/* |
|
* Copyright (c) 1999, 2021, Oracle and/or its affiliates. All rights reserved. |
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
* |
|
* This code is free software; you can redistribute it and/or modify it |
|
* under the terms of the GNU General Public License version 2 only, as |
|
* published by the Free Software Foundation. Oracle designates this |
|
* particular file as subject to the "Classpath" exception as provided |
|
* by Oracle in the LICENSE file that accompanied this code. |
|
* |
|
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
* version 2 for more details (a copy is included in the LICENSE file that |
|
* accompanied this code). |
|
* |
|
* You should have received a copy of the GNU General Public License version |
|
* 2 along with this work; if not, write to the Free Software Foundation, |
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
* |
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
* or visit www.oracle.com if you need additional information or have any |
|
* questions. |
|
*/ |
|
package sun.security.ssl; |
|
import java.security.*; |
|
import java.util.*; |
|
import static sun.security.util.SecurityConstants.PROVIDER_VER; |
|
/** |
|
* The JSSE provider. |
|
* |
|
* SunJSSE now supports an experimental FIPS compliant mode when used with an |
|
* appropriate FIPS certified crypto provider. In FIPS mode, we: |
|
* . allow only TLS 1.0 or later |
|
* . allow only FIPS approved ciphersuites |
|
* . perform all crypto in the FIPS crypto provider |
|
* |
|
* It is currently not possible to use both FIPS compliant SunJSSE and |
|
* standard JSSE at the same time because of the various static data structures |
|
* we use. |
|
* |
|
* However, we do want to allow FIPS mode to be enabled at runtime and without |
|
* editing the java.security file. That means we need to allow |
|
* Security.removeProvider("SunJSSE") to work, which creates an instance of |
|
* this class in non-FIPS mode. That is why we delay the selection of the mode |
|
* as long as possible. This is until we open an SSL/TLS connection and the |
|
* data structures need to be initialized or until SunJSSE is initialized in |
|
* FIPS mode. |
|
* |
|
*/ |
|
public class SunJSSE extends java.security.Provider { |
|
@java.io.Serial |
|
private static final long serialVersionUID = 3231825739635378733L; |
|
private static final String info = "Sun JSSE provider" + |
|
"(PKCS12, SunX509/PKIX key/trust factories, " + |
|
"SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)"; |
|
public SunJSSE() { |
|
super("SunJSSE", PROVIDER_VER, info); |
|
registerAlgorithms(); |
|
} |
|
@SuppressWarnings("removal") |
|
private void registerAlgorithms() { |
|
AccessController.doPrivileged((PrivilegedAction<Void>) () -> { |
|
doRegister(); |
|
return null; |
|
}); |
|
} |
|
private void ps(String type, String algo, String cn, |
|
List<String> a, HashMap<String, String> attrs) { |
|
putService(new Provider.Service(this, type, algo, cn, a, attrs)); |
|
} |
|
private void doRegister() { |
|
ps("Signature", "MD5andSHA1withRSA", |
|
"sun.security.ssl.RSASignature", null, null); |
|
ps("KeyManagerFactory", "SunX509", |
|
"sun.security.ssl.KeyManagerFactoryImpl$SunX509", null, null); |
|
ps("KeyManagerFactory", "NewSunX509", |
|
"sun.security.ssl.KeyManagerFactoryImpl$X509", |
|
List.of("PKIX"), null); |
|
ps("TrustManagerFactory", "SunX509", |
|
"sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory", |
|
null, null); |
|
ps("TrustManagerFactory", "PKIX", |
|
"sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory", |
|
List.of("SunPKIX", "X509", "X.509"), null); |
|
ps("SSLContext", "TLSv1", |
|
"sun.security.ssl.SSLContextImpl$TLS10Context", |
|
List.of("SSLv3"), null); |
|
ps("SSLContext", "TLSv1.1", |
|
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null); |
|
ps("SSLContext", "TLSv1.2", |
|
"sun.security.ssl.SSLContextImpl$TLS12Context", null, null); |
|
ps("SSLContext", "TLSv1.3", |
|
"sun.security.ssl.SSLContextImpl$TLS13Context", null, null); |
|
ps("SSLContext", "TLS", |
|
"sun.security.ssl.SSLContextImpl$TLSContext", |
|
List.of("SSL"), null); |
|
ps("SSLContext", "DTLSv1.0", |
|
"sun.security.ssl.SSLContextImpl$DTLS10Context", null, null); |
|
ps("SSLContext", "DTLSv1.2", |
|
"sun.security.ssl.SSLContextImpl$DTLS12Context", null, null); |
|
ps("SSLContext", "DTLS", |
|
"sun.security.ssl.SSLContextImpl$DTLSContext", null, null); |
|
ps("SSLContext", "Default", |
|
"sun.security.ssl.SSLContextImpl$DefaultSSLContext", null, null); |
|
/* |
|
* KeyStore |
|
*/ |
|
ps("KeyStore", "PKCS12", |
|
"sun.security.pkcs12.PKCS12KeyStore", null, null); |
|
} |
|
} |