stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8168313: Tighten permissions granted to jdk.crypto.pkcs11 module

Browse Source 
Reviewed-by: ascarpino
This commit is contained in:
Sean Mullan 2016-10-21 09:02:57 -04:00
parent cd99155eb8
commit ad82a519a8
4 changed files with 24 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
jdk/src/java.base/share/classes/module-info.java
View File

@ -240,8 +240,7 @@ module java.base {
java.xml.ws; java.xml.ws;
exports sun.security.action to exports sun.security.action to
java.desktop, java.desktop,
java.security.jgss, java.security.jgss;
jdk.crypto.pkcs11;
exports sun.security.internal.interfaces to exports sun.security.internal.interfaces to
jdk.crypto.pkcs11; jdk.crypto.pkcs11;
exports sun.security.internal.spec to exports sun.security.internal.spec to

6
jdk/src/java.base/share/lib/security/default.policy
View File

@ -111,11 +111,11 @@ grant codeBase "jrt:/jdk.crypto.ec" {
grant codeBase "jrt:/jdk.crypto.pkcs11" { grant codeBase "jrt:/jdk.crypto.pkcs11" {
permission java.lang.RuntimePermission permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*"; "accessClassInPackage.sun.security.*";
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
permission java.lang.RuntimePermission "loadLibrary.j2pkcs11"; permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
// needs "security.pkcs11.allowSingleThreadedModules" permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read";
permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.security.SecurityPermission "putProviderProperty.*"; permission java.security.SecurityPermission "putProviderProperty.*";
permission java.security.SecurityPermission "clearProviderProperties.*"; permission java.security.SecurityPermission "clearProviderProperties.*";
permission java.security.SecurityPermission "removeProviderProperty.*"; permission java.security.SecurityPermission "removeProviderProperty.*";

26
jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/Config.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -32,7 +32,6 @@ import java.util.*;
import java.security.*; import java.security.*;
import sun.security.action.GetPropertyAction;
import sun.security.util.PropertyExpander; import sun.security.util.PropertyExpander;
import sun.security.pkcs11.wrapper.*; import sun.security.pkcs11.wrapper.*;
@ -58,15 +57,30 @@ final class Config {
// will accept single threaded modules regardless of the setting in their // will accept single threaded modules regardless of the setting in their
// config files. // config files.
private static final boolean staticAllowSingleThreadedModules; private static final boolean staticAllowSingleThreadedModules;
private static final String osName;
private static final String osArch;
static { static {
String p = "sun.security.pkcs11.allowSingleThreadedModules"; List<String> props = AccessController.doPrivileged(
String s = AccessController.doPrivileged(new GetPropertyAction(p)); new PrivilegedAction<>() {
if ("false".equalsIgnoreCase(s)) { @Override
public List<String> run() {
return List.of(
System.getProperty(
"sun.security.pkcs11.allowSingleThreadedModules",
"true"),
System.getProperty("os.name"),
System.getProperty("os.arch"));
}
}
);
if ("false".equalsIgnoreCase(props.get(0))) {
staticAllowSingleThreadedModules = false; staticAllowSingleThreadedModules = false;
} else { } else {
staticAllowSingleThreadedModules = true; staticAllowSingleThreadedModules = true;
} }
osName = props.get(1);
osArch = props.get(2);
} }
private final static boolean DEBUG = false; private final static boolean DEBUG = false;
@ -650,8 +664,6 @@ final class Config {
// replace "/$ISA/" with "/sparcv9/" on 64-bit Solaris SPARC // replace "/$ISA/" with "/sparcv9/" on 64-bit Solaris SPARC
// and with "/amd64/" on Solaris AMD64. // and with "/amd64/" on Solaris AMD64.
// On all other platforms, just turn it into a "/" // On all other platforms, just turn it into a "/"
String osName = System.getProperty("os.name", "");
String osArch = System.getProperty("os.arch", "");
String prefix = lib.substring(0, i); String prefix = lib.substring(0, i);
String suffix = lib.substring(i + 5); String suffix = lib.substring(i + 5);
if (osName.equals("SunOS") && osArch.equals("sparcv9")) { if (osName.equals("SunOS") && osArch.equals("sparcv9")) {

2
jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/wrapper/Constants.java
View File

@ -58,7 +58,7 @@ package sun.security.pkcs11.wrapper;
*/ */
public class Constants { public class Constants {
public static final String NEWLINE = System.getProperty("line.separator"); public static final String NEWLINE = System.lineSeparator();
public static final String INDENT = " "; public static final String INDENT = " ";