diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/GcmTls12NonceGeneratorUtil.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/GcmTls12NonceGeneratorUtil.java deleted file mode 100644 index 5b6eb958f5..0000000000 --- a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/GcmTls12NonceGeneratorUtil.java +++ /dev/null @@ -1,21 +0,0 @@ -package org.bouncycastle.tls.crypto.impl; - -public final class GcmTls12NonceGeneratorUtil -{ - private static volatile AEADNonceGeneratorFactory globalFactory = null; - - public static void setGcmTlsNonceGeneratorFactory(AEADNonceGeneratorFactory factory) - { - globalFactory = factory; - } - - public static boolean isGcmFipsNonceGeneratorFactorySet() - { - return globalFactory != null; - } - - public static AEADNonceGenerator createGcmFipsNonceGenerator(byte[] baseNonce, int counterSizeInBits) - { - return globalFactory == null ? null : globalFactory.create(baseNonce, counterSizeInBits); - } -} diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/TlsAEADCipher.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/TlsAEADCipher.java index d91efb00d5..8ac3ccec6b 100644 --- a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/TlsAEADCipher.java +++ b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/TlsAEADCipher.java @@ -45,10 +45,18 @@ public final class TlsAEADCipher private final boolean isTLSv13; private final int nonceMode; - private final AEADNonceGenerator gcmFipsNonceGenerator; + private final AEADNonceGenerator nonceGenerator; - public TlsAEADCipher(TlsCryptoParameters cryptoParams, TlsAEADCipherImpl encryptCipher, TlsAEADCipherImpl decryptCipher, - int keySize, int macSize, int aeadType) throws IOException + /** @deprecated Use version with extra 'nonceGeneratorFactory' parameter */ + public TlsAEADCipher(TlsCryptoParameters cryptoParams, TlsAEADCipherImpl encryptCipher, + TlsAEADCipherImpl decryptCipher, int keySize, int macSize, int aeadType) throws IOException + { + this(cryptoParams, encryptCipher, decryptCipher, keySize, macSize, aeadType, null); + } + + public TlsAEADCipher(TlsCryptoParameters cryptoParams, TlsAEADCipherImpl encryptCipher, + TlsAEADCipherImpl decryptCipher, int keySize, int macSize, int aeadType, + AEADNonceGeneratorFactory nonceGeneratorFactory) throws IOException { final SecurityParameters securityParameters = cryptoParams.getSecurityParametersHandshake(); final ProtocolVersion negotiatedVersion = securityParameters.getNegotiatedVersion(); @@ -94,7 +102,7 @@ public TlsAEADCipher(TlsCryptoParameters cryptoParams, TlsAEADCipherImpl encrypt final boolean isServer = cryptoParams.isServer(); if (isTLSv13) { - gcmFipsNonceGenerator = null; + nonceGenerator = null; rekeyCipher(securityParameters, decryptCipher, decryptNonce, !isServer); rekeyCipher(securityParameters, encryptCipher, encryptNonce, isServer); return; @@ -126,7 +134,7 @@ public TlsAEADCipher(TlsCryptoParameters cryptoParams, TlsAEADCipherImpl encrypt throw new TlsFatalAlert(AlertDescription.internal_error); } - if (AEAD_GCM == aeadType && GcmTls12NonceGeneratorUtil.isGcmFipsNonceGeneratorFactorySet()) + if (AEAD_GCM == aeadType && nonceGeneratorFactory != null) { int nonceLength = fixed_iv_length + record_iv_length; byte[] baseNonce = Arrays.copyOf(encryptNonce, nonceLength); @@ -141,12 +149,11 @@ public TlsAEADCipher(TlsCryptoParameters cryptoParams, TlsAEADCipherImpl encrypt { counterSizeInBits = record_iv_length * 8; // 64 } - gcmFipsNonceGenerator = GcmTls12NonceGeneratorUtil.createGcmFipsNonceGenerator(baseNonce, - counterSizeInBits); + nonceGenerator = nonceGeneratorFactory.create(baseNonce, counterSizeInBits); } else { - gcmFipsNonceGenerator = null; + nonceGenerator = null; } } @@ -183,9 +190,9 @@ public TlsEncodeResult encodePlaintext(long seqNo, short contentType, ProtocolVe { byte[] nonce = new byte[encryptNonce.length + record_iv_length]; - if (null != gcmFipsNonceGenerator) + if (null != nonceGenerator) { - gcmFipsNonceGenerator.generateNonce(nonce); + nonceGenerator.generateNonce(nonce); } else { diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsCrypto.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsCrypto.java index 52dd24f05d..c30d8d7025 100644 --- a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsCrypto.java +++ b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsCrypto.java @@ -63,6 +63,7 @@ import org.bouncycastle.tls.crypto.TlsSRP6VerifierGenerator; import org.bouncycastle.tls.crypto.TlsSRPConfig; import org.bouncycastle.tls.crypto.TlsSecret; +import org.bouncycastle.tls.crypto.impl.AEADNonceGeneratorFactory; import org.bouncycastle.tls.crypto.impl.AbstractTlsCrypto; import org.bouncycastle.tls.crypto.impl.TlsAEADCipher; import org.bouncycastle.tls.crypto.impl.TlsBlockCipher; @@ -594,7 +595,7 @@ protected BlockCipher createCBCBlockCipher(int encryptionAlgorithm) protected TlsCipher createChaCha20Poly1305(TlsCryptoParameters cryptoParams) throws IOException { return new TlsAEADCipher(cryptoParams, new BcChaCha20Poly1305(true), new BcChaCha20Poly1305(false), 32, 16, - TlsAEADCipher.AEAD_CHACHA20_POLY1305); + TlsAEADCipher.AEAD_CHACHA20_POLY1305, null); } protected TlsAEADCipher createCipher_AES_CCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize) @@ -603,7 +604,8 @@ protected TlsAEADCipher createCipher_AES_CCM(TlsCryptoParameters cryptoParams, i BcTlsAEADCipherImpl encrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_AES_CCM(), true); BcTlsAEADCipherImpl decrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_AES_CCM(), false); - return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_CCM); + return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_CCM, + null); } protected TlsAEADCipher createCipher_AES_GCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize) @@ -612,7 +614,8 @@ protected TlsAEADCipher createCipher_AES_GCM(TlsCryptoParameters cryptoParams, i BcTlsAEADCipherImpl encrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_AES_GCM(), true); BcTlsAEADCipherImpl decrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_AES_GCM(), false); - return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_GCM); + return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_GCM, + getGCMNonceGeneratorFactory()); } protected TlsAEADCipher createCipher_ARIA_GCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize) @@ -621,7 +624,8 @@ protected TlsAEADCipher createCipher_ARIA_GCM(TlsCryptoParameters cryptoParams, BcTlsAEADCipherImpl encrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_ARIA_GCM(), true); BcTlsAEADCipherImpl decrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_ARIA_GCM(), false); - return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_GCM); + return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_GCM, + getGCMNonceGeneratorFactory()); } protected TlsAEADCipher createCipher_Camellia_GCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize) @@ -630,7 +634,8 @@ protected TlsAEADCipher createCipher_Camellia_GCM(TlsCryptoParameters cryptoPara BcTlsAEADCipherImpl encrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_Camellia_GCM(), true); BcTlsAEADCipherImpl decrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_Camellia_GCM(), false); - return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_GCM); + return new TlsAEADCipher(cryptoParams, encrypt, decrypt, cipherKeySize, macSize, TlsAEADCipher.AEAD_GCM, + getGCMNonceGeneratorFactory()); } protected TlsCipher createCipher_CBC(TlsCryptoParameters cryptoParams, int encryptionAlgorithm, int cipherKeySize, @@ -651,7 +656,7 @@ protected TlsAEADCipher createCipher_SM4_CCM(TlsCryptoParameters cryptoParams) BcTlsAEADCipherImpl encrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_SM4_CCM(), true); BcTlsAEADCipherImpl decrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_SM4_CCM(), false); - return new TlsAEADCipher(cryptoParams, encrypt, decrypt, 16, 16, TlsAEADCipher.AEAD_CCM); + return new TlsAEADCipher(cryptoParams, encrypt, decrypt, 16, 16, TlsAEADCipher.AEAD_CCM, null); } protected TlsAEADCipher createCipher_SM4_GCM(TlsCryptoParameters cryptoParams) @@ -660,7 +665,8 @@ protected TlsAEADCipher createCipher_SM4_GCM(TlsCryptoParameters cryptoParams) BcTlsAEADCipherImpl encrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_SM4_GCM(), true); BcTlsAEADCipherImpl decrypt = new BcTlsAEADCipherImpl(createAEADBlockCipher_SM4_GCM(), false); - return new TlsAEADCipher(cryptoParams, encrypt, decrypt, 16, 16, TlsAEADCipher.AEAD_GCM); + return new TlsAEADCipher(cryptoParams, encrypt, decrypt, 16, 16, TlsAEADCipher.AEAD_GCM, + getGCMNonceGeneratorFactory()); } protected TlsNullCipher createNullCipher(TlsCryptoParameters cryptoParams, int macAlgorithm) @@ -741,6 +747,11 @@ protected AEADBlockCipher createAEADBlockCipher_SM4_GCM() return createGCMMode(createSM4Engine()); } + protected AEADNonceGeneratorFactory getGCMNonceGeneratorFactory() + { + return null; + } + public TlsHMAC createHMAC(int macAlgorithm) { switch (macAlgorithm) diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/GCMUtil.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/GCMUtil.java index c61091c5dd..9a7bcd7eba 100644 --- a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/GCMUtil.java +++ b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/GCMUtil.java @@ -6,6 +6,7 @@ import java.security.PrivilegedExceptionAction; import java.security.spec.AlgorithmParameterSpec; +import org.bouncycastle.tls.crypto.impl.AEADNonceGeneratorFactory; import org.bouncycastle.util.Integers; class GCMUtil @@ -30,6 +31,11 @@ public AlgorithmParameterSpec run() }); } + static AEADNonceGeneratorFactory getDefaultNonceGeneratorFactory() + { + return null; + } + static boolean isGCMParameterSpecAvailable() { return gcmParameterSpec != null; diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java index de665765b9..f4b5e3c364 100644 --- a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java +++ b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java @@ -58,6 +58,7 @@ import org.bouncycastle.tls.crypto.TlsSecret; import org.bouncycastle.tls.crypto.TlsStreamSigner; import org.bouncycastle.tls.crypto.TlsStreamVerifier; +import org.bouncycastle.tls.crypto.impl.AEADNonceGeneratorFactory; import org.bouncycastle.tls.crypto.impl.AbstractTlsCrypto; import org.bouncycastle.tls.crypto.impl.TlsAEADCipher; import org.bouncycastle.tls.crypto.impl.TlsAEADCipherImpl; @@ -1226,7 +1227,7 @@ private TlsCipher createChaCha20Poly1305(TlsCryptoParameters cryptoParams) throws IOException, GeneralSecurityException { return new TlsAEADCipher(cryptoParams, new JceChaCha20Poly1305(this, helper, true), - new JceChaCha20Poly1305(this, helper, false), 32, 16, TlsAEADCipher.AEAD_CHACHA20_POLY1305); + new JceChaCha20Poly1305(this, helper, false), 32, 16, TlsAEADCipher.AEAD_CHACHA20_POLY1305, null); } private TlsAEADCipher createCipher_AES_CCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize) @@ -1234,7 +1235,7 @@ private TlsAEADCipher createCipher_AES_CCM(TlsCryptoParameters cryptoParams, int { return new TlsAEADCipher(cryptoParams, createAEADCipher("AES/CCM/NoPadding", "AES", cipherKeySize, true), createAEADCipher("AES/CCM/NoPadding", "AES", cipherKeySize, false), cipherKeySize, macSize, - TlsAEADCipher.AEAD_CCM); + TlsAEADCipher.AEAD_CCM, null); } private TlsAEADCipher createCipher_AES_GCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize) @@ -1242,7 +1243,7 @@ private TlsAEADCipher createCipher_AES_GCM(TlsCryptoParameters cryptoParams, int { return new TlsAEADCipher(cryptoParams, createAEADCipher("AES/GCM/NoPadding", "AES", cipherKeySize, true), createAEADCipher("AES/GCM/NoPadding", "AES", cipherKeySize, false), cipherKeySize, macSize, - TlsAEADCipher.AEAD_GCM); + TlsAEADCipher.AEAD_GCM, getGCMNonceGeneratorFactory()); } private TlsAEADCipher createCipher_ARIA_GCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize) @@ -1250,7 +1251,7 @@ private TlsAEADCipher createCipher_ARIA_GCM(TlsCryptoParameters cryptoParams, in { return new TlsAEADCipher(cryptoParams, createAEADCipher("ARIA/GCM/NoPadding", "ARIA", cipherKeySize, true), createAEADCipher("ARIA/GCM/NoPadding", "ARIA", cipherKeySize, false), cipherKeySize, macSize, - TlsAEADCipher.AEAD_GCM); + TlsAEADCipher.AEAD_GCM, getGCMNonceGeneratorFactory()); } private TlsAEADCipher createCipher_Camellia_GCM(TlsCryptoParameters cryptoParams, int cipherKeySize, int macSize) @@ -1259,7 +1260,7 @@ private TlsAEADCipher createCipher_Camellia_GCM(TlsCryptoParameters cryptoParams return new TlsAEADCipher(cryptoParams, createAEADCipher("Camellia/GCM/NoPadding", "Camellia", cipherKeySize, true), createAEADCipher("Camellia/GCM/NoPadding", "Camellia", cipherKeySize, false), cipherKeySize, macSize, - TlsAEADCipher.AEAD_GCM); + TlsAEADCipher.AEAD_GCM, getGCMNonceGeneratorFactory()); } protected TlsCipher createCipher_CBC(TlsCryptoParameters cryptoParams, String algorithm, int cipherKeySize, @@ -1280,7 +1281,7 @@ private TlsAEADCipher createCipher_SM4_CCM(TlsCryptoParameters cryptoParams) int cipherKeySize = 16, macSize = 16; return new TlsAEADCipher(cryptoParams, createAEADCipher("SM4/CCM/NoPadding", "SM4", cipherKeySize, true), createAEADCipher("SM4/CCM/NoPadding", "SM4", cipherKeySize, false), cipherKeySize, macSize, - TlsAEADCipher.AEAD_CCM); + TlsAEADCipher.AEAD_CCM, null); } private TlsAEADCipher createCipher_SM4_GCM(TlsCryptoParameters cryptoParams) @@ -1289,7 +1290,12 @@ private TlsAEADCipher createCipher_SM4_GCM(TlsCryptoParameters cryptoParams) int cipherKeySize = 16, macSize = 16; return new TlsAEADCipher(cryptoParams, createAEADCipher("SM4/GCM/NoPadding", "SM4", cipherKeySize, true), createAEADCipher("SM4/GCM/NoPadding", "SM4", cipherKeySize, false), cipherKeySize, macSize, - TlsAEADCipher.AEAD_GCM); + TlsAEADCipher.AEAD_GCM, getGCMNonceGeneratorFactory()); + } + + protected AEADNonceGeneratorFactory getGCMNonceGeneratorFactory() + { + return GCMUtil.getDefaultNonceGeneratorFactory(); } String getDigestName(int cryptoHashAlgorithm) diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesEngineTestCase.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesEngineTestCase.java index 528d8d8141..458d0dd109 100644 --- a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesEngineTestCase.java +++ b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesEngineTestCase.java @@ -44,14 +44,6 @@ public CipherSuitesEngineTestCase(CipherSuitesTestConfig config) this.config = config; } - protected void setUp() - { - if (config != null) - { - ProviderUtils.setupHighPriority(config.fips); - } - } - public void testDummy() { // Avoid "No tests found" warning from junit diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesEngineTestSuite.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesEngineTestSuite.java index 5026e01a17..e67985c24b 100644 --- a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesEngineTestSuite.java +++ b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesEngineTestSuite.java @@ -9,6 +9,7 @@ import org.junit.Assert; +import junit.extensions.TestSetup; import junit.framework.Test; import junit.framework.TestSuite; @@ -23,7 +24,9 @@ public CipherSuitesEngineTestSuite() public static Test suite() throws Exception { - return createSuite(new CipherSuitesEngineTestSuite(), null, false, new CipherSuitesFilter() + ProviderUtils.setupHighPriority(false); + + TestSuite suite = createSuite(new CipherSuitesEngineTestSuite(), null, false, new CipherSuitesFilter() { public boolean isIgnored(String cipherSuite) { @@ -40,14 +43,20 @@ public boolean isPermitted(String cipherSuite) return true; } }); + + return new TestSetup(suite) + { + @Override + protected void setUp() throws Exception + { + ProviderUtils.setupHighPriority(false); + } + }; } - static Test createSuite(TestSuite testSuite, String category, boolean fips, CipherSuitesFilter filter) + static TestSuite createSuite(TestSuite testSuite, String category, boolean fips, CipherSuitesFilter filter) throws Exception { - // TODO Consider configuring BCJSSE with explicit crypto provider (maybe only when in fips mode?) - ProviderUtils.setupHighPriority(fips); - char[] serverPassword = "serverPassword".toCharArray(); KeyPair caKeyPairDSA = TestUtils.generateDSAKeyPair(); @@ -126,7 +135,6 @@ static Test createSuite(TestSuite testSuite, String category, boolean fips, Ciph config.category = category; config.cipherSuite = cipherSuite; config.clientTrustStore = ts; - config.fips = fips; config.protocol = protocol; config.serverKeyStore = ks; config.serverPassword = serverPassword; diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestCase.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestCase.java index 61d1badd58..8fc7ec87e0 100644 --- a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestCase.java +++ b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestCase.java @@ -47,14 +47,6 @@ public CipherSuitesTestCase(CipherSuitesTestConfig config) this.config = config; } - protected void setUp() - { - if (config != null) - { - ProviderUtils.setupHighPriority(config.fips); - } - } - public void testDummy() { // Avoid "No tests found" warning from junit diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestConfig.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestConfig.java index 6d15796bcd..19843b32e9 100644 --- a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestConfig.java +++ b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestConfig.java @@ -7,7 +7,6 @@ public class CipherSuitesTestConfig public String category = null; public String cipherSuite = null; public KeyStore clientTrustStore = null; - public boolean fips = false; public String protocol = null; public KeyStore serverKeyStore = null; public char[] serverPassword = null; diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestSuite.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestSuite.java index 4c38503051..a9393f884b 100644 --- a/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestSuite.java +++ b/tls/src/test/java/org/bouncycastle/jsse/provider/test/CipherSuitesTestSuite.java @@ -7,6 +7,7 @@ import javax.net.ssl.SSLContext; +import junit.extensions.TestSetup; import junit.framework.Assert; import junit.framework.Test; import junit.framework.TestSuite; @@ -22,7 +23,9 @@ public CipherSuitesTestSuite() public static Test suite() throws Exception { - return createSuite(new CipherSuitesTestSuite(), null, false, new CipherSuitesFilter() + ProviderUtils.setupHighPriority(false); + + TestSuite suite = createSuite(new CipherSuitesTestSuite(), null, false, new CipherSuitesFilter() { public boolean isIgnored(String cipherSuite) { @@ -39,14 +42,20 @@ public boolean isPermitted(String cipherSuite) return true; } }); + + return new TestSetup(suite) + { + @Override + protected void setUp() throws Exception + { + ProviderUtils.setupHighPriority(false); + } + }; } - static Test createSuite(TestSuite testSuite, String category, boolean fips, CipherSuitesFilter filter) + static TestSuite createSuite(TestSuite testSuite, String category, boolean fips, CipherSuitesFilter filter) throws Exception { - // TODO Consider configuring BCJSSE with explicit crypto provider (maybe only when in fips mode?) - ProviderUtils.setupHighPriority(fips); - char[] serverPassword = "serverPassword".toCharArray(); KeyPair caKeyPairDSA = TestUtils.generateDSAKeyPair(); @@ -125,7 +134,6 @@ static Test createSuite(TestSuite testSuite, String category, boolean fips, Ciph config.category = category; config.cipherSuite = cipherSuite; config.clientTrustStore = ts; - config.fips = fips; config.protocol = protocol; config.serverKeyStore = ks; config.serverPassword = serverPassword; diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsCipherSuitesEngineTestSuite.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsCipherSuitesEngineTestSuite.java index 251a829fab..8f69139688 100644 --- a/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsCipherSuitesEngineTestSuite.java +++ b/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsCipherSuitesEngineTestSuite.java @@ -1,5 +1,6 @@ package org.bouncycastle.jsse.provider.test; +import junit.extensions.TestSetup; import junit.framework.Test; import junit.framework.TestSuite; @@ -14,7 +15,10 @@ public FipsCipherSuitesEngineTestSuite() public static Test suite() throws Exception { - return CipherSuitesEngineTestSuite.createSuite(new FipsCipherSuitesEngineTestSuite(), "FIPS", true, new CipherSuitesFilter() + FipsTestUtils.setupFipsSuite(); + + TestSuite suite = CipherSuitesEngineTestSuite.createSuite(new FipsCipherSuitesEngineTestSuite(), "FIPS", true, + new CipherSuitesFilter() { public boolean isIgnored(String cipherSuite) { @@ -26,5 +30,22 @@ public boolean isPermitted(String cipherSuite) return FipsCipherSuitesTestSuite.isFipsSupportedCipherSuite(cipherSuite); } }); + + FipsTestUtils.teardownFipsSuite(); + + return new TestSetup(suite) + { + @Override + protected void setUp() throws Exception + { + FipsTestUtils.setupFipsSuite(); + } + + @Override + protected void tearDown() throws Exception + { + FipsTestUtils.teardownFipsSuite(); + } + }; } } diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsCipherSuitesTestSuite.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsCipherSuitesTestSuite.java index 9988443e5d..db389e8276 100644 --- a/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsCipherSuitesTestSuite.java +++ b/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsCipherSuitesTestSuite.java @@ -4,15 +4,13 @@ import java.util.HashSet; import java.util.Set; +import junit.extensions.TestSetup; import junit.framework.Test; import junit.framework.TestSuite; public class FipsCipherSuitesTestSuite extends TestSuite { - private static final boolean provAllowGCMCiphersIn12 = false; - private static final boolean provAllowRSAKeyExchange = true; - private static final Set FIPS_SUPPORTED_CIPHERSUITES = createFipsSupportedCipherSuites(); private static Set createFipsSupportedCipherSuites() @@ -80,7 +78,7 @@ private static Set createFipsSupportedCipherSuites() cs.add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"); cs.add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"); - if (provAllowGCMCiphersIn12) + if (FipsTestUtils.provAllowGCMCiphersIn12) { // cs.add("TLS_DH_DSS_WITH_AES_128_GCM_SHA256"); // cs.add("TLS_DH_DSS_WITH_AES_256_GCM_SHA384"); @@ -107,7 +105,7 @@ private static Set createFipsSupportedCipherSuites() cs.add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"); } - if (provAllowRSAKeyExchange) + if (FipsTestUtils.provAllowRSAKeyExchange) { cs.add("TLS_RSA_WITH_AES_128_CBC_SHA"); cs.add("TLS_RSA_WITH_AES_128_CBC_SHA256"); @@ -118,7 +116,7 @@ private static Set createFipsSupportedCipherSuites() cs.add("TLS_RSA_WITH_AES_256_CCM"); cs.add("TLS_RSA_WITH_AES_256_CCM_8"); - if (provAllowGCMCiphersIn12) + if (FipsTestUtils.provAllowGCMCiphersIn12) { cs.add("TLS_RSA_WITH_AES_128_GCM_SHA256"); cs.add("TLS_RSA_WITH_AES_256_GCM_SHA384"); @@ -141,7 +139,10 @@ public FipsCipherSuitesTestSuite() public static Test suite() throws Exception { - return CipherSuitesTestSuite.createSuite(new FipsCipherSuitesTestSuite(), "FIPS", true, new CipherSuitesFilter() + FipsTestUtils.setupFipsSuite(); + + TestSuite suite = CipherSuitesTestSuite.createSuite(new FipsCipherSuitesTestSuite(), "FIPS", true, + new CipherSuitesFilter() { public boolean isIgnored(String cipherSuite) { @@ -153,5 +154,22 @@ public boolean isPermitted(String cipherSuite) return isFipsSupportedCipherSuite(cipherSuite); } }); + + FipsTestUtils.teardownFipsSuite(); + + return new TestSetup(suite) + { + @Override + protected void setUp() throws Exception + { + FipsTestUtils.setupFipsSuite(); + } + + @Override + protected void tearDown() throws Exception + { + FipsTestUtils.teardownFipsSuite(); + } + }; } } diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsJcaTlsCrypto.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsJcaTlsCrypto.java new file mode 100644 index 0000000000..76b6be06b5 --- /dev/null +++ b/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsJcaTlsCrypto.java @@ -0,0 +1,22 @@ +package org.bouncycastle.jsse.provider.test; + +import java.security.SecureRandom; + +import org.bouncycastle.jcajce.util.JcaJceHelper; +import org.bouncycastle.tls.crypto.impl.AEADNonceGeneratorFactory; +import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto; +import org.bouncycastle.tls.test.TestAEADGeneratorFactory; + +public class FipsJcaTlsCrypto extends JcaTlsCrypto +{ + public FipsJcaTlsCrypto(JcaJceHelper helper, SecureRandom entropySource, SecureRandom nonceEntropySource) + { + super(helper, entropySource, nonceEntropySource); + } + + @Override + protected AEADNonceGeneratorFactory getGCMNonceGeneratorFactory() + { + return FipsTestUtils.provAllowGCMCiphersIn12 ? TestAEADGeneratorFactory.INSTANCE : null; + } +} diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsJcaTlsCryptoProvider.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsJcaTlsCryptoProvider.java new file mode 100644 index 0000000000..8bb004e806 --- /dev/null +++ b/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsJcaTlsCryptoProvider.java @@ -0,0 +1,15 @@ +package org.bouncycastle.jsse.provider.test; + +import java.security.SecureRandom; + +import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto; +import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider; + +public class FipsJcaTlsCryptoProvider extends JcaTlsCryptoProvider +{ + @Override + public JcaTlsCrypto create(SecureRandom keyRandom, SecureRandom nonceRandom) + { + return new FipsJcaTlsCrypto(getHelper(), keyRandom, nonceRandom); + } +} diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsTestUtils.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsTestUtils.java new file mode 100644 index 0000000000..274b847fae --- /dev/null +++ b/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsTestUtils.java @@ -0,0 +1,48 @@ +package org.bouncycastle.jsse.provider.test; + +import java.security.Provider; +import java.security.Security; + +abstract class FipsTestUtils +{ + static final boolean provAllowGCMCiphersIn12 = + "true".equalsIgnoreCase(System.getProperty("org.bouncycastle.jsse.fips.allowGCMCiphersIn12")); + + static final boolean provAllowRSAKeyExchange = + "true".equalsIgnoreCase(System.getProperty("org.bouncycastle.jsse.fips.allowRSAKeyExchange")); + + static void setupFipsSuite() + { + if (!provAllowGCMCiphersIn12) + { + ProviderUtils.setupHighPriority(true); + return; + } + + Provider bc = ProviderUtils.getProviderBC(); + + if (bc == null) + { + bc = ProviderUtils.createProviderBC(); + } + else + { + ProviderUtils.removeProviderBC(); + } + + ProviderUtils.removeProviderBCJSSE(); + + Provider bcjsse = ProviderUtils.createProviderBCJSSE(true, new FipsJcaTlsCryptoProvider().setProvider(bc)); + + Security.insertProviderAt(bc, 1); + Security.insertProviderAt(bcjsse, 2); + } + + static void teardownFipsSuite() + { + if (provAllowGCMCiphersIn12) + { + ProviderUtils.removeProviderBCJSSE(); + } + } +} diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/ProviderUtils.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/ProviderUtils.java index b71881e8eb..d9242d792b 100644 --- a/tls/src/test/java/org/bouncycastle/jsse/provider/test/ProviderUtils.java +++ b/tls/src/test/java/org/bouncycastle/jsse/provider/test/ProviderUtils.java @@ -24,9 +24,7 @@ static Provider createProviderBCJSSE() static Provider createProviderBCJSSE(boolean fips) { - // TODO Use new constructor when available -// return new BouncyCastleJsseProvider(fips); - return new BouncyCastleJsseProvider(fips, new JcaTlsCryptoProvider()); + return new BouncyCastleJsseProvider(fips); } static Provider createProviderBCJSSE(Provider bc) @@ -44,6 +42,11 @@ static Provider createProviderBCJSSE(String config) return new BouncyCastleJsseProvider(config); } + static Provider createProviderBCJSSE(boolean fips, JcaTlsCryptoProvider cryptoProvider) + { + return new BouncyCastleJsseProvider(fips, cryptoProvider); + } + static Provider getProviderBC() { return Security.getProvider(PROVIDER_NAME_BC); diff --git a/tls/src/test/java/org/bouncycastle/tls/test/AllTests.java b/tls/src/test/java/org/bouncycastle/tls/test/AllTests.java index 61098a7a4d..64b985fe45 100644 --- a/tls/src/test/java/org/bouncycastle/tls/test/AllTests.java +++ b/tls/src/test/java/org/bouncycastle/tls/test/AllTests.java @@ -1,6 +1,5 @@ package org.bouncycastle.tls.test; -import org.bouncycastle.tls.crypto.impl.GcmTls12NonceGeneratorUtil; import org.bouncycastle.test.PrintTestResult; import junit.extensions.TestSetup; @@ -15,13 +14,6 @@ public static void main(String[] args) throws Exception { PrintTestResult.printResult(junit.textui.TestRunner.run(suite())); - PrintTestResult.printResult(junit.textui.TestRunner.run(suiteWithCustomNonceGeneratorForTls12())); - } - - public static Test suiteWithCustomNonceGeneratorForTls12() throws Exception - { - GcmTls12NonceGeneratorUtil.setGcmTlsNonceGeneratorFactory(TestAEADGeneratorFactory.INSTANCE); - return suite(); } public static Test suite() diff --git a/tls/src/test/java/org/bouncycastle/tls/test/TestAEADGeneratorFactory.java b/tls/src/test/java/org/bouncycastle/tls/test/TestAEADGeneratorFactory.java index eb26841355..98ee98976b 100644 --- a/tls/src/test/java/org/bouncycastle/tls/test/TestAEADGeneratorFactory.java +++ b/tls/src/test/java/org/bouncycastle/tls/test/TestAEADGeneratorFactory.java @@ -3,7 +3,7 @@ import org.bouncycastle.tls.crypto.impl.AEADNonceGenerator; import org.bouncycastle.tls.crypto.impl.AEADNonceGeneratorFactory; -class TestAEADGeneratorFactory +public class TestAEADGeneratorFactory implements AEADNonceGeneratorFactory { public static final AEADNonceGeneratorFactory INSTANCE = new TestAEADGeneratorFactory();