Closed
741 changes: 376 additions & 365 deletions src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions src/java.base/share/classes/module-info.java
Expand Up @@ -183,6 +183,7 @@
java.sql,
java.xml,
jdk.crypto.cryptoki,
jdk.crypto.ec,
jdk.jartool,
jdk.attach,
jdk.charsets,
230 changes: 120 additions & 110 deletions src/java.base/share/classes/sun/security/provider/SunEntries.java
Expand Up @@ -30,6 +30,7 @@
import java.util.*;
import java.security.*;

import jdk.internal.misc.SharedSecrets;
import jdk.internal.util.StaticProperty;
import sun.security.action.GetPropertyAction;

Expand Down Expand Up @@ -77,6 +78,10 @@

public final class SunEntries {

private static final boolean systemFipsEnabled =
SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
.isSystemFipsEnabled();

// the default algo used by SecureRandom class for new SecureRandom() calls
public static final String DEF_SECURE_RANDOM_ALGO;

Expand All @@ -100,84 +105,87 @@ public static List<String> createAliasesWithOid(String ... oids) {
// common attribute map
HashMap<String, String> attrs = new HashMap<>(3);

/*
* SecureRandom engines
*/
attrs.put("ThreadSafe", "true");
if (NativePRNG.isAvailable()) {
add(p, "SecureRandom", "NativePRNG",
"sun.security.provider.NativePRNG",
null, attrs);
}
if (NativePRNG.Blocking.isAvailable()) {
add(p, "SecureRandom", "NativePRNGBlocking",
"sun.security.provider.NativePRNG$Blocking", null, attrs);
}
if (NativePRNG.NonBlocking.isAvailable()) {
add(p, "SecureRandom", "NativePRNGNonBlocking",
"sun.security.provider.NativePRNG$NonBlocking", null, attrs);
}
attrs.put("ImplementedIn", "Software");
add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG",
null, attrs);
add(p, "SecureRandom", "SHA1PRNG",
"sun.security.provider.SecureRandom", null, attrs);

/*
* Signature engines
*/
attrs.clear();
String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
"|java.security.interfaces.DSAPrivateKey";
attrs.put("SupportedKeyClasses", dsaKeyClasses);
attrs.put("ImplementedIn", "Software");

attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures

add(p, "Signature", "SHA1withDSA",
"sun.security.provider.DSA$SHA1withDSA",
createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS",
"SHA/DSA", "SHA-1/DSA", "SHA1/DSA", "SHAwithDSA",
"DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), attrs);
add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA",
createAliases("RawDSA"), attrs);

attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures

add(p, "Signature", "SHA224withDSA",
"sun.security.provider.DSA$SHA224withDSA",
createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs);
add(p, "Signature", "SHA256withDSA",
"sun.security.provider.DSA$SHA256withDSA",
createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs);
String dsaOid = "1.2.840.10040.4.1";
List<String> dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12");

attrs.remove("KeySize");
if (!systemFipsEnabled) {
/*
* SecureRandom engines
*/
attrs.put("ThreadSafe", "true");
if (NativePRNG.isAvailable()) {
add(p, "SecureRandom", "NativePRNG",
"sun.security.provider.NativePRNG",
null, attrs);
}
if (NativePRNG.Blocking.isAvailable()) {
add(p, "SecureRandom", "NativePRNGBlocking",
"sun.security.provider.NativePRNG$Blocking", null, attrs);
}
if (NativePRNG.NonBlocking.isAvailable()) {
add(p, "SecureRandom", "NativePRNGNonBlocking",
"sun.security.provider.NativePRNG$NonBlocking", null, attrs);
}
attrs.put("ImplementedIn", "Software");
add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG",
null, attrs);
add(p, "SecureRandom", "SHA1PRNG",
"sun.security.provider.SecureRandom", null, attrs);

add(p, "Signature", "SHA1withDSAinP1363Format",
"sun.security.provider.DSA$SHA1withDSAinP1363Format",
null, null);
add(p, "Signature", "NONEwithDSAinP1363Format",
"sun.security.provider.DSA$RawDSAinP1363Format",
null, null);
add(p, "Signature", "SHA224withDSAinP1363Format",
"sun.security.provider.DSA$SHA224withDSAinP1363Format",
null, null);
add(p, "Signature", "SHA256withDSAinP1363Format",
"sun.security.provider.DSA$SHA256withDSAinP1363Format",
null, null);
/*
* Signature engines
*/
attrs.clear();
String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
"|java.security.interfaces.DSAPrivateKey";
attrs.put("SupportedKeyClasses", dsaKeyClasses);
attrs.put("ImplementedIn", "Software");

attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures

add(p, "Signature", "SHA1withDSA",
"sun.security.provider.DSA$SHA1withDSA",
createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS",
"SHA/DSA", "SHA-1/DSA", "SHA1/DSA", "SHAwithDSA",
"DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), attrs);
add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA",
createAliases("RawDSA"), attrs);

attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures

add(p, "Signature", "SHA224withDSA",
"sun.security.provider.DSA$SHA224withDSA",
createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs);
add(p, "Signature", "SHA256withDSA",
"sun.security.provider.DSA$SHA256withDSA",
createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs);

attrs.remove("KeySize");

add(p, "Signature", "SHA1withDSAinP1363Format",
"sun.security.provider.DSA$SHA1withDSAinP1363Format",
null, null);
add(p, "Signature", "NONEwithDSAinP1363Format",
"sun.security.provider.DSA$RawDSAinP1363Format",
null, null);
add(p, "Signature", "SHA224withDSAinP1363Format",
"sun.security.provider.DSA$SHA224withDSAinP1363Format",
null, null);
add(p, "Signature", "SHA256withDSAinP1363Format",
"sun.security.provider.DSA$SHA256withDSAinP1363Format",
null, null);

/*
* Key Pair Generator engines
*/
attrs.clear();
attrs.put("ImplementedIn", "Software");
attrs.put("KeySize", "2048"); // for DSA KPG and APG only
/*
* Key Pair Generator engines
*/
attrs.clear();
attrs.put("ImplementedIn", "Software");
attrs.put("KeySize", "2048"); // for DSA KPG and APG only

String dsaOid = "1.2.840.10040.4.1";
List<String> dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12");
String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs);
String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs);
}

/*
* Algorithm Parameter Generator engines
Expand All @@ -193,43 +201,45 @@ public static List<String> createAliasesWithOid(String ... oids) {
add(p, "AlgorithmParameters", "DSA",
"sun.security.provider.DSAParameters", dsaAliases, attrs);

/*
* Key factories
*/
add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory",
dsaAliases, attrs);
if (!systemFipsEnabled) {
/*
* Key factories
*/
add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory",
dsaAliases, attrs);

/*
* Digest engines
*/
add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs);
add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs);
add(p, "MessageDigest", "SHA", "sun.security.provider.SHA",
createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs);

String sha2BaseOid = "2.16.840.1.101.3.4.2";
add(p, "MessageDigest", "SHA-224", "sun.security.provider.SHA2$SHA224",
createAliasesWithOid(sha2BaseOid + ".4"), attrs);
add(p, "MessageDigest", "SHA-256", "sun.security.provider.SHA2$SHA256",
createAliasesWithOid(sha2BaseOid + ".1"), attrs);
add(p, "MessageDigest", "SHA-384", "sun.security.provider.SHA5$SHA384",
createAliasesWithOid(sha2BaseOid + ".2"), attrs);
add(p, "MessageDigest", "SHA-512", "sun.security.provider.SHA5$SHA512",
createAliasesWithOid(sha2BaseOid + ".3"), attrs);
add(p, "MessageDigest", "SHA-512/224",
"sun.security.provider.SHA5$SHA512_224",
createAliasesWithOid(sha2BaseOid + ".5"), attrs);
add(p, "MessageDigest", "SHA-512/256",
"sun.security.provider.SHA5$SHA512_256",
createAliasesWithOid(sha2BaseOid + ".6"), attrs);
add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224",
createAliasesWithOid(sha2BaseOid + ".7"), attrs);
add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256",
createAliasesWithOid(sha2BaseOid + ".8"), attrs);
add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384",
createAliasesWithOid(sha2BaseOid + ".9"), attrs);
add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512",
createAliasesWithOid(sha2BaseOid + ".10"), attrs);
/*
* Digest engines
*/
add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs);
add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs);
add(p, "MessageDigest", "SHA", "sun.security.provider.SHA",
createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs);

String sha2BaseOid = "2.16.840.1.101.3.4.2";
add(p, "MessageDigest", "SHA-224", "sun.security.provider.SHA2$SHA224",
createAliasesWithOid(sha2BaseOid + ".4"), attrs);
add(p, "MessageDigest", "SHA-256", "sun.security.provider.SHA2$SHA256",
createAliasesWithOid(sha2BaseOid + ".1"), attrs);
add(p, "MessageDigest", "SHA-384", "sun.security.provider.SHA5$SHA384",
createAliasesWithOid(sha2BaseOid + ".2"), attrs);
add(p, "MessageDigest", "SHA-512", "sun.security.provider.SHA5$SHA512",
createAliasesWithOid(sha2BaseOid + ".3"), attrs);
add(p, "MessageDigest", "SHA-512/224",
"sun.security.provider.SHA5$SHA512_224",
createAliasesWithOid(sha2BaseOid + ".5"), attrs);
add(p, "MessageDigest", "SHA-512/256",
"sun.security.provider.SHA5$SHA512_256",
createAliasesWithOid(sha2BaseOid + ".6"), attrs);
add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224",
createAliasesWithOid(sha2BaseOid + ".7"), attrs);
add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256",
createAliasesWithOid(sha2BaseOid + ".8"), attrs);
add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384",
createAliasesWithOid(sha2BaseOid + ".9"), attrs);
add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512",
createAliasesWithOid(sha2BaseOid + ".10"), attrs);
}

/*
* Certificates
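Review bot: With `systemFipsEnabled` true, `attrs` is still the empty map when it reaches `add(p, "AlgorithmParameters", "DSA", ...)`, because every visible `attrs.put("ImplementedIn", "Software")` now sits inside the `if (!systemFipsEnabled)` block that closes just before the Algorithm Parameter Generator comment. Unless the collapsed lines between the two hunks repopulate the map, the DSA parameter services that stay registered in FIPS mode would lose the `ImplementedIn` (and possibly `KeySize`) attributes they carry otherwise. Setting the attributes outside the guard, e.g. `attrs.clear(); attrs.put("ImplementedIn", "Software");` directly after the closing brace of the first block, would keep the two modes consistent. A one-line comment on the `systemFipsEnabled` field listing which service types remain registered in FIPS mode would also make this provider easier to audit. The enclosing method starts and ends outside the visible hunks.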
92 changes: 53 additions & 39 deletions src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
Expand Up @@ -27,6 +27,7 @@

import java.util.*;
import java.security.Provider;
import jdk.internal.misc.SharedSecrets;
import static sun.security.provider.SunEntries.createAliasesWithOid;

/**
Expand All @@ -36,6 +37,10 @@
*/
public final class SunRsaSignEntries {

private static final boolean systemFipsEnabled =
SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
.isSystemFipsEnabled();

private void add(Provider p, String type, String algo, String cn,
List<String> aliases, HashMap<String, String> attrs) {
services.add(new Provider.Service(p, type, algo, cn, aliases, attrs));
Expand All @@ -56,53 +61,62 @@ public SunRsaSignEntries(Provider p) {

// common attribute map
HashMap<String, String> attrs = new HashMap<>(3);
attrs.put("SupportedKeyClasses",
"java.security.interfaces.RSAPublicKey" +
"|java.security.interfaces.RSAPrivateKey");
if (!systemFipsEnabled) {
attrs.put("SupportedKeyClasses",
"java.security.interfaces.RSAPublicKey" +
"|java.security.interfaces.RSAPrivateKey");
}

add(p, "KeyFactory", "RSA",
"sun.security.rsa.RSAKeyFactory$Legacy",
rsaAliases, null);
add(p, "KeyPairGenerator", "RSA",
"sun.security.rsa.RSAKeyPairGenerator$Legacy",
rsaAliases, null);
add(p, "Signature", "MD2withRSA",
"sun.security.rsa.RSASignature$MD2withRSA",
createAliasesWithOid(rsaOid + ".2"), attrs);
add(p, "Signature", "MD5withRSA",
"sun.security.rsa.RSASignature$MD5withRSA",
createAliasesWithOid(rsaOid + ".4"), attrs);
add(p, "Signature", "SHA1withRSA",
"sun.security.rsa.RSASignature$SHA1withRSA",
createAliasesWithOid(rsaOid + ".5", sha1withRSAOid2), attrs);
add(p, "Signature", "SHA224withRSA",
"sun.security.rsa.RSASignature$SHA224withRSA",
createAliasesWithOid(rsaOid + ".14"), attrs);
add(p, "Signature", "SHA256withRSA",
"sun.security.rsa.RSASignature$SHA256withRSA",
createAliasesWithOid(rsaOid + ".11"), attrs);
add(p, "Signature", "SHA384withRSA",
"sun.security.rsa.RSASignature$SHA384withRSA",
createAliasesWithOid(rsaOid + ".12"), attrs);
add(p, "Signature", "SHA512withRSA",
"sun.security.rsa.RSASignature$SHA512withRSA",
createAliasesWithOid(rsaOid + ".13"), attrs);
add(p, "Signature", "SHA512/224withRSA",
"sun.security.rsa.RSASignature$SHA512_224withRSA",
createAliasesWithOid(rsaOid + ".15"), attrs);
add(p, "Signature", "SHA512/256withRSA",
"sun.security.rsa.RSASignature$SHA512_256withRSA",
createAliasesWithOid(rsaOid + ".16"), attrs);

if (!systemFipsEnabled) {
add(p, "KeyPairGenerator", "RSA",
"sun.security.rsa.RSAKeyPairGenerator$Legacy",
rsaAliases, null);
add(p, "Signature", "MD2withRSA",
"sun.security.rsa.RSASignature$MD2withRSA",
createAliasesWithOid(rsaOid + ".2"), attrs);
add(p, "Signature", "MD5withRSA",
"sun.security.rsa.RSASignature$MD5withRSA",
createAliasesWithOid(rsaOid + ".4"), attrs);
add(p, "Signature", "SHA1withRSA",
"sun.security.rsa.RSASignature$SHA1withRSA",
createAliasesWithOid(rsaOid + ".5", sha1withRSAOid2), attrs);
add(p, "Signature", "SHA224withRSA",
"sun.security.rsa.RSASignature$SHA224withRSA",
createAliasesWithOid(rsaOid + ".14"), attrs);
add(p, "Signature", "SHA256withRSA",
"sun.security.rsa.RSASignature$SHA256withRSA",
createAliasesWithOid(rsaOid + ".11"), attrs);
add(p, "Signature", "SHA384withRSA",
"sun.security.rsa.RSASignature$SHA384withRSA",
createAliasesWithOid(rsaOid + ".12"), attrs);
add(p, "Signature", "SHA512withRSA",
"sun.security.rsa.RSASignature$SHA512withRSA",
createAliasesWithOid(rsaOid + ".13"), attrs);
add(p, "Signature", "SHA512/224withRSA",
"sun.security.rsa.RSASignature$SHA512_224withRSA",
createAliasesWithOid(rsaOid + ".15"), attrs);
add(p, "Signature", "SHA512/256withRSA",
"sun.security.rsa.RSASignature$SHA512_256withRSA",
createAliasesWithOid(rsaOid + ".16"), attrs);
}

add(p, "KeyFactory", "RSASSA-PSS",
"sun.security.rsa.RSAKeyFactory$PSS",
rsapssAliases, null);
add(p, "KeyPairGenerator", "RSASSA-PSS",
"sun.security.rsa.RSAKeyPairGenerator$PSS",
rsapssAliases, null);
add(p, "Signature", "RSASSA-PSS",
"sun.security.rsa.RSAPSSSignature",
rsapssAliases, attrs);

if (!systemFipsEnabled) {
add(p, "KeyPairGenerator", "RSASSA-PSS",
"sun.security.rsa.RSAKeyPairGenerator$PSS",
rsapssAliases, null);
add(p, "Signature", "RSASSA-PSS",
"sun.security.rsa.RSAPSSSignature",
rsapssAliases, attrs);
}

add(p, "AlgorithmParameters", "RSASSA-PSS",
"sun.security.rsa.PSSParameters",
rsapssAliases, null);
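Review bot: The guard around `attrs.put("SupportedKeyClasses", ...)` looks redundant: in the lines shown, every `add` that passes `attrs` (the `Signature` entries) is itself inside an `if (!systemFipsEnabled)` block, so the map is never read in FIPS mode. Dropping that first conditional and stating the policy once would make the FIPS service set easier to audit than three separate conditionals, for example `// System FIPS mode: only KeyFactory and AlgorithmParameters are registered; KeyPairGenerator and Signature are omitted.` above the first guarded block. The constructor body continues outside the hunk, so any later use of `attrs` should be checked before removing the guard.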