8344120: Remove Security Manager dependencies from jdk.crypto.cryptoki module

Reviewed-by: rriggs, ascarpino
Sean Mullan 2024-11-14 14:15:16 +00:00
parent a73226b18e
commit 4d1a51cb85
6 changed files with 77 additions and 194 deletions


@ -31,8 +31,6 @@ import java.math.BigInteger;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.util.*; import java.util.*;
import java.security.*;
import sun.security.util.PropertyExpander; import sun.security.util.PropertyExpander;
import sun.security.pkcs11.wrapper.*; import sun.security.pkcs11.wrapper.*;
@ -58,31 +56,16 @@ final class Config {
// will accept single threaded modules regardless of the setting in their // will accept single threaded modules regardless of the setting in their
// config files. // config files.
private static final boolean staticAllowSingleThreadedModules; private static final boolean staticAllowSingleThreadedModules;
private static final String osName;
private static final String osArch;
static { static {
@SuppressWarnings("removal") String allowSingleThreadedModules =
List<String> props = AccessController.doPrivileged(
new PrivilegedAction<>() {
@Override
public List<String> run() {
return List.of(
System.getProperty( System.getProperty(
"sun.security.pkcs11.allowSingleThreadedModules", "sun.security.pkcs11.allowSingleThreadedModules", "true");
"true"), if ("false".equalsIgnoreCase(allowSingleThreadedModules)) {
System.getProperty("os.name"),
System.getProperty("os.arch"));
}
}
);
if ("false".equalsIgnoreCase(props.get(0))) {
staticAllowSingleThreadedModules = false; staticAllowSingleThreadedModules = false;
} else { } else {
staticAllowSingleThreadedModules = true; staticAllowSingleThreadedModules = true;
} }
osName = props.get(1);
osArch = props.get(2);
} }
private static final boolean DEBUG = false; private static final boolean DEBUG = false;


@ -108,12 +108,9 @@ abstract class P11Key implements Key, Length {
* *
*/ */
static { static {
PrivilegedAction<String> getKeyExtractionProp =
() -> System.getProperty(
"sun.security.pkcs11.disableKeyExtraction", "false");
@SuppressWarnings("removal")
String disableKeyExtraction = String disableKeyExtraction =
AccessController.doPrivileged(getKeyExtractionProp); System.getProperty(
"sun.security.pkcs11.disableKeyExtraction", "false");
DISABLE_NATIVE_KEYS_EXTRACTION = DISABLE_NATIVE_KEYS_EXTRACTION =
"true".equalsIgnoreCase(disableKeyExtraction); "true".equalsIgnoreCase(disableKeyExtraction);
} }


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -71,14 +71,8 @@ final class P11KeyAgreement extends KeyAgreementSpi {
private static class AllowKDF { private static class AllowKDF {
private static final boolean VALUE = getValue(); private static final boolean VALUE =
Boolean.getBoolean("jdk.crypto.KeyAgreement.legacyKDF");
@SuppressWarnings("removal")
private static boolean getValue() {
return AccessController.doPrivileged(
(PrivilegedAction<Boolean>)
() -> Boolean.getBoolean("jdk.crypto.KeyAgreement.legacyKDF"));
}
} }
P11KeyAgreement(Token token, String algorithm, long mechanism) { P11KeyAgreement(Token token, String algorithm, long mechanism) {


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -130,7 +130,7 @@ public final class P11Util {
return p; return p;
} }
@SuppressWarnings("removal") @SuppressWarnings("deprecation")
private static Provider getProvider(Provider p, String providerName, private static Provider getProvider(Provider p, String providerName,
String className) { String className) {
if (p != null) { if (p != null) {
@ -140,22 +140,8 @@ public final class P11Util {
if (p == null) { if (p == null) {
try { try {
final Class<?> c = Class.forName(className); final Class<?> c = Class.forName(className);
p = AccessController.doPrivileged( p = (Provider) c.newInstance();
new PrivilegedAction<Provider>() {
public Provider run() {
try {
@SuppressWarnings("deprecation")
Object o = c.newInstance();
return (Provider) o;
} catch (Exception e) { } catch (Exception e) {
throw new ProviderException(
"Could not find provider " +
providerName, e);
}
}
}, null, new RuntimePermission(
"accessClassInPackage." + c.getPackageName()));
} catch (ClassNotFoundException e) {
// Unexpected, as className is not a user but a // Unexpected, as className is not a user but a
// P11Util-internal value. // P11Util-internal value.
throw new ProviderException("Could not find provider " + throw new ProviderException("Could not find provider " +
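Review bot: The single `catch (Exception e)` in getProvider now handles instantiation and cast failures as well as ClassNotFoundException, but the comment kept under it still explains only why a missing class is unexpected. I would reword it to cover both cases, for example `// Unexpected: className is a P11Util-internal value, so neither lookup nor instantiation should fail.` Separately, `@SuppressWarnings("deprecation")` moved from the one `newInstance()` local to the whole method, which would hide any deprecated call added to getProvider later. Keeping it on a local (`@SuppressWarnings("deprecation") Object o = c.newInstance(); p = (Provider) o;`) retains the narrow scope. The method body continues past the end of this hunk.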


@ -117,19 +117,13 @@ public final class SunPKCS11 extends AuthProvider {
poller = null; poller = null;
} }
@SuppressWarnings("removal")
@Override @Override
public Provider configure(String configArg) throws InvalidParameterException { public Provider configure(String configArg) throws InvalidParameterException {
final String newConfigName = checkNull(configArg); final String newConfigName = checkNull(configArg);
try { try {
return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
@Override
public SunPKCS11 run() throws Exception {
return new SunPKCS11(new Config(newConfigName)); return new SunPKCS11(new Config(newConfigName));
} } catch (IOException ioe) {
}); throw new InvalidParameterException("Error configuring SunPKCS11 provider", ioe);
} catch (PrivilegedActionException pae) {
throw new InvalidParameterException("Error configuring SunPKCS11 provider", pae.getException());
} }
} }
@ -1117,7 +1111,6 @@ public final class SunPKCS11 extends AuthProvider {
} }
// create the poller thread, if not already active // create the poller thread, if not already active
@SuppressWarnings("removal")
private void createPoller() { private void createPoller() {
if (poller != null) { if (poller != null) {
return; return;
@ -1197,7 +1190,6 @@ public final class SunPKCS11 extends AuthProvider {
} }
// create the cleaner thread, if not already active // create the cleaner thread, if not already active
@SuppressWarnings("removal")
private void createCleaner() { private void createCleaner() {
cleaner = new NativeResourceCleaner(); cleaner = new NativeResourceCleaner();
Thread t = InnocuousThread.newSystemThread( Thread t = InnocuousThread.newSystemThread(
@ -1210,7 +1202,6 @@ public final class SunPKCS11 extends AuthProvider {
} }
// destroy the token. Called if we detect that it has been removed // destroy the token. Called if we detect that it has been removed
@SuppressWarnings("removal")
synchronized void uninitToken(Token token) { synchronized void uninitToken(Token token) {
if (this.token != token) { if (this.token != token) {
// mismatch, our token must already be destroyed // mismatch, our token must already be destroyed
@ -1219,12 +1210,7 @@ public final class SunPKCS11 extends AuthProvider {
destroyPoller(); destroyPoller();
this.token = null; this.token = null;
// unregister all algorithms // unregister all algorithms
AccessController.doPrivileged(new PrivilegedAction<Object>() {
public Object run() {
clear(); clear();
return null;
}
});
// keep polling for token insertion unless configured not to // keep polling for token insertion unless configured not to
if (removable && !config.getDestroyTokenAfterLogout()) { if (removable && !config.getDestroyTokenAfterLogout()) {
createPoller(); createPoller();
@ -1386,11 +1372,7 @@ public final class SunPKCS11 extends AuthProvider {
} }
// register algorithms in provider // register algorithms in provider
@SuppressWarnings("removal") for (Map.Entry<Descriptor,Integer> entry : supportedAlgs.entrySet()) {
var dummy = AccessController.doPrivileged(new PrivilegedAction<Object>() {
public Object run() {
for (Map.Entry<Descriptor,Integer> entry
: supportedAlgs.entrySet()) {
Descriptor d = entry.getKey(); Descriptor d = entry.getKey();
int mechanism = entry.getValue().intValue(); int mechanism = entry.getValue().intValue();
Service s = d.service(token, mechanism); Service s = d.service(token, mechanism);
@ -1413,9 +1395,6 @@ public final class SunPKCS11 extends AuthProvider {
List.of("PKCS11-" + config.getName()), List.of("PKCS11-" + config.getName()),
PCKM_KEYSTORE)); PCKM_KEYSTORE));
} }
return null;
}
});
this.token = token; this.token = token;
if (cleaner == null) { if (cleaner == null) {
@ -1621,10 +1600,6 @@ public final class SunPKCS11 extends AuthProvider {
* @throws IllegalStateException if the provider requires configuration * @throws IllegalStateException if the provider requires configuration
* and Provider.configure has not been called * and Provider.configure has not been called
* @throws LoginException if the login operation fails * @throws LoginException if the login operation fails
* @throws SecurityException if the does not pass a security check for
* <code>SecurityPermission("authProvider.<i>name</i>")</code>,
* where <i>name</i> is the value returned by
* this provider's <code>getName</code> method
*/ */
public void login(Subject subject, CallbackHandler handler) public void login(Subject subject, CallbackHandler handler)
throws LoginException { throws LoginException {
@ -1633,17 +1608,6 @@ public final class SunPKCS11 extends AuthProvider {
throw new IllegalStateException("Configuration is required"); throw new IllegalStateException("Configuration is required");
} }
// security check
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
if (debug != null) {
debug.println("checking login permission");
}
sm.checkPermission(new SecurityPermission
("authProvider." + this.getName()));
}
if (!hasValidToken()) { if (!hasValidToken()) {
throw new LoginException("No token present"); throw new LoginException("No token present");
@ -1753,24 +1717,12 @@ public final class SunPKCS11 extends AuthProvider {
* @throws IllegalStateException if the provider requires configuration * @throws IllegalStateException if the provider requires configuration
* and Provider.configure has not been called * and Provider.configure has not been called
* @throws LoginException if the logout operation fails * @throws LoginException if the logout operation fails
* @throws SecurityException if the does not pass a security check for
* <code>SecurityPermission("authProvider.<i>name</i>")</code>,
* where <i>name</i> is the value returned by
* this provider's <code>getName</code> method
*/ */
public void logout() throws LoginException { public void logout() throws LoginException {
if (!isConfigured()) { if (!isConfigured()) {
throw new IllegalStateException("Configuration is required"); throw new IllegalStateException("Configuration is required");
} }
// security check
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission
(new SecurityPermission("authProvider." + this.getName()));
}
if (!hasValidToken()) { if (!hasValidToken()) {
// app may call logout for cleanup, allow // app may call logout for cleanup, allow
return; return;
@ -1844,11 +1796,6 @@ public final class SunPKCS11 extends AuthProvider {
* *
* @throws IllegalStateException if the provider requires configuration * @throws IllegalStateException if the provider requires configuration
* and Provider.configure has not been called * and Provider.configure has not been called
* @throws SecurityException if the caller does not pass a
* security check for
* <code>SecurityPermission("authProvider.<i>name</i>")</code>,
* where <i>name</i> is the value returned by
* this provider's <code>getName</code> method
*/ */
public void setCallbackHandler(CallbackHandler handler) { public void setCallbackHandler(CallbackHandler handler) {
@ -1856,14 +1803,6 @@ public final class SunPKCS11 extends AuthProvider {
throw new IllegalStateException("Configuration is required"); throw new IllegalStateException("Configuration is required");
} }
// security check
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission
(new SecurityPermission("authProvider." + this.getName()));
}
synchronized (LOCK_HANDLER) { synchronized (LOCK_HANDLER) {
pHandler = handler; pHandler = handler;
} }
@ -1887,22 +1826,14 @@ public final class SunPKCS11 extends AuthProvider {
return pHandler; return pHandler;
} }
try {
if (debug != null) { if (debug != null) {
debug.println("getting default callback handler"); debug.println("getting default callback handler");
} }
@SuppressWarnings("removal") String defaultHandler = Security.getProperty
CallbackHandler myHandler = AccessController.doPrivileged
(new PrivilegedExceptionAction<CallbackHandler>() {
public CallbackHandler run() throws Exception {
String defaultHandler =
java.security.Security.getProperty
("auth.login.defaultCallbackHandler"); ("auth.login.defaultCallbackHandler");
if (defaultHandler == null || if (defaultHandler == null || defaultHandler.length() == 0) {
defaultHandler.length() == 0) {
// ok // ok
if (debug != null) { if (debug != null) {
@ -1911,11 +1842,12 @@ public final class SunPKCS11 extends AuthProvider {
return null; return null;
} }
try {
Class<?> c = Class.forName Class<?> c = Class.forName
(defaultHandler, (defaultHandler,
true, true,
Thread.currentThread().getContextClassLoader()); Thread.currentThread().getContextClassLoader());
if (!javax.security.auth.callback.CallbackHandler.class.isAssignableFrom(c)) { if (!CallbackHandler.class.isAssignableFrom(c)) {
// not the right subtype // not the right subtype
if (debug != null) { if (debug != null) {
debug.println("default handler " + defaultHandler + debug.println("default handler " + defaultHandler +
@ -1925,23 +1857,21 @@ public final class SunPKCS11 extends AuthProvider {
} }
@SuppressWarnings("deprecation") @SuppressWarnings("deprecation")
Object result = c.newInstance(); Object result = c.newInstance();
return (CallbackHandler)result; CallbackHandler myHandler = (CallbackHandler)result;
}
});
// save it // save it
pHandler = myHandler; pHandler = myHandler;
return myHandler; return myHandler;
} catch (PrivilegedActionException pae) { } catch (ReflectiveOperationException roe) {
// ok // ok
if (debug != null) { if (debug != null) {
debug.println("Unable to load default callback handler"); debug.println("Unable to load default callback handler");
pae.printStackTrace(); roe.printStackTrace();
}
} }
} }
return null; return null;
} }
}
private Object writeReplace() throws ObjectStreamException { private Object writeReplace() throws ObjectStreamException {
return new SunPKCS11Rep(this); return new SunPKCS11Rep(this);
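Review bot: In the getDefaultHandler hunks, `c.newInstance()` now runs without the doPrivileged wrapper, so a checked exception thrown by the handler's no-arg constructor is no longer wrapped in PrivilegedActionException. Class.newInstance rethrows it unchanged, and unless it happens to be a ReflectiveOperationException it escapes the new catch instead of reaching `return null`. The class name is read from the `auth.login.defaultCallbackHandler` security property, so the handler class is configuration-supplied rather than fixed. Consider `CallbackHandler myHandler = (CallbackHandler) c.getDeclaredConstructor().newInstance();`, which reports constructor failures as InvocationTargetException (caught by the existing clause) and makes the `@SuppressWarnings("deprecation")` unnecessary. That form would also turn unchecked constructor exceptions into the null return, so confirm that is acceptable; the method starts outside the hunk.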


@ -51,9 +51,6 @@ import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.util.*; import java.util.*;
import java.security.AccessController;
import java.security.PrivilegedAction;
import sun.security.util.Debug; import sun.security.util.Debug;
import sun.security.pkcs11.P11Util; import sun.security.pkcs11.P11Util;
@ -80,16 +77,12 @@ public class PKCS11 {
private static final String PKCS11_WRAPPER = "j2pkcs11"; private static final String PKCS11_WRAPPER = "j2pkcs11";
static { static {
// cannot use LoadLibraryAction because that would make the native loadAndInitializeLibrary();
// library available to the bootclassloader, but we run in the
// extension classloader.
@SuppressWarnings({"removal", "restricted"})
var dummy = AccessController.doPrivileged(new PrivilegedAction<Object>() {
public Object run() {
System.loadLibrary(PKCS11_WRAPPER);
return null;
} }
});
@SuppressWarnings("restricted")
private static void loadAndInitializeLibrary() {
System.loadLibrary(PKCS11_WRAPPER);
boolean enableDebug = Debug.getInstance("sunpkcs11") != null; boolean enableDebug = Debug.getInstance("sunpkcs11") != null;
initializeLibrary(enableDebug); initializeLibrary(enableDebug);
} }
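Review bot: The new loadAndInitializeLibrary helper has no comment, and the explanation that used to sit above the native load was removed along with doPrivileged. As a result nothing says why `restricted` is suppressed or that the helper is meant to run only from the static initializer. A one-line header would keep that context, for example `// Loads the j2pkcs11 native wrapper and initializes it once at class-init time; System.loadLibrary is a restricted method, hence the suppression.` This is a documentation suggestion only.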