From 8d780a11984715a80666377e445e655fe32ad108 Mon Sep 17 00:00:00 2001
From: Codrut Stancu
Date: Tue, 20 Apr 2021 17:54:36 -0700
Subject: [PATCH] Disable experimental FIPS mode.

---
 .../svm/core/jdk/SecuritySubstitutions.java | 16 ++++++++++++++++
 .../svm/hosted/SecurityServicesFeature.java | 17 +++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java b/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java
index 2f0063be528f..1141c83476cd 100644
--- a/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java
+++ b/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java
@@ -571,6 +571,22 @@ final class Target_sun_security_jca_ProviderConfig_ProviderLoader {
 static Target_sun_security_jca_ProviderConfig_ProviderLoader INSTANCE;
 }
 
+/**
+ * This only applies to JDK8 and JDK11. Experimental FIPS mode in the SunJSSE Provider was removed
+ * in JDK-8217835. Going forward it is recommended to configure FIPS 140 compliant cryptography
+ * providers by using the usual JCA providers configuration mechanism.
+ */
+@SuppressWarnings("unused")
+@TargetClass(value = sun.security.ssl.SunJSSE.class, onlyWith = JDK11OrEarlier.class)
+final class Target_sun_security_ssl_SunJSSE {
+
+ @Substitute
+ private Target_sun_security_ssl_SunJSSE(java.security.Provider cryptoProvider, String providerName) {
+ throw VMError.unsupportedFeature("Experimental FIPS mode in the SunJSSE Provider is deprecated (JDK-8217835)." +
+ " To register a FIPS provider use the supported java.security.Security.addProvider() API.");
+ }
+}
+
 /** Dummy class to have a class with the file's name. */
 public final class SecuritySubstitutions {
 }
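Review bot: The message thrown from the substituted constructor calls the FIPS mode "deprecated", while the Javadoc directly above it says the mode was removed in JDK-8217835, and the two name different replacements (the JCA provider configuration mechanism versus `Security.addProvider()`). This string is what a user sees when an image that expected a FIPS-bound SunJSSE fails at run time, so it should state the situation plainly, e.g. `"Experimental FIPS mode in the SunJSSE Provider is not supported (removed in JDK-8217835)."`. The Javadoc could also say in one sentence why the private two-argument constructor is the one substituted (presumably the FIPS-mode constructors delegate to it; that is not visible in this hunk), so a reader can confirm that no other path still reaches FIPS initialization.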
diff --git a/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java b/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java
index b1f93079272f..095530853d51 100644
--- a/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java
+++ b/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java
@@ -153,6 +153,23 @@ public boolean isInConfiguration(IsInConfigurationAccess access) {
 public void afterRegistration(AfterRegistrationAccess a) {
 ModuleSupport.exportAndOpenPackageToClass("java.base", "sun.security.x509", false, getClass());
 ModuleSupport.openModuleByClass(Security.class, getClass());
+ disableExperimentalFipsMode(a);
+ }
+
+ /**
+ * The SunJSSE provider had a experimental feature that bound to a FIPS crypto provider. This
+ * has been removed in JDK-8217835. We disabled explicitly here by calling SunJSSE.isFIPS(). If
+ * it was already enabled that's an error.
+ */
+ private static void disableExperimentalFipsMode(AfterRegistrationAccess a) {
+ if (JavaVersionUtil.JAVA_SPEC <= 11) {
+ try {
+ Boolean isFIPS = (Boolean) method(a, "sun.security.ssl.SunJSSE", "isFIPS").invoke(null);
+ VMError.guarantee(!isFIPS, "SunJSSE is already initialized in experimental FIPS mode.");
+ } catch (IllegalAccessException | InvocationTargetException e) {
+ VMError.shouldNotReachHere(e);
+ }
+ }
 }
 
 @Override
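Review bot: The Javadoc on `disableExperimentalFipsMode` says the mode is disabled "by calling SunJSSE.isFIPS()", but nothing in the method explains why calling what looks like a getter disables anything, so the body reads as a check only. If the intent relies on `isFIPS()` settling a still-undecided mode to non-FIPS on its first call (my reading of the JDK 8/11 source, not visible in this hunk), state that next to the `invoke`, e.g. `// isFIPS() settles an undecided mode to non-FIPS, so a later attempt to enable FIPS mode fails`. The comment should also say that this runs in the image builder during `afterRegistration` and whether the settled state is expected to carry into the generated image, because that decides whether this call or the constructor substitution in SecuritySubstitutions.java is the effective guard at run time. The `method` helper used for the reflective lookup is defined outside the hunk.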