
src/java.base/share/classes/sun/security/ssl/SunJSSE.java



   1 /*
   2  * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 
  27 package sun.security.ssl;
  28 
  29 import java.security.*;
  30 import static sun.security.util.SecurityConstants.PROVIDER_VER;
  31 
  32 /**
  33  * The JSSE provider.
  34  *
  35  * The RSA implementation has been removed from JSSE, but we still need to
  36  * register the same algorithms for compatibility. We just point to the RSA
  37  * implementation in the SunRsaSign provider. This works because all classes
  38  * are in the bootclasspath and therefore loaded by the same classloader.
  39  *
  40  * SunJSSE now supports an experimental FIPS compliant mode when used with an
  41  * appropriate FIPS certified crypto provider. In FIPS mode, we:
  42  *  . allow only TLS 1.0 or later
  43  *  . allow only FIPS approved ciphersuites
  44  *  . perform all crypto in the FIPS crypto provider
  45  *
  46  * It is currently not possible to use both FIPS compliant SunJSSE and
  47  * standard JSSE at the same time because of the various static data structures
  48  * we use.
  49  *
  50  * However, we do want to allow FIPS mode to be enabled at runtime and without
  51  * editing the java.security file. That means we need to allow
  52  * Security.removeProvider("SunJSSE") to work, which creates an instance of
  53  * this class in non-FIPS mode. That is why we delay the selection of the mode
  54  * as long as possible. This is until we open an SSL/TLS connection and the
  55  * data structures need to be initialized or until SunJSSE is initialized in
  56  * FIPS mode.
  57  *
  58  */
  59 public abstract class SunJSSE extends java.security.Provider {
  60 
  61     private static final long serialVersionUID = 3231825739635378733L;
  62 
  63     private static String info = "Sun JSSE provider" +
  64         "(PKCS12, SunX509/PKIX key/trust factories, " +
  65         "SSLv3/TLSv1/TLSv1.1/TLSv1.2/DTLSv1.0/DTLSv1.2)";
  66 
  67     private static String fipsInfo =
  68         "Sun JSSE provider (FIPS mode, crypto provider ";
  69 
  70     // tri-valued flag:
  71     // null  := no final decision made
  72     // false := data structures initialized in non-FIPS mode
  73     // true  := data structures initialized in FIPS mode
  74     private static Boolean fips;
  75 
  76     // the FIPS certificate crypto provider that we use to perform all crypto
  77     // operations. null in non-FIPS mode
  78     static java.security.Provider cryptoProvider;
  79 
  80     protected static synchronized boolean isFIPS() {
  81         if (fips == null) {
  82             fips = false;
  83         }
  84         return fips;
  85     }


 132     }
 133 
 134     private SunJSSE(java.security.Provider cryptoProvider,
 135             String providerName) {
 136         super("SunJSSE", PROVIDER_VER, fipsInfo + providerName + ")");
 137         subclassCheck();
 138         if (cryptoProvider == null) {
 139             // Calling Security.getProvider() will cause other providers to be
 140             // loaded. That is not good but unavoidable here.
 141             cryptoProvider = Security.getProvider(providerName);
 142             if (cryptoProvider == null) {
 143                 throw new ProviderException
 144                     ("Crypto provider not installed: " + providerName);
 145             }
 146         }
 147         ensureFIPS(cryptoProvider);
 148         registerAlgorithms(true);
 149     }
 150 
 151     private void registerAlgorithms(final boolean isfips) {
 152         AccessController.doPrivileged(new PrivilegedAction<>() {
 153             @Override
 154             public Object run() {
 155                 doRegister(isfips);
 156                 return null;
 157             }
 158         });
 159     }
 160 
 161     private void doRegister(boolean isfips) {
 162         if (isfips == false) {
 163             put("KeyFactory.RSA",
 164                 "sun.security.rsa.RSAKeyFactory");
 165             put("Alg.Alias.KeyFactory.1.2.840.113549.1.1", "RSA");
 166             put("Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1", "RSA");
 167 
 168             put("KeyPairGenerator.RSA",
 169                 "sun.security.rsa.RSAKeyPairGenerator");
 170             put("Alg.Alias.KeyPairGenerator.1.2.840.113549.1.1", "RSA");
 171             put("Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.1", "RSA");
 172 
 173             put("Signature.MD2withRSA",
 174                 "sun.security.rsa.RSASignature$MD2withRSA");
 175             put("Alg.Alias.Signature.1.2.840.113549.1.1.2", "MD2withRSA");
 176             put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.2",
 177                 "MD2withRSA");
 178 
 179             put("Signature.MD5withRSA",
 180                 "sun.security.rsa.RSASignature$MD5withRSA");
 181             put("Alg.Alias.Signature.1.2.840.113549.1.1.4", "MD5withRSA");
 182             put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.4",
 183                 "MD5withRSA");
 184 
 185             put("Signature.SHA1withRSA",
 186                 "sun.security.rsa.RSASignature$SHA1withRSA");
 187             put("Alg.Alias.Signature.1.2.840.113549.1.1.5", "SHA1withRSA");
 188             put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.5",
 189                 "SHA1withRSA");


 197         put("KeyManagerFactory.SunX509",
 198             "sun.security.ssl.KeyManagerFactoryImpl$SunX509");
 199         put("KeyManagerFactory.NewSunX509",
 200             "sun.security.ssl.KeyManagerFactoryImpl$X509");
 201         put("Alg.Alias.KeyManagerFactory.PKIX", "NewSunX509");
 202 
 203         put("TrustManagerFactory.SunX509",
 204             "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory");
 205         put("TrustManagerFactory.PKIX",
 206             "sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory");
 207         put("Alg.Alias.TrustManagerFactory.SunPKIX", "PKIX");
 208         put("Alg.Alias.TrustManagerFactory.X509", "PKIX");
 209         put("Alg.Alias.TrustManagerFactory.X.509", "PKIX");
 210 
 211         put("SSLContext.TLSv1",
 212             "sun.security.ssl.SSLContextImpl$TLS10Context");
 213         put("SSLContext.TLSv1.1",
 214             "sun.security.ssl.SSLContextImpl$TLS11Context");
 215         put("SSLContext.TLSv1.2",
 216             "sun.security.ssl.SSLContextImpl$TLS12Context");


 217         put("SSLContext.TLS",
 218             "sun.security.ssl.SSLContextImpl$TLSContext");
 219         if (isfips == false) {
 220             put("Alg.Alias.SSLContext.SSL", "TLS");
 221             put("Alg.Alias.SSLContext.SSLv3", "TLSv1");
 222         }
 223 
 224         put("SSLContext.DTLSv1.0",
 225             "sun.security.ssl.SSLContextImpl$DTLS10Context");
 226         put("SSLContext.DTLSv1.2",
 227             "sun.security.ssl.SSLContextImpl$DTLS12Context");
 228         put("SSLContext.DTLS",
 229             "sun.security.ssl.SSLContextImpl$DTLSContext");
 230 
 231         put("SSLContext.Default",
 232             "sun.security.ssl.SSLContextImpl$DefaultSSLContext");
 233 
 234         /*
 235          * KeyStore
 236          */
   1 /*
   2  * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 

  26 package sun.security.ssl;
  27 
  28 import java.security.*;
  29 import static sun.security.util.SecurityConstants.PROVIDER_VER;
  30 
  31 /**
  32  * The JSSE provider.
  33  *
  34  * The RSA implementation has been removed from JSSE, but we still need to
  35  * register the same algorithms for compatibility. We just point to the RSA
  36  * implementation in the SunRsaSign provider. This works because all classes
  37  * are in the bootclasspath and therefore loaded by the same classloader.
  38  *
  39  * SunJSSE now supports an experimental FIPS compliant mode when used with an
  40  * appropriate FIPS certified crypto provider. In FIPS mode, we:
  41  *  . allow only TLS 1.0 or later
  42  *  . allow only FIPS approved ciphersuites
  43  *  . perform all crypto in the FIPS crypto provider
  44  *
  45  * It is currently not possible to use both FIPS compliant SunJSSE and
  46  * standard JSSE at the same time because of the various static data structures
  47  * we use.
  48  *
  49  * However, we do want to allow FIPS mode to be enabled at runtime and without
  50  * editing the java.security file. That means we need to allow
  51  * Security.removeProvider("SunJSSE") to work, which creates an instance of
  52  * this class in non-FIPS mode. That is why we delay the selection of the mode
  53  * as long as possible. This is until we open an SSL/TLS connection and the
  54  * data structures need to be initialized or until SunJSSE is initialized in
  55  * FIPS mode.
  56  *
  57  */
  58 public abstract class SunJSSE extends java.security.Provider {
  59 
  60     private static final long serialVersionUID = 3231825739635378733L;
  61 
  62     private static String info = "Sun JSSE provider" +
  63         "(PKCS12, SunX509/PKIX key/trust factories, " +
  64         "SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)";
  65 
  66     private static String fipsInfo =
  67         "Sun JSSE provider (FIPS mode, crypto provider ";
  68 
  69     // tri-valued flag:
  70     // null  := no final decision made
  71     // false := data structures initialized in non-FIPS mode
  72     // true  := data structures initialized in FIPS mode
  73     private static Boolean fips;
  74 
  75     // the FIPS certificate crypto provider that we use to perform all crypto
  76     // operations. null in non-FIPS mode
  77     static java.security.Provider cryptoProvider;
  78 
  79     protected static synchronized boolean isFIPS() {
  80         if (fips == null) {
  81             fips = false;
  82         }
  83         return fips;
  84     }


 131     }
 132 
 133     private SunJSSE(java.security.Provider cryptoProvider,
 134             String providerName) {
 135         super("SunJSSE", PROVIDER_VER, fipsInfo + providerName + ")");
 136         subclassCheck();
 137         if (cryptoProvider == null) {
 138             // Calling Security.getProvider() will cause other providers to be
 139             // loaded. That is not good but unavoidable here.
 140             cryptoProvider = Security.getProvider(providerName);
 141             if (cryptoProvider == null) {
 142                 throw new ProviderException
 143                     ("Crypto provider not installed: " + providerName);
 144             }
 145         }
 146         ensureFIPS(cryptoProvider);
 147         registerAlgorithms(true);
 148     }
 149 
 150     private void registerAlgorithms(final boolean isfips) {
 151         AccessController.doPrivileged(new PrivilegedAction<Object>() {
 152             @Override
 153             public Object run() {
 154                 doRegister(isfips);
 155                 return null;
 156             }
 157         });
 158     }
 159 
 160     private void doRegister(boolean isfips) {
 161         if (isfips == false) {
 162             put("KeyFactory.RSA",
 163                 "sun.security.rsa.RSAKeyFactory$Legacy");
 164             put("Alg.Alias.KeyFactory.1.2.840.113549.1.1", "RSA");
 165             put("Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1", "RSA");
 166 
 167             put("KeyPairGenerator.RSA",
 168                 "sun.security.rsa.RSAKeyPairGenerator$Legacy");
 169             put("Alg.Alias.KeyPairGenerator.1.2.840.113549.1.1", "RSA");
 170             put("Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.1", "RSA");
 171 
 172             put("Signature.MD2withRSA",
 173                 "sun.security.rsa.RSASignature$MD2withRSA");
 174             put("Alg.Alias.Signature.1.2.840.113549.1.1.2", "MD2withRSA");
 175             put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.2",
 176                 "MD2withRSA");
 177 
 178             put("Signature.MD5withRSA",
 179                 "sun.security.rsa.RSASignature$MD5withRSA");
 180             put("Alg.Alias.Signature.1.2.840.113549.1.1.4", "MD5withRSA");
 181             put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.4",
 182                 "MD5withRSA");
 183 
 184             put("Signature.SHA1withRSA",
 185                 "sun.security.rsa.RSASignature$SHA1withRSA");
 186             put("Alg.Alias.Signature.1.2.840.113549.1.1.5", "SHA1withRSA");
 187             put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.5",
 188                 "SHA1withRSA");


 196         put("KeyManagerFactory.SunX509",
 197             "sun.security.ssl.KeyManagerFactoryImpl$SunX509");
 198         put("KeyManagerFactory.NewSunX509",
 199             "sun.security.ssl.KeyManagerFactoryImpl$X509");
 200         put("Alg.Alias.KeyManagerFactory.PKIX", "NewSunX509");
 201 
 202         put("TrustManagerFactory.SunX509",
 203             "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory");
 204         put("TrustManagerFactory.PKIX",
 205             "sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory");
 206         put("Alg.Alias.TrustManagerFactory.SunPKIX", "PKIX");
 207         put("Alg.Alias.TrustManagerFactory.X509", "PKIX");
 208         put("Alg.Alias.TrustManagerFactory.X.509", "PKIX");
 209 
 210         put("SSLContext.TLSv1",
 211             "sun.security.ssl.SSLContextImpl$TLS10Context");
 212         put("SSLContext.TLSv1.1",
 213             "sun.security.ssl.SSLContextImpl$TLS11Context");
 214         put("SSLContext.TLSv1.2",
 215             "sun.security.ssl.SSLContextImpl$TLS12Context");
 216         put("SSLContext.TLSv1.3",
 217             "sun.security.ssl.SSLContextImpl$TLS13Context");
 218         put("SSLContext.TLS",
 219             "sun.security.ssl.SSLContextImpl$TLSContext");
 220         if (isfips == false) {
 221             put("Alg.Alias.SSLContext.SSL", "TLS");
 222             put("Alg.Alias.SSLContext.SSLv3", "TLSv1");
 223         }
 224 
 225         put("SSLContext.DTLSv1.0",
 226             "sun.security.ssl.SSLContextImpl$DTLS10Context");
 227         put("SSLContext.DTLSv1.2",
 228             "sun.security.ssl.SSLContextImpl$DTLS12Context");
 229         put("SSLContext.DTLS",
 230             "sun.security.ssl.SSLContextImpl$DTLSContext");
 231 
 232         put("SSLContext.Default",
 233             "sun.security.ssl.SSLContextImpl$DefaultSSLContext");
 234 
 235         /*
 236          * KeyStore
 237          */
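Review bot: The new `put("SSLContext.TLSv1.3", "sun.security.ssl.SSLContextImpl$TLS13Context")` in doRegister sits outside the `isfips == false` guard, so the TLS 1.3 context is also published when the provider is built through the FIPS constructor, which calls `registerAlgorithms(true)`. The class comment promises that FIPS mode allows only FIPS-approved cipher suites and performs all crypto in the FIPS crypto provider. Whether TLS13Context enforces that restriction is not visible on this page, so it should be confirmed before this lands. A comment above the registration would record the dependency, for example `// also registered in FIPS mode: TLS13Context must limit suites to what the FIPS crypto provider supports`. doRegister's body continues beyond the lines shown here.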