From 4d1a51cb859150005c93827f33e40a3a37f1524f Mon Sep 17 00:00:00 2001 From: Sean Mullan Date: Thu, 14 Nov 2024 14:15:16 +0000 Subject: [PATCH] 8344120: Remove Security Manager dependencies from jdk.crypto.cryptoki module Reviewed-by: rriggs, ascarpino --- .../classes/sun/security/pkcs11/Config.java | 25 +-- .../classes/sun/security/pkcs11/P11Key.java | 7 +- .../sun/security/pkcs11/P11KeyAgreement.java | 12 +- .../classes/sun/security/pkcs11/P11Util.java | 22 +-- .../sun/security/pkcs11/SunPKCS11.java | 186 ++++++------------ .../sun/security/pkcs11/wrapper/PKCS11.java | 19 +- 6 files changed, 77 insertions(+), 194 deletions(-) diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java index 18ccda542a0..88a74e73eda 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java @@ -31,8 +31,6 @@ import java.math.BigInteger; import java.nio.charset.StandardCharsets; import java.util.*; -import java.security.*; - import sun.security.util.PropertyExpander; import sun.security.pkcs11.wrapper.*; 
@@ -58,31 +56,16 @@ final class Config { // will accept single threaded modules regardless of the setting in their // config files. private static final boolean staticAllowSingleThreadedModules; - private static final String osName; - private static final String osArch; static { - @SuppressWarnings("removal") - List props = AccessController.doPrivileged( - new PrivilegedAction<>() { - @Override - public List run() { - return List.of( - System.getProperty( - "sun.security.pkcs11.allowSingleThreadedModules", - "true"), - System.getProperty("os.name"), - System.getProperty("os.arch")); - } - } - ); - if ("false".equalsIgnoreCase(props.get(0))) { + String allowSingleThreadedModules = + System.getProperty( + "sun.security.pkcs11.allowSingleThreadedModules", "true"); + if ("false".equalsIgnoreCase(allowSingleThreadedModules)) { staticAllowSingleThreadedModules = false; } else { staticAllowSingleThreadedModules = true; } - osName = props.get(1); - osArch = props.get(2); } private static final boolean DEBUG = false; diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java index 49718e254b3..5d83fa106fd 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -108,12 +108,9 @@ abstract class P11Key implements Key, Length { * */ static { - PrivilegedAction getKeyExtractionProp = - () -> System.getProperty( - "sun.security.pkcs11.disableKeyExtraction", "false"); - @SuppressWarnings("removal") String disableKeyExtraction = - AccessController.doPrivileged(getKeyExtractionProp); + System.getProperty( + "sun.security.pkcs11.disableKeyExtraction", "false"); DISABLE_NATIVE_KEYS_EXTRACTION = "true".equalsIgnoreCase(disableKeyExtraction); } 
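Review bot: The if/else in Config's static initializer that sets `staticAllowSingleThreadedModules` can now be a single assignment, because the privileged block that forced the list-of-properties shape is gone: `staticAllowSingleThreadedModules = !"false".equalsIgnoreCase(allowSingleThreadedModules);`. That would match how the P11Key hunk in this patch sets `DISABLE_NATIVE_KEYS_EXTRACTION` directly from the comparison. Both values are assigned in static initializers, so they are read once when the class is initialized. A one-line comment such as `// read once at class initialization; later changes to the property are ignored` would save operators from trying to toggle them at runtime.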
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyAgreement.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyAgreement.java index 7a47f147bf4..6c010a4a513 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyAgreement.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyAgreement.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -71,14 +71,8 @@ final class P11KeyAgreement extends KeyAgreementSpi { private static class AllowKDF { - private static final boolean VALUE = getValue(); - - @SuppressWarnings("removal") - private static boolean getValue() { - return AccessController.doPrivileged( - (PrivilegedAction) - () -> Boolean.getBoolean("jdk.crypto.KeyAgreement.legacyKDF")); - } + private static final boolean VALUE = + Boolean.getBoolean("jdk.crypto.KeyAgreement.legacyKDF"); } P11KeyAgreement(Token token, String algorithm, long mechanism) { diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java index 8a2b745fe38..5c95e381f5c 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -130,7 +130,7 @@ public final class P11Util { return p; } - @SuppressWarnings("removal") + @SuppressWarnings("deprecation") private static Provider getProvider(Provider p, String providerName, String className) { if (p != null) { @@ -140,22 +140,8 @@ public final class P11Util { if (p == null) { try { final Class c = Class.forName(className); - p = AccessController.doPrivileged( - new PrivilegedAction() { - public Provider run() { - try { - @SuppressWarnings("deprecation") - Object o = c.newInstance(); - return (Provider) o; - } catch (Exception e) { - throw new ProviderException( - "Could not find provider " + - providerName, e); - } - } - }, null, new RuntimePermission( - "accessClassInPackage." + c.getPackageName())); - } catch (ClassNotFoundException e) { + p = (Provider) c.newInstance(); + } catch (Exception e) { // Unexpected, as className is not a user but a // P11Util-internal value. throw new ProviderException("Could not find provider " + diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java index e77edc98399..19d56dec93c 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 
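Review bot: In P11Util.getProvider the single `catch (Exception e)` covers the class lookup, the instantiation and the cast, and reports all of them as "Could not find provider", which is misleading when the class was found but its constructor failed. The `@SuppressWarnings("deprecation")` has also widened from one local variable to the whole method. Replacing the call with `p = (Provider) c.getDeclaredConstructor().newInstance();` should remove the need for the suppression. It would also wrap constructor failures in InvocationTargetException, so the cause stays distinguishable in the ProviderException. The method starts before the second hunk and its body continues past it.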
@@ -117,19 +117,13 @@ public final class SunPKCS11 extends AuthProvider { poller = null; } - @SuppressWarnings("removal") @Override public Provider configure(String configArg) throws InvalidParameterException { final String newConfigName = checkNull(configArg); try { - return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { - @Override - public SunPKCS11 run() throws Exception { - return new SunPKCS11(new Config(newConfigName)); - } - }); - } catch (PrivilegedActionException pae) { - throw new InvalidParameterException("Error configuring SunPKCS11 provider", pae.getException()); + return new SunPKCS11(new Config(newConfigName)); + } catch (IOException ioe) { + throw new InvalidParameterException("Error configuring SunPKCS11 provider", ioe); } } @@ -1117,7 +1111,6 @@ public final class SunPKCS11 extends AuthProvider { } // create the poller thread, if not already active - @SuppressWarnings("removal") private void createPoller() { if (poller != null) { return; @@ -1197,7 +1190,6 @@ public final class SunPKCS11 extends AuthProvider { } // create the cleaner thread, if not already active - @SuppressWarnings("removal") private void createCleaner() { cleaner = new NativeResourceCleaner(); Thread t = InnocuousThread.newSystemThread( @@ -1210,7 +1202,6 @@ public final class SunPKCS11 extends AuthProvider { } // destroy the token. Called if we detect that it has been removed - @SuppressWarnings("removal") synchronized void uninitToken(Token token) { if (this.token != token) { // mismatch, our token must already be destroyed @@ -1219,12 +1210,7 @@ public final class SunPKCS11 extends AuthProvider { destroyPoller(); this.token = null; // unregister all algorithms - AccessController.doPrivileged(new PrivilegedAction() { - public Object run() { - clear(); - return null; - } - }); + clear(); // keep polling for token insertion unless configured not to if (removable && !config.getDestroyTokenAfterLogout()) { createPoller(); 
@@ -1386,36 +1372,29 @@ public final class SunPKCS11 extends AuthProvider { } // register algorithms in provider - @SuppressWarnings("removal") - var dummy = AccessController.doPrivileged(new PrivilegedAction() { - public Object run() { - for (Map.Entry entry - : supportedAlgs.entrySet()) { - Descriptor d = entry.getKey(); - int mechanism = entry.getValue().intValue(); - Service s = d.service(token, mechanism); - putService(s); - } - if (((token.tokenInfo.flags & CKF_RNG) != 0) - && config.isEnabled(PCKM_SECURERANDOM) - && !token.sessionManager.lowMaxSessions()) { - // do not register SecureRandom if the token does - // not support many sessions. if we did, we might - // run out of sessions in the middle of a - // nextBytes() call where we cannot fail over. - putService(new P11Service(token, SR, "PKCS11", - "sun.security.pkcs11.P11SecureRandom", null, - PCKM_SECURERANDOM)); - } - if (config.isEnabled(PCKM_KEYSTORE)) { - putService(new P11Service(token, KS, "PKCS11", - "sun.security.pkcs11.P11KeyStore", - List.of("PKCS11-" + config.getName()), - PCKM_KEYSTORE)); - } - return null; - } - }); + for (Map.Entry entry : supportedAlgs.entrySet()) { + Descriptor d = entry.getKey(); + int mechanism = entry.getValue().intValue(); + Service s = d.service(token, mechanism); + putService(s); + } + if (((token.tokenInfo.flags & CKF_RNG) != 0) + && config.isEnabled(PCKM_SECURERANDOM) + && !token.sessionManager.lowMaxSessions()) { + // do not register SecureRandom if the token does + // not support many sessions. if we did, we might + // run out of sessions in the middle of a + // nextBytes() call where we cannot fail over. + putService(new P11Service(token, SR, "PKCS11", + "sun.security.pkcs11.P11SecureRandom", null, + PCKM_SECURERANDOM)); + } + if (config.isEnabled(PCKM_KEYSTORE)) { + putService(new P11Service(token, KS, "PKCS11", + "sun.security.pkcs11.P11KeyStore", + List.of("PKCS11-" + config.getName()), + PCKM_KEYSTORE)); + } this.token = token; if (cleaner == null) { 
@@ -1621,10 +1600,6 @@ public final class SunPKCS11 extends AuthProvider { * @throws IllegalStateException if the provider requires configuration * and Provider.configure has not been called * @throws LoginException if the login operation fails - * @throws SecurityException if the does not pass a security check for - * SecurityPermission("authProvider.name"), - * where name is the value returned by - * this provider's getName method */ public void login(Subject subject, CallbackHandler handler) throws LoginException { @@ -1633,17 +1608,6 @@ public final class SunPKCS11 extends AuthProvider { throw new IllegalStateException("Configuration is required"); } - // security check - @SuppressWarnings("removal") - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - if (debug != null) { - debug.println("checking login permission"); - } - sm.checkPermission(new SecurityPermission - ("authProvider." + this.getName())); - } - if (!hasValidToken()) { throw new LoginException("No token present"); @@ -1753,24 +1717,12 @@ public final class SunPKCS11 extends AuthProvider { * @throws IllegalStateException if the provider requires configuration * and Provider.configure has not been called * @throws LoginException if the logout operation fails - * @throws SecurityException if the does not pass a security check for - * SecurityPermission("authProvider.name"), - * where name is the value returned by - * this provider's getName method */ public void logout() throws LoginException { if (!isConfigured()) { throw new IllegalStateException("Configuration is required"); } - // security check - @SuppressWarnings("removal") - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission - (new SecurityPermission("authProvider." + this.getName())); - } - if (!hasValidToken()) { // app may call logout for cleanup, allow return; 
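Review bot: The Javadoc for login() loses its `@throws SecurityException` clause and gains nothing in its place, so it does not say that the method no longer performs a caller check; the same applies to the logout() hunk that follows and to the two setCallbackHandler() hunks. Since the `SecurityPermission("authProvider." + this.getName())` check is removed from all three, each Javadoc could state the new contract with a sentence such as `This method performs no permission check; any code that can obtain this provider may call it.` This matters most for setCallbackHandler(), where the supplied handler is stored in `pHandler` and is presumably the one later asked for the token PIN. The bodies of all three methods continue outside the hunks.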
@@ -1844,11 +1796,6 @@ public final class SunPKCS11 extends AuthProvider { * * @throws IllegalStateException if the provider requires configuration * and Provider.configure has not been called - * @throws SecurityException if the caller does not pass a - * security check for - * SecurityPermission("authProvider.name"), - * where name is the value returned by - * this provider's getName method */ public void setCallbackHandler(CallbackHandler handler) { @@ -1856,14 +1803,6 @@ public final class SunPKCS11 extends AuthProvider { throw new IllegalStateException("Configuration is required"); } - // security check - @SuppressWarnings("removal") - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission - (new SecurityPermission("authProvider." + this.getName())); - } - synchronized (LOCK_HANDLER) { pHandler = handler; } 
@@ -1887,60 +1826,51 @@ public final class SunPKCS11 extends AuthProvider { return pHandler; } - try { + if (debug != null) { + debug.println("getting default callback handler"); + } + + String defaultHandler = Security.getProperty + ("auth.login.defaultCallbackHandler"); + + if (defaultHandler == null || defaultHandler.length() == 0) { + + // ok if (debug != null) { - debug.println("getting default callback handler"); + debug.println("no default handler set"); } + return null; + } - @SuppressWarnings("removal") - CallbackHandler myHandler = AccessController.doPrivileged - (new PrivilegedExceptionAction() { - public CallbackHandler run() throws Exception { - - String defaultHandler = - java.security.Security.getProperty - ("auth.login.defaultCallbackHandler"); - - if (defaultHandler == null || - defaultHandler.length() == 0) { - - // ok - if (debug != null) { - debug.println("no default handler set"); - } - return null; - } - - Class c = Class.forName - (defaultHandler, - true, - Thread.currentThread().getContextClassLoader()); - if (!javax.security.auth.callback.CallbackHandler.class.isAssignableFrom(c)) { - // not the right subtype - if (debug != null) { - debug.println("default handler " + defaultHandler + - " is not a CallbackHandler"); - } - return null; - } - @SuppressWarnings("deprecation") - Object result = c.newInstance(); - return (CallbackHandler)result; + try { + Class c = Class.forName + (defaultHandler, + true, + Thread.currentThread().getContextClassLoader()); + if (!CallbackHandler.class.isAssignableFrom(c)) { + // not the right subtype + if (debug != null) { + debug.println("default handler " + defaultHandler + + " is not a CallbackHandler"); } - }); + return null; + } + @SuppressWarnings("deprecation") + Object result = c.newInstance(); + CallbackHandler myHandler = (CallbackHandler)result; // save it pHandler = myHandler; return myHandler; - } catch (PrivilegedActionException pae) { + } catch (ReflectiveOperationException roe) { // ok if (debug 
!= null) { debug.println("Unable to load default callback handler"); - pae.printStackTrace(); + roe.printStackTrace(); } } + return null; } - return null; } private Object writeReplace() throws ObjectStreamException { diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java index f7dfd055000..6ce50d9d695 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java @@ -51,9 +51,6 @@ import java.io.File; import java.io.IOException; import java.util.*; -import java.security.AccessController; -import java.security.PrivilegedAction; - import sun.security.util.Debug; import sun.security.pkcs11.P11Util; @@ -80,16 +77,12 @@ public class PKCS11 { private static final String PKCS11_WRAPPER = "j2pkcs11"; static { - // cannot use LoadLibraryAction because that would make the native - // library available to the bootclassloader, but we run in the - // extension classloader. - @SuppressWarnings({"removal", "restricted"}) - var dummy = AccessController.doPrivileged(new PrivilegedAction() { - public Object run() { - System.loadLibrary(PKCS11_WRAPPER); - return null; - } - }); + loadAndInitializeLibrary(); + } + + @SuppressWarnings("restricted") + private static void loadAndInitializeLibrary() { + System.loadLibrary(PKCS11_WRAPPER); boolean enableDebug = Debug.getInstance("sunpkcs11") != null; initializeLibrary(enableDebug); }
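Review bot: In SunPKCS11.getCallbackHandler the new `catch (ReflectiveOperationException roe)` is narrower than the old `PrivilegedActionException` handling. `c.newInstance()` rethrows a checked exception raised by the handler's constructor as-is; the privileged wrapper used to turn that into the "Unable to load default callback handler" path, and it would now escape the method undeclared. Using `Object result = c.getDeclaredConstructor().newInstance();` would wrap constructor failures in InvocationTargetException, which the new catch covers, and would make the `@SuppressWarnings("deprecation")` unnecessary; note that it would also route unchecked constructor exceptions to the same path. Separately, `Class.forName` is called with `true`, so the class named by the `auth.login.defaultCallbackHandler` security property is initialized before the `isAssignableFrom` check; passing `false` would defer its static initializer until after the type check has passed. The method starts before the hunk.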
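Review bot: The new `loadAndInitializeLibrary()` in PKCS11.java carries `@SuppressWarnings("restricted")` with no explanation, and the commit deletes the only comment the static block had. A short comment above the method would tell the next reader why the suppression is acceptable, for example `// System.loadLibrary is a restricted method; the library name is the fixed constant PKCS11_WRAPPER, never caller input.` The body also keeps the `initializeLibrary(enableDebug)` call, so the comment should say that the load and the native initialization must stay in this order, if that is the intent.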