deque = new LinkedList<>();
+
+ for (char ch : string.toCharArray()) {
+ switch (ch) {
+ case '{':
+ deque.addFirst('}');
+ break;
+ case '[':
+ deque.addFirst(']');
+ break;
+ case '(':
+ deque.addFirst(')');
+ break;
+ case '}':
+ case ']':
+ case ')':
+ if (deque.isEmpty() || (deque.removeFirst().charValue() != ch)) {
+ return false;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ return deque.isEmpty();
+ }
+
+ /**
+ * Check if the input string is asterisk (*).
+ *
+ * @param string input string for checking
+ * @return true if the input string is asterisk
+ */
+ private static boolean isAsterisk(String string) {
+ return "*".equals(string);
+ }
+
+ /**
+ * A class representing the constraints of a provider.
+ */
+ private static final class Constraint {
+ final String type;
+ final String algorithm;
+ final String attributes;
+
+ Constraint(String type, String algorithm, String attributes) {
+ super();
+ this.type = type;
+ this.algorithm = algorithm;
+ this.attributes = attributes;
+ }
+ }
+ }
+}
diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java
index 1f0bbfd766a..06aa6d1395f 100644
--- a/src/java.base/share/classes/java/security/Provider.java
+++ b/src/java.base/share/classes/java/security/Provider.java
@@ -23,6 +23,12 @@
* questions.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved
+ * ===========================================================================
+ */
+
package java.security;
import java.io.*;
@@ -35,6 +41,8 @@
import java.util.function.Function;
import java.util.concurrent.ConcurrentHashMap;
+import openj9.internal.security.RestrictedSecurity;
+
/**
* This class represents a "provider" for the
* Java Security API, where a provider implements some or all parts of
@@ -1372,6 +1380,11 @@ protected void putService(Service s) {
throw new IllegalArgumentException
("service.getProvider() must match this Provider object");
}
+ if (!RestrictedSecurity.isServiceAllowed(s)) {
+ // We're in restricted security mode which does not allow this service,
+ // return without registering.
+ return;
+ }
String type = s.getType();
String algorithm = s.getAlgorithm();
ServiceKey key = new ServiceKey(type, algorithm, true);
diff --git a/src/java.base/share/classes/java/security/SecureRandom.java b/src/java.base/share/classes/java/security/SecureRandom.java
index 9e23ab1e009..94922b88554 100644
--- a/src/java.base/share/classes/java/security/SecureRandom.java
+++ b/src/java.base/share/classes/java/security/SecureRandom.java
@@ -25,7 +25,7 @@
/*
* ===========================================================================
- * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved
+ * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved
* ===========================================================================
*/
@@ -41,7 +41,7 @@
import sun.security.provider.SunEntries;
import sun.security.util.Debug;
-import openj9.internal.security.FIPSConfigurator;
+import openj9.internal.security.RestrictedSecurity;
/**
* This class provides a cryptographically strong random number
@@ -270,27 +270,29 @@ private void getDefaultPRNG(boolean setSeed, byte[] seed) {
Service prngService = null;
String prngAlgorithm = null;
- // If in FIPS mode, use the SecureRandom from the FIPS provider
- if (FIPSConfigurator.enableFips()) {
- Provider p = Security.getProvider("SunPKCS11-NSS-FIPS");
- prngAlgorithm = "PKCS11";
- prngService = p.getService("SecureRandom", prngAlgorithm);
- } else {
- for (Provider p : Providers.getProviderList().providers()) {
- // SUN provider uses the SunEntries.DEF_SECURE_RANDOM_ALGO
- // as the default SecureRandom algorithm; for other providers,
- // Provider.getDefaultSecureRandom() will use the 1st
- // registered SecureRandom algorithm
- if (p.getName().equals("SUN")) {
- prngAlgorithm = SunEntries.DEF_SECURE_RANDOM_ALGO;
+ for (Provider p : Providers.getProviderList().providers()) {
+ // In restricted security mode, use the SecureRandom from restricted security provider.
+ if (RestrictedSecurity.isEnabled()) {
+ String srProvider = RestrictedSecurity.getRandomProvider();
+ if (p.getName().equals(srProvider)) {
+ prngAlgorithm = RestrictedSecurity.getRandomAlgorithm();
prngService = p.getService("SecureRandom", prngAlgorithm);
break;
- } else {
- prngService = p.getDefaultSecureRandomService();
- if (prngService != null) {
- prngAlgorithm = prngService.getAlgorithm();
- break;
- }
+ }
+ }
+ // SUN provider uses the SunEntries.DEF_SECURE_RANDOM_ALGO
+ // as the default SecureRandom algorithm; for other providers,
+ // Provider.getDefaultSecureRandom() will use the 1st
+ // registered SecureRandom algorithm
+ else if (p.getName().equals("SUN")) {
+ prngAlgorithm = SunEntries.DEF_SECURE_RANDOM_ALGO;
+ prngService = p.getService("SecureRandom", prngAlgorithm);
+ break;
+ } else {
+ prngService = p.getDefaultSecureRandomService();
+ if (prngService != null) {
+ prngAlgorithm = prngService.getAlgorithm();
+ break;
}
}
}
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
index 1d991756f72..51a938f5b57 100644
--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
@@ -50,7 +50,7 @@
import openj9.internal.criu.security.CRIUConfigurator;
/*[ENDIF] CRIU_SUPPORT*/
-import openj9.internal.security.FIPSConfigurator;
+import openj9.internal.security.RestrictedSecurity;
/**
* This class centralizes all security properties and common security
@@ -215,16 +215,11 @@ private static void initialize() {
}
/*[ENDIF] CRIU_SUPPORT */
- // Load FIPS properties
- if (loadedProps) {
- boolean fipsEnabled = FIPSConfigurator.configureFIPS(props);
- if (sdebug != null) {
- if (fipsEnabled) {
- sdebug.println("FIPS mode enabled.");
- } else {
- sdebug.println("FIPS mode disabled.");
- }
- }
+ // Load restricted security mode properties.
+ boolean restrictedSecurityEnabled = RestrictedSecurity.configure(props);
+ if (sdebug != null) {
+ sdebug.println(restrictedSecurityEnabled ? "Restricted security mode enabled."
+ : "Restricted security mode disabled.");
}
}
diff --git a/src/java.base/share/classes/java/util/ServiceLoader.java b/src/java.base/share/classes/java/util/ServiceLoader.java
index d248d1ea4a7..b8bfda71298 100644
--- a/src/java.base/share/classes/java/util/ServiceLoader.java
+++ b/src/java.base/share/classes/java/util/ServiceLoader.java
@@ -23,6 +23,12 @@
* questions.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved
+ * ===========================================================================
+ */
+
package java.util;
import java.io.BufferedReader;
@@ -57,6 +63,8 @@
import jdk.internal.reflect.CallerSensitive;
import jdk.internal.reflect.Reflection;
+import openj9.internal.security.RestrictedSecurity;
+
/**
* A facility to load implementations of a service.
*
@@ -873,6 +881,12 @@ private Provider loadProvider(ServiceProvider provider) {
fail(service, clazz + " is not public");
}
+ if (!RestrictedSecurity.isProviderAllowed(clazz)) {
+ // We're in restricted security mode which does not allow this provider,
+ // skip it.
+ return null;
+ }
+
// if provider in explicit module then check for static factory method
if (inExplicitModule(clazz)) {
Method factoryMethod = findStaticProviderMethod(clazz);
@@ -1228,6 +1242,11 @@ private boolean hasNextService() {
}
if (service.isAssignableFrom(clazz)) {
+ if (!RestrictedSecurity.isProviderAllowed(clazz)) {
+ // We're in restricted security mode which does not allow this provider,
+ // skip it.
+ continue;
+ }
Class extends S> type = (Class extends S>) clazz;
Constructor extends S> ctor
= (Constructor extends S>)getConstructor(clazz);
diff --git a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
index db420525e62..e59159b0036 100644
--- a/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
+++ b/src/java.base/share/classes/sun/security/jca/ProviderConfig.java
@@ -25,7 +25,7 @@
/*
* ===========================================================================
- * (c) Copyright IBM Corp. 2023, 2023 All Rights Reserved
+ * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved
* ===========================================================================
*/
@@ -39,6 +39,8 @@
import sun.security.util.PropertyExpander;
+import openj9.internal.security.RestrictedSecurity;
+
/**
* Class representing a configured provider which encapsulates configuration
* (provider name + optional argument), the provider loading logic, and
@@ -168,6 +170,11 @@ public String toString() {
// com.sun.net.ssl.internal.ssl.Provider has been deprecated since JDK 9
@SuppressWarnings("deprecation")
synchronized Provider getProvider() {
+ if (!RestrictedSecurity.isProviderAllowed(provName)) {
+ // We're in restricted security mode which does not allow this provider,
+ // return without loading.
+ return null;
+ }
// volatile variable load
Provider p = provider;
if (p != null) {
diff --git a/src/java.base/share/classes/sun/security/jca/ProviderList.java b/src/java.base/share/classes/sun/security/jca/ProviderList.java
index 405de65f26f..63a0163bcbb 100644
--- a/src/java.base/share/classes/sun/security/jca/ProviderList.java
+++ b/src/java.base/share/classes/sun/security/jca/ProviderList.java
@@ -39,6 +39,8 @@
import java.security.Provider.Service;
import java.security.Security;
+import openj9.internal.security.RestrictedSecurity;
+
/**
* List of Providers. Used to represent the provider preferences.
*
@@ -112,7 +114,13 @@ public static ProviderList add(ProviderList providerList, Provider p) {
public static ProviderList insertAt(ProviderList providerList, Provider p,
int position) {
- if (providerList.getProvider(p.getName()) != null) {
+ String providerName = p.getName();
+ if (providerList.getProvider(providerName) != null) {
+ return providerList;
+ }
+ if (!RestrictedSecurity.isProviderAllowed(providerName)) {
+ // We're in restricted security mode which does not allow this provider,
+ // return without adding.
return providerList;
}
List list = new ArrayList<>
@@ -144,6 +152,16 @@ public static ProviderList remove(ProviderList providerList, String name) {
// Create a new ProviderList from the specified Providers.
// This method is for use by SunJSSE.
public static ProviderList newList(Provider ... providers) {
+ if (RestrictedSecurity.isEnabled()) {
+ List allowedProviders = new ArrayList<>();
+ for (Provider p : providers) {
+ if (RestrictedSecurity.isProviderAllowed(p.getName())) {
+ // This provider is allowed, add it the list.
+ allowedProviders.add(p);
+ }
+ }
+ providers = allowedProviders.toArray(new Provider[allowedProviders.size()]);
+ }
ProviderConfig[] configs = new ProviderConfig[providers.length];
for (int i = 0; i < providers.length; i++) {
configs[i] = new ProviderConfig(providers[i]);
@@ -379,7 +397,8 @@ public Service getService(String type, String name) {
for (i = 0; i < pList.size(); i++) {
Provider p = getProvider(pList.get(i).provider);
Service s = p.getService(type, name);
- if (s != null) {
+ if ((s != null) && RestrictedSecurity.isServiceAllowed(s)) {
+ // We found a service that is allowed in restricted security mode.
return s;
}
}
@@ -388,7 +407,8 @@ public Service getService(String type, String name) {
for (i = 0; i < configs.length; i++) {
Provider p = getProvider(i);
Service s = p.getService(type, name);
- if (s != null) {
+ if ((s != null) && RestrictedSecurity.isServiceAllowed(s)) {
+ // We found a service that is allowed in restricted security mode.
return s;
}
}
@@ -524,14 +544,14 @@ private Service tryGet(int index) {
if (type != null) {
// simple lookup
Service s = p.getService(type, algorithm);
- if (s != null) {
+ if ((s != null) && RestrictedSecurity.isServiceAllowed(s)) {
addService(s);
}
} else {
// parallel lookup
for (ServiceId id : ids) {
Service s = p.getService(id.type, id.algorithm);
- if (s != null) {
+ if ((s != null) && RestrictedSecurity.isServiceAllowed(s)) {
addService(s);
}
}
diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java
index 6ddcaec9746..bf423e3a388 100644
--- a/src/java.base/share/classes/sun/security/provider/SunEntries.java
+++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java
@@ -40,8 +40,6 @@
import jdk.internal.util.StaticProperty;
import sun.security.action.GetPropertyAction;
-import openj9.internal.security.FIPSConfigurator;
-
/**
* Defines the entries of the SUN provider.
*
@@ -114,266 +112,218 @@ public static List createAliasesWithOid(String ... oids) {
// common attribute map
HashMap attrs = new HashMap<>(3);
- if (FIPSConfigurator.enableFips()) {
- // FIPS supported
- attrs.put("ImplementedIn", "Software");
-
- /*
- * Certificates
- */
- add(p, "CertificateFactory", "X.509",
- "sun.security.provider.X509Factory",
- createAliases("X509"), attrs);
-
- /*
- * CertStores
- */
- add(p, "CertStore", "Collection",
- "sun.security.provider.certpath.CollectionCertStore",
- null, attrs);
- add(p, "CertStore", "com.sun.security.IndexedCollection",
- "sun.security.provider.certpath.IndexedCollectionCertStore",
- null, attrs);
-
- /*
- * Policy
- */
- add(p, "Policy", "JavaPolicy", "sun.security.provider.PolicySpiFile",
- null, null);
-
- /*
- * Configuration
- */
- add(p, "Configuration", "JavaLoginConfig",
- "sun.security.provider.ConfigFile$Spi", null, null);
-
- /*
- * CertPathBuilder and CertPathValidator
- */
- attrs.clear();
- attrs.put("ValidationAlgorithm", "RFC5280");
- attrs.put("ImplementedIn", "Software");
-
- add(p, "CertPathBuilder", "PKIX",
- "sun.security.provider.certpath.SunCertPathBuilder",
- null, attrs);
- add(p, "CertPathValidator", "PKIX",
- "sun.security.provider.certpath.PKIXCertPathValidator",
+ /*
+ * SecureRandom engines
+ */
+ attrs.put("ThreadSafe", "true");
+ if (NativePRNG.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNG",
+ "sun.security.provider.NativePRNG",
null, attrs);
+ }
+ if (NativePRNG.Blocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGBlocking",
+ "sun.security.provider.NativePRNG$Blocking", null, attrs);
+ }
+ if (NativePRNG.NonBlocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGNonBlocking",
+ "sun.security.provider.NativePRNG$NonBlocking", null, attrs);
+ }
+ attrs.put("ImplementedIn", "Software");
+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG",
+ null, attrs);
+ add(p, "SecureRandom", "SHA1PRNG",
+ "sun.security.provider.SecureRandom", null, attrs);
+
+ /*
+ * Signature engines
+ */
+ attrs.clear();
+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
+ "|java.security.interfaces.DSAPrivateKey";
+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
+ attrs.put("ImplementedIn", "Software");
+
+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
+
+ add(p, "Signature", "SHA1withDSA",
+ "sun.security.provider.DSA$SHA1withDSA",
+ createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS",
+ "SHA/DSA", "SHA-1/DSA", "SHA1/DSA", "SHAwithDSA",
+ "DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), attrs);
+ add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA",
+ createAliases("RawDSA"), attrs);
+
+ attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures
+
+ add(p, "Signature", "SHA224withDSA",
+ "sun.security.provider.DSA$SHA224withDSA",
+ createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs);
+ add(p, "Signature", "SHA256withDSA",
+ "sun.security.provider.DSA$SHA256withDSA",
+ createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs);
+
+ attrs.remove("KeySize");
+
+ add(p, "Signature", "SHA1withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA1withDSAinP1363Format",
+ null, null);
+ add(p, "Signature", "NONEwithDSAinP1363Format",
+ "sun.security.provider.DSA$RawDSAinP1363Format",
+ null, null);
+ add(p, "Signature", "SHA224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA224withDSAinP1363Format",
+ null, null);
+ add(p, "Signature", "SHA256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA256withDSAinP1363Format",
+ null, null);
+
+ /*
+ * Key Pair Generator engines
+ */
+ attrs.clear();
+ attrs.put("ImplementedIn", "Software");
+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
+
+ String dsaOid = "1.2.840.10040.4.1";
+ List dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12");
+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+ add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs);
+
+ /*
+ * Algorithm Parameter Generator engines
+ */
+ add(p, "AlgorithmParameterGenerator", "DSA",
+ "sun.security.provider.DSAParameterGenerator", dsaAliases,
+ attrs);
+ attrs.remove("KeySize");
+
+ /*
+ * Algorithm Parameter engines
+ */
+ add(p, "AlgorithmParameters", "DSA",
+ "sun.security.provider.DSAParameters", dsaAliases, attrs);
+
+ /*
+ * Key factories
+ */
+ add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory",
+ dsaAliases, attrs);
+
+ /*
+ * Digest engines
+ */
+ String providerSHA;
+ String providerSHA224;
+ String providerSHA256;
+ String providerSHA384;
+ String providerSHA512;
+ /*
+ * Set the digest provider based on whether native crypto is
+ * enabled or not.
+ */
+ if (useNativeDigest && NativeCrypto.isAllowedAndLoaded()) {
+ providerSHA = "sun.security.provider.NativeSHA";
+ providerSHA224 = "sun.security.provider.NativeSHA2$SHA224";
+ providerSHA256 = "sun.security.provider.NativeSHA2$SHA256";
+ providerSHA384 = "sun.security.provider.NativeSHA5$SHA384";
+ providerSHA512 = "sun.security.provider.NativeSHA5$SHA512";
} else {
- /*
- * SecureRandom engines
- */
- attrs.put("ThreadSafe", "true");
- if (NativePRNG.isAvailable()) {
- add(p, "SecureRandom", "NativePRNG",
- "sun.security.provider.NativePRNG",
- null, attrs);
- }
- if (NativePRNG.Blocking.isAvailable()) {
- add(p, "SecureRandom", "NativePRNGBlocking",
- "sun.security.provider.NativePRNG$Blocking", null, attrs);
- }
- if (NativePRNG.NonBlocking.isAvailable()) {
- add(p, "SecureRandom", "NativePRNGNonBlocking",
- "sun.security.provider.NativePRNG$NonBlocking", null, attrs);
- }
- attrs.put("ImplementedIn", "Software");
- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG",
- null, attrs);
- add(p, "SecureRandom", "SHA1PRNG",
- "sun.security.provider.SecureRandom", null, attrs);
-
- /*
- * Signature engines
- */
- attrs.clear();
- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
- "|java.security.interfaces.DSAPrivateKey";
- attrs.put("SupportedKeyClasses", dsaKeyClasses);
- attrs.put("ImplementedIn", "Software");
-
- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
-
- add(p, "Signature", "SHA1withDSA",
- "sun.security.provider.DSA$SHA1withDSA",
- createAliasesWithOid("1.2.840.10040.4.3", "DSA", "DSS",
- "SHA/DSA", "SHA-1/DSA", "SHA1/DSA", "SHAwithDSA",
- "DSAWithSHA1", "1.3.14.3.2.13", "1.3.14.3.2.27"), attrs);
- add(p, "Signature", "NONEwithDSA", "sun.security.provider.DSA$RawDSA",
- createAliases("RawDSA"), attrs);
-
- attrs.put("KeySize", "2048"); // for SHA224 and SHA256 DSA signatures
-
- add(p, "Signature", "SHA224withDSA",
- "sun.security.provider.DSA$SHA224withDSA",
- createAliasesWithOid("2.16.840.1.101.3.4.3.1"), attrs);
- add(p, "Signature", "SHA256withDSA",
- "sun.security.provider.DSA$SHA256withDSA",
- createAliasesWithOid("2.16.840.1.101.3.4.3.2"), attrs);
-
- attrs.remove("KeySize");
-
- add(p, "Signature", "SHA1withDSAinP1363Format",
- "sun.security.provider.DSA$SHA1withDSAinP1363Format",
- null, null);
- add(p, "Signature", "NONEwithDSAinP1363Format",
- "sun.security.provider.DSA$RawDSAinP1363Format",
- null, null);
- add(p, "Signature", "SHA224withDSAinP1363Format",
- "sun.security.provider.DSA$SHA224withDSAinP1363Format",
- null, null);
- add(p, "Signature", "SHA256withDSAinP1363Format",
- "sun.security.provider.DSA$SHA256withDSAinP1363Format",
- null, null);
-
- /*
- * Key Pair Generator engines
- */
- attrs.clear();
- attrs.put("ImplementedIn", "Software");
- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
-
- String dsaOid = "1.2.840.10040.4.1";
- List dsaAliases = createAliasesWithOid(dsaOid, "1.3.14.3.2.12");
- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
- add(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, dsaAliases, attrs);
-
- /*
- * Algorithm Parameter Generator engines
- */
- add(p, "AlgorithmParameterGenerator", "DSA",
- "sun.security.provider.DSAParameterGenerator", dsaAliases,
- attrs);
- attrs.remove("KeySize");
-
- /*
- * Algorithm Parameter engines
- */
- add(p, "AlgorithmParameters", "DSA",
- "sun.security.provider.DSAParameters", dsaAliases, attrs);
-
- /*
- * Key factories
- */
- add(p, "KeyFactory", "DSA", "sun.security.provider.DSAKeyFactory",
- dsaAliases, attrs);
-
- /*
- * Digest engines
- */
- String providerSHA;
- String providerSHA224;
- String providerSHA256;
- String providerSHA384;
- String providerSHA512;
- /*
- * Set the digest provider based on whether native crypto is
- * enabled or not.
- */
- if (useNativeDigest && NativeCrypto.isAllowedAndLoaded()) {
- providerSHA = "sun.security.provider.NativeSHA";
- providerSHA224 = "sun.security.provider.NativeSHA2$SHA224";
- providerSHA256 = "sun.security.provider.NativeSHA2$SHA256";
- providerSHA384 = "sun.security.provider.NativeSHA5$SHA384";
- providerSHA512 = "sun.security.provider.NativeSHA5$SHA512";
- } else {
- providerSHA = "sun.security.provider.SHA";
- providerSHA224 = "sun.security.provider.SHA2$SHA224";
- providerSHA256 = "sun.security.provider.SHA2$SHA256";
- providerSHA384 = "sun.security.provider.SHA5$SHA384";
- providerSHA512 = "sun.security.provider.SHA5$SHA512";
- }
-
- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs);
- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs);
- add(p, "MessageDigest", "SHA", providerSHA,
- createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs);
-
- String sha2BaseOid = "2.16.840.1.101.3.4.2";
- add(p, "MessageDigest", "SHA-224", providerSHA224,
- createAliasesWithOid(sha2BaseOid + ".4"), attrs);
- add(p, "MessageDigest", "SHA-256", providerSHA256,
- createAliasesWithOid(sha2BaseOid + ".1"), attrs);
- add(p, "MessageDigest", "SHA-384", providerSHA384,
- createAliasesWithOid(sha2BaseOid + ".2"), attrs);
- add(p, "MessageDigest", "SHA-512", providerSHA512,
- createAliasesWithOid(sha2BaseOid + ".3"), attrs);
- add(p, "MessageDigest", "SHA-512/224",
- "sun.security.provider.SHA5$SHA512_224",
- createAliasesWithOid(sha2BaseOid + ".5"), attrs);
- add(p, "MessageDigest", "SHA-512/256",
- "sun.security.provider.SHA5$SHA512_256",
- createAliasesWithOid(sha2BaseOid + ".6"), attrs);
- add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224",
- createAliasesWithOid(sha2BaseOid + ".7"), attrs);
- add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256",
- createAliasesWithOid(sha2BaseOid + ".8"), attrs);
- add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384",
- createAliasesWithOid(sha2BaseOid + ".9"), attrs);
- add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512",
- createAliasesWithOid(sha2BaseOid + ".10"), attrs);
-
- /*
- * Certificates
- */
- add(p, "CertificateFactory", "X.509",
- "sun.security.provider.X509Factory",
- createAliases("X509"), attrs);
-
- /*
- * KeyStore
- */
- add(p, "KeyStore", "PKCS12",
- "sun.security.pkcs12.PKCS12KeyStore$DualFormatPKCS12",
- null, null);
- add(p, "KeyStore", "JKS",
- "sun.security.provider.JavaKeyStore$DualFormatJKS",
- null, attrs);
- add(p, "KeyStore", "CaseExactJKS",
- "sun.security.provider.JavaKeyStore$CaseExactJKS",
- null, attrs);
- add(p, "KeyStore", "DKS", "sun.security.provider.DomainKeyStore$DKS",
- null, attrs);
-
-
- /*
- * CertStores
- */
- add(p, "CertStore", "Collection",
- "sun.security.provider.certpath.CollectionCertStore",
- null, attrs);
- add(p, "CertStore", "com.sun.security.IndexedCollection",
- "sun.security.provider.certpath.IndexedCollectionCertStore",
- null, attrs);
+ providerSHA = "sun.security.provider.SHA";
+ providerSHA224 = "sun.security.provider.SHA2$SHA224";
+ providerSHA256 = "sun.security.provider.SHA2$SHA256";
+ providerSHA384 = "sun.security.provider.SHA5$SHA384";
+ providerSHA512 = "sun.security.provider.SHA5$SHA512";
+ }
- /*
- * Policy
- */
- add(p, "Policy", "JavaPolicy", "sun.security.provider.PolicySpiFile",
- null, null);
+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", null, attrs);
+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", null, attrs);
+ add(p, "MessageDigest", "SHA", providerSHA,
+ createAliasesWithOid("1.3.14.3.2.26", "SHA-1", "SHA1"), attrs);
+
+ String sha2BaseOid = "2.16.840.1.101.3.4.2";
+ add(p, "MessageDigest", "SHA-224", providerSHA224,
+ createAliasesWithOid(sha2BaseOid + ".4"), attrs);
+ add(p, "MessageDigest", "SHA-256", providerSHA256,
+ createAliasesWithOid(sha2BaseOid + ".1"), attrs);
+ add(p, "MessageDigest", "SHA-384", providerSHA384,
+ createAliasesWithOid(sha2BaseOid + ".2"), attrs);
+ add(p, "MessageDigest", "SHA-512", providerSHA512,
+ createAliasesWithOid(sha2BaseOid + ".3"), attrs);
+ add(p, "MessageDigest", "SHA-512/224",
+ "sun.security.provider.SHA5$SHA512_224",
+ createAliasesWithOid(sha2BaseOid + ".5"), attrs);
+ add(p, "MessageDigest", "SHA-512/256",
+ "sun.security.provider.SHA5$SHA512_256",
+ createAliasesWithOid(sha2BaseOid + ".6"), attrs);
+ add(p, "MessageDigest", "SHA3-224", "sun.security.provider.SHA3$SHA224",
+ createAliasesWithOid(sha2BaseOid + ".7"), attrs);
+ add(p, "MessageDigest", "SHA3-256", "sun.security.provider.SHA3$SHA256",
+ createAliasesWithOid(sha2BaseOid + ".8"), attrs);
+ add(p, "MessageDigest", "SHA3-384", "sun.security.provider.SHA3$SHA384",
+ createAliasesWithOid(sha2BaseOid + ".9"), attrs);
+ add(p, "MessageDigest", "SHA3-512", "sun.security.provider.SHA3$SHA512",
+ createAliasesWithOid(sha2BaseOid + ".10"), attrs);
+
+ /*
+ * Certificates
+ */
+ add(p, "CertificateFactory", "X.509",
+ "sun.security.provider.X509Factory",
+ createAliases("X509"), attrs);
+
+ /*
+ * KeyStore
+ */
+ add(p, "KeyStore", "PKCS12",
+ "sun.security.pkcs12.PKCS12KeyStore$DualFormatPKCS12",
+ null, null);
+ add(p, "KeyStore", "JKS",
+ "sun.security.provider.JavaKeyStore$DualFormatJKS",
+ null, attrs);
+ add(p, "KeyStore", "CaseExactJKS",
+ "sun.security.provider.JavaKeyStore$CaseExactJKS",
+ null, attrs);
+ add(p, "KeyStore", "DKS", "sun.security.provider.DomainKeyStore$DKS",
+ null, attrs);
- /*
- * Configuration
- */
- add(p, "Configuration", "JavaLoginConfig",
- "sun.security.provider.ConfigFile$Spi", null, null);
- /*
- * CertPathBuilder and CertPathValidator
- */
- attrs.clear();
- attrs.put("ValidationAlgorithm", "RFC5280");
- attrs.put("ImplementedIn", "Software");
+ /*
+ * CertStores
+ */
+ add(p, "CertStore", "Collection",
+ "sun.security.provider.certpath.CollectionCertStore",
+ null, attrs);
+ add(p, "CertStore", "com.sun.security.IndexedCollection",
+ "sun.security.provider.certpath.IndexedCollectionCertStore",
+ null, attrs);
- add(p, "CertPathBuilder", "PKIX",
- "sun.security.provider.certpath.SunCertPathBuilder",
- null, attrs);
- add(p, "CertPathValidator", "PKIX",
- "sun.security.provider.certpath.PKIXCertPathValidator",
- null, attrs);
- }
+ /*
+ * Policy
+ */
+ add(p, "Policy", "JavaPolicy", "sun.security.provider.PolicySpiFile",
+ null, null);
+
+ /*
+ * Configuration
+ */
+ add(p, "Configuration", "JavaLoginConfig",
+ "sun.security.provider.ConfigFile$Spi", null, null);
+
+ /*
+ * CertPathBuilder and CertPathValidator
+ */
+ attrs.clear();
+ attrs.put("ValidationAlgorithm", "RFC5280");
+ attrs.put("ImplementedIn", "Software");
+
+ add(p, "CertPathBuilder", "PKIX",
+ "sun.security.provider.certpath.SunCertPathBuilder",
+ null, attrs);
+ add(p, "CertPathValidator", "PKIX",
+ "sun.security.provider.certpath.PKIXCertPathValidator",
+ null, attrs);
}
Iterator iterator() {
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 9af64321c40..972f55d4f89 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -85,6 +85,58 @@ security.provider.tbd=Apple
security.provider.tbd=SunPKCS11
#endif
+#ifdef linux-x86
+#
+# Java Restricted Security Mode
+#
+RestrictedSecurity1.desc.name = Red Hat Enterprise Linux 8 NSS Cryptographic Module FIPS 140-2
+RestrictedSecurity1.desc.number = Certificate #3946
+RestrictedSecurity1.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3946
+RestrictedSecurity1.desc.sunsetDate = 2026-06-06
+
+RestrictedSecurity1.tls.disabledNamedCurves =
+RestrictedSecurity1.tls.disabledAlgorithms = X25519, X448, SSLv3, TLSv1, TLSv1.1, \
+ TLS_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \
+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, \
+ TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, \
+ TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, \
+ TLS_RSA_WITH_AES_128_CBC_SHA, TLS_AES_256_GCM_SHA384, \
+ TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, \
+ TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, \
+ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, \
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, \
+ TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+RestrictedSecurity1.tls.ephemeralDHKeySize =
+RestrictedSecurity1.tls.legacyAlgorithms =
+
+RestrictedSecurity1.jce.certpath.disabledAlgorithms =
+RestrictedSecurity1.jce.legacyAlgorithms =
+RestrictedSecurity1.jce.provider.1 = SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
+RestrictedSecurity1.jce.provider.2 = SUN [{CertificateFactory, X.509, ImplementedIn=Software}, \
+ {CertStore, Collection, ImplementedIn=Software}, \
+ {CertStore, com.sun.security.IndexedCollection, ImplementedIn=Software}, \
+ {Policy, JavaPolicy, *}, {Configuration, JavaLoginConfig, *}, \
+ {CertPathBuilder, PKIX, ValidationAlgorithm=RFC5280:ImplementedIn=Software}, \
+ {CertPathValidator, PKIX, ValidationAlgorithm=RFC5280:ImplementedIn=Software}]
+RestrictedSecurity1.jce.provider.3 = SunEC [{KeyFactory, EC, ImplementedIn=Software: \
+ SupportedKeyClasses=java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey: \
+ KeySize=256}, {AlgorithmParameters, EC, *}]
+RestrictedSecurity1.jce.provider.4 = SunJSSE
+
+RestrictedSecurity1.keystore.type = PKCS11
+RestrictedSecurity1.javax.net.ssl.keyStore = NONE
+
+RestrictedSecurity1.securerandom.provider = SunPKCS11-NSS-FIPS
+RestrictedSecurity1.securerandom.algorithm = PKCS11
+#endif
+
#
# A list of preferred providers for specific algorithms. These providers will
# be searched for matching algorithms before the list of registered providers.
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index fefcbf5ab0c..04873345e1f 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -55,7 +55,7 @@
import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
import jdk.internal.misc.InnocuousThread;
-import openj9.internal.security.FIPSConfigurator;
+import openj9.internal.security.RestrictedSecurity;
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
@@ -434,9 +434,9 @@ private static T checkNull(T obj) {
// When FIPS mode is enabled, configure p11 object to FIPS mode
// and pass the parent object so it can callback.
- if (FIPSConfigurator.enableFips()) {
+ if (RestrictedSecurity.isFIPSEnabled()) {
if (debug != null) {
- System.out.println("FIPS mode in SunPKCS11");
+ debug.println("FIPS mode in SunPKCS11");
}
@SuppressWarnings("unchecked")
diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
index b84049c0a03..475101f3612 100644
--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
@@ -39,8 +39,6 @@
import static sun.security.util.SecurityConstants.PROVIDER_VER;
-import openj9.internal.security.FIPSConfigurator;
-
import jdk.crypto.jniprovider.NativeCrypto;
/**
@@ -193,182 +191,128 @@ public Void run() {
void putEntries(boolean useFullImplementation) {
HashMap ATTRS = new HashMap<>(3);
-
- if (FIPSConfigurator.enableFips()) {
- ATTRS.put("ImplementedIn", "Software");
- String ecKeyClasses = "java.security.interfaces.ECPublicKey" +
- "|java.security.interfaces.ECPrivateKey";
- ATTRS.put("SupportedKeyClasses", ecKeyClasses);
- ATTRS.put("KeySize", "256");
-
- /*
- * Key Factory engine
- */
- putService(new ProviderService(this, "KeyFactory",
- "EC", "sun.security.ec.ECKeyFactory",
- new String[] { "EllipticCurve" }, ATTRS));
-
- /*
- * Algorithm Parameter engine
- */
- // "AlgorithmParameters.EC SupportedCurves" prop used by unit test
- boolean firstCurve = true;
- StringBuilder names = new StringBuilder();
- Pattern nameSplitPattern = Pattern.compile(CurveDB.SPLIT_PATTERN);
-
- Collection extends NamedCurve> supportedCurves =
- CurveDB.getSupportedCurves();
- for (NamedCurve namedCurve : supportedCurves) {
- if (!firstCurve) {
- names.append("|");
- } else {
- firstCurve = false;
- }
-
- names.append("[");
-
- String[] commonNames = nameSplitPattern.split(namedCurve.getName());
- for (String commonName : commonNames) {
- names.append(commonName.trim());
- names.append(",");
- }
-
- names.append(namedCurve.getObjectId());
- names.append("]");
+ ATTRS.put("ImplementedIn", "Software");
+ String ecKeyClasses = "java.security.interfaces.ECPublicKey" +
+ "|java.security.interfaces.ECPrivateKey";
+ ATTRS.put("SupportedKeyClasses", ecKeyClasses);
+ ATTRS.put("KeySize", "256");
+
+ /*
+ * Key Factory engine
+ */
+ putService(new ProviderService(this, "KeyFactory",
+ "EC", "sun.security.ec.ECKeyFactory",
+ new String[] { "EllipticCurve" }, ATTRS));
+
+ /*
+ * Algorithm Parameter engine
+ */
+ // "AlgorithmParameters.EC SupportedCurves" prop used by unit test
+ boolean firstCurve = true;
+ StringBuilder names = new StringBuilder();
+ Pattern nameSplitPattern = Pattern.compile(CurveDB.SPLIT_PATTERN);
+
+ Collection extends NamedCurve> supportedCurves =
+ CurveDB.getSupportedCurves();
+ for (NamedCurve namedCurve : supportedCurves) {
+ if (!firstCurve) {
+ names.append("|");
+ } else {
+ firstCurve = false;
}
- HashMap apAttrs = new HashMap<>(ATTRS);
- apAttrs.put("SupportedCurves", names.toString());
+ names.append("[");
- putService(new ProviderService(this, "AlgorithmParameters",
- "EC", "sun.security.util.ECParameters",
- new String[] { "EllipticCurve", "1.2.840.10045.2.1", "OID.1.2.840.10045.2.1" },
- apAttrs));
-
- } else {
- ATTRS.put("ImplementedIn", "Software");
- String ecKeyClasses = "java.security.interfaces.ECPublicKey" +
- "|java.security.interfaces.ECPrivateKey";
- ATTRS.put("SupportedKeyClasses", ecKeyClasses);
- ATTRS.put("KeySize", "256");
-
- /*
- * Key Factory engine
- */
- putService(new ProviderService(this, "KeyFactory",
- "EC", "sun.security.ec.ECKeyFactory",
- new String[] { "EllipticCurve" }, ATTRS));
-
- /*
- * Algorithm Parameter engine
- */
- // "AlgorithmParameters.EC SupportedCurves" prop used by unit test
- boolean firstCurve = true;
- StringBuilder names = new StringBuilder();
- Pattern nameSplitPattern = Pattern.compile(CurveDB.SPLIT_PATTERN);
-
- Collection extends NamedCurve> supportedCurves =
- CurveDB.getSupportedCurves();
- for (NamedCurve namedCurve : supportedCurves) {
- if (!firstCurve) {
- names.append("|");
- } else {
- firstCurve = false;
- }
-
- names.append("[");
-
- String[] commonNames = nameSplitPattern.split(namedCurve.getName());
- for (String commonName : commonNames) {
- names.append(commonName.trim());
- names.append(",");
- }
-
- names.append(namedCurve.getObjectId());
- names.append("]");
+ String[] commonNames = nameSplitPattern.split(namedCurve.getName());
+ for (String commonName : commonNames) {
+ names.append(commonName.trim());
+ names.append(",");
}
- HashMap apAttrs = new HashMap<>(ATTRS);
- apAttrs.put("SupportedCurves", names.toString());
+ names.append(namedCurve.getObjectId());
+ names.append("]");
+ }
- putService(new ProviderService(this, "AlgorithmParameters",
- "EC", "sun.security.util.ECParameters",
- new String[] { "EllipticCurve", "1.2.840.10045.2.1", "OID.1.2.840.10045.2.1" },
- apAttrs));
+ HashMap apAttrs = new HashMap<>(ATTRS);
+ apAttrs.put("SupportedCurves", names.toString());
- putXDHEntries();
+ putService(new ProviderService(this, "AlgorithmParameters",
+ "EC", "sun.security.util.ECParameters",
+ new String[] { "EllipticCurve", "1.2.840.10045.2.1", "OID.1.2.840.10045.2.1" },
+ apAttrs));
- /*
- * Register the algorithms below only when the full ECC implementation
- * is available
- */
- if (!useFullImplementation) {
- return;
- }
+ putXDHEntries();
- /*
- * Signature engines
- */
- putService(new ProviderService(this, "Signature",
- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
- null, ATTRS));
- putService(new ProviderService(this, "Signature",
- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
- new String[] { "1.2.840.10045.4.1", "OID.1.2.840.10045.4.1" },
- ATTRS));
- putService(new ProviderService(this, "Signature",
- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
- new String[] { "1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"},
- ATTRS));
- putService(new ProviderService(this, "Signature",
- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
- new String[] { "1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"},
- ATTRS));
- putService(new ProviderService(this, "Signature",
- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
- new String[] { "1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3" },
- ATTRS));
- putService(new ProviderService(this, "Signature",
- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
- new String[] { "1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4" },
- ATTRS));
-
- putService(new ProviderService(this, "Signature",
- "NONEwithECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$RawinP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA1withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA224withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA256withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA384withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA512withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
-
- /*
- * Key Pair Generator engine
- */
- putService(new ProviderService(this, "KeyPairGenerator",
- "EC", "sun.security.ec.ECKeyPairGenerator",
- new String[] { "EllipticCurve" }, ATTRS));
-
- /*
- * Key Agreement engine
- */
- if (useNativeEC && NativeCrypto.isAllowedAndLoaded()) {
- putService(new ProviderService(this, "KeyAgreement",
- "ECDH", "sun.security.ec.NativeECDHKeyAgreement", null, ATTRS));
- } else {
- putService(new ProviderService(this, "KeyAgreement",
- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
- }
+ /*
+ * Register the algorithms below only when the full ECC implementation
+ * is available
+ */
+ if (!useFullImplementation) {
+ return;
+ }
+
+ /*
+ * Signature engines
+ */
+ putService(new ProviderService(this, "Signature",
+ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+ null, ATTRS));
+ putService(new ProviderService(this, "Signature",
+ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+ new String[] { "1.2.840.10045.4.1", "OID.1.2.840.10045.4.1" },
+ ATTRS));
+ putService(new ProviderService(this, "Signature",
+ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+ new String[] { "1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"},
+ ATTRS));
+ putService(new ProviderService(this, "Signature",
+ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+ new String[] { "1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"},
+ ATTRS));
+ putService(new ProviderService(this, "Signature",
+ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+ new String[] { "1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3" },
+ ATTRS));
+ putService(new ProviderService(this, "Signature",
+ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+ new String[] { "1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4" },
+ ATTRS));
+
+ putService(new ProviderService(this, "Signature",
+ "NONEwithECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$RawinP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA1withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA224withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA256withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA384withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA512withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+
+ /*
+ * Key Pair Generator engine
+ */
+ putService(new ProviderService(this, "KeyPairGenerator",
+ "EC", "sun.security.ec.ECKeyPairGenerator",
+ new String[] { "EllipticCurve" }, ATTRS));
+
+ /*
+ * Key Agreement engine
+ */
+ if (useNativeEC && NativeCrypto.isAllowedAndLoaded()) {
+ putService(new ProviderService(this, "KeyAgreement",
+ "ECDH", "sun.security.ec.NativeECDHKeyAgreement", null, ATTRS));
+ } else {
+ putService(new ProviderService(this, "KeyAgreement",
+ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
}
}