From 6d1b21c539d388818dd122c845803375923ef095 Mon Sep 17 00:00:00 2001 From: JinhangZhang Date: Thu, 4 Apr 2024 13:49:12 -0400 Subject: [PATCH] Update TLS tests to be run in FIPS 140-3 mode. 
Signed-off-by: Jinhang Zhang --- .../jdk/ProblemList-FIPS140_3_OpenJcePlus.txt | 166 +-------- test/jdk/javax/net/ssl/DTLS/CipherSuite.java | 33 +- .../net/ssl/DTLS/DTLSWontNegotiateV10.java | 25 +- .../javax/net/ssl/DTLS/WeakCipherSuite.java | 36 +- .../javax/net/ssl/FIPSFlag/FIPSFlagTests.java | 40 ++ test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java | 87 +++++ .../ssl/FixingJavadocs/ImplicitHandshake.java | 7 + .../CriticalSubjectAltName.java | 42 ++- .../HttpsURLConnection/GetResponseCode.java | 8 + .../jdk/javax/net/ssl/SSLEngine/ArgCheck.java | 2 +- test/jdk/javax/net/ssl/SSLEngine/Arrays.java | 43 ++- test/jdk/javax/net/ssl/SSLEngine/Basics.java | 11 +- .../ssl/SSLEngine/CheckTlsEngineResults.java | 18 +- .../net/ssl/SSLEngine/ConnectionTest.java | 9 +- .../net/ssl/SSLEngine/EngineCloseOnAlert.java | 8 +- .../net/ssl/SSLEngine/ExtendedKeyEngine.java | 1 - .../javax/net/ssl/SSLEngine/LargeBufs.java | 27 +- .../net/ssl/SSLEngine/NoAuthClientAuth.java | 45 ++- .../ssl/SSLEngine/SSLEngineResultArgs.java | 1 - .../net/ssl/SSLEngine/TestAllSuites.java | 37 +- .../SSLParameters/UseCipherSuitesOrder.java | 16 +- ...tpsURLConnectionLocalCertificateChain.java | 9 +- .../net/ssl/SSLSession/JSSERenegotiate.java | 21 +- .../net/ssl/SSLSession/RenegotiateTLS13.java | 8 + .../ssl/SSLSession/SSLCtxAccessToSessCtx.java | 8 + .../ssl/SSLSession/SessionCacheSizeTests.java | 8 + .../ssl/SSLSession/SessionTimeOutTests.java | 8 + .../ssl/SSLSession/TestEnabledProtocols.java | 349 ++++++++++++------ .../net/ssl/SSLSocket/ClientExcOnAlert.java | 32 +- .../ServerName/BestEffortOnLazyConnected.java | 8 + .../net/ssl/ServerName/SSLEngineExplorer.java | 50 ++- .../ServerName/SSLSocketConsistentSNI.java | 8 + .../net/ssl/ServerName/SSLSocketExplorer.java | 49 ++- .../ServerName/SSLSocketExplorerFailure.java | 11 +- .../SSLSocketExplorerMatchedSNI.java | 8 + .../SSLSocketExplorerWithCliSNI.java | 8 + .../SSLSocketExplorerWithSrvSNI.java | 8 + .../ssl/ServerName/SSLSocketSNISensitive.java | 
48 ++- .../javax/net/ssl/TLS/CipherTestUtils.java | 2 +- test/jdk/javax/net/ssl/TLS/TestJSSE.java | 77 +++- .../TLSCommon/ConcurrentClientAccessTest.java | 122 ++++-- .../net/ssl/TLSCommon/SSLEngineTestCase.java | 22 +- test/jdk/javax/net/ssl/TLSCommon/TLSTest.java | 75 +++- .../javax/net/ssl/TLSCommon/TLSWithEdDSA.java | 31 +- .../TLSCommon/TestSessionLocalPrincipal.java | 62 +++- test/jdk/javax/net/ssl/TLSTest_java.security | 20 + .../TLSv11/EmptyCertificateAuthorities.java | 28 +- .../net/ssl/TLSv11/GenericBlockCipher.java | 21 +- .../net/ssl/TLSv11/GenericStreamCipher.java | 26 +- .../net/ssl/TLSv12/DisabledShortDSAKeys.java | 14 +- .../net/ssl/TLSv12/DisabledShortRSAKeys.java | 30 +- .../javax/net/ssl/TLSv12/ProtocolFilter.java | 18 +- .../javax/net/ssl/TLSv12/ShortRSAKey512.java | 22 +- .../javax/net/ssl/TLSv12/ShortRSAKeyGCM.java | 34 +- .../net/ssl/TLSv12/SignatureAlgorithms.java | 59 ++- .../net/ssl/TLSv13/ClientHelloKeyShares.java | 41 +- .../javax/net/ssl/TLSv13/HRRKeyShares.java | 6 +- .../ssl/ciphersuites/DisabledAlgorithms.java | 7 + .../ssl/finalize/SSLSessionFinalizeTest.java | 9 + .../ciphersuites/CheckCipherSuites.java | 41 +- .../SystemPropCipherSuitesOrder.java | 58 ++- .../ciphersuites/TLSCipherSuitesOrder.java | 30 +- .../net/ssl/sanity/interop/CipherTest.java | 31 +- .../sanity/interop/ClientJSSEServerJSSE.java | 9 +- .../pluggability/CheckSSLContextExport.java | 23 +- .../javax/net/ssl/templates/NetSslUtils.java | 108 ++++++ .../net/ssl/templates/SSLContextTemplate.java | 2 +- .../net/ssl/templates/SSLSocketTemplate.java | 6 + test/jdk/javax/net/ssl/templates/TLSBase.java | 7 +- test/lib/jdk/test/lib/Utils.java | 54 +++ .../jdk/test/lib/security/SecurityUtils.java | 20 + 71 files changed, 1911 insertions(+), 507 deletions(-) create mode 100644 test/jdk/javax/net/ssl/FIPSFlag/FIPSFlagTests.java create mode 100644 test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java create mode 100644 test/jdk/javax/net/ssl/TLSTest_java.security create mode 100644 
test/jdk/javax/net/ssl/templates/NetSslUtils.java diff --git a/test/jdk/ProblemList-FIPS140_3_OpenJcePlus.txt b/test/jdk/ProblemList-FIPS140_3_OpenJcePlus.txt index fab7277db40..6e4305d2893 100644 --- a/test/jdk/ProblemList-FIPS140_3_OpenJcePlus.txt +++ b/test/jdk/ProblemList-FIPS140_3_OpenJcePlus.txt 
@@ -460,168 +460,6 @@ java/rmi/server/clientStackTrace/ClientStackTrace.java https://github.com/ibmrun java/rmi/server/useCustomRef/UseCustomRef.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all java/rmi/transport/dgcDeadLock/DGCDeadLock.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all javax/imageio/CachePremissionsTest/CachePermissionsTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ALPN/SSLEngineAlpnTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ALPN/SSLServerSocketAlpnTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ALPN/SSLSocketAlpnTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/CipherSuite.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/ClientAuth.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSBufferOverflowUnderflowTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSDataExchangeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSEnginesClosureTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSHandshakeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all 
-javax/net/ssl/DTLS/DTLSHandshakeWithReplicatedPacketsTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSIncorrectAppDataTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSMFLNTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSNotEnabledRC4Test.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSOverDatagram.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSRehandshakeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSRehandshakeWithCipherChangeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSRehandshakeWithDataExTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSSequenceNumberTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSUnsupportedCiphersTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/DTLSWontNegotiateV10.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/InvalidCookie.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/InvalidRecords.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 
linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/NoMacInitialClientHello.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/PacketLossRetransmission.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/Reordered.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/RespondToRetransmit.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/Retransmission.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLS/WeakCipherSuite.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10BufferOverflowUnderflowTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10DataExchangeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10EnginesClosureTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10HandshakeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10HandshakeWithReplicatedPacketsTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10IncorrectAppDataTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10MFLNTest.java 
https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10NotEnabledRC4Test.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10RehandshakeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10RehandshakeWithCipherChangeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10RehandshakeWithDataExTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10SequenceNumberTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/DTLSv10/DTLSv10UnsupportedCiphersTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/FixingJavadocs/ImplicitHandshake.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/FixingJavadocs/KMTMGetNothing.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/FixingJavadocs/SSLSessionNulls.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/FixingJavadocs/SSLSocketInherit.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/HttpsURLConnection/DummyCacheResponse.java 
https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/HttpsURLConnection/Equals.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/HttpsURLConnection/GetResponseCode.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/HttpsURLConnection/HttpsSession.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/AcceptLargeFragments.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/ArgCheck.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/Arrays.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/Basics.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/CheckTlsEngineResults.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/ConnectionTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/EngineCloseOnAlert.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/ExtendedKeyEngine.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/ExtendedKeySocket.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/FinishedPresent.java 
https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/HandshakeWithInvalidRecordVersion.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/IllegalHandshakeMessage.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/LargeBufs.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/NoAuthClientAuth.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLEngine/TestAllSuites.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSession/CheckSessionContext.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSession/JSSERenegotiate.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSession/RenegotiateTLS13.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSession/ResumeTLS13withSNI.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 
linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSession/SessionCacheSizeTests.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSession/SessionTimeOutTests.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSession/TestEnabledProtocols.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSocket/ClientExcOnAlert.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSocket/InputStreamClosure.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSocket/OutputStreamClosure.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/SSLSocket/Tls13PacketSize.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/EndingDotHostname.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/SSLEngineExplorer.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/SSLEngineExplorerUnmatchedSNI.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/SSLSocketConsistentSNI.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/SSLSocketExplorer.java 
https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/SSLSocketExplorerFailure.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/SSLSocketExplorerUnmatchedSNI.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/SSLSocketInconsistentSNI.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ServerName/SSLSocketSNISensitive.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/Stapling/HttpsUrlConnClient.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/Stapling/SSLEngineWithStapling.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/Stapling/SSLSocketWithStapling.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/Stapling/StapleEnableProps.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TLSClientPropertyTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 
linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TLSDataExchangeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TLSEnginesClosureTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TLSHandshakeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TLSMFLNTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TLSNotEnabledRC4Test.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TLSRehandshakeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TLSRehandshakeWithCipherChangeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TLSRehandshakeWithDataExTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TLSUnsupportedCiphersTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TestJSSEClientDefaultProtocol.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TestJSSEClientProtocol.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TestJSSENoCommonProtocols.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLS/TestJSSEServerProtocol.java 
https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSCommon/TLSTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSCommon/TLSWithEdDSA.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv1/TLSDataExchangeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv1/TLSEnginesClosureTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv1/TLSHandshakeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv1/TLSMFLNTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv1/TLSNotEnabledRC4Test.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv1/TLSRehandshakeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv1/TLSRehandshakeWithCipherChangeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv1/TLSRehandshakeWithDataExTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all 
-javax/net/ssl/TLSv1/TLSUnsupportedCiphersTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/ExportableBlockCipher.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/ExportableStreamCipher.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/GenericBlockCipher.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/GenericStreamCipher.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/TLSDataExchangeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/TLSEnginesClosureTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x -javax/net/ssl/TLSv11/TLSHandshakeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/TLSMFLNTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/TLSNotEnabledRC4Test.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/TLSRehandshakeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/TLSRehandshakeWithCipherChangeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 
linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/TLSRehandshakeWithDataExTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv11/TLSUnsupportedCiphersTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv12/DisabledShortDSAKeys.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv12/DisabledShortRSAKeys.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv12/ProtocolFilter.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv12/ShortRSAKey512.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv12/ShortRSAKeyGCM.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv12/SignatureAlgorithms.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv12/TLSEnginesClosureTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv13/ClientHelloKeyShares.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv13/EngineOutOfSeqCCS.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/TLSv13/HRRKeyShares.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ciphersuites/DisabledAlgorithms.java 
https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/ciphersuites/ECCurvesconstraints.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/compatibility/ClientHelloProcessing.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/finalize/SSLSessionFinalizeTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/interop/ClientHelloBufferUnderflowException.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/interop/ClientHelloChromeInterOp.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/sanity/CacertsExplorer.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/sanity/ciphersuites/CipherSuitesInOrder.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java 
https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/templates/SSLEngineTemplate.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all -javax/net/ssl/templates/SSLSocketTemplate.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all javax/rmi/ssl/SSLSocketParametersTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all javax/rmi/ssl/SocketFactoryTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all javax/security/auth/Destroyable/KeyDestructionTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all 
@@ -925,8 +763,6 @@ sun/security/x509/X509CRLImpl/Verify.java https://github.com/ibmruntimes/openj9-
 sun/security/x509/X509CertImpl/ECSigParamsVerifyWithCert.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all
 sun/security/x509/X509CertImpl/V3Certificate.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all
 sun/security/x509/X509CertImpl/Verify.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all
-javax/net/ssl/ServerName/BestEffortOnLazyConnected.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all
 com/sun/jdi/JdwpAttachTest.java.JdwpAttachTest https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le,linux-s390x,aix-all
 sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-s390x,aix-all
-javax/net/ssl/SSLEngine/LargePacket.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-x64,linux-ppc64le
-jdk/nio/zipfs/ZipFSTester.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-ppc64le,linux-s390x,aix-all
+jdk/nio/zipfs/ZipFSTester.java https://github.com/ibmruntimes/openj9-openjdk-jdk17/issues/321 linux-ppc64le,linux-s390x,aix-all
\ No newline at end of file
diff --git a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java
index 0b277792766..16871773640 100644
--- a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java
+++ b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java
@@ -52,6 +52,9 @@ import javax.net.ssl.SSLEngine;
 import java.security.Security;
 
+import jdk.test.lib.Utils;
+import jdk.test.lib.security.SecurityUtils;
+
 /**
 * Test common DTLS cipher suites.
 */
@@ -61,14 +64,40 @@ public class CipherSuite extends DTLSOverDatagram { volatile static String cipherSuite; public static void main(String[] args) throws Exception { - if (args.length > 1 && "re-enable".equals(args[1])) { + if (args.length > 1 && "re-enable".equals(args[1]) + && !(Utils.isFIPS())) { Security.setProperty("jdk.tls.disabledAlgorithms", ""); } cipherSuite = args[0]; CipherSuite testCase = new CipherSuite(); - testCase.runTest(testCase); + try { + testCase.runTest(testCase); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (Utils.isFIPS()) { + if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + sslhe.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslhe.printStackTrace(); + return; + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } @Override diff --git a/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java b/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java index f67a02b3052..fac0d50a7e1 100644 --- a/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java +++ b/test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java @@ -21,6 +21,7 @@ * questions. */ +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; import javax.net.ssl.*; 
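Review bot: The new catch arms in CipherSuite.main turn every failure into a pass: the trailing `catch (Exception e) { e.printStackTrace(); return; }` and both "Unexpected exception" arms return normally, so jtreg records a successful run even when the handshake broke for an unrelated reason, whereas before this change the exception propagated out of main and failed the test. Only the expected FIPS case (suite absent from `SecurityUtils.TLS_CIPHERSUITES` and the disabled-protocol message) should return; the other arms should `throw sslhe;`, and the generic `catch (Exception e)` should be removed so that main's `throws Exception` does the work. The same pattern is repeated in DTLSWontNegotiateV10, WeakCipherSuite, CriticalSubjectAltName, SSLEngine/Arrays and NoAuthClientAuth in this commit. Comparing the full exception message string is also brittle; a `contains("No appropriate protocol")` check would survive minor wording changes.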
@@ -51,7 +52,9 @@ public class DTLSWontNegotiateV10 { private static final int READ_TIMEOUT_SECS = Integer.getInteger("readtimeout", 30); public static void main(String[] args) throws Exception { - if (args[0].equals(DTLSV_1_0)) { + + if (args[0].equals(DTLSV_1_0) + && !(Utils.isFIPS())) { SecurityUtils.removeFromDisabledTlsAlgs(DTLSV_1_0); } @@ -74,6 +77,26 @@ public static void main(String[] args) throws Exception { break; } catch (SocketTimeoutException exc) { System.out.println("The server timed-out waiting for packets from the client."); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (Utils.isFIPS()) { + if(!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + sslhe.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslhe.printStackTrace(); + return; + } } } if (tries == totalAttempts) { diff --git a/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java b/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java index d9bb38ec15a..0f9295cb436 100644 --- a/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java +++ b/test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java @@ -41,6 +41,9 @@ import javax.net.ssl.SSLEngine; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /** * Test common DTLS weak cipher suites. */ 
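Review bot: The FIPS branch in DTLSWontNegotiateV10 decides whether a handshake failure was expected with `SecurityUtils.TLS_PROTOCOLS.contains(args[0])`, but args[0] is a DTLS version name here (the file compares it with `DTLSV_1_0`); if TLS_PROTOCOLS lists TLS names only, every DTLS run including the supported DTLSv1.2 one falls into the "not contained" arm and passes after printing a message, which hides real regressions. Either map the DTLS name to its TLS counterpart before the lookup or keep a DTLS list in SecurityUtils, and say which list is consulted in a comment, e.g. `// FIPS mode: DTLSv1.0 is never re-enabled; a refused handshake is expected only for versions the profile does not approve`. The blank line inserted right after `throws Exception {` in the first hunk should be dropped. The retry loop enclosing the second hunk starts outside it.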
@@ -52,13 +55,40 @@ public class WeakCipherSuite extends DTLSOverDatagram { public static void main(String[] args) throws Exception { // reset security properties to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - Security.setProperty("jdk.certpath.disabledAlgorithms", ""); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + Security.setProperty("jdk.certpath.disabledAlgorithms", ""); + } cipherSuite = args[0]; WeakCipherSuite testCase = new WeakCipherSuite(); - testCase.runTest(testCase); + try { + testCase.runTest(testCase); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (Utils.isFIPS()) { + if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + sslhe.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslhe.printStackTrace(); + return; + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } @Override diff --git a/test/jdk/javax/net/ssl/FIPSFlag/FIPSFlagTests.java b/test/jdk/javax/net/ssl/FIPSFlag/FIPSFlagTests.java new file mode 100644 index 00000000000..1278ba8dd6c --- /dev/null +++ b/test/jdk/javax/net/ssl/FIPSFlag/FIPSFlagTests.java 
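Review bot: WeakCipherSuite's class comment still reads "Test common DTLS weak cipher suites", but in FIPS mode the test now treats a refused handshake as the passing result for any suite missing from `SecurityUtils.TLS_CIPHERSUITES`; that inverted expectation should be documented next to the new catch, e.g. `// FIPS mode: weak suites stay disabled, so a handshake refused with the disabled-protocol message is the expected outcome`. The unexpected-exception arms return normally instead of failing the test, as noted for CipherSuite.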
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @summary Test flags used for FIPS 140-2 and FIPS 140-3
+ * @run main/othervm
+ * TestFIPS false
+ * @run main/othervm
+ * -Dsemeru.fips=true
+ * -Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3
+ * TestFIPS true 140-3
+ * @run main/othervm
+ * -Dsemeru.fips=true
+ * -Dsemeru.customprofile=OpenJCEPlusFIPS
+ * TestFIPS true 140-3
+ * @run main/othervm
+ * -Dsemeru.fips=true
+ * TestFIPS true 140-2
+ */
diff --git a/test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java b/test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java
new file mode 100644
index 00000000000..abcab6f1cf1
--- /dev/null
+++ b/test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java
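Review bot: FIPSFlagTests.java is created by this commit yet carries a `Copyright (c) 2016, 2019, Oracle and/or its affiliates` header, which looks copied from an existing test rather than reflecting this file's origin; the `2010, 2016` header on the new TestFIPS.java has the same problem. Use the header the project requires for newly added files. The four `@run` lines are otherwise consistent with what TestFIPS.main checks (no profile expects 140-2, an OpenJCEPlusFIPS profile expects 140-3).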
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */ + +import java.security.Provider; +import java.security.Security; + +public class TestFIPS { + + private static final String SEMERU_FIPS = System.getProperty("semeru.fips"); + private static final String PROFILE = System.getProperty("semeru.customprofile"); + + public static void main(String[] args) throws Exception { + + for (Provider.Service service : Security.getProvider("SUN").getServices()) { + System.out.println("Service: " + service.getType() + " Algorithm: " + service.getAlgorithm() + " Class: " + service.getClassName()); + } + + if (SEMERU_FIPS == null) { + if (args[0].equals("false")) { + System.out.println("PASS"); + } else { + throw new FIPSException("FIPS mode should be opened before using."); + } + return; + } + + if (PROFILE == null) { + if (SEMERU_FIPS.equals(args[0])) { + if (args[0].equals("true")) { + if (System.getProperty("com.ibm.fips.mode").equals("140-2") && args[1].equals("140-2")) { + System.out.println("PASS"); + } else { + throw new FIPSException("If there is no custom profile specified, the FIPS 140-2 should be used as default."); + } + } else { + throw new FIPSException("FIPS mode is not opened."); + } + } else { + throw new FIPSException("FIPS mode and expected mode do not match."); + } + return; + } + + System.out.println("profile is: " + PROFILE); + if (PROFILE.contains("OpenJCEPlusFIPS")) { + if (SEMERU_FIPS.equals(args[0])) { + if (args[0].equals("true")) { + if (System.getProperty("com.ibm.fips.mode").equals("140-3") && args[1].equals("140-3")) { + System.out.println("PASS"); + } else { + throw new FIPSException("FIPS profile and fips mode do not match."); + } + } else { + throw new FIPSException("FIPS mode is not opened."); + } + } + } else { + throw new FIPSException("FIPS profile is not supported in FIPS 140-3 mode."); + } + } + + public static class FIPSException extends Exception { + public FIPSException(String message) { + super(message); + } + } +} 
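Review bot: TestFIPS.main can finish without printing PASS or throwing: in the `PROFILE.contains("OpenJCEPlusFIPS")` branch there is no `else` for `SEMERU_FIPS.equals(args[0])` being false, so a mismatched expectation passes silently, unlike the no-profile branch which throws; add the same `} else { throw new FIPSException("FIPS mode and expected mode do not match."); }` there. `System.getProperty("com.ibm.fips.mode").equals("140-2")` and its 140-3 twin throw NullPointerException when the property is unset, which replaces the intended diagnostic; write them as `"140-2".equals(System.getProperty("com.ibm.fips.mode"))`. `args[1]` is read without an `args.length` check, so a two-argument invocation that reaches those branches would fail with ArrayIndexOutOfBoundsException; a Javadoc on main stating the expected arguments (`<expectedFips> [<expectedMode>]`) would make the contract explicit. The SUN-provider service dump at the top has no bearing on the assertions and deserves a comment marking it as diagnostic output.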
diff --git a/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java b/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java index b1ef64ef88a..09ea450c15d 100644 --- a/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java +++ b/test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java @@ -26,6 +26,7 @@ * @bug 4387882 * @summary Need to revisit the javadocs for JSSE, especially the * promoted classes. + * @library /test/lib * @run main/othervm ImplicitHandshake * * SunJSSE does not support dynamic system properties, no way to re-use @@ -37,6 +38,8 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; + public class ImplicitHandshake { /* @@ -191,6 +194,10 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java b/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java index d4eca8b5776..d502c5319ff 100644 --- a/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java +++ b/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java @@ -31,6 +31,7 @@ * @bug 6668231 * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to * fail trusted checks + * @library /test/lib * @run main/othervm CriticalSubjectAltName * @author Xuelei Fan */ 
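Review bot: The four-line `if (Utils.isFIPS()) { keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); trustFilename = ...; }` block added to ImplicitHandshake.main is repeated verbatim in CriticalSubjectAltName, GetResponseCode, UseCipherSuitesOrder, HttpsURLConnectionLocalCertificateChain, JSSERenegotiate and RenegotiateTLS13; a single test-library helper that converts both stores (or a whole `pathToStores` directory) would keep the FIPS handling in one place. A one-line comment at each call site would help readers who do not know the helper, e.g. `// FIPS mode: convert the shared JKS test stores to PKCS12 before pointing the JSSE system properties at them`. Whether the converted store is written into the scratch directory rather than next to the originals under `test.src` is not visible here; please confirm, since several othervm tests use the same `../etc` stores concurrently.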
@@ -53,6 +54,8 @@ import java.security.Security; import java.security.cert.Certificate; +import jdk.test.lib.Utils; + public class CriticalSubjectAltName implements HostnameVerifier { /* * ============================================================= @@ -159,10 +162,12 @@ void doClientSide() throws Exception { public static void main(String[] args) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. - Security.setProperty("jdk.certpath.disabledAlgorithms", - "MD2, RSA keySize < 1024"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "SSLv3, RC4, DH keySize < 768"); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", + "MD2, RSA keySize < 1024"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "SSLv3, RC4, DH keySize < 768"); + } String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + @@ -171,6 +176,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); 
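Review bot: The comment `// MD5 is used in this test case, don't disable MD5 algorithm.` in CriticalSubjectAltName.main now sits above a block that is skipped in FIPS mode, so it no longer describes what happens there. Extend it to cover both outcomes, e.g. `// MD5 is used in this test case: outside FIPS mode keep MD5 enabled; in FIPS mode the` / `// default constraints stay in place and the MD5withRSA chain is expected to be rejected (see the catch below).` The `Security.setProperty` calls themselves are unchanged.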
@@ -182,7 +192,29 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new CriticalSubjectAltName(); + try { + new CriticalSubjectAltName(); + } catch (Exception e) { + if (Utils.isFIPS()) { + if (e instanceof java.security.cert.CertPathValidatorException) { + if ("Algorithm constraints check failed on signature algorithm: MD5withRSA".equals(e.getMessage())) { + System.out.println("MD5withRSA is not a supported signature algorithm."); + return; + } else { + System.out.println("Unexpected exception msg: <" + e.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + e.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + e.printStackTrace(); + return; + } + } } Thread clientThread = null; diff --git a/test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java b/test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java index 87ffef9c0f8..310cc7303ff 100644 --- a/test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java +++ b/test/jdk/javax/net/ssl/HttpsURLConnection/GetResponseCode.java @@ -25,6 +25,7 @@ * @test * @bug 4482187 * @summary HttpsClient tests are failing for build 71 + * @library /test/lib * @run main/othervm GetResponseCode * * SunJSSE does not support dynamic system properties, no way to re-use @@ -37,6 +38,8 @@ import javax.net.ssl.*; import java.security.cert.Certificate; +import jdk.test.lib.Utils; + public class GetResponseCode implements HostnameVerifier { /* * ============================================================= 
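Review bot: The expected FIPS path in CriticalSubjectAltName.main requires `e instanceof java.security.cert.CertPathValidatorException` on the exception thrown out of `new CriticalSubjectAltName()`; if the validator failure surfaces as the cause of an SSLHandshakeException, or on the server thread, rather than as the thrown exception itself, the check never matches and the run ends in the "Unexpected exception is caught" arm, which also returns normally and therefore passes. Consider walking the cause chain (`Throwable t = e; while (t != null && !(t instanceof CertPathValidatorException)) t = t.getCause();`) and rethrowing in every arm that is not the expected one. Matching the exact string `"Algorithm constraints check failed on signature algorithm: MD5withRSA"` ties the test to JDK wording; `contains("MD5withRSA")` is less brittle.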
@@ -149,6 +152,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/SSLEngine/ArgCheck.java b/test/jdk/javax/net/ssl/SSLEngine/ArgCheck.java index 4781d15972b..b715ce09a5e 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/ArgCheck.java +++ b/test/jdk/javax/net/ssl/SSLEngine/ArgCheck.java @@ -27,7 +27,7 @@ * @summary Add scatter/gather APIs for SSLEngine * * Check to see if the args are being parsed properly. - * + * @library /test/lib */ import javax.net.ssl.*; diff --git a/test/jdk/javax/net/ssl/SSLEngine/Arrays.java b/test/jdk/javax/net/ssl/SSLEngine/Arrays.java index 2ba56c85b34..75039b2160f 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/Arrays.java +++ b/test/jdk/javax/net/ssl/SSLEngine/Arrays.java @@ -41,7 +41,9 @@ import java.io.*; import java.security.*; import java.nio.*; +import java.util.*; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; public class Arrays { 
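Review bot: `import java.util.*;` is added to SSLEngine/Arrays.java, yet nothing in this file's hunks uses a java.util type, and the file declares its own top-level class `Arrays`; the on-demand import is at best unused and at worst confusing next to `java.util.Arrays`. If a java.util type is needed outside the shown hunks, import it by name; otherwise drop the line. ArgCheck in the same run gains `@library /test/lib` with no visible use of the library; confirm it is needed, since it otherwise only lengthens the jtreg compile step.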
@@ -187,12 +189,14 @@ public static void main(String args[]) throws Exception { contextVersion = args[0]; // Re-enable context version if it is disabled. // If context version is SSLv3, TLSv1 needs to be re-enabled. - if (contextVersion.equals("SSLv3")) { - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1"); - } else if (contextVersion.equals("TLSv1") || - contextVersion.equals("TLSv1.1")) { - SecurityUtils.removeFromDisabledTlsAlgs(contextVersion); - } + if (!(Utils.isFIPS())) { + if (contextVersion.equals("SSLv3")) { + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1"); + } else if (contextVersion.equals("TLSv1") || + contextVersion.equals("TLSv1.1")) { + SecurityUtils.removeFromDisabledTlsAlgs(contextVersion); + } + } Arrays test; @@ -200,7 +204,32 @@ public static void main(String args[]) throws Exception { test.createSSLEngines(); - test.runTest(); + try { + test.runTest(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (Utils.isFIPS()) { + if(!SecurityUtils.TLS_PROTOCOLS.contains(contextVersion)) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + sslhe.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslhe.printStackTrace(); + return; + } + } catch (Exception e) { + e.printStackTrace(); + return; + } System.err.println("Test Passed."); } diff --git a/test/jdk/javax/net/ssl/SSLEngine/Basics.java b/test/jdk/javax/net/ssl/SSLEngine/Basics.java index 3239bfd4ce9..e5fcf225d55 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/Basics.java +++ b/test/jdk/javax/net/ssl/SSLEngine/Basics.java 
@@ -41,6 +41,7 @@ import javax.net.ssl.*; import javax.net.ssl.SSLEngineResult.*; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; public class Basics { @@ -57,11 +58,15 @@ public class Basics { "/" + TRUSTSTORE_FILE; public static void main(String[] args) throws Exception { - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1"); + if (!(Utils.isFIPS())) { + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1"); + runTest("TLSv1.1", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"); + } runTest("TLSv1.3", "TLS_AES_256_GCM_SHA384"); - runTest("TLSv1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384"); - runTest("TLSv1.1", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"); + if (!(Utils.isFIPS())) { + runTest("TLSv1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384"); + } } private static void runTest(String protocol, String cipherSuite) throws Exception { diff --git a/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java b/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java index 7a7ecdffa5d..93447ec3b3e 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java +++ b/test/jdk/javax/net/ssl/SSLEngine/CheckTlsEngineResults.java @@ -25,9 +25,8 @@ * @test * @bug 4948079 * @summary Verify return values from SSLEngine wrap/unwrap (TLSv1.2) operations - * + * @library /test/lib * @run main CheckTlsEngineResults - * * @author Brad Wetmore */ @@ -41,6 +40,8 @@ import java.security.*; import java.nio.*; +import jdk.test.lib.Utils; + public class CheckTlsEngineResults { private final SSLContext SSL_CONTEXT; 
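Review bot: In FIPS mode Basics.main now exercises only TLSv1.3: the TLSv1.2 run is skipped outright because `TLS_RSA_WITH_AES_256_GCM_SHA384` sits under `!(Utils.isFIPS())`, so the engine basics are no longer checked for TLSv1.2 in the very configuration this patch targets. CheckTlsEngineResults in this commit substitutes `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` in FIPS mode; doing the same here keeps the coverage, e.g. `runTest("TLSv1.2", Utils.isFIPS() ? "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" : "TLS_RSA_WITH_AES_256_GCM_SHA384");`. The two separate `if (!(Utils.isFIPS()))` blocks can then be merged, and note that the TLSv1.1 run has moved ahead of the TLSv1.3 run, which changes the order of the log output.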
@@ -126,8 +127,15 @@ private void test() throws Exception { SSLEngineResult result1; // clientEngine's results from last operation SSLEngineResult result2; // serverEngine's results from last operation - String [] suite1 = new String [] { - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" }; + String[] suite1; + if (!(Utils.isFIPS())) { + suite1 = new String [] { + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" }; + } else { + suite1 = new String [] { + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" }; + } + String [] suite2 = new String [] { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" }; @@ -153,7 +161,7 @@ private void test() throws Exception { result2 = serverEngine.unwrap(clientToServer, serverIn); checkResult(clientToServer, serverIn, result2, - Status.OK, HandshakeStatus.NEED_TASK, result1.bytesProduced(), 0); + Status.OK, HandshakeStatus.NEED_TASK, result1.bytesProduced(), 0); runDelegatedTasks(serverEngine); clientToServer.compact(); diff --git a/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java b/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java index e1ed18e9fde..066a06b3bef 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java +++ b/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java @@ -27,7 +27,7 @@ * @summary Add non-blocking SSL/TLS functionality, usable with any * I/O abstraction * @author Brad Wetmore - * + * @library /test/lib * @run main/othervm ConnectionTest TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 * @run main/othervm ConnectionTest TLSv1.3 TLS_AES_256_GCM_SHA384 */ @@ -44,6 +44,8 @@ import java.security.*; import java.nio.*; +import jdk.test.lib.Utils; + public class ConnectionTest { private final SSLEngine clientEngine; @@ -93,6 +95,7 @@ public ConnectionTest(String enabledProtocol, String enabledCipherSuite) private SSLContext getSSLContext() throws Exception { KeyStore ks = KeyStore.getInstance("JKS"); KeyStore ts = KeyStore.getInstance("JKS"); + char[] passphrase = "passphrase".toCharArray(); ks.load(new FileInputStream(KEYSTORE_PATH), passphrase); 
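Review bot: In CheckTlsEngineResults.test the FIPS branch sets suite1 to `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, the same suite the following `suite2` array holds; if the two arrays exist to show the engines switching suites between handshakes, the FIPS run no longer checks that, and a different approved suite such as the `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` this commit uses in LargeBufs would keep them distinct. A comment explaining the substitution would help, e.g. `// FIPS mode: TLS_DHE_RSA_WITH_AES_128_CBC_SHA is not usable here, use an ECDHE/GCM suite instead`. The second hunk of this file is whitespace-only, and the ConnectionTest hunk on this line adds a stray blank line before `char[] passphrase`; both can be dropped from the patch.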
@@ -597,7 +600,9 @@ private static void log(Object msg) { public static void main(String args[]) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } log(String.format("Running with %s and %s%n", args[0], args[1])); ConnectionTest ct = new ConnectionTest(args[0], args[1]); diff --git a/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java b/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java index 7a4f71d8171..e25b3cb2473 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java +++ b/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java @@ -26,6 +26,7 @@ * @bug 8133632 * @summary javax.net.ssl.SSLEngine does not properly handle received * SSL fatal alerts + * @library /test/lib * @run main EngineCloseOnAlert */ @@ -37,6 +38,8 @@ import java.security.*; import static javax.net.ssl.SSLEngineResult.HandshakeStatus.*; +import jdk.test.lib.Utils; + public class EngineCloseOnAlert { private static final String PATH_TO_STORES = "../etc"; @@ -53,8 +56,9 @@ public class EngineCloseOnAlert { private static KeyManagerFactory KMF; private static TrustManagerFactory TMF; - private static final String[] ONECIPHER = - { "TLS_RSA_WITH_AES_128_CBC_SHA" }; + private static final String[] ONECIPHER = (Utils.isFIPS()) ? + new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" } : new String[] { "TLS_RSA_WITH_AES_128_CBC_SHA" }; + public interface TestCase { public void runTest() throws Exception; diff --git a/test/jdk/javax/net/ssl/SSLEngine/ExtendedKeyEngine.java b/test/jdk/javax/net/ssl/SSLEngine/ExtendedKeyEngine.java index 334091d7310..89602cbdc6d 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/ExtendedKeyEngine.java +++ b/test/jdk/javax/net/ssl/SSLEngine/ExtendedKeyEngine.java 
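Review bot: The new ONECIPHER initialiser in EngineCloseOnAlert puts both arms of the conditional on one over-long line with redundant parentheses around `Utils.isFIPS()`; break it as `private static final String[] ONECIPHER = Utils.isFIPS()` / `        ? new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" }` / `        : new String[] { "TLS_RSA_WITH_AES_128_CBC_SHA" };` and drop the extra blank line added after it. The `!(Utils.isFIPS())` spelling recurs in every guard of this patch; `!Utils.isFIPS()` reads better.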
@@ -26,7 +26,6 @@ * @bug 4981697 * @summary Rework the X509KeyManager to avoid incompatibility issues * @author Brad R. Wetmore - * * @run main/othervm -Djdk.tls.acknowledgeCloseNotify=true ExtendedKeyEngine */ diff --git a/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java b/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java index 76c181ccff4..6afcc648261 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java +++ b/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java @@ -29,7 +29,7 @@ * * This is to test larger buffer arrays, and make sure the maximum * is being passed. - * + * @library /test/lib * @run main/othervm -Djsse.enableCBCProtection=false LargeBufs * * @author Brad R. Wetmore @@ -43,6 +43,8 @@ import java.nio.*; import java.util.Random; +import jdk.test.lib.Utils; + public class LargeBufs { private static boolean debug = true; @@ -181,17 +183,22 @@ private void runTest(String cipher) throws Exception { } public static void main(String args[]) throws Exception { - // reset the security property to make sure that the algorithms - // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - LargeBufs test; - test = new LargeBufs(); - test.runTest("SSL_RSA_WITH_RC4_128_MD5"); - - test = new LargeBufs(); - test.runTest("SSL_RSA_WITH_3DES_EDE_CBC_SHA"); + if (!(Utils.isFIPS())) { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + test = new LargeBufs(); + test.runTest("SSL_RSA_WITH_RC4_128_MD5"); + test = new LargeBufs(); + test.runTest("SSL_RSA_WITH_3DES_EDE_CBC_SHA"); + } else { + test = new LargeBufs(); + test.runTest("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"); + test = new LargeBufs(); + test.runTest("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"); + } System.out.println("Test Passed."); } 
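Review bot: The FIPS branch of LargeBufs.main runs `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, which needs an EC key and certificate in the server's key store; the store is not shown in this hunk, so please confirm it holds an ECDSA entry, otherwise the handshake fails for lack of a shared suite and the test reports that rather than a buffer problem. If only RSA keys are available, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` next to the existing `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` still gives two distinct suites to run. A comment on the `else` branch stating why these suites were chosen would help the next maintainer.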
diff --git a/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java b/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java index 208fb3935ae..74860fa2120 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java +++ b/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java @@ -30,6 +30,7 @@ * @test * @bug 4495742 8190492 * @summary Demonstrate SSLEngine switch from no client auth to client auth. + * @library /test/lib * @run main/othervm NoAuthClientAuth SSLv3 * @run main/othervm NoAuthClientAuth TLSv1 * @run main/othervm NoAuthClientAuth TLSv1.1 @@ -82,6 +83,9 @@ import java.security.*; import java.nio.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + // Note that this test case depends on JSSE provider implementation details. public class NoAuthClientAuth { 
@@ -140,16 +144,49 @@ public class NoAuthClientAuth { * Main entry point for this test. */ public static void main(String args[]) throws Exception { - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + tlsProtocol = args[0]; + } else { + if (SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { + tlsProtocol = args[0]; + } + } + // if (tlsProtocol == null) { + // return; + // } if (debug) { System.setProperty("javax.net.debug", "all"); } - tlsProtocol = args[0]; - NoAuthClientAuth test = new NoAuthClientAuth(); - test.runTest(); + try { + test.runTest(); + } catch (java.lang.IllegalArgumentException iae) { + if (Utils.isFIPS()) { + if (tlsProtocol == null) { + if ("Unsupported protocolnull".equals(iae.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + iae.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + iae.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + iae.printStackTrace(); + return; + } + } catch (Exception e) { + e.printStackTrace(); + return; + } System.out.println("Test Passed."); } diff --git a/test/jdk/javax/net/ssl/SSLEngine/SSLEngineResultArgs.java b/test/jdk/javax/net/ssl/SSLEngine/SSLEngineResultArgs.java index 3685dca64df..079b6d535ed 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/SSLEngineResultArgs.java +++ b/test/jdk/javax/net/ssl/SSLEngine/SSLEngineResultArgs.java @@ -25,7 +25,6 @@ * @test * @bug 4965868 * @summary SSLEngineResult constructor needs null argument description - * * @author Brad Wetmore */ diff --git a/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java b/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java index 67387bd1661..c4e4e3d8dcc 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java 
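Review bot: NoAuthClientAuth.main now deliberately leaves `tlsProtocol` null in FIPS mode and recognises the outcome by matching `"Unsupported protocolnull"`, a message that exists only because a null is concatenated into an error string; that couples the test to an implementation detail, and the commented-out `// if (tlsProtocol == null) { // return; // }` shows the direct route was considered. Replace the commented-out lines with an explicit skip, e.g. `if (tlsProtocol == null) { System.out.println(args[0] + " is not supported in FIPS mode, skipping."); return; }`, and delete the whole `catch (IllegalArgumentException iae)` arm, which then has no expected case left. The remaining `catch (Exception e) { e.printStackTrace(); return; }` swallows failures; let them propagate. Commented-out code should not be committed.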
+++ b/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java @@ -38,6 +38,7 @@ * @author Brad Wetmore */ +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; import javax.net.ssl.*; @@ -89,7 +90,25 @@ private void createSSLEngines() { } private void test() throws Exception { - String [] suites = clientEngine.getEnabledCipherSuites(); + List tmpCipherSuites = new ArrayList<>(); + String [] suites; + if (Utils.isFIPS()) { + for (String ciphersuite : clientEngine.getEnabledCipherSuites()) { + if (!SecurityUtils.TLS_CIPHERSUITES.containsKey(ciphersuite)) { + continue; + } + if (!SecurityUtils.TLS_CIPHERSUITES.get(ciphersuite).equals(PROTOCOL)) { + continue; + } + tmpCipherSuites.add(ciphersuite); + } + if (tmpCipherSuites.size() == 0) { + return; + } + suites = tmpCipherSuites.toArray(new String[0]); + } else { + suites = clientEngine.getEnabledCipherSuites(); + } System.out.println("Enabled cipher suites for protocol " + PROTOCOL + ": " + Arrays.toString(suites)); for (String suite: suites){ @@ -224,11 +243,17 @@ public static void main(String args[]) throws Exception { if (args.length < 1) { throw new RuntimeException("Missing TLS protocol parameter."); } - - switch(args[0]) { - case "TLSv1.1" -> SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1"); - case "TLSv1.3" -> SecurityUtils.addToDisabledTlsAlgs("TLSv1.2"); - } + if (!(Utils.isFIPS())) { + switch(args[0]) { + case "TLSv1.1" -> SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1"); + case "TLSv1.3" -> SecurityUtils.addToDisabledTlsAlgs("TLSv1.2"); + } + } + // else { + // if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { + // return; + // } + // } TestAllSuites testAllSuites = new TestAllSuites(args[0]); testAllSuites.createSSLEngines(); diff --git a/test/jdk/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java b/test/jdk/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java index 58e387bcdad..baf768a2ad4 100644 --- a/test/jdk/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java 
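Review bot: TestAllSuites.test declares `List tmpCipherSuites = new ArrayList<>();` as a raw type, which yields unchecked warnings at `add` and `toArray`; declare it `List<String> tmpCipherSuites = new ArrayList<>();`, use `isEmpty()` instead of `size() == 0`, and the filter loop can become a stream over `clientEngine.getEnabledCipherSuites()` with `filter(s -> PROTOCOL.equals(SecurityUtils.TLS_CIPHERSUITES.get(s)))`, which also covers the missing-key case. When no suite survives the filter the method returns silently and the test passes without exercising anything; print which protocol was skipped, e.g. `System.out.println("No FIPS-approved cipher suites enabled for " + PROTOCOL + ", skipping.");`. The second hunk leaves a commented-out `else` block in main; remove it.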
+++ b/test/jdk/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java @@ -30,6 +30,7 @@ * @test * @bug 7188657 * @summary There should be a way to reorder the JSSE ciphers + * @library /test/lib * @run main/othervm UseCipherSuitesOrder * TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA */ @@ -39,6 +40,8 @@ import javax.net.ssl.*; import java.util.Arrays; +import jdk.test.lib.Utils; + public class UseCipherSuitesOrder { /* @@ -174,6 +177,10 @@ private static void parseArguments(String[] args) throws Exception { throw new Exception("Need to enable at least two cipher suites"); } + if (Utils.isFIPS()) { + cliEnabledCipherSuites = new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"}; + } + // Only need to use 2 cipher suites in server side. srvEnabledCipherSuites = Arrays.copyOf( cliEnabledCipherSuites, 2); @@ -197,7 +204,9 @@ private static void parseArguments(String[] args) throws Exception { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } // parse the arguments parseArguments(args); @@ -209,6 +218,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); 
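Review bot: In UseCipherSuitesOrder.parseArguments the FIPS override `cliEnabledCipherSuites = new String[] { ... }` is applied after the command-line suites have been parsed and validated, so in FIPS mode the `@run` arguments `TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA` are silently discarded and the "at least two cipher suites" check ran against values that are never used. Move the override ahead of that check, or add a comment at the override, e.g. `// FIPS mode: ignore the suites given on the command line and use two FIPS-approved ECDHE suites`, and mention it in the jtreg header so the `@run` line is not misleading. The hunk starts mid-method; parseArguments' signature lies outside it.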
diff --git a/test/jdk/javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java b/test/jdk/javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java index c6e9753a2c1..5ae7b17ad5e 100644 --- a/test/jdk/javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java +++ b/test/jdk/javax/net/ssl/SSLSession/HttpsURLConnectionLocalCertificateChain.java @@ -24,6 +24,7 @@ /* * @test * @bug 4395238 4354003 4387961 4395266 + * @library /test/lib * @summary A test of many of the new functionality to go into JSSE 1.1 * Fixed 4395238: The new certificate chains APIs should really be * returning certs, not x509 certs @@ -42,6 +43,8 @@ import javax.net.ssl.*; import java.security.cert.*; +import jdk.test.lib.Utils; + public class HttpsURLConnectionLocalCertificateChain implements HandshakeCompletedListener, HostnameVerifier { @@ -211,7 +214,6 @@ void doClientSide() throws Exception { myURLc = (HttpsURLConnection) myURL.openConnection(); myURLc.setHostnameVerifier(this); myURLc.connect(); - InputStream sslIS = myURLc.getInputStream(); System.out.println("Client reading..."); @@ -245,6 +247,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java b/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java index 435dd2345d6..31225107ec0 100644 --- a/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java +++ b/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java 
@@ -24,6 +24,7 @@ /* * @test * @bug 4280338 + * @library /test/lib * @summary "Unsupported SSL message version" SSLProtocolException * w/SSL_RSA_WITH_NULL_MD5 * @run main/othervm JSSERenegotiate @@ -40,10 +41,12 @@ import java.security.Security; import javax.net.ssl.*; +import jdk.test.lib.Utils; + public class JSSERenegotiate { - static final String suite1 = "SSL_RSA_WITH_NULL_MD5"; - static final String suite2 = "SSL_RSA_WITH_NULL_SHA"; + static String suite1; + static String suite2; static final String dataString = "This is a test"; @@ -193,7 +196,9 @@ void doClientSide() throws Exception { public static void main(String[] args) throws Exception { // reset the security property to make sure that the cipher suites // used in this test are not disabled - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + @@ -202,6 +207,16 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + suite1 = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; + suite2 = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"; + } else { + suite1 = "SSL_RSA_WITH_NULL_MD5"; + suite2 = "SSL_RSA_WITH_NULL_SHA"; + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/SSLSession/RenegotiateTLS13.java b/test/jdk/javax/net/ssl/SSLSession/RenegotiateTLS13.java index 9495ee2d28a..7b5262fb1c6 100644 --- a/test/jdk/javax/net/ssl/SSLSession/RenegotiateTLS13.java +++ b/test/jdk/javax/net/ssl/SSLSession/RenegotiateTLS13.java 
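Review bot: Under FIPS the test swaps SSL_RSA_WITH_NULL_MD5/SSL_RSA_WITH_NULL_SHA for TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, so the scenario named in the `@summary` ("Unsupported SSL message version" with SSL_RSA_WITH_NULL_MD5, bug 4280338) is no longer exercised in that mode; the FIPS branch should state what the test still covers, e.g. `// FIPS 140-3: NULL-cipher suites are unavailable; only the renegotiation path is exercised here.` Dropping `final` from suite1 and suite2 turns them into mutable statics written from main; they can stay `final` with `static final String suite1 = Utils.isFIPS() ? "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" : "SSL_RSA_WITH_NULL_MD5";` and `static final String suite2 = Utils.isFIPS() ? "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" : "SSL_RSA_WITH_NULL_SHA";`. The guarded `Security.setProperty("jdk.tls.disabledAlgorithms", "")` keeps the old "reset the security property" comment, which no longer describes the FIPS path; main continues outside the hunk.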
@@ -23,6 +23,7 @@ /* * @test + * @library /test/lib * @run main/othervm -Djavax.net.debug=ssl RenegotiateTLS13 */ @@ -40,6 +41,8 @@ import java.security.KeyStore; import java.security.SecureRandom; +import jdk.test.lib.Utils; + public class RenegotiateTLS13 { static final String dataString = "This is a test"; @@ -139,6 +142,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java b/test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java index 4e3b8e0b076..a05f925690a 100644 --- a/test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java +++ b/test/jdk/javax/net/ssl/SSLSession/SSLCtxAccessToSessCtx.java @@ -24,6 +24,7 @@ /* * @test * @bug 4473210 + * @library /test/lib * @summary SSLSessionContext should be accessible from SSLContext * @run main/othervm -Djdk.tls.server.enableSessionTicketExtension=false * SSLCtxAccessToSessCtx @@ -40,6 +41,8 @@ import java.util.concurrent.atomic.AtomicInteger; import java.security.KeyStore; +import jdk.test.lib.Utils; + public class SSLCtxAccessToSessCtx { /* 
@@ -172,6 +175,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/SSLSession/SessionCacheSizeTests.java b/test/jdk/javax/net/ssl/SSLSession/SessionCacheSizeTests.java index bb61abb35d5..b3203d07ae0 100644 --- a/test/jdk/javax/net/ssl/SSLSession/SessionCacheSizeTests.java +++ b/test/jdk/javax/net/ssl/SSLSession/SessionCacheSizeTests.java @@ -29,6 +29,7 @@ /* * @test * @bug 4366807 + * @library /test/lib * @summary Need new APIs to get/set session timeout and session cache size. * @run main/othervm SessionCacheSizeTests */ @@ -39,6 +40,8 @@ import java.util.*; import java.security.*; +import jdk.test.lib.Utils; + /** * Session cache size tests cover the following cases: * 1. Effect of system property javax.net.ssl.SessionCacheSize (this @@ -305,6 +308,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/SSLSession/SessionTimeOutTests.java b/test/jdk/javax/net/ssl/SSLSession/SessionTimeOutTests.java index c44c12f6c59..e4fb9410e9f 100644 --- a/test/jdk/javax/net/ssl/SSLSession/SessionTimeOutTests.java 
+++ b/test/jdk/javax/net/ssl/SSLSession/SessionTimeOutTests.java @@ -27,6 +27,7 @@ /* * @test * @bug 4366807 + * @library /test/lib * @summary Need new APIs to get/set session timeout and session cache size. * @run main/othervm SessionTimeOutTests */ @@ -41,6 +42,8 @@ import java.util.concurrent.CountDownLatch; import java.util.concurrent.TimeUnit; +import jdk.test.lib.Utils; + /** * Session reuse time-out tests cover the cases below: * 1. general test, i.e timeout is set to x and session invalidates when @@ -332,6 +335,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java b/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java index 4e56a9a655b..c4aa2c915a9 100644 --- a/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java +++ b/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java @@ -34,6 +34,7 @@ * 4701722 protocol mismatch exceptions should be consistent between * SSLv3 and TLSv1 * @library /javax/net/ssl/templates + * @library /test/lib * @run main/othervm TestEnabledProtocols * @author Ram Marti */ @@ -52,6 +53,9 @@ import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLSocket; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class TestEnabledProtocols extends SSLSocketTemplate { private final String[] serverProtocols; 
@@ -165,121 +169,236 @@ private void failTest(Exception e, String message) { } public static void main(String[] args) throws Exception { - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - - runCase(new String[] { "TLSv1" }, - new String[] { "TLSv1" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1" }, - new String[] { "TLSv1", "SSLv2Hello" }, - true, null); - runCase(new String[] { "TLSv1" }, - new String[] { "TLSv1", "SSLv3" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1" }, - new String[] { "SSLv3", "SSLv2Hello" }, - true, null); - runCase(new String[] { "TLSv1" }, - new String[] { "SSLv3" }, - true, null); - runCase(new String[] { "TLSv1" }, - new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - true, null); - - runCase(new String[] { "TLSv1", "SSLv2Hello" }, - new String[] { "TLSv1" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv2Hello" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv3" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv2Hello" }, - new String[] { "SSLv3", "SSLv2Hello" }, - true, null); - runCase(new String[] { "TLSv1", "SSLv2Hello" }, - new String[] { "SSLv3" }, - true, null); - runCase(new String[] { "TLSv1", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - false, "TLSv1"); - - runCase(new String[] { "TLSv1", "SSLv3" }, - new String[] { "TLSv1" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv3" }, - new String[] { "TLSv1", "SSLv2Hello" }, - true, null); - runCase(new String[] { "TLSv1", "SSLv3" }, - new String[] { "TLSv1", "SSLv3" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv3" }, - new String[] { "SSLv3", "SSLv2Hello" }, - true, null); - runCase(new String[] { "TLSv1", "SSLv3" }, - new String[] { "SSLv3" }, - false, "SSLv3"); - runCase(new String[] { "TLSv1", "SSLv3" }, - new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - true, null); - - runCase(new 
String[] { "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1" }, - true, null); - runCase(new String[] { "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv2Hello" }, - true, null); - runCase(new String[] { "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv3" }, - false, "SSLv3"); - runCase(new String[] { "SSLv3", "SSLv2Hello" }, - new String[] { "SSLv3", "SSLv2Hello" }, - false, "SSLv3"); - runCase(new String[] { "SSLv3", "SSLv2Hello" }, - new String[] { "SSLv3" }, - false, "SSLv3"); - runCase(new String[] { "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - false, "SSLv3"); - - runCase(new String[] { "SSLv3" }, - new String[] { "TLSv1" }, - true, null); - runCase(new String[] { "SSLv3" }, - new String[] { "TLSv1", "SSLv2Hello" }, - true, null); - runCase(new String[] { "SSLv3" }, - new String[] { "TLSv1", "SSLv3" }, - false, "SSLv3"); - runCase(new String[] { "SSLv3" }, - new String[] { "SSLv3", "SSLv2Hello" }, - true, null); - runCase(new String[] { "SSLv3" }, - new String[] { "SSLv3" }, - false, "SSLv3"); - runCase(new String[] { "SSLv3" }, - new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - true, null); - - runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv2Hello" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv3" }, - false, "TLSv1"); - runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - new String[] { "SSLv3", "SSLv2Hello" }, - false, "SSLv3"); - runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - new String[] { "SSLv3" }, - false, "SSLv3"); - runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, - false, "TLSv1"); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + runCase(new String[] { "TLSv1" }, + new String[] { 
"TLSv1" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1", "SSLv3" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1" }, + new String[] { "SSLv3" }, + true, null); + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, null); + + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv2Hello" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "SSLv3" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + false, "TLSv1"); + + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1", "SSLv3" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "SSLv3" }, + false, "SSLv3"); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, null); + + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1" }, + true, null); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { 
"TLSv1", "SSLv3" }, + false, "SSLv3"); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3", "SSLv2Hello" }, + false, "SSLv3"); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3" }, + false, "SSLv3"); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + false, "SSLv3"); + + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1" }, + true, null); + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1", "SSLv3" }, + false, "SSLv3"); + runCase(new String[] { "SSLv3" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "SSLv3" }, + new String[] { "SSLv3" }, + false, "SSLv3"); + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, null); + + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv2Hello" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3" }, + false, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3", "SSLv2Hello" }, + false, "SSLv3"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3" }, + false, "SSLv3"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + false, "TLSv1"); + } else { + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1", "SSLv3" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new 
String[] { "TLSv1" }, + new String[] { "SSLv3" }, + true, null); + runCase(new String[] { "TLSv1" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, null); + + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "SSLv3" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, "TLSv1"); + + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1", "SSLv3" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "SSLv3" }, + true, "SSLv3"); + runCase(new String[] { "TLSv1", "SSLv3" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, null); + + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1" }, + true, null); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3" }, + true, "SSLv3"); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, "SSLv3"); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3" }, + true, "SSLv3"); + runCase(new String[] { "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3", 
"SSLv2Hello" }, + true, "SSLv3"); + + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1" }, + true, null); + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, null); + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1", "SSLv3" }, + true, "SSLv3"); + runCase(new String[] { "SSLv3" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, null); + runCase(new String[] { "SSLv3" }, + new String[] { "SSLv3" }, + true, "SSLv3"); + runCase(new String[] { "SSLv3" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, null); + + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv2Hello" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3" }, + true, "TLSv1"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3", "SSLv2Hello" }, + true, "SSLv3"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "SSLv3" }, + true, "SSLv3"); + runCase(new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + new String[] { "TLSv1", "SSLv3", "SSLv2Hello" }, + true, "TLSv1"); + } } private static void runCase( diff --git a/test/jdk/javax/net/ssl/SSLSocket/ClientExcOnAlert.java b/test/jdk/javax/net/ssl/SSLSocket/ClientExcOnAlert.java index 063befba3b7..88e9f08edae 100644 --- a/test/jdk/javax/net/ssl/SSLSocket/ClientExcOnAlert.java +++ b/test/jdk/javax/net/ssl/SSLSocket/ClientExcOnAlert.java @@ -55,6 +55,9 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; + public class ClientExcOnAlert { // This is a PKCS#12 keystore created with the following command: // keytool -genkeypair -alias testcert -keyalg rsa -keysize 2048 
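Review bot: The FIPS branch of TestEnabledProtocols.main repeats all 36 runCase invocations of the non-FIPS branch, changing only the boolean argument to `true` while keeping each row's protocol argument, so main is now roughly 230 lines of near-duplicate tables that must be kept in sync by hand. A single case table holding the non-FIPS expectation, iterated once with `fips || expected` as the exception flag, reproduces both branches exactly; the sketch below assumes runCase's third parameter is the expected-exception flag and the fourth the negotiated protocol, which should be confirmed against its signature (it begins after the hunk). A comment that in FIPS mode every case is expected to fail because TLSv1 and SSLv3 are not available would also make the intent explicit, since nothing in the new branch says why all 36 flags became `true`. SecurityUtils is imported in this file's import hunk but does not appear in any visible hunk of the file; if it is unused, the import should be dropped.
```java
    // Each row: server protocols, client protocols, exception expected in non-FIPS mode,
    // protocol expected to be negotiated (null when the handshake must fail).
    private static final Object[][] CASES = {
        { new String[] { "TLSv1" }, new String[] { "TLSv1" }, false, "TLSv1" },
        { new String[] { "TLSv1" }, new String[] { "TLSv1", "SSLv2Hello" }, true, null },
        // … remaining 34 rows, taken from the non-FIPS branch …
    };

    public static void main(String[] args) throws Exception {
        boolean fips = Utils.isFIPS();
        if (!fips) {
            Security.setProperty("jdk.tls.disabledAlgorithms", "");
        }
        // In FIPS 140-3 mode TLSv1 and SSLv3 are not available, so every case must
        // raise an exception; outside FIPS the per-row expectation applies.
        for (Object[] c : CASES) {
            runCase((String[]) c[0], (String[]) c[1], fips || (Boolean) c[2], (String) c[3]);
        }
    }
```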
@@ -66,6 +69,7 @@ public class ClientExcOnAlert { // file. private static int serverPort = -1; private static final String KEYSTORE_PASS = "password"; + // private static final String KEYSTORE_PEM_FIPS = ; private static final String KEYSTORE_PEM = "MIIJrwIBAzCCCWgGCSqGSIb3DQEHAaCCCVkEgglVMIIJUTCCBW0GCSqGSIb3DQEH\n" + "AaCCBV4EggVaMIIFVjCCBVIGCyqGSIb3DQEMCgECoIIE+zCCBPcwKQYKKoZIhvcN\n" + @@ -124,6 +128,7 @@ public class ClientExcOnAlert { static final Condition serverReady = lock.newCondition(); public static void main(String[] args) throws Exception { + printPEM(KEYSTORE_PEM); Thread serverThread = new Thread(() -> { try { doServerSide(); @@ -134,7 +139,6 @@ public static void main(String[] args) throws Exception { } ); serverThread.start(); - try { doClientSide((args == null || args.length < 1) ? null : args[0]); throw new RuntimeException("Expected SSLException did not occur!"); @@ -143,7 +147,6 @@ public static void main(String[] args) throws Exception { } finally { serverThread.join(); } - } static void doServerSide() throws Exception { @@ -151,11 +154,10 @@ static void doServerSide() throws Exception { SSLContext sslc = SSLContext.getInstance("TLS"); log("doServerSide start"); KeyManagerFactory kmf = createKeyManagerFactory(KEYSTORE_PEM, - KEYSTORE_PASS); + KEYSTORE_PASS); sslc.init(kmf.getKeyManagers(), null, null); SSLServerSocketFactory ssf = (SSLServerSocketFactory)sslc.getServerSocketFactory(); - try (SSLServerSocket sslServerSocket = (SSLServerSocket)ssf.createServerSocket(0)) { sslServerSocket.setReuseAddress(true); 
@@ -247,4 +249,24 @@ private static void log(String msgFmt, Object ... args) { sb.append(String.format(msgFmt, args)); System.out.println(sb.toString()); } -} + + private static void printPEM(String KEYSTORE_PEM) { + Base64.Decoder b64dec = Base64.getMimeDecoder(); + byte[] pemBytes = b64dec.decode(KEYSTORE_PEM); + + try { + CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); + X509Certificate cert = (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(pemBytes)); + + System.out.println("Certificate:"); + System.out.println(" Subject: " + cert.getSubjectX500Principal().getName()); + System.out.println(" Issuer: " + cert.getIssuerX500Principal().getName()); + System.out.println(" Serial Number: " + cert.getSerialNumber()); + System.out.println(" Valid from: " + cert.getNotBefore()); + System.out.println(" Valid until: " + cert.getNotAfter()); + System.out.println(" Public Key Algorithm: " + cert.getPublicKey().getAlgorithm()); + } catch (Exception e) { + e.printStackTrace(); + } + } +} \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java b/test/jdk/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java index bda0710f61e..46dd8d629c2 100644 --- a/test/jdk/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java +++ b/test/jdk/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java @@ -30,6 +30,7 @@ * @test * @bug 8144566 * @summary Custom HostnameVerifier disables SNI extension + * @library /test/lib * @run main/othervm BestEffortOnLazyConnected */ @@ -37,6 +38,8 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; + public class BestEffortOnLazyConnected { /* 
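Review bot: printPEM, and the `printPEM(KEYSTORE_PEM);` call added at the top of main, read as debugging leftovers: the file's own comment says KEYSTORE_PEM is a PKCS#12 keystore, yet the helper hands the decoded bytes to `CertificateFactory.getInstance("X.509").generateCertificate(...)`, which cannot parse a PKCS#12 blob, and the resulting exception is swallowed by `catch (Exception e)` and only printed. Unless it serves a purpose, the helper, its call, the new CertificateFactory/X509Certificate imports and the empty placeholder `// private static final String KEYSTORE_PEM_FIPS = ;` should be removed before this merges. If a diagnostic is genuinely wanted, load the blob with `KeyStore.getInstance("PKCS12")` and print the chain for its alias, and give the parameter a lowerCamelCase name instead of shadowing the KEYSTORE_PEM constant. The hunk also drops the file's trailing newline (`\ No newline at end of file`) and re-indents the createKeyManagerFactory continuation line for no functional reason.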
@@ -171,6 +174,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/ServerName/SSLEngineExplorer.java b/test/jdk/javax/net/ssl/ServerName/SSLEngineExplorer.java index 64a62158eee..48d7fe00cfe 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLEngineExplorer.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLEngineExplorer.java @@ -31,6 +31,7 @@ * @bug 7068321 8190492 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @library ../SSLEngine ../templates + * @library /test/lib * @build SSLEngineService SSLCapabilities SSLExplorer * @run main/othervm SSLEngineExplorer SSLv2Hello,SSLv3 * @run main/othervm SSLEngineExplorer SSLv3 @@ -46,6 +47,9 @@ import java.nio.channels.*; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class SSLEngineExplorer extends SSLEngineService { /* 
@@ -220,7 +224,19 @@ void checkCapabilities(SSLCapabilities capabilities, private static String[] supportedProtocols; // supported protocols private static void parseArguments(String[] args) { - supportedProtocols = args[0].split(","); + List supportProtocols = new ArrayList<>(); + for (String supportProtocol : args[0].split(",")) { + System.out.println("the args[0] is: " + supportProtocol); + if (!SecurityUtils.TLS_PROTOCOLS.contains(supportProtocol)) { + continue; + } + System.out.println("SupportProtocol is: " + supportProtocol); + supportProtocols.add(supportProtocol); + } + supportedProtocols = supportProtocols.toArray(new String[0]); + for (String s : supportedProtocols) { + System.out.println("SupportedProtocols is: " + s); + } } @@ -237,7 +253,9 @@ private static void parseArguments(String[] args) { public static void main(String args[]) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } if (debug) System.setProperty("javax.net.debug", "all"); 
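Review bot: parseArguments now filters args[0] through `SecurityUtils.TLS_PROTOCOLS` unconditionally, so the filter also applies outside FIPS mode; if TLS_PROTOCOLS does not list SSLv2Hello and SSLv3 (its contents are not visible here), the `@run main/othervm SSLEngineExplorer SSLv2Hello,SSLv3` invocation silently loses exactly the protocols it exists to exercise even on a non-FIPS build. Guard the filtering with `Utils.isFIPS()` and keep `supportedProtocols = args[0].split(",");` as the non-FIPS path, with a comment such as `// FIPS 140-3: drop protocols the provider does not offer; an empty list means the handshake is expected to be refused.` `List supportProtocols = new ArrayList<>();` is a raw type and should be `List<String> supportProtocols = new ArrayList<>();` (java.util.List/ArrayList also need importing; only java.nio.channels.* and java.security.Security are visible in the import hunk). The three System.out.println lines ("the args[0] is: ", "SupportProtocol is: ", "SupportedProtocols is: ") are debug output and should go; the same unguarded raw-type filter, without the printlns, is added to SSLSocketExplorer.parseArguments and needs the same treatment.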
@@ -245,9 +263,35 @@ public static void main(String args[]) throws Exception { /* * Get the customized arguments. */ + System.out.println("args is: " + args); parseArguments(args); - new SSLEngineExplorer(); + try { + new SSLEngineExplorer(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (Utils.isFIPS()) { + if (supportedProtocols == null || supportedProtocols.length == 0) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + sslhe.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslhe.printStackTrace(); + return; + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } Thread clientThread = null; diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketConsistentSNI.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketConsistentSNI.java index 38d999aa3ef..1f1dd15fa82 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketConsistentSNI.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketConsistentSNI.java @@ -30,6 +30,7 @@ * @test * @bug 7068321 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server + * @library /test/lib * @run main/othervm SSLSocketConsistentSNI */ @@ -40,6 +41,8 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; + public class SSLSocketConsistentSNI { /* 
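Review bot: The new catch blocks around `new SSLEngineExplorer()` turn every failure into a pass: an SSLHandshakeException with an unexpected message, one raised in FIPS mode although protocols were available, one raised outside FIPS, and any other Exception all print and `return` normally, so the test can no longer fail through this path. Only the one tolerated outcome (FIPS mode, nothing survived the protocol filter, and the handshake refused for that reason) should return; everything else should propagate, as sketched below. Matching the exact exception message ties the test to JSSE's wording and will break on any rewording; if the empty supportedProtocols check alone is a sufficient signal, prefer it. `System.out.println("args is: " + args)` prints the array's identity hash rather than its contents and should use `Arrays.toString(args)` or be dropped. SSLSocketExplorer.main receives the same catch structure and needs the same change; main continues after the hunk.
```java
        try {
            new SSLEngineExplorer();
        } catch (javax.net.ssl.SSLHandshakeException sslhe) {
            // FIPS 140-3: when the filter in parseArguments left no usable protocol, the
            // only acceptable outcome is the handshake being refused for that reason.
            if (Utils.isFIPS()
                    && (supportedProtocols == null || supportedProtocols.length == 0)
                    && "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
                            .equals(sslhe.getMessage())) {
                System.out.println("Expected exception msg: is caught");
                return;
            }
            throw sslhe;   // anything else is a real failure
        }
```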
@@ -218,6 +221,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorer.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorer.java index 4992553eba9..b5fbdbddc9a 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorer.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorer.java @@ -31,6 +31,7 @@ * @bug 7068321 8190492 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @library ../templates + * @library /test/lib * @build SSLCapabilities SSLExplorer * @run main/othervm SSLSocketExplorer SSLv2Hello,SSLv3 * @run main/othervm SSLSocketExplorer SSLv3 @@ -47,6 +48,9 @@ import javax.net.ssl.*; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class SSLSocketExplorer { /* @@ -212,7 +216,14 @@ void checkCapabilities(SSLCapabilities capabilities, private static String[] supportedProtocols; // supported protocols private static void parseArguments(String[] args) { - supportedProtocols = args[0].split(","); + List supportProtocols = new ArrayList<>(); + for (String supportProtocol : args[0].split(",")) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(supportProtocol)) { + continue; + } + supportProtocols.add(supportProtocol); + } + supportedProtocols = supportProtocols.toArray(new String[0]); } 
@@ -230,7 +241,9 @@ private static void parseArguments(String[] args) { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + @@ -239,6 +252,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); @@ -255,7 +273,32 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new SSLSocketExplorer(); + try { + new SSLSocketExplorer(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (Utils.isFIPS()) { + if (supportedProtocols == null || supportedProtocols.length == 0) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + sslhe.printStackTrace(); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslhe.printStackTrace(); + return; + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } Thread clientThread = null; 
diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java index 00d00001d87..2ea95b3d78d 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java @@ -31,6 +31,7 @@ * @bug 7068321 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @library ../templates + * @library /test/lib * @build SSLCapabilities SSLExplorer * @run main/othervm SSLSocketExplorerFailure SSLv2Hello,SSLv3 * @run main/othervm SSLSocketExplorerFailure SSLv3 @@ -47,6 +48,8 @@ import javax.net.ssl.*; import java.security.Security; +import jdk.test.lib.Utils; + public class SSLSocketExplorerFailure { /* @@ -233,9 +236,11 @@ private static void parseArguments(String[] args) { volatile Exception clientException = null; public static void main(String[] args) throws Exception { - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - Security.setProperty("jdk.certpath.disabledAlgorithms", ""); - + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + Security.setProperty("jdk.certpath.disabledAlgorithms", ""); + } + String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + keyStoreFile; diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java index 724a37e1a80..5d30d861ed1 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerMatchedSNI.java @@ -31,6 +31,7 @@ * @bug 7068321 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @library ../templates + * @library /test/lib * @build SSLCapabilities SSLExplorer * @run main/othervm SSLSocketExplorerMatchedSNI www.example.com * www\.example\.com 
@@ -51,6 +52,8 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; + public class SSLSocketExplorerMatchedSNI { /* @@ -291,6 +294,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java index 8f2b7816864..9907a06cb1e 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithCliSNI.java @@ -31,6 +31,7 @@ * @bug 7068321 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @library ../templates + * @library /test/lib * @build SSLCapabilities SSLExplorer * @run main/othervm SSLSocketExplorerWithCliSNI */ @@ -42,6 +43,8 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; + public class SSLSocketExplorerWithCliSNI { /* @@ -268,6 +271,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); 
diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java index f026f32e781..ca677acfe62 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerWithSrvSNI.java @@ -31,6 +31,7 @@ * @bug 7068321 * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @library ../templates + * @library /test/lib * @build SSLCapabilities SSLExplorer * @run main/othervm SSLSocketExplorerWithSrvSNI */ @@ -42,6 +43,8 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; + public class SSLSocketExplorerWithSrvSNI { /* @@ -251,6 +254,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java b/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java index da2f422149d..d1a3a218686 100644 --- a/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java +++ b/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java @@ -31,6 +31,7 @@ /* * @test * @bug 7068321 + * @library /test/lib * @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server * @run main/othervm SSLSocketSNISensitive PKIX www.example.com * @run main/othervm SSLSocketSNISensitive SunX509 www.example.com 
@@ -54,6 +55,10 @@ import java.security.interfaces.*; import java.util.Base64; +import java.io.ByteArrayInputStream; + +import jdk.test.lib.Utils; + // Note: this test case works only on TLS 1.2 and prior versions because of // the use of MD5withRSA signed certificate. public class SSLSocketSNISensitive { @@ -249,6 +254,8 @@ public class SSLSocketSNISensitive { */ static boolean debug = false; + static String[] signatureAlgos = new String[5]; + /* * Define the server side of the test. * @@ -434,10 +441,12 @@ private static SSLContext generateSSLContext(boolean isClient) public static void main(String[] args) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. - Security.setProperty("jdk.certpath.disabledAlgorithms", - "MD2, RSA keySize < 1024"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "SSLv3, RC4, DH keySize < 768"); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", + "MD2, RSA keySize < 1024"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "SSLv3, RC4, DH keySize < 768"); + } if (debug) System.setProperty("javax.net.debug", "all"); @@ -450,7 +459,36 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new SSLSocketSNISensitive(); + try { + new SSLSocketSNISensitive(); + } catch (Exception e) { + if (Utils.isFIPS()) { + // for (int i=0; i is caught."); + // return; + // } + // } + if (e instanceof javax.net.ssl.SSLHandshakeException) { + if ("no cipher suites in common".equals(e.getMessage())) { + System.out.println("Expected exception msg: is caught."); + return; + } else { + System.out.println("Unexpected exception msg: <" + e.getMessage() + "> is caught."); + return; + } + } else { + System.out.println("Unexpected exception msg is caught."); + return; + } + } else { + System.out.println("failure is not in FIPS mode."); + e.printStackTrace(); + return; + } + } } Thread clientThread = null; 
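Review bot: The non-FIPS branch of the new `catch (Exception e)` in `main` prints `failure is not in FIPS mode.` and then `return`s, so a regression in the default configuration no longer fails this test; the FIPS branch does the same for an unexpected message or exception type. Replace those `return`s with `throw e;` and keep the early return only for the `no cipher suites in common` case. The hunk also leaves behind a garbled commented-out loop (`// for (int i=0; i is caught.");`) and a new `static String[] signatureAlgos = new String[5];` that nothing in the visible hunks reads — either finish that check or drop both; the added `java.io.ByteArrayInputStream` import likewise has no visible use, though it may be used outside the hunks.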
diff --git a/test/jdk/javax/net/ssl/TLS/CipherTestUtils.java b/test/jdk/javax/net/ssl/TLS/CipherTestUtils.java index 38b0d871c1c..139a8d66f52 100644 --- a/test/jdk/javax/net/ssl/TLS/CipherTestUtils.java +++ b/test/jdk/javax/net/ssl/TLS/CipherTestUtils.java @@ -72,7 +72,7 @@ public class CipherTestUtils { public static final SecureRandom secureRandom = new SecureRandom(); public static char[] PASSWORD = "passphrase".toCharArray(); private static final List TESTS = new ArrayList<>(3); - private static final List EXCEPTIONS + public static final List EXCEPTIONS = Collections.synchronizedList(new ArrayList<>(1)); private static final String CLIENT_PUBLIC_KEY diff --git a/test/jdk/javax/net/ssl/TLS/TestJSSE.java b/test/jdk/javax/net/ssl/TLS/TestJSSE.java index 29631064011..69e487d14c4 100644 --- a/test/jdk/javax/net/ssl/TLS/TestJSSE.java +++ b/test/jdk/javax/net/ssl/TLS/TestJSSE.java @@ -21,6 +21,14 @@ * questions. */ +import java.lang.reflect.Field; + +import java.util.List; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Map; +import java.util.HashMap; + import java.net.InetAddress; import java.security.Provider; import java.security.Security; 
@@ -28,14 +36,38 @@ public class TestJSSE { private static final String LOCAL_IP = InetAddress.getLoopbackAddress().getHostAddress(); + private static boolean isFIPS = Boolean.parseBoolean(System.getProperty("semeru.fips")); + private static final Map TLS_CIPHERSUITES = new HashMap<>(); + + private static String checkIfProtocolIsUsedInCommonFIPS(String srvProtocol, String clnProtocol) { + String protocolUsedInHandShake; + List srvProtocols = Arrays.asList(srvProtocol.split(",")); + List clnProtocols; + if (clnProtocol.equals("DEFAULT")) { + if (srvProtocols.contains("TLSv1.3")) { + protocolUsedInHandShake = "TLSv1.3"; + } else if (srvProtocols.contains("TLSv1.2")) { + protocolUsedInHandShake = "TLSv1.2"; + } else { + protocolUsedInHandShake = null; + } + } else { + clnProtocols = Arrays.asList(clnProtocol.split(",")); + if (srvProtocols.contains("TLSv1.3") && clnProtocols.contains("TLSv1.3")) { + protocolUsedInHandShake = "TLSv1.3"; + } else if (srvProtocols.contains("TLSv1.2") && clnProtocols.contains("TLSv1.2")) { + protocolUsedInHandShake = "TLSv1.2"; + } else { + protocolUsedInHandShake = null; + } + } + return protocolUsedInHandShake; + } public static void main(String... args) throws Exception { - // reset the security property to make sure that the algorithms - // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); // enable debug output - System.setProperty("javax.net.debug", "ssl,record"); + // System.setProperty("javax.net.debug", "ssl,record"); String srvProtocol = System.getProperty("SERVER_PROTOCOL"); String clnProtocol = System.getProperty("CLIENT_PROTOCOL"); 
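Review bot: `isFIPS` is computed here as `Boolean.parseBoolean(System.getProperty("semeru.fips"))`, while every other test in this patch asks `Utils.isFIPS()`; two definitions of "are we in FIPS mode" will drift if `Utils.isFIPS()` ever checks more than that one property. Prefer `private static final boolean isFIPS = Utils.isFIPS();` (adding `@library /test/lib` and the import to this test), or add a comment stating that `semeru.fips` is the single source of truth and why the helper is not used here. The debug line is only commented out (`// System.setProperty("javax.net.debug", "ssl,record");`) — delete it or gate it on a system property rather than leaving dead code. `checkIfProtocolIsUsedInCommonFIPS` also deserves a one-line doc comment: it returns the higher of TLSv1.3/TLSv1.2 that both sides list (treating `DEFAULT` on the client as "both"), or `null` when the lists share neither.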
@@ -43,13 +75,50 @@ public static void main(String... args) throws Exception { if (srvProtocol == null || clnProtocol == null || cipher == null) { throw new IllegalArgumentException("Incorrect parameters"); } + if (System.getProperty("jdk.tls.client.protocols") != null) { + clnProtocol = System.getProperty("jdk.tls.client.protocols"); + } System.out.println("ServerProtocol = " + srvProtocol); System.out.println("ClientProtocol = " + clnProtocol); System.out.println("Cipher = " + cipher); + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + String protocolUsedInHandShake = null; + if (!(isFIPS)) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } else { + TLS_CIPHERSUITES.put("TLS_AES_128_GCM_SHA256", "TLSv1.3"); + TLS_CIPHERSUITES.put("TLS_AES_256_GCM_SHA384", "TLSv1.3"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + protocolUsedInHandShake = checkIfProtocolIsUsedInCommonFIPS(srvProtocol, clnProtocol); + } + try (CipherTestUtils.Server srv = server(srvProtocol, cipher, args)) { client(srv.getPort(), clnProtocol, cipher, args); + } catch (Exception e) { + if (isFIPS) { + if (protocolUsedInHandShake == null || !TLS_CIPHERSUITES.containsKey(cipher) + || (protocolUsedInHandShake != null && !TLS_CIPHERSUITES.get(cipher).equals(protocolUsedInHandShake))) { + if (CipherTestUtils.EXCEPTIONS.get(0) instanceof 
javax.net.ssl.SSLHandshakeException) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(CipherTestUtils.EXCEPTIONS.get(0).getMessage())) { + if (args.length >= 1 && args[0].equals("javax.net.ssl.SSLHandshakeException")) { + System.out.println("Expected exception msg from client: is caught"); + } else { + System.out.println("Expected exception msg from client: is caught"); + } + } + } + } + } } } diff --git a/test/jdk/javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java b/test/jdk/javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java index b26c82c8cfb..34c0c5b5c9a 100644 --- a/test/jdk/javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java +++ b/test/jdk/javax/net/ssl/TLSCommon/ConcurrentClientAccessTest.java @@ -47,9 +47,13 @@ import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManagerFactory; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /* * @test * @bug 8208496 + * @library /test/lib * @summary Test to verify concurrent behavior of TLS. * @run main/othervm ConcurrentClientAccessTest */ 
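Review bot: The new `catch (Exception e)` around the server/client run never rethrows, so in non-FIPS mode — and in FIPS mode whenever the cipher and protocol are supported — any handshake failure is now swallowed and the test passes; it should rethrow unless the FIPS "unsupported" expectation is actually met. `CipherTestUtils.EXCEPTIONS.get(0)` also throws `IndexOutOfBoundsException` when no exception was recorded, both arms of the `args[0]` check print the identical message, and the sub-condition `(protocolUsedInHandShake != null && ...)` is redundant after the `== null` test. A tightened handler:

```java
} catch (Exception e) {
    if (!isFIPS) {
        throw e;
    }
    boolean unsupportedInFips = protocolUsedInHandShake == null
            || !TLS_CIPHERSUITES.containsKey(cipher)
            || !TLS_CIPHERSUITES.get(cipher).equals(protocolUsedInHandShake);
    Object first = CipherTestUtils.EXCEPTIONS.isEmpty() ? null : CipherTestUtils.EXCEPTIONS.get(0);
    if (unsupportedInFips && first instanceof javax.net.ssl.SSLHandshakeException
            && "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
                    .equals(((Exception) first).getMessage())) {
        System.out.println("Expected exception msg from client: is caught");
        return;
    }
    throw e;
}
```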
@@ -58,46 +62,92 @@ public class ConcurrentClientAccessTest { private static final int THREADS = 50; public static void main(String[] args) throws Exception { - - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - for (String tlsProtocol : new String[]{"TLSv1.3", "TLSv1.2", - "TLSv1.1", "TLSv1"}) { - System.out.printf("Protocol: %s%n", tlsProtocol); - CountDownLatch tillServerReady = new CountDownLatch(1); - Server server = new Server(tlsProtocol, tillServerReady); - server.start(); - - // Wait till server is ready to accept connection. - tillServerReady.await(); - CountDownLatch tillClientComplete = new CountDownLatch(THREADS); - ExecutorService executor = null; - try { - executor = newExecutorService(); - // Run 50 TLS clients for concurrent access to TLS Port. - for (int count = 1; count <= THREADS; count++) { - Client client = new Client(tlsProtocol, server.port, - tillClientComplete); - executor.execute(client); - // If Client has any Exception indicates problem - if (client.exception != null) { - throw new RuntimeException(client.exception); + String[] protocols = new String[]{"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"}; + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } + // else { + // protocols = new String[]{"TLSv1.3", "TLSv1.2"}; + // } + for (String tlsProtocol : protocols) { + Server server = null; + try{ + System.out.printf("Protocol: %s%n", tlsProtocol); + CountDownLatch tillServerReady = new CountDownLatch(1); + server = new Server(tlsProtocol, tillServerReady); + server.start(); + + // Wait till server is ready to accept connection. + tillServerReady.await(); + CountDownLatch tillClientComplete = new CountDownLatch(THREADS); + ExecutorService executor = null; + try { + executor = newExecutorService(); + // Run 50 TLS clients for concurrent access to TLS Port. 
+ for (int count = 1; count <= THREADS; count++) { + Client client = null; + try { + client = new Client(tlsProtocol, server.port, + tillClientComplete); + executor.execute(client); + // If Client has any Exception indicates problem + if (client.exception != null) { + throw new RuntimeException(client.exception); + } + } catch (java.lang.RuntimeException re) { + if (client.exception != null) { + if (client.exception instanceof javax.net.ssl.SSLHandshakeException) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(client.exception.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + client.exception.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + client.exception.printStackTrace(); + return; + } + } + } + } + // Wait till all client thread complete execution + tillClientComplete.await(); + System.out.println("All client processed successfully."); + } finally { + if (executor != null) { + executor.shutdown(); } + // Fail Safe: Shutdown the server + server.stopServer(); } - // Wait till all client thread complete execution - tillClientComplete.await(); - System.out.println("All client processed successfully."); - } finally { - if (executor != null) { - executor.shutdown(); + // If Sever has any Exception indicates problem + if (server.exception != null) { + throw new RuntimeException(server.exception); + } + System.out.println(); + } catch (java.lang.RuntimeException re) { + if (Utils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(tlsProtocol)) { + if (server.exception != null) { + if (server.exception instanceof javax.net.ssl.SSLHandshakeException) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(server.exception.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } 
else { + System.out.println("Unexpected exception msg: <" + server.exception.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + server.exception.printStackTrace(); + return; + } + } + } } - // Fail Safe: Shutdown the server - server.stopServer(); - } - // If Sever has any Exception indicates problem - if (server.exception != null) { - throw new RuntimeException(server.exception); } - System.out.println(); } } diff --git a/test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java b/test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java index dce28edadf2..51eb6b729d3 100644 --- a/test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java +++ b/test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java @@ -180,7 +180,7 @@ public enum HandshakeMode { private static final String SERVER_NAME = "service.localhost"; private static final String SNI_PATTERN = ".*"; - private static final String[] TLS13_CIPHERS = { + private static String[] TLS13_CIPHERS = { "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256" @@ -188,7 +188,15 @@ public enum HandshakeMode { private static final String[] SUPPORTED_NON_KRB_CIPHERS; + private static final boolean ISFIPS = Boolean.parseBoolean(System.getProperty("semeru.fips")); + static { + if (ISFIPS) { + TLS13_CIPHERS = new String[] { + "TLS_AES_256_GCM_SHA384", + "TLS_AES_128_GCM_SHA256" + }; + } try { String[] allSupportedCiphers = getContext() .createSSLEngine().getSupportedCipherSuites(); 
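Review bot: The outer `catch (java.lang.RuntimeException re)` in `main` only handles the FIPS-and-unsupported-protocol case and otherwise falls off the end, so in non-FIPS mode (or for a supported protocol in FIPS mode) a server exception that used to fail the test is now swallowed. Both handlers also `return` from `main`, which skips every remaining entry of `protocols` once the first disabled one is hit — `continue` is the intent — and the inner handler dereferences `client`, which is still `null` if the `Client` constructor itself threw. Delete the commented-out `// else { protocols = ... }` and reshape the outer handler along these lines (the inner one analogously):

```java
} catch (java.lang.RuntimeException re) {
    if (!Utils.isFIPS() || SecurityUtils.TLS_PROTOCOLS.contains(tlsProtocol)
            || server == null
            || !(server.exception instanceof javax.net.ssl.SSLHandshakeException)
            || !"No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
                    .equals(server.exception.getMessage())) {
        throw re;
    }
    System.out.println("Expected exception msg: is caught");
    continue; // remaining protocols still need to run
}
```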
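Review bot: `ISFIPS` in `SSLEngineTestCase` is read directly from `System.getProperty("semeru.fips")` instead of through `Utils.isFIPS()` as the other tests in this patch do, and `TLS13_CIPHERS` loses its `final` only so the static initializer can reassign it. Both can be kept in one place: declare `ISFIPS` before the array and initialize conditionally, e.g. `private static final String[] TLS13_CIPHERS = ISFIPS ? new String[] {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"} : new String[] {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"};`, with a comment that ChaCha20-Poly1305 is dropped in FIPS mode (presumably because the FIPS provider does not offer it — the hunk does not say). The static block continues past the end of the hunk.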
@@ -796,10 +804,12 @@ public static void checkResult(SSLEngineResult r, */ public static SSLContext getContext() { try { - java.security.Security.setProperty( - "jdk.tls.disabledAlgorithms", ""); - java.security.Security.setProperty( - "jdk.certpath.disabledAlgorithms", ""); + if (!(ISFIPS)) { + java.security.Security.setProperty( + "jdk.tls.disabledAlgorithms", ""); + java.security.Security.setProperty( + "jdk.certpath.disabledAlgorithms", ""); + } KeyStore ks = KeyStore.getInstance("JKS"); KeyStore ts = KeyStore.getInstance("JKS"); char[] passphrase = PASSWD.toCharArray(); @@ -848,7 +858,7 @@ public static void setUpAndStartKDC() { * SSLEngineTestCase.TEST_MODE is "krb". */ public static void setUpAndStartKDCIfNeeded() { - if (TEST_MODE.equals("krb")) { + if (TEST_MODE.equals("krb") && !ISFIPS) { setUpAndStartKDC(); } } diff --git a/test/jdk/javax/net/ssl/TLSCommon/TLSTest.java b/test/jdk/javax/net/ssl/TLSCommon/TLSTest.java index 74b5c828f48..2a614683e57 100644 --- a/test/jdk/javax/net/ssl/TLSCommon/TLSTest.java +++ b/test/jdk/javax/net/ssl/TLSCommon/TLSTest.java @@ -54,9 +54,13 @@ import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManagerFactory; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /* * @test * @bug 8205111 + * @library /test/lib * @summary Test TLS with different types of supported keys. * @run main/othervm TLSTest TLSv1.3 rsa_pkcs1_sha1 TLS_AES_128_GCM_SHA256 * @run main/othervm 
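Review bot: `setUpAndStartKDCIfNeeded` now silently does nothing in FIPS mode when `TEST_MODE` is `"krb"`, so a Kerberos-mode run proceeds without a KDC and fails later for an unrelated-looking reason; make the skip visible, e.g. `if (ISFIPS) { System.out.println("KDC setup skipped: Kerberos suites are not exercised in FIPS mode"); return; }`, or exclude the krb runs in the problem list instead. In `getContext()` the stores are still opened with `KeyStore.getInstance("JKS")` whereas the socket-based tests in this patch convert them with `Utils.revertJKSToPKCS12`; presumably the `{KeyStore, JKS, *}` entry in the new test profile is what makes this work, and a one-line comment saying so would save the next reader the search.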
@@ -159,16 +163,81 @@ public static void main(String[] args) throws Exception { final String tlsProtocol = args[0]; final KeyType keyType = KeyType.valueOf(args[1]); final String cipher = args[2]; - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } + CountDownLatch serverReady = new CountDownLatch(1); Server server = new Server(tlsProtocol, keyType, cipher, serverReady); server.start(); // Wait till server is ready to accept connection. serverReady.await(); - new Client(tlsProtocol, keyType, cipher, server.port).doClientSide(); + try { + new Client(tlsProtocol, keyType, cipher, server.port).doClientSide(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (Utils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(tlsProtocol)) { + System.out.println(tlsProtocol + " is not available from Client side."); + } + if (!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipher)) { + System.out.println(cipher + " is not available from Client side."); + } else if (!SecurityUtils.TLS_CIPHERSUITES.get(cipher).equals(tlsProtocol)) { + System.out.println(cipher + " does not match " + tlsProtocol + " from Client side."); + } + if (args[1].contains("sha1")) { + System.out.println("FIPS140-3 does not support SHA1 from Client side."); + } + if ("No available authentication scheme".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught from Client side"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught from Client side"); + return; + } + } else { + sslhe.printStackTrace(); + return; + } + } catch (java.lang.ExceptionInInitializerError eiie) { + Throwable cause = eiie.getCause(); + if (cause instanceof java.lang.IllegalArgumentException) { + if (Utils.isFIPS() + && ("System property jdk.tls.namedGroups(" + System.getProperty("jdk.tls.namedGroups") + ") contains no supported named 
groups").equals(cause.getMessage())) { + System.out.println("Expected msg is caught from Client side."); + return; + } + } + } if (server.serverExc != null) { - throw new RuntimeException(server.serverExc); + if (Utils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(tlsProtocol)) { + System.out.println(tlsProtocol + " is not available from Server side."); + } + if (!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipher)) { + System.out.println(cipher + " is not available from Server side."); + } else if (!SecurityUtils.TLS_CIPHERSUITES.get(cipher).equals(tlsProtocol)) { + System.out.println(cipher + " does not match " + tlsProtocol + " from Server side."); + } + if (args[1].contains("sha1")) { + System.out.println("FIPS140-3 does not support SHA1 from Server side."); + } + if (server.serverExc instanceof javax.net.ssl.SSLHandshakeException) { + if ("No available authentication scheme".equals(server.serverExc.getMessage())) { + System.out.println("Expected exception msg: is caught from Server side"); + return; + } else { + System.out.println("Unexpected exception msg: <" + server.serverExc.getMessage() + "> is caught from Server side"); + return; + } + } else { + System.out.println("Unexpected exception is caught from Server side"); + server.serverExc.printStackTrace(); + return; + } + } else { + throw new RuntimeException(server.serverExc); + } } } diff --git a/test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java b/test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java index 3fabc5bd73c..ed6f3ce283a 100644 --- a/test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java +++ b/test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java @@ -47,6 +47,7 @@ import java.security.KeyFactory; import java.security.KeyStore; import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; import java.security.Principal; import java.security.PrivateKey; import java.security.PublicKey; 
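Review bot: The FIPS branch of the new `catch (SSLHandshakeException sslhe)` returns normally even for an unexpected message, and the non-FIPS branch does `sslhe.printStackTrace(); return;`, so a client-side handshake regression no longer fails the test in either mode — both should `throw sslhe;`. The `catch (ExceptionInInitializerError eiie)` likewise falls through when the cause is not the `jdk.tls.namedGroups` `IllegalArgumentException`, continuing into the `server.serverExc` check as if the client had run; add `throw eiie;` after the `if`. Minor: the `TLS_PROTOCOLS` / `TLS_CIPHERSUITES` / `args[1].contains("sha1")` diagnostics are duplicated for client and server and could be one private helper such as `printFipsDiagnostics(tlsProtocol, keyType, cipher)` (using `keyType.name()` instead of re-reading `args[1]`). The enclosing `main` starts before the hunk.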
@@ -71,6 +72,7 @@ import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509ExtendedKeyManager; import javax.net.ssl.X509KeyManager; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; public class TLSWithEdDSA extends SSLSocketTemplate { @@ -81,7 +83,7 @@ public class TLSWithEdDSA extends SSLSocketTemplate { private static final String DEF_ALL_EE = "EE_ECDSA_SECP256R1:" + "EE_ECDSA_SECP384R1:EE_ECDSA_SECP521R1:EE_RSA_2048:" + "EE_EC_RSA_SECP256R1:EE_DSA_2048:EE_DSA_1024:EE_ED25519:EE_ED448"; - private static final List TEST_PROTOS = List.of( + private static List TEST_PROTOS = List.of( "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"); private static CertificateFactory certFac; @@ -342,7 +344,7 @@ private static KeyStore createTrustStore(String certEnumNames) * the private key or certificate entries. */ private static KeyStore createKeyStore(String certEnumNames, char[] pass) - throws GeneralSecurityException { + throws GeneralSecurityException, NoSuchAlgorithmException { KeyStore.Builder keyStoreBuilder = KeyStore.Builder.newInstance("PKCS12", null, new KeyStore.PasswordProtection(pass)); @@ -393,7 +395,7 @@ private static X509Certificate pem2Cert(String certPem) * @throws GeneralSecurityException if any decoding errors occur. */ private static PrivateKey pem2PrivKey(String keyPem, String keyAlg) - throws GeneralSecurityException { + throws GeneralSecurityException, NoSuchAlgorithmException { PKCS8EncodedKeySpec p8Spec = new PKCS8EncodedKeySpec( Base64.getMimeDecoder().decode(keyPem)); KeyFactory keyFac = KeyFactory.getInstance(keyAlg); 
@@ -556,13 +558,24 @@ protected void runClientApplication(SSLSocket socket) throws Exception { } public static void main(String[] args) throws Exception { - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLSv1"); + if (!(Utils.isFIPS())) { + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLSv1"); + } certFac = CertificateFactory.getInstance("X.509"); String testFormat; System.out.println("===== Test KeyManager alias retrieval ====="); - testKeyManager(DEF_ALL_EE, "EdDSA", - new String[] {"ee_ed25519", "ee_ed448"}); + try { + testKeyManager(DEF_ALL_EE, "EdDSA", + new String[] {"ee_ed25519", "ee_ed448"}); + } catch (NoSuchAlgorithmException nsae) { + if (Utils.isFIPS()) { + if ("EdDSA KeyFactory not available".equals(nsae.getMessage())){ + System.out.println("Expected exception msg: is caught."); + return; + } + } + } testFormat = "===== Basic Ed25519 Server-side Authentication: %s =====\n"; @@ -593,7 +606,7 @@ public static void main(String[] args) throws Exception { private static void testKeyManager(String keyStoreSpec, String keyType, String[] expAliases) - throws GeneralSecurityException, IOException { + throws GeneralSecurityException, NoSuchAlgorithmException, IOException { char[] passChar = PASSWD.toCharArray(); // Create the KeyManager factory and resulting KeyManager @@ -626,6 +639,10 @@ private static void testKeyManager(String keyStoreSpec, String keyType, private static void runtest(String testNameFmt, SessionChecker cliChk, Class cliExpExc, SessionChecker servChk, Class servExpExc) { + // if (!(Utils.isFIPS())) { + // TEST_PROTOS = List.of( + // "TLSv1.3", "TLSv1.2"); + // } TEST_PROTOS.forEach(protocol -> { clientParameters.put(ParamType.PROTOS, protocol); TLSWithEdDSA testObj = new TLSWithEdDSA(cliChk, cliExpExc, servChk, diff --git a/test/jdk/javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java b/test/jdk/javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java index 092a6e4aee8..8d41182074b 100644 
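Review bot: In the new `try` around `testKeyManager(...)`, a `NoSuchAlgorithmException` that is not the FIPS `EdDSA KeyFactory not available` case (non-FIPS mode, or a different message) is silently dropped and `main` continues into the Ed25519/Ed448 authentication tests with no usable key factory; add `throw nsae;` after the `if (Utils.isFIPS())` block. The signature edits `throws GeneralSecurityException, NoSuchAlgorithmException` on `createKeyStore`, `pem2PrivKey` and `testKeyManager` are redundant (`NoSuchAlgorithmException` extends `GeneralSecurityException`) and can be reverted, and `TEST_PROTOS` can stay `final` since nothing visible reassigns it. The commented-out block in `runtest` (`// if (!(Utils.isFIPS())) { TEST_PROTOS = List.of("TLSv1.3", "TLSv1.2"); }`) reads inverted relative to its apparent intent and should be removed rather than left as dead code.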
--- a/test/jdk/javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java
+++ b/test/jdk/javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java
@@ -46,35 +46,63 @@ import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManagerFactory; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + /* * @test * @bug 8206355 8225438 + * @library /test/lib * @summary Test principal that was sent to the peer during handshake. * @run main/othervm TestSessionLocalPrincipal */ public class TestSessionLocalPrincipal { public static void main(String[] args) throws Exception { - - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - for (String tlsProtocol : new String[]{ - "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"}) { + String[] protocols = new String[]{"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"}; + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } + for (String tlsProtocol : protocols) { for (boolean clientAuth : new boolean[]{true, false}) { - System.out.printf("Protocol %s: Client side auth enabled: %s%n", - tlsProtocol, clientAuth); - CountDownLatch serverReady = new CountDownLatch(1); - Server server = new Server(tlsProtocol, clientAuth, - serverReady); - server.start(); - - // Wait till server is ready to accept connection. - serverReady.await(); - new Client(tlsProtocol, clientAuth, server.port).doClientSide(); - if (server.serverExc != null) { - throw new RuntimeException(server.serverExc); + Server server = null; + try { + System.out.printf("Protocol %s: Client side auth enabled: %s%n", + tlsProtocol, clientAuth); + CountDownLatch serverReady = new CountDownLatch(1); + server = new Server(tlsProtocol, clientAuth, + serverReady); + server.start(); + + // Wait till server is ready to accept connection. 
+ serverReady.await(); + new Client(tlsProtocol, clientAuth, server.port).doClientSide(); + if (server.serverExc != null) { + throw new RuntimeException(server.serverExc); + } + } catch (java.lang.RuntimeException re) { + if (Utils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(tlsProtocol)) { + if (server.serverExc != null) { + if (server.serverExc instanceof javax.net.ssl.SSLHandshakeException) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(server.serverExc.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + server.serverExc.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught"); + server.serverExc.printStackTrace(); + return; + } + } + } + } } } - } + } } public static class Server implements Runnable { diff --git a/test/jdk/javax/net/ssl/TLSTest_java.security b/test/jdk/javax/net/ssl/TLSTest_java.security new file mode 100644 index 00000000000..3b7b200d5fe --- /dev/null +++ b/test/jdk/javax/net/ssl/TLSTest_java.security 
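Review bot: The new `catch (java.lang.RuntimeException re)` in `main` falls off the end without rethrowing whenever `Utils.isFIPS()` is false or `tlsProtocol` is in `SecurityUtils.TLS_PROTOCOLS`, so a server-side failure in the default configuration (previously surfaced by `throw new RuntimeException(server.serverExc)`) is now swallowed. It also `return`s from `main` on the first disabled protocol, which skips the remaining protocol/clientAuth combinations. Put `if (!Utils.isFIPS() || SecurityUtils.TLS_PROTOCOLS.contains(tlsProtocol)) { throw re; }` at the top of the handler, use `continue` instead of `return` on the expected-message path, and `throw re;` for any unexpected message so the loop keeps running and failures stay visible.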
@@ -0,0 +1,20 @@ +# Test-TLS Restricted Security mode profile for FIPS 140-3. This profile is a test profile that extends +# OpenJCEPlusFIPS.FIPS140-3. This profile also includes non-cryptographic algorithms and common configuration +# options such as, PKCS12, JKS from SUN and PBE related services from SunJCE. +# +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS.desc.name = Test-TLS OpenJCEPlusFIPS Cryptographic Module FIPS 140-3 +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS.desc.default = false +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS.extends = RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3 + +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS.jce.provider.2 = sun.security.provider.Sun [+ \ + {KeyStore, JKS, *}, \ + {KeyStore, PKCS12, *}, \ + {MessageDigest, SHA-1, *}] + +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Test-TLS.jce.provider.4 = com.sun.crypto.provider.SunJCE [{AlgorithmParameters, PBES2, *}, \ + {AlgorithmParameters, PBEWithHmacSHA256AndAES_256, *}, \ + {AlgorithmParameters, PBEWithMD5AndDES, *}, \ + {SecretKeyFactory, PBEWithMD5AndDES, *}, \ + {Cipher, PBEWithHmacSHA256AndAES_256, *}, \ + {Mac, HmacSHA1, *},\ + {Mac, HmacPBESHA256, *}] diff --git a/test/jdk/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java b/test/jdk/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java index 7469333e2e0..7741cde0efc 100644 --- a/test/jdk/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java +++ b/test/jdk/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java @@ -32,6 +32,7 @@ * @test * @bug 4873188 * @summary Support TLS 1.1 + * @library /test/lib * @run main/othervm EmptyCertificateAuthorities * @modules java.security.jgss * java.security.jgss/sun.security.jgss.krb5 @@ -62,6 +63,9 @@ import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class EmptyCertificateAuthorities { /* 
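Review bot: The header comment says this profile adds "non-cryptographic algorithms", but the entries it re-enables from `sun.security.provider.Sun` and `SunJCE` include `{MessageDigest, SHA-1, *}`, `{Mac, HmacSHA1, *}` and `PBEWithMD5AndDES` (AlgorithmParameters and SecretKeyFactory) — MD5 and single DES are not FIPS 140-3 approved, so this is a deliberate widening of the `FIPS140-3` base profile for the legacy test keystores and suites the TLS tests exercise. State that explicitly so nobody copies the file as a deployment profile, e.g. above the `jce.provider.4` line: `# NOTE: PBEWithMD5AndDES / HmacSHA1 / SHA-1 are NOT FIPS 140-3 approved; they are enabled here only so legacy test keystores and cipher-suite tests can load. Never use this profile outside the test suite.` `desc.default = false` already keeps it from being selected implicitly, which is worth a one-line comment of its own.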
@@ -250,10 +254,12 @@ private void initialize() throws CertificateException { public static void main(String[] args) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. - Security.setProperty("jdk.certpath.disabledAlgorithms", - "MD2, RSA keySize < 1024"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "SSLv3, RC4, DH keySize < 768"); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", + "MD2, RSA keySize < 1024"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "SSLv3, RC4, DH keySize < 768"); + } String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + @@ -273,7 +279,19 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new EmptyCertificateAuthorities(); + try { + new EmptyCertificateAuthorities(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (Utils.isFIPS()) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } Thread clientThread = null; diff --git a/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java b/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java index 24933838e05..91a81be9765 100644 --- a/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java +++ b/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java @@ -51,6 +51,7 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; public class GenericBlockCipher { 
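Review bot: The new `catch (javax.net.ssl.SSLHandshakeException sslhe)` only `return`s on the expected FIPS message; in non-FIPS mode, or on any other message, it falls out of the `catch` and `main` continues past the `try` as though `new EmptyCertificateAuthorities()` had succeeded, while the blanket `catch (Exception e) { e.printStackTrace(); return; }` converts every other failure into a pass. Add `throw sslhe;` after the inner `if` and replace the second handler's `return` with `throw e;`. Since the test deliberately relies on MD5 (see the "MD5 is used in this test case" comment kept in the first hunk), a one-line comment on the FIPS path saying the handshake is expected to be rejected because the disabled-algorithm properties are left untouched would explain why the early return is correct. The enclosing `main` continues past the hunk.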
@@ -150,7 +151,7 @@ void doClientSide() throws Exception { // enable a block cipher sslSocket.setEnabledCipherSuites( - new String[] {"TLS_RSA_WITH_AES_128_CBC_SHA"}); + new String[] {"TLS_RSA_WITH_AES_128_CBC_SHA"}); InputStream sslIS = sslSocket.getInputStream(); OutputStream sslOS = sslSocket.getOutputStream(); @@ -175,7 +176,9 @@ void doClientSide() throws Exception { public static void main(String[] args) throws Exception { // Re-enable TLSv1.1 since test depends on it. - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1"); + if (!(Utils.isFIPS())) { + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1"); + } String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + @@ -195,7 +198,19 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new GenericBlockCipher(); + try { + new GenericBlockCipher(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (Utils.isFIPS()) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } Thread clientThread = null; diff --git a/test/jdk/javax/net/ssl/TLSv11/GenericStreamCipher.java b/test/jdk/javax/net/ssl/TLSv11/GenericStreamCipher.java index 99a6599c129..6394e80c6fc 100644 --- a/test/jdk/javax/net/ssl/TLSv11/GenericStreamCipher.java +++ b/test/jdk/javax/net/ssl/TLSv11/GenericStreamCipher.java @@ -27,6 +27,7 @@ * @test * @bug 4873188 * @summary Support TLS 1.1 + * @library /test/lib * @modules java.security.jgss * java.security.jgss/sun.security.jgss.krb5 * java.security.jgss/sun.security.krb5:+open @@ -51,6 +52,9 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class GenericStreamCipher { /* 
@@ -107,7 +111,7 @@ void doServerSide() throws Exception { // enable a stream cipher sslServerSocket.setEnabledCipherSuites( - new String[] {"SSL_RSA_WITH_RC4_128_MD5"}); + new String[] {"SSL_RSA_WITH_RC4_128_MD5"}); serverPort = sslServerSocket.getLocalPort(); @@ -152,7 +156,7 @@ void doClientSide() throws Exception { // enable a stream cipher sslSocket.setEnabledCipherSuites( - new String[] {"SSL_RSA_WITH_RC4_128_MD5"}); + new String[] {"SSL_RSA_WITH_RC4_128_MD5"}); InputStream sslIS = sslSocket.getInputStream(); OutputStream sslOS = sslSocket.getOutputStream(); @@ -178,7 +182,9 @@ void doClientSide() throws Exception { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + } String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + @@ -198,7 +204,19 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new GenericStreamCipher(); + try { + new GenericStreamCipher(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { + if (Utils.isFIPS()) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } Thread clientThread = null; diff --git a/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java b/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java index 39937f8b743..6de3768863b 100644 --- a/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java +++ b/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java 
@@ -31,6 +31,7 @@ * @bug 8139565 * @summary Restrict certificates with DSA keys less than 1024 bits * @library /javax/net/ssl/templates + * @library /test/lib * @run main/othervm DisabledShortDSAKeys PKIX TLSv1.2 * @run main/othervm DisabledShortDSAKeys SunX509 TLSv1.2 * @run main/othervm DisabledShortDSAKeys PKIX TLSv1.1 @@ -54,6 +55,8 @@ import java.security.interfaces.*; import java.util.Base64; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; public class DisabledShortDSAKeys extends SSLContextTemplate { @@ -175,11 +178,12 @@ protected ContextParameters getClientContextParameters() { volatile Exception clientException = null; public static void main(String[] args) throws Exception { - Security.setProperty("jdk.certpath.disabledAlgorithms", - "DSA keySize < 1024"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "DSA keySize < 1024"); - + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", + "DSA keySize < 1024"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "DSA keySize < 1024"); + } if (debug) { System.setProperty("javax.net.debug", "all"); } diff --git a/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java b/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java index 3f275d8a285..36e4c61aab6 100644 --- a/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java +++ b/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java @@ -31,6 +31,7 @@ * @bug 7109274 * @summary Consider disabling support for X.509 certificates with RSA keys * less than 1024 bits + * @library /test/lib * @library /javax/net/ssl/templates * @run main/othervm DisabledShortRSAKeys PKIX TLSv1.2 * @run main/othervm DisabledShortRSAKeys SunX509 TLSv1.2 @@ -46,6 +47,9 @@ import javax.net.ssl.*; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class DisabledShortRSAKeys extends SSLSocketTemplate { /* 
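Review bot: The FIPS branch only skips the `Security.setProperty` calls, so in FIPS mode the test still runs with its DSA-keyed contexts and no statement of what it expects there; if the FIPS profile rejects DSA outright (the CipherTest hunk in this same patch expects `DSA signing not supported in FIPS`), the failure observed would not be the short-key rejection this test asserts. A comment on the guard such as `// FIPS: the provider profile enforces the DSA key-size restriction; the properties are not overridden here` would record the intended expectation, or the test should be excluded in FIPS mode. The `jdk.test.lib.security.SecurityUtils` import added to this file is unused in the visible hunks, as are the same imports added to DisabledShortRSAKeys, ProtocolFilter, ShortRSAKey512 and ShortRSAKeyGCM.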
@@ -63,14 +67,24 @@ public DisabledShortRSAKeys(String tmAlgorithm, String enabledProtocol) { @Override public SSLContext createClientSSLContext() throws Exception { - return createSSLContext(new Cert[]{Cert.CA_RSA_512}, null, + if (Utils.isFIPS()) { + return createSSLContext(new Cert[]{Cert.CA_RSA_2048}, null, + new ContextParameters(enabledProtocol, tmAlgorithm, "NewSunX509")); + } else { + return createSSLContext(new Cert[]{Cert.CA_RSA_512}, null, new ContextParameters(enabledProtocol, tmAlgorithm, "NewSunX509")); + } } @Override public SSLContext createServerSSLContext() throws Exception { - return createSSLContext(null, new Cert[]{Cert.EE_RSA_512}, + if (Utils.isFIPS()) { + return createSSLContext(new Cert[]{Cert.EE_RSA_2048}, null, new ContextParameters(enabledProtocol, tmAlgorithm, "NewSunX509")); + } else { + return createSSLContext(null, new Cert[]{Cert.EE_RSA_512}, + new ContextParameters(enabledProtocol, tmAlgorithm, "NewSunX509")); + } } @Override @@ -109,10 +123,12 @@ protected void runClientApplication(SSLSocket socket) throws Exception { } public static void main(String[] args) throws Exception { - Security.setProperty("jdk.certpath.disabledAlgorithms", - "RSA keySize < 1024"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "RSA keySize < 1024"); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", + "RSA keySize < 1024"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "RSA keySize < 1024"); + } if (debug) { System.setProperty("javax.net.debug", "all"); @@ -126,4 +142,4 @@ public static void main(String[] args) throws Exception { */ new DisabledShortRSAKeys(tmAlgorithm, enabledProtocol).run(); } -} +} \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java b/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java index ec58bc74d0c..152ac7aed87 100644 --- a/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java +++ b/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java 
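Review bot: The FIPS branch of `createServerSSLContext` passes the end-entity certificate in the trusted-certificates position: the non-FIPS call is `createSSLContext(null, new Cert[]{Cert.EE_RSA_512}, ...)`, while the new one is `createSSLContext(new Cert[]{Cert.EE_RSA_2048}, null, ...)`, so the server is built with no key material of its own. It should read `return createSSLContext(null, new Cert[]{Cert.EE_RSA_2048}, new ContextParameters(enabledProtocol, tmAlgorithm, "NewSunX509"));`. With 2048-bit keys on both sides the FIPS run no longer exercises the short-key rejection the test is named for, which deserves a comment on the branch. The last hunk also removes the file's trailing newline (`\ No newline at end of file`), as do the ShortRSAKey512, ShortRSAKeyGCM and SignatureAlgorithms hunks; restore it.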
@@ -27,6 +27,7 @@ /* * @test * @bug 8052406 + * @library /test/lib * @summary SSLv2Hello protocol may be filter out unexpectedly * @run main/othervm ProtocolFilter */ @@ -35,6 +36,9 @@ import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class ProtocolFilter { /* @@ -90,8 +94,13 @@ void doServerSide() throws Exception { (SSLServerSocket) sslssf.createServerSocket(serverPort); // Only enable cipher suites for TLS v1.2. - sslServerSocket.setEnabledCipherSuites( - new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA256"}); + if (Utils.isFIPS()) { + sslServerSocket.setEnabledCipherSuites( + new String[]{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}); + } else { + sslServerSocket.setEnabledCipherSuites( + new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA256"}); + } serverPort = sslServerSocket.getLocalPort(); @@ -163,6 +172,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/TLSv12/ShortRSAKey512.java b/test/jdk/javax/net/ssl/TLSv12/ShortRSAKey512.java index c9ff202bd2c..c53ae0dd9b2 100644 --- a/test/jdk/javax/net/ssl/TLSv12/ShortRSAKey512.java +++ b/test/jdk/javax/net/ssl/TLSv12/ShortRSAKey512.java @@ -29,6 +29,7 @@ /* * @test * @bug 7106773 + * @library /test/lib * @summary 512 bits RSA key cannot work with SHA384 and SHA512 * * SunJSSE does not support dynamic system properties, no way to re-use 
@@ -43,6 +44,8 @@ import javax.net.ssl.*; import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; public class ShortRSAKey512 extends SSLContextTemplate { @@ -170,9 +173,11 @@ private static void parseArguments(String[] args) { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "SSLv3, RC4, DH keySize < 768"); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "SSLv3, RC4, DH keySize < 768"); + } if (debug) System.setProperty("javax.net.debug", "all"); @@ -185,7 +190,14 @@ public static void main(String[] args) throws Exception { /* * Start the tests. */ - new ShortRSAKey512(); + try { + new ShortRSAKey512(); + } catch (java.security.spec.InvalidKeySpecException ikse) { + if (Utils.isFIPS()) { + System.out.println("Inappropriate key specification: RSA keys must be at least 1024 bits long"); + return; + } + } } Thread clientThread = null; @@ -304,4 +316,4 @@ public void run() { } } } -} +} \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java b/test/jdk/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java index df6767eadfb..d5b38ad67f1 100644 --- a/test/jdk/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java +++ b/test/jdk/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java @@ -33,6 +33,7 @@ * @bug 7030966 * @summary Support AEAD CipherSuites * @library /javax/net/ssl/templates + * @library /test/lib * @run main/othervm ShortRSAKeyGCM PKIX TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * @run main/othervm ShortRSAKeyGCM PKIX TLS_RSA_WITH_AES_128_GCM_SHA256 * @run main/othervm ShortRSAKeyGCM PKIX TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 
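Review bot: The `InvalidKeySpecException` handler prints a hard-coded message instead of checking `ikse.getMessage()`, unlike the ShortRSAKeyGCM hunk in this patch, which compares the message before treating the exception as expected; here any `InvalidKeySpecException` in FIPS mode is accepted. Use the same guard: `if (Utils.isFIPS() && "Inappropriate key specification: RSA keys must be at least 1024 bits long".equals(ikse.getMessage())) {` and rethrow the exception otherwise.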
@@ -70,6 +71,8 @@ import java.security.spec.*; import java.security.interfaces.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; public class ShortRSAKeyGCM extends SSLContextTemplate { @@ -196,9 +199,11 @@ protected ContextParameters getClientContextParameters() { public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); - Security.setProperty("jdk.tls.disabledAlgorithms", - "SSLv3, RC4, DH keySize < 768"); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); + Security.setProperty("jdk.tls.disabledAlgorithms", + "SSLv3, RC4, DH keySize < 768"); + } if (debug) { System.setProperty("javax.net.debug", "all"); @@ -209,10 +214,29 @@ public static void main(String[] args) throws Exception { */ parseArguments(args); + if (Utils.isFIPS()) { + if (!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) { + System.out.println(cipherSuite + " is not supported."); + return; + } + } + /* * Start the tests. */ - new ShortRSAKeyGCM(); + try { + new ShortRSAKeyGCM(); + } catch (java.security.spec.InvalidKeySpecException ikse) { + if (Utils.isFIPS()) { + if ("Inappropriate key specification: RSA keys must be at least 1024 bits long".equals(ikse.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } + } + } catch (Exception e) { + e.printStackTrace(); + return; + } } Thread clientThread = null; @@ -337,4 +361,4 @@ public void run() { } } } -} +} \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/TLSv12/SignatureAlgorithms.java b/test/jdk/javax/net/ssl/TLSv12/SignatureAlgorithms.java index 52191ec0882..ac8c5d986ca 100644 --- a/test/jdk/javax/net/ssl/TLSv12/SignatureAlgorithms.java +++ b/test/jdk/javax/net/ssl/TLSv12/SignatureAlgorithms.java 
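Review bot: The `return` after `cipherSuite + " is not supported."` ends the run as a pass although nothing was exercised, and it is taken by every `@run` line whose suite is absent from `SecurityUtils.TLS_CIPHERSUITES`. If the test library provides `jtreg.SkippedException`, throwing it there reports the run as skipped rather than passed; at minimum the message should say the test was skipped. The DisabledAlgorithms `empty` case in this patch has the same silent pass and returns in FIPS mode without printing anything.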
@@ -33,6 +33,7 @@ * @bug 8049321 * @summary Support SHA256WithDSA in JSSE * @library /javax/net/ssl/templates + * @library /test/lib * @run main/othervm SignatureAlgorithms PKIX "SHA-224,SHA-256" * TLS_DHE_DSS_WITH_AES_128_CBC_SHA * @run main/othervm SignatureAlgorithms PKIX "SHA-1,SHA-224" @@ -54,6 +55,9 @@ import java.security.cert.Certificate; import java.security.cert.X509Certificate; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class SignatureAlgorithms extends SSLContextTemplate { /* @@ -79,11 +83,11 @@ public class SignatureAlgorithms extends SSLContextTemplate { */ volatile boolean serverReady = false; - private final Cert[] SERVER_CERTS = { - SSLContextTemplate.Cert.EE_DSA_SHA1_1024, - SSLContextTemplate.Cert.EE_DSA_SHA224_1024, - SSLContextTemplate.Cert.EE_DSA_SHA256_1024, - }; + private static Cert[] SERVER_CERTS = { + SSLContextTemplate.Cert.EE_DSA_SHA1_1024, + SSLContextTemplate.Cert.EE_DSA_SHA224_1024, + SSLContextTemplate.Cert.EE_DSA_SHA256_1024, +}; /* * Define the server side of the test. @@ -133,8 +137,14 @@ void doClientSide() throws Exception { while (!serverReady) { Thread.sleep(50); } + Cert[] trustedCerts; - SSLContext context = createSSLContext(new Cert[]{Cert.CA_DSA_SHA1_1024}, null, getClientContextParameters()); + if (Utils.isFIPS()) { + trustedCerts = new Cert[]{Cert.CA_RSA_2048}; + } else { + trustedCerts = new Cert[]{Cert.CA_DSA_SHA1_1024}; + } + SSLContext context = createSSLContext(trustedCerts, null, getClientContextParameters()); SSLSocketFactory sslsf = context.getSocketFactory(); try (SSLSocket sslSocket = @@ -143,6 +153,7 @@ void doClientSide() throws Exception { // enable TLSv1.2 only sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"}); + System.out.println("In client side, the cipherSuite is: " + cipherSuite); // enable a block cipher sslSocket.setEnabledCipherSuites(new String[] {cipherSuite}); 
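Review bot: The closing `};` of the new `private static Cert[] SERVER_CERTS` initializer is at column 0 while the rest of the field is indented; keep the original indentation. Dropping `final` so that `main` can reassign the array turns a per-instance constant into mutable static state; a comment on the field, e.g. `// Reassigned in main() under FIPS mode, where only the RSA end-entity cert is usable`, would explain why it is no longer final.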
@@ -262,17 +273,31 @@ public static void main(String[] args) throws Exception { return; } - /* - * Expose the target algorithms by diabling unexpected algorithms. - */ - Security.setProperty( - "jdk.certpath.disabledAlgorithms", disabledAlgorithms); + if (!(Utils.isFIPS())) { + /* + * Expose the target algorithms by diabling unexpected algorithms. + */ + Security.setProperty( + "jdk.certpath.disabledAlgorithms", disabledAlgorithms); - /* - * Reset the security property to make sure that the algorithms - * and keys used in this test are not disabled by default. - */ - Security.setProperty( "jdk.tls.disabledAlgorithms", ""); + /* + * Reset the security property to make sure that the algorithms + * and keys used in this test are not disabled by default. + */ + Security.setProperty( "jdk.tls.disabledAlgorithms", ""); + } else { + if (!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) { + System.out.println(cipherSuite + " is not available."); + } else if (!SecurityUtils.TLS_CIPHERSUITES.get(cipherSuite).equals("TLSv1.2")) { + System.out.println(cipherSuite + " does not match TLSv1.2"); + } + SERVER_CERTS = new Cert[] { + SSLContextTemplate.Cert.EE_RSA_2048 + }; + disabledAlgorithms = "SHA-1"; + // cipherSuite = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; + cipherSuite = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; + } /* * Start the tests. @@ -402,4 +427,4 @@ public void run() { } } } -} +} \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/TLSv13/ClientHelloKeyShares.java b/test/jdk/javax/net/ssl/TLSv13/ClientHelloKeyShares.java index da68b027e2d..f4120a9d6f5 100644 --- a/test/jdk/javax/net/ssl/TLSv13/ClientHelloKeyShares.java +++ b/test/jdk/javax/net/ssl/TLSv13/ClientHelloKeyShares.java 
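Review bot: In the FIPS branch the two diagnostic `if`s only print, and `cipherSuite` is then unconditionally set to `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, so every `@run` variant exercises the same suite and the `is not available` / `does not match TLSv1.2` messages never change the outcome; either return after those messages or remove them. `disabledAlgorithms = "SHA-1";` is dead because the only `Security.setProperty("jdk.certpath.disabledAlgorithms", ...)` call is in the non-FIPS branch. The commented-out `// cipherSuite = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";` line should be deleted.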
@@ -35,6 +35,7 @@ * @test * @bug 8247630 * @summary Use two key share entries + * @library /test/lib * @run main/othervm ClientHelloKeyShares 29 23 * @run main/othervm -Djdk.tls.namedGroups=secp384r1,secp521r1,x448,ffdhe2048 ClientHelloKeyShares 24 30 * @run main/othervm -Djdk.tls.namedGroups=brainpoolP512r1tls13,x448,ffdhe2048 ClientHelloKeyShares 33 30 @@ -50,6 +51,8 @@ import java.nio.ByteBuffer; import java.util.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; public class ClientHelloKeyShares { @@ -69,9 +72,28 @@ public static void main(String args[]) throws Exception { // values which will be the expected NamedGroup IDs in the key_share // extension. Expected named group assertions may also be affected // by setting the jdk.tls.namedGroups System property. + List expectedKeyShares = new ArrayList<>(); Arrays.stream(args).forEach(arg -> expectedKeyShares.add(Integer.valueOf(arg))); + if (Utils.isFIPS()) { + expectedKeyShares.clear(); + Map supportKeyShares = new HashMap<>(); + supportKeyShares.put("secp256r1", 23); + supportKeyShares.put("secp384r1", 24); + supportKeyShares.put("secp521r1", 25); + + if (System.getProperty("jdk.tls.namedGroups") == null) { + expectedKeyShares.add(23); + } else { + for (String nameGroup: System.getProperty("jdk.tls.namedGroups").split(",")) { + if (supportKeyShares.containsKey(nameGroup)) { + expectedKeyShares.add(supportKeyShares.get(nameGroup)); + break; + } + } + } + } SSLContext sslCtx = SSLContext.getDefault(); SSLEngine engine = sslCtx.createSSLEngine(); 
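Review bot: The FIPS branch discards the `@run` arguments with `expectedKeyShares.clear()` and then expects a single key share: the default case adds only `23`, and the loop over `jdk.tls.namedGroups` stops at the first supported group with `break`. That is a different contract from the `@summary Use two key share entries` this test documents; if the FIPS profile is known to send one key_share, say so where the branch starts, e.g. `// FIPS profile: only the NIST curves are available and a single key_share is sent for the first enabled one`, otherwise the loop should collect every supported group. `System.getProperty("jdk.tls.namedGroups")` is also read twice; read it once into a local.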
@@ -82,7 +104,19 @@ public static void main(String args[]) throws Exception { ByteBuffer.allocateDirect(session.getPacketBufferSize()); // Create and check the ClientHello message - SSLEngineResult clientResult = engine.wrap(clientOut, cTOs); + SSLEngineResult clientResult = null; + try { + clientResult = engine.wrap(clientOut, cTOs); + } catch (java.lang.ExceptionInInitializerError eiie) { + Throwable cause = eiie.getCause(); + if (cause instanceof java.lang.IllegalArgumentException) { + if (Utils.isFIPS() + && ("System property jdk.tls.namedGroups(" + System.getProperty("jdk.tls.namedGroups") + ") contains no supported named groups").equals(cause.getMessage())) { + System.out.println("Expected msg is caught."); + return; + } + } + } logResult("client wrap: ", clientResult); if (clientResult.getStatus() != SSLEngineResult.Status.OK) { throw new RuntimeException("Client wrap got status: " + @@ -217,7 +251,7 @@ private static void checkClientHello(ByteBuffer data, break; case HELLO_EXT_SUPP_VERS: foundSupVer = true; - int supVerLen = Byte.toUnsignedInt(data.get()); + int supVerLen = Byte.toUnsignedInt(data.get()); // 04 for (int remain = supVerLen; remain > 0; remain -= 2) { foundTLS13 |= (Short.toUnsignedInt(data.getShort()) == TLS_PROT_VER_13); @@ -232,7 +266,8 @@ private static void checkClientHello(ByteBuffer data, foundKeyShare = true; int ksListLen = Short.toUnsignedInt(data.getShort()); while (ksListLen > 0) { - chKeyShares.add(Short.toUnsignedInt(data.getShort())); + int ks = Short.toUnsignedInt(data.getShort()); + chKeyShares.add(ks); int ksLen = Short.toUnsignedInt(data.getShort()); data.position(data.position() + ksLen); ksListLen -= (4 + ksLen); diff --git a/test/jdk/javax/net/ssl/TLSv13/HRRKeyShares.java b/test/jdk/javax/net/ssl/TLSv13/HRRKeyShares.java index 313b2c5084b..cf5ab2224b4 100644 --- a/test/jdk/javax/net/ssl/TLSv13/HRRKeyShares.java +++ b/test/jdk/javax/net/ssl/TLSv13/HRRKeyShares.java 
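Review bot: When the caught `ExceptionInInitializerError` is not the expected FIPS case (non-FIPS run, a different cause, or a different message) the catch block completes normally and `clientResult` stays `null`, so the following `logResult(...)` and `clientResult.getStatus()` fail with a `NullPointerException` that hides the original error. End the catch with `throw eiie;` so any other initializer failure surfaces as itself. The `// 04` appended to `int supVerLen = Byte.toUnsignedInt(data.get());` in the later hunk looks like a leftover debugging note and should be removed or written out.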
@@ -45,6 +45,7 @@ import java.util.Map; import java.util.Objects; import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; public class HRRKeyShares { @@ -311,8 +312,9 @@ private static void hrrKeyShareTest(int hrrNamedGroup, boolean expectedPass) if (!initialCh.suppVersions.contains(TLS_PROT_VER_13)) { throw new RuntimeException( "Missing TLSv1.3 protocol in supported_versions"); - } else if (!initialCh.keyShares.containsKey(NG_X25519) || - !initialCh.keyShares.containsKey(NG_SECP256R1)) { + } else if (!(Utils.isFIPS()) && + (!initialCh.keyShares.containsKey(NG_X25519) || + !initialCh.keyShares.containsKey(NG_SECP256R1))) { throw new RuntimeException( "Missing one or more expected KeyShares"); } diff --git a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java index 855e34b57f0..512eeebf6eb 100644 --- a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java +++ b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java @@ -25,6 +25,7 @@ * @test * @bug 8076221 8211883 8279164 * @summary Check if weak cipher suites are disabled + * @library /test/lib * @modules jdk.crypto.ec * @run main/othervm DisabledAlgorithms default * @run main/othervm DisabledAlgorithms empty @@ -45,6 +46,9 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class DisabledAlgorithms { private static final String pathToStores = "../etc"; @@ -129,6 +133,9 @@ public static void main(String[] args) throws Exception { checkFailure(disabled_ciphersuites); break; case "empty": + if (Utils.isFIPS()) { + return; + } // reset jdk.tls.disabledAlgorithms Security.setProperty("jdk.tls.disabledAlgorithms", ""); System.out.println("jdk.tls.disabledAlgorithms = " 
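Review bot: In FIPS mode the key-share check is skipped entirely rather than adapted, so the FIPS run no longer verifies that the initial ClientHello carries any expected key share. If x25519 is the only group unavailable under FIPS, keep the `NG_SECP256R1` assertion unconditional and guard only the x25519 part: `} else if (!initialCh.keyShares.containsKey(NG_SECP256R1) || (!Utils.isFIPS() && !initialCh.keyShares.containsKey(NG_X25519))) {`. The `SecurityUtils` import added at the top of the file is not used in the visible hunk.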
diff --git a/test/jdk/javax/net/ssl/finalize/SSLSessionFinalizeTest.java b/test/jdk/javax/net/ssl/finalize/SSLSessionFinalizeTest.java index 69611763e32..690b85a1811 100644 --- a/test/jdk/javax/net/ssl/finalize/SSLSessionFinalizeTest.java +++ b/test/jdk/javax/net/ssl/finalize/SSLSessionFinalizeTest.java @@ -24,6 +24,7 @@ /* * @test * @summary Test behavior related to finalize + * @library /test/lib * @run main/othervm SSLSessionFinalizeTest * @run main/othervm/policy=security.policy SSLSessionFinalizeTest */ @@ -42,6 +43,8 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; +import jdk.test.lib.Utils; + public class SSLSessionFinalizeTest { /* @@ -104,6 +107,7 @@ void doServerSide() throws Exception { while (serverReady) { SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept(); + // System.out.printf(" accept: %s%n", sslSocket); InputStream sslIS = sslSocket.getInputStream(); OutputStream sslOS = sslSocket.getOutputStream(); @@ -192,6 +196,11 @@ public static void main(String[] args) throws Exception { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + if (Utils.isFIPS()) { + keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java index caa96cdb224..09a36ced12c 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java 
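Review bot: The new `// System.out.printf(" accept: %s%n", sslSocket);` in `doServerSide` is commented-out code and should be removed rather than committed. Commented-out blocks are also added in the SystemPropCipherSuitesOrder and TLSCipherSuitesOrder hunks.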
@@ -25,6 +25,7 @@ * @test * @bug 4750141 4895631 8217579 8163326 8279164 * @summary Check enabled and supported ciphersuites are correct + * @library /test/lib * @run main/othervm CheckCipherSuites default * @run main/othervm CheckCipherSuites limited */ @@ -33,6 +34,9 @@ import java.security.Security; import javax.net.ssl.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class CheckCipherSuites { // List of enabled cipher suites when the "crypto.policy" security @@ -130,6 +134,21 @@ public class CheckCipherSuites { "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" }; + // List of enabled cipher suites when the "-Dsemeru.fips=true -Dsemeru.customprofile" security + // property is set. + private final static String[] ENABLED_FIPS = { + "TLS_AES_256_GCM_SHA384", + "TLS_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + }; + // List of supported cipher suites when the "crypto.policy" security // property is set to "unlimited" (the default value). private final static String[] SUPPORTED_DEFAULT = { 
@@ -225,6 +244,21 @@ public class CheckCipherSuites { "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" }; + // List of enabled cipher suites when the "-Dsemeru.fips=true -Dsemeru.customprofile" security + // property is set. + private final static String[] SUPPORTED_FIPS = { + "TLS_AES_256_GCM_SHA384", + "TLS_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + }; + private static void showSuites(String[] suites) { if ((suites == null) || (suites.length == 0)) { System.out.println(""); @@ -243,7 +277,12 @@ public static void main(String[] args) throws Exception { String[] ENABLED; String[] SUPPORTED; - if (args[0].equals("default")) { + String[] FIPS; + + if (Utils.isFIPS()) { + ENABLED = ENABLED_FIPS; + SUPPORTED = SUPPORTED_FIPS; + } else if (args[0].equals("default")) { ENABLED = ENABLED_DEFAULT; SUPPORTED = SUPPORTED_DEFAULT; } else if (args[0].equals("limited")) { diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java index 2817e3400ab..c43279527f8 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java @@ -20,10 +20,11 @@ * or visit www.oracle.com if you need additional information or have any * questions. */ -import java.util.Arrays; +import java.util.*; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLSocket; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; /* 
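Review bot: The comment above `SUPPORTED_FIPS` is copied from `ENABLED_FIPS` and still says `List of enabled cipher suites`; it should read `// List of supported cipher suites when the FIPS profile is active.` Both arrays hold the same ten suites, so one constant used for both would keep them from drifting apart, and the new `String[] FIPS;` local in `main` is never assigned or read. Neither FIPS list ends with `TLS_EMPTY_RENEGOTIATION_INFO_SCSV`, which the other lists in this file do; if the FIPS provider still reports the SCSV the comparison will fail, so the omission deserves a comment.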
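Review bot: `import java.util.Arrays;` is replaced by the wildcard `import java.util.*;` in SystemPropCipherSuitesOrder; list the classes actually used (`Arrays`, `ArrayList`, `List`) instead, matching the explicit imports elsewhere in the patch (for example the HRRKeyShares hunk).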
@@ -77,20 +78,63 @@ public class SystemPropCipherSuitesOrder extends SSLSocketTemplate { private final String protocol; - private static String[] servercipherSuites; - private static String[] clientcipherSuites; + private static String[] servercipherSuites = null; + private static String[] clientcipherSuites = null; public static void main(String[] args) { - servercipherSuites + + if (Utils.isFIPS()) { + // if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { + // System.out.println(args[0] + " is not supported in FIPS 140-3."); + // return; + // } + List tmpClient = new ArrayList<>(); + if (System.getProperty("jdk.tls.client.cipherSuites") != null) { + for (String clientcipherSuite : toArray(System.getProperty("jdk.tls.client.cipherSuites"))) { + if (SecurityUtils.TLS_CIPHERSUITES.containsKey(clientcipherSuite)) { + tmpClient.add(clientcipherSuite); + System.out.println("jdk.tls.client.cipherSuites: " + clientcipherSuite); + } + } + } + List tmpServer = new ArrayList<>(); + if (System.getProperty("jdk.tls.server.cipherSuites") != null) { + for (String servercipherSuite : toArray(System.getProperty("jdk.tls.server.cipherSuites"))) { + if (SecurityUtils.TLS_CIPHERSUITES.containsKey(servercipherSuite)) { + tmpServer.add(servercipherSuite); + System.out.println("jdk.tls.server.cipherSuites: " + servercipherSuite); + } + } + } + if (tmpClient.size() != 0) { + clientcipherSuites = tmpClient.toArray(new String[0]); + } + if (tmpServer.size() != 0) { + servercipherSuites = tmpServer.toArray(new String[0]); + } + + } else { + servercipherSuites = toArray(System.getProperty("jdk.tls.server.cipherSuites")); - clientcipherSuites + clientcipherSuites = toArray(System.getProperty("jdk.tls.client.cipherSuites")); + } System.out.printf("SYSTEM PROPERTIES: ServerProp:%s - ClientProp:%s%n", Arrays.deepToString(servercipherSuites), Arrays.deepToString(clientcipherSuites)); try { new SystemPropCipherSuitesOrder(args[0]).run(); + } catch (javax.net.ssl.SSLHandshakeException sslhe) { 
+ if (Utils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0]) + || (servercipherSuites == null && clientcipherSuites == null)) { + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) { + System.out.println("Expected exception msg: is caught."); + return; + } + } + } } catch (Exception e) { throw new RuntimeException(e); } @@ -100,7 +144,9 @@ private SystemPropCipherSuitesOrder(String protocol) { this.protocol = protocol; // Re-enable protocol if disabled. if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) { - SecurityUtils.removeFromDisabledTlsAlgs(protocol); + if (!(Utils.isFIPS())) { + SecurityUtils.removeFromDisabledTlsAlgs(protocol); + } } } diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java index c2171d80889..240ceb3e97d 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java @@ -24,6 +24,7 @@ import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLSocket; +import jdk.test.lib.Utils; import jdk.test.lib.security.SecurityUtils; /* 
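Review bot: In the FIPS catch branch, when the protocol is in `SecurityUtils.TLS_PROTOCOLS` and at least one suite list is non-null, or when the message differs, the `SSLHandshakeException` is dropped and `main` returns normally, whereas before the change it reached the `catch (Exception e)` below and was rethrown. Add `throw new RuntimeException(sslhe);` at the end of the catch so only the documented FIPS case passes. The commented-out protocol check at the top of the FIPS branch should be deleted, and `tmpClient.size() != 0` / `tmpServer.size() != 0` read better as `!tmpClient.isEmpty()` / `!tmpServer.isEmpty()`.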
@@ -59,10 +60,33 @@ public class TLSCipherSuitesOrder extends SSLSocketTemplate { public static void main(String[] args) { PROTOCOL protocol = PROTOCOL.valueOf(args[0]); + // if (Utils.isFIPS()) { + // if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { + // System.out.println(args[0] + " is not supported in FIPS 140-3."); + // return; + // } + // } try { new TLSCipherSuitesOrder(protocol.getProtocol(), protocol.getCipherSuite(args[1]), protocol.getCipherSuite(args[2])).run(); + } catch (javax.net.ssl.SSLHandshakeException sslex) { + if (Utils.isFIPS()) { + if (!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) { + System.out.println(args[0] + " is not supported in FIPS 140-3."); + } + if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslex.getMessage())) { + System.out.println("Expected exception msg: is caught"); + return; + } else { + System.out.println("Unexpected exception msg: <" + sslex.getMessage() + "> is caught"); + return; + } + } else { + System.out.println("Unexpected exception is caught in Non-FIPS mode"); + sslex.printStackTrace(); + return; + } } catch (Exception e) { throw new RuntimeException(e); } @@ -71,8 +95,10 @@ public static void main(String[] args) { private TLSCipherSuitesOrder(String protocol, String[] clientcipherSuites, String[] servercipherSuites) { // Re-enable protocol if it is disabled. - if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) { - SecurityUtils.removeFromDisabledTlsAlgs(protocol); + if (!Utils.isFIPS()) { + if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) { + SecurityUtils.removeFromDisabledTlsAlgs(protocol); + } } this.protocol = protocol; this.clientcipherSuites = clientcipherSuites; diff --git a/test/jdk/javax/net/ssl/sanity/interop/CipherTest.java b/test/jdk/javax/net/ssl/sanity/interop/CipherTest.java index 39e88abce8e..9ce3e760b4b 100644 --- a/test/jdk/javax/net/ssl/sanity/interop/CipherTest.java 
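Review bot: In the non-FIPS branch of the new `catch (javax.net.ssl.SSLHandshakeException sslex)` the failure is printed and then `return`ed from, so a handshake failure that previously failed the test through `catch (Exception e)` now passes; the FIPS branch likewise returns after printing "Unexpected exception msg", so only the one recognised message is actually verified. Replace the two unexpected-case `return;` statements with `throw new RuntimeException(sslex);` and keep `return;` only for the expected-message case. The "is not supported in FIPS 140-3" printout is reached even when the message check then fails, so it belongs inside the expected-message branch. The commented-out block above the try should be deleted.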
+++ b/test/jdk/javax/net/ssl/sanity/interop/CipherTest.java @@ -58,6 +58,7 @@ public class CipherTest { static SecureRandom secureRandom; private static PeerFactory peerFactory; + public static final boolean ISFIPS = Boolean.parseBoolean(System.getProperty("semeru.fips")); static abstract class Server implements Runnable { @@ -135,8 +136,24 @@ private CipherTest(PeerFactory peerFactory) throws IOException { factory = (SSLSocketFactory)SSLSocketFactory.getDefault(); SSLSocket socket = (SSLSocket)factory.createSocket(); String[] cipherSuites = socket.getSupportedCipherSuites(); - String[] protocols = socket.getSupportedProtocols(); - String[] clientAuths = {null, "RSA", "DSA"}; + String[] protocols = null; + String[] clientAuths = null; + if (ISFIPS) { + clientAuths = new String[]{null, "RSA"}; + List tmp = new ArrayList<>(); + for (String protocol : socket.getSupportedProtocols()) { + if (protocol.equals("TLSv1.2") || protocol.equals("TLSv1.3")) { + tmp.add(protocol); + } + } + if (tmp.size() == 0 || tmp == null) { + return; + } + protocols = tmp.toArray(new String[0]); + } else { + clientAuths = new String[]{null, "RSA", "DSA"}; + protocols = socket.getSupportedProtocols(); + } tests = new ArrayList( cipherSuites.length * protocols.length * clientAuths.length); for (int j = 0; j < protocols.length; j++) { @@ -248,6 +265,16 @@ public final void run() { try { runTest(params); System.out.println("Passed " + params); + } catch (javax.net.ssl.SSLException sslException) { + if (ISFIPS) { + if ("DSA signing not supported in FIPS".equals(sslException.getMessage())) { + System.out.println("Expected exception msg: is caught."); + } else { + cipherTest.setFailed(); + System.out.println("** Failed " + params + "**"); + sslException.printStackTrace(); + } + } } catch (Exception e) { cipherTest.setFailed(); System.out.println("** Failed " + params + "**"); 
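Review bot: `tmp == null` on the `if (tmp.size() == 0 || tmp == null)` line can never be true — `tmp` was just constructed and is already dereferenced by `size()` — so the check should read `if (tmp.isEmpty())`. More importantly, that early `return` leaves the constructor without assigning `tests`, so whatever reads `tests` afterwards (outside this hunk) presumably fails with a NullPointerException rather than a clear message; `throw new RuntimeException("no FIPS-approved TLS protocol among supported protocols");` would make the condition explicit. `List tmp` should be `List<String>`, and `ISFIPS` in the first hunk re-parses `semeru.fips` directly instead of going through the `Utils.isFIPS()` used elsewhere in this change, which is worth aligning if `/test/lib` is on this test's library path.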
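Review bot: The new `catch (javax.net.ssl.SSLException sslException)` has no branch for the non-FIPS case, so in normal mode any SSLException thrown by `runTest(params)` is now caught and silently dropped instead of reaching `catch (Exception e)`, which called `cipherTest.setFailed()` and printed the failure. Narrow the special case so only the expected message is absorbed: `if (ISFIPS && "DSA signing not supported in FIPS".equals(sslException.getMessage())) { System.out.println("Expected exception msg: is caught."); } else { cipherTest.setFailed(); System.out.println("** Failed " + params + "**"); sslException.printStackTrace(); }`. Matching on the exact exception text ties the test to the provider's wording; a comment naming where that message originates would help whoever changes it next. The enclosing run() method continues outside the hunk.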
diff --git a/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java b/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java index 09e40c033b3..179ab260d5a 100644 --- a/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java +++ b/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java @@ -27,17 +27,22 @@ * @summary Verify that all ciphersuites work in all configurations * @author Andreas Sterbenz * @library ../../TLSCommon + * @library /test/lib * @run main/othervm/timeout=300 ClientJSSEServerJSSE */ import java.security.Security; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; public class ClientJSSEServerJSSE { public static void main(String[] args) throws Exception { // reset security properties to make sure that the algorithms // and keys used in this test are not disabled. - Security.setProperty("jdk.tls.disabledAlgorithms", ""); - Security.setProperty("jdk.certpath.disabledAlgorithms", ""); + if (!(Utils.isFIPS())) { + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + Security.setProperty("jdk.certpath.disabledAlgorithms", ""); + } CipherTest.main(new JSSEFactory(), args); } diff --git a/test/jdk/javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java b/test/jdk/javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java index dcf0fab42c9..8a4e9e6afe1 100644 --- a/test/jdk/javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java +++ b/test/jdk/javax/net/ssl/sanity/pluggability/CheckSSLContextExport.java @@ -25,11 +25,15 @@ * @test * @bug 4635454 6208022 8130181 * @summary Check pluggability of SSLContext class. + * @library /test/lib */ import java.security.*; import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.Utils; +import jdk.test.lib.security.SecurityUtils; + public class CheckSSLContextExport extends Provider { private static String info = "test provider for JSSE pluggability"; 
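Review bot: `jdk.test.lib.security.SecurityUtils` is imported but not used in the ClientJSSEServerJSSE hunk, and the same unused import is added to CheckSSLContextExport in the next hunk; drop both. The comment above the new guard still says the properties are reset "to make sure that the algorithms and keys used in this test are not disabled", which no longer holds in FIPS mode; add a line such as `// In FIPS 140-3 mode the disabled-algorithm lists are left as configured; CipherTest treats the resulting DSA failures as expected.` so the reader knows the skip is deliberate.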
@@ -45,8 +49,12 @@ public static void test(String protocol) throws Exception { String providerName = mySSLContext.getProvider().getName(); if (!providerName.equals("TestJSSEPluggability")) { - System.out.println(providerName + "'s SSLContext is used"); - throw new Exception("...used the wrong provider: " + providerName); + if (!(Utils.isFIPS())) { + System.out.println(providerName + "'s SSLContext is used"); + throw new Exception("...used the wrong provider: " + providerName); + } else { + System.out.println("In FIPS mode, we dont support customized provider yet, " + providerName + "'s SSLContext is used"); + } } for (int i = 0; i < 2; i++) { boolean standardCiphers = true; @@ -112,7 +120,16 @@ public static void main(String[] argv) throws Exception { try { for (int i = 0; i < protocols.length; i++) { System.out.println("Testing " + protocols[i] + "'s SSLContext"); - test(protocols[i]); + try { + test(protocols[i]); + } catch (java.lang.IllegalStateException ise) { + if (Utils.isFIPS()) { + if (protocols[i].equals("SSL") && "SSLContext is not initialized".equals(ise.getMessage())) { + System.out.println("SSL is not supported in FIPS140-3."); + continue; + } + } + } } System.out.println("Test Passed"); } finally { diff --git a/test/jdk/javax/net/ssl/templates/NetSslUtils.java b/test/jdk/javax/net/ssl/templates/NetSslUtils.java new file mode 100644 index 00000000000..14b611d4e4e --- /dev/null +++ b/test/jdk/javax/net/ssl/templates/NetSslUtils.java 
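Review bot: The new `catch (java.lang.IllegalStateException ise)` around `test(protocols[i])` only `continue`s in the recognised FIPS/"SSL" case and otherwise falls out of the catch with nothing thrown, so in non-FIPS mode, or for any other protocol or message in FIPS mode, the exception is dropped and "Test Passed" is still printed. Add `throw ise;` as the last statement of the catch block. In the first hunk the FIPS branch turns the wrong-provider condition into a printout, which means the pluggability check this test exists for is not performed in FIPS mode; if that is intended, the test should say so where jtreg can see it (the `@summary`, or an explicit skip of the FIPS run) rather than reporting success, and the message's "dont" should be "don't". The enclosing main continues outside the hunk.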
@@ -0,0 +1,108 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. 
+ */ + + import java.security.Security; + import java.security.Provider; + import java.util.List; + import java.util.ArrayList; + import java.util.Map; + import java.util.HashMap; + + import java.io.FileInputStream; + import java.io.FileOutputStream; + import java.security.KeyStore; + import java.security.Key; + import java.security.cert.Certificate; + import java.util.Enumeration; + + public class NetSslUtils { + public static final List TLS_PROTOCOLS = new ArrayList<>(); + public static final Map TLS_CIPHERSUITES = new HashMap<>(); + + public static final String isFIPS = System.getProperty("semeru.fips"); + public static boolean isFIPS() { + System.out.println("semeru.fips is: " + System.getProperty("semeru.fips")); + return Boolean.parseBoolean(isFIPS); + } + + public static final String FIPS_PROFILE = System.getProperty("semeru.customprofile"); + public static String getFipsProfile() { + System.out.println("semeru.customprofile is: " + System.getProperty("semeru.customprofile")); + return FIPS_PROFILE; + } + + public static String revertJKSToPKCS12(String keyFilename, String passwd) { + String p12keyFilename = keyFilename + ".p12"; + try { + KeyStore jksKeystore = KeyStore.getInstance("JKS"); + try (FileInputStream fis = new FileInputStream(keyFilename)) { + jksKeystore.load(fis, passwd.toCharArray()); + } + + KeyStore pkcs12Keystore = KeyStore.getInstance("PKCS12"); + pkcs12Keystore.load(null, null); + + Enumeration aliasesKey = jksKeystore.aliases(); + while (aliasesKey.hasMoreElements()) { + String alias = aliasesKey.nextElement(); + if (jksKeystore.isKeyEntry(alias)) { + char[] keyPassword = passwd.toCharArray(); + Key key = jksKeystore.getKey(alias, keyPassword); + Certificate[] chain = jksKeystore.getCertificateChain(alias); + pkcs12Keystore.setKeyEntry(alias, key, passwd.toCharArray(), chain); + } else if (jksKeystore.isCertificateEntry(alias)) { + Certificate cert = jksKeystore.getCertificate(alias); + pkcs12Keystore.setCertificateEntry(alias, cert); + 
} + } + + try (FileOutputStream fos = new FileOutputStream(p12keyFilename)) { + pkcs12Keystore.store(fos, passwd.toCharArray()); + } + System.out.println("JKS keystore converted to PKCS12 successfully."); + } catch (Exception e) { + e.printStackTrace(); + } + return p12keyFilename; + } + + static { + TLS_PROTOCOLS.add("TLSv1.2"); + TLS_PROTOCOLS.add("TLSv1.3"); + + TLS_CIPHERSUITES.put("TLS_AES_128_GCM_SHA256", "TLSv1.3"); + TLS_CIPHERSUITES.put("TLS_AES_256_GCM_SHA384", "TLSv1.3"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + } + } \ No newline at end of file diff --git a/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java b/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java index 568575faaee..88f8c8cc27f 100644 --- a/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java +++ b/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java 
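Review bot: `revertJKSToPKCS12` catches every exception, prints the stack trace and still returns `p12keyFilename`, so a failed conversion (wrong password, missing file, unwritable directory) is reported as success and the caller in TLSBase then points `javax.net.ssl.keyStore` at a file that was never written; rethrow instead, e.g. `throw new RuntimeException("JKS to PKCS12 conversion failed for " + keyFilename, e);`. The converted store is written as `keyFilename + ".p12"` beside the original, which for TLSBase lives under `test.src`; writing into the test source tree fails on a read-only checkout and races when several test VMs convert the same file, so the output belongs in the scratch directory (`user.dir`) under a unique name. This class duplicates the `isFIPS`, `getFipsProfile` and `revertJKSToPKCS12` additions made to `jdk.test.lib.Utils` in this same change, and its `TLS_CIPHERSUITES` map differs from the one added to `SecurityUtils` (this copy has four extra `TLS_DHE_RSA_*` entries), so the two FIPS allow-lists will drift unless one definition is kept. Smaller points: `List`, `Map` and `Enumeration` are raw types, the public `isFIPS` String field shares its name with the `isFIPS()` method, "convert" rather than "revert" describes what the method does, the copyright header reads 2015 for a file created here, and the file ends without a trailing newline.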
@@ -112,7 +112,7 @@ protected TrustManager createTrustManager(Cert[] trustedCerts, CertificateFactory cf = CertificateFactory.getInstance("X.509"); ByteArrayInputStream is; - KeyStore ts = KeyStore.getInstance("JKS"); + KeyStore ts = KeyStore.getInstance("JKS"); ts.load(null, null); if (trustedCerts != null && trustedCerts.length != 0) { diff --git a/test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java b/test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java index fa6cccbcdcf..ed2bef460b2 100644 --- a/test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java +++ b/test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java @@ -176,6 +176,9 @@ protected void configureServerSocket(SSLServerSocket socket) { protected void doServerSide() throws Exception { // kick start the server side service SSLContext context = createServerSSLContext(); + // if (context == null) { + // return; + // } SSLServerSocketFactory sslssf = context.getServerSocketFactory(); InetAddress serverAddress = this.serverAddress; SSLServerSocket sslServerSocket = serverAddress == null ? @@ -266,6 +269,9 @@ protected void doClientSide() throws Exception { } SSLContext context = createClientSSLContext(); + // if (context == null) { + // return; + // } SSLSocketFactory sslsf = context.getSocketFactory(); try (SSLSocket sslSocket = (SSLSocket)sslsf.createSocket()) { diff --git a/test/jdk/javax/net/ssl/templates/TLSBase.java b/test/jdk/javax/net/ssl/templates/TLSBase.java index bcddb1147c8..38557a0550c 100644 --- a/test/jdk/javax/net/ssl/templates/TLSBase.java +++ b/test/jdk/javax/net/ssl/templates/TLSBase.java @@ -20,7 +20,6 @@ * or visit www.oracle.com if you need additional information or have any * questions. */ - import javax.net.ssl.SSLContext; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLServerSocketFactory; 
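Review bot: Both SSLSocketTemplate hunks add a commented-out `// if (context == null) { return; }` after `createServerSSLContext()` / `createClientSSLContext()`; commented-out code in a shared template is either a pending behaviour change or noise, and neither hunk says which. If a null context is a real outcome in FIPS mode, the template should handle it explicitly (throw with a message naming the side, or a documented skip); otherwise remove the three lines from each hunk. The SSLContextTemplate hunk appears to change only whitespace on the `KeyStore ts = KeyStore.getInstance("JKS");` line and can be dropped from the change.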
@@ -72,6 +71,12 @@ abstract public class TLSBase { String trustFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; + + if (NetSslUtils.isFIPS()) { + keyFilename = NetSslUtils.revertJKSToPKCS12(keyFilename, passwd); + trustFilename = NetSslUtils.revertJKSToPKCS12(trustFilename, passwd); + } + System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); diff --git a/test/lib/jdk/test/lib/Utils.java b/test/lib/jdk/test/lib/Utils.java index f84ddab6d55..ef3c42d255c 100644 --- a/test/lib/jdk/test/lib/Utils.java +++ b/test/lib/jdk/test/lib/Utils.java @@ -59,6 +59,12 @@ import java.util.function.Function; import java.util.regex.Matcher; import java.util.regex.Pattern; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.security.KeyStore; +import java.security.Key; +import java.security.cert.Certificate; +import java.util.Enumeration; import static jdk.test.lib.Asserts.assertTrue; import jdk.test.lib.process.ProcessTools; 
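Review bot: The paths returned by `NetSslUtils.revertJKSToPKCS12` are used unconditionally, but that helper returns the `.p12` name even when conversion failed, so `javax.net.ssl.keyStore` and `trustStore` can end up pointing at files that do not exist and the failure surfaces later as an opaque handshake error; check that the file exists (or make the helper throw) before setting the properties. The reason for the conversion is not recorded — a comment such as `// FIPS 140-3 mode: the JKS test stores are converted to PKCS12 copies before use.` (with the actual restriction named) would explain it to the next reader. The enclosing initializer starts outside the hunk.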
@@ -148,6 +154,54 @@ public final class Utils { * Contains the seed value used for {@link java.util.Random} creation. */ public static final long SEED; + + public static final String isFIPS = System.getProperty("semeru.fips"); + public static boolean isFIPS() { + System.out.println("semeru.fips is: " + System.getProperty("semeru.fips")); + return Boolean.parseBoolean(isFIPS); + } + + public static final String FIPS_PROFILE = System.getProperty("semeru.customprofile"); + public static String getFipsProfile() { + System.out.println("semeru.customprofile is: " + System.getProperty("semeru.customprofile")); + return FIPS_PROFILE; + } + + public static String revertJKSToPKCS12(String keyFilename, String passwd) { + String p12keyFilename = keyFilename + ".p12"; + try { + KeyStore jksKeystore = KeyStore.getInstance("JKS"); + try (FileInputStream fis = new FileInputStream(keyFilename)) { + jksKeystore.load(fis, passwd.toCharArray()); + } + + KeyStore pkcs12Keystore = KeyStore.getInstance("PKCS12"); + pkcs12Keystore.load(null, null); + + Enumeration aliasesKey = jksKeystore.aliases(); + while (aliasesKey.hasMoreElements()) { + String alias = aliasesKey.nextElement(); + if (jksKeystore.isKeyEntry(alias)) { + char[] keyPassword = passwd.toCharArray(); + Key key = jksKeystore.getKey(alias, keyPassword); + Certificate[] chain = jksKeystore.getCertificateChain(alias); + pkcs12Keystore.setKeyEntry(alias, key, passwd.toCharArray(), chain); + } else if (jksKeystore.isCertificateEntry(alias)) { + Certificate cert = jksKeystore.getCertificate(alias); + pkcs12Keystore.setCertificateEntry(alias, cert); + } + } + + try (FileOutputStream fos = new FileOutputStream(p12keyFilename)) { + pkcs12Keystore.store(fos, passwd.toCharArray()); + } + System.out.println("JKS keystore converted to PKCS12 successfully."); + } catch (Exception e) { + e.printStackTrace(); + } + return p12keyFilename; + } + static { var seed = Long.getLong(SEED_PROPERTY_NAME); if (seed != null) { 
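Review bot: The new public members of this library class have no Javadoc, whereas the neighbouring `SEED` field is documented; add e.g. `/** Returns true when the {@code semeru.fips} system property is set to true (FIPS 140-3 mode). */` on `isFIPS()` and `/** Value of the {@code semeru.customprofile} system property, or null when unset. */` on `getFipsProfile()`, plus a short description of what `revertJKSToPKCS12` writes and returns. Both getters print to stdout on every call, which a shared helper should not do; the tests in this change call `Utils.isFIPS()` several times per run, so the log fills with `semeru.fips is:` lines. The `isFIPS` field and `isFIPS()` method share a name, and the method re-reads the property for its message while returning the value cached at class init, so the two can disagree; use one source. `revertJKSToPKCS12` has the same problems as the copy added in NetSslUtils: it swallows conversion errors and still returns the `.p12` path, and writes next to the input file rather than into the scratch directory.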
diff --git a/test/lib/jdk/test/lib/security/SecurityUtils.java b/test/lib/jdk/test/lib/security/SecurityUtils.java index 319416a466c..cfd96bd6362 100644 --- a/test/lib/jdk/test/lib/security/SecurityUtils.java +++ b/test/lib/jdk/test/lib/security/SecurityUtils.java @@ -30,6 +30,7 @@ import java.util.List; import java.util.stream.Collectors; import java.util.stream.Stream; +import java.util.*; /** * Common library for various security test helper functions. @@ -126,4 +127,23 @@ private static boolean anyMatch(String value, List algs) { } private SecurityUtils() {} + + public static final List TLS_PROTOCOLS = new ArrayList<>(); + public static final Map TLS_CIPHERSUITES = new HashMap<>(); + + static { + TLS_PROTOCOLS.add("TLSv1.2"); + TLS_PROTOCOLS.add("TLSv1.3"); + + TLS_CIPHERSUITES.put("TLS_AES_128_GCM_SHA256", "TLSv1.3"); + TLS_CIPHERSUITES.put("TLS_AES_256_GCM_SHA384", "TLSv1.3"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + TLS_CIPHERSUITES.put("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"); + } }
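Review bot: `TLS_PROTOCOLS` and `TLS_CIPHERSUITES` are public mutable `ArrayList`/`HashMap` instances exposed as raw `List`/`Map`, so any test can add to or remove from the FIPS allow-list at runtime; build them immutably, e.g. `public static final List<String> TLS_PROTOCOLS = List.of("TLSv1.2", "TLSv1.3");` and a `Map<String, String>` via `Map.ofEntries(...)` or `Collections.unmodifiableMap`, which also removes the static initializer. This map lists ten suites while the copy added to NetSslUtils in the same change lists fourteen (it also has the `TLS_DHE_RSA_*` GCM and CBC entries); the two allow-lists should be one definition, or each should document why they differ. In the first hunk `import java.util.*;` is added although `java.util.List` is already imported by name and the file otherwise uses single-type imports; import `ArrayList`, `Map` and `HashMap` explicitly. A Javadoc line on each constant stating that it is the set of TLS protocols and cipher suites expected to be available in FIPS 140-3 mode would make the intent visible to the tests that consult it.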