1 /*
2 * Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ssl;
27
28 import java.util.*;
29 import java.math.BigInteger;
30
31 import java.security.*;
32 import java.security.interfaces.RSAPublicKey;
33 import java.security.spec.*;
34
35 import javax.crypto.*;
36
37 // explicit import to override the Provider class in this package
38 import java.security.Provider;
39
40 // need internal Sun classes for FIPS tricks
41 import sun.security.jca.Providers;
42 import sun.security.jca.ProviderList;
43
44 import sun.security.util.ECUtil;
45
46 import static sun.security.ssl.SunJSSE.cryptoProvider;
47 import static sun.security.util.SecurityConstants.PROVIDER_VER;
48
49 /**
50 * This class contains a few static methods for interaction with the JCA/JCE
51 * to obtain implementations, etc.
52 *
53 * @author Andreas Sterbenz
54 */
55 final class JsseJce {
56
57 private static final ProviderList fipsProviderList;
58
59 // Flag indicating whether Kerberos crypto is available.
60 // If true, then all the Kerberos-based crypto we need is available.
61 private static final boolean kerberosAvailable;
62 static {
63 ClientKeyExchangeService p =
64 ClientKeyExchangeService.find("KRB5");
65 kerberosAvailable = (p != null);
66 }
67
68 static {
69 // force FIPS flag initialization
70 // Because isFIPS() is synchronized and cryptoProvider is not modified
71 // after it completes, this also eliminates the need for any further
72 // synchronization when accessing cryptoProvider
73 if (SunJSSE.isFIPS() == false) {
74 fipsProviderList = null;
75 } else {
76 // Setup a ProviderList that can be used by the trust manager
77 // during certificate chain validation. All the crypto must be
78 // from the FIPS provider, but we also allow the required
79 // certificate related services from the SUN provider.
80 Provider sun = Security.getProvider("SUN");
81 if (sun == null) {
82 throw new RuntimeException
83 ("FIPS mode: SUN provider must be installed");
84 }
85 Provider sunCerts = new SunCertificates(sun);
86 fipsProviderList = ProviderList.newList(cryptoProvider, sunCerts);
87 }
164 * without hashing where the application provides the hash of the data.
165 * Used for RSA client authentication with a 36 byte hash.
166 */
167 static final String SIGNATURE_RAWRSA = "NONEwithRSA";
168 /**
169 * JCA identifier string for the SSL/TLS style RSA Signature. I.e.
170 * an signature using RSA with PKCS#1 v1.5 padding signing a
171 * concatenation of an MD5 and SHA-1 digest.
172 */
173 static final String SIGNATURE_SSLRSA = "MD5andSHA1withRSA";
174
175 private JsseJce() {
176 // no instantiation of this class
177 }
178
179 static boolean isEcAvailable() {
180 return EcAvailability.isAvailable;
181 }
182
183 static boolean isKerberosAvailable() {
184 return kerberosAvailable;
185 }
186
187 /**
188 * Return an JCE cipher implementation for the specified algorithm.
189 */
190 static Cipher getCipher(String transformation)
191 throws NoSuchAlgorithmException {
192 try {
193 if (cryptoProvider == null) {
194 return Cipher.getInstance(transformation);
195 } else {
196 return Cipher.getInstance(transformation, cryptoProvider);
197 }
198 } catch (NoSuchPaddingException e) {
199 throw new NoSuchAlgorithmException(e);
200 }
201 }
202
203 /**
204 * Return an JCA signature implementation for the specified algorithm.
282 return AlgorithmParameters.getInstance(algorithm);
283 } else {
284 return AlgorithmParameters.getInstance(algorithm, cryptoProvider);
285 }
286 }
287
288 static SecureRandom getSecureRandom() throws KeyManagementException {
289 if (cryptoProvider == null) {
290 return new SecureRandom();
291 }
292 // Try "PKCS11" first. If that is not supported, iterate through
293 // the provider and return the first working implementation.
294 try {
295 return SecureRandom.getInstance("PKCS11", cryptoProvider);
296 } catch (NoSuchAlgorithmException e) {
297 // ignore
298 }
299 for (Provider.Service s : cryptoProvider.getServices()) {
300 if (s.getType().equals("SecureRandom")) {
301 try {
302 return SecureRandom.getInstance(s.getAlgorithm(), cryptoProvider);
303 } catch (NoSuchAlgorithmException ee) {
304 // ignore
305 }
306 }
307 }
308 throw new KeyManagementException("FIPS mode: no SecureRandom "
309 + " implementation found in provider " + cryptoProvider.getName());
310 }
311
312 static MessageDigest getMD5() {
313 return getMessageDigest("MD5");
314 }
315
316 static MessageDigest getSHA() {
317 return getMessageDigest("SHA");
318 }
319
320 static MessageDigest getMessageDigest(String algorithm) {
321 try {
322 if (cryptoProvider == null) {
377 static Object beginFipsProvider() {
378 if (fipsProviderList == null) {
379 return null;
380 } else {
381 return Providers.beginThreadProviderList(fipsProviderList);
382 }
383 }
384
385 static void endFipsProvider(Object o) {
386 if (fipsProviderList != null) {
387 Providers.endThreadProviderList((ProviderList)o);
388 }
389 }
390
391
392 // lazy initialization holder class idiom for static default parameters
393 //
394 // See Effective Java Second Edition: Item 71.
395 private static class EcAvailability {
396 // Is EC crypto available?
397 private final static boolean isAvailable;
398
399 static {
400 boolean mediator = true;
401 try {
402 JsseJce.getSignature(SIGNATURE_ECDSA);
403 JsseJce.getSignature(SIGNATURE_RAWECDSA);
404 JsseJce.getKeyAgreement("ECDH");
405 JsseJce.getKeyFactory("EC");
406 JsseJce.getKeyPairGenerator("EC");
407 JsseJce.getAlgorithmParameters("EC");
408 } catch (Exception e) {
409 mediator = false;
410 }
411
412 isAvailable = mediator;
413 }
414 }
415 }
|
1 /*
2 * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ssl;
27
28 import java.math.BigInteger;
29 import java.security.*;
30 import java.security.interfaces.RSAPublicKey;
31 import java.security.spec.*;
32 import java.util.*;
33 import javax.crypto.*;
34 import sun.security.jca.ProviderList;
35 import sun.security.jca.Providers;
36 import static sun.security.ssl.SunJSSE.cryptoProvider;
37 import sun.security.util.ECUtil;
38 import static sun.security.util.SecurityConstants.PROVIDER_VER;
39
40 /**
41 * This class contains a few static methods for interaction with the JCA/JCE
42 * to obtain implementations, etc.
43 *
44 * @author Andreas Sterbenz
45 */
46 final class JsseJce {
47 static final boolean ALLOW_ECC =
48 Utilities.getBooleanProperty("com.sun.net.ssl.enableECC", true);
49
50 private static final ProviderList fipsProviderList;
51
52 static {
53 // force FIPS flag initialization
54 // Because isFIPS() is synchronized and cryptoProvider is not modified
55 // after it completes, this also eliminates the need for any further
56 // synchronization when accessing cryptoProvider
57 if (SunJSSE.isFIPS() == false) {
58 fipsProviderList = null;
59 } else {
60 // Setup a ProviderList that can be used by the trust manager
61 // during certificate chain validation. All the crypto must be
62 // from the FIPS provider, but we also allow the required
63 // certificate related services from the SUN provider.
64 Provider sun = Security.getProvider("SUN");
65 if (sun == null) {
66 throw new RuntimeException
67 ("FIPS mode: SUN provider must be installed");
68 }
69 Provider sunCerts = new SunCertificates(sun);
70 fipsProviderList = ProviderList.newList(cryptoProvider, sunCerts);
71 }
148 * without hashing where the application provides the hash of the data.
149 * Used for RSA client authentication with a 36 byte hash.
150 */
151 static final String SIGNATURE_RAWRSA = "NONEwithRSA";
152 /**
153 * JCA identifier string for the SSL/TLS style RSA Signature. I.e.
154 * an signature using RSA with PKCS#1 v1.5 padding signing a
155 * concatenation of an MD5 and SHA-1 digest.
156 */
157 static final String SIGNATURE_SSLRSA = "MD5andSHA1withRSA";
158
159 private JsseJce() {
160 // no instantiation of this class
161 }
162
163 static boolean isEcAvailable() {
164 return EcAvailability.isAvailable;
165 }
166
167 static boolean isKerberosAvailable() {
168 return false;
169 }
170
171 /**
172 * Return an JCE cipher implementation for the specified algorithm.
173 */
174 static Cipher getCipher(String transformation)
175 throws NoSuchAlgorithmException {
176 try {
177 if (cryptoProvider == null) {
178 return Cipher.getInstance(transformation);
179 } else {
180 return Cipher.getInstance(transformation, cryptoProvider);
181 }
182 } catch (NoSuchPaddingException e) {
183 throw new NoSuchAlgorithmException(e);
184 }
185 }
186
187 /**
188 * Return an JCA signature implementation for the specified algorithm.
266 return AlgorithmParameters.getInstance(algorithm);
267 } else {
268 return AlgorithmParameters.getInstance(algorithm, cryptoProvider);
269 }
270 }
271
272 static SecureRandom getSecureRandom() throws KeyManagementException {
273 if (cryptoProvider == null) {
274 return new SecureRandom();
275 }
276 // Try "PKCS11" first. If that is not supported, iterate through
277 // the provider and return the first working implementation.
278 try {
279 return SecureRandom.getInstance("PKCS11", cryptoProvider);
280 } catch (NoSuchAlgorithmException e) {
281 // ignore
282 }
283 for (Provider.Service s : cryptoProvider.getServices()) {
284 if (s.getType().equals("SecureRandom")) {
285 try {
286 return SecureRandom.getInstance(
287 s.getAlgorithm(), cryptoProvider);
288 } catch (NoSuchAlgorithmException ee) {
289 // ignore
290 }
291 }
292 }
293 throw new KeyManagementException("FIPS mode: no SecureRandom "
294 + " implementation found in provider " + cryptoProvider.getName());
295 }
296
297 static MessageDigest getMD5() {
298 return getMessageDigest("MD5");
299 }
300
301 static MessageDigest getSHA() {
302 return getMessageDigest("SHA");
303 }
304
305 static MessageDigest getMessageDigest(String algorithm) {
306 try {
307 if (cryptoProvider == null) {
362 static Object beginFipsProvider() {
363 if (fipsProviderList == null) {
364 return null;
365 } else {
366 return Providers.beginThreadProviderList(fipsProviderList);
367 }
368 }
369
370 static void endFipsProvider(Object o) {
371 if (fipsProviderList != null) {
372 Providers.endThreadProviderList((ProviderList)o);
373 }
374 }
375
376
377 // lazy initialization holder class idiom for static default parameters
378 //
379 // See Effective Java Second Edition: Item 71.
380 private static class EcAvailability {
381 // Is EC crypto available?
382 private static final boolean isAvailable;
383
384 static {
385 boolean mediator = true;
386 try {
387 JsseJce.getSignature(SIGNATURE_ECDSA);
388 JsseJce.getSignature(SIGNATURE_RAWECDSA);
389 JsseJce.getKeyAgreement("ECDH");
390 JsseJce.getKeyFactory("EC");
391 JsseJce.getKeyPairGenerator("EC");
392 JsseJce.getAlgorithmParameters("EC");
393 } catch (Exception e) {
394 mediator = false;
395 }
396
397 isAvailable = mediator;
398 }
399 }
400 }
|