From d97ea4d1771c6d2d8b2414e547dfa270ccd25eea Mon Sep 17 00:00:00 2001
From: ulvii
Date: Thu, 24 Aug 2017 17:52:04 -0700
Subject: [PATCH 1/4] Removing fipsProvider connection property

---
 .../microsoft/sqlserver/jdbc/IOBuffer.java | 39 ++++----------
 .../sqlserver/jdbc/SQLServerDataSource.java | 8 ---
 .../sqlserver/jdbc/SQLServerDriver.java | 2 -
 .../sqlserver/jdbc/SQLServerResource.java | 7 +--
 .../sqlserver/jdbc/fips/FipsTest.java | 53 ++-----------------
 5 files changed, 16 insertions(+), 93 deletions(-)

diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java b/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
index 60ca4fbc5..6aa666a6e 100644
--- a/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
+++ b/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
@@ -1579,7 +1579,6 @@ void enableSSL(String host, boolean isFips = false; String trustStoreType = null; - String fipsProvider = null; String sslProtocol = null; // If anything in here fails, terminate the connection and throw an exception
@@ -1598,12 +1597,11 @@ void enableSSL(String host, trustStoreType = SQLServerDriverStringProperty.TRUST_STORE_TYPE.getDefaultValue(); } - fipsProvider = con.activeConnectionProperties.getProperty(SQLServerDriverStringProperty.FIPS_PROVIDER.toString()); isFips = Boolean.valueOf(con.activeConnectionProperties.getProperty(SQLServerDriverBooleanProperty.FIPS.toString())); sslProtocol = con.activeConnectionProperties.getProperty(SQLServerDriverStringProperty.SSL_PROTOCOL.toString()); if (isFips) { - validateFips(fipsProvider, trustStoreType, trustStoreFileName); + validateFips(trustStoreType, trustStoreFileName); } assert TDS.ENCRYPT_OFF == con.getRequestedEncryptionLevel() || // Login only SSL
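Review bot: In the `@@ -1598` hunk, the remaining call `validateFips(trustStoreType, trustStoreFileName);` is reached only after the context at the top of that hunk has assigned `SQLServerDriverStringProperty.TRUST_STORE_TYPE.getDefaultValue()` to `trustStoreType` (presumably when the property was not supplied), so the non-empty trustStoreType test that is all validateFips still performs on its arguments cannot fail unless that default is itself empty, which is not visible here. If that is acceptable, FIPS mode now amounts to encrypt=true with trustServerCertificate=false and the call site should say so: `// validateFips only enforces encrypt/trustServerCertificate here; trustStoreType already carries its default.` Otherwise pass the raw property value read before the default is applied. enableSSL starts and ends outside the hunk.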
@@ -1649,12 +1647,8 @@ void enableSSL(String host, if (logger.isLoggable(Level.FINEST)) logger.finest(toString() + " Finding key store interface"); - if (isFips) { - ks = KeyStore.getInstance(trustStoreType, fipsProvider); - } - else { - ks = KeyStore.getInstance(trustStoreType); - } + + ks = KeyStore.getInstance(trustStoreType); ksProvider = ks.getProvider(); // Next, load up the trust store file from the specified location. @@ -1828,57 +1822,44 @@ void enableSSL(String host, * Valid FIPS settings: *
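Review bot: With the provider argument gone, `ks = KeyStore.getInstance(trustStoreType);` now resolves the trust store through whichever installed provider has JCA precedence, and nothing in this hunk verifies that the `ksProvider` it then records is a FIPS-validated provider when `isFips` is true. After this patch the only FIPS gate is validateFips, which inspects the property strings rather than the provider, so on a JVM that is not itself configured FIPS-only a `fips=true` connection can load its trust store through a non-FIPS provider without any error. If the intent is to delegate that to JVM configuration, say so where the branch was: `// FIPS mode relies on the JVM's provider configuration; the key store provider is not checked here.` ksProvider's later use lies outside the hunk, so a check there would close this; enableSSL starts and ends outside the hunk.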
  • Encrypt should be true *
  • trustServerCertificate should be false - *
  • if certificate is not installed FIPSProvider & TrustStoreType should be present. + *
  • if certificate is not installed TrustStoreType should be present. * - * @param fipsProvider - * FIPS Provider * @param trustStoreType * @param trustStoreFileName * @throws SQLServerException * @since 6.1.4 */ - private void validateFips(final String fipsProvider, - final String trustStoreType, + private void validateFips(final String trustStoreType, final String trustStoreFileName) throws SQLServerException { boolean isValid = false; boolean isEncryptOn; boolean isValidTrustStoreType; boolean isValidTrustStore; boolean isTrustServerCertificate; - boolean isValidFipsProvider; String strError = SQLServerException.getErrString("R_invalidFipsConfig"); isEncryptOn = (TDS.ENCRYPT_ON == con.getRequestedEncryptionLevel()); - // Here different FIPS provider supports different KeyStore type along with different JVM Implementation. - isValidFipsProvider = !StringUtils.isEmpty(fipsProvider); isValidTrustStoreType = !StringUtils.isEmpty(trustStoreType); isValidTrustStore = !StringUtils.isEmpty(trustStoreFileName); isTrustServerCertificate = con.trustServerCertificate(); if (isEncryptOn && !isTrustServerCertificate) { if (logger.isLoggable(Level.FINER)) - logger.finer(toString() + " Found parameters are encrypt is true & trustServerCertificate false"); + logger.finer(toString() + "Found parameters are encrypt is true & trustServerCertificate false"); isValid = true; if (isValidTrustStore) { - // In case of valid trust store we need to check fipsProvider and TrustStoreType. - if (!isValidFipsProvider || !isValidTrustStoreType) { - isValid = false; - strError = SQLServerException.getErrString("R_invalidFipsProviderConfig"); - + // In case of valid trust store we need to check TrustStoreType. 
+ if (!isValidTrustStoreType) { + isValid = false; if (logger.isLoggable(Level.FINER)) - logger.finer(toString() + " FIPS provider & TrustStoreType should pass with TrustStore."); + logger.finer(toString() + "TrustStoreType is requiered alongside with TrustStore."); } - if (logger.isLoggable(Level.FINER)) - logger.finer(toString() + " Found FIPS parameters seems to be valid."); } } - else { - strError = SQLServerException.getErrString("R_invalidFipsEncryptConfig"); - } if (!isValid) { throw new SQLServerException(strError, null, 0, null); diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDataSource.java b/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDataSource.java index abb54db84..16891f3f0 100644 --- a/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDataSource.java +++ b/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDataSource.java @@ -585,14 +585,6 @@ public boolean getFIPS() { return getBooleanProperty(connectionProps, SQLServerDriverBooleanProperty.FIPS.toString(), SQLServerDriverBooleanProperty.FIPS.getDefaultValue()); } - - public void setFIPSProvider(String fipsProvider) { - setStringProperty(connectionProps, SQLServerDriverStringProperty.FIPS_PROVIDER.toString(), fipsProvider); - } - - public String getFIPSProvider() { - return getStringProperty(connectionProps, SQLServerDriverStringProperty.FIPS_PROVIDER.toString(), null); - } public void setSSLProtocol(String sslProtocol) { setStringProperty(connectionProps, SQLServerDriverStringProperty.SSL_PROTOCOL.toString(), sslProtocol); diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDriver.java b/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDriver.java index 25a0032b4..290be39ae 100644 --- a/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDriver.java +++ b/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDriver.java 
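Review bot: After the `else` branch and the two specific resource strings are removed, every rejection in validateFips throws `R_invalidFipsConfig`, and the only remaining FINER log covers the trustStoreType case, so a connection refused because encrypt is off or trustServerCertificate is true leaves no trace of which condition failed; the same loss of detail is in the SQLServerResource hunk that deletes `R_invalidFipsEncryptConfig` and `R_invalidFipsProviderConfig`. Before the throw, log the decision inputs once, they are plain booleans: `if (logger.isLoggable(Level.FINER)) logger.finer(toString() + " FIPS validation failed: encryptOn=" + isEncryptOn + ", trustServerCertificate=" + isTrustServerCertificate + ", trustStoreType set=" + isValidTrustStoreType);`. The Javadoc also keeps `@param trustStoreType` and `@param trustStoreFileName` without descriptions; a few words each (the key store type, the trust store path, both may be empty) would make the remaining contract readable. validateFips's closing brace is outside the hunk.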
@@ -286,7 +286,6 @@ enum SQLServerDriverStringProperty
 KEY_STORE_AUTHENTICATION ("keyStoreAuthentication", ""),
 KEY_STORE_SECRET ("keyStoreSecret", ""),
 KEY_STORE_LOCATION ("keyStoreLocation", ""),
- FIPS_PROVIDER ("fipsProvider", ""),
 SSL_PROTOCOL ("sslProtocol", SSLProtocol.TLS.toString()),
 ;
 
@@ -418,7 +417,6 @@ public final class SQLServerDriver implements java.sql.Driver {
 new SQLServerDriverPropertyInfo(SQLServerDriverBooleanProperty.XOPEN_STATES.toString(), Boolean.toString(SQLServerDriverBooleanProperty.XOPEN_STATES.getDefaultValue()), false, TRUE_FALSE),
 new SQLServerDriverPropertyInfo(SQLServerDriverStringProperty.AUTHENTICATION_SCHEME.toString(), SQLServerDriverStringProperty.AUTHENTICATION_SCHEME.getDefaultValue(), false, new String[] {AuthenticationScheme.javaKerberos.toString(),AuthenticationScheme.nativeAuthentication.toString()}),
 new SQLServerDriverPropertyInfo(SQLServerDriverStringProperty.AUTHENTICATION.toString(), SQLServerDriverStringProperty.AUTHENTICATION.getDefaultValue(), false, new String[] {SqlAuthentication.NotSpecified.toString(),SqlAuthentication.SqlPassword.toString(),SqlAuthentication.ActiveDirectoryPassword.toString(),SqlAuthentication.ActiveDirectoryIntegrated.toString()}),
- new SQLServerDriverPropertyInfo(SQLServerDriverStringProperty.FIPS_PROVIDER.toString(), SQLServerDriverStringProperty.FIPS_PROVIDER.getDefaultValue(), false, null),
 new SQLServerDriverPropertyInfo(SQLServerDriverIntProperty.SOCKET_TIMEOUT.toString(), Integer.toString(SQLServerDriverIntProperty.SOCKET_TIMEOUT.getDefaultValue()), false, null),
 new SQLServerDriverPropertyInfo(SQLServerDriverBooleanProperty.FIPS.toString(), Boolean.toString(SQLServerDriverBooleanProperty.FIPS.getDefaultValue()), false, TRUE_FALSE),
 new SQLServerDriverPropertyInfo(SQLServerDriverBooleanProperty.ENABLE_PREPARE_ON_FIRST_PREPARED_STATEMENT.toString(), Boolean.toString(SQLServerDriverBooleanProperty.ENABLE_PREPARE_ON_FIRST_PREPARED_STATEMENT.getDefaultValue()), false,TRUE_FALSE),
diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerResource.java b/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerResource.java
index 6539a5802..489b71157 100644
--- a/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerResource.java
+++ b/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerResource.java
@@ -363,7 +363,6 @@ protected Object[][] getContents() {
 {"R_keyStoreAuthenticationPropertyDescription", "The name that identifies a key store."},
 {"R_keyStoreSecretPropertyDescription", "The authentication secret or information needed to locate the secret."},
 {"R_keyStoreLocationPropertyDescription", "The key store location."},
- {"R_fipsProviderPropertyDescription", "FIPS Provider."},
 {"R_keyStoreAuthenticationNotSet", "\"keyStoreAuthentication\" connection string keyword must be specified, if \"{0}\" is specified."},
 {"R_keyStoreSecretOrLocationNotSet", "Both \"keyStoreSecret\" and \"keyStoreLocation\" must be set, if \"keyStoreAuthentication=JavaKeyStorePassword\" has been specified in the connection string."},
 {"R_certificateStoreInvalidKeyword", "Cannot set \"keyStoreSecret\", if \"keyStoreAuthentication=CertificateStore\" has been specified in the connection string."},
@@ -375,10 +374,8 @@ protected Object[][] getContents() {
 {"R_TVPnotWorkWithSetObjectResultSet" , "setObject() with ResultSet is not supported for Table-Valued Parameter. Please use setStructured()."},
 {"R_invalidQueryTimeout", "The queryTimeout {0} is not valid."},
 {"R_invalidSocketTimeout", "The socketTimeout {0} is not valid."},
- {"R_fipsPropertyDescription", "Determines if enable FIPS compliant SSL connection between the client and the server."},
- {"R_invalidFipsConfig", "Could not enable FIPS."},
- {"R_invalidFipsEncryptConfig", "Could not enable FIPS due to either encrypt is not true or using trusted certificate settings."},
- {"R_invalidFipsProviderConfig", "Could not enable FIPS due to invalid FIPSProvider or TrustStoreType."},
+ {"R_fipsPropertyDescription", "Determines if FIPS mode is enabled."},
+ {"R_invalidFipsConfig", "Unable to verify FIPS mode settings."},
 {"R_serverPreparedStatementDiscardThreshold", "The serverPreparedStatementDiscardThreshold {0} is not valid."},
 {"R_statementPoolingCacheSize", "The statementPoolingCacheSize {0} is not valid."},
 {"R_kerberosLoginFailedForUsername", "Cannot login with Kerberos principal {0}, check your credentials. {1}"},
diff --git a/src/test/java/com/microsoft/sqlserver/jdbc/fips/FipsTest.java b/src/test/java/com/microsoft/sqlserver/jdbc/fips/FipsTest.java
index 83f8a9f71..2254bfb6b 100644
--- a/src/test/java/com/microsoft/sqlserver/jdbc/fips/FipsTest.java
+++ b/src/test/java/com/microsoft/sqlserver/jdbc/fips/FipsTest.java
@@ -52,8 +52,7 @@ public void fipsTrustServerCertificateTest() throws Exception {
 }
 catch (SQLServerException e) {
 Assertions.assertTrue(
- e.getMessage().contains("Could not enable FIPS due to either encrypt is not true or using trusted certificate settings."),
- "Should create exception for invalid TrustServerCertificate value");
+ e.getMessage().contains("Unable to verify FIPS mode settings."));
 }
 }
 
@@ -72,31 +71,11 @@ public void fipsEncryptTest() throws Exception {
 }
 catch (SQLServerException e) {
 Assertions.assertTrue(
- e.getMessage().contains("Could not enable FIPS due to either encrypt is not true or using trusted certificate settings."),
+ e.getMessage().contains("Unable to verify FIPS mode settings."),
 "Should create exception for invalid encrypt value");
 }
 }
 
- /**
- * Test after removing FIPS PROVIDER
- *
- * @throws Exception
- */
- @Test
- public void fipsProviderTest() throws Exception {
- try {
- Properties props = buildConnectionProperties();
- props.remove("fipsProvider");
- props.setProperty("trustStore", "/SOME_PATH");
- Connection con = PrepUtil.getConnection(connectionString, props);
- Assertions.fail("It should fail as we are not passing appropriate params");
- }
- catch (SQLServerException e) {
- Assertions.assertTrue(e.getMessage().contains("Could not enable FIPS due to invalid FIPSProvider or TrustStoreType"),
- "Should create exception for invalid FIPSProvider");
- }
- }
-
 /**
 * Test after removing fips, encrypt & trustStore it should work appropriately.
 *
@@ -124,7 +103,6 @@ public void fipsDataSourcePropertyTest() throws Exception {
 SQLServerDataSource ds = new SQLServerDataSource();
 setDataSourceProperties(ds);
 ds.setFIPS(false);
- ds.setFIPSProvider("");
 ds.setEncrypt(false);
 ds.setTrustStoreType("JKS");
 Connection con = ds.getConnection();
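Review bot: Deleting fipsProviderTest here (and fipsDataSourceProviderTest in the `@@ -148` hunk) removes the only tests that exercised the trustStore-without-trustStoreType rejection, which validateFips still contains after this patch, so that branch is now untested. A straight replacement that does `props.remove("trustStoreType")` before `PrepUtil.getConnection(connectionString, props)` would probably not reach it, because the IOBuffer hunk in this patch shows enableSSL assigning `TRUST_STORE_TYPE.getDefaultValue()` before validateFips is called; decide whether that check is still reachable, and if it is, add a test for it that asserts on `"Unable to verify FIPS mode settings."`. fipsEncryptTest's body starts outside the hunk.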
@@ -148,32 +126,11 @@ public void fipsDatSourceEncrypt() {
 }
 catch (SQLServerException e) {
 Assertions.assertTrue(
- e.getMessage().contains("Could not enable FIPS due to either encrypt is not true or using trusted certificate settings."),
+ e.getMessage().contains("Unable to verify FIPS mode settings."),
 "Should create exception for invalid encrypt value");
 }
 }
 
- /**
- * Test after removing FIPS PROVIDER
- *
- * @throws Exception
- */
- @Test
- public void fipsDataSourceProviderTest() throws Exception {
- try {
- SQLServerDataSource ds = new SQLServerDataSource();
- setDataSourceProperties(ds);
- ds.setFIPSProvider("");
- ds.setTrustStore("/SOME_PATH");
- Connection con = ds.getConnection();
- Assertions.fail("It should fail as we are not passing appropriate params");
- }
- catch (SQLServerException e) {
- Assertions.assertTrue(e.getMessage().contains("Could not enable FIPS due to invalid FIPSProvider or TrustStoreType"),
- "Should create exception for invalid FIPSProvider");
- }
- }
-
 /**
 * Test after setting TrustServerCertificate as true.
 *
@@ -190,7 +147,7 @@ public void fipsDataSourceTrustServerCertificateTest() throws Exception {
 }
 catch (SQLServerException e) {
 Assertions.assertTrue(
- e.getMessage().contains("Could not enable FIPS due to either encrypt is not true or using trusted certificate settings."),
+ e.getMessage().contains("Unable to verify FIPS mode settings."),
 "Should create exception for invalid TrustServerCertificate value");
 }
 }
@@ -216,7 +173,6 @@ private void setDataSourceProperties(SQLServerDataSource ds) {
 ds.setTrustServerCertificate(false);
 ds.setIntegratedSecurity(false);
 ds.setTrustStoreType("PKCS12");
- ds.setFIPSProvider("BCFIPS");
 }
 
 /**
@@ -235,7 +191,6 @@ private Properties buildConnectionProperties() { // For New Code connectionProps.setProperty("trustStoreType", "PKCS12"); - connectionProps.setProperty("fipsProvider", "BCFIPS"); connectionProps.setProperty("fips", "true"); return connectionProps;
From a5794e9a735da9d78784adebd8d53c77d6a87cf2 Mon Sep 17 00:00:00 2001
From: ulvii
Date: Thu, 24 Aug 2017 17:56:23 -0700
Subject: [PATCH 2/4] Minor fix

---
 src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java b/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
index 6aa666a6e..85c42360f 100644
--- a/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
+++ b/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
@@ -1845,12 +1845,8 @@ private void validateFips(final String trustStoreType, isValidTrustStore = !StringUtils.isEmpty(trustStoreFileName); isTrustServerCertificate = con.trustServerCertificate(); - if (isEncryptOn && !isTrustServerCertificate) { - if (logger.isLoggable(Level.FINER)) - logger.finer(toString() + "Found parameters are encrypt is true & trustServerCertificate false"); - + if (isEncryptOn && !isTrustServerCertificate) { isValid = true; - if (isValidTrustStore) { // In case of valid trust store we need to check TrustStoreType. if (!isValidTrustStoreType) {
From 376a06dab405f11e3e429a5f99c8039fe2782591 Mon Sep 17 00:00:00 2001
From: ulvii
Date: Wed, 30 Aug 2017 17:44:25 -0700
Subject: [PATCH 3/4] Update IOBuffer.java

Fix typo
---
 src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java b/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
index 85c42360f..25856348b 100644
--- a/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
+++ b/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
@@ -1852,7 +1852,7 @@ private void validateFips(final String trustStoreType,
 if (!isValidTrustStoreType) {
 isValid = false;
 if (logger.isLoggable(Level.FINER))
- logger.finer(toString() + "TrustStoreType is requiered alongside with TrustStore.");
+ logger.finer(toString() + "TrustStoreType is required alongside with TrustStore.");
 }
 }
 }
From 6b2664800760b17ef118cc94f93ff1aeba07e638 Mon Sep 17 00:00:00 2001
From: ulvii
Date: Wed, 30 Aug 2017 18:08:48 -0700
Subject: [PATCH 4/4] update FipsTest

---
 src/test/java/com/microsoft/sqlserver/jdbc/fips/FipsTest.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/test/java/com/microsoft/sqlserver/jdbc/fips/FipsTest.java b/src/test/java/com/microsoft/sqlserver/jdbc/fips/FipsTest.java
index 2254bfb6b..3a257328a 100644
--- a/src/test/java/com/microsoft/sqlserver/jdbc/fips/FipsTest.java
+++ b/src/test/java/com/microsoft/sqlserver/jdbc/fips/FipsTest.java
@@ -52,7 +52,8 @@ public void fipsTrustServerCertificateTest() throws Exception {
 }
 catch (SQLServerException e) {
 Assertions.assertTrue(
- e.getMessage().contains("Unable to verify FIPS mode settings."));
+ e.getMessage().contains("Unable to verify FIPS mode settings."),
+ "Should create exception for invalid TrustServerCertificate value");
 }
 }
 
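Review bot: The corrected message on the `+` line is still concatenated directly to `toString()` with no separator, unlike the FINER messages validateFips had before this series which began with a space after toString(), and "alongside with" is ungrammatical; `logger.finer(toString() + " TrustStoreType is required alongside TrustStore.");` fixes both. validateFips starts outside the hunk.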