3762N/A * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * The JSSE provider. 0N/A * The RSA implementation has been removed from JSSE, but we still need to 0N/A * register the same algorithms for compatibility. We just point to the RSA 0N/A * implementation in the SunRsaSign provider. This works because all classes 0N/A * are in the bootclasspath and therefore loaded by the same classloader. 0N/A * SunJSSE now supports an experimental FIPS compliant mode when used with an 0N/A * appropriate FIPS certified crypto provider. In FIPS mode, we: 2998N/A * . allow only TLS 1.0 or later 0N/A * . allow only FIPS approved ciphersuites 0N/A * . perform all crypto in the FIPS crypto provider 0N/A * It is currently not possible to use both FIPS compliant SunJSSE and 0N/A * standard JSSE at the same time because of the various static data structures 0N/A * However, we do want to allow FIPS mode to be enabled at runtime and without 0N/A * editing the java.security file. That means we need to allow 0N/A * Security.removeProvider("SunJSSE") to work, which creates an instance of 0N/A * this class in non-FIPS mode. That is why we delay the selection of the mode 0N/A * as long as possible. This is until we open an SSL/TLS connection and the 0N/A * data structures need to be initialized or until SunJSSE is initialized in 0N/A "Sun JSSE provider (FIPS mode, crypto provider ";
0N/A // null := no final decision made 0N/A // false := data structures initialized in non-FIPS mode 0N/A // true := data structures initialized in FIPS mode 0N/A // the FIPS certificate crypto provider that we use to perform all crypto 0N/A // operations. null in non-FIPS mode 0N/A protected static synchronized boolean isFIPS() {
0N/A // ensure we can use FIPS mode using the specified crypto provider. 0N/A // enable FIPS mode if not already enabled. 0N/A (
"SunJSSE already initialized in non-FIPS mode");
0N/A (
"SunJSSE already initialized with FIPS crypto provider " 0N/A // standard constructor 0N/A (
"SunJSSE is already initialized in FIPS mode");
0N/A // prefered constructor to enable FIPS mode at runtime 0N/A // constructor to enable FIPS mode from java.security file 0N/A // Calling Security.getProvider() will cause other providers to be 0N/A // loaded. That is not good but unavoidable here. 0N/A "sun.security.rsa.RSAKeyFactory");
0N/A put(
"Alg.Alias.KeyFactory.1.2.840.113549.1.1",
"RSA");
0N/A put(
"Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1",
"RSA");
0N/A "sun.security.rsa.RSAKeyPairGenerator");
0N/A put(
"Alg.Alias.KeyPairGenerator.1.2.840.113549.1.1",
"RSA");
0N/A put(
"Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.1",
"RSA");
0N/A "sun.security.rsa.RSASignature$MD2withRSA");
0N/A put(
"Alg.Alias.Signature.1.2.840.113549.1.1.2",
"MD2withRSA");
0N/A put(
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.2",
0N/A "sun.security.rsa.RSASignature$MD5withRSA");
0N/A put(
"Alg.Alias.Signature.1.2.840.113549.1.1.4",
"MD5withRSA");
0N/A put(
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.4",
0N/A "sun.security.rsa.RSASignature$SHA1withRSA");
0N/A put(
"Alg.Alias.Signature.1.2.840.113549.1.1.5",
"SHA1withRSA");
0N/A put(
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.5",
0N/A put(
"Alg.Alias.Signature.1.3.14.3.2.29",
"SHA1withRSA");
0N/A put(
"Alg.Alias.Signature.OID.1.3.14.3.2.29",
"SHA1withRSA");
0N/A put(
"Signature.MD5andSHA1withRSA",
0N/A "sun.security.ssl.RSASignature");
0N/A put(
"KeyManagerFactory.SunX509",
0N/A "sun.security.ssl.KeyManagerFactoryImpl$SunX509");
0N/A put(
"KeyManagerFactory.NewSunX509",
0N/A "sun.security.ssl.KeyManagerFactoryImpl$X509");
3762N/A put(
"Alg.Alias.KeyManagerFactory.PKIX",
"NewSunX509");
0N/A put(
"TrustManagerFactory.SunX509",
0N/A "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory");
0N/A put(
"TrustManagerFactory.PKIX",
0N/A "sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory");
0N/A put(
"Alg.Alias.TrustManagerFactory.SunPKIX",
"PKIX");
0N/A put(
"Alg.Alias.TrustManagerFactory.X509",
"PKIX");
0N/A put(
"Alg.Alias.TrustManagerFactory.X.509",
"PKIX");
3988N/A "sun.security.ssl.SSLContextImpl$TLS10Context");
3988N/A put(
"Alg.Alias.SSLContext.SSLv3",
"TLSv1");
3988N/A "sun.security.ssl.SSLContextImpl$TLS11Context");
3988N/A "sun.security.ssl.SSLContextImpl$TLS12Context");
3988N/A "sun.security.ssl.SSLContextImpl$DefaultSSLContext");
0N/A "sun.security.pkcs12.PKCS12KeyStore");