diff --git a/closed/test/jdk/openj9/internal/security/TestProperties.java b/closed/test/jdk/openj9/internal/security/TestProperties.java
index d805601613f..0da887830c4 100644
--- a/closed/test/jdk/openj9/internal/security/TestProperties.java
+++ b/closed/test/jdk/openj9/internal/security/TestProperties.java
@@ -54,71 +54,112 @@ public class TestProperties { private static Stream patternMatches_expectedExitValue1() { return Stream.of( - // Test base profile - misspell properties - Arguments.of("Test-Profile.Base", + // // Test profile - base profile misspell properties + // Arguments.of("Test-Profile.Base", + // System.getProperty("test.src") + "/property-java.security", + // " The property names: RestrictedSecurity.Test-Profile.Base.tls.disabledAlgorithmsWrongTypo " + + // "in profile RestrictedSecurity.Test-Profile.Base \\(or a base profile\\) are not recognized"), + // // Test profile - extenstion profile misspell properties + // Arguments.of("Test-Profile.Extended_1", + // System.getProperty("test.src") + "/property-java.security", + // "The property names: RestrictedSecurity.Test-Profile.Extended_1.desc.nameWrongTypo, " + + // "RestrictedSecurity.Test-Profile.Extended_1.jce.providerWrongTypo in profile " + + // "RestrictedSecurity.Test-Profile.Extended_1 \\(or a base profile\\) are not recognized"), + // // Test profile - extension profile from another extension profile misspell properties + // Arguments.of("Test-Profile.Extended_2", + // System.getProperty("test.src") + "/property-java.security", + // "The property names: RestrictedSecurity.Test-Profile.Extended_2.jce.providerWrongTypo " + + // "in profile RestrictedSecurity.Test-Profile.Extended_2 \\(or a base profile\\) are not recognized"), + // // Test profile - profile not exist + // Arguments.of("Test-Profile.NotExist", + // System.getProperty("test.src") + "/property-java.security", + // "Test-Profile.NotExist is not present in the java.security file."), + // Test profile - Multi Default profile + Arguments.of("Test-Profile-MultiDefault.Extension", System.getProperty("test.src") + "/property-java.security", - " The property names: RestrictedSecurity.Test-Profile.Base.tls.disabledAlgorithmsWrongTypo " + - "in profile RestrictedSecurity.Test-Profile.Base \\(or a base profile\\) are not recognized"), - // 
Test extended profile - misspell properties - Arguments.of("Test-Profile.Extended_1", - System.getProperty("test.src") + "/property-java.security", - "The property names: RestrictedSecurity.Test-Profile.Extended_1.desc.nameWrongTypo, " + - "RestrictedSecurity.Test-Profile.Extended_1.jce.providerWrongTypo.3 in profile " + - "RestrictedSecurity.Test-Profile.Extended_1 \\(or a base profile\\) are not recognized"), - // Test extended profile from another extended profile - misspell properties - Arguments.of("Test-Profile.Extended_2", - System.getProperty("test.src") + "/property-java.security", - "The property names: RestrictedSecurity.Test-Profile.Extended_2.jce.providerWrongTypo.13 " + - "in profile RestrictedSecurity.Test-Profile.Extended_2 \\(or a base profile\\) are not recognized"), - // Test profile - profile not exist - Arguments.of("Test-Profile.NotExist", - System.getProperty("test.src") + "/property-java.security", - "Test-Profile.NotExist is not present in the java.security file."), - // Test profile - multi default profile - Arguments.of("Test-Profile.MultiDefault", - System.getProperty("test.src") + "/property-java.security", - "Multiple default RestrictedSecurity profiles for Test-Profile.MultiDefault"), - // Test profile - no default profile - Arguments.of("Test-Profile.NoDefault", - System.getProperty("test.src") + "/property-java.security", - "No default RestrictedSecurity profile was found for Test-Profile.NoDefault"), - // Test extended profile - base profile not exist - Arguments.of("Test-Profile.Extended_3", - System.getProperty("test.src") + "/property-java.security", - "Test-Profile.Extended_3 that is supposed to extend Test-Profile.BaseNotExist is not present " + - "in the java.security file or any appended files"), - // Test extended profile - base profile not full profile name - Arguments.of("Test-Profile.Extended_4", - System.getProperty("test.src") + "/property-java.security", - "Test-Profile.Extended_4 that is supposed to extend 
BaseNotFullProfileName is not a full profile name"), - // Test profile - base profile without hash value - Arguments.of("Test-Profile.BaseWithoutHash", - System.getProperty("test.src") + "/property-java.security", - "Test-Profile.BaseWithoutHash is a base profile, so a hash value is mandatory"), - // Test profile - incorrect definition of hash value - Arguments.of("Test-Profile.Hash_1", - System.getProperty("test.src") + "/property-java.security", - "Incorrect definition of hash value for Test-Profile.Hash_1"), - // Test profile - incorrect hash value - Arguments.of("Test-Profile.Hash_2", - System.getProperty("test.src") + "/property-java.security", - "Hex produced from profile is not the same is a base profile, so a hash value is mandatory"), - // Test property not appendable - Arguments.of("Test-Profile.SetProperty_1", - System.getProperty("test.src") + "/property-java.security", - "Property jdkSecureRandomProvider is not appendable"), - // Test property does not exist in parent profile, cannot append - Arguments.of("Test-Profile.SetProperty_2", - System.getProperty("test.src") + "/property-java.security", - "Property jdkTlsDisabledNamedCurves does not exist in parent profile. Cannot append"), - // Test property does not exist in parent profile, cannot remove - Arguments.of("Test-Profile.SetProperty_3", - System.getProperty("test.src") + "/property-java.security", - "Property jdkTlsLegacyAlgorithms does not exist in parent profile. 
Cannot remove"), - // Test property value is not in existing values - Arguments.of("Test-Profile.SetProperty_4", - System.getProperty("test.src") + "/property-java.security", - "Value TestDisabledlgorithms is not in existing values") + "Multiple default RestrictedSecurity profiles for Test-Profile-MultiDefault.Extension") + // // Test profile - no default profile + // Arguments.of("Test-Profile.NoDefault", + // System.getProperty("test.src") + "/property-java.security", + // "No default RestrictedSecurity profile was found for Test-Profile.NoDefault"), + // // Test extended profile - base profile not exist + // Arguments.of("Test-Profile.Extended_3", + // System.getProperty("test.src") + "/property-java.security", + // "Test-Profile.Extended_3 that is supposed to extend Test-Profile.BaseNotExist is not present " + + // "in the java.security file or any appended files"), + // // Test extended profile - base profile not full profile name + // Arguments.of("Test-Profile.Extended_4", + // System.getProperty("test.src") + "/property-java.security", + // "Test-Profile.Extended_4 that is supposed to extend BaseNotFullProfileName is not a full profile name"), + // // Test profile - base profile without hash value + // Arguments.of("Test-Profile.BaseWithoutHash", + // System.getProperty("test.src") + "/property-java.security", + // "Test-Profile.BaseWithoutHash is a base profile, so a hash value is mandatory"), + // // Test profile - incorrect definition of hash value + // Arguments.of("Test-Profile.Hash_1", + // System.getProperty("test.src") + "/property-java.security", + // "Incorrect definition of hash value for Test-Profile.Hash_1"), + // // Test profile - incorrect hash value + // Arguments.of("Test-Profile.Hash_2", + // System.getProperty("test.src") + "/property-java.security", + // "Hex produced from profile is not the same is a base profile, so a hash value is mandatory"), + // // Test property not appendable + // Arguments.of("Test-Profile.SetProperty_1", + // 
System.getProperty("test.src") + "/property-java.security", + // "Property jdkSecureRandomProvider is not appendable"), + // // Test property does not exist in parent profile, cannot append + // Arguments.of("Test-Profile.SetProperty_2", + // System.getProperty("test.src") + "/property-java.security", + // "Property jdkTlsDisabledNamedCurves does not exist in parent profile. Cannot append"), + // // Test property does not exist in parent profile, cannot remove + // Arguments.of("Test-Profile.SetProperty_3", + // System.getProperty("test.src") + "/property-java.security", + // "Property jdkTlsLegacyAlgorithms does not exist in parent profile. Cannot remove"), + // // Test property value is not in existing values + // Arguments.of("Test-Profile.SetProperty_4", + // System.getProperty("test.src") + "/property-java.security", + // "Value TestDisabledlgorithms is not in existing values"), + // // Test profile - policy sunset + // Arguments.of("Test-Profile.PolicySunset", + // System.getProperty("test.src") + "/property-java.security", + // "Restricted security policy expired"), + // // Test profile - policy sunset format + // Arguments.of("Test-Profile.PolicySunsetFormat", + // System.getProperty("test.src") + "/property-java.security", + // "Restricted security policy sunset date is incorrect, the correct format is yyyy-MM-dd"), + // // Test profile - secure random check + // Arguments.of("Test-Profile.SecureRandomCheck", + // System.getProperty("test.src") + "/property-java.security", + // "Restricted security mode secure random is missing"), + // // Test profile - constraint check 1 + // Arguments.of("Test-Profile.Constraint_1", + // System.getProperty("test.src") + "/property-java.security", + // "Incorrect constraint definition for provider"), + // // Test profile - constraint check 2 + // Arguments.of("Test-Profile.Constraint_2", + // System.getProperty("test.src") + "/property-java.security", + // "Incorrect constraint definition for provider"), + // // Test 
profile - constraint check 3 + // Arguments.of("Test-Profile.Constraint_3", + // System.getProperty("test.src") + "/property-java.security", + // "Incorrect constraint definition for provider"), + // // Test profile - constraint attributes check + // Arguments.of("Test-Profile.Constraint_Attributes", + // System.getProperty("test.src") + "/property-java.security", + // "Constraint attributes format is incorrect"), + // // Test profile - Constraint Changed 1 + // Arguments.of("Test-Profile.ConstraintChanged_1_Extension", + // System.getProperty("test.src") + "/property-java.security", + // "Cannot append or remove constraints since the provider (.*?) " + + // "wasn't in this position in the profile extended"), + // // Test profile - Constraint Changed 2 + // Arguments.of("Test-Profile.ConstraintChanged_2_Extension", + // System.getProperty("test.src") + "/property-java.security", + // "Constraint (.*?) is not part of existing constraints"), + // // Test profile - Constraint Changed 3 + // Arguments.of("Test-Profile.ConstraintChanged_3_Base", + // System.getProperty("test.src") + "/property-java.security", + // "You cannot add or remove to provider (.*?). This is the base profile.") ); } diff --git a/closed/test/jdk/openj9/internal/security/property-java.security b/closed/test/jdk/openj9/internal/security/property-java.security index 09cffc70934..1ffb7d5c380 100644 --- a/closed/test/jdk/openj9/internal/security/property-java.security +++ b/closed/test/jdk/openj9/internal/security/property-java.security 
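Review bot: Every case in `patternMatches_expectedExitValue1()` except `Test-Profile-MultiDefault.Extension` is commented out on the new side, so the negative paths for misspelled properties, missing or incorrect profile hashes, non-appendable properties, policy sunset, the secure-random check and the constraint checks are no longer run by this provider. If the cases were disabled to isolate one scenario while debugging, they should go back in as live `Arguments.of(...)` entries before this lands; any that cannot pass yet are better kept out with an explanatory line such as `// TODO(<issue-id placeholder>): re-enable once <reason>` than as unexplained commented code. The comment `extenstion profile` is also misspelled. If the third argument is used as a regular expression, as the method name suggests, the `.` in `"... (.*?). This is the base profile."` and in the active `Test-Profile-MultiDefault.Extension` pattern should be written `\\.` to match the escaping already used in `\\(or a base profile\\)`.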
@@ -1,87 +1,3 @@ -# -# List of providers and their preference orders (see above): -# -security.provider.1=SUN -security.provider.2=SunRsaSign -security.provider.3=SunEC -security.provider.4=SunJSSE -security.provider.5=SunJCE -security.provider.6=SunJGSS -security.provider.7=SunSASL -security.provider.8=XMLDSig -security.provider.9=SunPCSC -security.provider.10=JdkLDAP -security.provider.11=JdkSASL -security.provider.12=SunPKCS11 - -# -# Java Restricted Security Mode -# -RestrictedSecurity.NSS.140-2.desc.name = Red Hat Enterprise Linux 8 NSS Cryptographic Module FIPS 140-2 -RestrictedSecurity.NSS.140-2.desc.default = true -RestrictedSecurity.NSS.140-2.desc.fips = true -RestrictedSecurity.NSS.140-2.desc.number = Certificate #4413 -RestrictedSecurity.NSS.140-2.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4413 -RestrictedSecurity.NSS.140-2.desc.sunsetDate = 2026-09-21 -RestrictedSecurity.NSS.140-2.fips.mode = 140-2 - -RestrictedSecurity.NSS.140-2.tls.disabledNamedCurves = -RestrictedSecurity.NSS.140-2.tls.disabledAlgorithms = \ - SSLv3, \ - TLS_AES_128_GCM_SHA256, \ - TLS_AES_256_GCM_SHA384, \ - TLS_CHACHA20_POLY1305_SHA256, \ - TLS_DHE_DSS_WITH_AES_128_CBC_SHA, \ - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, \ - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, \ - TLS_DHE_DSS_WITH_AES_256_CBC_SHA, \ - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, \ - TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, \ - TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \ - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \ - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \ - TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \ - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \ - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \ - TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, \ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, \ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, \ - TLS_EMPTY_RENEGOTIATION_INFO_SCSV, \ - TLS_RSA_WITH_AES_128_CBC_SHA, \ - TLS_RSA_WITH_AES_128_CBC_SHA256, \ - TLS_RSA_WITH_AES_128_GCM_SHA256, \ - TLS_RSA_WITH_AES_256_CBC_SHA, 
\ - TLS_RSA_WITH_AES_256_CBC_SHA256, \ - TLS_RSA_WITH_AES_256_GCM_SHA384, \ - TLSv1, \ - TLSv1.1, \ - X25519, \ - X448 -RestrictedSecurity.NSS.140-2.tls.ephemeralDHKeySize = -RestrictedSecurity.NSS.140-2.tls.legacyAlgorithms = - -RestrictedSecurity.NSS.140-2.jce.certpath.disabledAlgorithms = -RestrictedSecurity.NSS.140-2.jce.legacyAlgorithms = -RestrictedSecurity.NSS.140-2.jce.provider.1 = sun.security.pkcs11.SunPKCS11 ${java.home}/conf/security/nss.fips.cfg -RestrictedSecurity.NSS.140-2.jce.provider.2 = sun.security.provider.Sun [ \ - {CertificateFactory, X.509, ImplementedIn=Software}, \ - {CertStore, Collection, ImplementedIn=Software}, \ - {CertStore, com.sun.security.IndexedCollection, ImplementedIn=Software}, \ - {Policy, JavaPolicy, *}, {Configuration, JavaLoginConfig, *}, \ - {CertPathBuilder, PKIX, ValidationAlgorithm=RFC5280:ImplementedIn=Software}, \ - {CertPathValidator, PKIX, ValidationAlgorithm=RFC5280:ImplementedIn=Software}, \ - {KeyStore, PKCS12, *}] -RestrictedSecurity.NSS.140-2.jce.provider.3 = sun.security.ec.SunEC [{KeyFactory, EC, ImplementedIn=Software: \ - SupportedKeyClasses=java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey: \ - KeySize=256}, {AlgorithmParameters, EC, *}] -RestrictedSecurity.NSS.140-2.jce.provider.4 = sun.security.ssl.SunJSSE - -RestrictedSecurity.NSS.140-2.keystore.type = PKCS11 -RestrictedSecurity.NSS.140-2.javax.net.ssl.keyStore = NONE - -RestrictedSecurity.NSS.140-2.securerandom.provider = SunPKCS11-NSS-FIPS -RestrictedSecurity.NSS.140-2.securerandom.algorithm = PKCS11 - # # Strict Restricted Security mode profile for FIPS 140-3. This policy represents only allowable # approved cryptography in the OpenJCEPlusFIPS provider along with other non-cryptographic algorithms 
@@ -271,9 +187,9 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Weakly-Enforced.jce.provider.12 = c # # Test-Profile.Base -# Test base profile - misspell properties +# Test profile - base profile misspell properties # -RestrictedSecurity.Test-Profile.Base.desc.name = Test Base Profile +RestrictedSecurity.Test-Profile.Base.desc.name = Test-Profile.Base RestrictedSecurity.Test-Profile.Base.desc.default = true RestrictedSecurity.Test-Profile.Base.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 RestrictedSecurity.Test-Profile.Base.tls.disabledAlgorithmsWrongTypo = 
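Review bot: `RestrictedSecurity.Test-Profile.Base.desc.name` changes in this hunk while `desc.hash` on the context line below keeps its previous value. If the digest is computed over the profile's properties (an assumption, since the hashing code is not on this page), the profile no longer matches its hash, and whether the test reports the misspelled-property message or a hash error then depends on which check runs first. The last hunk of this file copies the same `desc.hash` value into PolicySunset, PolicySunsetFormat, SecureRandomCheck, the Constraint_* profiles and the ConstraintChanged_*_Base profiles, whose contents all differ, so the same question applies there. I would regenerate the digest per profile, or add a line above each such as `# desc.hash is a placeholder; this profile is expected to fail before hash verification`, so the profile that is meant to exercise a wrong hash stays distinguishable from the rest.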
@@ -284,40 +200,72 @@ RestrictedSecurity.Test-Profile.Base.jce.provider.3 = sun.security.ssl.SunJSSE # # Test-Profile.Extended_1 -# Test extended profile - misspell properties +# Test profile - extenstion profile misspell properties # -RestrictedSecurity.Test-Profile.Extended_1.desc.nameWrongTypo = Test Extended_1 +RestrictedSecurity.Test-Profile.Extended_1.desc.nameWrongTypo = Test-Profile.Extended_1 RestrictedSecurity.Test-Profile.Extended_1.desc.default = true RestrictedSecurity.Test-Profile.Extended_1.extends = RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3 RestrictedSecurity.Test-Profile.Extended_1.tls.disabledAlgorithms = RestrictedSecurity.Test-Profile.Extended_1.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS RestrictedSecurity.Test-Profile.Extended_1.jce.provider.2 = sun.security.provider.Sun -RestrictedSecurity.Test-Profile.Extended_1.jce.providerWrongTypo.3 = sun.security.rsa.SunRsaSign +RestrictedSecurity.Test-Profile.Extended_1.jce.providerWrongTypo = sun.security.rsa.SunRsaSign RestrictedSecurity.Test-Profile.Extended_1.jce.provider.4 = sun.security.ec.SunEC RestrictedSecurity.Test-Profile.Extended_1.jce.provider.5 = sun.security.ssl.SunJSSE # # Test-Profile.Extended_2 -# Test extended profile from another extended profile - misspell properties +# Test profile - extension profile from another extension profile misspell properties # -RestrictedSecurity.Test-Profile.Extended_2.desc.name = Test Extended_2 +RestrictedSecurity.Test-Profile.Extended_2.desc.name = Test-Profile.Extended_2 RestrictedSecurity.Test-Profile.Extended_2.desc.default = false RestrictedSecurity.Test-Profile.Extended_2.extends = RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Weakly-Enforced RestrictedSecurity.Test-Profile.Extended_2.tls.disabledAlgorithms = -RestrictedSecurity.Test-Profile.Extended_2.jce.providerWrongTypo.13 = sun.security.pkcs11.SunPKCS11 +RestrictedSecurity.Test-Profile.Extended_2.jce.providerWrongTypo = sun.security.pkcs11.SunPKCS11 # -# 
Test-Profile.MultiDefault -# Test profile - multi default profile +# Test-Profile.NotExist +# Test profile - profile not exist # -RestrictedSecurity.Test-Profile.MultiDefault.desc.name = Test Multi Default -RestrictedSecurity.Test-Profile.MultiDefault.desc.default = true -RestrictedSecurity.Test-Profile.MultiDefault.extends = RestrictedSecurity.Test-Profile.Base -RestrictedSecurity.Test-Profile.MultiDefault.tls.disabledAlgorithms = -RestrictedSecurity.Test-Profile.MultiDefault.jce.providerWrongTypo.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + + + +# +# Test-Profile-MultiDefault.Base +# Test profile - Multi Default Base profile +# +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.name = Test-Profile-MultiDefault.Base +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.default = true +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.fips = true +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.hash = SHA256:4a85dc0db2f257388155b3ada7378773884edc89c80c8d715f4bdde84cc3d8bd +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile-MultiDefault.Base.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile-MultiDefault.Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-MultiDefault.Base.jce.provider.2 = sun.security.provider.Sun +RestrictedSecurity.Test-Profile-MultiDefault.Base.jce.provider.3 = sun.security.ssl.SunJSSE + +RestrictedSecurity.Test-Profile-MultiDefault.Base.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile-MultiDefault.Base.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile-MultiDefault.Extension +# Test profile - Multi Default Extension profile +# 
+RestrictedSecurity.Test-Profile-MultiDefault.Extension.desc.name = Test-Profile-MultiDefault.Extension +RestrictedSecurity.Test-Profile-MultiDefault.Extension.desc.default = true +RestrictedSecurity.Test-Profile-MultiDefault.Extension.extends = RestrictedSecurity.Test-Profile-MultiDefault.Base +RestrictedSecurity.Test-Profile-MultiDefault.Extension.tls.disabledAlgorithms = + +RestrictedSecurity.Test-Profile-MultiDefault.Extension.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + + + + # # Test-Profile.NoDefault 
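Review bot: `RestrictedSecurity.Test-Profile-MultiDefault.Base.desc.sunsetDate = 2026-09-21` puts a calendar deadline into a test fixture. The expected-failure list in TestProperties.java contains the message `Restricted security policy expired`, so after that date this profile and the Extension that extends it may fail on expiry rather than on the multiple-default condition the case is meant to check (the order of checks is not visible here). The Constraint_* and ConstraintChanged_*_Base profiles in the last hunk use the same date. A date far in the future, or dropping the property where the case does not need it, keeps these tests from changing outcome over time. Separately, the `Test-Profile.NotExist` header is followed by no properties, so a line such as `# intentionally left undefined` would show that this is deliberate, and `extenstion` in the Extended_1 comment is a typo.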
@@ -461,3 +409,233 @@ RestrictedSecurity.Test-Profile.SetProperty_4.tls.disabledAlgorithms = - TestDis RestrictedSecurity.Test-Profile.SetProperty_4.jce.providerWrongTypo.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +# +# Test-Profile.PolicySunset +# Test profile - policy sunset +# +RestrictedSecurity.Test-Profile.PolicySunset.desc.name = Test Profile Policy Sunset +RestrictedSecurity.Test-Profile.PolicySunset.desc.default = false +RestrictedSecurity.Test-Profile.PolicySunset.desc.fips = true +RestrictedSecurity.Test-Profile.PolicySunset.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.PolicySunset.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile.PolicySunset.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile.PolicySunset.desc.sunsetDate = 2023-09-21 +RestrictedSecurity.Test-Profile.PolicySunset.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile.PolicySunset.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +# +# Test-Profile.PolicySunsetFormat +# Test profile - policy sunset format +# +RestrictedSecurity.Test-Profile.PolicySunsetFormat.desc.name = Test Profile Policy Sunset Format +RestrictedSecurity.Test-Profile.PolicySunsetFormat.desc.default = false +RestrictedSecurity.Test-Profile.PolicySunsetFormat.desc.fips = true +RestrictedSecurity.Test-Profile.PolicySunsetFormat.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.PolicySunsetFormat.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile.PolicySunsetFormat.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile.PolicySunsetFormat.desc.sunsetDate = 09-21-2024 +RestrictedSecurity.Test-Profile.PolicySunsetFormat.fips.mode = 140-3 + 
+RestrictedSecurity.Test-Profile.PolicySunsetFormat.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + + +# +# Test-Profile.SecureRandomCheck +# Test profile - secure random check +# +RestrictedSecurity.Test-Profile.SecureRandomCheck.desc.name = Test Profile Secure Random +RestrictedSecurity.Test-Profile.SecureRandomCheck.desc.default = false +RestrictedSecurity.Test-Profile.SecureRandomCheck.desc.fips = true +RestrictedSecurity.Test-Profile.SecureRandomCheck.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.SecureRandomCheck.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile.SecureRandomCheck.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS + +RestrictedSecurity.Test-Profile.SecureRandomCheck.securerandom.provider = +RestrictedSecurity.Test-Profile.SecureRandomCheck.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile.Constraint_1 +# Test profile - constraint check 1 +# +RestrictedSecurity.Test-Profile.Constraint_1.desc.name = Test-Profile.Constraint_1 +RestrictedSecurity.Test-Profile.Constraint_1.desc.default = false +RestrictedSecurity.Test-Profile.Constraint_1.desc.fips = true +RestrictedSecurity.Test-Profile.Constraint_1.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.Constraint_1.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile.Constraint_1.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile.Constraint_1.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile.Constraint_1.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile.Constraint_1.jce.certpath.disabledAlgorithms = +RestrictedSecurity.Test-Profile.Constraint_1.jce.legacyAlgorithms = +RestrictedSecurity.Test-Profile.Constraint_1.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS \ + {AlgorithmParameterGenerator, AESGCM, *}, \ + 
{AlgorithmParameterGenerator, CCM, *}] + +RestrictedSecurity.Test-Profile.Constraint_1.javax.net.ssl.keyStore = NONE +RestrictedSecurity.Test-Profile.Constraint_1.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Constraint_1.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile.Constraint_2 +# Test profile - constraint check 2 +# +RestrictedSecurity.Test-Profile.Constraint_2.desc.name = Test-Profile.Constraint_2 +RestrictedSecurity.Test-Profile.Constraint_2.desc.default = false +RestrictedSecurity.Test-Profile.Constraint_2.desc.fips = true +RestrictedSecurity.Test-Profile.Constraint_2.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.Constraint_2.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile.Constraint_2.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile.Constraint_2.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile.Constraint_2.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile.Constraint_2.jce.certpath.disabledAlgorithms = +RestrictedSecurity.Test-Profile.Constraint_2.jce.legacyAlgorithms = +RestrictedSecurity.Test-Profile.Constraint_2.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [ \ + {AlgorithmParameterGenerator, AESGCM, *}, \ + {AlgorithmParameterGenerator, CCM, *] + +RestrictedSecurity.Test-Profile.Constraint_2.javax.net.ssl.keyStore = NONE +RestrictedSecurity.Test-Profile.Constraint_2.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Constraint_2.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile.Constraint_3 +# Test profile - constraint check 3 +# +RestrictedSecurity.Test-Profile.Constraint_3.desc.name = Test-Profile.Constraint_3 +RestrictedSecurity.Test-Profile.Constraint_3.desc.default = false +RestrictedSecurity.Test-Profile.Constraint_3.desc.fips = true 
+RestrictedSecurity.Test-Profile.Constraint_3.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.Constraint_3.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile.Constraint_3.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile.Constraint_3.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile.Constraint_3.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile.Constraint_3.jce.certpath.disabledAlgorithms = +RestrictedSecurity.Test-Profile.Constraint_3.jce.legacyAlgorithms = +RestrictedSecurity.Test-Profile.Constraint_3.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [ ] + +RestrictedSecurity.Test-Profile.Constraint_3.javax.net.ssl.keyStore = NONE +RestrictedSecurity.Test-Profile.Constraint_3.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Constraint_3.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile.Constraint_Attributes +# Test profile - constraint attributes check +# +RestrictedSecurity.Test-Profile.Constraint_Attributes.desc.name = Test-Profile.Constraint_Attributes +RestrictedSecurity.Test-Profile.Constraint_Attributes.desc.default = false +RestrictedSecurity.Test-Profile.Constraint_Attributes.desc.fips = true +RestrictedSecurity.Test-Profile.Constraint_Attributes.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.Constraint_Attributes.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile.Constraint_Attributes.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile.Constraint_Attributes.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile.Constraint_Attributes.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile.Constraint_Attributes.jce.certpath.disabledAlgorithms = 
+RestrictedSecurity.Test-Profile.Constraint_Attributes.jce.legacyAlgorithms = +RestrictedSecurity.Test-Profile.Constraint_Attributes.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Constraint_Attributes.jce.provider.2 = sun.security.provider.Sun [ \ + {CertificateFactory, X.509, ImplementedInSoftware}] + +RestrictedSecurity.Test-Profile.Constraint_Attributes.javax.net.ssl.keyStore = NONE +RestrictedSecurity.Test-Profile.Constraint_Attributes.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.Constraint_Attributes.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile.ConstraintChanged_1_Base +# Test profile - Constraint Changed 1 Base +# +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.desc.name = Test-Profile.ConstraintChanged_1_Base +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.desc.default = false +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.desc.fips = true +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.jce.certpath.disabledAlgorithms = +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.jce.legacyAlgorithms = +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [ \ + {AlgorithmParameterGenerator, AESGCM, *} \ + {AlgorithmParameterGenerator, CCM, *}] +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.jce.provider.2 = 
sun.security.provider.Sun [ \ + {CertificateFactory, X.509, ImplementedIn=Software}] + +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.javax.net.ssl.keyStore = NONE +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile.ConstraintChanged_1_Extension +# Test profile - Constraint Changed 1 Extension +# +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Extension.desc.name = Test-Profile.ConstraintChanged_1_Extension +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Extension.desc.default = true +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Extension.extends = RestrictedSecurity.ConstraintChanged_1_Base + +RestrictedSecurity.Test-Profile.ConstraintChanged_1_Extension.jce.provider.1 = sun.security.provider.Sun [ + \ + {CertificateFactory, X.509, ImplementedIn=Software}] + +# +# Test-Profile.ConstraintChanged_2_Base +# Test profile - Constraint Changed 2 Base +# +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.desc.name = Test-Profile.ConstraintChanged_2_Base +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.desc.default = false +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.desc.fips = true +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.jce.certpath.disabledAlgorithms = 
+RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.jce.legacyAlgorithms = +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [ \ + {AlgorithmParameterGenerator, AESGCM, *} \ + {AlgorithmParameterGenerator, CCM, *}] +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.jce.provider.2 = sun.security.provider.Sun [ \ + {CertificateFactory, X.509, ImplementedIn=Software}] + +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.javax.net.ssl.keyStore = NONE +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base.securerandom.algorithm = SHA512DRBG + +# +# Test-Profile.ConstraintChanged_2_Extension +# Test profile - Constraint Changed 2 Extension +# +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Extension.desc.name = Test-Profile.ConstraintChanged_2_Extension +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Extension.desc.default = true +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Extension.extends = RestrictedSecurity.ConstraintChanged_1_Base + +RestrictedSecurity.Test-Profile.ConstraintChanged_2_Extension.jce.provider.2 = sun.security.provider.Sun [ - \ + {CertStore, Collection, ImplementedIn=Software}] + +# +# Test-Profile.ConstraintChanged_3_Base +# Test profile - Constraint Changed 3 Base +# +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.desc.name = Test-Profile.ConstraintChanged_3_Base +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.desc.default = false +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.desc.fips = true +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.desc.hash = SHA256:e71c49d65fd291efe75993ccbe6999e6cfb26bf9ef3e8424cb086c7e2a225ce6 +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.desc.number = Certificate #XXX +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.desc.policy = 
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.desc.sunsetDate = 2026-09-21 +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.fips.mode = 140-3 + +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.jce.certpath.disabledAlgorithms = +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.jce.legacyAlgorithms = +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [ + \ + {AlgorithmParameterGenerator, AESGCM, *} \ + {AlgorithmParameterGenerator, CCM, *}] + +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.javax.net.ssl.keyStore = NONE +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.securerandom.provider = OpenJCEPlusFIPS +RestrictedSecurity.Test-Profile.ConstraintChanged_3_Base.securerandom.algorithm = SHA512DRBG \ No newline at end of file
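Review bot: Both `ConstraintChanged_1_Extension.extends` and `ConstraintChanged_2_Extension.extends` are set to `RestrictedSecurity.ConstraintChanged_1_Base`, which lacks the profile-ID segment (`Test-Profile.`) that the other `extends` values visible in this diff carry, and the second one names the `_1_` base instead of `_2_`. As written these profiles are likely to stop at the base-profile lookup (the "not present" or "not a full profile name" messages) and never reach the constraint comparison they were added for. I would expect `RestrictedSecurity.Test-Profile.ConstraintChanged_1_Extension.extends = RestrictedSecurity.Test-Profile.ConstraintChanged_1_Base` and `RestrictedSecurity.Test-Profile.ConstraintChanged_2_Extension.extends = RestrictedSecurity.Test-Profile.ConstraintChanged_2_Base`. The three `ConstraintChanged_*_Base` provider lists also have no comma between the `AESGCM` and `CCM` entries, unlike `Constraint_1`, and if that is not the malformed input under test it may trip the constraint-syntax check first. The file now also ends without a trailing newline.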