8058845: Update JCE environment for build improvements
Reviewed-by: mullan, alanb, erikj, mchung, katleman
This commit is contained in:
Bradford Wetmore
parent
e75c0c5e74
commit
3bfea67a9d
@ -709,7 +709,18 @@ $(IMAGES_OUTPUTDIR)/lib/sa-jdi.jar: $(HOTSPOT_DIST)/lib/sa-jdi.jar
|
||||
#
|
||||
$(eval $(call SetupZipArchive,BUILD_SEC_BIN_ZIP, \
|
||||
SRC := $(JDK_OUTPUTDIR), \
|
||||
INCLUDES := modules/java.base/javax/net \
|
||||
INCLUDES := \
|
||||
modules/java.base/javax/crypto \
|
||||
modules/java.base/javax/crypto/spec \
|
||||
modules/java.base/sun/security/internal/interfaces \
|
||||
modules/java.base/sun/security/internal/spec \
|
||||
modules/java.base/com/sun/crypto/provider \
|
||||
modules/jdk.crypto.ec/sun/security/ec \
|
||||
modules/jdk.crypto.mscapi/sun/security/mscapi \
|
||||
modules/jdk.crypto.pkcs11/sun/security/pkcs11 \
|
||||
modules/jdk.crypto.pkcs11/sun/security/pkcs11/wrapper \
|
||||
modules/jdk.crypto.ucrypto/com/oracle/security/ucrypto \
|
||||
modules/java.base/javax/net \
|
||||
modules/java.base/javax/security/cert \
|
||||
modules/java.base/com/sun/net/ssl \
|
||||
modules/java.base/com/sun/security/cert \
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
|
||||
# Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
|
||||
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
#
|
||||
# This code is free software; you can redistribute it and/or modify it
|
||||
@ -41,52 +41,73 @@ ifneq ($(BUILD_CRYPTO), no)
|
||||
US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED := \
|
||||
$(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/US_export_policy.jar
|
||||
|
||||
ifndef OPENJDK
|
||||
#
|
||||
# In past releases, Oracle JDK has had a separately downloadable set of
|
||||
# policy files which has been a nightmare for deployment.
|
||||
#
|
||||
# Now if we're closed and limited (default for Oracle JDK), create
|
||||
# an "unlimited_policy" directory that contains the unlimited policy
|
||||
# files. It will be up to the user/deployer to make an informed choice
|
||||
# as to whether they are legally entitled to use the unlimited policy
|
||||
# file in their environment. Users/deployers simply need to overwrite
|
||||
# the files. Consult README.txt (below) for more info.
|
||||
#
|
||||
UNLIMITED_POLICY_DIR := $(JDK_OUTPUTDIR)/lib/security/unlimited_policy
|
||||
endif
|
||||
|
||||
#
|
||||
# TODO fix so that SetupArchive does not write files into SRCS
|
||||
# then we don't need this extra copying
|
||||
#
|
||||
# NOTE: We currently do not place restrictions on our limited export
|
||||
# policy. This was not a typo. This means we are shipping the same file
|
||||
# for both limimted and unlimited US_export_policy.jar.
|
||||
# for both limited and unlimited US_export_policy.jar. Only the local
|
||||
# policy file currently has restrictions.
|
||||
#
|
||||
US_EXPORT_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/data/cryptopolicy/unlimited
|
||||
US_EXPORT_POLICY_JAR_SRC_DIR := \
|
||||
$(JDK_TOPDIR)/make/data/cryptopolicy/unlimited
|
||||
US_EXPORT_POLICY_JAR_TMP := \
|
||||
$(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/US_export_policy_jar.tmp
|
||||
|
||||
$(US_EXPORT_POLICY_JAR_TMP)/%: $(US_EXPORT_POLICY_JAR_SRC_DIR)/%
|
||||
$(install-file)
|
||||
|
||||
US_EXPORT_POLICY_JAR_DEPS := $(US_EXPORT_POLICY_JAR_TMP)/default_US_export.policy
|
||||
US_EXPORT_POLICY_JAR_DEPS := \
|
||||
$(US_EXPORT_POLICY_JAR_TMP)/default_US_export.policy
|
||||
|
||||
$(eval $(call SetupArchive,BUILD_US_EXPORT_POLICY_JAR, $(US_EXPORT_POLICY_JAR_DEPS), \
|
||||
$(eval $(call SetupArchive,BUILD_US_EXPORT_POLICY_JAR, \
|
||||
$(US_EXPORT_POLICY_JAR_DEPS), \
|
||||
SRCS := $(US_EXPORT_POLICY_JAR_TMP), \
|
||||
SUFFIXES := .policy, \
|
||||
JAR := $(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED), \
|
||||
EXTRA_MANIFEST_ATTR := Crypto-Strength: unlimited, \
|
||||
SKIP_METAINF := true))
|
||||
|
||||
$(US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED): $(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
|
||||
$(ECHO) $(LOG_INFO) Copying unlimited $(patsubst $(OUTPUT_ROOT)/%,%,$@)
|
||||
$(install-file)
|
||||
$(US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED): \
|
||||
$(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
|
||||
$(ECHO) $(LOG_INFO) \
|
||||
Copying unlimited $(patsubst $(OUTPUT_ROOT)/%,%,$@)
|
||||
$(install-file)
|
||||
|
||||
TARGETS += $(US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED) \
|
||||
$(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
|
||||
endif
|
||||
|
||||
ifndef OPENJDK
|
||||
ifeq ($(UNLIMITED_CRYPTO), true)
|
||||
$(error No prebuilt unlimited crypto jars available)
|
||||
endif
|
||||
$(US_EXPORT_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/US_export_policy.jar
|
||||
$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
|
||||
ifeq ($(UNLIMITED_CRYPTO), true)
|
||||
$(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
|
||||
$(install-file)
|
||||
else
|
||||
ifeq ($(UNLIMITED_CRYPTO), true)
|
||||
$(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
|
||||
$(install-file)
|
||||
else
|
||||
$(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED)
|
||||
$(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED)
|
||||
$(install-file)
|
||||
endif
|
||||
|
||||
ifndef OPENJDK
|
||||
ifneq ($(UNLIMITED_CRYPTO), true)
|
||||
$(UNLIMITED_POLICY_DIR)/US_export_policy.jar: \
|
||||
$(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
|
||||
$(install-file)
|
||||
TARGETS += $(UNLIMITED_POLICY_DIR)/US_export_policy.jar
|
||||
endif
|
||||
endif
|
||||
|
||||
@ -112,11 +133,13 @@ ifneq ($(BUILD_CRYPTO), no)
|
||||
LOCAL_POLICY_JAR_UNLIMITED_TMP := \
|
||||
$(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/local_policy_jar.tmp
|
||||
|
||||
$(LOCAL_POLICY_JAR_LIMITED_TMP)/%: $(JDK_TOPDIR)/make/data/cryptopolicy/limited/%
|
||||
$(install-file)
|
||||
$(LOCAL_POLICY_JAR_LIMITED_TMP)/%: \
|
||||
$(JDK_TOPDIR)/make/data/cryptopolicy/limited/%
|
||||
$(install-file)
|
||||
|
||||
$(LOCAL_POLICY_JAR_UNLIMITED_TMP)/%: $(JDK_TOPDIR)/make/data/cryptopolicy/unlimited/%
|
||||
$(install-file)
|
||||
$(LOCAL_POLICY_JAR_UNLIMITED_TMP)/%: \
|
||||
$(JDK_TOPDIR)/make/data/cryptopolicy/unlimited/%
|
||||
$(install-file)
|
||||
|
||||
$(eval $(call SetupArchive,BUILD_LOCAL_POLICY_JAR_LIMITED, \
|
||||
$(LOCAL_POLICY_JAR_LIMITED_TMP)/exempt_local.policy \
|
||||
@ -135,28 +158,34 @@ ifneq ($(BUILD_CRYPTO), no)
|
||||
EXTRA_MANIFEST_ATTR := Crypto-Strength: unlimited, \
|
||||
SKIP_METAINF := true))
|
||||
|
||||
TARGETS += $(LOCAL_POLICY_JAR_LIMITED_UNSIGNED) $(LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED)
|
||||
TARGETS += $(LOCAL_POLICY_JAR_LIMITED_UNSIGNED) \
|
||||
$(LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED)
|
||||
|
||||
ifndef OPENJDK
|
||||
$(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt: \
|
||||
$(JDK_TOPDIR)/make/closed/javax/crypto/doc/README.txt
|
||||
ifneq ($(UNLIMITED_CRYPTO), true)
|
||||
$(UNLIMITED_POLICY_DIR)/README.txt: \
|
||||
$(JDK_TOPDIR)/make/closed/data/cryptopolicy/README.txt
|
||||
$(install-file)
|
||||
|
||||
TARGETS += $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt
|
||||
TARGETS += $(UNLIMITED_POLICY_DIR)/README.txt
|
||||
endif
|
||||
endif
|
||||
endif
|
||||
|
||||
ifeq ($(UNLIMITED_CRYPTO), true)
|
||||
$(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED)
|
||||
$(install-file)
|
||||
else
|
||||
$(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_LIMITED_UNSIGNED)
|
||||
$(install-file)
|
||||
endif
|
||||
|
||||
ifndef OPENJDK
|
||||
$(LOCAL_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/local_policy.jar
|
||||
$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
|
||||
$(install-file)
|
||||
else
|
||||
ifeq ($(UNLIMITED_CRYPTO), true)
|
||||
$(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED)
|
||||
$(install-file)
|
||||
else
|
||||
$(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_LIMITED_UNSIGNED)
|
||||
$(install-file)
|
||||
ifneq ($(UNLIMITED_CRYPTO), true)
|
||||
$(UNLIMITED_POLICY_DIR)/local_policy.jar: \
|
||||
$(LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED)
|
||||
$(install-file)
|
||||
TARGETS += $(UNLIMITED_POLICY_DIR)/local_policy.jar
|
||||
endif
|
||||
endif
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
|
||||
# Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
|
||||
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
#
|
||||
# This code is free software; you can redistribute it and/or modify it
|
||||
@ -29,16 +29,13 @@ include $(SPEC)
|
||||
include MakeBase.gmk
|
||||
include JavaCompilation.gmk
|
||||
|
||||
# The jars created in this file are required for the exploded jdk image to function and
|
||||
# cannot wait to be built in the images target.
|
||||
|
||||
##########################################################################################
|
||||
# Create manifest for security jars
|
||||
#
|
||||
# Include these extra attributes for now, should probably take out.
|
||||
#
|
||||
MAINMANIFEST := $(JDK_TOPDIR)/make/data/mainmanifest/manifest.mf
|
||||
JCE_MANIFEST := $(JDK_OUTPUTDIR)/lib/_the.security.manifest.mf
|
||||
JCE_MANIFEST := $(JDK_OUTPUTDIR)/jce/unsigned/_the.security.manifest.mf
|
||||
|
||||
$(JCE_MANIFEST): $(MAINMANIFEST)
|
||||
$(MKDIR) -p $(@D)
|
||||
@ -48,18 +45,15 @@ $(JCE_MANIFEST): $(MAINMANIFEST)
|
||||
$(MAINMANIFEST) >> $@.tmp
|
||||
$(ECHO) "Extension-Name: javax.crypto" >> $@.tmp
|
||||
$(ECHO) "Implementation-Vendor-Id: com.sun" >> $@.tmp
|
||||
$(ECHO) "Release-Version: $(RELEASE)" >> $@.tmp
|
||||
$(MV) $@.tmp $@
|
||||
|
||||
##########################################################################################
|
||||
# For security and crypto jars, always build the jar, but for closed, install the prebuilt
|
||||
# signed version instead of the newly built jar. Unsigned jars are treated as intermediate
|
||||
# targets and explicitly added to the TARGETS list. For open, signing is not needed. See
|
||||
# SignJars.gmk for more information.
|
||||
# For crypto jars, always build the jar.
|
||||
#
|
||||
# The source for the crypto jars is not available for all licensees. The BUILD_CRYPTO
|
||||
# variable is set to no if these jars can't be built to skip that step of the build.
|
||||
# Note that for OPENJDK, the build will fail if BUILD_CRYPTO=no since then there is no
|
||||
# other way to get the jars than to build them.
|
||||
# The source for the crypto jars is not available for all licensees.
|
||||
# The BUILD_CRYPTO variable is set to no if these jars can't be built
|
||||
# to skip that step of the build.
|
||||
|
||||
SUNPKCS11_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/sunpkcs11.jar
|
||||
SUNPKCS11_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/jce/unsigned/sunpkcs11.jar
|
||||
@ -74,15 +68,8 @@ $(eval $(call SetupArchive,BUILD_SUNPKCS11_JAR, , \
|
||||
|
||||
$(SUNPKCS11_JAR_UNSIGNED): $(JCE_MANIFEST)
|
||||
|
||||
ifndef OPENJDK
|
||||
SUNPKCS11_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/pkcs11/sunpkcs11.jar
|
||||
$(SUNPKCS11_JAR_DST): $(SUNPKCS11_JAR_SRC)
|
||||
@$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
|
||||
$(SUNPKCS11_JAR_DST): $(SUNPKCS11_JAR_UNSIGNED)
|
||||
$(install-file)
|
||||
else
|
||||
$(SUNPKCS11_JAR_DST): $(SUNPKCS11_JAR_UNSIGNED)
|
||||
$(install-file)
|
||||
endif
|
||||
|
||||
TARGETS += $(SUNPKCS11_JAR_UNSIGNED) $(SUNPKCS11_JAR_DST)
|
||||
|
||||
@ -101,22 +88,16 @@ $(eval $(call SetupArchive,BUILD_SUNEC_JAR, , \
|
||||
|
||||
$(SUNEC_JAR_UNSIGNED): $(JCE_MANIFEST)
|
||||
|
||||
ifndef OPENJDK
|
||||
SUNEC_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/ec/sunec.jar
|
||||
$(SUNEC_JAR_DST): $(SUNEC_JAR_SRC)
|
||||
@$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
|
||||
$(SUNEC_JAR_DST): $(SUNEC_JAR_UNSIGNED)
|
||||
$(install-file)
|
||||
else
|
||||
$(SUNEC_JAR_DST): $(SUNEC_JAR_UNSIGNED)
|
||||
$(install-file)
|
||||
endif
|
||||
|
||||
TARGETS += $(SUNEC_JAR_UNSIGNED) $(SUNEC_JAR_DST)
|
||||
|
||||
##########################################################################################
|
||||
|
||||
SUNJCE_PROVIDER_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/sunjce_provider.jar
|
||||
SUNJCE_PROVIDER_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/jce/unsigned/sunjce_provider.jar
|
||||
SUNJCE_PROVIDER_JAR_UNSIGNED := \
|
||||
$(JDK_OUTPUTDIR)/jce/unsigned/sunjce_provider.jar
|
||||
|
||||
ifneq ($(BUILD_CRYPTO), no)
|
||||
$(eval $(call SetupArchive,BUILD_SUNJCE_PROVIDER_JAR, , \
|
||||
@ -132,15 +113,8 @@ ifneq ($(BUILD_CRYPTO), no)
|
||||
TARGETS += $(SUNJCE_PROVIDER_JAR_UNSIGNED)
|
||||
endif
|
||||
|
||||
ifndef OPENJDK
|
||||
SUNJCE_PROVIDER_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/jce/sunjce_provider.jar
|
||||
$(SUNJCE_PROVIDER_JAR_DST): $(SUNJCE_PROVIDER_JAR_SRC)
|
||||
@$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
|
||||
$(SUNJCE_PROVIDER_JAR_DST): $(SUNJCE_PROVIDER_JAR_UNSIGNED)
|
||||
$(install-file)
|
||||
else
|
||||
$(SUNJCE_PROVIDER_JAR_DST): $(SUNJCE_PROVIDER_JAR_UNSIGNED)
|
||||
$(install-file)
|
||||
endif
|
||||
|
||||
TARGETS += $(SUNJCE_PROVIDER_JAR_DST)
|
||||
|
||||
@ -163,15 +137,8 @@ ifneq ($(BUILD_CRYPTO), no)
|
||||
TARGETS += $(JCE_JAR_UNSIGNED)
|
||||
endif
|
||||
|
||||
ifndef OPENJDK
|
||||
JCE_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/jce/jce.jar
|
||||
$(JCE_JAR_DST): $(JCE_JAR_SRC)
|
||||
@$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
|
||||
$(JCE_JAR_DST): $(JCE_JAR_UNSIGNED)
|
||||
$(install-file)
|
||||
else
|
||||
$(JCE_JAR_DST): $(JCE_JAR_UNSIGNED)
|
||||
$(install-file)
|
||||
endif
|
||||
|
||||
TARGETS += $(JCE_JAR_DST)
|
||||
|
||||
@ -192,15 +159,8 @@ ifeq ($(OPENJDK_TARGET_OS), windows)
|
||||
|
||||
$(SUNMSCAPI_JAR_UNSIGNED): $(JCE_MANIFEST)
|
||||
|
||||
ifndef OPENJDK
|
||||
SUNMSCAPI_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/mscapi/sunmscapi.jar
|
||||
$(SUNMSCAPI_JAR_DST): $(SUNMSCAPI_JAR_SRC)
|
||||
@$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
|
||||
$(SUNMSCAPI_JAR_DST): $(SUNMSCAPI_JAR_UNSIGNED)
|
||||
$(install-file)
|
||||
else
|
||||
$(SUNMSCAPI_JAR_DST): $(SUNMSCAPI_JAR_UNSIGNED)
|
||||
$(install-file)
|
||||
endif
|
||||
|
||||
TARGETS += $(SUNMSCAPI_JAR_UNSIGNED) $(SUNMSCAPI_JAR_DST)
|
||||
|
||||
@ -213,7 +173,6 @@ ifeq ($(OPENJDK_TARGET_OS), solaris)
|
||||
|
||||
UCRYPTO_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/ucrypto.jar
|
||||
UCRYPTO_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/jce/unsigned/ucrypto.jar
|
||||
UCRYPTO_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/ucrypto/ucrypto.jar
|
||||
|
||||
$(eval $(call SetupArchive,BUILD_UCRYPTO_JAR, , \
|
||||
SRCS := $(JDK_OUTPUTDIR)/modules/jdk.crypto.ucrypto, \
|
||||
@ -225,8 +184,7 @@ ifeq ($(OPENJDK_TARGET_OS), solaris)
|
||||
|
||||
$(UCRYPTO_JAR_UNSIGNED): $(JCE_MANIFEST)
|
||||
|
||||
$(UCRYPTO_JAR_DST): $(UCRYPTO_JAR_SRC)
|
||||
@$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
|
||||
$(UCRYPTO_JAR_DST): $(UCRYPTO_JAR_UNSIGNED)
|
||||
$(install-file)
|
||||
|
||||
TARGETS += $(UCRYPTO_JAR_UNSIGNED) $(UCRYPTO_JAR_DST)
|
||||
|
||||
@ -1,126 +0,0 @@
|
||||
#
|
||||
# Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
|
||||
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
#
|
||||
# This code is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License version 2 only, as
|
||||
# published by the Free Software Foundation. Oracle designates this
|
||||
# particular file as subject to the "Classpath" exception as provided
|
||||
# by Oracle in the LICENSE file that accompanied this code.
|
||||
#
|
||||
# This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
# version 2 for more details (a copy is included in the LICENSE file that
|
||||
# accompanied this code).
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License version
|
||||
# 2 along with this work; if not, write to the Free Software Foundation,
|
||||
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
# or visit www.oracle.com if you need additional information or have any
|
||||
# questions.
|
||||
#
|
||||
|
||||
include $(SPEC)
|
||||
include MakeBase.gmk
|
||||
|
||||
# (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK
|
||||
# builds respectively.)
|
||||
#
|
||||
# JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE
|
||||
# jar files do not require signing, but those for JDK do. If an unsigned
|
||||
# jar file is installed into JDK, things will break when the crypto
|
||||
# routines are called.
|
||||
#
|
||||
# All jars are created in CreateJars.gmk. This Makefile does the signing
|
||||
# of the jars for JDK.
|
||||
#
|
||||
# For JDK, the binaries use pre-built/pre-signed binary files stored in
|
||||
# the closed workspace that are not shipped in the OpenJDK workspaces.
|
||||
# We still build the JDK files to verify the files compile, and in
|
||||
# preparation for possible signing. Developers working on JCE in JDK
|
||||
# must sign the JCE files before testing. The JCE signing key is kept
|
||||
# separate from the JDK workspace to prevent its disclosure.
|
||||
#
|
||||
# SPECIAL NOTE TO JCE/JDK developers: The source files must eventually
|
||||
# be built, signed, and then the resulting jar files MUST BE CHECKED
|
||||
# INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT
|
||||
# BE FORGOTTEN*, otherwise a bug fixed in the source code will not be
|
||||
# reflected in the shipped binaries.
|
||||
#
|
||||
# Please consult with Release Engineering, which is responsible for
|
||||
# creating the final JCE builds suitable for checkin.
|
||||
#
|
||||
|
||||
# Default target
|
||||
all:
|
||||
|
||||
ifndef OPENJDK
|
||||
|
||||
README-MAKEFILE_WARNING := \
|
||||
"\nPlease read jdk/make/SignJars.gmk for further build instructions.\n"
|
||||
|
||||
#
|
||||
# Location for JCE codesigning key.
|
||||
#
|
||||
SIGNING_KEY_DIR := /security/ws/JCE-signing/src
|
||||
SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks
|
||||
SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt
|
||||
SIGNING_ALIAS := oracle_jce_rsa
|
||||
|
||||
#
|
||||
# Defines for signing the various jar files.
|
||||
#
|
||||
check-keystore:
|
||||
@if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \
|
||||
$(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \
|
||||
$(PRINTF) $(README-MAKEFILE_WARNING); \
|
||||
exit 2; \
|
||||
fi
|
||||
|
||||
$(JDK_OUTPUTDIR)/jce/signed/%: $(JDK_OUTPUTDIR)/jce/unsigned/%
|
||||
$(call install-file)
|
||||
$(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \
|
||||
$@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE)
|
||||
@$(PRINTF) "\nJar codesigning finished.\n"
|
||||
|
||||
JAR_LIST := \
|
||||
jce.jar \
|
||||
policy/limited/local_policy.jar \
|
||||
policy/limited/US_export_policy.jar \
|
||||
policy/unlimited/local_policy.jar \
|
||||
policy/unlimited/US_export_policy.jar \
|
||||
sunec.jar \
|
||||
sunjce_provider.jar \
|
||||
sunpkcs11.jar \
|
||||
sunmscapi.jar \
|
||||
ucrypto.jar \
|
||||
#
|
||||
|
||||
UNSIGNED_JARS := $(wildcard $(addprefix $(JDK_OUTPUTDIR)/jce/unsigned/, $(JAR_LIST)))
|
||||
|
||||
ifeq ($(UNSIGNED_JARS), )
|
||||
$(error No jars found in $(JDK_OUTPUTDIR)/jce/unsigned/)
|
||||
endif
|
||||
|
||||
SIGNED_JARS := $(patsubst $(JDK_OUTPUTDIR)/jce/unsigned/%,$(JDK_OUTPUTDIR)/jce/signed/%, \
|
||||
$(UNSIGNED_JARS))
|
||||
|
||||
$(SIGNED_JARS): check-keystore
|
||||
|
||||
$(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt: \
|
||||
$(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt
|
||||
$(install-file)
|
||||
|
||||
all: $(SIGNED_JARS) $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt
|
||||
@$(PRINTF) "\n*** The jar files built by the 'sign-jars' target are developer ***"
|
||||
@$(PRINTF) "\n*** builds only and *MUST NOT* be checked into the closed workspace. ***"
|
||||
@$(PRINTF) "\n*** ***"
|
||||
@$(PRINTF) "\n*** Please consult with Release Engineering: they will generate ***"
|
||||
@$(PRINTF) "\n*** the proper binaries for the closed workspace. ***"
|
||||
@$(PRINTF) "\n"
|
||||
@$(PRINTF) $(README-MAKEFILE_WARNING)
|
||||
|
||||
endif # !OPENJDK
|
||||
@ -77,6 +77,9 @@ PROFILE_1_JRE_LIB_FILES := \
|
||||
security/java.security \
|
||||
security/local_policy.jar \
|
||||
security/trusted.libraries \
|
||||
security/unlimited_policy/README.txt \
|
||||
security/unlimited_policy/US_export_policy.jar \
|
||||
security/unlimited_policy/local_policy.jar \
|
||||
tzdb.dat
|
||||
|
||||
PROFILE_1_JRE_OTHER_FILES := \
|
||||
@ -97,8 +100,9 @@ PROFILE_1_JRE_JAR_FILES := \
|
||||
resources.jar \
|
||||
rt.jar \
|
||||
security/US_export_policy.jar \
|
||||
security/local_policy.jar
|
||||
|
||||
security/local_policy.jar \
|
||||
security/unlimited_policy/US_export_policy.jar \
|
||||
security/unlimited_policy/local_policy.jar
|
||||
|
||||
PROFILE_2_JRE_BIN_FILES := \
|
||||
rmid$(EXE_SUFFIX) \
|
||||
|
||||
@ -263,9 +263,9 @@ public class Cipher {
|
||||
Provider provider,
|
||||
String transformation) {
|
||||
// See bug 4341369 & 4334690 for more info.
|
||||
// If the caller is trusted, then okey.
|
||||
// If the caller is trusted, then okay.
|
||||
// Otherwise throw a NullPointerException.
|
||||
if (!JceSecurityManager.INSTANCE.isCallerTrusted()) {
|
||||
if (!JceSecurityManager.INSTANCE.isCallerTrusted(provider)) {
|
||||
throw new NullPointerException();
|
||||
}
|
||||
this.spi = cipherSpi;
|
||||
|
||||
@ -76,12 +76,14 @@ final class JceSecurity {
|
||||
static {
|
||||
try {
|
||||
AccessController.doPrivileged(
|
||||
new PrivilegedExceptionAction<Object>() {
|
||||
public Object run() throws Exception {
|
||||
new PrivilegedExceptionAction<Void> () {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
setupJurisdictionPolicies();
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
);
|
||||
|
||||
isRestricted = defaultPolicy.implies(
|
||||
CryptoAllPermission.INSTANCE) ? false : true;
|
||||
@ -143,9 +145,9 @@ final class JceSecurity {
|
||||
* @throws Exception on error
|
||||
*/
|
||||
static CryptoPermissions verifyExemptJar(URL codeBase) throws Exception {
|
||||
JarVerifier jv = new JarVerifier(codeBase, true);
|
||||
jv.verify();
|
||||
return jv.getPermissions();
|
||||
ProviderVerifier pv = new ProviderVerifier(codeBase, true);
|
||||
pv.verify();
|
||||
return pv.getPermissions();
|
||||
}
|
||||
|
||||
/**
|
||||
@ -153,11 +155,11 @@ final class JceSecurity {
|
||||
*
|
||||
* @throws Exception on error
|
||||
*/
|
||||
static void verifyProviderJar(URL codeBase) throws Exception {
|
||||
static void verifyProvider(URL codeBase, Provider p) throws Exception {
|
||||
// Verify the provider JAR file and all
|
||||
// supporting JAR files if there are any.
|
||||
JarVerifier jv = new JarVerifier(codeBase, false);
|
||||
jv.verify();
|
||||
ProviderVerifier pv = new ProviderVerifier(codeBase, p, false);
|
||||
pv.verify();
|
||||
}
|
||||
|
||||
private final static Object PROVIDER_VERIFIED = Boolean.TRUE;
|
||||
@ -183,7 +185,7 @@ final class JceSecurity {
|
||||
try {
|
||||
verifyingProviders.put(p, Boolean.FALSE);
|
||||
URL providerURL = getCodeBase(p.getClass());
|
||||
verifyProviderJar(providerURL);
|
||||
verifyProvider(providerURL, p);
|
||||
// Verified ok, cache result
|
||||
verificationResults.put(p, PROVIDER_VERIFIED);
|
||||
return null;
|
||||
@ -222,18 +224,20 @@ final class JceSecurity {
|
||||
synchronized (codeBaseCacheRef) {
|
||||
URL url = codeBaseCacheRef.get(clazz);
|
||||
if (url == null) {
|
||||
url = AccessController.doPrivileged(new PrivilegedAction<URL>() {
|
||||
public URL run() {
|
||||
ProtectionDomain pd = clazz.getProtectionDomain();
|
||||
if (pd != null) {
|
||||
CodeSource cs = pd.getCodeSource();
|
||||
if (cs != null) {
|
||||
return cs.getLocation();
|
||||
url = AccessController.doPrivileged(
|
||||
new PrivilegedAction<URL>() {
|
||||
@Override
|
||||
public URL run() {
|
||||
ProtectionDomain pd = clazz.getProtectionDomain();
|
||||
if (pd != null) {
|
||||
CodeSource cs = pd.getCodeSource();
|
||||
if (cs != null) {
|
||||
return cs.getLocation();
|
||||
}
|
||||
}
|
||||
return NULL_URL;
|
||||
}
|
||||
return NULL_URL;
|
||||
}
|
||||
});
|
||||
});
|
||||
codeBaseCacheRef.put(clazz, url);
|
||||
}
|
||||
return (url == NULL_URL) ? null : url;
|
||||
@ -315,7 +319,7 @@ final class JceSecurity {
|
||||
// Enforce the signer restraint, i.e. signer of JCE framework
|
||||
// jar should also be the signer of the two jurisdiction policy
|
||||
// jar files.
|
||||
JarVerifier.verifyPolicySigned(je.getCertificates());
|
||||
ProviderVerifier.verifyPolicySigned(je.getCertificates());
|
||||
}
|
||||
// Close and nullify the JarFile reference to help GC.
|
||||
jf.close();
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -228,7 +228,7 @@ final class JceSecurityManager extends SecurityManager {
|
||||
}
|
||||
|
||||
// See bug 4341369 & 4334690 for more info.
|
||||
boolean isCallerTrusted() {
|
||||
boolean isCallerTrusted(Provider provider) {
|
||||
// Get the caller and its codebase.
|
||||
Class<?>[] context = getClassContext();
|
||||
URL callerCodeBase = null;
|
||||
@ -249,7 +249,7 @@ final class JceSecurityManager extends SecurityManager {
|
||||
}
|
||||
// Check whether the caller is a trusted provider.
|
||||
try {
|
||||
JceSecurity.verifyProviderJar(callerCodeBase);
|
||||
JceSecurity.verifyProvider(callerCodeBase, provider);
|
||||
} catch (Exception e2) {
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -320,7 +320,7 @@ public class KeyGenerator {
|
||||
|
||||
/**
|
||||
* Update the active spi of this class and return the next
|
||||
* implementation for failover. If no more implemenations are
|
||||
* implementation for failover. If no more implementations are
|
||||
* available, this method returns null. However, the active spi of
|
||||
* this class is never set to null.
|
||||
*/
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -31,7 +31,8 @@ import java.security.*;
|
||||
import java.util.jar.*;
|
||||
|
||||
/**
|
||||
* This class verifies JAR files (and any supporting JAR files), and
|
||||
* This class verifies Provider/Policy resources found at a URL
|
||||
* (currently only JAR files and any supporting JAR files), and
|
||||
* determines whether they may be used in this implementation.
|
||||
*
|
||||
* The JCE in OpenJDK has an open cryptographic interface, meaning it
|
||||
@ -42,22 +43,36 @@ import java.util.jar.*;
|
||||
*
|
||||
* @since 1.7
|
||||
*/
|
||||
final class JarVerifier {
|
||||
final class ProviderVerifier {
|
||||
|
||||
// The URL for the JAR file we want to verify.
|
||||
private URL jarURL;
|
||||
private Provider provider;
|
||||
private boolean savePerms;
|
||||
private CryptoPermissions appPerms = null;
|
||||
|
||||
/**
|
||||
* Creates a JarVerifier object to verify the given URL.
|
||||
* Creates a ProviderVerifier object to verify the given URL.
|
||||
*
|
||||
* @param jarURL the JAR file to be verified.
|
||||
* @param savePerms if true, save the permissions allowed by the
|
||||
* exemption mechanism
|
||||
*/
|
||||
JarVerifier(URL jarURL, boolean savePerms) {
|
||||
ProviderVerifier(URL jarURL, boolean savePerms) {
|
||||
this(jarURL, null, savePerms);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a ProviderVerifier object to verify the given URL.
|
||||
*
|
||||
* @param jarURL the JAR file to be verified
|
||||
* @param provider the corresponding provider.
|
||||
* @param savePerms if true, save the permissions allowed by the
|
||||
* exemption mechanism
|
||||
*/
|
||||
ProviderVerifier(URL jarURL, Provider provider, boolean savePerms) {
|
||||
this.jarURL = jarURL;
|
||||
this.provider = provider;
|
||||
this.savePerms = savePerms;
|
||||
}
|
||||
|
||||
@ -68,7 +83,7 @@ final class JarVerifier {
|
||||
* In OpenJDK, we just need to examine the "cryptoperms" file to see
|
||||
* if any permissions were bundled together with this jar file.
|
||||
*/
|
||||
void verify() throws JarException, IOException {
|
||||
void verify() throws IOException {
|
||||
|
||||
// Short-circuit. If we weren't asked to save any, we're done.
|
||||
if (!savePerms) {
|
||||
@ -98,7 +113,8 @@ final class JarVerifier {
|
||||
}
|
||||
});
|
||||
} catch (java.security.PrivilegedActionException pae) {
|
||||
throw new SecurityException("Cannot load " + url.toString(), pae);
|
||||
throw new SecurityException("Cannot load " + url.toString(),
|
||||
pae.getCause());
|
||||
}
|
||||
|
||||
if (jf != null) {
|
||||
@ -144,7 +160,7 @@ final class JarVerifier {
|
||||
* Returns the permissions which are bundled with the JAR file,
|
||||
* aka the "cryptoperms" file.
|
||||
*
|
||||
* NOTE: if this JarVerifier instance is constructed with "savePerms"
|
||||
* NOTE: if this ProviderVerifier instance is constructed with "savePerms"
|
||||
* equal to false, then this method would always return null.
|
||||
*/
|
||||
CryptoPermissions getPermissions() {
|
||||
Loading…
Reference in New Issue
Block a user