From a12b1a060cf581ebffda80d8bee79ce53bee59ef Mon Sep 17 00:00:00 2001 From: Tao Liu Date: Wed, 27 Sep 2023 13:48:26 -0400 Subject: [PATCH] Add provider SunSASL in FIPS mode --- .../internal/security/RestrictedSecurity.java | 51 ++++++++++++++----- .../share/conf/security/java.security | 1 + test/jdk/ProblemList-fips.txt | 30 +++++------ 3 files changed, 53 insertions(+), 29 deletions(-) diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java index 9bacf62f094..3d972a23f00 100644 --- a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java +++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java @@ -585,13 +585,8 @@ private void initProviders() { // Provider with argument (provider name + optional argument). providers.add(pNum - 1, providerName); - // Remove the provider's optional arguments if there are. - pos = providerName.indexOf(' '); - providerName = (pos < 0) ? providerName.trim() : providerName.substring(0, pos).trim(); - // Remove the provider's class package names if there are. - pos = providerName.lastIndexOf('.'); - providerName = (pos < 0) ? providerName : providerName.substring(pos + 1, providerName.length()); - // Provider without arguments and package names. + // Provider name defined in provider construction method. + providerName = getProvidersSimpleName(providerName); providersSimpleName.add(pNum - 1, providerName); if (debug != null) { 
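Review bot: Replacing the inline strip in initProviders with getProvidersSimpleName is not a pure refactor, because the helper applies rules the removed lines did not: a configured class name such as `sun.security.provider.Sun` was previously reduced to `Sun` by the package strip but now becomes `SUN`, and anything after a `-` is now discarded on the config side as well. If aligning the stored name with what the provider reports at runtime is the intent, the replacement comment should say so, e.g. `// Normalize to the name the Provider reports at runtime (e.g. SUN, SunJSSE), not the class's simple name.`, so the next reader does not assume the two normalizations are equivalent. initProviders starts and ends outside this hunk, so whether the `pos` local assigned by the removed lines still has other uses cannot be seen from here; if not, it should be dropped.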
@@ -849,13 +844,7 @@ boolean isRestrictedProviderAllowed(String providerName) { debug.println("Checking the provider " + providerName + " in restricted security mode."); } - // Remove argument, e.g. -NSS-FIPS, if there is. - int pos = providerName.indexOf('-'); - providerName = (pos < 0) ? providerName : providerName.substring(0, pos); - - // Remove the provider class package name if there is. - pos = providerName.lastIndexOf('.'); - providerName = (pos < 0) ? providerName : providerName.substring(pos + 1, providerName.length()); + providerName = getProvidersSimpleName(providerName); // Check if the provider is in restricted security provider list. // If not, the provider won't be registered. 
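Review bot: The debug line just above the replaced lines prints the provider name as received, but the allow-list comparison that follows uses the normalized value, so the audit output never shows the name the decision was actually made on; after the new assignment add `if (debug != null) { debug.println("Normalized provider name used for the allow-list check: " + providerName); }`. The helper also now strips everything after a space and applies the class-name aliases in this path, which the removed lines did not do; that looks harmless for names coming from Provider.getName() as far as this hunk shows, but it is a behavior change worth a sentence in the commit description. isRestrictedProviderAllowed starts and ends outside this hunk.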
@@ -880,6 +869,40 @@ boolean isRestrictedProviderAllowed(String providerName) { return false; } + /** + * Get the provider name defined in provider construction method. + * + * @param providerName provider name or provider with packages or arguments + * @return provider name defined in provider construction method + */ + private static String getProvidersSimpleName(String providerName) { + // Remove the provider's optional arguments if present. + int pos = providerName.indexOf(' '); + providerName = (pos < 0) ? providerName.trim() : providerName.substring(0, pos).trim(); + + // Remove argument, e.g. -NSS-FIPS, if present. + pos = providerName.indexOf('-'); + providerName = (pos < 0) ? providerName : providerName.substring(0, pos); + + if (providerName.equals("com.sun.net.ssl.internal.ssl.Provider")) { + // In JDK 8, the main class for the SunJSSE provider is + // com.sun.net.ssl.internal.ssl.Provider + return "SunJSSE"; + } else if (providerName.equals("sun.security.provider.Sun")) { + // In JDK 8, the main class for the SUN provider is sun.security.provider.Sun + return "SUN"; + } else if (providerName.equals("com.sun.security.sasl.Provider")) { + // The main class for the SunSASL provider is com.sun.security.sasl.Provider + return "SunSASL"; + } else { + // Remove the provider's class package names if present. + pos = providerName.lastIndexOf('.'); + providerName = (pos < 0) ? providerName : providerName.substring(pos + 1); + // Provider without arguments and package names. + return providerName; + } + } + /** * List audit info if userSecurityAudit is true, default as false. */ diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index e5d19a6bdc5..84606b0eae5 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security 
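Review bot: In getProvidersSimpleName the argument strip calls `indexOf(' ')` before `trim()`, so a name with leading whitespace yields pos 0 and the method returns the empty string, which then cannot match any allow-list entry; trimming first avoids that: `providerName = providerName.trim();` `int pos = providerName.indexOf(' ');` `providerName = (pos < 0) ? providerName : providerName.substring(0, pos);`. The `-` strip collapses every `Name-suffix` to `Name` (the comment's `-NSS-FIPS` example), so two providers that differ only after the dash are indistinguishable to the allow-list check, and the Javadoc should state that contract explicitly, e.g. `Anything after the first ' ' or '-' is discarded, so SunPKCS11-NSS-FIPS maps to SunPKCS11.`. The three fully-qualified class-name aliases are compared before the package strip, so they only match exact class names; a one-line note that the package strip alone would give `Sun` and `Provider` rather than the runtime names `SUN`, `SunJSSE` and `SunSASL` would make the reason for the special cases clear.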
@@ -146,6 +146,7 @@ RestrictedSecurity1.jce.provider.3 = SunEC [{KeyFactory, EC, ImplementedIn=Softw SupportedKeyClasses=java.security.interfaces.ECPublicKey|java.security.interfaces.ECPrivateKey: \ KeySize=256}, {AlgorithmParameters, EC, *}] RestrictedSecurity1.jce.provider.4 = SunJSSE +RestrictedSecurity1.jce.provider.5 = SunSASL RestrictedSecurity1.keystore.type = PKCS11 RestrictedSecurity1.javax.net.ssl.keyStore = NONE diff --git a/test/jdk/ProblemList-fips.txt b/test/jdk/ProblemList-fips.txt index db2984c4603..b77b6a12d2c 100644 --- a/test/jdk/ProblemList-fips.txt +++ b/test/jdk/ProblemList-fips.txt 
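Review bot: The new `RestrictedSecurity1.jce.provider.5 = SunSASL` entry carries no service constraint list, whereas the `SunEC` entry a few lines above limits that provider to named services; without one, every mechanism SunSASL registers is permitted under this FIPS profile, including the MD5-based CRAM-MD5 and DIGEST-MD5 and NTLM, which are not FIPS-approved. The ProblemList change in this same commit re-enables the digest, NTLM and PrivacyRc4 tests, which suggests those mechanisms are now expected to function in this mode rather than being blocked. If only a subset is intended, scope the entry with the same constraint syntax, e.g. `RestrictedSecurity1.jce.provider.5 = SunSASL [{SaslClientFactory, EXTERNAL, *}, {SaslServerFactory, EXTERNAL, *}]` extended to whichever mechanisms the policy permits; if SunSASL is deliberately left unconstrained, a comment above the line stating that and why would document the decision for the next reviewer.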
@@ -571,21 +571,21 @@ com/sun/org/apache/xml/internal/security/ShortECDSA.java https://github.com/ibmr # Module java.security.sasl related. Unable to find client impl for CRAM-MD5 or DIGEST-MD5. -com/sun/security/sasl/ntlm/NTLMTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -com/sun/security/sasl/ntlm/Conformance.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -com/sun/security/sasl/digest/Unbound.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -com/sun/security/sasl/digest/PrivacyRc4.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -com/sun/security/sasl/digest/Privacy.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -com/sun/security/sasl/digest/NoQuoteParams.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -com/sun/security/sasl/digest/Integrity.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -com/sun/security/sasl/digest/CheckNegotiatedQOPs.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -com/sun/security/sasl/digest/AuthRealms.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -com/sun/security/sasl/digest/AuthRealmChoices.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -com/sun/security/sasl/digest/AuthOnly.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -com/sun/security/sasl/digest/AuthNoUtf8.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -com/sun/security/sasl/Cram.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -javax/security/sasl/Sasl/DisabledMechanisms.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 -javax/security/sasl/Sasl/ClientServerTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 
+#com/sun/security/sasl/ntlm/NTLMTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#com/sun/security/sasl/ntlm/Conformance.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#com/sun/security/sasl/digest/Unbound.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#com/sun/security/sasl/digest/PrivacyRc4.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#com/sun/security/sasl/digest/Privacy.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#com/sun/security/sasl/digest/NoQuoteParams.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#com/sun/security/sasl/digest/Integrity.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#com/sun/security/sasl/digest/CheckNegotiatedQOPs.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#com/sun/security/sasl/digest/AuthRealms.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#com/sun/security/sasl/digest/AuthRealmChoices.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#com/sun/security/sasl/digest/AuthOnly.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#com/sun/security/sasl/digest/AuthNoUtf8.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#com/sun/security/sasl/Cram.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#javax/security/sasl/Sasl/DisabledMechanisms.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 +#javax/security/sasl/Sasl/ClientServerTest.java https://github.com/ibmruntimes/openj9-openjdk-jdk11/issues/547 linux-x64 # NoSuchAlgorithmException: JKS KeyStore not available or KeyStore file related.