Update TLS tests to be run in FIPS 140-3 mode

closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java

@@ -1674,7 +1674,9 @@ private void checkHashValues() {
                     printStackTraceAndExit("Incorrect definition of hash value for " + profileID);
                 }
 
+                System.out.println("checkHashValues->hashInfo[0] is: " + hashInfo[0]);
                 String digestAlgo = hashInfo[0].trim();
+                System.out.println("checkHashValues->digestAlgo is: " + digestAlgo);
                 String expectedHash = hashInfo[1].trim();
                 try {
                     MessageDigest md = MessageDigest.getInstance(digestAlgo);

test/jdk/javax/net/ssl/DTLS/CipherSuite.java

@@ -55,6 +55,9 @@
 import java.util.Arrays;
 import java.util.List;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test common DTLS cipher suites.
  */
@@ -65,15 +68,41 @@ public class CipherSuite extends DTLSOverDatagram {
     private static boolean reenable;
 
     public static void main(String[] args) throws Exception {
-        if (args.length > 1 && "re-enable".equals(args[1])) {
+        if (args.length > 1 && "re-enable".equals(args[1]) 
+        && !(SecurityUtils.isFIPS())) {
             Security.setProperty("jdk.tls.disabledAlgorithms", "");
             reenable = true;
         }
 
         cipherSuite = args[0];
 
         CipherSuite testCase = new CipherSuite();
-        testCase.runTest(testCase);
+        try {
+            testCase.runTest(testCase);
+        } catch (javax.net.ssl.SSLHandshakeException sslhe) {
+            if (SecurityUtils.isFIPS()) {
+                if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) {
+                    if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
+                        System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
+                        return;
+                    } else {
+                        System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
+                        return;
+                    }
+                } else {
+                    System.out.println("Unexpected exception is caught");
+                    sslhe.printStackTrace();
+                    return;
+                }
+            } else {
+                System.out.println("Unexpected exception is caught in Non-FIPS mode");
+                sslhe.printStackTrace();
+                return;
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+            return;
+        }
     }
 
     @Override

test/jdk/javax/net/ssl/DTLS/DTLSNamedGroups.java

@@ -38,6 +38,9 @@
 import javax.net.ssl.SSLParameters;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test DTLS client authentication.
  */
@@ -73,7 +76,9 @@ SSLEngine createSSLEngine(boolean isClient) throws Exception {
     }
 
     public static void main(String[] args) throws Exception {
-        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        if (!(SecurityUtils.isFIPS())) {
+                Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        }
 
         runTest(new String[] {
                         "x25519",

test/jdk/javax/net/ssl/DTLS/DTLSSignatureSchemes.java

@@ -38,6 +38,9 @@
 import javax.net.ssl.SSLParameters;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test DTLS client authentication.
  */
@@ -67,7 +70,9 @@ SSLEngine createSSLEngine(boolean isClient) throws Exception {
     }
 
     public static void main(String[] args) throws Exception {
-        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        if (!(SecurityUtils.isFIPS())) {
+                Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        }
 
         runTest(new String[] {
                         "ecdsa_secp256r1_sha256",

test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java

@@ -32,6 +32,9 @@
 import java.util.List;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /*
  * @test
  * @bug 8301381
@@ -51,7 +54,9 @@ public class DTLSWontNegotiateV10 {
     private static final int READ_TIMEOUT_SECS = Integer.getInteger("readtimeout", 30);
 
     public static void main(String[] args) throws Exception {
-        if (args[0].equals(DTLSV_1_0)) {
+
+        if (args[0].equals(DTLSV_1_0) 
+        && !(SecurityUtils.isFIPS())) {
             SecurityUtils.removeFromDisabledTlsAlgs(DTLSV_1_0);
         }
 
@@ -74,6 +79,26 @@ public static void main(String[] args) throws Exception {
                     break;
                 } catch (SocketTimeoutException exc) {
                     System.out.println("The server timed-out waiting for packets from the client.");
+                } catch (javax.net.ssl.SSLHandshakeException sslhe) {
+                    if (SecurityUtils.isFIPS()) {
+                        if(!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) {
+                            if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
+                                System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
+                                return;
+                            } else {
+                                System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
+                                return;
+                            }
+                        } else {
+                            System.out.println("Unexpected exception is caught");
+                            sslhe.printStackTrace();
+                            return;
+                        }
+                    } else {
+                        System.out.println("Unexpected exception is caught in Non-FIPS mode");
+                        sslhe.printStackTrace();
+                        return;
+                    }
                 }
             }
             if (tries == totalAttempts) {

test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java

@@ -41,6 +41,9 @@
 import javax.net.ssl.SSLEngine;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test common DTLS weak cipher suites.
  */
@@ -52,13 +55,40 @@ public class WeakCipherSuite extends DTLSOverDatagram {
     public static void main(String[] args) throws Exception {
         // reset security properties to make sure that the algorithms
         // and keys used in this test are not disabled.
-        Security.setProperty("jdk.tls.disabledAlgorithms", "");
-        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+        if (!(SecurityUtils.isFIPS())) {
+            Security.setProperty("jdk.tls.disabledAlgorithms", "");
+            Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+        }
 
         cipherSuite = args[0];
 
         WeakCipherSuite testCase = new WeakCipherSuite();
-        testCase.runTest(testCase);
+        try {
+            testCase.runTest(testCase);
+        } catch (javax.net.ssl.SSLHandshakeException sslhe) {
+            if (SecurityUtils.isFIPS()) {
+                if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) {
+                    if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
+                        System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
+                        return;
+                    } else {
+                        System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
+                        return;
+                    }
+                } else {
+                    System.out.println("Unexpected exception is caught");
+                    sslhe.printStackTrace();
+                    return;
+                }
+            } else {
+                System.out.println("Unexpected exception is caught in Non-FIPS mode");
+                sslhe.printStackTrace();
+                return;
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+            return;
+        }
     }
 
     @Override

test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java

@@ -292,4 +292,4 @@ public void run() {
             doClientSide();
         }
     }
-}
+}

test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java

@@ -31,6 +31,7 @@
  * @bug 6668231
  * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to
  *          fail trusted checks
+ * @library /test/lib
  * @run main/othervm CriticalSubjectAltName
  * @author Xuelei Fan
  */
@@ -53,6 +54,9 @@
 import java.security.Security;
 import java.security.cert.Certificate;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 public class CriticalSubjectAltName implements HostnameVerifier {
     /*
      * =============================================================
@@ -160,10 +164,12 @@ void doClientSide() throws Exception {
 
     public static void main(String[] args) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty("jdk.certpath.disabledAlgorithms",
-                "MD2, RSA keySize < 1024");
-        Security.setProperty("jdk.tls.disabledAlgorithms",
-                "SSLv3, RC4, DH keySize < 768");
+        if (!(SecurityUtils.isFIPS())) {
+            Security.setProperty("jdk.certpath.disabledAlgorithms",
+                    "MD2, RSA keySize < 1024");
+            Security.setProperty("jdk.tls.disabledAlgorithms",
+                    "SSLv3, RC4, DH keySize < 768");
+        }
 
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
@@ -172,6 +178,11 @@ public static void main(String[] args) throws Exception {
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + trustStoreFile;
 
+        if (SecurityUtils.isFIPS()) {
+            keyFilename = SecurityUtils.revertJKSToPKCS12(keyFilename, passwd);
+            trustFilename = SecurityUtils.revertJKSToPKCS12(trustFilename, passwd);
+        }
+
         System.setProperty("javax.net.ssl.keyStore", keyFilename);
         System.setProperty("javax.net.ssl.keyStorePassword", passwd);
         System.setProperty("javax.net.ssl.trustStore", trustFilename);
@@ -183,7 +194,29 @@ public static void main(String[] args) throws Exception {
         /*
          * Start the tests.
          */
-        new CriticalSubjectAltName();
+        try {
+            new CriticalSubjectAltName();
+        } catch (Exception e) {
+            if (SecurityUtils.isFIPS()) {
+                if (e instanceof java.security.cert.CertPathValidatorException) {
+                    if ("Algorithm constraints check failed on signature algorithm: MD5withRSA".equals(e.getMessage())) {
+                        System.out.println("MD5withRSA is not a supported signature algorithm.");
+                        return;
+                    } else {
+                        System.out.println("Unexpected exception msg: <" + e.getMessage() + "> is caught");
+                        return;
+                    }
+                } else {
+                    System.out.println("Unexpected exception is caught");
+                    e.printStackTrace();
+                    return;
+                }
+            } else {
+                System.out.println("Unexpected exception is caught in Non-FIPS mode");
+                e.printStackTrace();
+                return;
+            }
+        }
     }
 
     Thread clientThread = null;