stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8061842: Package jurisdiction policy files as something other than JAR

Browse Source 
Reviewed-by: xuelei, weijun, mullan
This commit is contained in:
Bradford Wetmore 2016-08-26 13:44:20 -07:00
parent f894a28859
commit 9cda798a33
16 changed files with 374 additions and 225 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
jdk/make/gendata/Gendata-java.base.gmk
View File

@ -34,7 +34,7 @@ include GendataTZDB.gmk
include GendataBlacklistedCerts.gmk
include GendataPolicyJars.gmk
include GendataCryptoPolicy.gmk
################################################################################
@ -64,13 +64,19 @@ TARGETS += $(GENDATA_CURDATA)
GENDATA_JAVA_SECURITY_SRC := $(JDK_TOPDIR)/src/java.base/share/conf/security/java.security
GENDATA_JAVA_SECURITY := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/java.security
ifeq ($(UNLIMITED_CRYPTO), true)
CRYPTO.POLICY := unlimited
else
CRYPTO.POLICY := limited
endif
# RESTRICTED_PKGS_SRC is optionally set in custom extension for this makefile
$(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS) $(GENDATA_JAVA_SECURITY_SRC) $(RESTRICTED_PKGS_SRC)
$(call LogInfo, Generating java.security)
$(call MakeDir, $(@D))
$(TOOL_MAKEJAVASECURITY) $(GENDATA_JAVA_SECURITY_SRC) $@ $(OPENJDK_TARGET_OS) \
$(OPENJDK_TARGET_CPU_ARCH) $(RESTRICTED_PKGS_SRC)
$(OPENJDK_TARGET_CPU_ARCH) $(CRYPTO.POLICY) $(RESTRICTED_PKGS_SRC)
TARGETS += $(GENDATA_JAVA_SECURITY)

72
jdk/make/gendata/GendataCryptoPolicy.gmk Normal file
View File

@ -0,0 +1,72 @@
#
# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Oracle designates this
# particular file as subject to the "Classpath" exception as provided
# by Oracle in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
#
# In pre-JDK9 releases, Oracle JDK has had a separately downloadable set
# of policy files which has been a nightmare for deployment.
#
# We now create 2 complete initial sets of policy files and package into
# 2 different directories. The crypto.policy Security property will select
# the active policy.
#
# It will be up to the user/deployer to make an informed choice
# as to whether they are legally entitled to use the unlimited policy
# file in their environment. The $(UNLIMITED_CRYPTO) make variable
# determines the default directory/policy.
#
default: all
include $(SPEC)
include MakeBase.gmk
################################################################################
POLICY_DIR := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/policy
LIMITED_POLICY_DIR := $(POLICY_DIR)/limited
UNLIMITED_POLICY_DIR := $(POLICY_DIR)/unlimited
POLICY_SRC_DIR := $(JDK_TOPDIR)/src/java.base/share/conf/security/policy
LIMITED_POLICY_SRC_DIR := $(POLICY_SRC_DIR)/limited
UNLIMITED_POLICY_SRC_DIR := $(POLICY_SRC_DIR)/unlimited
$(POLICY_DIR)/README.txt: $(POLICY_SRC_DIR)/README.txt
$(install-file)
$(LIMITED_POLICY_DIR)/%: $(LIMITED_POLICY_SRC_DIR)/%
$(install-file)
$(UNLIMITED_POLICY_DIR)/%: $(UNLIMITED_POLICY_SRC_DIR)/%
$(install-file)
TARGETS += \
$(POLICY_DIR)/README.txt \
$(LIMITED_POLICY_DIR)/default_US_export.policy \
$(LIMITED_POLICY_DIR)/default_local.policy \
$(LIMITED_POLICY_DIR)/exempt_local.policy \
$(UNLIMITED_POLICY_DIR)/default_US_export.policy \
$(UNLIMITED_POLICY_DIR)/default_local.policy \
################################################################################

150
jdk/make/gendata/GendataPolicyJars.gmk
View File

@ -1,150 +0,0 @@
#
# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Oracle designates this
# particular file as subject to the "Classpath" exception as provided
# by Oracle in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
default: all
include $(SPEC)
include MakeBase.gmk
include JarArchive.gmk
################################################################################
US_EXPORT_POLICY_JAR_DST := \
$(SUPPORT_OUTPUTDIR)/modules_libs/java.base/security/US_export_policy.jar
US_EXPORT_POLICY_JAR_LIMITED := \
$(SUPPORT_OUTPUTDIR)/jce/policy/limited/US_export_policy.jar
US_EXPORT_POLICY_JAR_UNLIMITED := \
$(SUPPORT_OUTPUTDIR)/jce/policy/unlimited/US_export_policy.jar
#
# TODO fix so that SetupJarArchive does not write files into SRCS
# then we don't need this extra copying
#
# NOTE: We currently do not place restrictions on our limited export
# policy. This was not a typo. This means we are shipping the same file
# for both limited and unlimited US_export_policy.jar. Only the local
# policy file currently has restrictions.
#
US_EXPORT_POLICY_JAR_SRC_DIR := \
$(JDK_TOPDIR)/make/data/cryptopolicy/unlimited
US_EXPORT_POLICY_JAR_TMP := \
$(SUPPORT_OUTPUTDIR)/jce/policy/unlimited/US_export_policy_jar.tmp
$(US_EXPORT_POLICY_JAR_TMP)/%: $(US_EXPORT_POLICY_JAR_SRC_DIR)/%
$(install-file)
US_EXPORT_POLICY_JAR_DEPS := \
$(US_EXPORT_POLICY_JAR_TMP)/default_US_export.policy
$(eval $(call SetupJarArchive, BUILD_US_EXPORT_POLICY_JAR, \
DEPENDENCIES := $(US_EXPORT_POLICY_JAR_DEPS), \
SRCS := $(US_EXPORT_POLICY_JAR_TMP), \
SUFFIXES := .policy, \
JAR := $(US_EXPORT_POLICY_JAR_UNLIMITED), \
EXTRA_MANIFEST_ATTR := Crypto-Strength: unlimited, \
SKIP_METAINF := true, \
))
$(US_EXPORT_POLICY_JAR_LIMITED): \
$(US_EXPORT_POLICY_JAR_UNLIMITED)
$(call LogInfo, Copying unlimited $(patsubst $(OUTPUT_ROOT)/%,%,$@))
$(install-file)
TARGETS += $(US_EXPORT_POLICY_JAR_LIMITED) $(US_EXPORT_POLICY_JAR_UNLIMITED)
ifeq ($(UNLIMITED_CRYPTO), true)
$(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_UNLIMITED)
$(install-file)
else
$(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_LIMITED)
$(install-file)
endif
POLICY_JARS += $(US_EXPORT_POLICY_JAR_DST)
################################################################################
LOCAL_POLICY_JAR_DST := \
$(SUPPORT_OUTPUTDIR)/modules_libs/java.base/security/local_policy.jar
LOCAL_POLICY_JAR_LIMITED := \
$(SUPPORT_OUTPUTDIR)/jce/policy/limited/local_policy.jar
LOCAL_POLICY_JAR_UNLIMITED := \
$(SUPPORT_OUTPUTDIR)/jce/policy/unlimited/local_policy.jar
#
# TODO fix so that SetupJarArchive does not write files into SRCS
# then we don't need this extra copying
#
LOCAL_POLICY_JAR_LIMITED_TMP := \
$(SUPPORT_OUTPUTDIR)/jce/policy/limited/local_policy_jar.tmp
LOCAL_POLICY_JAR_UNLIMITED_TMP := \
$(SUPPORT_OUTPUTDIR)/jce/policy/unlimited/local_policy_jar.tmp
$(LOCAL_POLICY_JAR_LIMITED_TMP)/%: \
$(JDK_TOPDIR)/make/data/cryptopolicy/limited/%
$(install-file)
$(LOCAL_POLICY_JAR_UNLIMITED_TMP)/%: \
$(JDK_TOPDIR)/make/data/cryptopolicy/unlimited/%
$(install-file)
$(eval $(call SetupJarArchive, BUILD_LOCAL_POLICY_JAR_LIMITED, \
DEPENDENCIES := $(LOCAL_POLICY_JAR_LIMITED_TMP)/exempt_local.policy \
$(LOCAL_POLICY_JAR_LIMITED_TMP)/default_local.policy, \
SRCS := $(LOCAL_POLICY_JAR_LIMITED_TMP), \
SUFFIXES := .policy, \
JAR := $(LOCAL_POLICY_JAR_LIMITED), \
EXTRA_MANIFEST_ATTR := Crypto-Strength: limited, \
SKIP_METAINF := true, \
))
$(eval $(call SetupJarArchive, BUILD_LOCAL_POLICY_JAR_UNLIMITED, \
DEPENDENCIES := $(LOCAL_POLICY_JAR_UNLIMITED_TMP)/default_local.policy, \
SRCS := $(LOCAL_POLICY_JAR_UNLIMITED_TMP), \
SUFFIXES := .policy, \
JAR := $(LOCAL_POLICY_JAR_UNLIMITED), \
EXTRA_MANIFEST_ATTR := Crypto-Strength: unlimited, \
SKIP_METAINF := true, \
))
TARGETS += $(LOCAL_POLICY_JAR_LIMITED) $(LOCAL_POLICY_JAR_UNLIMITED)
ifeq ($(UNLIMITED_CRYPTO), true)
$(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_UNLIMITED)
$(install-file)
else
$(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_LIMITED)
$(install-file)
endif
POLICY_JARS += $(LOCAL_POLICY_JAR_DST)
TARGETS += $(POLICY_JARS)
################################################################################
$(eval $(call IncludeCustomExtension, jdk, gendata/GendataPolicyJars.gmk))

22
jdk/make/src/classes/build/tools/makejavasecurity/MakeJavaSecurity.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -35,7 +35,8 @@ import java.util.*;
*
* 1. Adds additional packages to the package.access and
* package.definition security properties.
* 2. Filter out platform-unrelated parts
* 2. Filter out platform-unrelated parts.
* 3. Set the JCE jurisdiction policy directory.
*
* In order to easily maintain platform-related entries, every item
* (including the last line) in package.access and package.definition
@ -50,12 +51,13 @@ public class MakeJavaSecurity {
public static void main(String[] args) throws Exception {
if (args.length < 4) {
if (args.length < 5) {
System.err.println("Usage: java MakeJavaSecurity " +
"[input java.security file name] " +
"[output java.security file name] " +
"[openjdk target os] " +
"[openjdk target cpu architecture]" +
"[JCE jurisdiction policy directory]" +
"[more restricted packages file name?]");
System.exit(1);
@ -63,8 +65,8 @@ public class MakeJavaSecurity {
// more restricted packages
List<String> extraLines;
if (args.length == 5) {
extraLines = Files.readAllLines(Paths.get(args[4]));
if (args.length == 6) {
extraLines = Files.readAllLines(Paths.get(args[5]));
} else {
extraLines = Collections.emptyList();
}
@ -135,6 +137,16 @@ public class MakeJavaSecurity {
}
}
// Set the JCE policy value
for (int i = 0; i < lines.size(); i++) {
String line = lines.get(i);
int index = line.indexOf("crypto.policydir-tbd");
if (index >= 0) {
String prefix = line.substring(0, index);
lines.set(i, prefix + args[4]);
}
}
// Clean up the last line of PKG_ACC and PKG_DEF blocks.
// Not really necessary since a blank line follows.
boolean inBlock = false;

138
jdk/src/java.base/share/classes/javax/crypto/JceSecurity.java
View File

@ -29,6 +29,7 @@ import java.util.*;
import java.util.jar.*;
import java.io.*;
import java.net.URL;
import java.nio.file.*;
import java.security.*;
import java.security.Provider.Service;
@ -206,7 +207,7 @@ final class JceSecurity {
static {
try {
NULL_URL = new URL("http://null.sun.com/");
NULL_URL = new URL("http://null.oracle.com/");
} catch (Exception e) {
throw new RuntimeException(e);
}
@ -243,83 +244,94 @@ final class JceSecurity {
}
}
// This is called from within an doPrivileged block.
private static void setupJurisdictionPolicies() throws Exception {
String javaHomeDir = System.getProperty("java.home");
String sep = File.separator;
String pathToPolicyJar = javaHomeDir + sep + "lib" + sep +
"security" + sep;
File exportJar = new File(pathToPolicyJar, "US_export_policy.jar");
File importJar = new File(pathToPolicyJar, "local_policy.jar");
// Sanity check the crypto.policy Security property. Single
// directory entry, no pseudo-directories (".", "..", leading/trailing
// path separators). normalize()/getParent() will help later.
String cryptoPolicyProperty = Security.getProperty("crypto.policy");
Path cpPath = Paths.get(cryptoPolicyProperty);
if (!exportJar.exists() || !importJar.exists()) {
throw new SecurityException
("Cannot locate policy or framework files!");
if ((cryptoPolicyProperty == null) ||
(cpPath.getNameCount() != 1) ||
(cpPath.compareTo(cpPath.getFileName()) != 0)) {
throw new SecurityException(
"Invalid policy directory name format: " +
cryptoPolicyProperty);
}
// Read jurisdiction policies.
CryptoPermissions defaultExport = new CryptoPermissions();
CryptoPermissions exemptExport = new CryptoPermissions();
loadPolicies(exportJar, defaultExport, exemptExport);
// Prepend java.home to get the full path. normalize() in
// case an extra "." or ".." snuck in somehow.
String javaHomeProperty = System.getProperty("java.home");
Path javaHomePolicyPath = Paths.get(javaHomeProperty, "conf",
"security", "policy").normalize();
Path cryptoPolicyPath = Paths.get(javaHomeProperty, "conf", "security",
"policy", cryptoPolicyProperty).normalize();
CryptoPermissions defaultImport = new CryptoPermissions();
CryptoPermissions exemptImport = new CryptoPermissions();
loadPolicies(importJar, defaultImport, exemptImport);
// Merge the export and import policies for default applications.
if (defaultExport.isEmpty() || defaultImport.isEmpty()) {
throw new SecurityException("Missing mandatory jurisdiction " +
"policy files");
if (cryptoPolicyPath.getParent().compareTo(javaHomePolicyPath) != 0) {
throw new SecurityException(
"Invalid cryptographic jurisdiction policy directory path: " +
cryptoPolicyProperty);
}
defaultPolicy = defaultExport.getMinimum(defaultImport);
// Merge the export and import policies for exempt applications.
if (exemptExport.isEmpty()) {
exemptPolicy = exemptImport.isEmpty() ? null : exemptImport;
} else {
exemptPolicy = exemptExport.getMinimum(exemptImport);
if (!Files.isDirectory(cryptoPolicyPath)
|| !Files.isReadable(cryptoPolicyPath)) {
throw new SecurityException(
"Can't read cryptographic policy directory: " +
cryptoPolicyProperty);
}
}
/**
* Load the policies from the specified file. Also checks that the
* policies are correctly signed.
*/
private static void loadPolicies(File jarPathName,
CryptoPermissions defaultPolicy,
CryptoPermissions exemptPolicy)
throws Exception {
try (DirectoryStream<Path> stream = Files.newDirectoryStream(
cryptoPolicyPath, "{default,exempt}_*.policy")) {
for (Path entry : stream) {
try (InputStream is = new BufferedInputStream(
Files.newInputStream(entry))) {
String filename = entry.getFileName().toString();
JarFile jf = new JarFile(jarPathName);
CryptoPermissions tmpPerms = new CryptoPermissions();
tmpPerms.load(is);
Enumeration<JarEntry> entries = jf.entries();
while (entries.hasMoreElements()) {
JarEntry je = entries.nextElement();
InputStream is = null;
try {
if (je.getName().startsWith("default_")) {
is = jf.getInputStream(je);
defaultPolicy.load(is);
} else if (je.getName().startsWith("exempt_")) {
is = jf.getInputStream(je);
exemptPolicy.load(is);
} else {
continue;
}
} finally {
if (is != null) {
is.close();
if (filename.startsWith("default_")) {
// Did we find a default perms?
defaultPolicy = ((defaultPolicy == null) ? tmpPerms :
defaultPolicy.getMinimum(tmpPerms));
} else if (filename.startsWith("exempt_")) {
// Did we find a exempt perms?
exemptPolicy = ((exemptPolicy == null) ? tmpPerms :
exemptPolicy.getMinimum(tmpPerms));
} else {
// This should never happen. newDirectoryStream
// should only throw return "{default,exempt}_*.policy"
throw new SecurityException(
"Unexpected jurisdiction policy files in : " +
cryptoPolicyProperty);
}
} catch (Exception e) {
throw new SecurityException(
"Couldn't parse jurisdiction policy files in: " +
cryptoPolicyProperty);
}
}
// Enforce the signer restraint, i.e. signer of JCE framework
// jar should also be the signer of the two jurisdiction policy
// jar files.
ProviderVerifier.verifyPolicySigned(je.getCertificates());
} catch (DirectoryIteratorException ex) {
// I/O error encountered during the iteration,
// the cause is an IOException
throw new SecurityException(
"Couldn't iterate through the jurisdiction policy files: " +
cryptoPolicyProperty);
}
// Must have a default policy
if ((defaultPolicy == null) || defaultPolicy.isEmpty()) {
throw new SecurityException(
"Missing mandatory jurisdiction policy files: " +
cryptoPolicyProperty);
}
// If there was an empty exempt policy file, ignore it.
if ((exemptPolicy != null) && exemptPolicy.isEmpty()) {
exemptPolicy = null;
}
// Close and nullify the JarFile reference to help GC.
jf.close();
jf = null;
}
static CryptoPermissions getDefaultPolicy() {

50
jdk/src/java.base/share/conf/security/java.security
View File

@ -804,6 +804,56 @@ jdk.tls.legacyAlgorithms= \
# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
# FFFFFFFF FFFFFFFF, 2}
# Cryptographic Jurisdiction Policy defaults
#
# Due to the import control restrictions of some countries, the default
# JCE policy files allow for strong but "limited" cryptographic key
# lengths to be used. If your country's cryptographic regulations allow,
# the "unlimited" strength policy files can be used instead, which contain
# no restrictions on cryptographic strengths.
#
# If your country has restrictions that don't fit either "limited" or
# "unlimited", an appropriate set of policy files should be created and
# configured before using this distribution. The jurisdiction policy file
# configuration must reflect the cryptographic restrictions appropriate
# for your country.
#
# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
# TO DETERMINE THE EXACT REQUIREMENTS.
#
# The policy files are flat text files organized into subdirectories of
# <java-home>/conf/security/policy. Each directory contains a complete
# set of policy files.
#
# The "crypto.policy" Security property controls the directory selection,
# and thus the effective cryptographic policy.
#
# The default set of directories is:
#
# limited | unlimited
#
# however other directories can be created and configured.
#
# Within a directory, the effective policy is the combined minimum
# permissions of the grant statements in the file(s) with the filename
# pattern "default_*.policy". At least one grant is required. For
# example:
#
# limited = Export (all) + Import (limited) = Limited
# unlimited = Export (all) + Import (all) = Unlimited
#
# The effective exemption policy is the combined minimum permissions
# of the grant statements in the file(s) with the filename pattern
# "exempt_*.policy". Exemption grants are optional.
#
# limited = grants exemption permissions, by which the
# effective policy can be circumvented.
# e.g. KeyRecovery/Escrow/Weakening.
#
# Please see the JCA documentation for additional information on these
# files and formats.
crypto.policy=crypto.policydir-tbd
#
# The policy for the XML Signature secure validation mode. The mode is
# enabled by setting the property "org.jcp.xml.dsig.secureValidation" to

35
jdk/src/java.base/share/conf/security/policy/README.txt Normal file
View File

@ -0,0 +1,35 @@
Java(TM) Cryptography Extension Policy Files
for the Java(TM) Platform, Standard Edition Runtime Environment
README
------------------------------------------------------------------------
The JCE architecture allows flexible cryptographic strength to be
configured via the jurisdiction policy files contained within these
directories.
Due to import control restrictions of some countries, the default
JCE policy files bundled in this Java Runtime Environment allow
for strong but "limited" cryptographic strengths. For convenience,
this build also contains the "unlimited strength" policy files which
contain no restrictions on cryptographic strengths, but they must be
specifically activated by updating the "crypto.policy" Security property
(e.g. <java-home>/conf/security/java.security) to point to the appropriate
directory.
Each subdirectory contains a complete policy configuration, and additional
subdirectories can be added/removed to reflect local regulations.
JCE for Java SE has been through the U.S. export review process. The JCE
framework, along with the various JCE providers that come standard with it
(SunJCE, SunEC, SunPKCS11, SunMSCAPI, etc), is exportable from the
United States.
You are advised to consult your export/import control counsel or attorney
to determine the exact requirements of your location, and what policy
settings should be used.
Please see The Java(TM) Cryptography Architecture (JCA) Reference
Guide and the java.security file for more information.

3
jdk/make/data/cryptopolicy/unlimited/default_US_export.policy → jdk/src/java.base/share/conf/security/policy/limited/default_US_export.policy
View File

@ -1,4 +1,5 @@
// Manufacturing policy file.
// Default US Export policy file.
grant {
// There is no restriction to any algorithms.
permission javax.crypto.CryptoAllPermission;

0
jdk/make/data/cryptopolicy/limited/default_local.policy → jdk/src/java.base/share/conf/security/policy/limited/default_local.policy
View File

4
jdk/make/data/cryptopolicy/limited/exempt_local.policy → jdk/src/java.base/share/conf/security/policy/limited/exempt_local.policy
View File

@ -1,5 +1,5 @@
// Some countries have import limits on crypto strength. So this file
// will be useful.
// Some countries have import limits on crypto strength, but may allow for
// these exemptions if the exemption mechanism is used.
grant {
// There is no restriction to any algorithms if KeyRecovery is enforced.

6
jdk/src/java.base/share/conf/security/policy/unlimited/default_US_export.policy Normal file
View File

@ -0,0 +1,6 @@
// Default US Export policy file.
grant {
// There is no restriction to any algorithms.
permission javax.crypto.CryptoAllPermission;
};

1
jdk/make/data/cryptopolicy/unlimited/default_local.policy → jdk/src/java.base/share/conf/security/policy/unlimited/default_local.policy
View File

@ -1,4 +1,5 @@
// Country-specific policy file for countries with no limits on crypto strength.
grant {
// There is no restriction to any algorithms.
permission javax.crypto.CryptoAllPermission;

96
jdk/test/javax/crypto/CryptoPermissions/TestUnlimited.java Normal file
View File

@ -0,0 +1,96 @@
/*
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* @test
* @bug 8061842
* @summary Package jurisdiction policy files as something other than JAR
* @run main/othervm TestUnlimited "" exception
* @run main/othervm TestUnlimited limited fail
* @run main/othervm TestUnlimited unlimited pass
* @run main/othervm TestUnlimited unlimited/ pass
* @run main/othervm TestUnlimited NosuchDir exception
* @run main/othervm TestUnlimited . exception
* @run main/othervm TestUnlimited /tmp/unlimited exception
* @run main/othervm TestUnlimited ../policy/unlimited exception
* @run main/othervm TestUnlimited ./unlimited exception
* @run main/othervm TestUnlimited /unlimited exception
*/
import javax.crypto.*;
import java.security.Security;
public class TestUnlimited {
public static void main(String[] args) throws Exception {
/*
* Override the Security property to allow for unlimited policy.
* Would need appropriate permissions if Security Manager were
* active.
*/
if (args.length != 2) {
throw new Exception("Two args required");
}
boolean expected = args[1].equals("pass");
boolean exception = args[1].equals("exception");
boolean result = false;
System.out.println("Testing: " + args[0]);
if (args[0].equals("\"\"")) {
Security.setProperty("crypto.policy", "");
} else {
Security.setProperty("crypto.policy", args[0]);
}
/*
* Use the AES as the test Cipher
* If there is an error initializing, we will never get past here.
*/
try {
int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
System.out.println("max AES key len:" + maxKeyLen);
if (maxKeyLen > 128) {
System.out.println("Unlimited policy is active");
result = true;
} else {
System.out.println("Unlimited policy is NOT active");
result = false;
}
} catch (Throwable e) {
if (!exception) {
throw new Exception();
}
}
System.out.println(
"Expected:\t" + expected + "\nResult:\t\t" + result);
if (expected != result) {
throw new Exception();
}
System.out.println("DONE!");
}
}

1
jdk/test/jdk/security/JavaDotSecurity/final_java_security
View File

@ -10,6 +10,7 @@ foo.5=8
foo.6=9a
foo.7=10
foo.8=12
crypto.policy=somepolicy
package.access=sun.,\
solaris.,\

10
jdk/test/jdk/security/JavaDotSecurity/ifdefs.sh
View File

@ -46,7 +46,13 @@ if [ ! -f $TOOLSRC ]; then
fi
$JAVAC -d . $TOOLSRC
$JAVA $TOOLNAME $TESTSRC/raw_java_security outfile solaris sparc $TESTSRC/more_restricted
$JAVA $TOOLNAME \
$TESTSRC/raw_java_security \
outfile \
solaris \
sparc \
somepolicy \
$TESTSRC/more_restricted
# On Windows, line end could be different. -b is a cross-platform option.
diff -b outfile $TESTSRC/final_java_security
diff -b outfile $TESTSRC/final_java_security

1
jdk/test/jdk/security/JavaDotSecurity/raw_java_security
View File

@ -44,6 +44,7 @@ foo.tbd=11
#ifndef macosx-x64
foo.tbd=12
#endif
crypto.policy=crypto.policydir-tbd
package.access=sun.,\
#ifdef solaris