diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java index 98165807fb3..e1b78ba0410 100644 --- a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java +++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java @@ -1674,7 +1674,9 @@ private void checkHashValues() { printStackTraceAndExit("Incorrect definition of hash value for " + profileID); } + System.out.println("checkHashValues->hashInfo[0] is: " + hashInfo[0]); String digestAlgo = hashInfo[0].trim(); + System.out.println("checkHashValues->digestAlgo is: " + digestAlgo); String expectedHash = hashInfo[1].trim(); try { MessageDigest md = MessageDigest.getInstance(digestAlgo); diff --git a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java index b96032fd781..1751f20ff9c 100644 --- a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java +++ b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java @@ -55,6 +55,9 @@ import java.util.Arrays; import java.util.List; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /** * Test common DTLS cipher suites. */ @@ -65,7 +68,8 @@ public class CipherSuite extends DTLSOverDatagram { private static boolean reenable; public static void main(String[] args) throws Exception { - if (args.length > 1 && "re-enable".equals(args[1])) { + if (args.length > 1 && "re-enable".equals(args[1]) + && !(SecurityUtils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); reenable = true; } 
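Review bot: The two `System.out.println` calls added around `String digestAlgo = hashInfo[0].trim();` are debug output left in the restricted-security profile check inside `java.base`; they write unconditionally to stdout of every process that runs this code and should be removed, or at least gated on whatever debug/trace switch `RestrictedSecurity` already uses (not visible in this hunk). If a trace of the parsed hash entry is genuinely useful, one guarded line such as `// trace only: profile hash entry being validated` next to a debug-gated print is enough; two separate prints of `hashInfo[0]` and its trimmed copy add nothing. `checkHashValues` begins and ends outside the hunk.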
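Review bot: `import jdk.test.lib.Utils;` looks unused here: nothing in this file's hunks references `Utils`, only `SecurityUtils`. The same import is added to DTLSNamedGroups, DTLSSignatureSchemes, DTLSWontNegotiateV10, WeakCipherSuite, CriticalSubjectAltName, Arrays, Basics, CheckTlsEngineResults, ConnectionTest, EngineCloseOnAlert, LargeBufs, NoAuthClientAuth, TestAllSuites and NamedGroups; unless a use exists outside the visible hunks, drop it from each file. Note also that a `jdk.test.lib` import only compiles under jtreg when the test header declares `@library /test/lib`; this change adds the tag to some files, and I cannot see whether e.g. DTLSNamedGroups and DTLSSignatureSchemes already have it.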
@@ -73,7 +77,32 @@ public static void main(String[] args) throws Exception { cipherSuite = args[0]; CipherSuite testCase = new CipherSuite(); - testCase.runTest(testCase); + try { + testCase.runTest(testCase); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (SecurityUtils.isFIPS()) { + if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + sslhe.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslhe.printStackTrace(); + return; + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } @Override diff --git a/test/jdk/javax/net/ssl/DTLS/DTLSNamedGroups.java b/test/jdk/javax/net/ssl/DTLS/DTLSNamedGroups.java index e9165fa391c..312308e2b64 100644 --- a/test/jdk/javax/net/ssl/DTLS/DTLSNamedGroups.java +++ b/test/jdk/javax/net/ssl/DTLS/DTLSNamedGroups.java @@ -38,6 +38,9 @@ import javax.net.ssl.SSLParameters; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /** * Test DTLS client authentication. */ @@ -73,7 +76,9 @@ SSLEngine createSSLEngine(boolean isClient) throws Exception { } public static void main(String[] args) throws Exception { - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } runTest(new String[] { "x25519", diff --git a/test/jdk/javax/net/ssl/DTLS/DTLSSignatureSchemes.java b/test/jdk/javax/net/ssl/DTLS/DTLSSignatureSchemes.java index 5dd897b1bd7..bec4dcc28a4 100644 --- a/test/jdk/javax/net/ssl/DTLS/DTLSSignatureSchemes.java 
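Review bot: The new `catch (Exception e) { e.printStackTrace(); return; }` and the `return` in every "Unexpected exception" branch make `main` exit normally on any failure, so jtreg reports the test as passed whenever the handshake breaks, in FIPS and non-FIPS mode alike. Only the single expected case (FIPS mode, suite absent from `SecurityUtils.TLS_CIPHERSUITES`, disabled-protocol message) should return; every other path should rethrow, and the trailing catch-all can be deleted since `main` already declares `throws Exception`. Matching the full exception message text is brittle; if the message must be inspected, document why, or better, skip the test up front when the suite is not FIPS-approved. The same pattern is repeated in DTLSWontNegotiateV10, WeakCipherSuite, CriticalSubjectAltName, SSLEngine/Arrays and NoAuthClientAuth.
```java
        try {
            testCase.runTest(testCase);
        } catch (javax.net.ssl.SSLHandshakeException sslhe) {
            // In FIPS mode a suite outside the approved list is expected to be
            // rejected with the disabled-protocol message; anything else is a failure.
            boolean expectedFipsRejection = SecurityUtils.isFIPS()
                    && !SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)
                    && "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage());
            if (!expectedFipsRejection) {
                throw sslhe;
            }
            System.out.println("Expected exception msg: is caught");
        }
```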
+++ b/test/jdk/javax/net/ssl/DTLS/DTLSSignatureSchemes.java @@ -38,6 +38,9 @@ import javax.net.ssl.SSLParameters; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /** * Test DTLS client authentication. */ @@ -67,7 +70,9 @@ SSLEngine createSSLEngine(boolean isClient) throws Exception { } public static void main(String[] args) throws Exception { - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } runTest(new String[] { "ecdsa_secp256r1_sha256", diff --git a/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java b/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java index f8b72005527..8c32eeebeaa 100644 --- a/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java +++ b/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java @@ -32,6 +32,9 @@ import java.util.List; import java.util.concurrent.atomic.AtomicInteger; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /* * @test * @bug 8301381 @@ -51,7 +54,9 @@ public class DTLSWontNegotiateV10 { private static final int READ_TIMEOUT_SECS = Integer.getInteger("readtimeout", 30); public static void main(String[] args) throws Exception { - if (args[0].equals(DTLSV_1_0)) { + + if (args[0].equals(DTLSV_1_0) + && !(SecurityUtils.isFIPS())) { SecurityUtils.removeFromDisabledTlsAlgs(DTLSV_1_0); } 
@@ -74,6 +79,26 @@ public static void main(String[] args) throws Exception { break; } catch (SocketTimeoutException exc) { System.out.println("The server timed-out waiting for packets from the client."); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (SecurityUtils.isFIPS()) { + if(!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + sslhe.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslhe.printStackTrace(); + return; + } } } if (tries == totalAttempts) { diff --git a/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java b/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java index d9bb38ec15a..cc62d4df5cd 100644 --- a/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java +++ b/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java @@ -41,6 +41,9 @@ import javax.net.ssl.SSLEngine; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /** * Test common DTLS weak cipher suites. */ 
@@ -52,13 +55,40 @@ public class WeakCipherSuite extends DTLSOverDatagram { public static void main(String[] args) throws Exception { // reset security properties to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - Security.setProperty("jdk.certpath.disabledAlgorithms", ""); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + Security.setProperty("jdk.certpath.disabledAlgorithms", ""); + } cipherSuite = args[0]; WeakCipherSuite testCase = new WeakCipherSuite(); - testCase.runTest(testCase); + try { + testCase.runTest(testCase); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (SecurityUtils.isFIPS()) { + if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + sslhe.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslhe.printStackTrace(); + return; + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } @Override diff --git a/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java b/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java index b1ef64ef88a..47cdd0bc5cf 100644 --- a/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java +++ b/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java @@ -292,4 +292,4 @@ public void run() { doClientSide(); } } -} +} \ No newline at end of file 
diff --git a/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java b/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java index cb11b17ebb5..6c08e7c3445 100644 --- a/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java +++ b/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java @@ -31,6 +31,7 @@ * @bug 6668231 * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to * fail trusted checks + * @library /test/lib * @run main/othervm CriticalSubjectAltName * @author Xuelei Fan */ @@ -53,6 +54,9 @@ import java.security.Security; import java.security.cert.Certificate; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class CriticalSubjectAltName implements HostnameVerifier { /* * ============================================================= @@ -160,10 +164,12 @@ void doClientSide() throws Exception { public static void main(String[] args) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. - Security.setProperty("jdk.certpath.disabledAlgorithms", - "MD2, RSA keySize < 1024"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "SSLv3, RC4, DH keySize < 768"); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", + "MD2, RSA keySize < 1024"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "SSLv3, RC4, DH keySize < 768"); + } String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + 
@@ -172,6 +178,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (SecurityUtils.isFIPS()) { + keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); @@ -183,7 +194,29 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new CriticalSubjectAltName(); + try { + new CriticalSubjectAltName(); + } catch (Exception e) { + if (SecurityUtils.isFIPS()) { + if (e instanceof java.security.cert.CertPathValidatorException) { + if ("Algorithm constraints check failed on signature algorithm: MD5withRSA".equals(e.getMessage())) { + System.out.println("MD5withRSA is not a supported signature algorithm."); + return; + } else { + System.out.println("Unexpected exception msg: <" + e.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + e.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + e.printStackTrace(); + return; + } + } } Thread clientThread = null; diff --git a/test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java b/test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java index 87ffef9c0f8..349e97697ae 100644 --- a/test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java +++ b/test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java 
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,235 +21,81 @@ * questions. */ -/* +/** * @test - * @bug 4482187 - * @summary HttpsClient tests are failing for build 71 - * @run main/othervm GetResponseCode - * - * SunJSSE does not support dynamic system properties, no way to re-use - * system properties in samevm/agentvm mode. - * - * @author Yingxian Wang + * @bug 4191815 + * @library /test/lib + * @summary Check that getResponseCode doesn't throw exception if http + * respone code is >= 400. */ -import java.io.*; import java.net.*; -import javax.net.ssl.*; -import java.security.cert.Certificate; - -public class GetResponseCode implements HostnameVerifier { - /* - * ============================================================= - * Set the various variables needed for the tests, then - * specify what tests to run on each side. - */ - - /* - * Should we run the client or server in a separate thread? - * Both sides can throw exceptions, but do you have a preference - * as to which side should be the main thread. - */ - static boolean separateServerThread = true; - - /* - * Where do we find the keystores? - */ - static String pathToStores = "../etc"; - static String keyStoreFile = "keystore"; - static String trustStoreFile = "truststore"; - static String passwd = "passphrase"; - - /* - * Is the server ready to serve? - */ - volatile static boolean serverReady = false; +import java.io.*; - /* - * Turn on SSL debugging? - */ - static boolean debug = false; +import jdk.test.lib.net.URIBuilder; - /* - * If the client or server is doing some kind of object creation - * that the other side depends on, and that thread prematurely - * exits, you may experience a hang. The test harness will - * terminate all hung threads after its timeout has expired, - * currently 3 minutes by default, but you might try to be - * smart about it.... - */ +public class GetResponseCode implements Runnable { - /* - * Define the server side of the test. 
- * - * If the server prematurely exits, serverReady will be set to true - * to avoid infinite hangs. - */ - void doServerSide() throws Exception { - SSLServerSocketFactory sslssf = - (SSLServerSocketFactory) SSLServerSocketFactory.getDefault(); - SSLServerSocket sslServerSocket = - (SSLServerSocket) sslssf.createServerSocket(serverPort); - serverPort = sslServerSocket.getLocalPort(); - - /* - * Signal Client, we're ready for his connect. - */ - serverReady = true; - - SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept(); - OutputStream sslOS = sslSocket.getOutputStream(); - BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(sslOS)); - bw.write("HTTP/1.1 200 OK\r\n\r\n\r\n"); - bw.flush(); - Thread.sleep(5000); - sslSocket.close(); - } + ServerSocket ss; /* - * Define the client side of the test. - * - * If the server prematurely exits, serverReady will be set to true - * to avoid infinite hangs. + * Our "http" server to return a 404 */ - void doClientSide() throws Exception { - - /* - * Wait for server to get started. 
- */ - while (!serverReady) { - Thread.sleep(50); - } - - URL url = new URL("https://localhost:"+serverPort+"/index.html"); - HttpsURLConnection urlc = (HttpsURLConnection)url.openConnection(); - urlc.setHostnameVerifier(this); - urlc.getInputStream(); - - if (urlc.getResponseCode() == -1) { - throw new RuntimeException("getResponseCode() returns -1"); + public void run() { + try { + Socket s = ss.accept(); + + PrintStream out = new PrintStream( + new BufferedOutputStream( + s.getOutputStream() )); + + /* send the header */ + out.print("HTTP/1.1 404 Not Found\r\n"); + out.print("Content-Type: text/html; charset=iso-8859-1\r\n"); + out.print("Connection: close\r\n"); + out.print("\r\n"); + out.print(""); + out.print("404 Not Found"); + out.print("The requested URL was not found."); + out.print(""); + out.flush(); + + /* + * Sleep added to avoid connection reset + * on the client side + */ + Thread.sleep(1000); + s.close(); + ss.close(); + } catch (Exception e) { + e.printStackTrace(); } } - /* - * ============================================================= - * The remainder is just support stuff - */ - - // use any free port by default - volatile int serverPort = 0; - - volatile Exception serverException = null; - volatile Exception clientException = null; - - public static void main(String[] args) throws Exception { - String keyFilename = - System.getProperty("test.src", "./") + "/" + pathToStores + - "/" + keyStoreFile; - String trustFilename = - System.getProperty("test.src", "./") + "/" + pathToStores + - "/" + trustStoreFile; - - System.setProperty("javax.net.ssl.keyStore", keyFilename); - System.setProperty("javax.net.ssl.keyStorePassword", passwd); - System.setProperty("javax.net.ssl.trustStore", trustFilename); - System.setProperty("javax.net.ssl.trustStorePassword", passwd); - - if (debug) - System.setProperty("javax.net.debug", "all"); - - /* - * Start the tests. 
- */ - new GetResponseCode(); - } + GetResponseCode() throws Exception { - Thread clientThread = null; - Thread serverThread = null; + /* start the server */ + ss = new ServerSocket(); + ss.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0)); + (new Thread(this)).start(); - /* - * Primary constructor, used to drive remainder of the test. - * - * Fork off the other side, then do your work. - */ - GetResponseCode() throws Exception { - if (separateServerThread) { - startServer(true); - startClient(false); - } else { - startClient(true); - startServer(false); - } + /* establish http connection to server */ + URL url = URIBuilder.newBuilder() + .scheme("http") + .loopback() + .port(ss.getLocalPort()) + .path("/missing.nohtml") + .toURL(); - /* - * Wait for other side to close down. - */ - if (separateServerThread) { - serverThread.join(); - } else { - clientThread.join(); - } + HttpURLConnection http = (HttpURLConnection) url.openConnection(Proxy.NO_PROXY); - /* - * When we get here, the test is pretty much over. - * - * If the main thread excepted, that propagates back - * immediately. If the other thread threw an exception, we - * should report back. - */ - if (serverException != null) - throw serverException; - if (clientException != null) - throw clientException; - } + int respCode = http.getResponseCode(); - void startServer(boolean newThread) throws Exception { - if (newThread) { - serverThread = new Thread() { - public void run() { - try { - doServerSide(); - } catch (Exception e) { - /* - * Our server thread just died. - * - * Release the client, if not active already... 
- */ - System.err.println("Server died..."); - serverReady = true; - serverException = e; - } - } - }; - serverThread.start(); - } else { - doServerSide(); - } - } + http.disconnect(); - void startClient(boolean newThread) throws Exception { - if (newThread) { - clientThread = new Thread() { - public void run() { - try { - doClientSide(); - } catch (Exception e) { - /* - * Our client thread just died. - */ - System.err.println("Client died..."); - clientException = e; - } - } - }; - clientThread.start(); - } else { - doClientSide(); - } } - // Simple test method to blindly agree that hostname and certname match - public boolean verify(String hostname, SSLSession session) { - return true; + public static void main(String args[]) throws Exception { + new GetResponseCode(); } -} +} \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/SSLEngine/ArgCheck.java b/test/jdk/javax/net/ssl/SSLEngine/ArgCheck.java index 4781d15972b..b715ce09a5e 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/ArgCheck.java +++ b/test/jdk/javax/net/ssl/SSLEngine/ArgCheck.java @@ -27,7 +27,7 @@ * @summary Add scatter/gather APIs for SSLEngine * * Check to see if the args are being parsed properly. - * + * @library /test/lib */ import javax.net.ssl.*; diff --git a/test/jdk/javax/net/ssl/SSLEngine/Arrays.java b/test/jdk/javax/net/ssl/SSLEngine/Arrays.java index c5639229e07..56b76377c02 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/Arrays.java +++ b/test/jdk/javax/net/ssl/SSLEngine/Arrays.java @@ -41,7 +41,9 @@ import java.io.*; import java.security.*; import java.nio.*; +import java.util.*; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; public class Arrays { 
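Review bot: This hunk replaces the body of `javax/net/ssl/HttpsURLConnection/GetResponseCode.java` with a different test: `@bug` changes from 4482187 to 4191815, the `javax.net.ssl` imports, keystore system properties and `HostnameVerifier` are removed, and the new code opens a plain `http` URL against a `ServerSocket`, so the HTTPS `getResponseCode()` path this file exists for is no longer exercised. If the intent was to avoid the test under FIPS, gate the SSL setup with `SecurityUtils.isFIPS()` as the other files in this change do, rather than swapping in what appears to be the HTTP variant of the test. The new `run()` also swallows every server-side exception with `e.printStackTrace()`, so a failure in the server thread cannot fail the test, and the trailing newline at end of file was dropped.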
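Review bot: `import java.util.*;` is added to a class itself named `Arrays`, where the simple name `Arrays` always denotes the test class and the on-demand import cannot reach `java.util.Arrays`; if the import was added for `List`/`ArrayList` or similar, single-type imports (`import java.util.List;`) make that explicit and avoid the confusion for the next reader. I cannot see from the hunks which `java.util` types the file now uses.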
@@ -187,12 +189,14 @@ public static void main(String args[]) throws Exception { contextVersion = args[0]; // Re-enable context version if it is disabled. // If context version is SSLv3, TLSv1 needs to be re-enabled. - if (contextVersion.equals("SSLv3")) { - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1"); - } else if (contextVersion.equals("TLSv1") || - contextVersion.equals("TLSv1.1")) { - SecurityUtils.removeFromDisabledTlsAlgs(contextVersion); - } + if (!(SecurityUtils.isFIPS())) { + if (contextVersion.equals("SSLv3")) { + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1"); + } else if (contextVersion.equals("TLSv1") || + contextVersion.equals("TLSv1.1")) { + SecurityUtils.removeFromDisabledTlsAlgs(contextVersion); + } + } Arrays test; @@ -200,7 +204,32 @@ public static void main(String args[]) throws Exception { test.createSSLEngines(); - test.runTest(); + try { + test.runTest(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (SecurityUtils.isFIPS()) { + if(!SecurityUtils.TLS_PROTOCOLS.contains(contextVersion)) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + sslhe.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslhe.printStackTrace(); + return; + } + } catch (Exception e) { + e.printStackTrace(); + return; + } System.err.println("Test Passed."); } diff --git a/test/jdk/javax/net/ssl/SSLEngine/Basics.java b/test/jdk/javax/net/ssl/SSLEngine/Basics.java index 0ee7bfd7738..a5ad06b4d6e 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/Basics.java +++ b/test/jdk/javax/net/ssl/SSLEngine/Basics.java 
@@ -41,6 +41,7 @@ import javax.net.ssl.*; import javax.net.ssl.SSLEngineResult.*; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; public class Basics { @@ -57,12 +58,16 @@ public class Basics { "/" + TRUSTSTORE_FILE; public static void main(String[] args) throws Exception { - // Re-enable TLSv1.1 and TLS_RSA_* since test depends on it. - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLS_RSA_*"); + if (!(SecurityUtils.isFIPS())) { + // Re-enable TLSv1.1 and TLS_RSA_* since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLS_RSA_*"); + runTest("TLSv1.1", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"); + } runTest("TLSv1.3", "TLS_AES_256_GCM_SHA384"); - runTest("TLSv1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384"); - runTest("TLSv1.1", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"); + if (!(SecurityUtils.isFIPS())) { + runTest("TLSv1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384"); + } } private static void runTest(String protocol, String cipherSuite) throws Exception { diff --git a/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java b/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java index 7a7ecdffa5d..e38126c2126 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java +++ b/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java @@ -25,9 +25,8 @@ * @test * @bug 4948079 * @summary Verify return values from SSLEngine wrap/unwrap (TLSv1.2) operations - * + * @library /test/lib * @run main CheckTlsEngineResults - * * @author Brad Wetmore */ @@ -41,6 +40,9 @@ import java.security.*; import java.nio.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class CheckTlsEngineResults { private final SSLContext SSL_CONTEXT; 
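Review bot: The two separate `if (!(SecurityUtils.isFIPS()))` blocks in `main` also change the non-FIPS run order from TLSv1.3, TLSv1.2, TLSv1.1 to TLSv1.1, TLSv1.3, TLSv1.2, which is not mentioned in the change; if order is irrelevant, evaluate the mode once and keep the original sequence under one guard, e.g. `boolean fips = SecurityUtils.isFIPS();` then `runTest("TLSv1.3", ...); if (!fips) { runTest("TLSv1.2", ...); runTest("TLSv1.1", ...); }` with the re-enable call inside the same block. A one-line comment such as `// TLS_RSA_* suites and TLSv1.1 are not available in FIPS mode` would document why those two runs are skipped.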
@@ -126,8 +128,15 @@ private void test() throws Exception { SSLEngineResult result1; // clientEngine's results from last operation SSLEngineResult result2; // serverEngine's results from last operation - String [] suite1 = new String [] { - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" }; + String[] suite1; + if (!(SecurityUtils.isFIPS())) { + suite1 = new String [] { + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" }; + } else { + suite1 = new String [] { + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" }; + } + String [] suite2 = new String [] { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" }; @@ -153,7 +162,7 @@ private void test() throws Exception { result2 = serverEngine.unwrap(clientToServer, serverIn); checkResult(clientToServer, serverIn, result2, - Status.OK, HandshakeStatus.NEED_TASK, result1.bytesProduced(), 0); + Status.OK, HandshakeStatus.NEED_TASK, result1.bytesProduced(), 0); runDelegatedTasks(serverEngine); clientToServer.compact(); diff --git a/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java b/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java index e1ed18e9fde..ec0d1520db0 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java +++ b/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java @@ -27,7 +27,7 @@ * @summary Add non-blocking SSL/TLS functionality, usable with any * I/O abstraction * @author Brad Wetmore - * + * @library /test/lib * @run main/othervm ConnectionTest TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 * @run main/othervm ConnectionTest TLSv1.3 TLS_AES_256_GCM_SHA384 */ @@ -44,6 +44,9 @@ import java.security.*; import java.nio.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class ConnectionTest { private final SSLEngine clientEngine; 
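Review bot: In FIPS mode `suite1` now holds the same suite as `suite2` (`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`), so whatever `test()` later verifies by switching from `suite1` to `suite2` (outside this hunk) becomes a no-op under FIPS; if the two arrays are meant to differ, choose a distinct FIPS-approved suite for `suite1`, otherwise add a comment stating the switch is intentionally identical in FIPS mode. The `if`/`else` could be a single ternary assignment, and `new String [] {` uses the old spacing while the new declaration reads `String[] suite1;`. The second hunk in this file is whitespace-only.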
@@ -93,6 +96,7 @@ public ConnectionTest(String enabledProtocol, String enabledCipherSuite) private SSLContext getSSLContext() throws Exception { KeyStore ks = KeyStore.getInstance("JKS"); KeyStore ts = KeyStore.getInstance("JKS"); + char[] passphrase = "passphrase".toCharArray(); ks.load(new FileInputStream(KEYSTORE_PATH), passphrase); @@ -597,7 +601,9 @@ private static void log(Object msg) { public static void main(String args[]) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } log(String.format("Running with %s and %s%n", args[0], args[1])); ConnectionTest ct = new ConnectionTest(args[0], args[1]); diff --git a/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java b/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java index 57eda1c2a42..50f59b0e4b3 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java +++ b/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java @@ -39,6 +39,8 @@ import static javax.net.ssl.SSLEngineResult.HandshakeStatus.*; import jdk.test.lib.security.SecurityUtils; +import jdk.test.lib.Utils; + public class EngineCloseOnAlert { private static final String PATH_TO_STORES = "../etc"; 
@@ -55,16 +57,20 @@ public class EngineCloseOnAlert { private static KeyManagerFactory KMF; private static TrustManagerFactory TMF; - private static final String[] ONECIPHER = - { "TLS_RSA_WITH_AES_128_CBC_SHA" }; + private static final String[] ONECIPHER = (SecurityUtils.isFIPS()) ? + new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" } : new String[] { "TLS_RSA_WITH_AES_128_CBC_SHA" }; + public interface TestCase { public void runTest() throws Exception; } public static void main(String[] args) throws Exception { - // Re-enable TLS_RSA_* since test depends on it. - SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); + if (!(SecurityUtils.isFIPS())) { + // Re-enable TLS_RSA_* since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); + } + int failed = 0; List testMatrix = new LinkedList() {{ add(clientReceivesAlert); diff --git a/test/jdk/javax/net/ssl/SSLEngine/ExtendedKeyEngine.java b/test/jdk/javax/net/ssl/SSLEngine/ExtendedKeyEngine.java index 334091d7310..89602cbdc6d 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/ExtendedKeyEngine.java +++ b/test/jdk/javax/net/ssl/SSLEngine/ExtendedKeyEngine.java @@ -26,7 +26,6 @@ * @bug 4981697 * @summary Rework the X509KeyManager to avoid incompatibility issues * @author Brad R. Wetmore - * * @run main/othervm -Djdk.tls.acknowledgeCloseNotify=true ExtendedKeyEngine */ diff --git a/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java b/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java index 76c181ccff4..4d0ac5e904d 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java +++ b/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java @@ -29,7 +29,7 @@ * * This is to test larger buffer arrays, and make sure the maximum * is being passed. - * + * @library /test/lib * @run main/othervm -Djsse.enableCBCProtection=false LargeBufs * * @author Brad R. Wetmore 
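Review bot: The new `ONECIPHER` initializer is one line far past the usual column limit; break the ternary so each branch is on its own line, `private static final String[] ONECIPHER = SecurityUtils.isFIPS()` / `? new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" }` / `: new String[] { "TLS_RSA_WITH_AES_128_CBC_SHA" };`. A short comment that TLS_RSA_* suites are unavailable in FIPS mode would explain the ECDHE substitution, and note that this static initializer now calls `SecurityUtils.isFIPS()` before `main` runs, which I assume is side-effect free.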
@@ -43,6 +43,9 @@ import java.nio.*; import java.util.Random; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class LargeBufs { private static boolean debug = true; @@ -181,17 +184,22 @@ private void runTest(String cipher) throws Exception { } public static void main(String args[]) throws Exception { - // reset the security property to make sure that the algorithms - // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - LargeBufs test; - test = new LargeBufs(); - test.runTest("SSL_RSA_WITH_RC4_128_MD5"); - - test = new LargeBufs(); - test.runTest("SSL_RSA_WITH_3DES_EDE_CBC_SHA"); + if (!(SecurityUtils.isFIPS())) { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + test = new LargeBufs(); + test.runTest("SSL_RSA_WITH_RC4_128_MD5"); + test = new LargeBufs(); + test.runTest("SSL_RSA_WITH_3DES_EDE_CBC_SHA"); + } else { + test = new LargeBufs(); + test.runTest("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"); + test = new LargeBufs(); + test.runTest("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"); + } System.out.println("Test Passed."); } diff --git a/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java b/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java index 208fb3935ae..6b7edeafb78 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java +++ b/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java @@ -30,6 +30,7 @@ * @test * @bug 4495742 8190492 * @summary Demonstrate SSLEngine switch from no client auth to client auth. + * @library /test/lib * @run main/othervm NoAuthClientAuth SSLv3 * @run main/othervm NoAuthClientAuth TLSv1 * @run main/othervm NoAuthClientAuth TLSv1.1 
@@ -82,6 +83,9 @@ import java.security.*; import java.nio.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + // Note that this test case depends on JSSE provider implementation details. public class NoAuthClientAuth { @@ -140,16 +144,49 @@ public class NoAuthClientAuth { * Main entry point for this test. */ public static void main(String args[]) throws Exception { - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + tlsProtocol = args[0]; + } else { + if (SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { + tlsProtocol = args[0]; + } + } + // if (tlsProtocol == null) { + // return; + // } if (debug) { System.setProperty("javax.net.debug", "all"); } - tlsProtocol = args[0]; - NoAuthClientAuth test = new NoAuthClientAuth(); - test.runTest(); + try { + test.runTest(); + } catch (java.lang.IllegalArgumentException iae) { + if (SecurityUtils.isFIPS()) { + if (tlsProtocol == null) { + if ("Unsupported protocolnull".equals(iae.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + iae.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + iae.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + iae.printStackTrace(); + return; + } + } catch (Exception e) { + e.printStackTrace(); + return; + } System.out.println("Test Passed."); } diff --git a/test/jdk/javax/net/ssl/SSLEngine/SSLEngineResultArgs.java b/test/jdk/javax/net/ssl/SSLEngine/SSLEngineResultArgs.java index 3685dca64df..079b6d535ed 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/SSLEngineResultArgs.java +++ b/test/jdk/javax/net/ssl/SSLEngine/SSLEngineResultArgs.java 
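Review bot: In FIPS mode with a protocol not in `SecurityUtils.TLS_PROTOCOLS`, `tlsProtocol` is left `null`, the null is deliberately driven into `runTest()`, and the failure is then recognised by comparing against the message `"Unsupported protocolnull"`; the commented-out `// if (tlsProtocol == null) { return; }` shows the simpler intent. Restore that as a real early exit with a log line, e.g. `if (tlsProtocol == null) { System.out.println("Skipping: " + args[0] + " is not supported in FIPS mode"); return; }`, delete the commented-out block, and drop the `IllegalArgumentException` message matching. As in CipherSuite.java, the remaining `return` paths after an unexpected exception and the trailing `catch (Exception e)` should rethrow so the test can still fail.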
@@ -25,7 +25,6 @@ * @test * @bug 4965868 * @summary SSLEngineResult constructor needs null argument description - * * @author Brad Wetmore */ diff --git a/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java b/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java index 67387bd1661..95832ae9d5b 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java +++ b/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java @@ -38,6 +38,7 @@ * @author Brad Wetmore */ +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; import javax.net.ssl.*; @@ -89,7 +90,25 @@ private void createSSLEngines() { } private void test() throws Exception { - String [] suites = clientEngine.getEnabledCipherSuites(); + List tmpCipherSuites = new ArrayList<>(); + String [] suites; + if (SecurityUtils.isFIPS()) { + for (String ciphersuite : clientEngine.getEnabledCipherSuites()) { + if (!SecurityUtils.TLS_CIPHERSUITES.containsKey(ciphersuite)) { + continue; + } + if (!SecurityUtils.TLS_CIPHERSUITES.get(ciphersuite).equals(PROTOCOL)) { + continue; + } + tmpCipherSuites.add(ciphersuite); + } + if (tmpCipherSuites.size() == 0) { + return; + } + suites = tmpCipherSuites.toArray(new String[0]); + } else { + suites = clientEngine.getEnabledCipherSuites(); + } System.out.println("Enabled cipher suites for protocol " + PROTOCOL + ": " + Arrays.toString(suites)); for (String suite: suites){ 
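Review bot: `List tmpCipherSuites = new ArrayList<>();` in `test()` is a raw type; declare it `List<String> tmpCipherSuites = new ArrayList<>();` (the same raw `List` appears in `SSLEngineExplorer.parseArguments` later in this commit). When the FIPS filter leaves no suite, `if (tmpCipherSuites.size() == 0) { return; }` ends `test()` silently and the run passes without a single handshake; at minimum log it, e.g. `System.out.println("No enabled cipher suite for " + PROTOCOL + " under FIPS, nothing to test");`, so a vacuous pass is visible in the jtreg output, and `isEmpty()` reads better than `size() == 0`. `test()` continues past the end of this hunk.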
@@ -224,11 +243,17 @@ public static void main(String args[]) throws Exception {
 if (args.length < 1) {
 throw new RuntimeException("Missing TLS protocol parameter.");
 }
-
- switch(args[0]) {
- case "TLSv1.1" -> SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
- case "TLSv1.3" -> SecurityUtils.addToDisabledTlsAlgs("TLSv1.2");
- }
+ if (!(SecurityUtils.isFIPS())) {
+ switch(args[0]) {
+ case "TLSv1.1" -> SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
+ case "TLSv1.3" -> SecurityUtils.addToDisabledTlsAlgs("TLSv1.2");
+ }
+ }
+ // else {
+ // if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) {
+ // return;
+ // }
+ // }
 
 TestAllSuites testAllSuites = new TestAllSuites(args[0]);
 testAllSuites.createSSLEngines();
diff --git a/test/jdk/javax/net/ssl/SSLParameters/NamedGroups.java b/test/jdk/javax/net/ssl/SSLParameters/NamedGroups.java
index fc5001e89b8..0329c20db0e 100644
--- a/test/jdk/javax/net/ssl/SSLParameters/NamedGroups.java
+++ b/test/jdk/javax/net/ssl/SSLParameters/NamedGroups.java
@@ -29,6 +29,7 @@
 * @bug 8281236
 * @summary Check TLS connection behaviors for named groups configuration
 * @library /javax/net/ssl/templates
+ * /test/lib
 * @run main/othervm NamedGroups
 */
 
@@ -37,6 +38,9 @@
 import javax.net.ssl.SSLSocket;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 public class NamedGroups extends SSLSocketTemplate {
 private final String[] serverNamedGroups;
 private final String[] clientNamedGroups;
@@ -91,7 +95,9 @@ protected void runClientApplication(SSLSocket sslSocket) throws Exception {
 }
 
 public static void main(String[] args) throws Exception {
- Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ if (!(SecurityUtils.isFIPS())) {
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ }
 
 runTest(new String[] {
 "x25519",
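Review bot: The five commented-out lines after the `if (!(SecurityUtils.isFIPS()))` block in `main` are dead code; either delete them or make the check live so a FIPS run with a protocol outside `SecurityUtils.TLS_PROTOCOLS` is reported instead of relying on whatever `createSSLEngines()`/`test()` do with it. If the intent is to skip, say so on the console rather than returning silently: `System.out.println(args[0] + " is not supported in FIPS mode, skipping"); return;`. `main` continues past the end of this hunk.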
diff --git a/test/jdk/javax/net/ssl/SSLParameters/SignatureSchemes.java b/test/jdk/javax/net/ssl/SSLParameters/SignatureSchemes.java
index 7dadeff5703..88bc14203d5 100644
--- a/test/jdk/javax/net/ssl/SSLParameters/SignatureSchemes.java
+++ b/test/jdk/javax/net/ssl/SSLParameters/SignatureSchemes.java
@@ -29,6 +29,7 @@
 * @bug 8280494
 * @summary (D)TLS signature schemes
 * @library /javax/net/ssl/templates
+ * /test/lib
 * @run main/othervm SignatureSchemes
 */
 
@@ -37,6 +38,9 @@
 import javax.net.ssl.SSLSocket;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 public class SignatureSchemes extends SSLSocketTemplate {
 private final String[] serverSignatureSchemes;
 private final String[] clientSignatureSchemes;
@@ -91,7 +95,9 @@ protected void runClientApplication(SSLSocket sslSocket) throws Exception {
 }
 
 public static void main(String[] args) throws Exception {
- Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ if (!(SecurityUtils.isFIPS())) {
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ }
 
 runTest(new String[] {
 "ecdsa_secp256r1_sha256",
diff --git a/test/jdk/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java b/test/jdk/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java
index 58e387bcdad..3f9b58f5560 100644
--- a/test/jdk/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java
+++ b/test/jdk/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java
@@ -30,6 +30,7 @@
 * @test
 * @bug 7188657
 * @summary There should be a way to reorder the JSSE ciphers
+ * @library /test/lib
 * @run main/othervm UseCipherSuitesOrder
 * TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 */
@@ -39,6 +40,9 @@
 import javax.net.ssl.*;
 import java.util.Arrays;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 public class UseCipherSuitesOrder {
 
 /*
@@ -174,6 +178,10 @@ private static void parseArguments(String[] args) throws Exception {
 throw new Exception("Need to enable at least two cipher suites");
 }
 
+ if (SecurityUtils.isFIPS()) {
+ cliEnabledCipherSuites = new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"};
+ }
+
 // Only need to use 2 cipher suites in server side.
 srvEnabledCipherSuites = Arrays.copyOf(
 cliEnabledCipherSuites, 2);
@@ -197,7 +205,9 @@ private static void parseArguments(String[] args) throws Exception {
 public static void main(String[] args) throws Exception {
 // reset the security property to make sure that the algorithms
 // and keys used in this test are not disabled.
- Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ if (!(SecurityUtils.isFIPS())) {
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ }
 
 // parse the arguments
 parseArguments(args);
@@ -209,6 +219,11 @@ public static void main(String[] args) throws Exception {
 System.getProperty("test.src", ".") + "/" + pathToStores +
 "/" + trustStoreFile;
 
+ if (SecurityUtils.isFIPS()) {
+ keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd);
+ trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd);
+ }
+
 System.setProperty("javax.net.ssl.keyStore", keyFilename);
 System.setProperty("javax.net.ssl.keyStorePassword", passwd);
 System.setProperty("javax.net.ssl.trustStore", trustFilename);
diff --git a/test/jdk/javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java b/test/jdk/javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java
index c6e9753a2c1..7d2467c46dd 100644
--- a/test/jdk/javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java
+++ b/test/jdk/javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java
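Review bot: The new FIPS block in `parseArguments` assigns `cliEnabledCipherSuites` after the command-line list has already been parsed and validated, so under FIPS the `@run` argument and the "Need to enable at least two cipher suites" check above it are silently overridden and the test always runs with the two hard-coded ECDHE suites. Either apply the override before that validation or make it visible in the log: `System.out.println("FIPS mode: overriding cipher suites with " + Arrays.toString(cliEnabledCipherSuites));`. The array literal runs well past 120 columns and should be wrapped one suite per line. `parseArguments` starts above this hunk.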
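Review bot: The four-line `if (SecurityUtils.isFIPS()) { keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = ...; }` block in `main` is pasted verbatim into eight tests in this commit (HttpsURLConnectionLocalCertificateChain, JSSERenegotiate, RenegotiateTLS13, SSLCtxAccessToSessCtx, SessionCacheSizeTests, SessionTimeOutTests and BestEffortOnLazyConnected as well); a single helper in `SecurityUtils` taking the two paths and the password, returning them converted only when FIPS is on, would keep each test to one line and one place to fix. What `revertJKSToPKCS12` does with the path is not visible here — presumably it writes a converted store next to the original or into the scratch directory — so a comment at this first use saying where the PKCS12 file lands and whether it is cleaned up would help anyone debugging a FIPS run. `main` continues outside this hunk.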
@@ -24,6 +24,7 @@ /* * @test * @bug 4395238 4354003 4387961 4395266 + * @library /test/lib * @summary A test of many of the new functionality to go into JSSE 1.1 * Fixed 4395238: The new certificate chains APIs should really be * returning certs, not x509 certs @@ -42,6 +43,9 @@ import javax.net.ssl.*; import java.security.cert.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class HttpsURLConnectionLocalCertificateChain implements HandshakeCompletedListener, HostnameVerifier { @@ -211,7 +215,6 @@ void doClientSide() throws Exception { myURLc = (HttpsURLConnection) myURL.openConnection(); myURLc.setHostnameVerifier(this); myURLc.connect(); - InputStream sslIS = myURLc.getInputStream(); System.out.println("Client reading..."); @@ -245,6 +248,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (SecurityUtils.isFIPS()) { + keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java b/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java index 435dd2345d6..8bee221b1b0 100644 --- a/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java +++ b/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java @@ -24,6 +24,7 @@ /* * @test * @bug 4280338 + * @library /test/lib * @summary "Unsupported SSL message version" SSLProtocolException * w/SSL_RSA_WITH_NULL_MD5 * @run main/othervm JSSERenegotiate 
@@ -40,10 +41,13 @@ import java.security.Security; import javax.net.ssl.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class JSSERenegotiate { - static final String suite1 = "SSL_RSA_WITH_NULL_MD5"; - static final String suite2 = "SSL_RSA_WITH_NULL_SHA"; + static String suite1; + static String suite2; static final String dataString = "This is a test"; @@ -193,7 +197,9 @@ void doClientSide() throws Exception { public static void main(String[] args) throws Exception { // reset the security property to make sure that the cipher suites // used in this test are not disabled - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + @@ -202,6 +208,16 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (SecurityUtils.isFIPS()) { + keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd); + suite1 = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; + suite2 = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"; + } else { + suite1 = "SSL_RSA_WITH_NULL_MD5"; + suite2 = "SSL_RSA_WITH_NULL_SHA"; + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/SSLSession/RenegotiateTLS13.java b/test/jdk/javax/net/ssl/SSLSession/RenegotiateTLS13.java index 9495ee2d28a..3ecbfc30c22 100644 --- a/test/jdk/javax/net/ssl/SSLSession/RenegotiateTLS13.java +++ b/test/jdk/javax/net/ssl/SSLSession/RenegotiateTLS13.java @@ -23,6 +23,7 @@ /* * @test + * @library /test/lib * @run main/othervm -Djavax.net.debug=ssl RenegotiateTLS13 */ 
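Review bot: `suite1` and `suite2` lose `final` and become mutable statics that are only assigned part-way through `main`, so anything reading them before that point sees `null`. Keep them constants chosen at class-init time instead: `static final String suite1 = SecurityUtils.isFIPS() ? "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" : "SSL_RSA_WITH_NULL_MD5";` and likewise for `suite2`, and drop the assignments added in the later `main` hunk. This test's `@summary` names `SSL_RSA_WITH_NULL_MD5`; a comment beside the FIPS suites should say that under FIPS the renegotiation path is exercised with AES-CBC suites because the NULL-cipher suites are presumably unavailable there, so the original bug is not what the FIPS run covers.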
@@ -40,6 +41,9 @@
 import java.security.KeyStore;
 import java.security.SecureRandom;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 public class RenegotiateTLS13 {
 
 static final String dataString = "This is a test";
@@ -139,6 +143,11 @@ public static void main(String[] args) throws Exception {
 System.getProperty("test.src", "./") + "/" + pathToStores +
 "/" + trustStoreFile;
 
+ if (SecurityUtils.isFIPS()) {
+ keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd);
+ trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd);
+ }
+
 System.setProperty("javax.net.ssl.keyStore", keyFilename);
 System.setProperty("javax.net.ssl.keyStorePassword", passwd);
 System.setProperty("javax.net.ssl.trustStore", trustFilename);
diff --git a/test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java b/test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java
index d50a30bcc3c..330c6a22a65 100644
--- a/test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java
+++ b/test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java
@@ -24,6 +24,7 @@
 /*
 * @test
 * @bug 4473210
+ * @library /test/lib
 * @summary SSLSessionContext should be accessible from SSLContext
 * @run main/othervm -Djdk.tls.server.enableSessionTicketExtension=false
 * SSLCtxAccessToSessCtx
@@ -40,6 +41,9 @@
 import java.util.concurrent.atomic.AtomicInteger;
 import java.security.KeyStore;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 public class SSLCtxAccessToSessCtx {
 
 /*
@@ -172,6 +176,11 @@ public static void main(String[] args) throws Exception {
 System.getProperty("test.src", "./") + "/" + pathToStores +
 "/" + trustStoreFile;
 
+ if (SecurityUtils.isFIPS()) {
+ keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd);
+ trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd);
+ }
+
 System.setProperty("javax.net.ssl.keyStore", keyFilename);
 System.setProperty("javax.net.ssl.keyStorePassword", passwd);
 System.setProperty("javax.net.ssl.trustStore", trustFilename);
diff --git a/test/jdk/javax/net/ssl/SSLSession/SessionCacheSizeTests.java b/test/jdk/javax/net/ssl/SSLSession/SessionCacheSizeTests.java
index bd6891a3573..b1f084958b8 100644
--- a/test/jdk/javax/net/ssl/SSLSession/SessionCacheSizeTests.java
+++ b/test/jdk/javax/net/ssl/SSLSession/SessionCacheSizeTests.java
@@ -29,6 +29,7 @@
 /*
 * @test
 * @bug 4366807
+ * @library /test/lib
 * @summary Need new APIs to get/set session timeout and session cache size.
 * @run main/othervm SessionCacheSizeTests
 */
@@ -39,6 +40,9 @@
 import java.util.*;
 import java.security.*;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
 * Session cache size tests cover the following cases:
 * 1. Effect of system property javax.net.ssl.SessionCacheSize (this
@@ -305,6 +309,11 @@ public static void main(String[] args) throws Exception {
 System.getProperty("test.src", "./") + "/" + pathToStores +
 "/" + trustStoreFile;
 
+ if (SecurityUtils.isFIPS()) {
+ keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd);
+ trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd);
+ }
+
 System.setProperty("javax.net.ssl.keyStore", keyFilename);
 System.setProperty("javax.net.ssl.keyStorePassword", passwd);
 System.setProperty("javax.net.ssl.trustStore", trustFilename);
diff --git a/test/jdk/javax/net/ssl/SSLSession/SessionTimeOutTests.java b/test/jdk/javax/net/ssl/SSLSession/SessionTimeOutTests.java
index 18a31dd1dd1..525559b37c4 100644
--- a/test/jdk/javax/net/ssl/SSLSession/SessionTimeOutTests.java
+++ b/test/jdk/javax/net/ssl/SSLSession/SessionTimeOutTests.java
@@ -27,6 +27,7 @@
 /*
 * @test
 * @bug 4366807
+ * @library /test/lib
 * @summary Need new APIs to get/set session timeout and session cache size.
 * @run main/othervm SessionTimeOutTests
 */
@@ -41,6 +42,9 @@
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
 * Session reuse time-out tests cover the cases below:
 * 1. general test, i.e timeout is set to x and session invalidates when
@@ -332,6 +336,11 @@ public static void main(String[] args) throws Exception {
 System.getProperty("test.src", "./") + "/" + pathToStores +
 "/" + trustStoreFile;
 
+ if (SecurityUtils.isFIPS()) {
+ keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd);
+ trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd);
+ }
+
 System.setProperty("javax.net.ssl.keyStore", keyFilename);
 System.setProperty("javax.net.ssl.keyStorePassword", passwd);
 System.setProperty("javax.net.ssl.trustStore", trustFilename);
diff --git a/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java b/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java
index 4e56a9a655b..287cd8dbb66 100644
--- a/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java
+++ b/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java
@@ -34,6 +34,7 @@
 * 4701722 protocol mismatch exceptions should be consistent between
 * SSLv3 and TLSv1
 * @library /javax/net/ssl/templates
+ * @library /test/lib
 * @run main/othervm TestEnabledProtocols
 * @author Ram Marti
 */
@@ -52,6 +53,9 @@
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLSocket;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 public class TestEnabledProtocols extends SSLSocketTemplate {
 
 private final String[] serverProtocols;
@@ -165,121 +169,236 @@ private void failTest(Exception e, String message) { } public static void main(String[] args) throws Exception { - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - - runCase(new String[] { "TLSv1" }, - new String[] { "TLSv1" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1" }, - new String[] { "TLSv1", "SSLv2Hello" }, - true, null); - runCase(new String[] { "TLSv1" }, - new String[] { "TLSv1", "SSLv3" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1" }, - new String[] { "SSLv3", "SSLv2Hello" }, - true, null); - runCase(new String[] { "TLSv1" }, - new String[] { "SSLv3" }, - true, null); - runCase(new String[] { "TLSv1" }, - new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - true, null); - - runCase(new String[] { "TLSv1", "SSLv2Hello" }, - new String[] { "TLSv1" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv2Hello" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv3" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv2Hello" }, - new String[] { "SSLv3", "SSLv2Hello" }, - true, null); - runCase(new String[] { "TLSv1", "SSLv2Hello" }, - new String[] { "SSLv3" }, - true, null); - runCase(new String[] { "TLSv1", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - false, "TLSv1"); - - runCase(new String[] { "TLSv1", "SSLv3" }, - new String[] { "TLSv1" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv3" }, - new String[] { "TLSv1", "SSLv2Hello" }, - true, null); - runCase(new String[] { "TLSv1", "SSLv3" }, - new String[] { "TLSv1", "SSLv3" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv3" }, - new String[] { "SSLv3", "SSLv2Hello" }, - true, null); - runCase(new String[] { "TLSv1", "SSLv3" }, - new String[] { "SSLv3" }, - false, "SSLv3"); - runCase(new String[] { "TLSv1", "SSLv3" }, - new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - true, null); - - runCase(new 
String[] { "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1" }, - true, null); - runCase(new String[] { "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv2Hello" }, - true, null); - runCase(new String[] { "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv3" }, - false, "SSLv3"); - runCase(new String[] { "SSLv3", "SSLv2Hello" }, - new String[] { "SSLv3", "SSLv2Hello" }, - false, "SSLv3"); - runCase(new String[] { "SSLv3", "SSLv2Hello" }, - new String[] { "SSLv3" }, - false, "SSLv3"); - runCase(new String[] { "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - false, "SSLv3"); - - runCase(new String[] { "SSLv3" }, - new String[] { "TLSv1" }, - true, null); - runCase(new String[] { "SSLv3" }, - new String[] { "TLSv1", "SSLv2Hello" }, - true, null); - runCase(new String[] { "SSLv3" }, - new String[] { "TLSv1", "SSLv3" }, - false, "SSLv3"); - runCase(new String[] { "SSLv3" }, - new String[] { "SSLv3", "SSLv2Hello" }, - true, null); - runCase(new String[] { "SSLv3" }, - new String[] { "SSLv3" }, - false, "SSLv3"); - runCase(new String[] { "SSLv3" }, - new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - true, null); - - runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv2Hello" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv3" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - new String[] { "SSLv3", "SSLv2Hello" }, - false, "SSLv3"); - runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - new String[] { "SSLv3" }, - false, "SSLv3"); - runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - false, "TLSv1"); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + runCase(new String[] { "TLSv1" }, + new 
String[] { "TLSv1" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1", "SSLv3" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1" }, + new String[] { "SSLv3" }, + true, null); + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, null); + + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv2Hello" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "SSLv3" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + false, "TLSv1"); + + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1", "SSLv3" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "SSLv3" }, + false, "SSLv3"); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, null); + + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1" }, + true, null); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new 
String[] { "TLSv1", "SSLv3" }, + false, "SSLv3"); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3", "SSLv2Hello" }, + false, "SSLv3"); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3" }, + false, "SSLv3"); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + false, "SSLv3"); + + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1" }, + true, null); + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1", "SSLv3" }, + false, "SSLv3"); + runCase(new String[] { "SSLv3" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "SSLv3" }, + new String[] { "SSLv3" }, + false, "SSLv3"); + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, null); + + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv2Hello" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3", "SSLv2Hello" }, + false, "SSLv3"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3" }, + false, "SSLv3"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + false, "TLSv1"); + } else { + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1", "SSLv3" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + 
runCase(new String[] { "TLSv1" }, + new String[] { "SSLv3" }, + true, null); + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, null); + + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "SSLv3" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, "TLSv1"); + + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1", "SSLv3" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "SSLv3" }, + true, "SSLv3"); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, null); + + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1" }, + true, null); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3" }, + true, "SSLv3"); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, "SSLv3"); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3" }, + true, "SSLv3"); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", 
"SSLv3", "SSLv2Hello" }, + true, "SSLv3"); + + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1" }, + true, null); + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1", "SSLv3" }, + true, "SSLv3"); + runCase(new String[] { "SSLv3" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "SSLv3" }, + new String[] { "SSLv3" }, + true, "SSLv3"); + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, null); + + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, "SSLv3"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3" }, + true, "SSLv3"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, "TLSv1"); + } } private static void runCase( diff --git a/test/jdk/javax/net/ssl/SSLSocket/ClientExcOnAlert.java b/test/jdk/javax/net/ssl/SSLSocket/ClientExcOnAlert.java index 063befba3b7..4076a4c1f5b 100644 --- a/test/jdk/javax/net/ssl/SSLSocket/ClientExcOnAlert.java +++ b/test/jdk/javax/net/ssl/SSLSocket/ClientExcOnAlert.java @@ -31,6 +31,7 @@ * @bug 8242294 * @summary JSSE Client does not throw SSLException when an alert occurs during * handshaking. + * @library /test/lib * @run main/othervm ClientExcOnAlert TLSv1.2 * @run main/othervm ClientExcOnAlert TLSv1.3 */ 
@@ -55,6 +56,12 @@
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 public class ClientExcOnAlert {
 // This is a PKCS#12 keystore created with the following command:
 // keytool -genkeypair -alias testcert -keyalg rsa -keysize 2048
@@ -66,6 +73,62 @@ public class ClientExcOnAlert { // file. private static int serverPort = -1; private static final String KEYSTORE_PASS = "password"; + private static final String KEYSTORE_PEM_FIPS = + "MIIKSAIBAzCCCfIGCSqGSIb3DQEHAaCCCeMEggnfMIIJ2zCCBbIGCSqGSIb3DQEH\n" + + "AaCCBaMEggWfMIIFmzCCBZcGCyqGSIb3DQEMCgECoIIFQDCCBTwwZgYJKoZIhvcN\n" + + "AQUNMFkwOAYJKoZIhvcNAQUMMCsEFP7ZmvMWCdMoEl7dN3tGIJ/H07uaAgInEAIB\n" + + "IDAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQ6TSt7X56b5cBa+8RqrGDdASC\n" + + "BNCvTQBv3HX+NF9HoA8ugwD0Cg3bsbtcAC6GrBc99BP6blahV4L6AhbNUNOb3N/9\n" + + "UXjB1OObzBP9gOCDfsvKhbr5r6D5K62lvP8twyW/pMuoks0xm/VSmJyMCtSthX6x\n" + + "BIOhDiLA2G1GclENe5gtQRCk9uc28QhLSIJn42dA90q6MvO8dj1oTxQx1QvWZwvS\n" + + "7BSTYMg52TZ6KyxV8LTwDuYQImTN6Pfow/tdM0ilxu7pHVyCJQ4tYHPzAC5Pi7Bm\n" + + "WgPomFlFpzxzSX2MQHEMJMuUAycDhJHAKIfugOuxvpGr7j48/1AMLmrTPP+rlKWC\n" + + "WtCAImu3/OsZJcLs/yNDJLLvv+zMOrTwV/YLlQK2sRQWSgSfSiR9+hxElb0okdrj\n" + + "JR+TgE9tUNOF/8dDs6bZaX1mnKbsg6r4eDGMocoLAO+2NOayXLH7zzpIkzK4Kahz\n" + + "+b2tqwC7A4hRhweUeqphb6B5SvBaMTsM0qEtv9iM/JekRtvS1EW/TxYwNC9e90k0\n" + + "Agm10JrjFBEZP2nO54pHgwzaErIF5wX9RLTz2MQ3x50+ZYLnLiWWzdwd+znJia2i\n" + + "0WXZWDRT+5Jnt9MFvfwCq4QG4Q/aDnudRXvt1g7H5DaBBEpJmAuKEwZgdaPb5De9\n" + + "dX6aaTnOqsHed2vyv6sq3V4FRzqnAOTSZEg+N7d3U37U9+dIVJEyorEVxggGzNBM\n" + + "EYVuoJS/L033n1DF6HfOXZRDNSMQG/o435cyC6LedhgDSNGesJCli6R5mxl/fcRQ\n" + + "OO5ezuyGCxqP/7cj021gOsF7ksmAYRZ+/GLFHTjnkKcHgoRWDBBcf+PNH4cO85gi\n" + + "d064Y/OWHSarBVgVQ9bfSnppz7gldKmdx2lx/dOKFO9n/AJg4MuNmyXMmPPkHV+b\n" + + "X90O6GV6t20nkJ5vp9c8IJZI0piyVVg2ql6nHbg7uxGgq2PYjJO7FwwRQKFobzhb\n" + + "Rf2BmLE9OuQ8r+fkXwLTTViIvGbJtdIFz/6mJi09EgLb4wlpbMiO2+IzzioRxgSY\n" + + "1GfGugnRN//JkXK6jgv8SBd+bQMhlfzt0V7HIFQyMgUGCx/zX9/hpH5Lc1MI7s0+\n" + + "WPJo9pDt8QjBH6q/ftlXOLaGe5m1FpLhNx1uCrGEX3Dd7dKH8IPxPLb1mYlUF0jU\n" + + "J7vKLCDSdXr8gIr0lTliIHBKwIDGyYHc1KxXmtSFVwjeGqwoP7tYupCKBfoL8lsx\n" + + "8EV6edQt+oGv6UeUTbvz60G1LULTZM2QPjQBPKYpmpVqRq7tu2l3IdS7IZyLcBMz\n" + + 
"iphQpwlrwMTKgZN2OnuqOARB96fApQNFf9e3Nds2DdNC4ddm857wmOYC+0x4i6yz\n" + + "CZWW2bAtbUtRc/QVsEP+1fMcqU3d6Slw2Ee3MHchZu0Ol13tVGQSWMEa/a4l0d2/\n" + + "8zvMuerhur19AyVfDL1Iua0mxVQnDhcSP6ehRS+uiL1GD0f61E+XOLiMfziPicxJ\n" + + "Rat8Qzf4vuXrEjfw9dUpgIOTEr6CHBkzBkA0dGqYJ9ADQE5qsjhXaONghOHddC/6\n" + + "vJC/gJ5TBZqOkBjON/t+1S0/+fwqBAGrPucSZzpPz9kubNNf1xSu0krDmvOow3dR\n" + + "yW2T8WwN44s5gapmWnbUFU+Vr+508zJo7ZmWOb1clR36CTFEMB8GCSqGSIb3DQEJ\n" + + "FDESHhAAdABlAHMAdABjAGUAcgB0MCEGCSqGSIb3DQEJFTEUBBJUaW1lIDE3Mjc5\n" + + "MjI0NTExMjMwggQhBgkqhkiG9w0BBwagggQSMIIEDgIBADCCBAcGCSqGSIb3DQEH\n" + + "ATBmBgkqhkiG9w0BBQ0wWTA4BgkqhkiG9w0BBQwwKwQUHOKHGaZ2GF/jONcU8T0z\n" + + "l/ffYjECAicQAgEgMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBDsOtP5yKJD\n" + + "Ol4ugduFiI6xgIIDkJnbhnLIGZ4UwFYfFmcHGC4mxaNOXFB7xALCHsYyeOB/29PC\n" + + "3mUhvh+s2KAWGNr/7M+3JRyzGB+Y1zsZWe6A/vEK/OgVFBFBWy0H4N5Z9AH150Nu\n" + + "/IIF7MWqEtCy11KIkplwbPTadZ0nnKrKfs4XrcuhNSFeK4nouLTYqRAmpLOpjsYp\n" + + "WGBZI4JbcprlT5C/0J3OWK7xjjCl0Si/vCy6ndC9F8LzAdkS2LTuvoDG/Qyt86fP\n" + + "wehiEa0p3GF8MMz6aQCNnID1cgRZzmi+hVRiT3HY5SGAR9+d/UiEne+ZcTmKfpOk\n" + + "CdVO/BlGVUimWK6G26jsft1ttWjUlkIk6unENiTeQWDAXLQ48ugVINktazZwsbxU\n" + + "WdRXx+UPnmGQUBSCH0RJvaxLZYvNjUMjT4AyZpE2ZySsxx9qV12r/8hLsTvj4pgb\n" + + "EyPsN92BYBy69ZY6pnCkQQS1HvYNKg38N7YLw8lPH0eDXf1U4JBM8yaoObk6cAn5\n" + + "UojK1zhEQvp/rjuLei6PMfhpYYggD62yrV0otxA3B2FDlNJyN+0FIU3HVAXCfGBD\n" + + "mLB+GK8Vorto/Jl6n89trbHdmAKpqJAg0Y8Fw+Wb37JGKYRxQdBUibxDSqtT06rE\n" + + "ya558u0blvicCvouLv1mpPSuD8o+j1rKnwd7HixXyV1BsjnKeINQqn3DDdzJaZhy\n" + + "qBAQB44E4/MZfwvgq9EsMEKB9AdFucM+WorhLTDxkunPe6cvGlP7j4afBxUGphLd\n" + + "SWebCmw37TMqiqsO2sLDquY6DL9V6gfene95CirITuBCRFkrb7NpRmcH4QopXPfZ\n" + + "CZ+Mcl54kofpOY4OilpmSC23yUmYHJCfEtgee4NQOTyy+nPFj6VTbx8mcLcxKtjc\n" + + "MC7Dpq4tw0ztOoMbXOfEY/1h2zB92rcj+GjCvZ8fLhjzvIVVue8gNmVgDYVP6xtf\n" + + "qL2pQw/IRZoCW01ydqnTPex7rbKgMZltNdeppkjBA3hK7CdVv19iBW+T4Lb0K1JB\n" + + "M7ieGPIa0wh/DzI4e50w4bF53GZOTAVqlnlMxgmmuRsriQ/hJLeke42xgwkZtXMr\n" + + 
"lM3OlC3+nXjiK+JgBMr/3MQC2zQAehnSo1uW9/vpVHXmxMtcGak7efPwoAaeZqZl\n" + + "/+kXiTxXxSzEMlsQVbTWwjB8mLUu4vWnPbiqoRYIM1Q9QcEdnirjVnnOCEciAQGG\n" + + "Y11kdb2ENSHRX5NUOTBNMDEwDQYJYIZIAWUDBAIBBQAEIHhui4/QEqwZWT786fWa\n" + + "OWN+ZcmH2eWmED7W4LHvFpLfBBQyF4zTLMhBt0xov+nGx3UZWE/2xgICJxA="; private static final String KEYSTORE_PEM = "MIIJrwIBAzCCCWgGCSqGSIb3DQEHAaCCCVkEgglVMIIJUTCCBW0GCSqGSIb3DQEH\n" + "AaCCBV4EggVaMIIFVjCCBVIGCyqGSIb3DQEMCgECoIIE+zCCBPcwKQYKKoZIhvcN\n" + @@ -124,6 +187,8 @@ public class ClientExcOnAlert { static final Condition serverReady = lock.newCondition(); public static void main(String[] args) throws Exception { + System.setProperty("javax.net.ssl.trustStore", "keystore.p12"); + System.setProperty("javax.net.ssl.trustStorePassword", KEYSTORE_PASS); Thread serverThread = new Thread(() -> { try { doServerSide(); @@ -134,7 +199,6 @@ public static void main(String[] args) throws Exception { } ); serverThread.start(); - try { doClientSide((args == null || args.length < 1) ? null : args[0]); throw new RuntimeException("Expected SSLException did not occur!"); @@ -143,19 +207,23 @@ public static void main(String[] args) throws Exception { } finally { serverThread.join(); } - } static void doServerSide() throws Exception { Thread.currentThread().setName("ServerThread"); SSLContext sslc = SSLContext.getInstance("TLS"); log("doServerSide start"); - KeyManagerFactory kmf = createKeyManagerFactory(KEYSTORE_PEM, + KeyManagerFactory kmf; + if (!(SecurityUtils.isFIPS())) { + kmf = createKeyManagerFactory(KEYSTORE_PEM, + KEYSTORE_PASS); + } else { + kmf = createKeyManagerFactory(KEYSTORE_PEM_FIPS, KEYSTORE_PASS); + } sslc.init(kmf.getKeyManagers(), null, null); SSLServerSocketFactory ssf = (SSLServerSocketFactory)sslc.getServerSocketFactory(); - try (SSLServerSocket sslServerSocket = (SSLServerSocket)ssf.createServerSocket(0)) { sslServerSocket.setReuseAddress(true); 
@@ -247,4 +315,4 @@ private static void log(String msgFmt, Object ... args) { sb.append(String.format(msgFmt, args)); System.out.println(sb.toString()); } -} +} \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/SSLSocket/keystore.p12 b/test/jdk/javax/net/ssl/SSLSocket/keystore.p12 new file mode 100644 index 00000000000..1ef00155d70 Binary files /dev/null and b/test/jdk/javax/net/ssl/SSLSocket/keystore.p12 differ diff --git a/test/jdk/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java b/test/jdk/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java index bda0710f61e..c62d8bc4190 100644 --- a/test/jdk/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java +++ b/test/jdk/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java @@ -30,6 +30,7 @@ * @test * @bug 8144566 * @summary Custom HostnameVerifier disables SNI extension + * @library /test/lib * @run main/othervm BestEffortOnLazyConnected */ @@ -37,6 +38,9 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class BestEffortOnLazyConnected { /* @@ -171,6 +175,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (SecurityUtils.isFIPS()) { + keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/ServerName/SSLEngineExplorer.java b/test/jdk/javax/net/ssl/ServerName/SSLEngineExplorer.java index 64a62158eee..de9a2eef2dd 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLEngineExplorer.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLEngineExplorer.java 
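Review bot: The `@@ -37,6 +38,9 @@` hunk imports `jdk.test.lib.Utils`, but nothing in this file's changes references `Utils`; only `SecurityUtils.isFIPS()` and `SecurityUtils.revertJKSToPKCS12` are used. The same unused import is added to the other ServerName tests in this patch. Drop the line `import jdk.test.lib.Utils;` and keep just `import jdk.test.lib.security.SecurityUtils;`.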
@@ -31,6 +31,7 @@ * @bug 7068321 8190492 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @library ../SSLEngine ../templates + * @library /test/lib * @build SSLEngineService SSLCapabilities SSLExplorer * @run main/othervm SSLEngineExplorer SSLv2Hello,SSLv3 * @run main/othervm SSLEngineExplorer SSLv3 @@ -46,6 +47,9 @@ import java.nio.channels.*; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class SSLEngineExplorer extends SSLEngineService { /* @@ -220,7 +224,19 @@ void checkCapabilities(SSLCapabilities capabilities, private static String[] supportedProtocols; // supported protocols private static void parseArguments(String[] args) { - supportedProtocols = args[0].split(","); + List supportProtocols = new ArrayList<>(); + for (String supportProtocol : args[0].split(",")) { + System.out.println("the args[0] is: " + supportProtocol); + if (!SecurityUtils.TLS_PROTOCOLS.contains(supportProtocol)) { + continue; + } + System.out.println("SupportProtocol is: " + supportProtocol); + supportProtocols.add(supportProtocol); + } + supportedProtocols = supportProtocols.toArray(new String[0]); + for (String s : supportedProtocols) { + System.out.println("SupportedProtocols is: " + s); + } } @@ -237,7 +253,9 @@ private static void parseArguments(String[] args) { public static void main(String args[]) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } if (debug) System.setProperty("javax.net.debug", "all"); 
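Review bot: `parseArguments` in the `@@ -220,7 +224,19 @@` hunk filters `args[0]` against `SecurityUtils.TLS_PROTOCOLS` regardless of mode, so the `SSLv2Hello,SSLv3` and `SSLv3` `@run` invocations are silently stripped in non-FIPS runs too unless `TLS_PROTOCOLS` lists those legacy names (which I cannot see), even though `main` still clears `jdk.tls.disabledAlgorithms` precisely to allow them. Gate the filter on FIPS like the rest of the patch does: `if (SecurityUtils.isFIPS() && !SecurityUtils.TLS_PROTOCOLS.contains(supportProtocol)) { continue; }`. The three `System.out.println` tracing lines read like leftover debugging; if they stay, a single `System.out.println("Enabled protocols: " + supportProtocols);` after the loop conveys the same information.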
@@ -245,9 +263,35 @@ public static void main(String args[]) throws Exception { /* * Get the customized arguments. */ + System.out.println("args is: " + args); parseArguments(args); - new SSLEngineExplorer(); + try { + new SSLEngineExplorer(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (SecurityUtils.isFIPS()) { + if (supportedProtocols == null || supportedProtocols.length == 0) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + sslhe.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslhe.printStackTrace(); + return; + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } Thread clientThread = null; diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketConsistentSNI.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketConsistentSNI.java index 38d999aa3ef..76a7a457156 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketConsistentSNI.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketConsistentSNI.java @@ -30,6 +30,7 @@ * @test * @bug 7068321 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server + * @library /test/lib * @run main/othervm SSLSocketConsistentSNI */ @@ -40,6 +41,9 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class SSLSocketConsistentSNI { /* 
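Review bot: The try/catch around `new SSLEngineExplorer()` in the `@@ -245,9 +263,35 @@` hunk turns every failure into a pass: the non-FIPS `SSLHandshakeException` branch and the trailing `catch (Exception e)` both print the stack trace and `return`, and the FIPS "Unexpected exception msg" branch returns as well, so the test can no longer fail on a regression. Only the case where FIPS filtered every protocol and the handshake reports "No appropriate protocol ..." is a legitimate pass; everything else should propagate, i.e. replace each `printStackTrace(); return;` pair with `throw sslhe;` (or `throw e;`), and the generic `catch (Exception e)` can go entirely since `main` already declares `throws Exception`. Separately, `System.out.println("args is: " + args)` prints the array identity rather than its contents; use `Arrays.toString(args)` (java.util.Arrays is not visibly imported, so add it if needed).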
@@ -218,6 +222,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (SecurityUtils.isFIPS()) { + keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorer.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorer.java index 3ae2e777810..66091824f5b 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorer.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorer.java @@ -31,6 +31,7 @@ * @bug 7068321 8190492 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @library ../templates + * @library /test/lib * @build SSLCapabilities SSLExplorer * @run main/othervm SSLSocketExplorer SSLv2Hello,SSLv3 * @run main/othervm SSLSocketExplorer SSLv3 @@ -47,6 +48,9 @@ import javax.net.ssl.*; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class SSLSocketExplorer { /* @@ -212,7 +216,14 @@ void checkCapabilities(SSLCapabilities capabilities, private static String[] supportedProtocols; // supported protocols private static void parseArguments(String[] args) { - supportedProtocols = args[0].split(","); + List supportProtocols = new ArrayList<>(); + for (String supportProtocol : args[0].split(",")) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(supportProtocol)) { + continue; + } + supportProtocols.add(supportProtocol); + } + supportedProtocols = supportProtocols.toArray(new String[0]); } 
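Review bot: `parseArguments` in the `@@ -212,7 +216,14 @@` hunk drops any protocol not in `SecurityUtils.TLS_PROTOCOLS` in both FIPS and non-FIPS mode, so the `SSLv2Hello,SSLv3` and `SSLv3` `@run` lines stop exercising those protocols in ordinary runs unless `TLS_PROTOCOLS` happens to contain them, which I cannot see from here. Since `main` only clears `jdk.tls.disabledAlgorithms` when not in FIPS mode, the filter should be gated the same way: `if (SecurityUtils.isFIPS() && !SecurityUtils.TLS_PROTOCOLS.contains(supportProtocol)) { continue; }`. `supportedProtocols` may now be an empty array, which is presumably what later configures the socket outside this hunk; a comment such as `// Under FIPS this may be empty; the handshake is then expected to fail with "No appropriate protocol"` would make that contract explicit.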
@@ -230,7 +241,9 @@ private static void parseArguments(String[] args) { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + @@ -239,6 +252,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (SecurityUtils.isFIPS()) { + keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); @@ -255,7 +273,32 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new SSLSocketExplorer(); + try { + new SSLSocketExplorer(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (SecurityUtils.isFIPS()) { + if (supportedProtocols == null || supportedProtocols.length == 0) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + sslhe.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslhe.printStackTrace(); + return; + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } Thread clientThread = null; 
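Review bot: As in SSLEngineExplorer, the try/catch added around `new SSLSocketExplorer()` in the `@@ -255,7 +273,32 @@` hunk swallows every exception: the non-FIPS `SSLHandshakeException` path, the FIPS "Unexpected exception msg" path and the generic `catch (Exception e)` all end in `return`, so a broken handshake now passes the test. Keep the single expected case (FIPS mode, no usable protocol, message "No appropriate protocol ...") and rethrow everything else with `throw sslhe;` / `throw e;` instead of `printStackTrace(); return;`. The generic `catch (Exception e)` block in particular should be removed outright, since `main` already declares `throws Exception`.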
diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java index 7193fcaf136..de2a268c6c4 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java @@ -31,6 +31,7 @@ * @bug 7068321 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @library ../templates + * @library /test/lib * @build SSLCapabilities SSLExplorer * @run main/othervm SSLSocketExplorerFailure SSLv2Hello,SSLv3 * @run main/othervm SSLSocketExplorerFailure SSLv3 @@ -47,6 +48,9 @@ import javax.net.ssl.*; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class SSLSocketExplorerFailure { /* @@ -233,9 +237,11 @@ private static void parseArguments(String[] args) { volatile Exception clientException = null; public static void main(String[] args) throws Exception { - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - Security.setProperty("jdk.certpath.disabledAlgorithms", ""); - + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + Security.setProperty("jdk.certpath.disabledAlgorithms", ""); + } + String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + keyStoreFile; diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java index 0cea7323b83..f548ee65b32 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java @@ -31,6 +31,7 @@ * @bug 7068321 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @library ../templates + * @library /test/lib * @build SSLCapabilities SSLExplorer * @run main/othervm SSLSocketExplorerMatchedSNI www.example.com * www\.example\.com 
@@ -51,6 +52,9 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class SSLSocketExplorerMatchedSNI { /* @@ -291,6 +295,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (SecurityUtils.isFIPS()) { + keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java index 8451b44f0bf..d6ca5505e32 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java @@ -31,6 +31,7 @@ * @bug 7068321 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @library ../templates + * @library /test/lib * @build SSLCapabilities SSLExplorer * @run main/othervm SSLSocketExplorerWithCliSNI */ @@ -42,6 +43,9 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class SSLSocketExplorerWithCliSNI { /* @@ -268,6 +272,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (SecurityUtils.isFIPS()) { + keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); 
diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java index 8b891e804e4..1ba3089af44 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java @@ -31,6 +31,7 @@ * @bug 7068321 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @library ../templates + * @library /test/lib * @build SSLCapabilities SSLExplorer * @run main/othervm SSLSocketExplorerWithSrvSNI */ @@ -42,6 +43,9 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class SSLSocketExplorerWithSrvSNI { /* @@ -251,6 +255,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (SecurityUtils.isFIPS()) { + keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java index 45593b9129e..c52959b68ed 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java @@ -29,6 +29,7 @@ /* * @test * @bug 7068321 + * @library /test/lib * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @run main/othervm SSLSocketSNISensitive PKIX www.example.com * @run main/othervm SSLSocketSNISensitive SunX509 www.example.com 
@@ -52,6 +53,11 @@ import java.security.interfaces.*; import java.util.Base64; +import java.io.ByteArrayInputStream; + +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + // Note: this test case works only on TLS 1.2 and prior versions because of // the use of MD5withRSA signed certificate. public class SSLSocketSNISensitive { @@ -247,6 +253,8 @@ public class SSLSocketSNISensitive { */ static boolean debug = false; + static String[] signatureAlgos = new String[5]; + /* * Define the server side of the test. * @@ -432,10 +440,12 @@ private static SSLContext generateSSLContext(boolean isClient) public static void main(String[] args) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. - Security.setProperty("jdk.certpath.disabledAlgorithms", - "MD2, RSA keySize < 1024"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "SSLv3, RC4, DH keySize < 768"); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", + "MD2, RSA keySize < 1024"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "SSLv3, RC4, DH keySize < 768"); + } if (debug) System.setProperty("javax.net.debug", "all"); 
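Review bot: The `@@ -247,6 +253,8 @@` hunk adds `static String[] signatureAlgos = new String[5];`, but no visible change reads or writes it, and the length 5 is an unexplained magic number; either remove the field or document what the five slots are meant to hold. Likewise the `@@ -52,6 +53,11 @@` hunk imports `java.io.ByteArrayInputStream` and `jdk.test.lib.Utils` although neither is used by the visible changes; drop the unused imports. The `@@ -432,10 +440,12 @@` gating is fine, but a comment on the FIPS branch such as `// Under FIPS the profile's disabled-algorithm lists are authoritative and must not be overridden` would explain why the MD5-specific relaxation is skipped.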
@@ -448,7 +458,36 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new SSLSocketSNISensitive(); + try { + new SSLSocketSNISensitive(); + } catch (Exception e) { + if (SecurityUtils.isFIPS()) { + // for (int i=0; i is caught."); + // return; + // } + // } + if (e instanceof javax.net.ssl.SSLHandshakeException) { + if ("no cipher suites in common".equals(e.getMessage())) { + System.out.println("Expected exception msg: is caught."); + return; + } else { + System.out.println("Unexpected exception msg: <" + e.getMessage() + "> is caught."); + return; + } + } else { + System.out.println("Unexpected exception msg is caught."); + return; + } + } else { + System.out.println("failure is not in FIPS mode."); + e.printStackTrace(); + return; + } + } } Thread clientThread = null; diff --git a/test/jdk/javax/net/ssl/TLS/CipherTestUtils.java b/test/jdk/javax/net/ssl/TLS/CipherTestUtils.java index 38b0d871c1c..139a8d66f52 100644 --- a/test/jdk/javax/net/ssl/TLS/CipherTestUtils.java +++ b/test/jdk/javax/net/ssl/TLS/CipherTestUtils.java @@ -72,7 +72,7 @@ public class CipherTestUtils { public static final SecureRandom secureRandom = new SecureRandom(); public static char[] PASSWORD = "passphrase".toCharArray(); private static final List TESTS = new ArrayList<>(3); - private static final List EXCEPTIONS + public static final List EXCEPTIONS = Collections.synchronizedList(new ArrayList<>(1)); private static final String CLIENT_PUBLIC_KEY diff --git a/test/jdk/javax/net/ssl/TLS/TestJSSE.java b/test/jdk/javax/net/ssl/TLS/TestJSSE.java index 29631064011..69e487d14c4 100644 --- a/test/jdk/javax/net/ssl/TLS/TestJSSE.java +++ b/test/jdk/javax/net/ssl/TLS/TestJSSE.java 
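Review bot: The catch block added in the `@@ -448,7 +458,36 @@` hunk never rethrows: in non-FIPS mode it prints "failure is not in FIPS mode." and returns, and in FIPS mode an unexpected message or a non-handshake exception also returns, so the only way this test can fail now is via an uncaught `Error`. Restrict the pass to the one expected case — FIPS mode, `SSLHandshakeException`, message "no cipher suites in common" — and end the block with `throw e;` so every other exception still fails the run. The hunk also carries a commented-out `for` loop (its text is mangled in this view) that should be deleted rather than left in. A one-line comment explaining why this test's expected FIPS message differs from the "No appropriate protocol ..." text the other tests in this patch look for would help (presumably the MD5withRSA certificate is rejected at cipher-suite selection rather than at protocol selection — TODO confirm).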
@@ -21,6 +21,14 @@ * questions. */ +import java.lang.reflect.Field; + +import java.util.List; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Map; +import java.util.HashMap; + import java.net.InetAddress; import java.security.Provider; import java.security.Security; @@ -28,14 +36,38 @@ public class TestJSSE { private static final String LOCAL_IP = InetAddress.getLoopbackAddress().getHostAddress(); + private static boolean isFIPS = Boolean.parseBoolean(System.getProperty("semeru.fips")); + private static final Map TLS_CIPHERSUITES = new HashMap<>(); + + private static String checkIfProtocolIsUsedInCommonFIPS(String srvProtocol, String clnProtocol) { + String protocolUsedInHandShake; + List srvProtocols = Arrays.asList(srvProtocol.split(",")); + List clnProtocols; + if (clnProtocol.equals("DEFAULT")) { + if (srvProtocols.contains("TLSv1.3")) { + protocolUsedInHandShake = "TLSv1.3"; + } else if (srvProtocols.contains("TLSv1.2")) { + protocolUsedInHandShake = "TLSv1.2"; + } else { + protocolUsedInHandShake = null; + } + } else { + clnProtocols = Arrays.asList(clnProtocol.split(",")); + if (srvProtocols.contains("TLSv1.3") && clnProtocols.contains("TLSv1.3")) { + protocolUsedInHandShake = "TLSv1.3"; + } else if (srvProtocols.contains("TLSv1.2") && clnProtocols.contains("TLSv1.2")) { + protocolUsedInHandShake = "TLSv1.2"; + } else { + protocolUsedInHandShake = null; + } + } + return protocolUsedInHandShake; + } public static void main(String... args) throws Exception { - // reset the security property to make sure that the algorithms - // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); // enable debug output - System.setProperty("javax.net.debug", "ssl,record"); + // System.setProperty("javax.net.debug", "ssl,record"); String srvProtocol = System.getProperty("SERVER_PROTOCOL"); String clnProtocol = System.getProperty("CLIENT_PROTOCOL"); 
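Review bot: `java.lang.reflect.Field` is imported in the `@@ -21,6 +21,14 @@` hunk but nothing in the visible changes to TestJSSE uses reflection; remove `import java.lang.reflect.Field;`. The `java.util` imports are needed by the new map and list code, so those stay.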
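Review bot: In the `@@ -28,14 +36,38 @@` hunk `isFIPS` is derived directly from `Boolean.parseBoolean(System.getProperty("semeru.fips"))` while every other test in this patch calls `SecurityUtils.isFIPS()`; if the two ever disagree (property name or default) this test will diverge silently, so prefer the shared helper or, if `/test/lib` is deliberately not a dependency here, add a comment saying so. The `javax.net.debug` line was commented out rather than removed, which also silences the diagnostic output the test previously produced in non-FIPS runs; either delete the line or leave it active. `checkIfProtocolIsUsedInCommonFIPS` deserves a short Javadoc stating that it returns the highest of TLSv1.3/TLSv1.2 common to both sides, or `null` when neither is, since the `"DEFAULT"` client case is not obvious from the name.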
@@ -43,13 +75,50 @@ public static void main(String... args) throws Exception { if (srvProtocol == null || clnProtocol == null || cipher == null) { throw new IllegalArgumentException("Incorrect parameters"); } + if (System.getProperty("jdk.tls.client.protocols") != null) { + clnProtocol = System.getProperty("jdk.tls.client.protocols"); + } System.out.println("ServerProtocol = " + srvProtocol); System.out.println("ClientProtocol = " + clnProtocol); System.out.println("Cipher = " + cipher); + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + String protocolUsedInHandShake = null; + if (!(isFIPS)) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } else { + TLS_CIPHERSUITES.put("TLS_AES_128_GCM_SHA256", "TLSv1.3"); + TLS_CIPHERSUITES.put("TLS_AES_256_GCM_SHA384", "TLSv1.3"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + protocolUsedInHandShake = checkIfProtocolIsUsedInCommonFIPS(srvProtocol, clnProtocol); + } + try (CipherTestUtils.Server srv = server(srvProtocol, cipher, args)) { client(srv.getPort(), clnProtocol, cipher, args); + } catch (Exception e) { + if (isFIPS) { + if (protocolUsedInHandShake == null || !TLS_CIPHERSUITES.containsKey(cipher) + || (protocolUsedInHandShake != null && !TLS_CIPHERSUITES.get(cipher).equals(protocolUsedInHandShake))) { + if (CipherTestUtils.EXCEPTIONS.get(0) instanceof 
javax.net.ssl.SSLHandshakeException) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(CipherTestUtils.EXCEPTIONS.get(0).getMessage())) { + if (args.length >= 1 && args[0].equals("javax.net.ssl.SSLHandshakeException")) { + System.out.println("Expected exception msg from client: is caught"); + } else { + System.out.println("Expected exception msg from client: is caught"); + } + } + } + } + } } } diff --git a/test/jdk/javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java b/test/jdk/javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java index 5c632f529ab..e76f2b9f0cf 100644 --- a/test/jdk/javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java +++ b/test/jdk/javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java @@ -45,9 +45,13 @@ import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManagerFactory; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /* * @test * @bug 8208496 + * @library /test/lib * @summary Test to verify concurrent behavior of TLS. * @run main/othervm ConcurrentClientAccessTest */ 
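Review bot: The `catch (Exception e)` added in the `@@ -43,13 +75,50 @@` hunk (which begins on the previous line) has no rethrow on any path, so in non-FIPS mode, or in FIPS mode with a supported cipher/protocol pair, a failed handshake is reported nowhere and the test passes; the nested `if`s only decide whether to print a message. It also reads `CipherTestUtils.EXCEPTIONS.get(0)` without checking the list is non-empty, which would surface as an `IndexOutOfBoundsException` hiding the real cause, and both branches of the `args[0].equals("javax.net.ssl.SSLHandshakeException")` test print the identical string. I would collapse the block so that the single expected FIPS outcome returns and everything else propagates; `EXCEPTIONS` is declared without a visible element type in this view, so the cast below assumes it holds throwables.
```java
        try (CipherTestUtils.Server srv = server(srvProtocol, cipher, args)) {
            client(srv.getPort(), clnProtocol, cipher, args);
        } catch (Exception e) {
            // Under FIPS a cipher/protocol pair outside the approved set is
            // expected to be rejected at handshake; anything else is a real failure.
            boolean expectedFipsReject = isFIPS
                    && (protocolUsedInHandShake == null
                        || !TLS_CIPHERSUITES.containsKey(cipher)
                        || !TLS_CIPHERSUITES.get(cipher).equals(protocolUsedInHandShake));
            Throwable first = CipherTestUtils.EXCEPTIONS.isEmpty()
                    ? e : (Throwable) CipherTestUtils.EXCEPTIONS.get(0);
            if (expectedFipsReject
                    && first instanceof javax.net.ssl.SSLHandshakeException
                    && "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
                        .equals(first.getMessage())) {
                System.out.println("Expected exception msg from client: is caught");
                return;
            }
            throw e;
        }
```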
@@ -56,46 +60,92 @@ public class ConcurrentClientAccessTest { private static final int THREADS = 50; public static void main(String[] args) throws Exception { - - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - for (String tlsProtocol : new String[]{"TLSv1.3", "TLSv1.2", - "TLSv1.1", "TLSv1"}) { - System.out.printf("Protocol: %s%n", tlsProtocol); - CountDownLatch tillServerReady = new CountDownLatch(1); - Server server = new Server(tlsProtocol, tillServerReady); - server.start(); - - // Wait till server is ready to accept connection. - tillServerReady.await(); - CountDownLatch tillClientComplete = new CountDownLatch(THREADS); - ExecutorService executor = null; - try { - executor = newExecutorService(); - // Run 50 TLS clients for concurrent access to TLS Port. - for (int count = 1; count <= THREADS; count++) { - Client client = new Client(tlsProtocol, server.port, - tillClientComplete); - executor.execute(client); - // If Client has any Exception indicates problem - if (client.exception != null) { - throw new RuntimeException(client.exception); + String[] protocols = new String[]{"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"}; + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } + // else { + // protocols = new String[]{"TLSv1.3", "TLSv1.2"}; + // } + for (String tlsProtocol : protocols) { + Server server = null; + try{ + System.out.printf("Protocol: %s%n", tlsProtocol); + CountDownLatch tillServerReady = new CountDownLatch(1); + server = new Server(tlsProtocol, tillServerReady); + server.start(); + + // Wait till server is ready to accept connection. + tillServerReady.await(); + CountDownLatch tillClientComplete = new CountDownLatch(THREADS); + ExecutorService executor = null; + try { + executor = newExecutorService(); + // Run 50 TLS clients for concurrent access to TLS Port. 
+ for (int count = 1; count <= THREADS; count++) { + Client client = null; + try { + client = new Client(tlsProtocol, server.port, + tillClientComplete); + executor.execute(client); + // If Client has any Exception indicates problem + if (client.exception != null) { + throw new RuntimeException(client.exception); + } + } catch (java.lang.RuntimeException re) { + if (client.exception != null) { + if (client.exception instanceof javax.net.ssl.SSLHandshakeException) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(client.exception.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + client.exception.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + client.exception.printStackTrace(); + return; + } + } + } + } + // Wait till all client thread complete execution + tillClientComplete.await(); + System.out.println("All client processed successfully."); + } finally { + if (executor != null) { + executor.shutdown(); } + // Fail Safe: Shutdown the server + server.stopServer(); } - // Wait till all client thread complete execution - tillClientComplete.await(); - System.out.println("All client processed successfully."); - } finally { - if (executor != null) { - executor.shutdown(); + // If Sever has any Exception indicates problem + if (server.exception != null) { + throw new RuntimeException(server.exception); + } + System.out.println(); + } catch (java.lang.RuntimeException re) { + if (SecurityUtils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(tlsProtocol)) { + if (server.exception != null) { + if (server.exception instanceof javax.net.ssl.SSLHandshakeException) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(server.exception.getMessage())) { + System.out.println("Expected exception msg: is caught"); + 
return; + } else { + System.out.println("Unexpected exception msg: <" + server.exception.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + server.exception.printStackTrace(); + return; + } + } + } } - // Fail Safe: Shutdown the server - server.stopServer(); - } - // If Sever has any Exception indicates problem - if (server.exception != null) { - throw new RuntimeException(server.exception); } - System.out.println(); } } diff --git a/test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java b/test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java index dce28edadf2..51eb6b729d3 100644 --- a/test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java +++ b/test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java @@ -180,7 +180,7 @@ public enum HandshakeMode { private static final String SERVER_NAME = "service.localhost"; private static final String SNI_PATTERN = ".*"; - private static final String[] TLS13_CIPHERS = { + private static String[] TLS13_CIPHERS = { "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256" @@ -188,7 +188,15 @@ public enum HandshakeMode { private static final String[] SUPPORTED_NON_KRB_CIPHERS; + private static final boolean ISFIPS = Boolean.parseBoolean(System.getProperty("semeru.fips")); + static { + if (ISFIPS) { + TLS13_CIPHERS = new String[] { + "TLS_AES_256_GCM_SHA384", + "TLS_AES_128_GCM_SHA256" + }; + } try { String[] allSupportedCiphers = getContext() .createSSLEngine().getSupportedCipherSuites(); 
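Review bot: The outer `catch (java.lang.RuntimeException re)` added to `main` (hunk `@@ -56,46 +60,92 @@`, which starts two lines earlier) never rethrows, so in non-FIPS mode — or in FIPS mode for a protocol that is in `TLS_PROTOCOLS` — a server failure is swallowed and the test passes; add `throw re;` after the nested `if` chain so only the recognised FIPS case is accepted. Inside that accepted case the `return` ends `main` after the first disabled protocol, so with the list `TLSv1.3, TLSv1.2, TLSv1.1, TLSv1` the `TLSv1` iteration never runs; `continue;` keeps the loop going. The per-client `catch` has the same accept-anything shape without even checking `isFIPS()`, and it dereferences `client` although that is `null` if the `Client` constructor itself threw. The commented-out `// else { protocols = ...; }` block should be removed rather than kept as dead text.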
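Review bot: `TLS13_CIPHERS` loses its `final` in the `@@ -180,7 +180,7 @@` hunk only so the new static block in `@@ -188,7 +188,15 @@` can reassign it, and correctness then depends on the field initializer of `ISFIPS` (declared after the array) having run before the block, which holds today but is easy to break by reordering. Declaring `ISFIPS` first and initialising the array once, `private static final String[] TLS13_CIPHERS = ISFIPS ? new String[] {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"} : new String[] {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"};`, keeps it immutable and removes the ordering dependency. A comment on why ChaCha20-Poly1305 is excluded (presumably not an approved algorithm in this FIPS profile — confirm) would help the next reader.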
@@ -796,10 +804,12 @@ public static void checkResult(SSLEngineResult r, */ public static SSLContext getContext() { try { - java.security.Security.setProperty( - "jdk.tls.disabledAlgorithms", ""); - java.security.Security.setProperty( - "jdk.certpath.disabledAlgorithms", ""); + if (!(ISFIPS)) { + java.security.Security.setProperty( + "jdk.tls.disabledAlgorithms", ""); + java.security.Security.setProperty( + "jdk.certpath.disabledAlgorithms", ""); + } KeyStore ks = KeyStore.getInstance("JKS"); KeyStore ts = KeyStore.getInstance("JKS"); char[] passphrase = PASSWD.toCharArray(); @@ -848,7 +858,7 @@ public static void setUpAndStartKDC() { * SSLEngineTestCase.TEST_MODE is "krb". */ public static void setUpAndStartKDCIfNeeded() { - if (TEST_MODE.equals("krb")) { + if (TEST_MODE.equals("krb") && !ISFIPS) { setUpAndStartKDC(); } } diff --git a/test/jdk/javax/net/ssl/TLSCommon/TLSTest.java b/test/jdk/javax/net/ssl/TLSCommon/TLSTest.java index 7d83b287ad1..05dac2d8d96 100644 --- a/test/jdk/javax/net/ssl/TLSCommon/TLSTest.java +++ b/test/jdk/javax/net/ssl/TLSCommon/TLSTest.java @@ -52,9 +52,13 @@ import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManagerFactory; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /* * @test * @bug 8205111 + * @library /test/lib * @summary Test TLS with different types of supported keys. * @run main/othervm -Djavax.net.debug=ssl,handshake TLSTest TLSv1.3 rsa_pkcs1_sha1 TLS_AES_128_GCM_SHA256 * @run main/othervm 
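Review bot: `getContext` in the `@@ -796,10 +804,12 @@` hunk now skips clearing the disabled-algorithm properties under FIPS but still loads both stores with `KeyStore.getInstance("JKS")`, whereas the other tests in this patch convert their JKS stores to PKCS12 via `SecurityUtils.revertJKSToPKCS12` before use in FIPS mode. If the FIPS configuration does not provide a JKS `KeyStore` implementation (I cannot confirm from here), every test built on this base class will fail at store loading rather than at the handshake the FIPS branches expect. Either apply the same PKCS12 conversion under `ISFIPS`, or add a comment such as `// JKS remains available under this FIPS profile; only TLS algorithm restrictions apply` so the difference from the sibling tests is deliberate.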
@@ -158,16 +162,81 @@ public static void main(String[] args) throws Exception { final String tlsProtocol = args[0]; final KeyType keyType = KeyType.valueOf(args[1]); final String cipher = args[2]; - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } + CountDownLatch serverReady = new CountDownLatch(1); Server server = new Server(tlsProtocol, keyType, cipher, serverReady); server.start(); // Wait till server is ready to accept connection. serverReady.await(); - new Client(tlsProtocol, keyType, cipher, server.port).doClientSide(); + try { + new Client(tlsProtocol, keyType, cipher, server.port).doClientSide(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (SecurityUtils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(tlsProtocol)) { + System.out.println(tlsProtocol + " is not available from Client side."); + } + if (!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipher)) { + System.out.println(cipher + " is not available from Client side."); + } else if (!SecurityUtils.TLS_CIPHERSUITES.get(cipher).equals(tlsProtocol)) { + System.out.println(cipher + " does not match " + tlsProtocol + " from Client side."); + } + if (args[1].contains("sha1")) { + System.out.println("FIPS140-3 does not support SHA1 from Client side."); + } + if ("No available authentication scheme".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught from Client side"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught from Client side"); + return; + } + } else { + sslhe.printStackTrace(); + return; + } + } catch (java.lang.ExceptionInInitializerError eiie) { + Throwable cause = eiie.getCause(); + if (cause instanceof java.lang.IllegalArgumentException) { + if (SecurityUtils.isFIPS() + && ("System property jdk.tls.namedGroups(" + System.getProperty("jdk.tls.namedGroups") + ") contains no 
supported named groups").equals(cause.getMessage())) { + System.out.println("Expected msg is caught from Client side."); + return; + } + } + } if (server.serverExc != null) { - throw new RuntimeException(server.serverExc); + if (SecurityUtils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(tlsProtocol)) { + System.out.println(tlsProtocol + " is not available from Server side."); + } + if (!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipher)) { + System.out.println(cipher + " is not available from Server side."); + } else if (!SecurityUtils.TLS_CIPHERSUITES.get(cipher).equals(tlsProtocol)) { + System.out.println(cipher + " does not match " + tlsProtocol + " from Server side."); + } + if (args[1].contains("sha1")) { + System.out.println("FIPS140-3 does not support SHA1 from Server side."); + } + if (server.serverExc instanceof javax.net.ssl.SSLHandshakeException) { + if ("No available authentication scheme".equals(server.serverExc.getMessage())) { + System.out.println("Expected exception msg: is caught from Server side"); + return; + } else { + System.out.println("Unexpected exception msg: <" + server.serverExc.getMessage() + "> is caught from Server side"); + return; + } + } else { + System.out.println("Unexpected exception is caught from Server side"); + server.serverExc.printStackTrace(); + return; + } + } else { + throw new RuntimeException(server.serverExc); + } } } diff --git a/test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java b/test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java index 3fabc5bd73c..2f3608ebc4b 100644 --- a/test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java +++ b/test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java @@ -47,6 +47,7 @@ import java.security.KeyFactory; import java.security.KeyStore; import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; import java.security.Principal; import java.security.PrivateKey; import java.security.PublicKey; 
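Review bot: The new handling in `TLSTest.main` (hunk `@@ -158,16 +162,81 @@`, which begins on the previous line) swallows failures in three places: the non-FIPS `SSLHandshakeException` branch does `sslhe.printStackTrace(); return;`, the FIPS "Unexpected exception msg" branches return normally, and `catch (java.lang.ExceptionInInitializerError eiie)` falls through silently whenever the cause or message does not match, after which `main` continues as if the client had succeeded. Each of these should propagate instead: `throw sslhe;` in the non-FIPS and unexpected-message branches, and `throw eiie;` as the last statement of the `ExceptionInInitializerError` catch. The informational lines explaining why a FIPS rejection is expected (protocol, cipher, SHA-1) are useful; a short comment above the block noting that only `"No available authentication scheme"` is accepted as the expected FIPS outcome would make the intent explicit.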
@@ -71,6 +72,7 @@ import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509ExtendedKeyManager; import javax.net.ssl.X509KeyManager; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; public class TLSWithEdDSA extends SSLSocketTemplate { @@ -81,7 +83,7 @@ public class TLSWithEdDSA extends SSLSocketTemplate { private static final String DEF_ALL_EE = "EE_ECDSA_SECP256R1:" + "EE_ECDSA_SECP384R1:EE_ECDSA_SECP521R1:EE_RSA_2048:" + "EE_EC_RSA_SECP256R1:EE_DSA_2048:EE_DSA_1024:EE_ED25519:EE_ED448"; - private static final List TEST_PROTOS = List.of( + private static List TEST_PROTOS = List.of( "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"); private static CertificateFactory certFac; @@ -342,7 +344,7 @@ private static KeyStore createTrustStore(String certEnumNames) * the private key or certificate entries. */ private static KeyStore createKeyStore(String certEnumNames, char[] pass) - throws GeneralSecurityException { + throws GeneralSecurityException, NoSuchAlgorithmException { KeyStore.Builder keyStoreBuilder = KeyStore.Builder.newInstance("PKCS12", null, new KeyStore.PasswordProtection(pass)); @@ -393,7 +395,7 @@ private static X509Certificate pem2Cert(String certPem) * @throws GeneralSecurityException if any decoding errors occur. */ private static PrivateKey pem2PrivKey(String keyPem, String keyAlg) - throws GeneralSecurityException { + throws GeneralSecurityException, NoSuchAlgorithmException { PKCS8EncodedKeySpec p8Spec = new PKCS8EncodedKeySpec( Base64.getMimeDecoder().decode(keyPem)); KeyFactory keyFac = KeyFactory.getInstance(keyAlg); 
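Review bot: The `@@ -71` hunk adds `import jdk.test.lib.Utils;`, but nothing in the visible hunks of this file references `Utils`; the same import is added to most files in this patch with no visible use, so it will show up as an unused import everywhere. Keep only `import jdk.test.lib.security.SecurityUtils;` unless a later hunk actually uses `Utils`.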
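Review bot: Dropping `final` from `TEST_PROTOS` in the `@@ -81` hunk has no visible justification: the only reassignment is the commented-out block in `runtest` further down, so the change just leaves a mutable static `List` exposed. Either restore `private static final List TEST_PROTOS = List.of(` or commit the FIPS-specific reassignment it was meant to enable. Separately, the `NoSuchAlgorithmException` added to the `throws` clauses of `createKeyStore` and `pem2PrivKey` is redundant, since it is a subclass of the `GeneralSecurityException` already declared there.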
@@ -556,13 +558,24 @@ protected void runClientApplication(SSLSocket socket) throws Exception { } public static void main(String[] args) throws Exception { - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLSv1"); + if (!(SecurityUtils.isFIPS())) { + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLSv1"); + } certFac = CertificateFactory.getInstance("X.509"); String testFormat; System.out.println("===== Test KeyManager alias retrieval ====="); - testKeyManager(DEF_ALL_EE, "EdDSA", - new String[] {"ee_ed25519", "ee_ed448"}); + try { + testKeyManager(DEF_ALL_EE, "EdDSA", + new String[] {"ee_ed25519", "ee_ed448"}); + } catch (NoSuchAlgorithmException nsae) { + if (SecurityUtils.isFIPS()) { + if ("EdDSA KeyFactory not available".equals(nsae.getMessage())){ + System.out.println("Expected exception msg: is caught."); + return; + } + } + } testFormat = "===== Basic Ed25519 Server-side Authentication: %s =====\n"; @@ -593,7 +606,7 @@ public static void main(String[] args) throws Exception { private static void testKeyManager(String keyStoreSpec, String keyType, String[] expAliases) - throws GeneralSecurityException, IOException { + throws GeneralSecurityException, NoSuchAlgorithmException, IOException { char[] passChar = PASSWD.toCharArray(); // Create the KeyManager factory and resulting KeyManager @@ -626,6 +639,10 @@ private static void testKeyManager(String keyStoreSpec, String keyType, private static void runtest(String testNameFmt, SessionChecker cliChk, Class cliExpExc, SessionChecker servChk, Class servExpExc) { + // if (!(SecurityUtils.isFIPS())) { + // TEST_PROTOS = List.of( + // "TLSv1.3", "TLSv1.2"); + // } TEST_PROTOS.forEach(protocol -> { clientParameters.put(ParamType.PROTOS, protocol); TLSWithEdDSA testObj = new TLSWithEdDSA(cliChk, cliExpExc, servChk, diff --git a/test/jdk/javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java b/test/jdk/javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java index 9daae683cc9..213b8920692 100644 
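Review bot: The new `catch (NoSuchAlgorithmException nsae)` around `testKeyManager` swallows the exception whenever the mode is not FIPS or the message is not "EdDSA KeyFactory not available": control falls out of the catch and the remaining tests run as if the KeyManager check had passed. Add `throw nsae;` as the last statement of the catch so only the recognised FIPS case returns early. The commented-out `TEST_PROTOS` reassignment added to `runtest` in the last hunk should be finished or deleted rather than committed as dead code. main continues outside the hunk.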
--- a/test/jdk/javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java +++ b/test/jdk/javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java 
@@ -44,35 +44,63 @@ import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManagerFactory; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /* * @test * @bug 8206355 8225438 + * @library /test/lib * @summary Test principal that was sent to the peer during handshake. * @run main/othervm TestSessionLocalPrincipal */ public class TestSessionLocalPrincipal { public static void main(String[] args) throws Exception { - - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - for (String tlsProtocol : new String[]{ - "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"}) { + String[] protocols = new String[]{"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"}; + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } + for (String tlsProtocol : protocols) { for (boolean clientAuth : new boolean[]{true, false}) { - System.out.printf("Protocol %s: Client side auth enabled: %s%n", - tlsProtocol, clientAuth); - CountDownLatch serverReady = new CountDownLatch(1); - Server server = new Server(tlsProtocol, clientAuth, - serverReady); - server.start(); - - // Wait till server is ready to accept connection. - serverReady.await(); - new Client(tlsProtocol, clientAuth, server.port).doClientSide(); - if (server.serverExc != null) { - throw new RuntimeException(server.serverExc); + Server server = null; + try { + System.out.printf("Protocol %s: Client side auth enabled: %s%n", + tlsProtocol, clientAuth); + CountDownLatch serverReady = new CountDownLatch(1); + server = new Server(tlsProtocol, clientAuth, + serverReady); + server.start(); + + // Wait till server is ready to accept connection. 
+ serverReady.await(); + new Client(tlsProtocol, clientAuth, server.port).doClientSide(); + if (server.serverExc != null) { + throw new RuntimeException(server.serverExc); + } + } catch (java.lang.RuntimeException re) { + if (SecurityUtils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(tlsProtocol)) { + if (server.serverExc != null) { + if (server.serverExc instanceof javax.net.ssl.SSLHandshakeException) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(server.serverExc.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + server.serverExc.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + server.serverExc.printStackTrace(); + return; + } + } + } + } } } - } + } } public static class Server implements Runnable { diff --git a/test/jdk/javax/net/ssl/TLSTest_java.security b/test/jdk/javax/net/ssl/TLSTest_java.security new file mode 100644 index 00000000000..644416725cf --- /dev/null +++ b/test/jdk/javax/net/ssl/TLSTest_java.security 
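Review bot: The new `catch (java.lang.RuntimeException re)` discards the failure on every path except the one FIPS-disabled-protocol case: when not in FIPS, when the protocol is in `TLS_PROTOCOLS`, or when `serverExc` is null, nothing is rethrown and the loop just moves on, so the test can no longer fail. The expected FIPS case also uses `return`, which abandons the remaining protocol and clientAuth combinations instead of skipping only this one, and `server` is dereferenced although it is only assigned inside the `try`. I would collapse the nested ifs into a single guard that `continue`s for the expected case and rethrows everything else.
```java
} catch (RuntimeException re) {
    // Under FIPS a protocol outside the profile is expected to fail the
    // handshake; any other failure is a real test failure.
    if (SecurityUtils.isFIPS()
            && !SecurityUtils.TLS_PROTOCOLS.contains(tlsProtocol)
            && server != null
            && server.serverExc instanceof javax.net.ssl.SSLHandshakeException
            && "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
                    .equals(server.serverExc.getMessage())) {
        System.out.println("Expected exception msg: is caught");
        continue;
    }
    throw re;
}
```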
@@ -0,0 +1,32 @@ +# Test-TLS-JKS Restricted Security mode profile for FIPS 140-3. This profile is a test profile that extends +# OpenJCEPlusFIPS.FIPS140-3. This profile also includes non-cryptographic algorithms and common configuration +# options such as, JKS from SUN. +# +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS-JKS.desc.name = Test-TLS OpenJCEPlusFIPS Cryptographic Module FIPS 140-3 +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS-JKS.desc.default = false +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS-JKS.extends = RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3 + +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS-JKS.jce.provider.2 = sun.security.provider.Sun [+ \ + {KeyStore, JKS, *}, \ + {MessageDigest, SHA-1, *}] + +# Test-TLS-PKCS12 Restricted Security mode profile for FIPS 140-3. This profile is a test profile that extends +# OpenJCEPlusFIPS.FIPS140-3. This profile also includes non-cryptographic algorithms and common configuration +# options such as, PKCS12 from SUN and PBE related services from SunJCE. +# +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS-PKCS12.desc.name = Test-TLS OpenJCEPlusFIPS Cryptographic Module FIPS 140-3 +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS-PKCS12.desc.default = false +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS-PKCS12.extends = RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3 + +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS-PKCS12.jce.provider.2 = sun.security.provider.Sun [+ \ + {KeyStore, JKS, *}, \ + {MessageDigest, SHA-1, *}, \ + {KeyStore, PKCS12, *}] + +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS-PKCS12.jce.provider.4 = com.sun.crypto.provider.SunJCE [{AlgorithmParameters, PBES2, *}, \ + {AlgorithmParameters, PBEWithHmacSHA256AndAES_256, *}, \ + {AlgorithmParameters, PBEWithMD5AndDES, *}, \ + {SecretKeyFactory, PBEWithMD5AndDES, *}, \ + {Cipher, PBEWithHmacSHA256AndAES_256, *}, \ + {Mac, HmacSHA1, *},\ + {Mac, HmacPBESHA256, *}] 
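Review bot: The header comments call the additions "non-cryptographic algorithms", but the Test-TLS-PKCS12 profile enables `PBEWithMD5AndDES` (AlgorithmParameters and SecretKeyFactory), `SHA-1` and `HmacSHA1` from the Sun/SunJCE providers inside a profile that `extends` the FIPS 140-3 one; those are non-approved cryptographic algorithms, presumably needed only to open legacy test keystores. Say so explicitly next to the entries, e.g. `# NOTE: MD5/DES PBE, SHA-1 and HmacSHA1 are not FIPS-approved; enabled here only so legacy test keystores can be read. Never copy these entries into a production profile.` Both profiles also carry the identical `desc.name` "Test-TLS OpenJCEPlusFIPS Cryptographic Module FIPS 140-3", so they cannot be told apart from their descriptions; give the PKCS12 profile a distinct name.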
diff --git a/test/jdk/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java b/test/jdk/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java index f6ba0c1ca64..7513f7583a7 100644 --- a/test/jdk/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java +++ b/test/jdk/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java @@ -30,6 +30,7 @@ * @test * @bug 4873188 * @summary Support TLS 1.1 + * @library /test/lib * @run main/othervm EmptyCertificateAuthorities * @modules java.security.jgss * java.security.jgss/sun.security.jgss.krb5 @@ -60,6 +61,9 @@ import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class EmptyCertificateAuthorities { /* @@ -248,10 +252,12 @@ private void initialize() throws CertificateException { public static void main(String[] args) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. - Security.setProperty("jdk.certpath.disabledAlgorithms", - "MD2, RSA keySize < 1024"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "SSLv3, RC4, DH keySize < 768"); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", + "MD2, RSA keySize < 1024"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "SSLv3, RC4, DH keySize < 768"); + } String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + @@ -271,7 +277,19 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new EmptyCertificateAuthorities(); + try { + new EmptyCertificateAuthorities(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (SecurityUtils.isFIPS()) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } Thread clientThread = null; 
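Review bot: The try/catch wrapped around `new EmptyCertificateAuthorities()` makes the test unable to fail: `catch (Exception e) { e.printStackTrace(); return; }` swallows every exception in both modes, and under FIPS an SSLHandshakeException with any other message falls out of the first catch and continues normally. Finish the SSLHandshakeException handler with `throw sslhe;` and delete the `catch (Exception e)` block. Whether the constructor actually surfaces the handshake failure as an SSLHandshakeException rather than a wrapped exception is not visible in this hunk and is worth confirming before relying on the message match.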
diff --git a/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java b/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java index a634424b3d7..5fc5c179dbe 100644 --- a/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java +++ b/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java @@ -49,6 +49,7 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; public class GenericBlockCipher { @@ -148,7 +149,7 @@ void doClientSide() throws Exception { // enable a block cipher sslSocket.setEnabledCipherSuites( - new String[] {"TLS_RSA_WITH_AES_128_CBC_SHA"}); + new String[] {"TLS_RSA_WITH_AES_128_CBC_SHA"}); InputStream sslIS = sslSocket.getInputStream(); OutputStream sslOS = sslSocket.getOutputStream(); @@ -172,8 +173,11 @@ void doClientSide() throws Exception { volatile Exception clientException = null; public static void main(String[] args) throws Exception { - // Re-enable TLSv1.1 and TLS_RSA_* since test depends on it. - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLS_RSA_*"); + // Re-enable TLSv1.1 since test depends on it. + if (!(SecurityUtils.isFIPS())) { + // Re-enable TLSv1.1 and TLS_RSA_* since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLS_RSA_*"); + } String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + @@ -193,7 +197,19 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new GenericBlockCipher(); + try { + new GenericBlockCipher(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (SecurityUtils.isFIPS()) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } Thread clientThread = null; 
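Review bot: The `catch (Exception e) { e.printStackTrace(); return; }` added around `new GenericBlockCipher()` converts any failure into a pass, and a FIPS-mode SSLHandshakeException whose message is not the expected one is swallowed as well because the handler has no else branch. End the SSLHandshakeException handler with `throw sslhe;` and remove the catch-all. In the `main` hunk the re-enable comment is now duplicated ("Re-enable TLSv1.1 since test depends on it." immediately followed by the original comment inside the `if`), and the `setEnabledCipherSuites` hunk above is a whitespace-only reindent; keep one comment and revert the reindent to keep the diff minimal.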
diff --git a/test/jdk/javax/net/ssl/TLSv11/GenericStreamCipher.java b/test/jdk/javax/net/ssl/TLSv11/GenericStreamCipher.java index 2c5e00ccf40..730d22b39b6 100644 --- a/test/jdk/javax/net/ssl/TLSv11/GenericStreamCipher.java +++ b/test/jdk/javax/net/ssl/TLSv11/GenericStreamCipher.java @@ -25,6 +25,7 @@ * @test * @bug 4873188 * @summary Support TLS 1.1 + * @library /test/lib * @modules java.security.jgss * java.security.jgss/sun.security.jgss.krb5 * java.security.jgss/sun.security.krb5:+open @@ -49,6 +50,9 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class GenericStreamCipher { /* @@ -105,7 +109,7 @@ void doServerSide() throws Exception { // enable a stream cipher sslServerSocket.setEnabledCipherSuites( - new String[] {"SSL_RSA_WITH_RC4_128_MD5"}); + new String[] {"SSL_RSA_WITH_RC4_128_MD5"}); serverPort = sslServerSocket.getLocalPort(); @@ -150,7 +154,7 @@ void doClientSide() throws Exception { // enable a stream cipher sslSocket.setEnabledCipherSuites( - new String[] {"SSL_RSA_WITH_RC4_128_MD5"}); + new String[] {"SSL_RSA_WITH_RC4_128_MD5"}); InputStream sslIS = sslSocket.getInputStream(); OutputStream sslOS = sslSocket.getOutputStream(); @@ -176,7 +180,9 @@ void doClientSide() throws Exception { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + 
@@ -196,7 +202,19 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new GenericStreamCipher(); + try { + new GenericStreamCipher(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (SecurityUtils.isFIPS()) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } Thread clientThread = null; diff --git a/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java b/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java index fa82d60c799..9b1244b8d60 100644 --- a/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java +++ b/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java @@ -29,6 +29,7 @@ * @bug 8139565 * @summary Restrict certificates with DSA keys less than 1024 bits * @library /javax/net/ssl/templates + * @library /test/lib * @run main/othervm DisabledShortDSAKeys PKIX TLSv1.2 * @run main/othervm DisabledShortDSAKeys SunX509 TLSv1.2 * @run main/othervm DisabledShortDSAKeys PKIX TLSv1.1 @@ -52,6 +53,8 @@ import java.security.interfaces.*; import java.util.Base64; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; public class DisabledShortDSAKeys extends SSLContextTemplate { @@ -173,11 +176,12 @@ protected ContextParameters getClientContextParameters() { volatile Exception clientException = null; public static void main(String[] args) throws Exception { - Security.setProperty("jdk.certpath.disabledAlgorithms", - "DSA keySize < 1024"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "DSA keySize < 1024"); - + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", + "DSA keySize < 1024"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "DSA keySize < 1024"); + } if (debug) { System.setProperty("javax.net.debug", "all"); } 
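Review bot: The try/catch around `new GenericStreamCipher()` ends with `catch (Exception e) { e.printStackTrace(); return; }`, so any failure, FIPS or not, is printed and main exits successfully, and an SSLHandshakeException with an unexpected message under FIPS is dropped too when the `if` does not match. Since `SSL_RSA_WITH_RC4_128_MD5` is presumably never negotiable under the FIPS profile, the expected-message branch is the only thing this test checks there; an explicit skip before the server is started (a log line plus `return`) would state that more honestly than catching the handshake failure. At minimum finish the SSLHandshakeException handler with `throw sslhe;` and remove the catch-all.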
diff --git a/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java b/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java index e14a90b781a..4f651dbddc0 100644 --- a/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java +++ b/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java @@ -29,6 +29,7 @@ * @bug 7109274 * @summary Consider disabling support for X.509 certificates with RSA keys * less than 1024 bits + * @library /test/lib * @library /javax/net/ssl/templates * @run main/othervm DisabledShortRSAKeys PKIX TLSv1.2 * @run main/othervm DisabledShortRSAKeys SunX509 TLSv1.2 @@ -44,6 +45,9 @@ import javax.net.ssl.*; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class DisabledShortRSAKeys extends SSLSocketTemplate { /* @@ -61,14 +65,24 @@ public DisabledShortRSAKeys(String tmAlgorithm, String enabledProtocol) { @Override public SSLContext createClientSSLContext() throws Exception { - return createSSLContext(new Cert[]{Cert.CA_RSA_512}, null, + if (SecurityUtils.isFIPS()) { + return createSSLContext(new Cert[]{Cert.CA_RSA_2048}, null, + new ContextParameters(enabledProtocol, tmAlgorithm, "NewSunX509")); + } else { + return createSSLContext(new Cert[]{Cert.CA_RSA_512}, null, new ContextParameters(enabledProtocol, tmAlgorithm, "NewSunX509")); + } } @Override public SSLContext createServerSSLContext() throws Exception { - return createSSLContext(null, new Cert[]{Cert.EE_RSA_512}, + if (SecurityUtils.isFIPS()) { + return createSSLContext(new Cert[]{Cert.EE_RSA_2048}, null, new ContextParameters(enabledProtocol, tmAlgorithm, "NewSunX509")); + } else { + return createSSLContext(null, new Cert[]{Cert.EE_RSA_512}, + new ContextParameters(enabledProtocol, tmAlgorithm, "NewSunX509")); + } } @Override 
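Review bot: The FIPS branch of `createServerSSLContext` passes `new Cert[]{Cert.EE_RSA_2048}, null`, i.e. the end-entity certificate in the first position and nothing in the second, whereas the original server branch passes `null, new Cert[]{Cert.EE_RSA_512}` and the client branch right above keeps its CA cert first and `null` second; the arguments look transposed, which would leave the server with no key entry to present (the `createSSLContext` signature is outside this hunk, so please confirm). It should read `return createSSLContext(null, new Cert[]{Cert.EE_RSA_2048}, new ContextParameters(enabledProtocol, tmAlgorithm, "NewSunX509"));`. More fundamentally, this test exists to check that 512-bit RSA keys are rejected; substituting 2048-bit keys under FIPS makes every `@run` variant exercise a different, passing scenario, so skipping the test in FIPS mode would be more faithful than redefining it.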
@@ -107,10 +121,12 @@ protected void runClientApplication(SSLSocket socket) throws Exception { } public static void main(String[] args) throws Exception { - Security.setProperty("jdk.certpath.disabledAlgorithms", - "RSA keySize < 1024"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "RSA keySize < 1024"); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", + "RSA keySize < 1024"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "RSA keySize < 1024"); + } if (debug) { System.setProperty("javax.net.debug", "all"); @@ -124,4 +140,4 @@ public static void main(String[] args) throws Exception { */ new DisabledShortRSAKeys(tmAlgorithm, enabledProtocol).run(); } -} +} \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java b/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java index 3291096af48..24dc0a1ec90 100644 --- a/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java +++ b/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java @@ -27,6 +27,7 @@ /* * @test * @bug 8052406 + * @library /test/lib * @summary SSLv2Hello protocol may be filter out unexpectedly * @library /test/lib * @run main/othervm ProtocolFilter @@ -36,6 +37,7 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; public class ProtocolFilter { @@ -93,8 +95,13 @@ void doServerSide() throws Exception { (SSLServerSocket) sslssf.createServerSocket(serverPort); // Only enable cipher suites for TLS v1.2. - sslServerSocket.setEnabledCipherSuites( - new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA256"}); + if (SecurityUtils.isFIPS()) { + sslServerSocket.setEnabledCipherSuites( + new String[]{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}); + } else { + sslServerSocket.setEnabledCipherSuites( + new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA256"}); + } serverPort = sslServerSocket.getLocalPort(); 
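Review bot: The `@@ -27` hunk of ProtocolFilter.java adds a second `@library /test/lib` tag two lines above the one already present in the jtreg header (`* @library /test/lib` is visible in the context just before `@run main/othervm ProtocolFilter`); jtreg tolerates it, but the duplicate is noise and should be dropped. The FIPS branch in the `@@ -93` hunk switches the server to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`; the client side of this test is not in the hunk, so whether it enables a matching suite should be checked.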
@@ -159,8 +166,11 @@ void doClientSide() throws Exception { volatile Exception clientException = null; public static void main(String[] args) throws Exception { - // Re-enable TLS_RSA_* since test depends on it. - SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); + if (!(SecurityUtils.isFIPS())) { + // Re-enable TLS_RSA_* since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); + } + String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + keyStoreFile; @@ -168,6 +178,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (SecurityUtils.isFIPS()) { + keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/TLSv12/ShortRSAKey512.java b/test/jdk/javax/net/ssl/TLSv12/ShortRSAKey512.java index 4d4331dc973..c4d022efa4e 100644 --- a/test/jdk/javax/net/ssl/TLSv12/ShortRSAKey512.java +++ b/test/jdk/javax/net/ssl/TLSv12/ShortRSAKey512.java @@ -27,6 +27,7 @@ /* * @test * @bug 7106773 + * @library /test/lib * @summary 512 bits RSA key cannot work with SHA384 and SHA512 * * SunJSSE does not support dynamic system properties, no way to re-use @@ -41,6 +42,8 @@ import javax.net.ssl.*; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; public class ShortRSAKey512 extends SSLContextTemplate { 
@@ -168,9 +171,11 @@ private static void parseArguments(String[] args) { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "SSLv3, RC4, DH keySize < 768"); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "SSLv3, RC4, DH keySize < 768"); + } if (debug) System.setProperty("javax.net.debug", "all"); @@ -183,7 +188,14 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new ShortRSAKey512(); + try { + new ShortRSAKey512(); + } catch (java.security.spec.InvalidKeySpecException ikse) { + if (SecurityUtils.isFIPS()) { + System.out.println("Inappropriate key specification: RSA keys must be at least 1024 bits long"); + return; + } + } } Thread clientThread = null; @@ -302,4 +314,4 @@ public void run() { } } } -} +} \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java b/test/jdk/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java index 702da61db91..bbf0a7a493e 100644 --- a/test/jdk/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java +++ b/test/jdk/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java @@ -31,6 +31,7 @@ * @bug 7030966 * @summary Support AEAD CipherSuites * @library /javax/net/ssl/templates + * @library /test/lib * @run main/othervm ShortRSAKeyGCM PKIX TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * @run main/othervm ShortRSAKeyGCM PKIX TLS_RSA_WITH_AES_128_GCM_SHA256 * @run main/othervm ShortRSAKeyGCM PKIX TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 @@ -68,6 +69,8 @@ import java.security.spec.*; import java.security.interfaces.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; public class ShortRSAKeyGCM extends SSLContextTemplate { 
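Review bot: The new `catch (java.security.spec.InvalidKeySpecException ikse)` prints a hard-coded "Inappropriate key specification: RSA keys must be at least 1024 bits long" without looking at the exception's actual message, and when the mode is not FIPS the exception is swallowed silently and main returns normally. Check the real message and propagate everything else: `if (SecurityUtils.isFIPS() && String.valueOf(ikse.getMessage()).startsWith("Inappropriate key specification")) { System.out.println("Expected: " + ikse.getMessage()); return; }` followed by `throw ikse;`. The `@@ -302` hunk also strips the file's trailing newline (`\ No newline at end of file`), which should be restored.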
@@ -194,9 +197,11 @@ protected ContextParameters getClientContextParameters() { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "SSLv3, RC4, DH keySize < 768"); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "SSLv3, RC4, DH keySize < 768"); + } if (debug) { System.setProperty("javax.net.debug", "all"); @@ -207,10 +212,29 @@ public static void main(String[] args) throws Exception { */ parseArguments(args); + if (SecurityUtils.isFIPS()) { + if (!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) { + System.out.println(cipherSuite + " is not supported."); + return; + } + } + /* * Start the tests. */ - new ShortRSAKeyGCM(); + try { + new ShortRSAKeyGCM(); + } catch (java.security.spec.InvalidKeySpecException ikse) { + if (SecurityUtils.isFIPS()) { + if ("Inappropriate key specification: RSA keys must be at least 1024 bits long".equals(ikse.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } Thread clientThread = null; @@ -335,4 +359,4 @@ public void run() { } } } -} +} \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/TLSv12/SignatureAlgorithms.java b/test/jdk/javax/net/ssl/TLSv12/SignatureAlgorithms.java index 488903c343d..829faf2f209 100644 --- a/test/jdk/javax/net/ssl/TLSv12/SignatureAlgorithms.java +++ b/test/jdk/javax/net/ssl/TLSv12/SignatureAlgorithms.java 
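Review bot: The `catch (Exception e) { e.printStackTrace(); return; }` added around `new ShortRSAKeyGCM()` turns every failure into a pass in both modes, and under FIPS an InvalidKeySpecException whose message differs from the expected one is dropped as well because the handler has no else branch. Finish the InvalidKeySpecException handler with `throw ikse;` and delete the catch-all. The early `return` for a suite missing from `SecurityUtils.TLS_CIPHERSUITES` is a reasonable skip since it logs which suite was skipped; the `@@ -335` hunk's removal of the trailing newline should be reverted.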
@@ -31,6 +31,7 @@ * @bug 8049321 * @summary Support SHA256WithDSA in JSSE * @library /javax/net/ssl/templates + * @library /test/lib * @run main/othervm SignatureAlgorithms PKIX "SHA-224,SHA-256" * TLS_DHE_DSS_WITH_AES_128_CBC_SHA * @run main/othervm SignatureAlgorithms PKIX "SHA-1,SHA-224" @@ -52,6 +53,9 @@ import java.security.cert.Certificate; import java.security.cert.X509Certificate; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class SignatureAlgorithms extends SSLContextTemplate { /* @@ -77,11 +81,11 @@ public class SignatureAlgorithms extends SSLContextTemplate { */ volatile boolean serverReady = false; - private final Cert[] SERVER_CERTS = { - SSLContextTemplate.Cert.EE_DSA_SHA1_1024, - SSLContextTemplate.Cert.EE_DSA_SHA224_1024, - SSLContextTemplate.Cert.EE_DSA_SHA256_1024, - }; + private static Cert[] SERVER_CERTS = { + SSLContextTemplate.Cert.EE_DSA_SHA1_1024, + SSLContextTemplate.Cert.EE_DSA_SHA224_1024, + SSLContextTemplate.Cert.EE_DSA_SHA256_1024, +}; /* * Define the server side of the test. @@ -131,8 +135,14 @@ void doClientSide() throws Exception { while (!serverReady) { Thread.sleep(50); } + Cert[] trustedCerts; - SSLContext context = createSSLContext(new Cert[]{Cert.CA_DSA_SHA1_1024}, null, getClientContextParameters()); + if (SecurityUtils.isFIPS()) { + trustedCerts = new Cert[]{Cert.CA_RSA_2048}; + } else { + trustedCerts = new Cert[]{Cert.CA_DSA_SHA1_1024}; + } + SSLContext context = createSSLContext(trustedCerts, null, getClientContextParameters()); SSLSocketFactory sslsf = context.getSocketFactory(); try (SSLSocket sslSocket = @@ -141,6 +151,7 @@ void doClientSide() throws Exception { // enable TLSv1.2 only sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"}); + System.out.println("In client side, the cipherSuite is: " + cipherSuite); // enable a block cipher sslSocket.setEnabledCipherSuites(new String[] {cipherSuite}); 
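Review bot: In the `@@ -77` hunk `SERVER_CERTS` changes from an instance `final` field to a `static` non-final array so that `main` can overwrite it, and its closing `};` is dedented to column 0, inconsistent with the 4-space indentation around it. If the reassignment is needed, document it at the declaration, e.g. `// Reassigned in main() under FIPS, where the DSA test certificates are replaced by an RSA one.`, and restore the indentation of `};`. The `System.out.println("In client side, the cipherSuite is: " + cipherSuite);` added in the `@@ -141` hunk reads like leftover debugging and should be removed.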
@@ -260,17 +271,31 @@ public static void main(String[] args) throws Exception { return; } - /* - * Expose the target algorithms by diabling unexpected algorithms. - */ - Security.setProperty( - "jdk.certpath.disabledAlgorithms", disabledAlgorithms); + if (!(SecurityUtils.isFIPS())) { + /* + * Expose the target algorithms by diabling unexpected algorithms. + */ + Security.setProperty( + "jdk.certpath.disabledAlgorithms", disabledAlgorithms); - /* - * Reset the security property to make sure that the algorithms - * and keys used in this test are not disabled by default. - */ - Security.setProperty( "jdk.tls.disabledAlgorithms", ""); + /* + * Reset the security property to make sure that the algorithms + * and keys used in this test are not disabled by default. + */ + Security.setProperty( "jdk.tls.disabledAlgorithms", ""); + } else { + if (!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) { + System.out.println(cipherSuite + " is not available."); + } else if (!SecurityUtils.TLS_CIPHERSUITES.get(cipherSuite).equals("TLSv1.2")) { + System.out.println(cipherSuite + " does not match TLSv1.2"); + } + SERVER_CERTS = new Cert[] { + SSLContextTemplate.Cert.EE_RSA_2048 + }; + disabledAlgorithms = "SHA-1"; + // cipherSuite = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; + cipherSuite = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; + } /* * Start the tests. @@ -400,4 +425,4 @@ public void run() { } } } -} +} \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/TLSv13/ClientHelloKeyShares.java b/test/jdk/javax/net/ssl/TLSv13/ClientHelloKeyShares.java index da68b027e2d..239ced21e97 100644 --- a/test/jdk/javax/net/ssl/TLSv13/ClientHelloKeyShares.java +++ b/test/jdk/javax/net/ssl/TLSv13/ClientHelloKeyShares.java 
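Review bot: Under FIPS the new else branch overwrites both `SERVER_CERTS` and `cipherSuite` with fixed RSA / `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` values, so every `@run` variant of this test, whose header says it covers SHA256WithDSA, executes the same RSA handshake and the command-line suite is ignored after being printed as "not available"; the coverage the test was written for silently disappears. A skip, `System.out.println("DSA signature schemes are not exercised under FIPS; skipping"); return;`, would be more honest than running a substitute scenario. The branch also assigns `disabledAlgorithms = "SHA-1"` with no consumer visible in this hunk, and carries a commented-out `// cipherSuite = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";` that should be removed. main continues outside the hunk.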
@@ -35,6 +35,7 @@ * @test * @bug 8247630 * @summary Use two key share entries + * @library /test/lib * @run main/othervm ClientHelloKeyShares 29 23 * @run main/othervm -Djdk.tls.namedGroups=secp384r1,secp521r1,x448,ffdhe2048 ClientHelloKeyShares 24 30 * @run main/othervm -Djdk.tls.namedGroups=brainpoolP512r1tls13,x448,ffdhe2048 ClientHelloKeyShares 33 30 @@ -50,6 +51,8 @@ import java.nio.ByteBuffer; import java.util.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; public class ClientHelloKeyShares { @@ -69,9 +72,28 @@ public static void main(String args[]) throws Exception { // values which will be the expected NamedGroup IDs in the key_share // extension. Expected named group assertions may also be affected // by setting the jdk.tls.namedGroups System property. + List expectedKeyShares = new ArrayList<>(); Arrays.stream(args).forEach(arg -> expectedKeyShares.add(Integer.valueOf(arg))); + if (SecurityUtils.isFIPS()) { + expectedKeyShares.clear(); + Map supportKeyShares = new HashMap<>(); + supportKeyShares.put("secp256r1", 23); + supportKeyShares.put("secp384r1", 24); + supportKeyShares.put("secp521r1", 25); + + if (System.getProperty("jdk.tls.namedGroups") == null) { + expectedKeyShares.add(23); + } else { + for (String nameGroup: System.getProperty("jdk.tls.namedGroups").split(",")) { + if (supportKeyShares.containsKey(nameGroup)) { + expectedKeyShares.add(supportKeyShares.get(nameGroup)); + break; + } + } + } + } SSLContext sslCtx = SSLContext.getDefault(); SSLEngine engine = sslCtx.createSSLEngine(); 
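Review bot: The FIPS branch reduces the expected key-share list to at most one group: it takes the first entry of `jdk.tls.namedGroups` found in `supportKeyShares` and `break`s, although the test's `@summary` ("Use two key share entries") is about verifying two shares. If the FIPS provider really advertises a single share, say so on the `break`, e.g. `// the FIPS profile sends one key share: the first supported group wins`; otherwise drop the `break` and collect every matching group. The split should also tolerate whitespace, `split("\\s*,\\s*")`, in case the property is ever set as `a, b`, and the three-entry `HashMap` can be `Map.of("secp256r1", 23, "secp384r1", 24, "secp521r1", 25)`.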
@@ -82,7 +104,19 @@ public static void main(String args[]) throws Exception { ByteBuffer.allocateDirect(session.getPacketBufferSize()); // Create and check the ClientHello message - SSLEngineResult clientResult = engine.wrap(clientOut, cTOs); + SSLEngineResult clientResult = null; + try { + clientResult = engine.wrap(clientOut, cTOs); + } catch (java.lang.ExceptionInInitializerError eiie) { + Throwable cause = eiie.getCause(); + if (cause instanceof java.lang.IllegalArgumentException) { + if (SecurityUtils.isFIPS() + && ("System property jdk.tls.namedGroups(" + System.getProperty("jdk.tls.namedGroups") + ") contains no supported named groups").equals(cause.getMessage())) { + System.out.println("Expected msg is caught."); + return; + } + } + } logResult("client wrap: ", clientResult); if (clientResult.getStatus() != SSLEngineResult.Status.OK) { throw new RuntimeException("Client wrap got status: " + @@ -217,7 +251,7 @@ private static void checkClientHello(ByteBuffer data, break; case HELLO_EXT_SUPP_VERS: foundSupVer = true; - int supVerLen = Byte.toUnsignedInt(data.get()); + int supVerLen = Byte.toUnsignedInt(data.get()); // 04 for (int remain = supVerLen; remain > 0; remain -= 2) { foundTLS13 |= (Short.toUnsignedInt(data.getShort()) == TLS_PROT_VER_13); @@ -232,7 +266,8 @@ private static void checkClientHello(ByteBuffer data, foundKeyShare = true; int ksListLen = Short.toUnsignedInt(data.getShort()); while (ksListLen > 0) { - chKeyShares.add(Short.toUnsignedInt(data.getShort())); + int ks = Short.toUnsignedInt(data.getShort()); + chKeyShares.add(ks); int ksLen = Short.toUnsignedInt(data.getShort()); data.position(data.position() + ksLen); ksListLen -= (4 + ksLen); diff --git a/test/jdk/javax/net/ssl/TLSv13/HRRKeyShares.java b/test/jdk/javax/net/ssl/TLSv13/HRRKeyShares.java index 313b2c5084b..39b1471510c 100644 --- a/test/jdk/javax/net/ssl/TLSv13/HRRKeyShares.java +++ b/test/jdk/javax/net/ssl/TLSv13/HRRKeyShares.java 
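Review bot: In the new `try` around `engine.wrap`, when an ExceptionInInitializerError is caught but its cause is not the expected FIPS IllegalArgumentException, the handler falls through with `clientResult` still null, and the following `logResult("client wrap: ", clientResult)` / `clientResult.getStatus()` fails with a NullPointerException that hides the original error. Add `throw eiie;` as the last statement of the catch so only the recognised case returns. The `// 04` appended to `int supVerLen = Byte.toUnsignedInt(data.get());` in the `checkClientHello` hunk looks like a debugging note and should be removed or made meaningful.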
@@ -45,6 +45,7 @@ import java.util.Map; import java.util.Objects; import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; public class HRRKeyShares { @@ -311,8 +312,9 @@ private static void hrrKeyShareTest(int hrrNamedGroup, boolean expectedPass) if (!initialCh.suppVersions.contains(TLS_PROT_VER_13)) { throw new RuntimeException( "Missing TLSv1.3 protocol in supported_versions"); - } else if (!initialCh.keyShares.containsKey(NG_X25519) || - !initialCh.keyShares.containsKey(NG_SECP256R1)) { + } else if (!(SecurityUtils.isFIPS()) && + (!initialCh.keyShares.containsKey(NG_X25519) || + !initialCh.keyShares.containsKey(NG_SECP256R1))) { throw new RuntimeException( "Missing one or more expected KeyShares"); } diff --git a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java index 8db1dfdeac8..4020101346b 100644 --- a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java +++ b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java @@ -26,6 +26,7 @@ * @bug 8076221 8211883 8163327 8279164 8245545 * @summary Check if weak cipher suites are disabled * @library /javax/net/ssl/templates + * /test/lib * @modules jdk.crypto.ec * @run main/othervm DisabledAlgorithms default * @run main/othervm DisabledAlgorithms empty @@ -45,6 +46,9 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /* * This test verifies that setEnabledProtocols() does not override the * jdk.tls.disabledAlgorithms property. Both the client and server throw @@ -148,6 +152,9 @@ public static void main(String[] args) throws Exception { checkFailure(DISABLED_CIPHERSUITES); break; case "empty": + if (SecurityUtils.isFIPS()) { + return; + } // reset jdk.tls.disabledAlgorithms Security.setProperty("jdk.tls.disabledAlgorithms", ""); System.out.println("jdk.tls.disabledAlgorithms = " 
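Review bot: Under FIPS the key-share check in hrrKeyShareTest is disabled entirely, so the test no longer verifies that the initial ClientHello carries any key share at all. If the FIPS profile still offers secp256r1 (the ClientHelloKeyShares change in this patch expects named group 23 by default, though that is an inference), assert that instead of skipping: `} else if (SecurityUtils.isFIPS() ? !initialCh.keyShares.containsKey(NG_SECP256R1) : (!initialCh.keyShares.containsKey(NG_X25519) || !initialCh.keyShares.containsKey(NG_SECP256R1))) {`. hrrKeyShareTest starts and ends outside the hunk.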
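Review bot: The `case "empty"` branch now returns silently under FIPS, so that @run configuration reports success without exercising anything and without saying why. Print the reason before returning, e.g. `System.out.println("FIPS mode: jdk.tls.disabledAlgorithms cannot be cleared, skipping 'empty' case"); return;`, so a skipped run can be told apart from a passing one in the log. The enclosing switch and main() continue past the hunk.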
diff --git a/test/jdk/javax/net/ssl/ciphersuites/TLSWontNegotiateDisabledCipherAlgos.java b/test/jdk/javax/net/ssl/ciphersuites/TLSWontNegotiateDisabledCipherAlgos.java index b22b4f02165..ed4dd222a98 100644 --- a/test/jdk/javax/net/ssl/ciphersuites/TLSWontNegotiateDisabledCipherAlgos.java +++ b/test/jdk/javax/net/ssl/ciphersuites/TLSWontNegotiateDisabledCipherAlgos.java @@ -30,6 +30,9 @@ import java.security.Security; import java.util.List; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /* * @test id=Server * @bug 8301379 @@ -57,7 +60,7 @@ public class TLSWontNegotiateDisabledCipherAlgos { public static void main(String [] args) throws Exception { boolean useDisabledAlgo = Boolean.parseBoolean(args[1]); - if (useDisabledAlgo) { + if (useDisabledAlgo && !(SecurityUtils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } diff --git a/test/jdk/javax/net/ssl/finalize/SSLSessionFinalizeTest.java b/test/jdk/javax/net/ssl/finalize/SSLSessionFinalizeTest.java index 7ffa34ec7b7..896459e720f 100644 --- a/test/jdk/javax/net/ssl/finalize/SSLSessionFinalizeTest.java +++ b/test/jdk/javax/net/ssl/finalize/SSLSessionFinalizeTest.java @@ -24,6 +24,7 @@ /* * @test * @summary Test behavior related to finalize + * @library /test/lib * @run main/othervm SSLSessionFinalizeTest */ @@ -41,6 +42,9 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class SSLSessionFinalizeTest { /* @@ -103,6 +107,7 @@ void doServerSide() throws Exception { while (serverReady) { SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept(); + // System.out.printf(" accept: %s%n", sslSocket); InputStream sslIS = sslSocket.getInputStream(); OutputStream sslOS = sslSocket.getOutputStream(); 
@@ -191,6 +196,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (SecurityUtils.isFIPS()) { + keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java index 847c69112a0..0e10dffaaf4 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java @@ -25,6 +25,7 @@ * @test * @bug 4750141 4895631 8217579 8163326 8279164 8245545 * @summary Check enabled and supported ciphersuites are correct + * @library /test/lib * @run main/othervm CheckCipherSuites default * @run main/othervm CheckCipherSuites limited */ @@ -33,6 +34,9 @@ import java.security.Security; import javax.net.ssl.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class CheckCipherSuites { // List of enabled cipher suites when the "crypto.policy" security 
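Review bot: `revertJKSToPKCS12` names its output after `keyFilename`, which here points into `test.src`, so in FIPS mode the converted `.p12` files are written into the test source tree (possibly read-only, and shared between concurrent jtreg runs) instead of the scratch directory. The helper also returns the `.p12` path even when the conversion threw (its catch only prints), so the `javax.net.ssl.keyStore` property set below may then name a file that does not exist. Have the helper write under `user.dir` and fail on conversion errors, and add `// FIPS profile cannot load JKS stores; use PKCS12 copies` here so the reason for the conversion is recorded. main() continues outside the hunk.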
@@ -121,6 +125,21 @@ public class CheckCipherSuites { "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" }; + // List of enabled cipher suites when the "-Dsemeru.fips=true -Dsemeru.customprofile" security + // property is set. + private final static String[] ENABLED_FIPS = { + "TLS_AES_256_GCM_SHA384", + "TLS_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + }; + // List of supported cipher suites when the "crypto.policy" security // property is set to "unlimited" (the default value). private final static String[] SUPPORTED_DEFAULT = { @@ -207,6 +226,21 @@ public class CheckCipherSuites { "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" }; + // List of enabled cipher suites when the "-Dsemeru.fips=true -Dsemeru.customprofile" security + // property is set. + private final static String[] SUPPORTED_FIPS = { + "TLS_AES_256_GCM_SHA384", + "TLS_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + }; + private static void showSuites(String[] suites) { if ((suites == null) || (suites.length == 0)) { System.out.println(""); 
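Review bot: The comment above `SUPPORTED_FIPS` is a copy of the `ENABLED_FIPS` one — it says "List of enabled cipher suites" and calls `-Dsemeru.fips=true -Dsemeru.customprofile` a "security property" although those are JVM system properties; change it to `// List of supported cipher suites when the JVM runs with the -Dsemeru.fips=true -Dsemeru.customprofile system properties.` and fix the wording on `ENABLED_FIPS` likewise. The two arrays are identical, so one constant referenced twice would keep them from drifting apart. The existing lists visible in the context end with `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` while both FIPS lists omit it; if JSSE still reports the SCSV under FIPS, the comparison in main() will fail.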
@@ -225,7 +259,12 @@ public static void main(String[] args) throws Exception { String[] ENABLED; String[] SUPPORTED; - if (args[0].equals("default")) { + String[] FIPS; + + if (SecurityUtils.isFIPS()) { + ENABLED = ENABLED_FIPS; + SUPPORTED = SUPPORTED_FIPS; + } else if (args[0].equals("default")) { ENABLED = ENABLED_DEFAULT; SUPPORTED = SUPPORTED_DEFAULT; } else if (args[0].equals("limited")) { diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java index 6492e6508de..43e44f5f1ae 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java @@ -20,11 +20,13 @@ * or visit www.oracle.com if you need additional information or have any * questions. */ -import java.util.Arrays; +import java.util.*; import java.util.stream.Stream; + import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLSocket; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; /* 
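Review bot: `String[] FIPS;` is declared in main() and never used; drop it. The new FIPS branch also ignores `args[0]`, so the `default` and `limited` @run configurations now perform the identical check twice under FIPS; either skip one with a printed reason or keep the `crypto.policy` distinction if the FIPS profile honours it (the hunk does not show which). main() continues past the hunk.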
@@ -78,14 +80,47 @@ public class SystemPropCipherSuitesOrder extends SSLSocketTemplate { private final String protocol; - private static String[] servercipherSuites; - private static String[] clientcipherSuites; + private static String[] servercipherSuites = null; + private static String[] clientcipherSuites = null; public static void main(String[] args) { - servercipherSuites + + if (SecurityUtils.isFIPS()) { + // if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { + // System.out.println(args[0] + " is not supported in FIPS 140-3."); + // return; + // } + List tmpClient = new ArrayList<>(); + if (System.getProperty("jdk.tls.client.cipherSuites") != null) { + for (String clientcipherSuite : toArray(System.getProperty("jdk.tls.client.cipherSuites"))) { + if (SecurityUtils.TLS_CIPHERSUITES.containsKey(clientcipherSuite)) { + tmpClient.add(clientcipherSuite); + System.out.println("jdk.tls.client.cipherSuites: " + clientcipherSuite); + } + } + } + List tmpServer = new ArrayList<>(); + if (System.getProperty("jdk.tls.server.cipherSuites") != null) { + for (String servercipherSuite : toArray(System.getProperty("jdk.tls.server.cipherSuites"))) { + if (SecurityUtils.TLS_CIPHERSUITES.containsKey(servercipherSuite)) { + tmpServer.add(servercipherSuite); + System.out.println("jdk.tls.server.cipherSuites: " + servercipherSuite); + } + } + } + if (tmpClient.size() != 0) { + clientcipherSuites = tmpClient.toArray(new String[0]); + } + if (tmpServer.size() != 0) { + servercipherSuites = tmpServer.toArray(new String[0]); + } + + } else { + servercipherSuites = toArray(System.getProperty("jdk.tls.server.cipherSuites")); - clientcipherSuites + clientcipherSuites = toArray(System.getProperty("jdk.tls.client.cipherSuites")); + } System.out.printf("SYSTEM PROPERTIES: ServerProp:%s - ClientProp:%s%n", Arrays.deepToString(servercipherSuites), Arrays.deepToString(clientcipherSuites)); 
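Review bot: The commented-out FIPS protocol check at the top of the new block in main() should be removed rather than kept (the catch handler later in main() performs the same test), and `tmpClient.size() != 0` / `tmpServer.size() != 0` read better as `!tmpClient.isEmpty()` / `!tmpServer.isEmpty()`. Filtering the configured suites through `SecurityUtils.TLS_CIPHERSUITES` silently changes what the test verifies — the order of the surviving suites rather than the configured order — which deserves a comment such as `// FIPS: drop suites the profile does not offer; the relative order of the rest must still be preserved`. main() continues past the end of the hunk.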
@@ -104,6 +139,16 @@ public static void main(String[] args) { try { new SystemPropCipherSuitesOrder(args[0]).run(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (SecurityUtils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0]) + || (servercipherSuites == null && clientcipherSuites == null)) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught."); + return; + } + } + } } catch (Exception e) { throw new RuntimeException(e); } @@ -113,7 +158,9 @@ private SystemPropCipherSuitesOrder(String protocol) { this.protocol = protocol; // Re-enable protocol if disabled. if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) { - SecurityUtils.removeFromDisabledTlsAlgs(protocol); + if (!(SecurityUtils.isFIPS())) { + SecurityUtils.removeFromDisabledTlsAlgs(protocol); + } } } diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java index 2ce46eb8471..47deb2a3cbc 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java @@ -24,6 +24,7 @@ import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLSocket; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; /* 
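Review bot: The new `catch (javax.net.ssl.SSLHandshakeException sslhe)` only returns on the expected FIPS message and otherwise falls off the end of the handler, so an unexpected handshake failure (different message, both suite arrays non-null, or non-FIPS mode) now lets main() finish normally and the test passes; before this change the exception was wrapped by the following `catch (Exception e)`. Add `throw new RuntimeException(sslhe);` as the last statement of the handler so only the documented FIPS case is tolerated.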
@@ -58,13 +59,38 @@ public class TLSCipherSuitesOrder extends SSLSocketTemplate { private final String[] clientcipherSuites; public static void main(String[] args) { - // Re-enable TLS_RSA_* since test depends on it. - SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); + if (!(SecurityUtils.isFIPS())) { + // Re-enable TLS_RSA_* since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); + } PROTOCOL protocol = PROTOCOL.valueOf(args[0]); + // if (Utils.isFIPS()) { + // if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { + // System.out.println(args[0] + " is not supported in FIPS 140-3."); + // return; + // } + // } try { new TLSCipherSuitesOrder(protocol.getProtocol(), protocol.getCipherSuite(args[1]), protocol.getCipherSuite(args[2])).run(); + } catch (javax.net.ssl.SSLHandshakeException sslex) { + if (SecurityUtils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { + System.out.println(args[0] + " is not supported in FIPS 140-3."); + } + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslex.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslex.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslex.printStackTrace(); + return; + } } catch (Exception e) { throw new RuntimeException(e); } 
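Review bot: Every branch of the new `catch (javax.net.ssl.SSLHandshakeException sslex)` in main() returns normally, including the "Unexpected exception msg" case under FIPS and the "Unexpected exception is caught in Non-FIPS mode" case, so a handshake failure that previously surfaced as a RuntimeException now passes the test. Replace those two `return;` statements with `throw new RuntimeException(sslex);` and keep the plain return only for the expected FIPS message. The commented-out `Utils.isFIPS()` block before the try should be deleted rather than left in.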
@@ -73,8 +99,10 @@ public static void main(String[] args) { private TLSCipherSuitesOrder(String protocol, String[] clientcipherSuites, String[] servercipherSuites) { // Re-enable protocol if it is disabled. - if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) { - SecurityUtils.removeFromDisabledTlsAlgs(protocol); + if (!SecurityUtils.isFIPS()) { + if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) { + SecurityUtils.removeFromDisabledTlsAlgs(protocol); + } } this.protocol = protocol; this.clientcipherSuites = clientcipherSuites; diff --git a/test/jdk/javax/net/ssl/sanity/interop/CipherTest.java b/test/jdk/javax/net/ssl/sanity/interop/CipherTest.java index 39e88abce8e..9ce3e760b4b 100644 --- a/test/jdk/javax/net/ssl/sanity/interop/CipherTest.java +++ b/test/jdk/javax/net/ssl/sanity/interop/CipherTest.java @@ -58,6 +58,7 @@ public class CipherTest { static SecureRandom secureRandom; private static PeerFactory peerFactory; + public static final boolean ISFIPS = Boolean.parseBoolean(System.getProperty("semeru.fips")); static abstract class Server implements Runnable { 
@@ -135,8 +136,24 @@ private CipherTest(PeerFactory peerFactory) throws IOException { factory = (SSLSocketFactory)SSLSocketFactory.getDefault(); SSLSocket socket = (SSLSocket)factory.createSocket(); String[] cipherSuites = socket.getSupportedCipherSuites(); - String[] protocols = socket.getSupportedProtocols(); - String[] clientAuths = {null, "RSA", "DSA"}; + String[] protocols = null; + String[] clientAuths = null; + if (ISFIPS) { + clientAuths = new String[]{null, "RSA"}; + List tmp = new ArrayList<>(); + for (String protocol : socket.getSupportedProtocols()) { + if (protocol.equals("TLSv1.2") || protocol.equals("TLSv1.3")) { + tmp.add(protocol); + } + } + if (tmp.size() == 0 || tmp == null) { + return; + } + protocols = tmp.toArray(new String[0]); + } else { + clientAuths = new String[]{null, "RSA", "DSA"}; + protocols = socket.getSupportedProtocols(); + } tests = new ArrayList( cipherSuites.length * protocols.length * clientAuths.length); for (int j = 0; j < protocols.length; j++) { @@ -248,6 +265,16 @@ public final void run() { try { runTest(params); System.out.println("Passed " + params); + } catch (javax.net.ssl.SSLException sslException) { + if (ISFIPS) { + if ("DSA signing not supported in FIPS".equals(sslException.getMessage())) { + System.out.println("Expected exception msg: is caught."); + } else { + cipherTest.setFailed(); + System.out.println("** Failed " + params + "**"); + sslException.printStackTrace(); + } + } } catch (Exception e) { cipherTest.setFailed(); System.out.println("** Failed " + params + "**"); diff --git a/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java b/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java index 09e40c033b3..0a0ca607221 100644 --- a/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java +++ b/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java 
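Review bot: In the FIPS branch of the CipherTest constructor, `tmp.size() == 0 || tmp == null` tests for null after `tmp.size()` has already dereferenced it, and `tmp` is never null there; simplify to `if (tmp.isEmpty())`. The bare `return` leaves `tests` unassigned, so whatever iterates `tests` afterwards will hit a null unless it guards for it — not visible in the hunk; failing loudly with `throw new IllegalStateException("no FIPS-approved TLS protocol supported");` would be safer than a half-constructed object. The constructor continues past the hunk.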
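Review bot: The new `catch (javax.net.ssl.SSLException sslException)` in run() does nothing when `ISFIPS` is false, so outside FIPS mode an SSLException from runTest is dropped without `cipherTest.setFailed()` and the configuration is neither reported passed nor failed; before this change it reached the generic `catch (Exception e)` and marked the run failed. Add an `else` branch mirroring that handler: `cipherTest.setFailed(); System.out.println("** Failed " + params + "**"); sslException.printStackTrace();`. Matching the exact text "DSA signing not supported in FIPS" is fragile; consider documenting where that message originates. run() continues outside the hunk.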
@@ -27,17 +27,22 @@ * @summary Verify that all ciphersuites work in all configurations * @author Andreas Sterbenz * @library ../../TLSCommon + * @library /test/lib * @run main/othervm/timeout=300 ClientJSSEServerJSSE */ import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; public class ClientJSSEServerJSSE { public static void main(String[] args) throws Exception { // reset security properties to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - Security.setProperty("jdk.certpath.disabledAlgorithms", ""); + if (!(SecurityUtils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + Security.setProperty("jdk.certpath.disabledAlgorithms", ""); + } CipherTest.main(new JSSEFactory(), args); } diff --git a/test/jdk/javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java b/test/jdk/javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java index dcf0fab42c9..1e5fae56e1b 100644 --- a/test/jdk/javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java +++ b/test/jdk/javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java @@ -25,11 +25,15 @@ * @test * @bug 4635454 6208022 8130181 * @summary Check pluggability of SSLContext class. + * @library /test/lib */ import java.security.*; import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class CheckSSLContextExport extends Provider { private static String info = "test provider for JSSE pluggability"; 
@@ -45,8 +49,12 @@ public static void test(String protocol) throws Exception { String providerName = mySSLContext.getProvider().getName(); if (!providerName.equals("TestJSSEPluggability")) { - System.out.println(providerName + "'s SSLContext is used"); - throw new Exception("...used the wrong provider: " + providerName); + if (!(SecurityUtils.isFIPS())) { + System.out.println(providerName + "'s SSLContext is used"); + throw new Exception("...used the wrong provider: " + providerName); + } else { + System.out.println("In FIPS mode, we dont support customized provider yet, " + providerName + "'s SSLContext is used"); + } } for (int i = 0; i < 2; i++) { boolean standardCiphers = true; @@ -112,7 +120,16 @@ public static void main(String[] argv) throws Exception { try { for (int i = 0; i < protocols.length; i++) { System.out.println("Testing " + protocols[i] + "'s SSLContext"); - test(protocols[i]); + try { + test(protocols[i]); + } catch (java.lang.IllegalStateException ise) { + if (SecurityUtils.isFIPS()) { + if (protocols[i].equals("SSL") && "SSLContext is not initialized".equals(ise.getMessage())) { + System.out.println("SSL is not supported in FIPS140-3."); + continue; + } + } + } } System.out.println("Test Passed"); } finally { diff --git a/test/jdk/javax/net/ssl/templates/NetSslUtils.java b/test/jdk/javax/net/ssl/templates/NetSslUtils.java new file mode 100644 index 00000000000..14b611d4e4e --- /dev/null +++ b/test/jdk/javax/net/ssl/templates/NetSslUtils.java 
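Review bot: In FIPS mode test() now logs that the wrong provider was used and carries on with the cipher-suite loop against that provider's SSLContext, so the pluggability check this test exists for is silently waived while the remaining assertions run against an unrelated context. If custom providers are genuinely unsupported under FIPS, stop right there with a clear message, e.g. `System.out.println("FIPS mode: custom SSLContext providers are not supported, skipping"); return;`. test() continues beyond the hunk.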
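Review bot: The `catch (java.lang.IllegalStateException ise)` added in main() only `continue`s for the FIPS + "SSL" case and otherwise swallows the exception, so an IllegalStateException for any other protocol, or in non-FIPS mode, lets the loop finish and print "Test Passed". Add `throw ise;` after the inner `if` so only the documented FIPS case is tolerated. main() continues past the hunk.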
@@ -0,0 +1,108 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. 
+ */ + + import java.security.Security; + import java.security.Provider; + import java.util.List; + import java.util.ArrayList; + import java.util.Map; + import java.util.HashMap; + + import java.io.FileInputStream; + import java.io.FileOutputStream; + import java.security.KeyStore; + import java.security.Key; + import java.security.cert.Certificate; + import java.util.Enumeration; + + public class NetSslUtils { + public static final List TLS_PROTOCOLS = new ArrayList<>(); + public static final Map TLS_CIPHERSUITES = new HashMap<>(); + + public static final String isFIPS = System.getProperty("semeru.fips"); + public static boolean isFIPS() { + System.out.println("semeru.fips is: " + System.getProperty("semeru.fips")); + return Boolean.parseBoolean(isFIPS); + } + + public static final String FIPS_PROFILE = System.getProperty("semeru.customprofile"); + public static String getFipsProfile() { + System.out.println("semeru.customprofile is: " + System.getProperty("semeru.customprofile")); + return FIPS_PROFILE; + } + + public static String revertJKSToPKCS12(String keyFilename, String passwd) { + String p12keyFilename = keyFilename + ".p12"; + try { + KeyStore jksKeystore = KeyStore.getInstance("JKS"); + try (FileInputStream fis = new FileInputStream(keyFilename)) { + jksKeystore.load(fis, passwd.toCharArray()); + } + + KeyStore pkcs12Keystore = KeyStore.getInstance("PKCS12"); + pkcs12Keystore.load(null, null); + + Enumeration aliasesKey = jksKeystore.aliases(); + while (aliasesKey.hasMoreElements()) { + String alias = aliasesKey.nextElement(); + if (jksKeystore.isKeyEntry(alias)) { + char[] keyPassword = passwd.toCharArray(); + Key key = jksKeystore.getKey(alias, keyPassword); + Certificate[] chain = jksKeystore.getCertificateChain(alias); + pkcs12Keystore.setKeyEntry(alias, key, passwd.toCharArray(), chain); + } else if (jksKeystore.isCertificateEntry(alias)) { + Certificate cert = jksKeystore.getCertificate(alias); + pkcs12Keystore.setCertificateEntry(alias, cert); + 
} + } + + try (FileOutputStream fos = new FileOutputStream(p12keyFilename)) { + pkcs12Keystore.store(fos, passwd.toCharArray()); + } + System.out.println("JKS keystore converted to PKCS12 successfully."); + } catch (Exception e) { + e.printStackTrace(); + } + return p12keyFilename; + } + + static { + TLS_PROTOCOLS.add("TLSv1.2"); + TLS_PROTOCOLS.add("TLSv1.3"); + + TLS_CIPHERSUITES.put("TLS_AES_128_GCM_SHA256", "TLSv1.3"); + TLS_CIPHERSUITES.put("TLS_AES_256_GCM_SHA384", "TLSv1.3"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + } + } \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java b/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java index d06370ff919..70aae3e61a5 100644 --- a/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java +++ b/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java 
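Review bot: `revertJKSToPKCS12` catches every exception, prints it and still returns `p12keyFilename`, so callers go on to configure a keystore path that may not exist and fail later with an unrelated error; replace `e.printStackTrace();` with `throw new RuntimeException("JKS to PKCS12 conversion failed for " + keyFilename, e);`. The class duplicates `SecurityUtils` from `/test/lib`, but its `TLS_CIPHERSUITES` additionally lists four `TLS_DHE_RSA_*` suites, so the two helpers will disagree on what FIPS allows; one shared copy would avoid that. The header carries a 2015 Oracle copyright on a brand-new file, `isFIPS()` prints on every call, and the whole body is indented by one extra space.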
@@ -112,7 +112,7 @@ protected TrustManager createTrustManager(Cert[] trustedCerts, CertificateFactory cf = CertificateFactory.getInstance("X.509"); ByteArrayInputStream is; - KeyStore ts = KeyStore.getInstance("JKS"); + KeyStore ts = KeyStore.getInstance("JKS"); ts.load(null, null); if (trustedCerts != null && trustedCerts.length != 0) { diff --git a/test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java b/test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java index 0891523ac11..916ca5b5759 100644 --- a/test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java +++ b/test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java @@ -176,6 +176,9 @@ protected void configureServerSocket(SSLServerSocket socket) { protected void doServerSide() throws Exception { // kick start the server side service SSLContext context = createServerSSLContext(); + // if (context == null) { + // return; + // } SSLServerSocketFactory sslssf = context.getServerSocketFactory(); SSLServerSocket sslServerSocket = (SSLServerSocket)sslssf.createServerSocket( serverPort, 0, serverAddress); @@ -261,6 +264,9 @@ protected void doClientSide() throws Exception { } SSLContext context = createClientSSLContext(); + // if (context == null) { + // return; + // } SSLSocketFactory sslsf = context.getSocketFactory(); try (SSLSocket sslSocket = (SSLSocket)sslsf.createSocket()) { diff --git a/test/jdk/javax/net/ssl/templates/TLSBase.java b/test/jdk/javax/net/ssl/templates/TLSBase.java index 73951ce9422..412c2d58c92 100644 --- a/test/jdk/javax/net/ssl/templates/TLSBase.java +++ b/test/jdk/javax/net/ssl/templates/TLSBase.java 
@@ -67,10 +67,15 @@ abstract public class TLSBase { public String name; TLSBase() { - String keyFilename = TESTROOT + "/" + pathToStores + "/" + keyStoreFile; String trustFilename = TESTROOT + "/" + pathToStores + "/" + trustStoreFile; + + if (NetSslUtils.isFIPS()) { + keyFilename = NetSslUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = NetSslUtils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/lib/jdk/test/lib/Utils.java b/test/lib/jdk/test/lib/Utils.java index c4a42dc61ba..302ac787f1f 100644 --- a/test/lib/jdk/test/lib/Utils.java +++ b/test/lib/jdk/test/lib/Utils.java @@ -73,6 +73,13 @@ import java.util.stream.Collectors; import static java.lang.System.lineSeparator; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.security.KeyStore; +import java.security.Key; +import java.security.cert.Certificate; +import java.util.Enumeration; + import static jdk.test.lib.Asserts.assertTrue; import jdk.test.lib.process.ProcessTools; import jdk.test.lib.process.OutputAnalyzer; @@ -161,6 +168,7 @@ public final class Utils { * Contains the seed value used for {@link java.util.Random} creation. */ public static final long SEED; + static { var seed = Long.getLong(SEED_PROPERTY_NAME); if (seed != null) { diff --git a/test/lib/jdk/test/lib/security/SecurityUtils.java b/test/lib/jdk/test/lib/security/SecurityUtils.java index 7509488225e..6807d6f2a21 100644 --- a/test/lib/jdk/test/lib/security/SecurityUtils.java +++ b/test/lib/jdk/test/lib/security/SecurityUtils.java 
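Review bot: The hunk shows `String keyFilename = TESTROOT + "/" + pathToStores + "/" + keyStoreFile;` removed from the TLSBase constructor with no replacement, yet `keyFilename` is still assigned in the FIPS block and passed to `System.setProperty` below; unless `keyFilename` is a field declared outside the hunk, this will not compile — please confirm the removal is intended. The template also calls `NetSslUtils` while the other tests in this patch call `SecurityUtils`, and the two helpers carry different cipher-suite lists, so template-based and standalone tests may disagree on FIPS behaviour. The constructor ends outside the hunk.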
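Review bot: The imports added to Utils.java (`FileInputStream`, `FileOutputStream`, `KeyStore`, `Key`, `Certificate`, `Enumeration`) are not used by any change to this file in the patch — the keystore conversion code went into SecurityUtils — so they are dead and will be flagged by style checks; drop them, along with the stray blank line inserted before the `SEED` static initializer.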
@@ -24,15 +24,20 @@ package jdk.test.lib.security; import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; import java.io.IOException; import java.nio.ByteBuffer; +import java.security.Key; import java.security.KeyStore; import java.security.Security; -import java.util.Arrays; -import java.util.List; +import java.security.cert.Certificate; import java.util.stream.Collectors; import java.util.stream.Stream; import jdk.test.lib.security.DiffieHellmanGroup; +import java.util.*; + +import java.util.Enumeration; /** * Common library for various security test helper functions. 
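Review bot: The explicit `java.util.Arrays` and `java.util.List` imports are replaced by `import java.util.*;` plus a separate `import java.util.Enumeration;` that the wildcard already covers, both placed after the `jdk.test.lib` import. Keep the explicit form (`Arrays`, `ArrayList`, `Enumeration`, `HashMap`, `List`, `Map`) and keep the `java.*` group before `jdk.test.lib.*`, which is the ordering the file already uses.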
@@ -216,4 +221,71 @@ public static int getInt16(ByteBuffer m) throws IOException { } private SecurityUtils() {} + + public static final List TLS_PROTOCOLS = new ArrayList<>(); + public static final Map TLS_CIPHERSUITES = new HashMap<>(); + + static { + TLS_PROTOCOLS.add("TLSv1.2"); + TLS_PROTOCOLS.add("TLSv1.3"); + + TLS_CIPHERSUITES.put("TLS_AES_128_GCM_SHA256", "TLSv1.3"); + TLS_CIPHERSUITES.put("TLS_AES_256_GCM_SHA384", "TLSv1.3"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + } + + public static final String isFIPS = System.getProperty("semeru.fips"); + public static boolean isFIPS() { + System.out.println("semeru.fips is: " + System.getProperty("semeru.fips")); + return Boolean.parseBoolean(isFIPS); + } + + public static final String FIPS_PROFILE = System.getProperty("semeru.customprofile"); + public static String getFipsProfile() { + System.out.println("semeru.customprofile is: " + System.getProperty("semeru.customprofile")); + return FIPS_PROFILE; + } + + public static String revertJKSToPKCS12(String keyFilename, String passwd) { + String p12keyFilename = keyFilename + ".p12"; + try { + KeyStore jksKeystore = KeyStore.getInstance("JKS"); + try (FileInputStream fis = new FileInputStream(keyFilename)) { + jksKeystore.load(fis, passwd.toCharArray()); + } + + KeyStore pkcs12Keystore = KeyStore.getInstance("PKCS12"); + pkcs12Keystore.load(null, null); + + Enumeration aliasesKey = jksKeystore.aliases(); 
+ while (aliasesKey.hasMoreElements()) { + String alias = aliasesKey.nextElement(); + if (jksKeystore.isKeyEntry(alias)) { + char[] keyPassword = passwd.toCharArray(); + Key key = jksKeystore.getKey(alias, keyPassword); + Certificate[] chain = jksKeystore.getCertificateChain(alias); + pkcs12Keystore.setKeyEntry(alias, key, passwd.toCharArray(), chain); + } else if (jksKeystore.isCertificateEntry(alias)) { + Certificate cert = jksKeystore.getCertificate(alias); + pkcs12Keystore.setCertificateEntry(alias, cert); + } + } + + try (FileOutputStream fos = new FileOutputStream(p12keyFilename)) { + pkcs12Keystore.store(fos, passwd.toCharArray()); + } + System.out.println("JKS keystore converted to PKCS12 successfully."); + } catch (Exception e) { + e.printStackTrace(); + } + return p12keyFilename; + } + }
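Review bot: `isFIPS()` and `getFipsProfile()` print to stdout on every call, which will flood logs for tests that call them repeatedly; the values are already captured in the `isFIPS`/`FIPS_PROFILE` constants, so drop the prints and rename the field (e.g. `FIPS_PROPERTY`) so it no longer shares a name with the method. `revertJKSToPKCS12` swallows every exception and still returns the `.p12` path, so a failed conversion surfaces later as a missing-keystore error; replace `e.printStackTrace();` with `throw new RuntimeException("JKS to PKCS12 conversion failed for " + keyFilename, e);`. It also writes the `.p12` beside the source keystore, typically under `test.src`; write into the working directory instead, `String p12keyFilename = new File(System.getProperty("user.dir"), new File(keyFilename).getName() + ".p12").getPath();` (`java.io.File` is already imported), and add a Javadoc line stating that the returned store is protected with the same password as the input.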