Update TLS tests to be run in FIPS 140-3 mode.

Signed-off-by: Jinhang Zhang <[email protected]>

Author: JinhangZhang

test/jdk/javax/net/ssl/DTLS/CipherSuite.java

@@ -55,6 +55,9 @@
 import java.util.Arrays;
 import java.util.List;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test common DTLS cipher suites.
  */
@@ -65,15 +68,41 @@ public class CipherSuite extends DTLSOverDatagram {
     private static boolean reenable;
 
     public static void main(String[] args) throws Exception {
-        if (args.length > 1 && "re-enable".equals(args[1])) {
+        if (args.length > 1 && "re-enable".equals(args[1]) 
+        && !(Utils.isFIPS())) {
             Security.setProperty("jdk.tls.disabledAlgorithms", "");
             reenable = true;
         }
 
         cipherSuite = args[0];
 
         CipherSuite testCase = new CipherSuite();
-        testCase.runTest(testCase);
+        try {
+            testCase.runTest(testCase);
+        } catch (javax.net.ssl.SSLHandshakeException sslhe) {
+            if (Utils.isFIPS()) {
+                if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) {
+                    if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
+                        System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
+                        return;
+                    } else {
+                        System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
+                        return;
+                    }
+                } else {
+                    System.out.println("Unexpected exception is caught");
+                    sslhe.printStackTrace();
+                    return;
+                }
+            } else {
+                System.out.println("Unexpected exception is caught in Non-FIPS mode");
+                sslhe.printStackTrace();
+                return;
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+            return;
+        }
     }
 
     @Override

test/jdk/javax/net/ssl/DTLS/DTLSNamedGroups.java

@@ -38,6 +38,9 @@
 import javax.net.ssl.SSLParameters;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test DTLS client authentication.
  */
@@ -73,7 +76,9 @@ SSLEngine createSSLEngine(boolean isClient) throws Exception {
     }
 
     public static void main(String[] args) throws Exception {
-        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        if (!(Utils.isFIPS())) {
+                Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        }
 
         runTest(new String[] {
                         "x25519",

test/jdk/javax/net/ssl/DTLS/DTLSSignatureSchemes.java

@@ -38,6 +38,9 @@
 import javax.net.ssl.SSLParameters;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test DTLS client authentication.
  */
@@ -67,7 +70,9 @@ SSLEngine createSSLEngine(boolean isClient) throws Exception {
     }
 
     public static void main(String[] args) throws Exception {
-        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        if (!(Utils.isFIPS())) {
+                Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        }
 
         runTest(new String[] {
                         "ecdsa_secp256r1_sha256",

test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java

@@ -32,6 +32,9 @@
 import java.util.List;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /*
  * @test
  * @bug 8301381
@@ -51,7 +54,9 @@ public class DTLSWontNegotiateV10 {
     private static final int READ_TIMEOUT_SECS = Integer.getInteger("readtimeout", 30);
 
     public static void main(String[] args) throws Exception {
-        if (args[0].equals(DTLSV_1_0)) {
+
+        if (args[0].equals(DTLSV_1_0) 
+        && !(Utils.isFIPS())) {
             SecurityUtils.removeFromDisabledTlsAlgs(DTLSV_1_0);
         }
 
@@ -74,6 +79,26 @@ public static void main(String[] args) throws Exception {
                     break;
                 } catch (SocketTimeoutException exc) {
                     System.out.println("The server timed-out waiting for packets from the client.");
+                } catch (javax.net.ssl.SSLHandshakeException sslhe) {
+                    if (Utils.isFIPS()) {
+                        if(!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) {
+                            if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
+                                System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
+                                return;
+                            } else {
+                                System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
+                                return;
+                            }
+                        } else {
+                            System.out.println("Unexpected exception is caught");
+                            sslhe.printStackTrace();
+                            return;
+                        }
+                    } else {
+                        System.out.println("Unexpected exception is caught in Non-FIPS mode");
+                        sslhe.printStackTrace();
+                        return;
+                    }
                 }
             }
             if (tries == totalAttempts) {

test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java

@@ -41,6 +41,9 @@
 import javax.net.ssl.SSLEngine;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test common DTLS weak cipher suites.
  */
@@ -52,13 +55,40 @@ public class WeakCipherSuite extends DTLSOverDatagram {
     public static void main(String[] args) throws Exception {
         // reset security properties to make sure that the algorithms
         // and keys used in this test are not disabled.
-        Security.setProperty("jdk.tls.disabledAlgorithms", "");
-        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+        if (!(Utils.isFIPS())) {
+            Security.setProperty("jdk.tls.disabledAlgorithms", "");
+            Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+        }
 
         cipherSuite = args[0];
 
         WeakCipherSuite testCase = new WeakCipherSuite();
-        testCase.runTest(testCase);
+        try {
+            testCase.runTest(testCase);
+        } catch (javax.net.ssl.SSLHandshakeException sslhe) {
+            if (Utils.isFIPS()) {
+                if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) {
+                    if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
+                        System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
+                        return;
+                    } else {
+                        System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
+                        return;
+                    }
+                } else {
+                    System.out.println("Unexpected exception is caught");
+                    sslhe.printStackTrace();
+                    return;
+                }
+            } else {
+                System.out.println("Unexpected exception is caught in Non-FIPS mode");
+                sslhe.printStackTrace();
+                return;
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+            return;
+        }
     }
 
     @Override

test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java

@@ -26,6 +26,7 @@
  * @bug 4387882
  * @summary Need to revisit the javadocs for JSSE, especially the
  *      promoted classes.
+ * @library /test/lib
  * @run main/othervm ImplicitHandshake
  *
  *     SunJSSE does not support dynamic system properties, no way to re-use
@@ -37,6 +38,8 @@
 import java.net.*;
 import javax.net.ssl.*;
 
+import jdk.test.lib.Utils;
+
 public class ImplicitHandshake {
 
     /*
@@ -191,6 +194,10 @@ public static void main(String[] args) throws Exception {
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + trustStoreFile;
 
+        if (Utils.isFIPS()) {
+            keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd);
+            trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd);
+        }
         System.setProperty("javax.net.ssl.keyStore", keyFilename);
         System.setProperty("javax.net.ssl.keyStorePassword", passwd);
         System.setProperty("javax.net.ssl.trustStore", trustFilename);

test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java

@@ -31,6 +31,7 @@
  * @bug 6668231
  * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to
  *          fail trusted checks
+ * @library /test/lib
  * @run main/othervm CriticalSubjectAltName
  * @author Xuelei Fan
  */
@@ -53,6 +54,8 @@
 import java.security.Security;
 import java.security.cert.Certificate;
 
+import jdk.test.lib.Utils;
+
 public class CriticalSubjectAltName implements HostnameVerifier {
     /*
      * =============================================================
@@ -159,10 +162,12 @@ void doClientSide() throws Exception {
 
     public static void main(String[] args) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty("jdk.certpath.disabledAlgorithms",
-                "MD2, RSA keySize < 1024");
-        Security.setProperty("jdk.tls.disabledAlgorithms",
-                "SSLv3, RC4, DH keySize < 768");
+        if (!(Utils.isFIPS())) {
+            Security.setProperty("jdk.certpath.disabledAlgorithms",
+                    "MD2, RSA keySize < 1024");
+            Security.setProperty("jdk.tls.disabledAlgorithms",
+                    "SSLv3, RC4, DH keySize < 768");
+        }
 
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
@@ -171,6 +176,11 @@ public static void main(String[] args) throws Exception {
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + trustStoreFile;
 
+        if (Utils.isFIPS()) {
+            keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd);
+            trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd);
+        }
+
         System.setProperty("javax.net.ssl.keyStore", keyFilename);
         System.setProperty("javax.net.ssl.keyStorePassword", passwd);
         System.setProperty("javax.net.ssl.trustStore", trustFilename);
@@ -182,7 +192,29 @@ public static void main(String[] args) throws Exception {
         /*
          * Start the tests.
          */
-        new CriticalSubjectAltName();
+        try {
+            new CriticalSubjectAltName();
+        } catch (Exception e) {
+            if (Utils.isFIPS()) {
+                if (e instanceof java.security.cert.CertPathValidatorException) {
+                    if ("Algorithm constraints check failed on signature algorithm: MD5withRSA".equals(e.getMessage())) {
+                        System.out.println("MD5withRSA is not a supported signature algorithm.");
+                        return;
+                    } else {
+                        System.out.println("Unexpected exception msg: <" + e.getMessage() + "> is caught");
+                        return;
+                    }
+                } else {
+                    System.out.println("Unexpected exception is caught");
+                    e.printStackTrace();
+                    return;
+                }
+            } else {
+                System.out.println("Unexpected exception is caught in Non-FIPS mode");
+                e.printStackTrace();
+                return;
+            }
+        }
     }
 
     Thread clientThread = null;

test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java

@@ -25,6 +25,7 @@
  * @test
  * @bug 4482187
  * @summary HttpsClient tests are failing for build 71
+ * @library /test/lib
  * @run main/othervm GetResponseCode
  *
  *     SunJSSE does not support dynamic system properties, no way to re-use
@@ -37,6 +38,8 @@
 import javax.net.ssl.*;
 import java.security.cert.Certificate;
 
+import jdk.test.lib.Utils;
+
 public class GetResponseCode implements HostnameVerifier {
     /*
      * =============================================================
@@ -149,6 +152,11 @@ public static void main(String[] args) throws Exception {
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + trustStoreFile;
 
+        if (Utils.isFIPS()) {
+            keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd);
+            trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd);
+        }
+
         System.setProperty("javax.net.ssl.keyStore", keyFilename);
         System.setProperty("javax.net.ssl.keyStorePassword", passwd);
         System.setProperty("javax.net.ssl.trustStore", trustFilename);

test/jdk/javax/net/ssl/SSLEngine/ArgCheck.java

@@ -27,7 +27,7 @@
  * @summary Add scatter/gather APIs for SSLEngine
  *
  * Check to see if the args are being parsed properly.
- *
+ * @library /test/lib
  */
 
 import javax.net.ssl.*;