1 /* 2 * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 27 package sun.security.ssl; 28 29 import java.security.*; 30 import static sun.security.util.SecurityConstants.PROVIDER_VER; 31 32 /** 33 * The JSSE provider. 34 * 35 * The RSA implementation has been removed from JSSE, but we still need to 36 * register the same algorithms for compatibility. We just point to the RSA 37 * implementation in the SunRsaSign provider. This works because all classes 38 * are in the bootclasspath and therefore loaded by the same classloader. 39 * 40 * SunJSSE now supports an experimental FIPS compliant mode when used with an 41 * appropriate FIPS certified crypto provider. In FIPS mode, we: 42 * . allow only TLS 1.0 or later 43 * . allow only FIPS approved ciphersuites 44 * . perform all crypto in the FIPS crypto provider 45 * 46 * It is currently not possible to use both FIPS compliant SunJSSE and 47 * standard JSSE at the same time because of the various static data structures 48 * we use. 49 * 50 * However, we do want to allow FIPS mode to be enabled at runtime and without 51 * editing the java.security file. That means we need to allow 52 * Security.removeProvider("SunJSSE") to work, which creates an instance of 53 * this class in non-FIPS mode. That is why we delay the selection of the mode 54 * as long as possible. This is until we open an SSL/TLS connection and the 55 * data structures need to be initialized or until SunJSSE is initialized in 56 * FIPS mode. 57 * 58 */ 59 public abstract class SunJSSE extends java.security.Provider { 60 61 private static final long serialVersionUID = 3231825739635378733L; 62 63 private static String info = "Sun JSSE provider" + 64 "(PKCS12, SunX509/PKIX key/trust factories, " + 65 "SSLv3/TLSv1/TLSv1.1/TLSv1.2/DTLSv1.0/DTLSv1.2)"; 66 67 private static String fipsInfo = 68 "Sun JSSE provider (FIPS mode, crypto provider "; 69 70 // tri-valued flag: 71 // null := no final decision made 72 // false := data structures initialized in non-FIPS mode 73 // true := data structures initialized in FIPS mode 74 private static Boolean fips; 75 76 // the FIPS certificate crypto provider that we use to perform all crypto 77 // operations. null in non-FIPS mode 78 static java.security.Provider cryptoProvider; 79 80 protected static synchronized boolean isFIPS() { 81 if (fips == null) { 82 fips = false; 83 } 84 return fips; 85 } 132 } 133 134 private SunJSSE(java.security.Provider cryptoProvider, 135 String providerName) { 136 super("SunJSSE", PROVIDER_VER, fipsInfo + providerName + ")"); 137 subclassCheck(); 138 if (cryptoProvider == null) { 139 // Calling Security.getProvider() will cause other providers to be 140 // loaded. That is not good but unavoidable here. 141 cryptoProvider = Security.getProvider(providerName); 142 if (cryptoProvider == null) { 143 throw new ProviderException 144 ("Crypto provider not installed: " + providerName); 145 } 146 } 147 ensureFIPS(cryptoProvider); 148 registerAlgorithms(true); 149 } 150 151 private void registerAlgorithms(final boolean isfips) { 152 AccessController.doPrivileged(new PrivilegedAction<>() { 153 @Override 154 public Object run() { 155 doRegister(isfips); 156 return null; 157 } 158 }); 159 } 160 161 private void doRegister(boolean isfips) { 162 if (isfips == false) { 163 put("KeyFactory.RSA", 164 "sun.security.rsa.RSAKeyFactory"); 165 put("Alg.Alias.KeyFactory.1.2.840.113549.1.1", "RSA"); 166 put("Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1", "RSA"); 167 168 put("KeyPairGenerator.RSA", 169 "sun.security.rsa.RSAKeyPairGenerator"); 170 put("Alg.Alias.KeyPairGenerator.1.2.840.113549.1.1", "RSA"); 171 put("Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.1", "RSA"); 172 173 put("Signature.MD2withRSA", 174 "sun.security.rsa.RSASignature$MD2withRSA"); 175 put("Alg.Alias.Signature.1.2.840.113549.1.1.2", "MD2withRSA"); 176 put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.2", 177 "MD2withRSA"); 178 179 put("Signature.MD5withRSA", 180 "sun.security.rsa.RSASignature$MD5withRSA"); 181 put("Alg.Alias.Signature.1.2.840.113549.1.1.4", "MD5withRSA"); 182 put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.4", 183 "MD5withRSA"); 184 185 put("Signature.SHA1withRSA", 186 "sun.security.rsa.RSASignature$SHA1withRSA"); 187 put("Alg.Alias.Signature.1.2.840.113549.1.1.5", "SHA1withRSA"); 188 put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.5", 189 "SHA1withRSA"); 197 put("KeyManagerFactory.SunX509", 198 "sun.security.ssl.KeyManagerFactoryImpl$SunX509"); 199 put("KeyManagerFactory.NewSunX509", 200 "sun.security.ssl.KeyManagerFactoryImpl$X509"); 201 put("Alg.Alias.KeyManagerFactory.PKIX", "NewSunX509"); 202 203 put("TrustManagerFactory.SunX509", 204 "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory"); 205 put("TrustManagerFactory.PKIX", 206 "sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory"); 207 put("Alg.Alias.TrustManagerFactory.SunPKIX", "PKIX"); 208 put("Alg.Alias.TrustManagerFactory.X509", "PKIX"); 209 put("Alg.Alias.TrustManagerFactory.X.509", "PKIX"); 210 211 put("SSLContext.TLSv1", 212 "sun.security.ssl.SSLContextImpl$TLS10Context"); 213 put("SSLContext.TLSv1.1", 214 "sun.security.ssl.SSLContextImpl$TLS11Context"); 215 put("SSLContext.TLSv1.2", 216 "sun.security.ssl.SSLContextImpl$TLS12Context"); 217 put("SSLContext.TLS", 218 "sun.security.ssl.SSLContextImpl$TLSContext"); 219 if (isfips == false) { 220 put("Alg.Alias.SSLContext.SSL", "TLS"); 221 put("Alg.Alias.SSLContext.SSLv3", "TLSv1"); 222 } 223 224 put("SSLContext.DTLSv1.0", 225 "sun.security.ssl.SSLContextImpl$DTLS10Context"); 226 put("SSLContext.DTLSv1.2", 227 "sun.security.ssl.SSLContextImpl$DTLS12Context"); 228 put("SSLContext.DTLS", 229 "sun.security.ssl.SSLContextImpl$DTLSContext"); 230 231 put("SSLContext.Default", 232 "sun.security.ssl.SSLContextImpl$DefaultSSLContext"); 233 234 /* 235 * KeyStore 236 */ | 1 /* 2 * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import java.security.*; 29 import static sun.security.util.SecurityConstants.PROVIDER_VER; 30 31 /** 32 * The JSSE provider. 33 * 34 * The RSA implementation has been removed from JSSE, but we still need to 35 * register the same algorithms for compatibility. We just point to the RSA 36 * implementation in the SunRsaSign provider. This works because all classes 37 * are in the bootclasspath and therefore loaded by the same classloader. 38 * 39 * SunJSSE now supports an experimental FIPS compliant mode when used with an 40 * appropriate FIPS certified crypto provider. In FIPS mode, we: 41 * . allow only TLS 1.0 or later 42 * . allow only FIPS approved ciphersuites 43 * . perform all crypto in the FIPS crypto provider 44 * 45 * It is currently not possible to use both FIPS compliant SunJSSE and 46 * standard JSSE at the same time because of the various static data structures 47 * we use. 48 * 49 * However, we do want to allow FIPS mode to be enabled at runtime and without 50 * editing the java.security file. That means we need to allow 51 * Security.removeProvider("SunJSSE") to work, which creates an instance of 52 * this class in non-FIPS mode. That is why we delay the selection of the mode 53 * as long as possible. This is until we open an SSL/TLS connection and the 54 * data structures need to be initialized or until SunJSSE is initialized in 55 * FIPS mode. 56 * 57 */ 58 public abstract class SunJSSE extends java.security.Provider { 59 60 private static final long serialVersionUID = 3231825739635378733L; 61 62 private static String info = "Sun JSSE provider" + 63 "(PKCS12, SunX509/PKIX key/trust factories, " + 64 "SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)"; 65 66 private static String fipsInfo = 67 "Sun JSSE provider (FIPS mode, crypto provider "; 68 69 // tri-valued flag: 70 // null := no final decision made 71 // false := data structures initialized in non-FIPS mode 72 // true := data structures initialized in FIPS mode 73 private static Boolean fips; 74 75 // the FIPS certificate crypto provider that we use to perform all crypto 76 // operations. null in non-FIPS mode 77 static java.security.Provider cryptoProvider; 78 79 protected static synchronized boolean isFIPS() { 80 if (fips == null) { 81 fips = false; 82 } 83 return fips; 84 } 131 } 132 133 private SunJSSE(java.security.Provider cryptoProvider, 134 String providerName) { 135 super("SunJSSE", PROVIDER_VER, fipsInfo + providerName + ")"); 136 subclassCheck(); 137 if (cryptoProvider == null) { 138 // Calling Security.getProvider() will cause other providers to be 139 // loaded. That is not good but unavoidable here. 140 cryptoProvider = Security.getProvider(providerName); 141 if (cryptoProvider == null) { 142 throw new ProviderException 143 ("Crypto provider not installed: " + providerName); 144 } 145 } 146 ensureFIPS(cryptoProvider); 147 registerAlgorithms(true); 148 } 149 150 private void registerAlgorithms(final boolean isfips) { 151 AccessController.doPrivileged(new PrivilegedAction<Object>() { 152 @Override 153 public Object run() { 154 doRegister(isfips); 155 return null; 156 } 157 }); 158 } 159 160 private void doRegister(boolean isfips) { 161 if (isfips == false) { 162 put("KeyFactory.RSA", 163 "sun.security.rsa.RSAKeyFactory$Legacy"); 164 put("Alg.Alias.KeyFactory.1.2.840.113549.1.1", "RSA"); 165 put("Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1", "RSA"); 166 167 put("KeyPairGenerator.RSA", 168 "sun.security.rsa.RSAKeyPairGenerator$Legacy"); 169 put("Alg.Alias.KeyPairGenerator.1.2.840.113549.1.1", "RSA"); 170 put("Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.1", "RSA"); 171 172 put("Signature.MD2withRSA", 173 "sun.security.rsa.RSASignature$MD2withRSA"); 174 put("Alg.Alias.Signature.1.2.840.113549.1.1.2", "MD2withRSA"); 175 put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.2", 176 "MD2withRSA"); 177 178 put("Signature.MD5withRSA", 179 "sun.security.rsa.RSASignature$MD5withRSA"); 180 put("Alg.Alias.Signature.1.2.840.113549.1.1.4", "MD5withRSA"); 181 put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.4", 182 "MD5withRSA"); 183 184 put("Signature.SHA1withRSA", 185 "sun.security.rsa.RSASignature$SHA1withRSA"); 186 put("Alg.Alias.Signature.1.2.840.113549.1.1.5", "SHA1withRSA"); 187 put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.5", 188 "SHA1withRSA"); 196 put("KeyManagerFactory.SunX509", 197 "sun.security.ssl.KeyManagerFactoryImpl$SunX509"); 198 put("KeyManagerFactory.NewSunX509", 199 "sun.security.ssl.KeyManagerFactoryImpl$X509"); 200 put("Alg.Alias.KeyManagerFactory.PKIX", "NewSunX509"); 201 202 put("TrustManagerFactory.SunX509", 203 "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory"); 204 put("TrustManagerFactory.PKIX", 205 "sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory"); 206 put("Alg.Alias.TrustManagerFactory.SunPKIX", "PKIX"); 207 put("Alg.Alias.TrustManagerFactory.X509", "PKIX"); 208 put("Alg.Alias.TrustManagerFactory.X.509", "PKIX"); 209 210 put("SSLContext.TLSv1", 211 "sun.security.ssl.SSLContextImpl$TLS10Context"); 212 put("SSLContext.TLSv1.1", 213 "sun.security.ssl.SSLContextImpl$TLS11Context"); 214 put("SSLContext.TLSv1.2", 215 "sun.security.ssl.SSLContextImpl$TLS12Context"); 216 put("SSLContext.TLSv1.3", 217 "sun.security.ssl.SSLContextImpl$TLS13Context"); 218 put("SSLContext.TLS", 219 "sun.security.ssl.SSLContextImpl$TLSContext"); 220 if (isfips == false) { 221 put("Alg.Alias.SSLContext.SSL", "TLS"); 222 put("Alg.Alias.SSLContext.SSLv3", "TLSv1"); 223 } 224 225 put("SSLContext.DTLSv1.0", 226 "sun.security.ssl.SSLContextImpl$DTLS10Context"); 227 put("SSLContext.DTLSv1.2", 228 "sun.security.ssl.SSLContextImpl$DTLS12Context"); 229 put("SSLContext.DTLS", 230 "sun.security.ssl.SSLContextImpl$DTLSContext"); 231 232 put("SSLContext.Default", 233 "sun.security.ssl.SSLContextImpl$DefaultSSLContext"); 234 235 /* 236 * KeyStore 237 */ |