JDK-8250787 : Provider.put no longer registering aliases in FIPS env
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 8u261,11.0.8-oracle
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2020-07-29
  • Updated: 2022-06-27
  • Resolved: 2020-08-11
Fix versions
  • JDK 11: 11.0.10-oracle b01 (Fixed)
  • JDK 8: 8u271 (Fixed)
Description
Submitter is seeing a regression with JDK 8u261.

When they enable FIPS, their code uses the JDK security provider alias feature to work around the JDBC driver's SSLContext loading problem, i.e. in CustomSSLSocketFactory.createSSLContext(), line 337:

/*  337 */          SSLContext arg2 = SSLContext.getInstance("SSL");

The workaround is provided by the OCI code JCEProviders.load(), which registers "SSL" as an alias for "TLS" as follows:

        // Remove default jsse provider, and add a BC FIPS compatible one
        com.sun.net.ssl.internal.ssl.Provider jsseProvider =
                new com.sun.net.ssl.internal.ssl.Provider(BouncyCastleFipsProvider.PROVIDER_NAME);

        jsseProvider.put("Alg.Alias.SSLContext.SSL", "TLS"); // Map SSL -> TLS for SSLContext
        Security.removeProvider(jsseProvider.getName());
        Security.insertProviderAt(jsseProvider, 2);
        log.info("Initialized JSSE provider with BouncyCastle-FIPS in position 2");


Now, with the latest JDK 8u261 B33, this workaround no longer works, and the following exception is seen when connecting to an ATP database using the JDBC 8 driver:

Exception in thread "main" java.sql.SQLRecoverableException: IO Error: The
Network Adapter could not establish the connection
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:801)
        at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:782)
        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:704)
        at java.sql.DriverManager.getConnection(DriverManager.java:664)
        at java.sql.DriverManager.getConnection(DriverManager.java:208)
        at com.oracle.oci.cnrc.jdbc.Main.getConnection(Main.java:86)
        at com.oracle.oci.cnrc.jdbc.Main.main(Main.java:42)
Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
        at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:569)
        at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:521)
        at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:660)
        at oracle.net.ns.NSProtocol.connect(NSProtocol.java:287)
        at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1481)
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:540)
        ... 7 more
Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
        at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:344)
        at oracle.net.nt.CustomSSLSocketFactory.getSSLContext(CustomSSLSocketFactory.java:305)
        at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:271)
        at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:170)
        at oracle.net.nt.ConnOption.connect(ConnOption.java:172)
        at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:508)
        ... 12 more
Caused by: java.security.NoSuchAlgorithmException: SSL SSLContext not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
        at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:337)
        ... 17 more

Comments
[~alvdavi] Approved for 11.0.9. Please push to jdk-updates/jdk11u directly (not jdk11u-dev).
24-09-2020

Fix request (11u) Open P2 bug RFR: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-September/003867.html
23-09-2020

This particular workaround (in the bug report) relies on the SunJSSE provider doing its registration in the legacy way and stopped working when it was changed to use the Service-based provider registration model as part of JDK-7092821.
04-08-2020

JDK-8215430 removed the com.sun.net.ssl package in JDK 13. This issue is most likely applicable to earlier JDK families only.
04-08-2020

Bumping to P2. I'm not aware of a workaround for this issue.
03-08-2020

JDK-7092821 modified code in the Provider registration area to move away from the Provider.put mechanism and instead use the putService Provider method. The alias mapping edits used in the code example use the com.sun.net.ssl.internal.ssl.Provider.put method to register an SSL alias for the TLS SSLContext. Under the hood, the alias mapping relies on the SSLContext mapping having been registered using the legacy put method rather than the putService method. The put method populates a (per Provider) legacyMap. To register an alias in the form used, the alias addition assumes that the legacyMap contains an entry for SSLContext.TLS (and hence the impl class); previously, it would register the alias with the same implClass. With JDK-7092821, that's no longer the case. The legacyMap is empty and the Provider.put("Alg.Alias.SSLContext.SSL", "TLS") call is the first call to populate that map. Since no TLS SSLContext is found, the mapping is not registered. The removeInvalidServices(legacyMap) call is made to ensure that all entries contain a valid impl. class.
03-08-2020
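The registration difference explained in the comment above, as an added example that is not code from the bug report, OCI or the JDK: three small Provider subclasses (hypothetical names, and a placeholder impl class name that is never loaded) show the legacy put()-only model, the Service-based model with the alias attached to the Service, and the mixed case from the workaround where the TLS entry comes from putService() and the alias is added afterwards with put().

```java
import java.security.Provider;
import java.util.Collections;

public final class AliasRegistrationCheck {

    // Placeholder class name: getService() does not load it, so any string works here.
    static final String IMPL = "example.DummySSLContextImpl";

    // Legacy model: both the TLS entry and the SSL alias go through Provider.put(),
    // so the alias parser finds SSLContext.TLS in legacyMap and copies its impl class.
    static final class LegacyStyleProvider extends Provider {
        LegacyStyleProvider() {
            super("LegacyDemo", 1.0, "legacy put() registration");
            put("SSLContext.TLS", IMPL);
            put("Alg.Alias.SSLContext.SSL", "TLS");
        }
    }

    // Service model (what SunJSSE uses after JDK-7092821): the alias is part of the Service.
    static final class ServiceStyleProvider extends Provider {
        ServiceStyleProvider() {
            super("ServiceDemo", 1.0, "putService() registration");
            putService(new Service(this, "SSLContext", "TLS", IMPL,
                    Collections.singletonList("SSL"), null));
        }
    }

    // The failing combination: TLS registered with putService(), alias added later with put().
    static final class MixedProvider extends Provider {
        MixedProvider() {
            super("MixedDemo", 1.0, "putService() then legacy alias put()");
            putService(new Service(this, "SSLContext", "TLS", IMPL, null, null));
        }
    }

    /** True when the provider resolves the algorithm name "SSL" for type SSLContext. */
    static boolean resolvesSsl(Provider p) {
        return p.getService("SSLContext", "SSL") != null;
    }

    public static void main(String[] args) {
        Provider mixed = new MixedProvider();
        mixed.put("Alg.Alias.SSLContext.SSL", "TLS"); // same call as the OCI workaround
        System.out.println("legacy  put/put        : " + resolvesSsl(new LegacyStyleProvider()));
        System.out.println("service with alias     : " + resolvesSsl(new ServiceStyleProvider()));
        System.out.println("putService + alias put : " + resolvesSsl(mixed));
    }
}
```

The first two providers resolve "SSL"; the mixed one does not, because the alias parser only consults legacyMap, finds no SSLContext.TLS there, and removeInvalidServices() then drops the alias entry that has no impl class. The same check (Provider.getService("SSLContext", "SSL")) can be run against the real JSSE provider after JCEProviders.load() to confirm whether the alias took effect before any JDBC connection is attempted.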