diff --git a/closed/test/jdk/TEST.ROOT b/closed/test/jdk/TEST.ROOT new file mode 100644 index 00000000000..dbac953bb69 --- /dev/null +++ b/closed/test/jdk/TEST.ROOT @@ -0,0 +1,3 @@ +# Path to libraries in the topmost test directory. This is needed so @library +# does not need ../../../ notation to reach them +external.lib.roots = ../../../ diff --git a/closed/test/jdk/openj9/internal/security/TestProperties.java b/closed/test/jdk/openj9/internal/security/TestProperties.java new file mode 100644 index 00000000000..a83d34fdbb1 --- /dev/null +++ b/closed/test/jdk/openj9/internal/security/TestProperties.java @@ -0,0 +1,184 @@ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * IBM designates this particular file as subject to the "Classpath" exception + * as provided by IBM in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, see . + * + * =========================================================================== + */ + + /* + * @test + * @summary Test Restricted Security Mode Properties + * @library /test/lib + * @run junit TestProperties + */ + +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.Arguments; +import org.junit.jupiter.params.provider.MethodSource; + +import java.security.Provider; +import java.security.Security; + +import java.util.stream.Stream; + +import jdk.test.lib.process.OutputAnalyzer; +import jdk.test.lib.process.ProcessTools; + +public class TestProperties { + + private static Stream patternMatches_expectedExitValue1() { + return Stream.of( + // 1 - Test profile - base profile misspell properties + Arguments.of("Test-Profile.Base", + System.getProperty("test.src") + "/property-java.security", + "The property names: RestrictedSecurity.Test-Profile.Base.tls.disabledAlgorithmsWrongTypo " + + "in profile RestrictedSecurity.Test-Profile.Base \\(or a base profile\\) are not recognized"), + // 2 - Test profile - extenstion profile misspell properties + Arguments.of("Test-Profile.Extended_1", + System.getProperty("test.src") + "/property-java.security", + "The property names: RestrictedSecurity.Test-Profile.Extended_1.desc.nameWrongTypo, " + + "RestrictedSecurity.Test-Profile.Extended_1.jce.providerWrongTypo in profile " + + "RestrictedSecurity.Test-Profile.Extended_1 \\(or a base profile\\) are not recognized"), + // 3 - Test profile - extension profile from another extension profile misspell properties + Arguments.of("Test-Profile.Extended_2", + System.getProperty("test.src") + "/property-java.security", + "The property names: RestrictedSecurity.Test-Profile.Extended_2.jce.providerWrongTypo " + + "in profile RestrictedSecurity.Test-Profile.Extended_2 \\(or a base profile\\) are not recognized"), + // 4 - Test profile - profile not exist + Arguments.of("Test-Profile-NotExist.Base", + System.getProperty("test.src") + "/property-java.security", + "Test-Profile.NotExist.Base is not present in the java.security file."), + // 5 - Test profile - Multi Default profile + Arguments.of("Test-Profile-MultiDefault", + System.getProperty("test.src") + "/property-java.security", + "Multiple default RestrictedSecurity profiles for Test-Profile-MultiDefault"), + // 6 - Test profile - no default profile + Arguments.of("Test-Profile-NoDefault", + System.getProperty("test.src") + "/property-java.security", + "No default RestrictedSecurity profile was found for Test-Profile-NoDefault"), + // 7 - Test profile - base profile not exist + Arguments.of("Test-Profile.Extended_3", + System.getProperty("test.src") + "/property-java.security", + "RestrictedSecurity.Test-Profile.BaseNotExist that is supposed to extend \\'RestrictedSecurity.Test-Profile.Extended_3\\' " + + "is not present in the java.security file or any appended files"), + // 8 - Test profile - base profile not full profile name + Arguments.of("Test-Profile.Extended_4", + System.getProperty("test.src") + "/property-java.security", + "RestrictedSecurity.BaseNotFullProfileName that is supposed to extend \\'RestrictedSecurity.Test-Profile.Extended_4\\' " + + "is not a full profile name"), + // 9 - Test profile - base profile without hash value + Arguments.of("Test-Profile-BaseWithoutHash", + System.getProperty("test.src") + "/property-java.security", + "Test-Profile-BaseWithoutHash is a base profile, so a hash value is mandatory"), + // 10 - Test profile - incorrect definition of hash value + Arguments.of("Test-Profile-Hash_1", + System.getProperty("test.src") + "/property-java.security", + "Incorrect definition of hash value for RestrictedSecurity.Test-Profile-Hash_1"), + // 11 - Test profile - incorrect hash value + Arguments.of("Test-Profile-Hash_2", + System.getProperty("test.src") + "/property-java.security", + "Hex produced from profile is not the same is a base profile, so a hash value is mandatory"), + // 12 - Test property - property not appendable + Arguments.of("Test-Profile-SetProperty.Extension_1", + System.getProperty("test.src") + "/property-java.security", + "Property \\'jdkSecureRandomProvider\\' is not appendable"), + // 13 - Test property - property does not exist in parent profile, cannot append + Arguments.of("Test-Profile-SetProperty.Extension_2", + System.getProperty("test.src") + "/property-java.security", + "Property \\'jdkTlsDisabledNamedCurves\\' does not exist in parent profile or java.security file. Cannot append"), + // 14 - Test property - property value is not in existing values + Arguments.of("Test-Profile-SetProperty.Extension_3", + System.getProperty("test.src") + "/property-java.security", + "Value \\'TestDisabledlgorithms\\' is not in existing values"), + // 15 - Test property - policy sunset + Arguments.of("Test-Profile-PolicySunset.Base", + System.getProperty("test.src") + "/property-java.security", + "Restricted security policy expired"), + // 16 - Test property - policy sunset format + Arguments.of("Test-Profile-PolicySunsetFormat.Base", + System.getProperty("test.src") + "/property-java.security", + "Restricted security policy sunset date is incorrect, the correct format is yyyy-MM-dd"), + // 17 - Test property - secure random check 1 + Arguments.of("Test-Profile-SecureRandomCheck_1", + System.getProperty("test.src") + "/property-java.security", + "Restricted security mode secure random is missing"), + // 18 - Test property - secure random check 2 + Arguments.of("Test-Profile-SecureRandomCheck_2", + System.getProperty("test.src") + "/property-java.security", + "Restricted security mode secure random is missing"), + // 19 - Test constraint - constraint check 1 + Arguments.of("Test-Profile-Constraint_1", + System.getProperty("test.src") + "/property-java.security", + "Provider format is incorrect"), + // 20 - Test constraint - constraint check 2 + Arguments.of("Test-Profile-Constraint_2", + System.getProperty("test.src") + "/property-java.security", + "Incorrect constraint definition for provider"), + // 21 - Test constraint - constraint check 3 + Arguments.of("Test-Profile-Constraint_3", + System.getProperty("test.src") + "/property-java.security", + "Incorrect constraint definition for provider"), + // 22 - Test constraint - constraint attributes check + Arguments.of("Test-Profile-Constraint_Attributes", + System.getProperty("test.src") + "/property-java.security", + "Constraint attributes format is incorrect"), + // 23 - Test constraint - constraint changed 1 + Arguments.of("Test-Profile-ConstraintChanged_1.Extension", + System.getProperty("test.src") + "/property-java.security", + "Cannot append or remove constraints since the provider (.*?) " + + "wasn't in this position in the profile extended"), + // 24 - Test constraint - constraint changed 2 + Arguments.of("Test-Profile-ConstraintChanged_2.Extension", + System.getProperty("test.src") + "/property-java.security", + "Constraint (.*?)is not part of existing constraints"), + // 25 - Test constraint - constraint changed 3 + Arguments.of("Test-Profile-ConstraintChanged_3.Base", + System.getProperty("test.src") + "/property-java.security", + "You cannot add or remove to provider (.*?). This is the base profile.") + ); + } + + @ParameterizedTest + @MethodSource("patternMatches_expectedExitValue1") + public void shouldContain_expectedExitValue1(String customprofile, String securityPropertyFile, String expected) throws Exception { + OutputAnalyzer outputAnalyzer = ProcessTools.executeTestJava( + "-Dsemeru.fips=true", + "-Dsemeru.customprofile=" + customprofile, + "-Djava.security.properties=" + securityPropertyFile, + //"-Djava.security.debug=semerufips", + "TestProperties" + ); + outputAnalyzer.reportDiagnosticSummary(); + outputAnalyzer.shouldHaveExitValue(1).shouldMatch(expected); + } + + public static void main(String[] args) throws Exception { + // Something to trigger "properties" debug output + try { + Provider p[] = Security.getProviders(); + for (int i = 0; i < p.length; i++) { + System.out.println("Provider Name: " + p[i].getName()); + System.out.println("Provider Version: " + p[i].getVersion()); + } + } catch (Exception e) { + System.out.println(e); + } + } +} diff --git a/closed/test/jdk/openj9/internal/security/TestProviders.java b/closed/test/jdk/openj9/internal/security/TestProviders.java new file mode 100644 index 00000000000..c5b3427a626 --- /dev/null +++ b/closed/test/jdk/openj9/internal/security/TestProviders.java @@ -0,0 +1,162 @@ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * IBM designates this particular file as subject to the "Classpath" exception + * as provided by IBM in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, see . + * + * =========================================================================== + */ + + /* + * @test + * @summary Test Restricted Security Mode Provider List + * @library /test/lib + * @run junit TestProviders + */ + +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.Arguments; +import org.junit.jupiter.params.provider.MethodSource; + +import java.security.Provider; +import java.security.Security; + +import java.util.stream.Stream; + +import jdk.test.lib.process.OutputAnalyzer; +import jdk.test.lib.process.ProcessTools; + +public class TestProviders { + + private static Stream patternMatches_expectedExitValue0() { + return Stream.of( + // Test OpenJCEPlusFIPS strict profile provider list + Arguments.of("OpenJCEPlusFIPS.FIPS140-3", + System.getProperty("test.src") + "/provider-java.security", + "(?s)(?=.*OpenJCEPlusFIPS)(?=.*\\bSUN\\b)(?=.*SunJSSE)"), + // Test OpenJCEPlusFIPS default profile provider list + Arguments.of("OpenJCEPlusFIPS", + System.getProperty("test.src") + "/provider-java.security", + "(?s)(?=.*OpenJCEPlusFIPS)(?=.*\\bSUN\\b)(?=.*SunRsaSign)" + + "(?=.*SunEC)(?=.*SunJSSE)(?=.*SunJCE)(?=.*SunJGSS)(?=.*SunSASL)" + + "(?=.*XMLDSig)(?=.*SunPCSC)(?=.*JdkLDAP)(?=.*JdkSASL)"), + // Test OpenJCEPlusFIPS weakly enforced profile provider list + Arguments.of("OpenJCEPlusFIPS.FIPS140-3-Weakly-Enforced", + System.getProperty("test.src") + "/provider-java.security", + "(?s)(?=.*OpenJCEPlusFIPS)(?=.*\\bSUN\\b)(?=.*SunRsaSign)" + + "(?=.*SunEC)(?=.*SunJSSE)(?=.*SunJCE)(?=.*SunJGSS)(?=.*SunSASL)" + + "(?=.*XMLDSig)(?=.*SunPCSC)(?=.*JdkLDAP)(?=.*JdkSASL)"), + // Test update provider list with value + Arguments.of("Test-Profile.Updated_1", + System.getProperty("test.src") + "/provider-java.security", + "(?s)(?=.*OpenJCEPlusFIPS)(?=.*\\bSUN\\b)(?=.*SunSASL)"), + // Test update provider list with null + Arguments.of("Test-Profile.Updated_2", + System.getProperty("test.src") + "/provider-java.security", + "(?s)(?=.*OpenJCEPlusFIPS)(?=.*\\bSUN\\b)(?=.*SunJSSE)") + ); + } + + private static Stream patternMatches_expectedExitValue1() { + return Stream.of( + // Test base profile - provider order numbers are not consecutive + Arguments.of("Test-Profile.Base", + System.getProperty("test.src") + "/provider-java.security", + "The order numbers of providers in profile RestrictedSecurity.Test-Profile.Base " + + "\\(or a base profile\\) are not consecutive"), + // Test extended profile, provider order numbers are not consecutive + Arguments.of("Test-Profile.Extended_1", + System.getProperty("test.src") + "/provider-java.security", + "The order numbers of providers in profile RestrictedSecurity.Test-Profile.Extended_1 " + + "\\(or a base profile\\) are not consecutive."), + // Test extended profile from another extended profile, provider order numbers are not consecutive + Arguments.of("Test-Profile.Extended_2", + System.getProperty("test.src") + "/provider-java.security", + "The order numbers of providers in profile RestrictedSecurity.Test-Profile.Extended_2 " + + "\\(or a base profile\\) are not consecutive."), + // Test update provider list with empty, the empty is the last one in base profile + Arguments.of("Test-Profile.Updated_3", + System.getProperty("test.src") + "/provider-java.security", + "Cannot add a provider in position \\d+ after removing the ones in previous positions"), + // Test update provider list with empty, the empty is NOT the last one in base profile + Arguments.of("Test-Profile.Updated_4", + System.getProperty("test.src") + "/provider-java.security", + "Cannot specify an empty provider in position \\d+ when non-empty ones are specified after it"), + // Test base profile - one of the provider in list empty + Arguments.of("Test-Profile.BaseOneProviderEmpty", + System.getProperty("test.src") + "/provider-java.security", + "Cannot specify an empty provider in position \\d+. Nothing specified before"), + // Test extended profile - one of the provider in list empty + Arguments.of("Test-Profile.ExtendedOneProviderEmpty", + System.getProperty("test.src") + "/provider-java.security", + "Cannot specify an empty provider in position \\d+. Nothing specified before"), + // Test base profile - no provider list + Arguments.of("Test-Profile.BaseNoProviderList", + System.getProperty("test.src") + "/provider-java.security", + "No providers are specified as part of the Restricted Security profile"), + // Test profile - provider must be specified using the fully-qualified class name + Arguments.of("Test-Profile.ProviderClassName", + System.getProperty("test.src") + "/provider-java.security", + "Provider must be specified using the fully-qualified class name"), + // Test profile - provider format is incorrect + Arguments.of("Test-Profile.ProviderFormat", + System.getProperty("test.src") + "/provider-java.security", + "Provider format is incorrect") + ); + } + + @ParameterizedTest + @MethodSource("patternMatches_expectedExitValue0") + public void shouldContain_expectedExitValue0(String customprofile, String securityPropertyFile, String expected) throws Exception { + OutputAnalyzer outputAnalyzer = ProcessTools.executeTestJava( + "-Dsemeru.fips=true", + "-Dsemeru.customprofile=" + customprofile, + "-Djava.security.properties=" + securityPropertyFile, + //"-Djava.security.debug=semerufips", + "TestProviders" + ); + outputAnalyzer.reportDiagnosticSummary(); + outputAnalyzer.shouldHaveExitValue(0).shouldMatch(expected); + } + + @ParameterizedTest + @MethodSource("patternMatches_expectedExitValue1") + public void shouldContain_expectedExitValue1(String customprofile, String securityPropertyFile, String expected) throws Exception { + OutputAnalyzer outputAnalyzer = ProcessTools.executeTestJava( + "-Dsemeru.fips=true", + "-Dsemeru.customprofile=" + customprofile, + "-Djava.security.properties=" + securityPropertyFile, + //"-Djava.security.debug=semerufips", + "TestProviders" + ); + outputAnalyzer.reportDiagnosticSummary(); + outputAnalyzer.shouldHaveExitValue(1).shouldMatch(expected); + } + + public static void main(String[] args) throws Exception { + try { + Provider p[] = Security.getProviders(); + for (int i = 0; i < p.length; i++) { + System.out.println("Provider Name: " + p[i].getName()); + System.out.println("Provider Version: " + p[i].getVersion()); + } + } catch (Exception e) { + System.out.println(e); + } + } +} diff --git a/closed/test/jdk/openj9/internal/security/property-java.security b/closed/test/jdk/openj9/internal/security/property-java.security new file mode 100644 index 00000000000..8fd3253ba38 --- /dev/null +++ b/closed/test/jdk/openj9/internal/security/property-java.security @@ -0,0 +1,508 @@ +RestrictedSecurity.TestBase.Version.desc.name = Test Base Profile +RestrictedSecurity.TestBase.Version.desc.default = false +RestrictedSecurity.TestBase.Version.desc.fips = true +RestrictedSecurity.TestBase.Version.desc.hash = SHA256:1d216c0b9032a83521c185273e753a960b8e1695bb06da0f193dffe0f6ed9898 +RestrictedSecurity.TestBase.Version.desc.number = Certificate #XXX +RestrictedSecurity.TestBase.Version.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.TestBase.Version.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.TestBase.Version.fips.mode = 140-3 + +RestrictedSecurity.TestBase.Version.tls.disabledNamedCurves = +RestrictedSecurity.TestBase.Version.tls.disabledAlgorithms = +RestrictedSecurity.TestBase.Version.tls.ephemeralDHKeySize = +RestrictedSecurity.TestBase.Version.tls.legacyAlgorithms = + +RestrictedSecurity.TestBase.Version.jce.certpath.disabledAlgorithms = +RestrictedSecurity.TestBase.Version.jce.legacyAlgorithms = +RestrictedSecurity.TestBase.Version.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.TestBase.Version.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.TestBase.Version.jce.provider.3 = sun.security.ssl.SunJSSE + +RestrictedSecurity.TestBase.Version.javax.net.ssl.keyStore = NONE +RestrictedSecurity.TestBase.Version.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.TestBase.Version.securerandom.algorithm = SHA512DRBG + +RestrictedSecurity.TestBase.Version-Extended.desc.name = Test Base Profile Extended +RestrictedSecurity.TestBase.Version-Extended.desc.default = true +RestrictedSecurity.TestBase.Version-Extended.extends = RestrictedSecurity.TestBase.Version +RestrictedSecurity.TestBase.Version-Extended.tls.disabledAlgorithms = + +RestrictedSecurity.TestBase.Version-Extended.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.TestBase.Version-Extended.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.TestBase.Version-Extended.jce.provider.3 = sun.security.rsa.SunRsaSign +RestrictedSecurity.TestBase.Version-Extended.jce.provider.4 = sun.security.ec.SunEC +RestrictedSecurity.TestBase.Version-Extended.jce.provider.5 = sun.security.ssl.SunJSSE +RestrictedSecurity.TestBase.Version-Extended.jce.provider.6 = com.sun.crypto.provider.SunJCE +RestrictedSecurity.TestBase.Version-Extended.jce.provider.7 = sun.security.jgss.SunProvider +RestrictedSecurity.TestBase.Version-Extended.jce.provider.8 = com.sun.security.sasl.Provider +RestrictedSecurity.TestBase.Version-Extended.jce.provider.9 = org.jcp.xml.dsig.internal.dom.XMLDSigRI +RestrictedSecurity.TestBase.Version-Extended.jce.provider.10 = sun.security.smartcardio.SunPCSC +RestrictedSecurity.TestBase.Version-Extended.jce.provider.11 = sun.security.provider.certpath.ldap.JdkLDAP +RestrictedSecurity.TestBase.Version-Extended.jce.provider.12 = com.sun.security.sasl.gsskerb.JdkSASL + +# +# Test-Profile.Base +# Test profile - base profile misspell properties +# +RestrictedSecurity.Test-Profile.Base.desc.name = Test-Profile.Base +RestrictedSecurity.Test-Profile.Base.desc.default = true +RestrictedSecurity.Test-Profile.Base.desc.fips = true +RestrictedSecurity.Test-Profile.Base.desc.hash = SHA256:4fab3014e91072587e76c6ebb393ceea710d76582069d46a70eab31c30f57e45 +RestrictedSecurity.Test-Profile.Base.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile.Base.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile.Base.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile.Base.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile.Base.tls.disabledAlgorithmsWrongTypo = + +RestrictedSecurity.Test-Profile.Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Base.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.Test-Profile.Base.jce.provider.3 = sun.security.ssl.SunJSSE + +RestrictedSecurity.Test-Profile.Base.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Base.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile.Extended_1 +# Test profile - extenstion profile misspell properties +# +RestrictedSecurity.Test-Profile.Extended_1.desc.nameWrongTypo = Test-Profile.Extended_1 +RestrictedSecurity.Test-Profile.Extended_1.desc.default = true +RestrictedSecurity.Test-Profile.Extended_1.extends = RestrictedSecurity.TestBase.Version +RestrictedSecurity.Test-Profile.Extended_1.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.Extended_1.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Extended_1.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.Test-Profile.Extended_1.jce.providerWrongTypo = sun.security.rsa.SunRsaSign +RestrictedSecurity.Test-Profile.Extended_1.jce.provider.4 = sun.security.ec.SunEC +RestrictedSecurity.Test-Profile.Extended_1.jce.provider.5 = sun.security.ssl.SunJSSE + +# +# Test-Profile.Extended_2 +# Test profile - extension profile from another extension profile misspell properties +# +RestrictedSecurity.Test-Profile.Extended_2.desc.name = Test-Profile.Extended_2 +RestrictedSecurity.Test-Profile.Extended_2.desc.default = false +RestrictedSecurity.Test-Profile.Extended_2.extends = RestrictedSecurity.TestBase.Version-Extended +RestrictedSecurity.Test-Profile.Extended_2.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.Extended_2.jce.providerWrongTypo = sun.security.pkcs11.SunPKCS11 + +# +# Test-Profile-NotExist.Base +# Test profile - profile not exist +# + +# +# Test-Profile-MultiDefault.Base +# Test profile - Multi Default Base profile +# +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.name = Test-Profile-MultiDefault.Base +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.default = true +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.fips = true +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.hash = SHA256:adf136024d9c047f3ffb1dac41e5f553eee5e7b6dec13bfc13b431a2a8a2525d +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-MultiDefault.Base.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-MultiDefault.Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-MultiDefault.Base.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.Test-Profile-MultiDefault.Base.jce.provider.3 = sun.security.ssl.SunJSSE + +RestrictedSecurity.Test-Profile-MultiDefault.Base.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-MultiDefault.Base.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-MultiDefault.Extension +# Test profile - Multi Default Extension profile +# +RestrictedSecurity.Test-Profile-MultiDefault.Extension.desc.name = Test-Profile-MultiDefault.Extension +RestrictedSecurity.Test-Profile-MultiDefault.Extension.desc.default = true +RestrictedSecurity.Test-Profile-MultiDefault.Extension.extends = RestrictedSecurity.Test-Profile-MultiDefault.Base +RestrictedSecurity.Test-Profile-MultiDefault.Extension.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile-MultiDefault.Extension.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +# +# Test-Profile-NoDefault +# Test profile - no default profile +# +RestrictedSecurity.Test-Profile-NoDefault.desc.name = Test-Profile-NoDefault +RestrictedSecurity.Test-Profile-NoDefault.desc.default = false +RestrictedSecurity.Test-Profile-NoDefault.extends = RestrictedSecurity.TestBase.Version +RestrictedSecurity.Test-Profile-NoDefault.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile-NoDefault.jce.providerWrongTypo.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +# +# Test-Profile.Extended_3 +# Test profile - base profile not exist +# +RestrictedSecurity.Test-Profile.Extended_3.desc.name = Test-Profile.Extended_3 +RestrictedSecurity.Test-Profile.Extended_3.desc.default = false +RestrictedSecurity.Test-Profile.Extended_3.extends = RestrictedSecurity.Test-Profile.BaseNotExist +RestrictedSecurity.Test-Profile.Extended_3.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.Extended_3.jce.providerWrongTypo.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +# +# Test-Profile.Extended_4 +# Test profile - base profile not full profile name +# +RestrictedSecurity.Test-Profile.Extended_4.desc.name = Test-Profile.Extended_4 +RestrictedSecurity.Test-Profile.Extended_4.desc.default = false +RestrictedSecurity.Test-Profile.Extended_4.extends = RestrictedSecurity.BaseNotFullProfileName +RestrictedSecurity.Test-Profile.Extended_4.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.Extended_4.jce.providerWrongTypo.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +# +# Test-Profile-BaseWithoutHash +# Test profile - base profile without hash value +# +RestrictedSecurity.Test-Profile-BaseWithoutHash.desc.name = Test-Profile-BaseWithoutHash +RestrictedSecurity.Test-Profile-BaseWithoutHash.desc.default = true +RestrictedSecurity.Test-Profile-BaseWithoutHash.desc.fips = true +RestrictedSecurity.Test-Profile-BaseWithoutHash.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-BaseWithoutHash.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-BaseWithoutHash.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-BaseWithoutHash.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-BaseWithoutHash.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +RestrictedSecurity.Test-Profile-BaseWithoutHash.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-BaseWithoutHash.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-Hash_1 +# Test profile - incorrect definition of hash value +# +RestrictedSecurity.Test-Profile-Hash_1.desc.name = Test-Profile-Hash_1 +RestrictedSecurity.Test-Profile-Hash_1.desc.default = true +RestrictedSecurity.Test-Profile-Hash_1.desc.fips = true +RestrictedSecurity.Test-Profile-Hash_1.desc.hash = SHA2564fab3014e91072587e76c6ebb393ceea710d76582069d46a70eab31c30f57e45 +RestrictedSecurity.Test-Profile-Hash_1.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-Hash_1.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-Hash_1.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-Hash_1.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-Hash_1.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +RestrictedSecurity.Test-Profile-Hash_1.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-Hash_1.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-Hash_2 +# Test profile - incorrect hash value +# +RestrictedSecurity.Test-Profile-Hash_2.desc.name = Test-Profile-Hash_2 +RestrictedSecurity.Test-Profile-Hash_2.desc.default = true +RestrictedSecurity.Test-Profile-Hash_2.desc.fips = true +RestrictedSecurity.Test-Profile-Hash_2.desc.hash = SHA256:4fab3014e91072587e76c6ebb393ceea710d76582069d46a70eab31c30f57e45 +RestrictedSecurity.Test-Profile-Hash_2.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-Hash_2.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-Hash_2.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-Hash_2.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-Hash_2.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +RestrictedSecurity.Test-Profile-Hash_2.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-Hash_2.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-SetProperty.Base +# Test profile set property base +# +RestrictedSecurity.Test-Profile-SetProperty.Base.desc.name = Test-Profile-SetProperty.Base +RestrictedSecurity.Test-Profile-SetProperty.Base.desc.default = false +RestrictedSecurity.Test-Profile-SetProperty.Base.desc.fips = true +RestrictedSecurity.Test-Profile-SetProperty.Base.desc.hash = SHA256:c6348b840ab42f891e3bde552b8d908be37571804750312aabe8f17e48830564 +RestrictedSecurity.Test-Profile-SetProperty.Base.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-SetProperty.Base.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-SetProperty.Base.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-SetProperty.Base.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-SetProperty.Base.tls.disabledAlgorithms = \ + 3DES_EDE_CBC, \ + TLSv1, \ + TLSv1.1, \ + X25519, \ + X448 +RestrictedSecurity.Test-Profile-SetProperty.Base.tls.ephemeralDHKeySize = + +RestrictedSecurity.Test-Profile-SetProperty.Base.jce.certpath.disabledAlgorithms = +RestrictedSecurity.Test-Profile-SetProperty.Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-SetProperty.Base.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.Test-Profile-SetProperty.Base.jce.provider.3 = sun.security.ssl.SunJSSE + +RestrictedSecurity.Test-Profile-SetProperty.Base.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-SetProperty.Base.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-SetProperty.Extension_1 +# Test property - property not appendable +# +RestrictedSecurity.Test-Profile-SetProperty.Extension_1.desc.name = Test-Profile-SetProperty.Extension_1 +RestrictedSecurity.Test-Profile-SetProperty.Extension_1.desc.default = true +RestrictedSecurity.Test-Profile-SetProperty.Extension_1.extends = RestrictedSecurity.Test-Profile-SetProperty.Base +RestrictedSecurity.Test-Profile-SetProperty.Extension_1.securerandom.provider = + Sun + +RestrictedSecurity.Test-Profile-SetProperty.Extension_1.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +# +# Test-Profile-SetProperty.Extension_2 +# Test property - property does not exist in parent profile, cannot append +# +RestrictedSecurity.Test-Profile-SetProperty.Extension_2.desc.name = Test-Profile-SetProperty.Extension_2 +RestrictedSecurity.Test-Profile-SetProperty.Extension_2.desc.default = true +RestrictedSecurity.Test-Profile-SetProperty.Extension_2.extends = RestrictedSecurity.Test-Profile-SetProperty.Base +RestrictedSecurity.Test-Profile-SetProperty.Extension_2.tls.disabledNamedCurves = + TestNamedCurves + +RestrictedSecurity.Test-Profile-SetProperty.Extension_2.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +# +# Test-Profile-SetProperty.Extension_3 +# Test property - property value is not in existing values +# +RestrictedSecurity.Test-Profile-SetProperty.Extension_3.desc.name = Test-Profile-SetProperty.Extension_3 +RestrictedSecurity.Test-Profile-SetProperty.Extension_3.desc.default = true +RestrictedSecurity.Test-Profile-SetProperty.Extension_3.extends = RestrictedSecurity.Test-Profile-SetProperty.Base +RestrictedSecurity.Test-Profile-SetProperty.Extension_3.tls.disabledAlgorithms = - TestDisabledlgorithms + +RestrictedSecurity.Test-Profile-SetProperty.Extension_3.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +# +# Test-Profile-PolicySunset.Base +# Test property - policy sunset +# +RestrictedSecurity.Test-Profile-PolicySunset.Base.desc.name = Test-Profile-PolicySunset.Base +RestrictedSecurity.Test-Profile-PolicySunset.Base.desc.default = true +RestrictedSecurity.Test-Profile-PolicySunset.Base.desc.fips = true +RestrictedSecurity.Test-Profile-PolicySunset.Base.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile-PolicySunset.Base.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-PolicySunset.Base.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-PolicySunset.Base.desc.sunsetDate = 2023-09-21 +RestrictedSecurity.Test-Profile-PolicySunset.Base.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-PolicySunset.Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +RestrictedSecurity.Test-Profile-PolicySunset.Base.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-PolicySunset.Base.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-PolicySunsetFormat.Base +# Test property - policy sunset format +# +RestrictedSecurity.Test-Profile-PolicySunsetFormat.Base.desc.name = Test-Profile-PolicySunsetFormat.Base +RestrictedSecurity.Test-Profile-PolicySunsetFormat.Base.desc.default = true +RestrictedSecurity.Test-Profile-PolicySunsetFormat.Base.desc.fips = true +RestrictedSecurity.Test-Profile-PolicySunsetFormat.Base.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile-PolicySunsetFormat.Base.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-PolicySunsetFormat.Base.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-PolicySunsetFormat.Base.desc.sunsetDate = 09-21-2024 +RestrictedSecurity.Test-Profile-PolicySunsetFormat.Base.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-PolicySunsetFormat.Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +RestrictedSecurity.Test-Profile-PolicySunsetFormat.Base.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-PolicySunsetFormat.Base.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-SecureRandomCheck_1 +# Test property - secure random check +# +RestrictedSecurity.Test-Profile-SecureRandomCheck_1.desc.name = Test-Profile-SecureRandomCheck_1 +RestrictedSecurity.Test-Profile-SecureRandomCheck_1.desc.default = true +RestrictedSecurity.Test-Profile-SecureRandomCheck_1.desc.fips = true +RestrictedSecurity.Test-Profile-SecureRandomCheck_1.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile-SecureRandomCheck_1.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-SecureRandomCheck_1.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-SecureRandomCheck_1.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-SecureRandomCheck_1.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-SecureRandomCheck_1.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +RestrictedSecurity.Test-Profile-SecureRandomCheck_1.securerandom.provider = +RestrictedSecurity.Test-Profile-SecureRandomCheck_1.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-SecureRandomCheck_2 +# Test property - secure random check +# +RestrictedSecurity.Test-Profile-SecureRandomCheck_2.desc.name = Test-Profile-SecureRandomCheck_2 +RestrictedSecurity.Test-Profile-SecureRandomCheck_2.desc.default = true +RestrictedSecurity.Test-Profile-SecureRandomCheck_2.desc.fips = true +RestrictedSecurity.Test-Profile-SecureRandomCheck_2.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile-SecureRandomCheck_2.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-SecureRandomCheck_2.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-SecureRandomCheck_2.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-SecureRandomCheck_2.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-SecureRandomCheck_2.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +RestrictedSecurity.Test-Profile-SecureRandomCheck_2.securerandom.provider = OpenJCEPlusFIPS + +# +# Test-Profile-Constraint_1 +# Test constraint - constraint check 1 +# +RestrictedSecurity.Test-Profile-Constraint_1.desc.name = Test-Profile-Constraint_1 +RestrictedSecurity.Test-Profile-Constraint_1.desc.default = true +RestrictedSecurity.Test-Profile-Constraint_1.desc.fips = true +RestrictedSecurity.Test-Profile-Constraint_1.desc.hash = SHA256:76dacdfdc5b5811d9b45e72b5b154de6419616556f8f7479819971bba89c41bb +RestrictedSecurity.Test-Profile-Constraint_1.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-Constraint_1.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-Constraint_1.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-Constraint_1.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-Constraint_1.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS \ + {AlgorithmParameterGenerator, AESGCM, *}, \ + {AlgorithmParameterGenerator, CCM, *}] + +RestrictedSecurity.Test-Profile-Constraint_1.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-Constraint_1.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-Constraint_2 +# Test constraint - constraint check 2 +# +RestrictedSecurity.Test-Profile-Constraint_2.desc.name = Test-Profile-Constraint_2 +RestrictedSecurity.Test-Profile-Constraint_2.desc.default = true +RestrictedSecurity.Test-Profile-Constraint_2.desc.fips = true +RestrictedSecurity.Test-Profile-Constraint_2.desc.hash = SHA256:76dacdfdc5b5811d9b45e72b5b154de6419616556f8f7479819971bba89c41bb +RestrictedSecurity.Test-Profile-Constraint_2.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-Constraint_2.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-Constraint_2.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-Constraint_2.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-Constraint_2.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [ \ + {AlgorithmParameterGenerator, AESGCM, *} \ + {AlgorithmParameterGenerator, CCM, *}] + +RestrictedSecurity.Test-Profile-Constraint_2.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-Constraint_2.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-Constraint_3 +# Test constraint - constraint check 3 +# +RestrictedSecurity.Test-Profile-Constraint_3.desc.name = Test-Profile-Constraint_3 +RestrictedSecurity.Test-Profile-Constraint_3.desc.default = true +RestrictedSecurity.Test-Profile-Constraint_3.desc.fips = true +RestrictedSecurity.Test-Profile-Constraint_3.desc.hash = SHA256:76dacdfdc5b5811d9b45e72b5b154de6419616556f8f7479819971bba89c41bb +RestrictedSecurity.Test-Profile-Constraint_3.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-Constraint_3.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-Constraint_3.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-Constraint_3.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-Constraint_3.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [ {} ] + +RestrictedSecurity.Test-Profile-Constraint_3.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-Constraint_3.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-Constraint_Attributes +# Test constraint - constraint attributes check +# +RestrictedSecurity.Test-Profile-Constraint_Attributes.desc.name = Test-Profile-Constraint_Attributes +RestrictedSecurity.Test-Profile-Constraint_Attributes.desc.default = true +RestrictedSecurity.Test-Profile-Constraint_Attributes.desc.fips = true +RestrictedSecurity.Test-Profile-Constraint_Attributes.desc.hash = SHA256:76dacdfdc5b5811d9b45e72b5b154de6419616556f8f7479819971bba89c41bb +RestrictedSecurity.Test-Profile-Constraint_Attributes.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-Constraint_Attributes.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-Constraint_Attributes.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-Constraint_Attributes.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-Constraint_Attributes.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-Constraint_Attributes.jce.provider.2 = sun.security.provider.Sun [ \ + {CertificateFactory, X.509, ImplementedInSoftware}] + +RestrictedSecurity.Test-Profile-Constraint_Attributes.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-Constraint_Attributes.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-ConstraintChanged_1.Base +# Test constraint - constraint changed 1 base +# +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base.desc.name = Test-Profile-ConstraintChanged_1.Base +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base.desc.default = false +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base.desc.fips = true +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [ \ + {AlgorithmParameterGenerator, AESGCM, *}, \ + {AlgorithmParameterGenerator, CCM, *}] +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base.jce.provider.2 = sun.security.provider.Sun [ \ + {CertificateFactory, X.509, ImplementedIn=Software}] + +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-ConstraintChanged_1.Extension +# Test constraint - constraint changed 1 extension +# +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Extension.desc.name = Test-Profile-ConstraintChanged_1.Extension +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Extension.desc.default = true +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Extension.extends = RestrictedSecurity.Test-Profile-ConstraintChanged_1.Base + +RestrictedSecurity.Test-Profile-ConstraintChanged_1.Extension.jce.provider.1 = sun.security.provider.Sun [ + \ + {CertificateFactory, X.509, ImplementedIn=Software}] + +# +# Test-Profile-ConstraintChanged_2.Base +# Test constraint - constraint changed 2 base +# +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base.desc.name = Test-Profile-ConstraintChanged_2.Base +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base.desc.default = false +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base.desc.fips = true +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [ \ + {AlgorithmParameterGenerator, AESGCM, *}, \ + {AlgorithmParameterGenerator, CCM, *}] +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base.jce.provider.2 = sun.security.provider.Sun [ \ + {CertificateFactory, X.509, ImplementedIn=Software}] + +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-ConstraintChanged_2.Extension +# Test constraint - constraint changed 2 extension +# +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Extension.desc.name = Test-Profile-ConstraintChanged_2.Extension +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Extension.desc.default = true +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Extension.extends = RestrictedSecurity.Test-Profile-ConstraintChanged_2.Base + +RestrictedSecurity.Test-Profile-ConstraintChanged_2.Extension.jce.provider.2 = sun.security.provider.Sun [ - \ + {CertStore, Collection, ImplementedIn=Software}] + +# +# Test-Profile-ConstraintChanged_3.Base +# Test constraint - constraint changed 3 base +# +RestrictedSecurity.Test-Profile-ConstraintChanged_3.Base.desc.name = Test-Profile-ConstraintChanged_3.Base +RestrictedSecurity.Test-Profile-ConstraintChanged_3.Base.desc.default = true +RestrictedSecurity.Test-Profile-ConstraintChanged_3.Base.desc.fips = true +RestrictedSecurity.Test-Profile-ConstraintChanged_3.Base.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile-ConstraintChanged_3.Base.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-ConstraintChanged_3.Base.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-ConstraintChanged_3.Base.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-ConstraintChanged_3.Base.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-ConstraintChanged_3.Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [ + \ + {AlgorithmParameterGenerator, AESGCM, *} \ + {AlgorithmParameterGenerator, CCM, *}] + +RestrictedSecurity.Test-Profile-ConstraintChanged_3.Base.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-ConstraintChanged_3.Base.securerandom.algorithm = SHA512DRBG diff --git a/closed/test/jdk/openj9/internal/security/provider-java.security b/closed/test/jdk/openj9/internal/security/provider-java.security new file mode 100644 index 00000000000..b06a3df02dc --- /dev/null +++ b/closed/test/jdk/openj9/internal/security/provider-java.security @@ -0,0 +1,196 @@ +RestrictedSecurity.TestBase.Version.desc.name = Test Base Profile +RestrictedSecurity.TestBase.Version.desc.default = false +RestrictedSecurity.TestBase.Version.desc.fips = true +RestrictedSecurity.TestBase.Version.desc.hash = SHA256:1d216c0b9032a83521c185273e753a960b8e1695bb06da0f193dffe0f6ed9898 +RestrictedSecurity.TestBase.Version.desc.number = Certificate #XXX +RestrictedSecurity.TestBase.Version.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.TestBase.Version.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.TestBase.Version.fips.mode = 140-3 + +RestrictedSecurity.TestBase.Version.tls.disabledNamedCurves = +RestrictedSecurity.TestBase.Version.tls.disabledAlgorithms = +RestrictedSecurity.TestBase.Version.tls.ephemeralDHKeySize = +RestrictedSecurity.TestBase.Version.tls.legacyAlgorithms = + +RestrictedSecurity.TestBase.Version.jce.certpath.disabledAlgorithms = +RestrictedSecurity.TestBase.Version.jce.legacyAlgorithms = +RestrictedSecurity.TestBase.Version.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.TestBase.Version.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.TestBase.Version.jce.provider.3 = sun.security.ssl.SunJSSE + +RestrictedSecurity.TestBase.Version.javax.net.ssl.keyStore = NONE +RestrictedSecurity.TestBase.Version.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.TestBase.Version.securerandom.algorithm = SHA512DRBG + +RestrictedSecurity.TestBase.Version-Extended.desc.name = Test Base Profile Extended +RestrictedSecurity.TestBase.Version-Extended.desc.default = true +RestrictedSecurity.TestBase.Version-Extended.extends = RestrictedSecurity.TestBase.Version +RestrictedSecurity.TestBase.Version-Extended.tls.disabledAlgorithms = + +RestrictedSecurity.TestBase.Version-Extended.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.TestBase.Version-Extended.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.TestBase.Version-Extended.jce.provider.3 = sun.security.rsa.SunRsaSign +RestrictedSecurity.TestBase.Version-Extended.jce.provider.4 = sun.security.ec.SunEC +RestrictedSecurity.TestBase.Version-Extended.jce.provider.5 = sun.security.ssl.SunJSSE +RestrictedSecurity.TestBase.Version-Extended.jce.provider.6 = com.sun.crypto.provider.SunJCE +RestrictedSecurity.TestBase.Version-Extended.jce.provider.7 = sun.security.jgss.SunProvider +RestrictedSecurity.TestBase.Version-Extended.jce.provider.8 = com.sun.security.sasl.Provider +RestrictedSecurity.TestBase.Version-Extended.jce.provider.9 = org.jcp.xml.dsig.internal.dom.XMLDSigRI +RestrictedSecurity.TestBase.Version-Extended.jce.provider.10 = sun.security.smartcardio.SunPCSC +RestrictedSecurity.TestBase.Version-Extended.jce.provider.11 = sun.security.provider.certpath.ldap.JdkLDAP +RestrictedSecurity.TestBase.Version-Extended.jce.provider.12 = com.sun.security.sasl.gsskerb.JdkSASL + +# +# Test-Profile.Updated_1 +# Test update provider list with value +# +RestrictedSecurity.Test-Profile.Updated_1.desc.name = Test Updated Profile 1 +RestrictedSecurity.Test-Profile.Updated_1.desc.default = true +RestrictedSecurity.Test-Profile.Updated_1.extends = RestrictedSecurity.TestBase.Version +RestrictedSecurity.Test-Profile.Updated_1.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.Updated_1.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Updated_1.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.Test-Profile.Updated_1.jce.provider.3 = com.sun.security.sasl.Provider + +# +# Test-Profile.Updated_2 +# Test update provider list with null +# +RestrictedSecurity.Test-Profile.Updated_2.desc.name = Test Updated Profile 2 +RestrictedSecurity.Test-Profile.Updated_2.desc.default = true +RestrictedSecurity.Test-Profile.Updated_2.extends = RestrictedSecurity.TestBase.Version +RestrictedSecurity.Test-Profile.Updated_2.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.Updated_2.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Updated_2.jce.provider.3 = sun.security.ssl.SunJSSE + +# +# Test-Profile.Updated_3 +# Test update provider list with empty, the empty is the last one in base profile +# +RestrictedSecurity.Test-Profile.Updated_3.desc.name = Test Updated Profile 3 +RestrictedSecurity.Test-Profile.Updated_3.desc.default = true +RestrictedSecurity.Test-Profile.Updated_3.extends = RestrictedSecurity.TestBase.Version +RestrictedSecurity.Test-Profile.Updated_3.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.Updated_3.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Updated_3.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.Test-Profile.Updated_3.jce.provider.3 = +RestrictedSecurity.Test-Profile.Updated_3.jce.provider.4 = sun.security.ec.SunEC +RestrictedSecurity.Test-Profile.Updated_3.jce.provider.5 = sun.security.ssl.SunJSSE + +# +# Test-Profile.Updated_4 +# Test update provider list with empty, the empty is NOT the last one in base profile +# +RestrictedSecurity.Test-Profile.Updated_4.desc.name = Test Updated Profile 3 +RestrictedSecurity.Test-Profile.Updated_4.desc.default = true +RestrictedSecurity.Test-Profile.Updated_4.extends = RestrictedSecurity.TestBase.Version +RestrictedSecurity.Test-Profile.Updated_4.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.Updated_4.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Updated_4.jce.provider.2 = +RestrictedSecurity.Test-Profile.Updated_4.jce.provider.3 = sun.security.ec.SunEC +RestrictedSecurity.Test-Profile.Updated_4.jce.provider.4 = sun.security.ssl.SunJSSE + +# +# Test-Profile.Base +# Test base profile - provider order numbers are not consecutive +# +RestrictedSecurity.Test-Profile.Base.desc.name = Test Base Profile +RestrictedSecurity.Test-Profile.Base.desc.default = true +RestrictedSecurity.Test-Profile.Base.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.Base.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Base.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.Test-Profile.Base.jce.provider.4 = sun.security.ssl.SunJSSE + +# +# Test-Profile.Extended_1 +# Test extended profile, provider order numbers are not consecutive +# +RestrictedSecurity.Test-Profile.Extended_1.desc.name = Test Extended_1 +RestrictedSecurity.Test-Profile.Extended_1.desc.default = true +RestrictedSecurity.Test-Profile.Extended_1.extends = RestrictedSecurity.TestBase.Version +RestrictedSecurity.Test-Profile.Extended_1.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.Extended_1.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Extended_1.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.Test-Profile.Extended_1.jce.provider.3 = sun.security.rsa.SunRsaSign +RestrictedSecurity.Test-Profile.Extended_1.jce.provider.5 = sun.security.ssl.SunJSSE + +# +# Test-Profile.Extended_2 +# Test extended profile from another extended profile, provider order numbers are not consecutive +# +RestrictedSecurity.Test-Profile.Extended_2.desc.name = Test Extended_2 +RestrictedSecurity.Test-Profile.Extended_2.desc.default = false +RestrictedSecurity.Test-Profile.Extended_2.extends = RestrictedSecurity.TestBase.Version-Extended +RestrictedSecurity.Test-Profile.Extended_2.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.Extended_2.jce.provider.14 = sun.security.pkcs11.SunPKCS11 + +# +# Test-Profile.BaseOneProviderEmpty +# Test base profile - one of the provider in list empty +# +RestrictedSecurity.Test-Profile.BaseOneProviderEmpty.desc.name = Test Base One Provider Empty +RestrictedSecurity.Test-Profile.BaseOneProviderEmpty.desc.default = true +RestrictedSecurity.Test-Profile.BaseOneProviderEmpty.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.BaseOneProviderEmpty.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.BaseOneProviderEmpty.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.BaseOneProviderEmpty.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.Test-Profile.BaseOneProviderEmpty.jce.provider.3 = +RestrictedSecurity.Test-Profile.BaseOneProviderEmpty.jce.provider.4 = sun.security.ssl.SunJSSE + +# +# Test-Profile.ExtendedOneProviderEmpty +# Test extended profile - one of the provider in list empty +# +RestrictedSecurity.Test-Profile.ExtendedOneProviderEmpty.desc.name = Test Extended One Provider Empty +RestrictedSecurity.Test-Profile.ExtendedOneProviderEmpty.desc.default = true +RestrictedSecurity.Test-Profile.ExtendedOneProviderEmpty.extends = RestrictedSecurity.TestBase.Version +RestrictedSecurity.Test-Profile.ExtendedOneProviderEmpty.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.ExtendedOneProviderEmpty.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.ExtendedOneProviderEmpty.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.Test-Profile.ExtendedOneProviderEmpty.jce.provider.3 = sun.security.ssl.SunJSSE +RestrictedSecurity.Test-Profile.ExtendedOneProviderEmpty.jce.provider.4 = sun.security.ec.SunEC +RestrictedSecurity.Test-Profile.ExtendedOneProviderEmpty.jce.provider.5 = +RestrictedSecurity.Test-Profile.ExtendedOneProviderEmpty.jce.provider.6 = com.sun.crypto.provider.SunJCE + +# +# Test-Profile.BaseNoProviderList +# Test base profile - no provider list +# +RestrictedSecurity.Test-Profile.BaseNoProviderList.desc.name = Test Base Profile +RestrictedSecurity.Test-Profile.BaseNoProviderList.desc.default = true +RestrictedSecurity.Test-Profile.BaseNoProviderList.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.BaseNoProviderList.tls.disabledAlgorithms = + +# +# Test-Profile.ProviderClassName +# Test profile - provider must be specified using the fully-qualified class name +# +RestrictedSecurity.Test-Profile.ProviderClassName.desc.name = Test Provider Class Name +RestrictedSecurity.Test-Profile.ProviderClassName.desc.default = true +RestrictedSecurity.Test-Profile.ProviderClassName.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.ProviderClassName.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.ProviderClassName.jce.provider.1 = OpenJCEPlusFIPS + +# +# Test-Profile.ProviderFormat +# Test profile - provider format is incorrect +# +RestrictedSecurity.Test-Profile.ProviderFormat.desc.name = Test Provider Format +RestrictedSecurity.Test-Profile.ProviderFormat.desc.default = true +RestrictedSecurity.Test-Profile.ProviderFormat.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.ProviderFormat.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile.ProviderFormat.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [ \ + {AlgorithmParameterGenerator, AESGCM, *), \ + {Signature, SHA512withRSA, *}]