Skip to content

RH2134669: Add missing attributes when registering services in FIPS mode. #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 11 commits into
base: fips
Choose a base branch
from
Draft

RH2134669: Add missing attributes when registering services in FIPS mode. #8

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
a6e533a
RH1995150 - Disable non-FIPS crypto in SUN and SunEC security providers
martinuy Jun 6, 2022
6afe961
RH2052070 - Enable AlgorithmParameters and AlgorithmParameterGenerato…
martinuy Sep 19, 2022
ff26db7
Backport JDK-6676643: Improve current C_GetAttributeValue native impl…
franferrax Oct 24, 2022
46ffa10
RH2023467: Enable FIPS keys export
franferrax May 12, 2022
1c68a80
RH2104724: Avoid import/export of DH private keys
franferrax Aug 11, 2022
833d9b3
Adjust code between 17u and 11u
franferrax Oct 11, 2022
c9c517a
Adjust code for 11u missing JDK-8023980: JCE doesn't provide any clas…
franferrax Oct 11, 2022
0cb2359
Import required enum and remove unused variables
franferrax Oct 24, 2022
f260c02
RH2134669: Add missing attributes when registering services in FIPS m…
martinuy Oct 19, 2022
fb658ee
VerifyMissingAttributes test added.
martinuy Oct 25, 2022
b12bd91
VerifyMissingAttributes test: use the String filter getProviders() AP…
martinuy Nov 3, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
741 changes: 376 additions & 365 deletions src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
View file
Open in desktop

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions src/java.base/share/classes/module-info.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -183,6 +183,7 @@
java.sql,
java.xml,
jdk.crypto.cryptoki,
jdk.crypto.ec,
jdk.jartool,
jdk.attach,
jdk.charsets,
Expand Down
220 changes: 116 additions & 104 deletions src/java.base/share/classes/sun/security/provider/SunEntries.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
import java.util.*;
import java.security.*;

import jdk.internal.misc.SharedSecrets;
import jdk.internal.util.StaticProperty;
import sun.security.action.GetPropertyAction;

Expand Down Expand Up @@ -77,6 +78,10 @@

public final class SunEntries {

private static final boolean systemFipsEnabled =
SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
.isSystemFipsEnabled();

// the default algo used by SecureRandom class for new SecureRandom() calls
public static final String DEF_SECURE_RANDOM_ALGO;

Expand All @@ -100,71 +105,76 @@ public static List<String> createAliasesWithOid(String ... oids) {
// common attribute map
HashMap<String, String> attrs = new HashMap<>(3);

/*
* SecureRandom engines
*/
attrs.put("ThreadSafe", "true");
if (NativePRNG.isAvailable()) {
add(p, "SecureRandom", "NativePRNG",
"sun.security.provider.NativePRNG",
null, attrs);
}
if (NativePRNG.Blocking.isAvailable()) {
add(p, "SecureRandom", "NativePRNGBlocking",
"sun.security.provider.NativePRNG$Blocking", null, attrs);
}
if (NativePRNG.NonBlocking.isAvailable()) {
add(p, "SecureRandom", "NativePRNGNonBlocking",
"sun.security.provider.NativePRNG$NonBlocking", null, attrs);
}
attrs.put("ImplementedIn", "Software");
add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG",
null, attrs);
add(p, "SecureRandom", "SHA1PRNG",
"sun.security.provider.SecureRandom", null, attrs);

/*
* Signature engines
*/
attrs.clear();
String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
"|java.security.interfaces.DSAPrivateKey";
attrs.put("SupportedKeyClasses", dsaKeyClasses);
attrs.put("ImplementedIn", "Software");

attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures

add(p, "Signature", "SHA1withDSA",
"sun.security.provider.DSA$SHA1withDSA",
createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS",
"SHA/DSA", "SHA-1/DSA", "SHA1/DSA", "SHAwithDSA",
"DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), attrs);
add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA",
createAliases("RawDSA"), attrs);

attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures

add(p, "Signature", "SHA224withDSA",
"sun.security.provider.DSA$SHA224withDSA",
createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs);
add(p, "Signature", "SHA256withDSA",
"sun.security.provider.DSA$SHA256withDSA",
createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs);
String dsaOid = "1.2.840.10040.4.1";
List<String> dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12");

attrs.remove("KeySize");
if (!systemFipsEnabled) {
/*
* SecureRandom engines
*/
attrs.put("ThreadSafe", "true");
if (NativePRNG.isAvailable()) {
add(p, "SecureRandom", "NativePRNG",
"sun.security.provider.NativePRNG",
null, attrs);
}
if (NativePRNG.Blocking.isAvailable()) {
add(p, "SecureRandom", "NativePRNGBlocking",
"sun.security.provider.NativePRNG$Blocking", null, attrs);
}
if (NativePRNG.NonBlocking.isAvailable()) {
add(p, "SecureRandom", "NativePRNGNonBlocking",
"sun.security.provider.NativePRNG$NonBlocking", null, attrs);
}
attrs.put("ImplementedIn", "Software");
add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG",
null, attrs);
add(p, "SecureRandom", "SHA1PRNG",
"sun.security.provider.SecureRandom", null, attrs);

add(p, "Signature", "SHA1withDSAinP1363Format",
"sun.security.provider.DSA$SHA1withDSAinP1363Format",
null, null);
add(p, "Signature", "NONEwithDSAinP1363Format",
"sun.security.provider.DSA$RawDSAinP1363Format",
null, null);
add(p, "Signature", "SHA224withDSAinP1363Format",
"sun.security.provider.DSA$SHA224withDSAinP1363Format",
null, null);
add(p, "Signature", "SHA256withDSAinP1363Format",
"sun.security.provider.DSA$SHA256withDSAinP1363Format",
null, null);
/*
* Signature engines
*/
attrs.clear();
String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
"|java.security.interfaces.DSAPrivateKey";
attrs.put("SupportedKeyClasses", dsaKeyClasses);
attrs.put("ImplementedIn", "Software");

attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures

add(p, "Signature", "SHA1withDSA",
"sun.security.provider.DSA$SHA1withDSA",
createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS",
"SHA/DSA", "SHA-1/DSA", "SHA1/DSA", "SHAwithDSA",
"DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), attrs);
add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA",
createAliases("RawDSA"), attrs);

attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures

add(p, "Signature", "SHA224withDSA",
"sun.security.provider.DSA$SHA224withDSA",
createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs);
add(p, "Signature", "SHA256withDSA",
"sun.security.provider.DSA$SHA256withDSA",
createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs);

attrs.remove("KeySize");

add(p, "Signature", "SHA1withDSAinP1363Format",
"sun.security.provider.DSA$SHA1withDSAinP1363Format",
null, null);
add(p, "Signature", "NONEwithDSAinP1363Format",
"sun.security.provider.DSA$RawDSAinP1363Format",
null, null);
add(p, "Signature", "SHA224withDSAinP1363Format",
"sun.security.provider.DSA$SHA224withDSAinP1363Format",
null, null);
add(p, "Signature", "SHA256withDSAinP1363Format",
"sun.security.provider.DSA$SHA256withDSAinP1363Format",
null, null);
}

/*
* Key Pair Generator engines
Expand All @@ -173,11 +183,11 @@ public static List<String> createAliasesWithOid(String ... oids) {
attrs.put("ImplementedIn", "Software");
attrs.put("KeySize", "2048"); // for DSA KPG and APG only

String dsaOid = "1.2.840.10040.4.1";
List<String> dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12");
String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs);
if (!systemFipsEnabled) {
String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs);
}

/*
* Algorithm Parameter Generator engines
Expand All @@ -193,43 +203,45 @@ public static List<String> createAliasesWithOid(String ... oids) {
add(p, "AlgorithmParameters", "DSA",
"sun.security.provider.DSAParameters", dsaAliases, attrs);

/*
* Key factories
*/
add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory",
dsaAliases, attrs);
if (!systemFipsEnabled) {
/*
* Key factories
*/
add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory",
dsaAliases, attrs);

/*
* Digest engines
*/
add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs);
add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs);
add(p, "MessageDigest", "SHA", "sun.security.provider.SHA",
createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs);

String sha2BaseOid = "2.16.840.1.101.3.4.2";
add(p, "MessageDigest", "SHA-224", "sun.security.provider.SHA2$SHA224",
createAliasesWithOid(sha2BaseOid + ".4"), attrs);
add(p, "MessageDigest", "SHA-256", "sun.security.provider.SHA2$SHA256",
createAliasesWithOid(sha2BaseOid + ".1"), attrs);
add(p, "MessageDigest", "SHA-384", "sun.security.provider.SHA5$SHA384",
createAliasesWithOid(sha2BaseOid + ".2"), attrs);
add(p, "MessageDigest", "SHA-512", "sun.security.provider.SHA5$SHA512",
createAliasesWithOid(sha2BaseOid + ".3"), attrs);
add(p, "MessageDigest", "SHA-512/224",
"sun.security.provider.SHA5$SHA512_224",
createAliasesWithOid(sha2BaseOid + ".5"), attrs);
add(p, "MessageDigest", "SHA-512/256",
"sun.security.provider.SHA5$SHA512_256",
createAliasesWithOid(sha2BaseOid + ".6"), attrs);
add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224",
createAliasesWithOid(sha2BaseOid + ".7"), attrs);
add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256",
createAliasesWithOid(sha2BaseOid + ".8"), attrs);
add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384",
createAliasesWithOid(sha2BaseOid + ".9"), attrs);
add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512",
createAliasesWithOid(sha2BaseOid + ".10"), attrs);
/*
* Digest engines
*/
add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs);
add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs);
add(p, "MessageDigest", "SHA", "sun.security.provider.SHA",
createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs);

String sha2BaseOid = "2.16.840.1.101.3.4.2";
add(p, "MessageDigest", "SHA-224", "sun.security.provider.SHA2$SHA224",
createAliasesWithOid(sha2BaseOid + ".4"), attrs);
add(p, "MessageDigest", "SHA-256", "sun.security.provider.SHA2$SHA256",
createAliasesWithOid(sha2BaseOid + ".1"), attrs);
add(p, "MessageDigest", "SHA-384", "sun.security.provider.SHA5$SHA384",
createAliasesWithOid(sha2BaseOid + ".2"), attrs);
add(p, "MessageDigest", "SHA-512", "sun.security.provider.SHA5$SHA512",
createAliasesWithOid(sha2BaseOid + ".3"), attrs);
add(p, "MessageDigest", "SHA-512/224",
"sun.security.provider.SHA5$SHA512_224",
createAliasesWithOid(sha2BaseOid + ".5"), attrs);
add(p, "MessageDigest", "SHA-512/256",
"sun.security.provider.SHA5$SHA512_256",
createAliasesWithOid(sha2BaseOid + ".6"), attrs);
add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224",
createAliasesWithOid(sha2BaseOid + ".7"), attrs);
add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256",
createAliasesWithOid(sha2BaseOid + ".8"), attrs);
add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384",
createAliasesWithOid(sha2BaseOid + ".9"), attrs);
add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512",
createAliasesWithOid(sha2BaseOid + ".10"), attrs);
}

/*
* Certificates
Expand Down
84 changes: 48 additions & 36 deletions src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@

import java.util.*;
import java.security.Provider;
import jdk.internal.misc.SharedSecrets;
import static sun.security.provider.SunEntries.createAliasesWithOid;

/**
Expand All @@ -36,6 +37,10 @@
*/
public final class SunRsaSignEntries {

private static final boolean systemFipsEnabled =
SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
.isSystemFipsEnabled();

private void add(Provider p, String type, String algo, String cn,
List<String> aliases, HashMap<String, String> attrs) {
services.add(new Provider.Service(p, type, algo, cn, aliases, attrs));
Expand Down Expand Up @@ -63,46 +68,53 @@ public SunRsaSignEntries(Provider p) {
add(p, "KeyFactory", "RSA",
"sun.security.rsa.RSAKeyFactory$Legacy",
rsaAliases, null);
add(p, "KeyPairGenerator", "RSA",
"sun.security.rsa.RSAKeyPairGenerator$Legacy",
rsaAliases, null);
add(p, "Signature", "MD2withRSA",
"sun.security.rsa.RSASignature$MD2withRSA",
createAliasesWithOid(rsaOid + ".2"), attrs);
add(p, "Signature", "MD5withRSA",
"sun.security.rsa.RSASignature$MD5withRSA",
createAliasesWithOid(rsaOid + ".4"), attrs);
add(p, "Signature", "SHA1withRSA",
"sun.security.rsa.RSASignature$SHA1withRSA",
createAliasesWithOid(rsaOid + ".5", sha1withRSAOid2), attrs);
add(p, "Signature", "SHA224withRSA",
"sun.security.rsa.RSASignature$SHA224withRSA",
createAliasesWithOid(rsaOid + ".14"), attrs);
add(p, "Signature", "SHA256withRSA",
"sun.security.rsa.RSASignature$SHA256withRSA",
createAliasesWithOid(rsaOid + ".11"), attrs);
add(p, "Signature", "SHA384withRSA",
"sun.security.rsa.RSASignature$SHA384withRSA",
createAliasesWithOid(rsaOid + ".12"), attrs);
add(p, "Signature", "SHA512withRSA",
"sun.security.rsa.RSASignature$SHA512withRSA",
createAliasesWithOid(rsaOid + ".13"), attrs);
add(p, "Signature", "SHA512/224withRSA",
"sun.security.rsa.RSASignature$SHA512_224withRSA",
createAliasesWithOid(rsaOid + ".15"), attrs);
add(p, "Signature", "SHA512/256withRSA",
"sun.security.rsa.RSASignature$SHA512_256withRSA",
createAliasesWithOid(rsaOid + ".16"), attrs);

if (!systemFipsEnabled) {
add(p, "KeyPairGenerator", "RSA",
"sun.security.rsa.RSAKeyPairGenerator$Legacy",
rsaAliases, null);
add(p, "Signature", "MD2withRSA",
"sun.security.rsa.RSASignature$MD2withRSA",
createAliasesWithOid(rsaOid + ".2"), attrs);
add(p, "Signature", "MD5withRSA",
"sun.security.rsa.RSASignature$MD5withRSA",
createAliasesWithOid(rsaOid + ".4"), attrs);
add(p, "Signature", "SHA1withRSA",
"sun.security.rsa.RSASignature$SHA1withRSA",
createAliasesWithOid(rsaOid + ".5", sha1withRSAOid2), attrs);
add(p, "Signature", "SHA224withRSA",
"sun.security.rsa.RSASignature$SHA224withRSA",
createAliasesWithOid(rsaOid + ".14"), attrs);
add(p, "Signature", "SHA256withRSA",
"sun.security.rsa.RSASignature$SHA256withRSA",
createAliasesWithOid(rsaOid + ".11"), attrs);
add(p, "Signature", "SHA384withRSA",
"sun.security.rsa.RSASignature$SHA384withRSA",
createAliasesWithOid(rsaOid + ".12"), attrs);
add(p, "Signature", "SHA512withRSA",
"sun.security.rsa.RSASignature$SHA512withRSA",
createAliasesWithOid(rsaOid + ".13"), attrs);
add(p, "Signature", "SHA512/224withRSA",
"sun.security.rsa.RSASignature$SHA512_224withRSA",
createAliasesWithOid(rsaOid + ".15"), attrs);
add(p, "Signature", "SHA512/256withRSA",
"sun.security.rsa.RSASignature$SHA512_256withRSA",
createAliasesWithOid(rsaOid + ".16"), attrs);
}

add(p, "KeyFactory", "RSASSA-PSS",
"sun.security.rsa.RSAKeyFactory$PSS",
rsapssAliases, null);
add(p, "KeyPairGenerator", "RSASSA-PSS",
"sun.security.rsa.RSAKeyPairGenerator$PSS",
rsapssAliases, null);
add(p, "Signature", "RSASSA-PSS",
"sun.security.rsa.RSAPSSSignature",
rsapssAliases, attrs);

if (!systemFipsEnabled) {
add(p, "KeyPairGenerator", "RSASSA-PSS",
"sun.security.rsa.RSAKeyPairGenerator$PSS",
rsapssAliases, null);
add(p, "Signature", "RSASSA-PSS",
"sun.security.rsa.RSAPSSSignature",
rsapssAliases, attrs);
}

add(p, "AlgorithmParameters", "RSASSA-PSS",
"sun.security.rsa.PSSParameters",
rsapssAliases, null);
Expand Down
2 changes: 2 additions & 0 deletions src/java.base/share/conf/security/java.security
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,8 @@ fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
fips.provider.2=SUN
fips.provider.3=SunEC
fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
fips.provider.5=SunJCE
fips.provider.6=SunRsaSign

#
# A list of preferred providers for specific algorithms. These providers will
Expand Down
1 change: 1 addition & 0 deletions src/java.base/share/lib/security/default.policy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,7 @@ grant codeBase "jrt:/jdk.charsets" {
grant codeBase "jrt:/jdk.crypto.ec" {
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*";
permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
permission java.lang.RuntimePermission "loadLibrary.sunec";
permission java.security.SecurityPermission "putProviderProperty.SunEC";
permission java.security.SecurityPermission "clearProviderProperties.SunEC";
Expand Down
Loading