersSimpleName; + // The map is keyed by provider name. + private final Map providerConstraints; + + private final int userSecurityNum; + private final boolean userSecurityTrace; + private final boolean userSecurityAudit; + private final boolean userSecurityHelp; + + private final String propsPrefix; + + // The java.security properties. + private final Properties securityProps; + + /** + * + * @param num the restricted security setting number + * @param props the java.security properties + * @param trace the user security trace + * @param audit the user security audit + * @param help the user security help + */ + private RestrictedSecurityProperties(int num, Properties props, boolean trace, boolean audit, boolean help) { + Objects.requireNonNull(props); + + userSecurityNum = num; + userSecurityTrace = trace; + userSecurityAudit = audit; + userSecurityHelp = help; + securityProps = props; + + propsPrefix = "RestrictedSecurity" + userSecurityNum; + + providers = new ArrayList<>(); + providersSimpleName = new ArrayList<>(); + providerConstraints = new HashMap<>(); + + // Initialize the properties. + init(); + } + + /** + * Initialize restricted security properties. + */ + private void init() { + if (debug != null) { + debug.println("Initializing restricted security mode."); + } + + try { + // Print out the Help and Audit info. + if (userSecurityHelp || userSecurityAudit || userSecurityTrace) { + if (userSecurityHelp) { + printHelp(); + } + if (userSecurityAudit) { + listAudit(); + } + if (userSecurityNum == 0) { + if (userSecurityTrace) { + printStackTraceAndExit( + "Unable to list the trace info without specify the security policy number."); + } else { + if (debug != null) { + debug.println("Print out the info and exit."); + } + System.exit(0); + } + } + } + + // Load restricted security providers from java.security properties. + initProviders(); + // Load restricted security properties from java.security properties. + initProperties(); + // Load restricted security provider constraints from java.security properties. + initConstraints(); + + if (debug != null) { + debug.println("Initialized restricted security mode."); + } + } catch (Exception e) { + if (debug != null) { + debug.println("Unable to initialize restricted security mode."); + } + printStackTraceAndExit(e); + } + } + + /** + * Load restricted security provider. + */ + private void initProviders() { + if (debug != null) { + debug.println("Loading restricted security providers."); + } + + for (int pNum = 1;; ++pNum) { + String providerInfo = securityProps + .getProperty(propsPrefix + ".jce.provider." + pNum); + + if ((providerInfo == null) || providerInfo.trim().isEmpty()) { + break; + } + + if (!areBracketsBalanced(providerInfo)) { + printStackTraceAndExit("Provider format is incorrect: " + providerInfo); + } + + int pos = providerInfo.indexOf('['); + String providerName = (pos < 0) ? providerInfo.trim() : providerInfo.substring(0, pos).trim(); + // Provider with argument (provider name + optional argument). + providers.add(pNum - 1, providerName); + + // Remove the provider's optional arguments if there are. + pos = providerName.indexOf(' '); + providerName = (pos < 0) ? providerName.trim() : providerName.substring(0, pos).trim(); + // Remove the provider's class package names if there are. + pos = providerName.lastIndexOf('.'); + providerName = (pos < 0) ? providerName : providerName.substring(pos + 1, providerName.length()); + // Provider without arguments and package names. + providersSimpleName.add(pNum - 1, providerName); + + if (debug != null) { + debug.println( + "Loaded restricted security provider: " + providers.get(pNum - 1) + + " with simple name: " + providerName); + } + } + + if (providers.isEmpty()) { + printStackTraceAndExit( + "Restricted security mode provider list empty, or no such restricted security policy in java.security file."); + } + } + + /** + * Load restricted security properties. + */ + private void initProperties() { + if (debug != null) { + debug.println("Loading restricted security properties."); + } + + descName = parseProperty(securityProps.getProperty(propsPrefix + ".desc.name")); + descNumber = parseProperty(securityProps.getProperty(propsPrefix + ".desc.number")); + descPolicy = parseProperty(securityProps.getProperty(propsPrefix + ".desc.policy")); + descSunsetDate = parseProperty(securityProps.getProperty(propsPrefix + ".desc.sunsetDate")); + + jdkTlsDisabledNamedCurves = parseProperty( + securityProps.getProperty(propsPrefix + ".tls.disabledNamedCurves")); + jdkTlsDisabledAlgorithms = parseProperty( + securityProps.getProperty(propsPrefix + ".tls.disabledAlgorithms")); + jdkTlsDphemeralDHKeySize = parseProperty( + securityProps.getProperty(propsPrefix + ".tls.ephemeralDHKeySize")); + jdkTlsLegacyAlgorithms = parseProperty( + securityProps.getProperty(propsPrefix + ".tls.legacyAlgorithms")); + jdkCertpathDisabledAlgorithms = parseProperty( + securityProps.getProperty(propsPrefix + ".jce.certpath.disabledAlgorithms")); + jdkSecurityLegacyAlgorithm = parseProperty( + securityProps.getProperty(propsPrefix + ".jce.legacyAlgorithms")); + keyStoreType = parseProperty( + securityProps.getProperty(propsPrefix + ".keystore.type")); + keyStore = parseProperty( + securityProps.getProperty(propsPrefix + ".javax.net.ssl.keyStore")); + + jdkSecureRandomProvider = parseProperty( + securityProps.getProperty(propsPrefix + ".securerandom.provider")); + jdkSecureRandomAlgorithm = parseProperty( + securityProps.getProperty(propsPrefix + ".securerandom.algorithm")); + + if (debug != null) { + debug.println("Loaded restricted security properties."); + } + } + + /** + * Load security constraints with type, algorithm, attributes. + * + * Example: + * RestrictedSecurity1.jce.provider.1 = SUN [{CertPathBuilder, PKIX, *}, + * {Policy, JavaPolicy, *}, {CertPathValidator, *, *}]. + */ + private void initConstraints() { + for (int pNum = 1; pNum <= providersSimpleName.size(); pNum++) { + String providerName = providersSimpleName.get(pNum - 1); + String providerInfo = securityProps + .getProperty(propsPrefix + ".jce.provider." + pNum); + + if (debug != null) { + debug.println("Loading constraints for security provider: " + providerName); + } + + // Check if the provider has constraints. + if (providerInfo.indexOf('[') < 0) { + if (debug != null) { + debug.println("No constraints for security provider: " + providerName); + } + providerConstraints.put(providerName, new Constraint[0]); + continue; + } + + // Remove the whitespaces in the format separator if there are. + providerInfo = providerInfo.trim() + .replaceAll("\\[\\s+\\{", "[{") + .replaceAll("\\}\\s+\\]", "}]") + .replaceAll("\\}\\s*,\\s*\\{", "},{"); + + int startIndex = providerInfo.lastIndexOf("[{"); + int endIndex = providerInfo.indexOf("}]"); + + // Provider with constraints. + if ((startIndex > 0) && (endIndex > startIndex)) { + String[] constrArray = providerInfo + .substring(startIndex + 2, endIndex).split("\\},\\{"); + + if (constrArray.length <= 0) { + printStackTraceAndExit("Constraint format is incorrect: " + providerInfo); + } + + // Constraint object array. + // For each constraint type, algorithm and attributes. + Constraint[] constraints = new Constraint[constrArray.length]; + + int cNum = 0; + for (String constr : constrArray) { + String[] input = constr.split(","); + + // Each constraint must includes 3 fields(type, algorithm, attributes). + if (input.length != 3) { + printStackTraceAndExit("Constraint format is incorrect: " + providerInfo); + } + + String inType = input[0].trim(); + String inAlgorithm = input[1].trim(); + String inAttributes = input[2].trim(); + + // Each attribute must includes 2 fields (key and value) or *. + if (!isAsterisk(inAttributes)) { + String[] attributeArray = inAttributes.split(":"); + for (String attribute : attributeArray) { + String[] in = attribute.split("=", 2); + if (in.length != 2) { + printStackTraceAndExit( + "Constraint attributes format is incorrect: " + providerInfo); + } + } + } + + Constraint constraint = new Constraint(inType, inAlgorithm, inAttributes); + + if (debug != null) { + debug.println("Loading constraints for security provider: " + providerName + + " with constraints type: " + inType + + " algorithm: " + inAlgorithm + + " attributes: " + inAttributes); + } + constraints[cNum] = constraint; + cNum++; + } + providerConstraints.put(providerName, constraints); + if (debug != null) { + debug.println("Loaded constraints for security provider: " + providerName); + } + } else { + printStackTraceAndExit("Constraint format is incorrect: " + providerInfo); + } + } + } + + /** + * Check if the Service is allowed in restricted security mode. + * + * @param service the Service to check + * @return true if the Service is allowed + */ + boolean isRestrictedServiceAllowed(Service service) { + String providerName = service.getProvider().getName(); + + // Provider with argument, remove argument. + // e.g. SunPKCS11-NSS-FIPS, remove argument -NSS-FIPS. + int pos = providerName.indexOf('-'); + providerName = (pos < 0) ? providerName : providerName.substring(0, pos); + + Constraint[] constraints = providerConstraints.get(providerName); + + if (constraints == null) { + // Disallow unknown providers. + return false; + } else if (constraints.length == 0) { + // Allow this provider with no constraints. + return true; + } + + // Check the constraints of this provider. + String type = service.getType(); + String algorithm = service.getAlgorithm(); + + for (Constraint constraint : constraints) { + String cType = constraint.type; + String cAlgorithm = constraint.algorithm; + String cAttribute = constraint.attributes; + + if (!isAsterisk(cType) && !type.equals(cType)) { + // The constraint doesn't apply to the service type. + continue; + } + if (!isAsterisk(cAlgorithm) && !algorithm.equalsIgnoreCase(cAlgorithm)) { + // The constraint doesn't apply to the service algorith. + continue; + } + + // For type and algorithm match, and attribute is *. + if (isAsterisk(cAttribute)) { + if (debug != null) { + debug.println("Security constraints check." + + " Service type: " + type + + " Algorithm: " + algorithm + + " is allowed in provider " + providerName); + } + return true; + } + + // For type and algorithm match, and attribute is not *. + // Then continue checking attributes. + String[] cAttributeArray = cAttribute.split(":"); + + // For each attribute, must be all matched for return allowed. + for (String attribute : cAttributeArray) { + String[] input = attribute.split("=", 2); + + String cName = input[0].trim(); + String cValue = input[1].trim(); + String sValue = service.getAttribute(cName); + if ((sValue == null) || !cValue.equalsIgnoreCase(sValue)) { + // If any attribute doesn't match, return service is not allowed. + if (debug != null) { + debug.println( + "Security constraints check." + + " Service type: " + type + + " Algorithm: " + algorithm + + " Attribute: " + cAttribute + + " is NOT allowed in provider: " + providerName); + } + return false; + } + } + if (debug != null) { + debug.println( + "Security constraints check." + + " Service type: " + type + + " Algorithm: " + algorithm + + " Attribute: " + cAttribute + + " is allowed in provider: " + providerName); + } + return true; + } + if (debug != null) { + debug.println("Security constraints check." + + " Service type: " + type + + " Algorithm: " + algorithm + + " is NOT allowed in provider " + providerName); + } + // No match for any constraint, return NOT allowed. + return false; + } + + /** + * Check if the provider is allowed in restricted security mode. + * + * @param providerName the provider to check + * @return true if the provider is allowed + */ + boolean isRestrictedProviderAllowed(String providerName) { + if (debug != null) { + debug.println("Checking the provider " + providerName + " in restricted security mode."); + } + + // Remove argument, e.g. -NSS-FIPS, if there is. + int pos = providerName.indexOf('-'); + providerName = (pos < 0) ? providerName : providerName.substring(0, pos); + + // Remove the provider class package name if there is. + pos = providerName.lastIndexOf('.'); + providerName = (pos < 0) ? providerName : providerName.substring(pos + 1, providerName.length()); + + // Check if the provider is in restricted security provider list. + // If not, the provider won't be registered. + if (providersSimpleName.contains(providerName)) { + if (debug != null) { + debug.println("The provider " + providerName + " is allowed in restricted security mode."); + } + return true; + } + + if (debug != null) { + debug.println("The provider " + providerName + " is not allowed in restricted security mode."); + + debug.println("Stack trace:"); + StackTraceElement[] elements = Thread.currentThread().getStackTrace(); + for (int i = 1; i < elements.length; i++) { + StackTraceElement stack = elements[i]; + debug.println("\tat " + stack.getClassName() + "." + stack.getMethodName() + "(" + + stack.getFileName() + ":" + stack.getLineNumber() + ")"); + } + } + return false; + } + + /** + * List audit info if userSecurityAudit is true, default as false. + */ + private void listAudit() { + System.out.println(); + System.out.println("Restricted Security Audit Info:"); + System.out.println("==============================="); + + for (int num = 1;; ++num) { + String desc = securityProps.getProperty("RestrictedSecurity" + num + ".desc.name"); + if ((desc == null) || desc.trim().isEmpty()) { + break; + } + System.out.println("RestrictedSecurity" + num + ".desc.name: " + + securityProps.getProperty("RestrictedSecurity" + num + ".desc.name")); + System.out.println("RestrictedSecurity" + num + ".desc.number: " + + parseProperty(securityProps.getProperty("RestrictedSecurity" + num + ".desc.number"))); + System.out.println("RestrictedSecurity" + num + ".desc.policy: " + + parseProperty(securityProps.getProperty("RestrictedSecurity" + num + ".desc.policy"))); + System.out.println("RestrictedSecurity" + num + ".desc.sunsetDate: " + + parseProperty(securityProps.getProperty("RestrictedSecurity" + num + ".desc.sunsetDate"))); + System.out.println(); + } + } + + /** + * List trace info if userSecurityTrace is true, default as false. + */ + void listTrace() { + System.out.println(); + System.out.println("Restricted Security Trace Info:"); + System.out.println("==============================="); + System.out.println(propsPrefix + ".desc.name: " + descName); + System.out.println(propsPrefix + ".desc.number: " + descNumber); + System.out.println(propsPrefix + ".desc.policy: " + descPolicy); + System.out.println(propsPrefix + ".desc.sunsetDate: " + descSunsetDate); + System.out.println(); + + // List restrictions. + System.out.println(propsPrefix + ".tls.disabledNamedCurves: " + + parseProperty(securityProps.getProperty("jdk.tls.disabledNamedCurves"))); + System.out.println(propsPrefix + ".tls.disabledAlgorithms: " + + parseProperty(securityProps.getProperty("jdk.tls.disabledAlgorithms"))); + System.out.println(propsPrefix + ".tls.ephemeralDHKeySize: " + + parseProperty(securityProps.getProperty("jdk.tls.ephemeralDHKeySize"))); + System.out.println(propsPrefix + ".tls.legacyAlgorithms: " + + parseProperty(securityProps.getProperty("jdk.tls.legacyAlgorithms"))); + System.out.println(propsPrefix + ".jce.certpath.disabledAlgorithms: " + + parseProperty(securityProps.getProperty("jdk.certpath.disabledAlgorithms"))); + System.out.println(propsPrefix + ".jce.legacyAlgorithms: " + + parseProperty(securityProps.getProperty("jdk.security.legacyAlgorithm"))); + System.out.println(); + + System.out.println(propsPrefix + ".keystore.type: " + + parseProperty(securityProps.getProperty("keystore.type"))); + System.out.println(propsPrefix + ".javax.net.ssl.keyStore: " + + keyStore); + System.out.println(propsPrefix + ".securerandom.provider: " + + jdkSecureRandomProvider); + System.out.println(propsPrefix + ".securerandom.algorithm: " + + jdkSecureRandomAlgorithm); + + // List providers. + System.out.println(); + for (int pNum = 1; pNum <= providers.size(); pNum++) { + System.out.println(propsPrefix + ".jce.provider." + pNum + ": " + + providers.get(pNum - 1)); + } + + System.out.println(); + } + + /** + * Print help info if userSecurityHelp is ture, default as false. + */ + private void printHelp() { + System.out.println(); + System.out.println("Restricted Security Mode Usage:"); + System.out.println("==============================="); + + System.out.println( + "-Dsemeru.restrictedsecurity= This flag will select the settings for the user " + + "specified restricted security policy."); + System.out.println( + "-Dsemeru.restrictedsecurity=audit This flag will list the name and number of all " + + "configured restricted security policies."); + System.out.println( + "-Dsemeru.restrictedsecurity=trace This flag will list all properties relevant to " + + "restricted security mode, including the existing default properties and " + + "restricted security properties."); + System.out.println("-Dsemeru.restrictedsecurity=help This flag will print help message."); + + System.out.println(); + System.out.println("e.g."); + System.out.println(" -Dsemeru.restrictedsecurity=1,trace,audit,help"); + System.out.println(" -Dsemeru.restrictedsecurity=help"); + + System.out.println(); + } + + /** + * Check if the input string is null. If null return "". + * + * @param string the input string + * @return "" if the string is null + */ + private static String parseProperty(String string) { + return (string != null) ? string.trim() : ""; + } + + /** + * Check if the brackets are balanced. + * + * @param string input string for checking + * @return true if the brackets are balanced + */ + private static boolean areBracketsBalanced(String string) { + Deque deque = new LinkedList<>(); + + for (char ch : string.toCharArray()) { + switch (ch) { + case '{': + deque.addFirst('}'); + break; + case '[': + deque.addFirst(']'); + break; + case '(': + deque.addFirst(')'); + break; + case '}': + case ']': + case ')': + if (deque.isEmpty() || (deque.removeFirst().charValue() != ch)) { + return false; + } + break; + default: + break; + } + } + return deque.isEmpty(); + } + + /** + * Check if the input string is asterisk (*). + * + * @param string input string for checking + * @return true if the input string is asterisk + */ + private static boolean isAsterisk(String string) { + return "*".equals(string); + } + + /** + * A class representing the constraints of a provider. + */ + private static final class Constraint { + final String type; + final String algorithm; + final String attributes; + + Constraint(String type, String algorithm, String attributes) { + super(); + this.type = type; + this.algorithm = algorithm; + this.attributes = attributes; + } + } + } +} diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java index 1f0bbfd766a..06aa6d1395f 100644 --- a/src/java.base/share/classes/java/security/Provider.java +++ b/src/java.base/share/classes/java/security/Provider.java @@ -23,6 +23,12 @@ * questions. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved + * =========================================================================== + */ + package java.security; import java.io.*; @@ -35,6 +41,8 @@ import java.util.function.Function; import java.util.concurrent.ConcurrentHashMap; +import openj9.internal.security.RestrictedSecurity; + /** * This class represents a "provider" for the * Java Security API, where a provider implements some or all parts of @@ -1372,6 +1380,11 @@ protected void putService(Service s) { throw new IllegalArgumentException ("service.getProvider() must match this Provider object"); } + if (!RestrictedSecurity.isServiceAllowed(s)) { + // We're in restricted security mode which does not allow this service, + // return without registering. + return; + } String type = s.getType(); String algorithm = s.getAlgorithm(); ServiceKey key = new ServiceKey(type, algorithm, true); diff --git a/src/java.base/share/classes/java/security/SecureRandom.java b/src/java.base/share/classes/java/security/SecureRandom.java index 9e23ab1e009..94922b88554 100644 --- a/src/java.base/share/classes/java/security/SecureRandom.java +++ b/src/java.base/share/classes/java/security/SecureRandom.java @@ -25,7 +25,7 @@ /* * =========================================================================== - * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved + * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved * =========================================================================== */ @@ -41,7 +41,7 @@ import sun.security.provider.SunEntries; import sun.security.util.Debug; -import openj9.internal.security.FIPSConfigurator; +import openj9.internal.security.RestrictedSecurity; /** * This class provides a cryptographically strong random number @@ -270,27 +270,29 @@ private void getDefaultPRNG(boolean setSeed, byte[] seed) { Service prngService = null; String prngAlgorithm = null; - // If in FIPS mode, use the SecureRandom from the FIPS provider - if (FIPSConfigurator.enableFips()) { - Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); - prngAlgorithm = "PKCS11"; - prngService = p.getService("SecureRandom", prngAlgorithm); - } else { - for (Provider p : Providers.getProviderList().providers()) { - // SUN provider uses the SunEntries.DEF_SECURE_RANDOM_ALGO - // as the default SecureRandom algorithm; for other providers, - // Provider.getDefaultSecureRandom() will use the 1st - // registered SecureRandom algorithm - if (p.getName().equals("SUN")) { - prngAlgorithm = SunEntries.DEF_SECURE_RANDOM_ALGO; + for (Provider p : Providers.getProviderList().providers()) { + // In restricted security mode, use the SecureRandom from restricted security provider. + if (RestrictedSecurity.isEnabled()) { + String srProvider = RestrictedSecurity.getRandomProvider(); + if (p.getName().equals(srProvider)) { + prngAlgorithm = RestrictedSecurity.getRandomAlgorithm(); prngService = p.getService("SecureRandom", prngAlgorithm); break; - } else { - prngService = p.getDefaultSecureRandomService(); - if (prngService != null) { - prngAlgorithm = prngService.getAlgorithm(); - break; - } + } + } + // SUN provider uses the SunEntries.DEF_SECURE_RANDOM_ALGO + // as the default SecureRandom algorithm; for other providers, + // Provider.getDefaultSecureRandom() will use the 1st + // registered SecureRandom algorithm + else if (p.getName().equals("SUN")) { + prngAlgorithm = SunEntries.DEF_SECURE_RANDOM_ALGO; + prngService = p.getService("SecureRandom", prngAlgorithm); + break; + } else { + prngService = p.getDefaultSecureRandomService(); + if (prngService != null) { + prngAlgorithm = prngService.getAlgorithm(); + break; } } } diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java index 1d991756f72..51a938f5b57 100644 --- a/src/java.base/share/classes/java/security/Security.java +++ b/src/java.base/share/classes/java/security/Security.java @@ -50,7 +50,7 @@ import openj9.internal.criu.security.CRIUConfigurator; /*[ENDIF] CRIU_SUPPORT*/ -import openj9.internal.security.FIPSConfigurator; +import openj9.internal.security.RestrictedSecurity; /** *

This class centralizes all security properties and common security @@ -215,16 +215,11 @@ private static void initialize() { } /*[ENDIF] CRIU_SUPPORT */ - // Load FIPS properties - if (loadedProps) { - boolean fipsEnabled = FIPSConfigurator.configureFIPS(props); - if (sdebug != null) { - if (fipsEnabled) { - sdebug.println("FIPS mode enabled."); - } else { - sdebug.println("FIPS mode disabled."); - } - } + // Load restricted security mode properties. + boolean restrictedSecurityEnabled = RestrictedSecurity.configure(props); + if (sdebug != null) { + sdebug.println(restrictedSecurityEnabled ? "Restricted security mode enabled." + : "Restricted security mode disabled."); } } diff --git a/src/java.base/share/classes/java/util/ServiceLoader.java b/src/java.base/share/classes/java/util/ServiceLoader.java index d248d1ea4a7..b8bfda71298 100644 --- a/src/java.base/share/classes/java/util/ServiceLoader.java +++ b/src/java.base/share/classes/java/util/ServiceLoader.java @@ -23,6 +23,12 @@ * questions. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved + * =========================================================================== + */ + package java.util; import java.io.BufferedReader; @@ -57,6 +63,8 @@ import jdk.internal.reflect.CallerSensitive; import jdk.internal.reflect.Reflection; +import openj9.internal.security.RestrictedSecurity; + /** * A facility to load implementations of a service. * @@ -873,6 +881,12 @@ private Provider loadProvider(ServiceProvider provider) { fail(service, clazz + " is not public"); } + if (!RestrictedSecurity.isProviderAllowed(clazz)) { + // We're in restricted security mode which does not allow this provider, + // skip it. + return null; + } + // if provider in explicit module then check for static factory method if (inExplicitModule(clazz)) { Method factoryMethod = findStaticProviderMethod(clazz); @@ -1228,6 +1242,11 @@ private boolean hasNextService() { } if (service.isAssignableFrom(clazz)) { + if (!RestrictedSecurity.isProviderAllowed(clazz)) { + // We're in restricted security mode which does not allow this provider, + // skip it. + continue; + } Class type = (Class) clazz; Constructor ctor = (Constructor)getConstructor(clazz); diff --git a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java index db420525e62..e59159b0036 100644 --- a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java +++ b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java @@ -25,7 +25,7 @@ /* * =========================================================================== - * (c) Copyright IBM Corp. 2023, 2023 All Rights Reserved + * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved * =========================================================================== */ @@ -39,6 +39,8 @@ import sun.security.util.PropertyExpander; +import openj9.internal.security.RestrictedSecurity; + /** * Class representing a configured provider which encapsulates configuration * (provider name + optional argument), the provider loading logic, and @@ -168,6 +170,11 @@ public String toString() { // com.sun.net.ssl.internal.ssl.Provider has been deprecated since JDK 9 @SuppressWarnings("deprecation") synchronized Provider getProvider() { + if (!RestrictedSecurity.isProviderAllowed(provName)) { + // We're in restricted security mode which does not allow this provider, + // return without loading. + return null; + } // volatile variable load Provider p = provider; if (p != null) { diff --git a/src/java.base/share/classes/sun/security/jca/ProviderList.java b/src/java.base/share/classes/sun/security/jca/ProviderList.java index 405de65f26f..63a0163bcbb 100644 --- a/src/java.base/share/classes/sun/security/jca/ProviderList.java +++ b/src/java.base/share/classes/sun/security/jca/ProviderList.java @@ -39,6 +39,8 @@ import java.security.Provider.Service; import java.security.Security; +import openj9.internal.security.RestrictedSecurity; + /** * List of Providers. Used to represent the provider preferences. * @@ -112,7 +114,13 @@ public static ProviderList add(ProviderList providerList, Provider p) { public static ProviderList insertAt(ProviderList providerList, Provider p, int position) { - if (providerList.getProvider(p.getName()) != null) { + String providerName = p.getName(); + if (providerList.getProvider(providerName) != null) { + return providerList; + } + if (!RestrictedSecurity.isProviderAllowed(providerName)) { + // We're in restricted security mode which does not allow this provider, + // return without adding. return providerList; } List list = new ArrayList<> @@ -144,6 +152,16 @@ public static ProviderList remove(ProviderList providerList, String name) { // Create a new ProviderList from the specified Providers. // This method is for use by SunJSSE. public static ProviderList newList(Provider ... providers) { + if (RestrictedSecurity.isEnabled()) { + List allowedProviders = new ArrayList<>(); + for (Provider p : providers) { + if (RestrictedSecurity.isProviderAllowed(p.getName())) { + // This provider is allowed, add it the list. + allowedProviders.add(p); + } + } + providers = allowedProviders.toArray(new Provider[allowedProviders.size()]); + } ProviderConfig[] configs = new ProviderConfig[providers.length]; for (int i = 0; i < providers.length; i++) { configs[i] = new ProviderConfig(providers[i]); @@ -379,7 +397,8 @@ public Service getService(String type, String name) { for (i = 0; i < pList.size(); i++) { Provider p = getProvider(pList.get(i).provider); Service s = p.getService(type, name); - if (s != null) { + if ((s != null) && RestrictedSecurity.isServiceAllowed(s)) { + // We found a service that is allowed in restricted security mode. return s; } } @@ -388,7 +407,8 @@ public Service getService(String type, String name) { for (i = 0; i < configs.length; i++) { Provider p = getProvider(i); Service s = p.getService(type, name); - if (s != null) { + if ((s != null) && RestrictedSecurity.isServiceAllowed(s)) { + // We found a service that is allowed in restricted security mode. return s; } } @@ -524,14 +544,14 @@ private Service tryGet(int index) { if (type != null) { // simple lookup Service s = p.getService(type, algorithm); - if (s != null) { + if ((s != null) && RestrictedSecurity.isServiceAllowed(s)) { addService(s); } } else { // parallel lookup for (ServiceId id : ids) { Service s = p.getService(id.type, id.algorithm); - if (s != null) { + if ((s != null) && RestrictedSecurity.isServiceAllowed(s)) { addService(s); } } diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java index 6ddcaec9746..bf423e3a388 100644 --- a/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java @@ -40,8 +40,6 @@ import jdk.internal.util.StaticProperty; import sun.security.action.GetPropertyAction; -import openj9.internal.security.FIPSConfigurator; - /** * Defines the entries of the SUN provider. * @@ -114,266 +112,218 @@ public static List createAliasesWithOid(String ... oids) { // common attribute map HashMap attrs = new HashMap<>(3); - if (FIPSConfigurator.enableFips()) { - // FIPS supported - attrs.put("ImplementedIn", "Software"); - - /* - * Certificates - */ - add(p, "CertificateFactory", "X.509", - "sun.security.provider.X509Factory", - createAliases("X509"), attrs); - - /* - * CertStores - */ - add(p, "CertStore", "Collection", - "sun.security.provider.certpath.CollectionCertStore", - null, attrs); - add(p, "CertStore", "com.sun.security.IndexedCollection", - "sun.security.provider.certpath.IndexedCollectionCertStore", - null, attrs); - - /* - * Policy - */ - add(p, "Policy", "JavaPolicy", "sun.security.provider.PolicySpiFile", - null, null); - - /* - * Configuration - */ - add(p, "Configuration", "JavaLoginConfig", - "sun.security.provider.ConfigFile$Spi", null, null); - - /* - * CertPathBuilder and CertPathValidator - */ - attrs.clear(); - attrs.put("ValidationAlgorithm", "RFC5280"); - attrs.put("ImplementedIn", "Software"); - - add(p, "CertPathBuilder", "PKIX", - "sun.security.provider.certpath.SunCertPathBuilder", - null, attrs); - add(p, "CertPathValidator", "PKIX", - "sun.security.provider.certpath.PKIXCertPathValidator", + /* + * SecureRandom engines + */ + attrs.put("ThreadSafe", "true"); + if (NativePRNG.isAvailable()) { + add(p, "SecureRandom", "NativePRNG", + "sun.security.provider.NativePRNG", null, attrs); + } + if (NativePRNG.Blocking.isAvailable()) { + add(p, "SecureRandom", "NativePRNGBlocking", + "sun.security.provider.NativePRNG$Blocking", null, attrs); + } + if (NativePRNG.NonBlocking.isAvailable()) { + add(p, "SecureRandom", "NativePRNGNonBlocking", + "sun.security.provider.NativePRNG$NonBlocking", null, attrs); + } + attrs.put("ImplementedIn", "Software"); + add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", + null, attrs); + add(p, "SecureRandom", "SHA1PRNG", + "sun.security.provider.SecureRandom", null, attrs); + + /* + * Signature engines + */ + attrs.clear(); + String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + + "|java.security.interfaces.DSAPrivateKey"; + attrs.put("SupportedKeyClasses", dsaKeyClasses); + attrs.put("ImplementedIn", "Software"); + + attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures + + add(p, "Signature", "SHA1withDSA", + "sun.security.provider.DSA$SHA1withDSA", + createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS", + "SHA/DSA", "SHA-1/DSA", "SHA1/DSA", "SHAwithDSA", + "DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), attrs); + add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA", + createAliases("RawDSA"), attrs); + + attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures + + add(p, "Signature", "SHA224withDSA", + "sun.security.provider.DSA$SHA224withDSA", + createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs); + add(p, "Signature", "SHA256withDSA", + "sun.security.provider.DSA$SHA256withDSA", + createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs); + + attrs.remove("KeySize"); + + add(p, "Signature", "SHA1withDSAinP1363Format", + "sun.security.provider.DSA$SHA1withDSAinP1363Format", + null, null); + add(p, "Signature", "NONEwithDSAinP1363Format", + "sun.security.provider.DSA$RawDSAinP1363Format", + null, null); + add(p, "Signature", "SHA224withDSAinP1363Format", + "sun.security.provider.DSA$SHA224withDSAinP1363Format", + null, null); + add(p, "Signature", "SHA256withDSAinP1363Format", + "sun.security.provider.DSA$SHA256withDSAinP1363Format", + null, null); + + /* + * Key Pair Generator engines + */ + attrs.clear(); + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only + + String dsaOid = "1.2.840.10040.4.1"; + List dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12"); + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; + dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); + add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs); + + /* + * Algorithm Parameter Generator engines + */ + add(p, "AlgorithmParameterGenerator", "DSA", + "sun.security.provider.DSAParameterGenerator", dsaAliases, + attrs); + attrs.remove("KeySize"); + + /* + * Algorithm Parameter engines + */ + add(p, "AlgorithmParameters", "DSA", + "sun.security.provider.DSAParameters", dsaAliases, attrs); + + /* + * Key factories + */ + add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory", + dsaAliases, attrs); + + /* + * Digest engines + */ + String providerSHA; + String providerSHA224; + String providerSHA256; + String providerSHA384; + String providerSHA512; + /* + * Set the digest provider based on whether native crypto is + * enabled or not. + */ + if (useNativeDigest && NativeCrypto.isAllowedAndLoaded()) { + providerSHA = "sun.security.provider.NativeSHA"; + providerSHA224 = "sun.security.provider.NativeSHA2$SHA224"; + providerSHA256 = "sun.security.provider.NativeSHA2$SHA256"; + providerSHA384 = "sun.security.provider.NativeSHA5$SHA384"; + providerSHA512 = "sun.security.provider.NativeSHA5$SHA512"; } else { - /* - * SecureRandom engines - */ - attrs.put("ThreadSafe", "true"); - if (NativePRNG.isAvailable()) { - add(p, "SecureRandom", "NativePRNG", - "sun.security.provider.NativePRNG", - null, attrs); - } - if (NativePRNG.Blocking.isAvailable()) { - add(p, "SecureRandom", "NativePRNGBlocking", - "sun.security.provider.NativePRNG$Blocking", null, attrs); - } - if (NativePRNG.NonBlocking.isAvailable()) { - add(p, "SecureRandom", "NativePRNGNonBlocking", - "sun.security.provider.NativePRNG$NonBlocking", null, attrs); - } - attrs.put("ImplementedIn", "Software"); - add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", - null, attrs); - add(p, "SecureRandom", "SHA1PRNG", - "sun.security.provider.SecureRandom", null, attrs); - - /* - * Signature engines - */ - attrs.clear(); - String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + - "|java.security.interfaces.DSAPrivateKey"; - attrs.put("SupportedKeyClasses", dsaKeyClasses); - attrs.put("ImplementedIn", "Software"); - - attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures - - add(p, "Signature", "SHA1withDSA", - "sun.security.provider.DSA$SHA1withDSA", - createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS", - "SHA/DSA", "SHA-1/DSA", "SHA1/DSA", "SHAwithDSA", - "DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), attrs); - add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA", - createAliases("RawDSA"), attrs); - - attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures - - add(p, "Signature", "SHA224withDSA", - "sun.security.provider.DSA$SHA224withDSA", - createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs); - add(p, "Signature", "SHA256withDSA", - "sun.security.provider.DSA$SHA256withDSA", - createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs); - - attrs.remove("KeySize"); - - add(p, "Signature", "SHA1withDSAinP1363Format", - "sun.security.provider.DSA$SHA1withDSAinP1363Format", - null, null); - add(p, "Signature", "NONEwithDSAinP1363Format", - "sun.security.provider.DSA$RawDSAinP1363Format", - null, null); - add(p, "Signature", "SHA224withDSAinP1363Format", - "sun.security.provider.DSA$SHA224withDSAinP1363Format", - null, null); - add(p, "Signature", "SHA256withDSAinP1363Format", - "sun.security.provider.DSA$SHA256withDSAinP1363Format", - null, null); - - /* - * Key Pair Generator engines - */ - attrs.clear(); - attrs.put("ImplementedIn", "Software"); - attrs.put("KeySize", "2048"); // for DSA KPG and APG only - - String dsaOid = "1.2.840.10040.4.1"; - List dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12"); - String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; - dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); - add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs); - - /* - * Algorithm Parameter Generator engines - */ - add(p, "AlgorithmParameterGenerator", "DSA", - "sun.security.provider.DSAParameterGenerator", dsaAliases, - attrs); - attrs.remove("KeySize"); - - /* - * Algorithm Parameter engines - */ - add(p, "AlgorithmParameters", "DSA", - "sun.security.provider.DSAParameters", dsaAliases, attrs); - - /* - * Key factories - */ - add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory", - dsaAliases, attrs); - - /* - * Digest engines - */ - String providerSHA; - String providerSHA224; - String providerSHA256; - String providerSHA384; - String providerSHA512; - /* - * Set the digest provider based on whether native crypto is - * enabled or not. - */ - if (useNativeDigest && NativeCrypto.isAllowedAndLoaded()) { - providerSHA = "sun.security.provider.NativeSHA"; - providerSHA224 = "sun.security.provider.NativeSHA2$SHA224"; - providerSHA256 = "sun.security.provider.NativeSHA2$SHA256"; - providerSHA384 = "sun.security.provider.NativeSHA5$SHA384"; - providerSHA512 = "sun.security.provider.NativeSHA5$SHA512"; - } else { - providerSHA = "sun.security.provider.SHA"; - providerSHA224 = "sun.security.provider.SHA2$SHA224"; - providerSHA256 = "sun.security.provider.SHA2$SHA256"; - providerSHA384 = "sun.security.provider.SHA5$SHA384"; - providerSHA512 = "sun.security.provider.SHA5$SHA512"; - } - - add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs); - add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs); - add(p, "MessageDigest", "SHA", providerSHA, - createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs); - - String sha2BaseOid = "2.16.840.1.101.3.4.2"; - add(p, "MessageDigest", "SHA-224", providerSHA224, - createAliasesWithOid(sha2BaseOid + ".4"), attrs); - add(p, "MessageDigest", "SHA-256", providerSHA256, - createAliasesWithOid(sha2BaseOid + ".1"), attrs); - add(p, "MessageDigest", "SHA-384", providerSHA384, - createAliasesWithOid(sha2BaseOid + ".2"), attrs); - add(p, "MessageDigest", "SHA-512", providerSHA512, - createAliasesWithOid(sha2BaseOid + ".3"), attrs); - add(p, "MessageDigest", "SHA-512/224", - "sun.security.provider.SHA5$SHA512_224", - createAliasesWithOid(sha2BaseOid + ".5"), attrs); - add(p, "MessageDigest", "SHA-512/256", - "sun.security.provider.SHA5$SHA512_256", - createAliasesWithOid(sha2BaseOid + ".6"), attrs); - add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224", - createAliasesWithOid(sha2BaseOid + ".7"), attrs); - add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256", - createAliasesWithOid(sha2BaseOid + ".8"), attrs); - add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384", - createAliasesWithOid(sha2BaseOid + ".9"), attrs); - add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512", - createAliasesWithOid(sha2BaseOid + ".10"), attrs); - - /* - * Certificates - */ - add(p, "CertificateFactory", "X.509", - "sun.security.provider.X509Factory", - createAliases("X509"), attrs); - - /* - * KeyStore - */ - add(p, "KeyStore", "PKCS12", - "sun.security.pkcs12.PKCS12KeyStore$DualFormatPKCS12", - null, null); - add(p, "KeyStore", "JKS", - "sun.security.provider.JavaKeyStore$DualFormatJKS", - null, attrs); - add(p, "KeyStore", "CaseExactJKS", - "sun.security.provider.JavaKeyStore$CaseExactJKS", - null, attrs); - add(p, "KeyStore", "DKS", "sun.security.provider.DomainKeyStore$DKS", - null, attrs); - - - /* - * CertStores - */ - add(p, "CertStore", "Collection", - "sun.security.provider.certpath.CollectionCertStore", - null, attrs); - add(p, "CertStore", "com.sun.security.IndexedCollection", - "sun.security.provider.certpath.IndexedCollectionCertStore", - null, attrs); + providerSHA = "sun.security.provider.SHA"; + providerSHA224 = "sun.security.provider.SHA2$SHA224"; + providerSHA256 = "sun.security.provider.SHA2$SHA256"; + providerSHA384 = "sun.security.provider.SHA5$SHA384"; + providerSHA512 = "sun.security.provider.SHA5$SHA512"; + } - /* - * Policy - */ - add(p, "Policy", "JavaPolicy", "sun.security.provider.PolicySpiFile", - null, null); + add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs); + add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs); + add(p, "MessageDigest", "SHA", providerSHA, + createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs); + + String sha2BaseOid = "2.16.840.1.101.3.4.2"; + add(p, "MessageDigest", "SHA-224", providerSHA224, + createAliasesWithOid(sha2BaseOid + ".4"), attrs); + add(p, "MessageDigest", "SHA-256", providerSHA256, + createAliasesWithOid(sha2BaseOid + ".1"), attrs); + add(p, "MessageDigest", "SHA-384", providerSHA384, + createAliasesWithOid(sha2BaseOid + ".2"), attrs); + add(p, "MessageDigest", "SHA-512", providerSHA512, + createAliasesWithOid(sha2BaseOid + ".3"), attrs); + add(p, "MessageDigest", "SHA-512/224", + "sun.security.provider.SHA5$SHA512_224", + createAliasesWithOid(sha2BaseOid + ".5"), attrs); + add(p, "MessageDigest", "SHA-512/256", + "sun.security.provider.SHA5$SHA512_256", + createAliasesWithOid(sha2BaseOid + ".6"), attrs); + add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224", + createAliasesWithOid(sha2BaseOid + ".7"), attrs); + add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256", + createAliasesWithOid(sha2BaseOid + ".8"), attrs); + add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384", + createAliasesWithOid(sha2BaseOid + ".9"), attrs); + add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512", + createAliasesWithOid(sha2BaseOid + ".10"), attrs); + + /* + * Certificates + */ + add(p, "CertificateFactory", "X.509", + "sun.security.provider.X509Factory", + createAliases("X509"), attrs); + + /* + * KeyStore + */ + add(p, "KeyStore", "PKCS12", + "sun.security.pkcs12.PKCS12KeyStore$DualFormatPKCS12", + null, null); + add(p, "KeyStore", "JKS", + "sun.security.provider.JavaKeyStore$DualFormatJKS", + null, attrs); + add(p, "KeyStore", "CaseExactJKS", + "sun.security.provider.JavaKeyStore$CaseExactJKS", + null, attrs); + add(p, "KeyStore", "DKS", "sun.security.provider.DomainKeyStore$DKS", + null, attrs); - /* - * Configuration - */ - add(p, "Configuration", "JavaLoginConfig", - "sun.security.provider.ConfigFile$Spi", null, null); - /* - * CertPathBuilder and CertPathValidator - */ - attrs.clear(); - attrs.put("ValidationAlgorithm", "RFC5280"); - attrs.put("ImplementedIn", "Software"); + /* + * CertStores + */ + add(p, "CertStore", "Collection", + "sun.security.provider.certpath.CollectionCertStore", + null, attrs); + add(p, "CertStore", "com.sun.security.IndexedCollection", + "sun.security.provider.certpath.IndexedCollectionCertStore", + null, attrs); - add(p, "CertPathBuilder", "PKIX", - "sun.security.provider.certpath.SunCertPathBuilder", - null, attrs); - add(p, "CertPathValidator", "PKIX", - "sun.security.provider.certpath.PKIXCertPathValidator", - null, attrs); - } + /* + * Policy + */ + add(p, "Policy", "JavaPolicy", "sun.security.provider.PolicySpiFile", + null, null); + + /* + * Configuration + */ + add(p, "Configuration", "JavaLoginConfig", + "sun.security.provider.ConfigFile$Spi", null, null); + + /* + * CertPathBuilder and CertPathValidator + */ + attrs.clear(); + attrs.put("ValidationAlgorithm", "RFC5280"); + attrs.put("ImplementedIn", "Software"); + + add(p, "CertPathBuilder", "PKIX", + "sun.security.provider.certpath.SunCertPathBuilder", + null, attrs); + add(p, "CertPathValidator", "PKIX", + "sun.security.provider.certpath.PKIXCertPathValidator", + null, attrs); } Iterator iterator() { diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index 9af64321c40..972f55d4f89 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -85,6 +85,58 @@ security.provider.tbd=Apple security.provider.tbd=SunPKCS11 #endif +#ifdef linux-x86 +# +# Java Restricted Security Mode +# +RestrictedSecurity1.desc.name = Red Hat Enterprise Linux 8 NSS Cryptographic Module FIPS 140-2 +RestrictedSecurity1.desc.number = Certificate #3946 +RestrictedSecurity1.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3946 +RestrictedSecurity1.desc.sunsetDate = 2026-06-06 + +RestrictedSecurity1.tls.disabledNamedCurves = +RestrictedSecurity1.tls.disabledAlgorithms = X25519, X448, SSLv3, TLSv1, TLSv1.1, \ + TLS_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \ + TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \ + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \ + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \ + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \ + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \ + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, \ + TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, \ + TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, \ + TLS_RSA_WITH_AES_128_CBC_SHA, TLS_AES_256_GCM_SHA384, \ + TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \ + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, \ + TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, \ + TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, \ + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, \ + TLS_EMPTY_RENEGOTIATION_INFO_SCSV +RestrictedSecurity1.tls.ephemeralDHKeySize = +RestrictedSecurity1.tls.legacyAlgorithms = + +RestrictedSecurity1.jce.certpath.disabledAlgorithms = +RestrictedSecurity1.jce.legacyAlgorithms = +RestrictedSecurity1.jce.provider.1 = SunPKCS11 ${java.home}/conf/security/nss.fips.cfg +RestrictedSecurity1.jce.provider.2 = SUN [{CertificateFactory, X.509, ImplementedIn=Software}, \ + {CertStore, Collection, ImplementedIn=Software}, \ + {CertStore, com.sun.security.IndexedCollection, ImplementedIn=Software}, \ + {Policy, JavaPolicy, *}, {Configuration, JavaLoginConfig, *}, \ + {CertPathBuilder, PKIX, ValidationAlgorithm=RFC5280:ImplementedIn=Software}, \ + {CertPathValidator, PKIX, ValidationAlgorithm=RFC5280:ImplementedIn=Software}] +RestrictedSecurity1.jce.provider.3 = SunEC [{KeyFactory, EC, ImplementedIn=Software: \ + SupportedKeyClasses=java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey: \ + KeySize=256}, {AlgorithmParameters, EC, *}] +RestrictedSecurity1.jce.provider.4 = SunJSSE + +RestrictedSecurity1.keystore.type = PKCS11 +RestrictedSecurity1.javax.net.ssl.keyStore = NONE + +RestrictedSecurity1.securerandom.provider = SunPKCS11-NSS-FIPS +RestrictedSecurity1.securerandom.algorithm = PKCS11 +#endif + # # A list of preferred providers for specific algorithms. These providers will # be searched for matching algorithms before the list of registered providers. diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java index fefcbf5ab0c..04873345e1f 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -55,7 +55,7 @@ import com.sun.crypto.provider.ChaCha20Poly1305Parameters; import jdk.internal.misc.InnocuousThread; -import openj9.internal.security.FIPSConfigurator; +import openj9.internal.security.RestrictedSecurity; import sun.security.util.Debug; import sun.security.util.ResourcesMgr; import static sun.security.util.SecurityConstants.PROVIDER_VER; @@ -434,9 +434,9 @@ private static T checkNull(T obj) { // When FIPS mode is enabled, configure p11 object to FIPS mode // and pass the parent object so it can callback. - if (FIPSConfigurator.enableFips()) { + if (RestrictedSecurity.isFIPSEnabled()) { if (debug != null) { - System.out.println("FIPS mode in SunPKCS11"); + debug.println("FIPS mode in SunPKCS11"); } @SuppressWarnings("unchecked") diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java index b84049c0a03..475101f3612 100644 --- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java @@ -39,8 +39,6 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER; -import openj9.internal.security.FIPSConfigurator; - import jdk.crypto.jniprovider.NativeCrypto; /** @@ -193,182 +191,128 @@ public Void run() { void putEntries(boolean useFullImplementation) { HashMap ATTRS = new HashMap<>(3); - - if (FIPSConfigurator.enableFips()) { - ATTRS.put("ImplementedIn", "Software"); - String ecKeyClasses = "java.security.interfaces.ECPublicKey" + - "|java.security.interfaces.ECPrivateKey"; - ATTRS.put("SupportedKeyClasses", ecKeyClasses); - ATTRS.put("KeySize", "256"); - - /* - * Key Factory engine - */ - putService(new ProviderService(this, "KeyFactory", - "EC", "sun.security.ec.ECKeyFactory", - new String[] { "EllipticCurve" }, ATTRS)); - - /* - * Algorithm Parameter engine - */ - // "AlgorithmParameters.EC SupportedCurves" prop used by unit test - boolean firstCurve = true; - StringBuilder names = new StringBuilder(); - Pattern nameSplitPattern = Pattern.compile(CurveDB.SPLIT_PATTERN); - - Collection supportedCurves = - CurveDB.getSupportedCurves(); - for (NamedCurve namedCurve : supportedCurves) { - if (!firstCurve) { - names.append("|"); - } else { - firstCurve = false; - } - - names.append("["); - - String[] commonNames = nameSplitPattern.split(namedCurve.getName()); - for (String commonName : commonNames) { - names.append(commonName.trim()); - names.append(","); - } - - names.append(namedCurve.getObjectId()); - names.append("]"); + ATTRS.put("ImplementedIn", "Software"); + String ecKeyClasses = "java.security.interfaces.ECPublicKey" + + "|java.security.interfaces.ECPrivateKey"; + ATTRS.put("SupportedKeyClasses", ecKeyClasses); + ATTRS.put("KeySize", "256"); + + /* + * Key Factory engine + */ + putService(new ProviderService(this, "KeyFactory", + "EC", "sun.security.ec.ECKeyFactory", + new String[] { "EllipticCurve" }, ATTRS)); + + /* + * Algorithm Parameter engine + */ + // "AlgorithmParameters.EC SupportedCurves" prop used by unit test + boolean firstCurve = true; + StringBuilder names = new StringBuilder(); + Pattern nameSplitPattern = Pattern.compile(CurveDB.SPLIT_PATTERN); + + Collection supportedCurves = + CurveDB.getSupportedCurves(); + for (NamedCurve namedCurve : supportedCurves) { + if (!firstCurve) { + names.append("|"); + } else { + firstCurve = false; } - HashMap apAttrs = new HashMap<>(ATTRS); - apAttrs.put("SupportedCurves", names.toString()); + names.append("["); - putService(new ProviderService(this, "AlgorithmParameters", - "EC", "sun.security.util.ECParameters", - new String[] { "EllipticCurve", "1.2.840.10045.2.1", "OID.1.2.840.10045.2.1" }, - apAttrs)); - - } else { - ATTRS.put("ImplementedIn", "Software"); - String ecKeyClasses = "java.security.interfaces.ECPublicKey" + - "|java.security.interfaces.ECPrivateKey"; - ATTRS.put("SupportedKeyClasses", ecKeyClasses); - ATTRS.put("KeySize", "256"); - - /* - * Key Factory engine - */ - putService(new ProviderService(this, "KeyFactory", - "EC", "sun.security.ec.ECKeyFactory", - new String[] { "EllipticCurve" }, ATTRS)); - - /* - * Algorithm Parameter engine - */ - // "AlgorithmParameters.EC SupportedCurves" prop used by unit test - boolean firstCurve = true; - StringBuilder names = new StringBuilder(); - Pattern nameSplitPattern = Pattern.compile(CurveDB.SPLIT_PATTERN); - - Collection supportedCurves = - CurveDB.getSupportedCurves(); - for (NamedCurve namedCurve : supportedCurves) { - if (!firstCurve) { - names.append("|"); - } else { - firstCurve = false; - } - - names.append("["); - - String[] commonNames = nameSplitPattern.split(namedCurve.getName()); - for (String commonName : commonNames) { - names.append(commonName.trim()); - names.append(","); - } - - names.append(namedCurve.getObjectId()); - names.append("]"); + String[] commonNames = nameSplitPattern.split(namedCurve.getName()); + for (String commonName : commonNames) { + names.append(commonName.trim()); + names.append(","); } - HashMap apAttrs = new HashMap<>(ATTRS); - apAttrs.put("SupportedCurves", names.toString()); + names.append(namedCurve.getObjectId()); + names.append("]"); + } - putService(new ProviderService(this, "AlgorithmParameters", - "EC", "sun.security.util.ECParameters", - new String[] { "EllipticCurve", "1.2.840.10045.2.1", "OID.1.2.840.10045.2.1" }, - apAttrs)); + HashMap apAttrs = new HashMap<>(ATTRS); + apAttrs.put("SupportedCurves", names.toString()); - putXDHEntries(); + putService(new ProviderService(this, "AlgorithmParameters", + "EC", "sun.security.util.ECParameters", + new String[] { "EllipticCurve", "1.2.840.10045.2.1", "OID.1.2.840.10045.2.1" }, + apAttrs)); - /* - * Register the algorithms below only when the full ECC implementation - * is available - */ - if (!useFullImplementation) { - return; - } + putXDHEntries(); - /* - * Signature engines - */ - putService(new ProviderService(this, "Signature", - "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", - null, ATTRS)); - putService(new ProviderService(this, "Signature", - "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", - new String[] { "1.2.840.10045.4.1", "OID.1.2.840.10045.4.1" }, - ATTRS)); - putService(new ProviderService(this, "Signature", - "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", - new String[] { "1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"}, - ATTRS)); - putService(new ProviderService(this, "Signature", - "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", - new String[] { "1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"}, - ATTRS)); - putService(new ProviderService(this, "Signature", - "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", - new String[] { "1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3" }, - ATTRS)); - putService(new ProviderService(this, "Signature", - "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", - new String[] { "1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4" }, - ATTRS)); - - putService(new ProviderService(this, "Signature", - "NONEwithECDSAinP1363Format", - "sun.security.ec.ECDSASignature$RawinP1363Format")); - putService(new ProviderService(this, "Signature", - "SHA1withECDSAinP1363Format", - "sun.security.ec.ECDSASignature$SHA1inP1363Format")); - putService(new ProviderService(this, "Signature", - "SHA224withECDSAinP1363Format", - "sun.security.ec.ECDSASignature$SHA224inP1363Format")); - putService(new ProviderService(this, "Signature", - "SHA256withECDSAinP1363Format", - "sun.security.ec.ECDSASignature$SHA256inP1363Format")); - putService(new ProviderService(this, "Signature", - "SHA384withECDSAinP1363Format", - "sun.security.ec.ECDSASignature$SHA384inP1363Format")); - putService(new ProviderService(this, "Signature", - "SHA512withECDSAinP1363Format", - "sun.security.ec.ECDSASignature$SHA512inP1363Format")); - - /* - * Key Pair Generator engine - */ - putService(new ProviderService(this, "KeyPairGenerator", - "EC", "sun.security.ec.ECKeyPairGenerator", - new String[] { "EllipticCurve" }, ATTRS)); - - /* - * Key Agreement engine - */ - if (useNativeEC && NativeCrypto.isAllowedAndLoaded()) { - putService(new ProviderService(this, "KeyAgreement", - "ECDH", "sun.security.ec.NativeECDHKeyAgreement", null, ATTRS)); - } else { - putService(new ProviderService(this, "KeyAgreement", - "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); - } + /* + * Register the algorithms below only when the full ECC implementation + * is available + */ + if (!useFullImplementation) { + return; + } + + /* + * Signature engines + */ + putService(new ProviderService(this, "Signature", + "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", + null, ATTRS)); + putService(new ProviderService(this, "Signature", + "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", + new String[] { "1.2.840.10045.4.1", "OID.1.2.840.10045.4.1" }, + ATTRS)); + putService(new ProviderService(this, "Signature", + "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", + new String[] { "1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"}, + ATTRS)); + putService(new ProviderService(this, "Signature", + "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", + new String[] { "1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"}, + ATTRS)); + putService(new ProviderService(this, "Signature", + "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", + new String[] { "1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3" }, + ATTRS)); + putService(new ProviderService(this, "Signature", + "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", + new String[] { "1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4" }, + ATTRS)); + + putService(new ProviderService(this, "Signature", + "NONEwithECDSAinP1363Format", + "sun.security.ec.ECDSASignature$RawinP1363Format")); + putService(new ProviderService(this, "Signature", + "SHA1withECDSAinP1363Format", + "sun.security.ec.ECDSASignature$SHA1inP1363Format")); + putService(new ProviderService(this, "Signature", + "SHA224withECDSAinP1363Format", + "sun.security.ec.ECDSASignature$SHA224inP1363Format")); + putService(new ProviderService(this, "Signature", + "SHA256withECDSAinP1363Format", + "sun.security.ec.ECDSASignature$SHA256inP1363Format")); + putService(new ProviderService(this, "Signature", + "SHA384withECDSAinP1363Format", + "sun.security.ec.ECDSASignature$SHA384inP1363Format")); + putService(new ProviderService(this, "Signature", + "SHA512withECDSAinP1363Format", + "sun.security.ec.ECDSASignature$SHA512inP1363Format")); + + /* + * Key Pair Generator engine + */ + putService(new ProviderService(this, "KeyPairGenerator", + "EC", "sun.security.ec.ECKeyPairGenerator", + new String[] { "EllipticCurve" }, ATTRS)); + + /* + * Key Agreement engine + */ + if (useNativeEC && NativeCrypto.isAllowedAndLoaded()) { + putService(new ProviderService(this, "KeyAgreement", + "ECDH", "sun.security.ec.NativeECDHKeyAgreement", null, ATTRS)); + } else { + putService(new ProviderService(this, "KeyAgreement", + "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); } }