Update TLS tests to be run in FIPS 140-3 mode. #380

wants to merge 1 commit into
base: openj9
33 changes: 31 additions & 2 deletions test/jdk/javax/net/ssl/DTLS/CipherSuite.java
Expand Up @@ -52,6 +52,9 @@
import javax.net.ssl.SSLEngine;
import java.security.Security;

import jdk.test.lib.Utils;
import jdk.test.lib.security.SecurityUtils;

/**
* Test common DTLS cipher suites.
*/
Expand All @@ -61,14 +64,40 @@ public class CipherSuite extends DTLSOverDatagram {
volatile static String cipherSuite;

public static void main(String[] args) throws Exception {
if (args.length > 1 && "re-enable".equals(args[1])) {
if (args.length > 1 && "re-enable".equals(args[1])
&& !(Utils.isFIPS())) {
Security.setProperty("jdk.tls.disabledAlgorithms", "");
}

cipherSuite = args[0];

CipherSuite testCase = new CipherSuite();
testCase.runTest(testCase);
try {
testCase.runTest(testCase);
} catch (javax.net.ssl.SSLHandshakeException sslhe) {
if (Utils.isFIPS()) {
if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) {
if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
return;
} else {
System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
return;
}
} else {
System.out.println("Unexpected exception is caught");
sslhe.printStackTrace();
return;
}
} else {
System.out.println("Unexpected exception is caught in Non-FIPS mode");
sslhe.printStackTrace();
return;
}
} catch (Exception e) {
e.printStackTrace();
return;
}
}

@Override
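Review bot: Every path through the new catch blocks around `testCase.runTest(testCase)` ends in `return`, so an unexpected SSLHandshakeException — one thrown outside FIPS mode, or for a suite that SecurityUtils.TLS_CIPHERSUITES lists as acceptable — is printed and the run still exits as a pass, and with jtreg only an uncaught exception fails the test. Only the expected FIPS rejection should return; the other branches should rethrow, and the trailing `catch (Exception e) { e.printStackTrace(); return; }` should be dropped since main already declares `throws Exception`. The same swallow-and-return shape appears in DTLSWontNegotiateV10, WeakCipherSuite and CriticalSubjectAltName in this PR. Comparing against the full exception message string is also brittle; if it is kept, the literal should live in one constant so the check and the log line cannot drift apart.
```java
        try {
            testCase.runTest(testCase);
        } catch (javax.net.ssl.SSLHandshakeException sslhe) {
            // Only a FIPS-mode rejection of a suite that is not FIPS-approved
            // is an expected outcome; anything else must fail the test.
            if (Utils.isFIPS()
                    && !SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)
                    && "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
                            .equals(sslhe.getMessage())) {
                System.out.println("Expected exception msg: <" + sslhe.getMessage() + "> is caught");
                return;
            }
            throw sslhe;
        }
```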
24 changes: 23 additions & 1 deletion test/jdk/javax/net/ssl/DTLS/DTLSWontNegotiateV10.java
Expand Up @@ -51,7 +51,9 @@ public class DTLSWontNegotiateV10 {
private static final int READ_TIMEOUT_SECS = Integer.getInteger("readtimeout", 30);

public static void main(String[] args) throws Exception {
if (args[0].equals(DTLSV_1_0)) {

if (args[0].equals(DTLSV_1_0)
&& !(Utils.isFIPS())) {
SecurityUtils.removeFromDisabledTlsAlgs(DTLSV_1_0);
}

Expand All @@ -74,6 +76,26 @@ public static void main(String[] args) throws Exception {
break;
} catch (SocketTimeoutException exc) {
System.out.println("The server timed-out waiting for packets from the client.");
} catch (javax.net.ssl.SSLHandshakeException sslhe) {
if (Utils.isFIPS()) {
if(!SecurityUtils.TLS_PROTOCOLS.contains(args[0])) {
if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
return;
} else {
System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
return;
}
} else {
System.out.println("Unexpected exception is caught");
sslhe.printStackTrace();
return;
}
} else {
System.out.println("Unexpected exception is caught in Non-FIPS mode");
sslhe.printStackTrace();
return;
}
}
}
if (tries == totalAttempts) {
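Review bot: Style: the added guard `&& !(Utils.isFIPS())` wraps the call in redundant parentheses; `!Utils.isFIPS()` is the usual form, and the same spelling is repeated in WeakCipherSuite and CriticalSubjectAltName. The change also inserts a blank line directly after the main signature and writes `if(!SecurityUtils.TLS_PROTOCOLS...` without a space after `if`, both unlike the surrounding code. The retry loop that encloses the new catch clause begins before the hunk, so its `return` statements leave main rather than the loop and the `tries == totalAttempts` check below never runs on that path; if that is intended, a comment such as `// A FIPS rejection ends the run here; the attempt-count check does not apply.` would make it explicit.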
36 changes: 33 additions & 3 deletions test/jdk/javax/net/ssl/DTLS/WeakCipherSuite.java
Expand Up @@ -41,6 +41,9 @@
import javax.net.ssl.SSLEngine;
import java.security.Security;

import jdk.test.lib.Utils;
import jdk.test.lib.security.SecurityUtils;

/**
* Test common DTLS weak cipher suites.
*/
Expand All @@ -52,13 +55,40 @@ public class WeakCipherSuite extends DTLSOverDatagram {
public static void main(String[] args) throws Exception {
// reset security properties to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
Security.setProperty("jdk.certpath.disabledAlgorithms", "");
if (!(Utils.isFIPS())) {
Security.setProperty("jdk.tls.disabledAlgorithms", "");
Security.setProperty("jdk.certpath.disabledAlgorithms", "");
}

cipherSuite = args[0];

WeakCipherSuite testCase = new WeakCipherSuite();
testCase.runTest(testCase);
try {
testCase.runTest(testCase);
} catch (javax.net.ssl.SSLHandshakeException sslhe) {
if (Utils.isFIPS()) {
if(!SecurityUtils.TLS_CIPHERSUITES.containsKey(cipherSuite)) {
if ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".equals(sslhe.getMessage())) {
System.out.println("Expected exception msg: <No appropriate protocol (protocol is disabled or cipher suites are inappropriate)> is caught");
return;
} else {
System.out.println("Unexpected exception msg: <" + sslhe.getMessage() + "> is caught");
return;
}
} else {
System.out.println("Unexpected exception is caught");
sslhe.printStackTrace();
return;
}
} else {
System.out.println("Unexpected exception is caught in Non-FIPS mode");
sslhe.printStackTrace();
return;
}
} catch (Exception e) {
e.printStackTrace();
return;
}
}

@Override
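Review bot: The comment above the `Security.setProperty` calls still says the security properties are reset so the algorithms and keys under test are not disabled, but after this change that only happens when `!(Utils.isFIPS())`, and in FIPS mode a suite absent from SecurityUtils.TLS_CIPHERSUITES is instead expected to fail the handshake in the new catch block. Suggest rewording it to `// Outside FIPS mode, reset the security properties so the weak algorithms` / `// under test are not disabled. In FIPS mode they are left as configured and a` / `// suite not in SecurityUtils.TLS_CIPHERSUITES is expected to fail the handshake.` so the comment matches both paths.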
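--- /dev/null
+++ b/test/jdk/javax/net/ssl/FIPSFlag/FIPSFlagTests.java
@@ -0,0 +1,40 @@
+/*
+* Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved.
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+* This code is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License version 2 only, as
+* published by the Free Software Foundation.
+*
+* This code is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+* version 2 for more details (a copy is included in the LICENSE file that
+* accompanied this code).
+*
+* You should have received a copy of the GNU General Public License version
+* 2 along with this work; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+*
+* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+* or visit www.oracle.com if you need additional information or have any
+* questions.
+*/
+
+/*
+* @test
+* @summary Test flags used for FIPS 140-2 and FIPS 140-3
+* @run main/othervm
+* TestFIPS false
+* @run main/othervm
+* -Dsemeru.fips=true
+* -Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3
+* TestFIPS true 140-3
+* @run main/othervm
+* -Dsemeru.fips=true
+* -Dsemeru.customprofile=OpenJCEPlusFIPS
+* TestFIPS true 140-3
+* @run main/othervm
+* -Dsemeru.fips=true
+* TestFIPS true 140-2
+*/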
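--- /dev/null
+++ b/test/jdk/javax/net/ssl/FIPSFlag/TestFIPS.java
@@ -0,0 +1,87 @@
+/*
+* Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+* This code is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License version 2 only, as
+* published by the Free Software Foundation.
+*
+* This code is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+* version 2 for more details (a copy is included in the LICENSE file that
+* accompanied this code).
+*
+* You should have received a copy of the GNU General Public License version
+* 2 along with this work; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+*
+* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+* or visit www.oracle.com if you need additional information or have any
+* questions.
+*/
+
+import java.security.Provider;
+import java.security.Security;
+
+public class TestFIPS {
+
+private static final String SEMERU_FIPS = System.getProperty("semeru.fips");
+private static final String PROFILE = System.getProperty("semeru.customprofile");
+
+public static void main(String[] args) throws Exception {
+
+for (Provider.Service service : Security.getProvider("SUN").getServices()) {
+System.out.println("Service: " + service.getType() + " Algorithm: " + service.getAlgorithm() + " Class: " + service.getClassName());
+}
+
+if (SEMERU_FIPS == null) {
+if (args[0].equals("false")) {
+System.out.println("PASS");
+} else {
+throw new FIPSException("FIPS mode should be opened before using.");
+}
+return;
+}
+
+if (PROFILE == null) {
+if (SEMERU_FIPS.equals(args[0])) {
+if (args[0].equals("true")) {
+if (System.getProperty("com.ibm.fips.mode").equals("140-2") && args[1].equals("140-2")) {
+System.out.println("PASS");
+} else {
+throw new FIPSException("If there is no custom profile specified, the FIPS 140-2 should be used as default.");
+}
+} else {
+throw new FIPSException("FIPS mode is not opened.");
+}
+} else {
+throw new FIPSException("FIPS mode and expected mode do not match.");
+}
+return;
+}
+
+System.out.println("profile is: " + PROFILE);
+if (PROFILE.contains("OpenJCEPlusFIPS")) {
+if (SEMERU_FIPS.equals(args[0])) {
+if (args[0].equals("true")) {
+if (System.getProperty("com.ibm.fips.mode").equals("140-3") && args[1].equals("140-3")) {
+System.out.println("PASS");
+} else {
+throw new FIPSException("FIPS profile and fips mode do not match.");
+}
+} else {
+throw new FIPSException("FIPS mode is not opened.");
+}
+}
+} else {
+throw new FIPSException("FIPS profile is not supported in FIPS 140-3 mode.");
+}
+}
+
+public static class FIPSException extends Exception {
+public FIPSException(String message) {
+super(message);
+}
+}
+}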
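Review bot: `System.getProperty("com.ibm.fips.mode").equals("140-2")` (and the `"140-3"` twin in the profile branch) throws NullPointerException instead of a FIPSException when the property is unset, turning a configuration problem into an unrelated stack trace; invert the comparison, `"140-2".equals(System.getProperty("com.ibm.fips.mode"))`, in both places. In the `PROFILE.contains("OpenJCEPlusFIPS")` branch the `SEMERU_FIPS.equals(args[0])` check has no else, so when the values differ main falls through and the run passes without printing PASS; mirror the no-profile branch with `} else { throw new FIPSException("FIPS mode and expected mode do not match."); }`. args[1] is read without an args.length check, so the descriptor and this class must stay in step; a short class comment stating the expected arguments, e.g. `// args: <expected semeru.fips: true|false> [expected com.ibm.fips.mode: 140-2|140-3]`, would document that contract. The loop that prints every SUN provider service on each run is unrelated to what the test asserts; if it is kept for diagnostics, say so in a comment.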
7 changes: 7 additions & 0 deletions test/jdk/javax/net/ssl/FixingJavadocs/ImplicitHandshake.java
Expand Up @@ -26,6 +26,7 @@
* @bug 4387882
* @summary Need to revisit the javadocs for JSSE, especially the
* promoted classes.
* @library /test/lib
* @run main/othervm ImplicitHandshake
*
* SunJSSE does not support dynamic system properties, no way to re-use
Expand All @@ -37,6 +38,8 @@
import java.net.*;
import javax.net.ssl.*;

import jdk.test.lib.Utils;

public class ImplicitHandshake {

/*
Expand Down Expand Up @@ -191,6 +194,10 @@ public static void main(String[] args) throws Exception {
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + trustStoreFile;

if (Utils.isFIPS()) {
keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd);
trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd);
}
System.setProperty("javax.net.ssl.keyStore", keyFilename);
System.setProperty("javax.net.ssl.keyStorePassword", passwd);
System.setProperty("javax.net.ssl.trustStore", trustFilename);
Expand Up @@ -31,6 +31,7 @@
* @bug 6668231
* @summary Presence of a critical subjectAltName causes JSSE's SunX509 to
* fail trusted checks
* @library /test/lib
* @run main/othervm CriticalSubjectAltName
* @author Xuelei Fan
*/
Expand All @@ -53,6 +54,8 @@
import java.security.Security;
import java.security.cert.Certificate;

import jdk.test.lib.Utils;

public class CriticalSubjectAltName implements HostnameVerifier {
/*
* =============================================================
Expand Down Expand Up @@ -159,10 +162,12 @@ void doClientSide() throws Exception {

public static void main(String[] args) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty("jdk.certpath.disabledAlgorithms",
"MD2, RSA keySize < 1024");
Security.setProperty("jdk.tls.disabledAlgorithms",
"SSLv3, RC4, DH keySize < 768");
if (!(Utils.isFIPS())) {
Security.setProperty("jdk.certpath.disabledAlgorithms",
"MD2, RSA keySize < 1024");
Security.setProperty("jdk.tls.disabledAlgorithms",
"SSLv3, RC4, DH keySize < 768");
}

String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores +
Expand All @@ -171,6 +176,11 @@ public static void main(String[] args) throws Exception {
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + trustStoreFile;

if (Utils.isFIPS()) {
keyFilename = Utils.revertJKSToPKCS12(keyFilename, passwd);
trustFilename = Utils.revertJKSToPKCS12(trustFilename, passwd);
}

System.setProperty("javax.net.ssl.keyStore", keyFilename);
System.setProperty("javax.net.ssl.keyStorePassword", passwd);
System.setProperty("javax.net.ssl.trustStore", trustFilename);
Expand All @@ -182,7 +192,29 @@ public static void main(String[] args) throws Exception {
/*
* Start the tests.
*/
new CriticalSubjectAltName();
try {
new CriticalSubjectAltName();
} catch (Exception e) {
if (Utils.isFIPS()) {
if (e instanceof java.security.cert.CertPathValidatorException) {
if ("Algorithm constraints check failed on signature algorithm: MD5withRSA".equals(e.getMessage())) {
System.out.println("MD5withRSA is not a supported signature algorithm.");
return;
} else {
System.out.println("Unexpected exception msg: <" + e.getMessage() + "> is caught");
return;
}
} else {
System.out.println("Unexpected exception is caught");
e.printStackTrace();
return;
}
} else {
System.out.println("Unexpected exception is caught in Non-FIPS mode");
e.printStackTrace();
return;
}
}
}

Thread clientThread = null;