[GR-31008] Disable experimental FIPS mode.

PullRequest: graal/8814
dedis · May 12, 2021 · b1b6ac0 · b1b6ac0
2 parents 4470d70 + 8d780a1
commit b1b6ac0
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java b/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java
@@ -571,6 +571,22 @@ final class Target_sun_security_jca_ProviderConfig_ProviderLoader {
     static Target_sun_security_jca_ProviderConfig_ProviderLoader INSTANCE;
 }
 
+/**
+ * This only applies to JDK8 and JDK11. Experimental FIPS mode in the SunJSSE Provider was removed
+ * in JDK-8217835. Going forward it is recommended to configure FIPS 140 compliant cryptography
+ * providers by using the usual JCA providers configuration mechanism.
+ */
+@SuppressWarnings("unused")
+@TargetClass(value = sun.security.ssl.SunJSSE.class, onlyWith = JDK11OrEarlier.class)
+final class Target_sun_security_ssl_SunJSSE {
+
+    @Substitute
+    private Target_sun_security_ssl_SunJSSE(java.security.Provider cryptoProvider, String providerName) {
+        throw VMError.unsupportedFeature("Experimental FIPS mode in the SunJSSE Provider is deprecated (JDK-8217835)." +
+                        " To register a FIPS provider use the supported java.security.Security.addProvider() API.");
+    }
+}
+
 /** Dummy class to have a class with the file's name. */
 public final class SecuritySubstitutions {
 }
diff --git a/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java b/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java
@@ -153,6 +153,23 @@ public boolean isInConfiguration(IsInConfigurationAccess access) {
     public void afterRegistration(AfterRegistrationAccess a) {
         ModuleSupport.exportAndOpenPackageToClass("java.base", "sun.security.x509", false, getClass());
         ModuleSupport.openModuleByClass(Security.class, getClass());
+        disableExperimentalFipsMode(a);
+    }
+
+    /**
+     * The SunJSSE provider had a experimental feature that bound to a FIPS crypto provider. This
+     * has been removed in JDK-8217835. We disabled explicitly here by calling SunJSSE.isFIPS(). If
+     * it was already enabled that's an error.
+     */
+    private static void disableExperimentalFipsMode(AfterRegistrationAccess a) {
+        if (JavaVersionUtil.JAVA_SPEC <= 11) {
+            try {
+                Boolean isFIPS = (Boolean) method(a, "sun.security.ssl.SunJSSE", "isFIPS").invoke(null);
+                VMError.guarantee(!isFIPS, "SunJSSE is already initialized in experimental FIPS mode.");
+            } catch (IllegalAccessException | InvocationTargetException e) {
+                VMError.shouldNotReachHere(e);
+            }
+        }
     }
 
     @Override