
Provider.put no longer registering aliases in FIPS env

        Submitter seeing regression with JDK 8u261

        When they enable FIPS, their code uses the JDK Security provider name Alias
        feature to work around the JDBC driver's SSL Context loading problem (i.e., in
        CustomSSLSocketFactory.createSSLContext(), line 337):

        /* 337 */ SSLContext arg2 = SSLContext.getInstance("SSL");

        The workaround is provided by OCI code JCEProviders.load(), with the following
        use of the alias "TLS" for "SSL":

                // Remove default jsse provider, and add a BC FIPS compatible one
                com.sun.net.ssl.internal.ssl.Provider jsseProvider =
                        new com.sun.net.ssl.internal.ssl.Provider(BouncyCastleFipsProvider.PROVIDER_NAME);

                jsseProvider.put("Alg.Alias.SSLContext.SSL", "TLS"); // Map SSL -> TLS for SSLContext
                Security.removeProvider(jsseProvider.getName());
                Security.insertProviderAt(jsseProvider, 2);
                log.info("Initialized JSSE provider with BouncyCastle-FIPS in position 2");


        Now with the latest JDK8 261 B33, this workaround no longer works, and the
        following exception is seen when connecting to an ATP Database using the JDBC8 driver:

        Exception in thread "main" java.sql.SQLRecoverableException: IO Error: The
        Network Adapter could not establish the connection
                at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:801)
                at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:782)
                at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)
                at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:704)
                at java.sql.DriverManager.getConnection(DriverManager.java:664)
                at java.sql.DriverManager.getConnection(DriverManager.java:208)
                at com.oracle.oci.cnrc.jdbc.Main.getConnection(Main.java:86)
                at com.oracle.oci.cnrc.jdbc.Main.main(Main.java:42)
        Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
                at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:569)
                at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:521)
                at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:660)
                at oracle.net.ns.NSProtocol.connect(NSProtocol.java:287)
                at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1481)
                at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:540)
                ... 7 more
        Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
                at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:344)
                at oracle.net.nt.CustomSSLSocketFactory.getSSLContext(CustomSSLSocketFactory.java:305)
                at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:271)
                at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:170)
                at oracle.net.nt.ConnOption.connect(ConnOption.java:172)
                at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:508)
                ... 12 more
        Caused by: java.security.NoSuchAlgorithmException: SSL SSLContext not available
                at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
                at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
                at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:337)
                ... 17 more


            Severin Gehwolf added a comment -
            [~alvdavi] Approved for 11.0.9. Please push to jdk-updates/jdk11u directly (not jdk11u-dev).

            David Alvarez added a comment -
            Fix request (11u) Open P2 bug RFR: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-September/003867.html

            Valerie Peng added a comment -
            This particular workaround (in the bug report) relies on the SunJSSE provider doing its registration in the legacy way and stopped working when it was changed to use the Service-based model of provider registration as part of JDK-7092821.


            Sean Coffey added a comment -
            JDK-8215430 removed the com.sun.net.ssl package in JDK 13. This issue is most likely applicable to earlier JDK families only.


            Sean Coffey added a comment -
            Bumping to P2. I'm not aware of a workaround for this issue.


            Sean Coffey added a comment -
            JDK-7092821 modified code in the Provider registration area to move away from the Provider.put mechanism and instead use the putService Provider method. The alias mapping edits used in the code example use the com.sun.net.ssl.internal.ssl.Provider.put method to register an SSL alias for the TLS SSLContext. Under the hood, the alias mapping relies on the SSLContext mapping having been registered using the legacy put method rather than the putService method.

            The put method populates a (per Provider) legacyMap. To register an alias in the form used, the alias addition assumes that the legacyMap contains an entry for SSLContext.TLS (and hence the impl class) - previously, it would register the alias with the same implClass.

            With JDK-7092821, that's no longer the case. The legacyMap is empty and Provider.put("Alg.Alias.SSLContext.SSL", "TLS") is the first call to populate that map. Since no TLS SSLContext is found, the mapping is not registered. The removeInvalidServices(legacyMap) call is made to ensure that all entries contain a valid impl. class.

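            The following is an added example (not the reporter's code and not JDK code) that reproduces the mechanism described in the comment above with a hypothetical provider whose SSLContext.TLS entry is registered through putService(), as SunJSSE is after JDK-7092821; the engine class name is a placeholder and is never loaded because only Provider.getService() is consulted.

```java
import java.security.Provider;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical provider (added example, not from the bug report or the JDK) whose
 * SSLContext.TLS engine is registered with putService(). The engine class name is a
 * placeholder: getService() only inspects the registration tables, never loads it.
 */
public final class AliasRegistrationDemo extends Provider {

    private static final String ENGINE = "example.DemoTlsContextImpl"; // placeholder class name

    @SuppressWarnings("deprecation") // Provider(String, double, String) is the only ctor on JDK 8
    AliasRegistrationDemo(boolean aliasViaPut) {
        super("DemoJSSE", 1.0, "demo provider for JDK-8250787");
        // Service-based registration fills serviceMap and leaves legacyMap empty.
        List<String> aliases = aliasViaPut
                ? Collections.<String>emptyList()
                : Collections.singletonList("SSL"); // alias is stored with the Service itself
        putService(new Service(this, "SSLContext", "TLS", ENGINE, aliases, null));
        if (aliasViaPut) {
            // Legacy style from the bug report. parseLegacyPut() looks up SSLContext.TLS
            // in legacyMap only; nothing is there, so the alias is attached to a Service
            // without an implementation class and removeInvalidServices() discards it.
            put("Alg.Alias.SSLContext.SSL", "TLS");
        }
    }

    /** Algorithm that "SSL" resolves to for this provider, or null if the alias was lost. */
    static String resolveSsl(boolean aliasViaPut) {
        Service s = new AliasRegistrationDemo(aliasViaPut).getService("SSLContext", "SSL");
        return s == null ? null : s.getAlgorithm();
    }

    public static void main(String[] args) {
        System.out.println("Provider.put alias -> " + resolveSsl(true));
        System.out.println("putService alias   -> " + resolveSsl(false));
    }
}
```

            On a build carrying the regression, resolveSsl(true) yields null because the put()-registered alias finds no SSLContext.TLS entry in legacyMap to attach to, while resolveSsl(false) yields "TLS" on any JDK since the alias list is part of the Service object. Registering aliases through putService() is therefore the registration-model-independent way to add such a mapping to a custom provider.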
