archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-27 06:45:07 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8217835: Remove the experimental SunJSSE FIPS compliant mode

Browse source 
Reviewed-by: mullan
This commit is contained in:
Xue-Lei Andrew Fan 2019-02-12 13:36:15 -08:00
parent 5d0ff15a58
commit fca0af0487
46 changed files with 364 additions and 2350 deletions
Download patch file Download diff file Expand all files Collapse all files

121
src/java.base/share/classes/sun/security/ssl/SunJSSE.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -66,97 +66,16 @@ public abstract class SunJSSE extends java.security.Provider {
"(PKCS12, SunX509/PKIX key/trust factories, " +
"SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)";
private static String fipsInfo =
"Sun JSSE provider (FIPS mode, crypto provider ";
// tri-valued flag:
// null := no final decision made
// false := data structures initialized in non-FIPS mode
// true := data structures initialized in FIPS mode
private static Boolean fips;
// the FIPS certificate crypto provider that we use to perform all crypto
// operations. null in non-FIPS mode
static java.security.Provider cryptoProvider;
protected static synchronized boolean isFIPS() {
if (fips == null) {
fips = false;
}
return fips;
}
// ensure we can use FIPS mode using the specified crypto provider.
// enable FIPS mode if not already enabled.
private static synchronized void ensureFIPS(java.security.Provider p) {
if (fips == null) {
fips = true;
cryptoProvider = p;
} else {
if (fips == false) {
throw new ProviderException
("SunJSSE already initialized in non-FIPS mode");
}
if (cryptoProvider != p) {
throw new ProviderException
("SunJSSE already initialized with FIPS crypto provider "
+ cryptoProvider);
}
}
}
// standard constructor
protected SunJSSE() {
super("SunJSSE", PROVIDER_VER, info);
subclassCheck();
if (Boolean.TRUE.equals(fips)) {
throw new ProviderException
("SunJSSE is already initialized in FIPS mode");
}
registerAlgorithms(false);
registerAlgorithms();
}
// preferred constructor to enable FIPS mode at runtime
protected SunJSSE(java.security.Provider cryptoProvider){
this(checkNull(cryptoProvider), cryptoProvider.getName());
}
// constructor to enable FIPS mode from java.security file
protected SunJSSE(String cryptoProvider){
this(null, checkNull(cryptoProvider));
}
private static <T> T checkNull(T t) {
if (t == null) {
throw new ProviderException("cryptoProvider must not be null");
}
return t;
}
private SunJSSE(java.security.Provider cryptoProvider,
String providerName) {
super("SunJSSE", PROVIDER_VER, fipsInfo + providerName + ")");
subclassCheck();
if (cryptoProvider == null) {
// Calling Security.getProvider() will cause other providers to be
// loaded. That is not good but unavoidable here.
cryptoProvider = Security.getProvider(providerName);
if (cryptoProvider == null) {
throw new ProviderException
("Crypto provider not installed: " + providerName);
}
}
ensureFIPS(cryptoProvider);
registerAlgorithms(true);
}
private void registerAlgorithms(final boolean isfips) {
AccessController.doPrivileged(new PrivilegedAction<Object>() {
@Override
public Object run() {
doRegister(isfips);
return null;
}
private void registerAlgorithms() {
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
doRegister();
return null;
});
}
@ -165,14 +84,13 @@ public abstract class SunJSSE extends java.security.Provider {
putService(new Provider.Service(this, type, algo, cn, aliases, attrs));
}
private void doRegister(boolean isfips) {
if (isfips == false) {
Iterator<Provider.Service> rsaIter =
new SunRsaSignEntries(this).iterator();
while (rsaIter.hasNext()) {
putService(rsaIter.next());
}
private void doRegister() {
Iterator<Provider.Service> rsaIter =
new SunRsaSignEntries(this).iterator();
while (rsaIter.hasNext()) {
putService(rsaIter.next());
}
ps("Signature", "MD5andSHA1withRSA",
"sun.security.ssl.RSASignature", null, null);
@ -183,14 +101,15 @@ public abstract class SunJSSE extends java.security.Provider {
createAliases("PKIX"), null);
ps("TrustManagerFactory", "SunX509",
"sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory", null, null);
"sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory",
null, null);
ps("TrustManagerFactory", "PKIX",
"sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory",
createAliases("SunPKIX", "X509", "X.509"), null);
ps("SSLContext", "TLSv1",
"sun.security.ssl.SSLContextImpl$TLS10Context",
(isfips? null : createAliases("SSLv3")), null);
createAliases("SSLv3"), null);
ps("SSLContext", "TLSv1.1",
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
ps("SSLContext", "TLSv1.2",
@ -199,7 +118,7 @@ public abstract class SunJSSE extends java.security.Provider {
"sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
ps("SSLContext", "TLS",
"sun.security.ssl.SSLContextImpl$TLSContext",
(isfips? null : createAliases("SSL")), null);
createAliases("SSL"), null);
ps("SSLContext", "DTLSv1.0",
"sun.security.ssl.SSLContextImpl$DTLS10Context", null, null);
@ -225,12 +144,4 @@ public abstract class SunJSSE extends java.security.Provider {
throw new AssertionError("Illegal subclass: " + getClass());
}
}
@Override
@SuppressWarnings("deprecation")
protected final void finalize() throws Throwable {
// empty
super.finalize();
}
}