stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8344366: Remove Security Manager dependencies from javax.net.ssl and sun.security.ssl packages

Browse Source 
Reviewed-by: coffeys, ascarpino, hchao
This commit is contained in:
Sean Mullan 2024-11-25 13:10:59 +00:00
parent 965aace297
commit ddc8a9d5da
26 changed files with 147 additions and 440 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java
View File

@ -227,11 +227,6 @@ public abstract class HttpsURLConnection extends HttpURLConnection {
"no default HostnameVerifier specified");
}
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SSLPermission("setHostnameVerifier"));
}
defaultHostnameVerifier = v;
}
@ -306,11 +301,6 @@ public abstract class HttpsURLConnection extends HttpURLConnection {
"no default SSLSocketFactory specified");
}
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkSetFactory();
}
defaultSSLSocketFactory = sf;
}
@ -353,11 +343,6 @@ public abstract class HttpsURLConnection extends HttpURLConnection {
"no SSLSocketFactory specified");
}
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkSetFactory();
}
sslSocketFactory = sf;
}

8
src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,7 +25,6 @@
package javax.net.ssl;
import java.security.Security;
import java.security.*;
import java.util.Objects;
@ -62,11 +61,8 @@ public class KeyManagerFactory {
* {@code ssl.KeyManagerFactory.algorithm} security property, or an
* implementation-specific default if no such property exists.
*/
@SuppressWarnings("removal")
public static final String getDefaultAlgorithm() {
String type;
type = AccessController.doPrivileged((PrivilegedAction<String>) () ->
Security.getProperty("ssl.KeyManagerFactory.algorithm"));
String type = Security.getProperty("ssl.KeyManagerFactory.algorithm");
if (type == null) {
type = "SunX509";
}

5
src/java.base/share/classes/javax/net/ssl/SSLContext.java
View File

@ -129,11 +129,6 @@ public class SSLContext {
if (context == null) {
throw new NullPointerException();
}
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SSLPermission("setDefaultSSLContext"));
}
defaultContext = context;
}

21
src/java.base/share/classes/javax/net/ssl/SSLSocketFactory.java
View File

@ -33,8 +33,6 @@ import java.io.InputStream;
import java.security.*;
import java.util.Locale;
import sun.security.action.GetPropertyAction;
/**
* <code>SSLSocketFactory</code>s create <code>SSLSocket</code>s.
*
@ -46,7 +44,7 @@ public abstract class SSLSocketFactory extends SocketFactory {
static final boolean DEBUG;
static {
String s = GetPropertyAction.privilegedGetProperty(
String s = System.getProperty(
"javax.net.debug", "").toLowerCase(Locale.ENGLISH);
DEBUG = s.contains("all") || s.contains("ssl");
}
@ -86,18 +84,15 @@ public abstract class SSLSocketFactory extends SocketFactory {
}
}
@SuppressWarnings("removal")
static String getSecurityProperty(final String name) {
return AccessController.doPrivileged((PrivilegedAction<String>) () -> {
String s = Security.getProperty(name);
if (s != null) {
s = s.trim();
if (s.isEmpty()) {
s = null;
}
String s = Security.getProperty(name);
if (s != null) {
s = s.trim();
if (s.isEmpty()) {
s = null;
}
return s;
});
}
return s;
}
/**

8
src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,7 +25,6 @@
package javax.net.ssl;
import java.security.Security;
import java.security.*;
import java.util.Objects;
@ -74,11 +73,8 @@ public class TrustManagerFactory {
* {@code ssl.TrustManagerFactory.algorithm} security property, or an
* implementation-specific default if no such property exists.
*/
@SuppressWarnings("removal")
public static final String getDefaultAlgorithm() {
String type;
type = AccessController.doPrivileged((PrivilegedAction<String>) () ->
Security.getProperty( "ssl.TrustManagerFactory.algorithm"));
String type = Security.getProperty("ssl.TrustManagerFactory.algorithm");
if (type == null) {
type = "SunX509";
}

53
src/java.base/share/classes/sun/security/action/OpenFileInputStreamAction.java
View File

@ -1,53 +0,0 @@
/*
* Copyright (c) 2002, 2004, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.action;
import java.io.*;
import java.security.PrivilegedExceptionAction;
/**
* A convenience class for opening a FileInputStream as a privileged action.
*
* @author Andreas Sterbenz
*/
public class OpenFileInputStreamAction
implements PrivilegedExceptionAction<FileInputStream> {
private final File file;
public OpenFileInputStreamAction(File file) {
this.file = file;
}
public OpenFileInputStreamAction(String filename) {
this.file = new File(filename);
}
public FileInputStream run() throws Exception {
return new FileInputStream(file);
}
}

9
src/java.base/share/classes/sun/security/ssl/AlpnExtension.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -28,8 +28,6 @@ package sun.security.ssl;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.Security;
import java.util.*;
import javax.net.ssl.SSLEngine;
@ -63,10 +61,7 @@ final class AlpnExtension {
static final Charset alpnCharset;
static {
@SuppressWarnings("removal")
String alpnCharsetString = AccessController.doPrivileged(
(PrivilegedAction<String>) ()
-> Security.getProperty("jdk.tls.alpnCharset"));
String alpnCharsetString = Security.getProperty("jdk.tls.alpnCharset");
if ((alpnCharsetString == null)
|| (alpnCharsetString.length() == 0)) {
alpnCharsetString = "ISO_8859_1";

6
src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -40,7 +40,6 @@ import java.security.spec.InvalidKeySpecException;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;
import sun.security.action.GetPropertyAction;
import sun.security.ssl.NamedGroup.NamedGroupSpec;
import sun.security.ssl.X509Authentication.X509Possession;
import sun.security.util.KeyUtil;
@ -261,8 +260,7 @@ final class DHKeyExchange {
private final boolean exportable;
static {
String property = GetPropertyAction.privilegedGetProperty(
"jdk.tls.ephemeralDHKeySize");
String property = System.getProperty("jdk.tls.ephemeralDHKeySize");
if (property == null || property.isEmpty()) {
useLegacyEphemeralDHKeys = false;
useSmartEphemeralDHKeys = false;

6
src/java.base/share/classes/sun/security/ssl/NamedGroup.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2019, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -39,7 +39,6 @@ import javax.crypto.KeyAgreement;
import javax.crypto.spec.DHParameterSpec;
import sun.security.ssl.ECDHKeyExchange.ECDHEPossession;
import sun.security.util.CurveDB;
import sun.security.action.GetPropertyAction;
/**
* An enum containing all known named groups for use in TLS.
@ -752,8 +751,7 @@ enum NamedGroup {
//
// If the System Property is not defined or the value is empty, the
// default groups and preferences will be used.
String property = GetPropertyAction
.privilegedGetProperty("jdk.tls.namedGroups");
String property = System.getProperty("jdk.tls.namedGroups");
if (property != null && !property.isEmpty()) {
// remove double quote marks from beginning/end of the property
if (property.length() > 1 && property.charAt(0) == '"' &&

10
src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2017, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -230,13 +230,7 @@ final class PredefinedDHParameterSpecs {
static final Map<Integer, DHParameterSpec> ffdheParams;
static {
@SuppressWarnings("removal")
String property = AccessController.doPrivileged(
new PrivilegedAction<String>() {
public String run() {
return Security.getProperty(PROPERTY_NAME);
}
});
String property = Security.getProperty(PROPERTY_NAME);
if (property != null && !property.isEmpty()) {
// remove double quote marks from beginning/end of the property

11
src/java.base/share/classes/sun/security/ssl/SSLCipher.java
View File

@ -36,13 +36,11 @@ import javax.crypto.ShortBufferException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import java.nio.ByteBuffer;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.security.Security;
import java.security.spec.AlgorithmParameterSpec;
@ -380,14 +378,7 @@ enum SSLCipher {
static {
final long max = 4611686018427387904L; // 2^62
@SuppressWarnings("removal")
String prop = AccessController.doPrivileged(
new PrivilegedAction<String>() {
@Override
public String run() {
return Security.getProperty("jdk.tls.keyLimits");
}
});
String prop = Security.getProperty("jdk.tls.keyLimits");
if (prop != null) {
String[] propvalue = prop.split(",");

31
src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java
View File

@ -25,8 +25,6 @@
package sun.security.ssl;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.AlgorithmConstraints;
import java.security.NoSuchAlgorithmException;
import java.util.*;
@ -38,8 +36,6 @@ import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import sun.security.action.GetIntegerAction;
import sun.security.action.GetPropertyAction;
import sun.security.ssl.SSLExtension.ClientExtensions;
import sun.security.ssl.SSLExtension.ServerExtensions;
@ -78,9 +74,7 @@ final class SSLConfiguration implements Cloneable {
BiFunction<SSLSocket, List<String>, String> socketAPSelector;
BiFunction<SSLEngine, List<String>, String> engineAPSelector;
@SuppressWarnings("removal")
HashMap<HandshakeCompletedListener, AccessControlContext>
handshakeListeners;
HashSet<HandshakeCompletedListener> handshakeListeners;
boolean noSniExtension;
boolean noSniMatcher;
@ -105,7 +99,7 @@ final class SSLConfiguration implements Cloneable {
"jdk.tls.acknowledgeCloseNotify", false);
// Set the max size limit for Handshake Message to 2^15
static final int maxHandshakeMessageSize = GetIntegerAction.privilegedGetProperty(
static final int maxHandshakeMessageSize = Integer.getInteger(
"jdk.tls.maxHandshakeMessageSize", 32768);
// Limit the certificate chain length accepted from clients
@ -147,7 +141,7 @@ final class SSLConfiguration implements Cloneable {
* jdk.tls.maxCertificateChainLength system property works for both
* server and client modes.
*/
Integer maxCertificateChainLength = GetIntegerAction.privilegedGetProperty(
Integer maxCertificateChainLength = Integer.getInteger(
"jdk.tls.maxCertificateChainLength");
if (maxCertificateChainLength != null && maxCertificateChainLength >= 0) {
globalPropSet = true;
@ -164,7 +158,7 @@ final class SSLConfiguration implements Cloneable {
* property is set and its value >= 0, it uses that value.
* - Otherwise it is set to a default value of 8.
*/
Integer inboundClientLen = GetIntegerAction.privilegedGetProperty(
Integer inboundClientLen = Integer.getInteger(
"jdk.tls.server.maxInboundCertificateChainLength");
// Default for jdk.tls.server.maxInboundCertificateChainLength is 8
@ -186,7 +180,7 @@ final class SSLConfiguration implements Cloneable {
* property is set and its value >= 0, it uses that value.
* - Otherwise it is set to a default value of 10.
*/
Integer inboundServerLen = GetIntegerAction.privilegedGetProperty(
Integer inboundServerLen = Integer.getInteger(
"jdk.tls.client.maxInboundCertificateChainLength");
// Default for jdk.tls.client.maxInboundCertificateChainLength is 10
@ -203,7 +197,7 @@ final class SSLConfiguration implements Cloneable {
* client. The value must be between 0 and 10. Default is defined by
* SERVER_NST_DEFAULT.
*/
Integer nstServerCount = GetIntegerAction.privilegedGetProperty(
Integer nstServerCount = Integer.getInteger(
"jdk.tls.server.newSessionTicketCount");
if (nstServerCount == null || nstServerCount < 0 ||
nstServerCount > 10) {
@ -384,15 +378,14 @@ final class SSLConfiguration implements Cloneable {
}
// SSLSocket only
@SuppressWarnings("removal")
void addHandshakeCompletedListener(
HandshakeCompletedListener listener) {
if (handshakeListeners == null) {
handshakeListeners = new HashMap<>(4);
handshakeListeners = new HashSet<>(4);
}
handshakeListeners.put(listener, AccessController.getContext());
handshakeListeners.add(listener);
}
// SSLSocket only
@ -403,7 +396,7 @@ final class SSLConfiguration implements Cloneable {
throw new IllegalArgumentException("no listeners");
}
if (handshakeListeners.remove(listener) == null) {
if (!handshakeListeners.remove(listener)) {
throw new IllegalArgumentException("listener not registered");
}
@ -532,14 +525,14 @@ final class SSLConfiguration implements Cloneable {
}
@Override
@SuppressWarnings({"removal","unchecked", "CloneDeclaresCloneNotSupported"})
@SuppressWarnings({"unchecked", "CloneDeclaresCloneNotSupported"})
public Object clone() {
// Note that only references to the configurations are copied.
try {
SSLConfiguration config = (SSLConfiguration)super.clone();
if (handshakeListeners != null) {
config.handshakeListeners =
(HashMap<HandshakeCompletedListener, AccessControlContext>)
(HashSet<HandshakeCompletedListener>)
handshakeListeners.clone();
}
@ -573,7 +566,7 @@ final class SSLConfiguration implements Cloneable {
* system property.
*/
private static String[] getCustomizedSignatureScheme(String propertyName) {
String property = GetPropertyAction.privilegedGetProperty(propertyName);
String property = System.getProperty(propertyName);
if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
SSLLogger.fine(
"System property " + propertyName + " is set to '" +

45
src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -32,7 +32,6 @@ import java.security.cert.*;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
import javax.net.ssl.*;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
@ -409,7 +408,7 @@ public abstract class SSLContextImpl extends SSLContextSpi {
private static Collection<CipherSuite> getCustomizedCipherSuites(
String propertyName) {
String property = GetPropertyAction.privilegedGetProperty(propertyName);
String property = System.getProperty(propertyName);
if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
SSLLogger.fine(
"System property " + propertyName + " is set to '" +
@ -742,7 +741,7 @@ public abstract class SSLContextImpl extends SSLContextSpi {
private static void populate(String propname,
ArrayList<ProtocolVersion> arrayList) {
String property = GetPropertyAction.privilegedGetProperty(propname);
String property = System.getProperty(propname);
if (property == null) {
return;
}
@ -957,28 +956,20 @@ public abstract class SSLContextImpl extends SSLContextSpi {
return tmf.getTrustManagers();
}
@SuppressWarnings("removal")
private static KeyManager[] getKeyManagers() throws Exception {
final Map<String,String> props = new HashMap<>();
AccessController.doPrivileged(
new PrivilegedExceptionAction<Object>() {
@Override
public Object run() {
props.put("keyStore", System.getProperty(
"javax.net.ssl.keyStore", ""));
props.put("keyStoreType", System.getProperty(
"javax.net.ssl.keyStoreType",
KeyStore.getDefaultType()));
props.put("keyStoreProvider", System.getProperty(
"javax.net.ssl.keyStoreProvider", ""));
props.put("keyStorePasswd", System.getProperty(
"javax.net.ssl.keyStorePassword", ""));
return null;
}
});
Map<String,String> props = new HashMap<>();
props.put("keyStore", System.getProperty(
"javax.net.ssl.keyStore", ""));
props.put("keyStoreType", System.getProperty(
"javax.net.ssl.keyStoreType",
KeyStore.getDefaultType()));
props.put("keyStoreProvider", System.getProperty(
"javax.net.ssl.keyStoreProvider", ""));
props.put("keyStorePasswd", System.getProperty(
"javax.net.ssl.keyStorePassword", ""));
final String defaultKeyStore = props.get("keyStore");
String defaultKeyStore = props.get("keyStore");
String defaultKeyStoreType = props.get("keyStoreType");
String defaultKeyStoreProvider = props.get("keyStoreProvider");
if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
@ -1001,13 +992,7 @@ public abstract class SSLContextImpl extends SSLContextSpi {
try {
if (!defaultKeyStore.isEmpty() &&
!NONE.equals(defaultKeyStore)) {
fs = AccessController.doPrivileged(
new PrivilegedExceptionAction<FileInputStream>() {
@Override
public FileInputStream run() throws Exception {
return new FileInputStream(defaultKeyStore);
}
});
fs = new FileInputStream(defaultKeyStore);
}
String defaultKeyStorePassword = props.get("keyStorePasswd");

55
src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -28,9 +28,6 @@ package sun.security.ssl;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ReadOnlyBufferException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.ReentrantLock;
@ -1202,17 +1199,25 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
}
try {
@SuppressWarnings("removal")
var dummy = AccessController.doPrivileged(
new DelegatedAction(hc), engine.conContext.acc);
} catch (PrivilegedActionException pae) {
while (!hc.delegatedActions.isEmpty()) {
Map.Entry<Byte, ByteBuffer> me =
hc.delegatedActions.poll();
if (me != null) {
try {
hc.dispatch(me.getKey(), me.getValue());
} catch (Exception e) {
throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unhandled exception", e);
}
}
}
} catch (SSLException se) {
// Get the handshake context again in case the
// handshaking has completed.
Exception reportedException = pae.getException();
// Report to both the TransportContext...
if (engine.conContext.delegatedThrown == null) {
engine.conContext.delegatedThrown = reportedException;
engine.conContext.delegatedThrown = se;
}
// ...and the HandshakeContext in case condition
@ -1220,11 +1225,10 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
// around.
hc = engine.conContext.handshakeContext;
if (hc != null) {
hc.delegatedThrown = reportedException;
hc.delegatedThrown = se;
} else if (engine.conContext.closeReason != null) {
// Update the reason in case there was a previous.
engine.conContext.closeReason =
getTaskThrown(reportedException);
engine.conContext.closeReason = getTaskThrown(se);
}
} catch (RuntimeException rte) {
// Get the handshake context again in case the
@ -1257,30 +1261,5 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
engine.engineLock.unlock();
}
}
private static class DelegatedAction
implements PrivilegedExceptionAction<Void> {
final HandshakeContext context;
DelegatedAction(HandshakeContext context) {
this.context = context;
}
@Override
public Void run() throws Exception {
while (!context.delegatedActions.isEmpty()) {
Map.Entry<Byte, ByteBuffer> me =
context.delegatedActions.poll();
if (me != null) {
try {
context.dispatch(me.getKey(), me.getValue());
} catch (Exception e) {
throw context.conContext.fatal(Alert.INTERNAL_ERROR,
"Unhandled exception", e);
}
}
}
return null;
}
}
}
}

3
src/java.base/share/classes/sun/security/ssl/SSLExtension.java
View File

@ -30,7 +30,6 @@ import java.nio.ByteBuffer;
import java.text.MessageFormat;
import java.util.*;
import sun.security.action.GetPropertyAction;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
import sun.security.util.HexDumpEncoder;
@ -820,7 +819,7 @@ enum SSLExtension implements SSLStringizer {
// Get disabled extensions, which could be customized with System Properties.
private static Collection<String> getDisabledExtensions(
String propertyName) {
String property = GetPropertyAction.privilegedGetProperty(propertyName);
String property = System.getProperty(propertyName);
if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
SSLLogger.fine(
"System property " + propertyName + " is set to '" +

5
src/java.base/share/classes/sun/security/ssl/SSLLogger.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -41,7 +41,6 @@ import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.*;
import sun.security.action.GetPropertyAction;
import sun.security.util.HexDumpEncoder;
import sun.security.util.Debug;
import sun.security.x509.*;
@ -64,7 +63,7 @@ public final class SSLLogger {
public static final boolean isOn;
static {
String p = GetPropertyAction.privilegedGetProperty("javax.net.debug");
String p = System.getProperty("javax.net.debug");
if (p != null) {
if (p.isEmpty()) {
property = "";

10
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
View File

@ -36,8 +36,6 @@ import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import sun.security.action.GetIntegerAction;
import sun.security.action.GetPropertyAction;
import sun.security.util.Cache;
@ -324,10 +322,10 @@ final class SSLSessionContextImpl implements SSLSessionContext {
// Property for Session Cache state
if (server) {
st = GetPropertyAction.privilegedGetProperty(
st = System.getProperty(
"jdk.tls.server.enableSessionTicketExtension", "true");
} else {
st = GetPropertyAction.privilegedGetProperty(
st = System.getProperty(
"jdk.tls.client.enableSessionTicketExtension", "true");
}
@ -337,7 +335,7 @@ final class SSLSessionContextImpl implements SSLSessionContext {
// Property for Session Ticket Timeout. The value can be changed
// by SSLSessionContext.setSessionTimeout(int)
String s = GetPropertyAction.privilegedGetProperty(
String s = System.getProperty(
"jdk.tls.server.sessionTicketTimeout");
if (s != null) {
try {
@ -364,7 +362,7 @@ final class SSLSessionContextImpl implements SSLSessionContext {
}
}
int defaultCacheLimit = GetIntegerAction.privilegedGetProperty(
int defaultCacheLimit = Integer.getInteger(
"javax.net.ssl.sessionCacheSize", DEFAULT_MAX_CACHE_SIZE);
if (defaultCacheLimit >= 0) {

87
src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
View File

@ -49,7 +49,6 @@ import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLPermission;
import javax.net.ssl.SSLSessionBindingEvent;
import javax.net.ssl.SSLSessionBindingListener;
import javax.net.ssl.SSLSessionContext;
@ -913,24 +912,8 @@ final class SSLSessionImpl extends ExtendedSSLSession {
* are currently valid in this process. For client sessions,
* this returns null.
*/
@SuppressWarnings("removal")
@Override
public SSLSessionContext getSessionContext() {
/*
* An interim security policy until we can do something
* more specific in 1.2. Only allow trusted code (code which
* can set system properties) to get an
* SSLSessionContext. This is to limit the ability of code to
* look up specific sessions or enumerate over them. Otherwise,
* code can only get session objects from successful SSL
* connections which implies that they must have had permission
* to make the network connection in the first place.
*/
SecurityManager sm;
if ((sm = System.getSecurityManager()) != null) {
sm.checkPermission(new SSLPermission("getSSLSessionContext"));
}
return context;
}
@ -1236,10 +1219,9 @@ final class SSLSessionImpl extends ExtendedSSLSession {
/*
* Table of application-specific session data indexed by an application
* key and the calling security context. This is important since
* sessions can be shared across different protection domains.
* key.
*/
private final ConcurrentHashMap<SecureKey, Object> boundValues;
private final ConcurrentHashMap<String, Object> boundValues;
/**
* Assigns a session value. Session change events are given if
@ -1251,8 +1233,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
throw new IllegalArgumentException("arguments can not be null");
}
SecureKey secureKey = new SecureKey(key);
Object oldValue = boundValues.put(secureKey, value);
Object oldValue = boundValues.put(key, value);
if (oldValue instanceof SSLSessionBindingListener) {
SSLSessionBindingEvent e;
@ -1280,8 +1261,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
throw new IllegalArgumentException("argument can not be null");
}
SecureKey secureKey = new SecureKey(key);
return boundValues.get(secureKey);
return boundValues.get(key);
}
@ -1295,8 +1275,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
throw new IllegalArgumentException("argument can not be null");
}
SecureKey secureKey = new SecureKey(key);
Object value = boundValues.remove(secureKey);
Object value = boundValues.remove(key);
if (value instanceof SSLSessionBindingListener) {
SSLSessionBindingEvent e;
@ -1315,15 +1294,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
*/
@Override
public String[] getValueNames() {
ArrayList<Object> v = new ArrayList<>();
Object securityCtx = SecureKey.getCurrentSecurityContext();
for (SecureKey key : boundValues.keySet()) {
if (securityCtx.equals(key.getSecurityContext())) {
v.add(key.getAppKey());
}
}
return v.toArray(new String[0]);
return boundValues.keySet().toArray(new String[0]);
}
/**
@ -1522,49 +1493,3 @@ final class SSLSessionImpl extends ExtendedSSLSession {
return "Session(" + creationTime + "|" + getCipherSuite() + ")";
}
}
/**
* This "struct" class serves as a Hash Key that combines an
* application-specific key and a security context.
*/
class SecureKey {
private static final Object nullObject = new Object();
private final Object appKey;
private final Object securityCtx;
static Object getCurrentSecurityContext() {
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
Object context = null;
if (sm != null)
context = sm.getSecurityContext();
if (context == null)
context = nullObject;
return context;
}
SecureKey(Object key) {
this.appKey = key;
this.securityCtx = getCurrentSecurityContext();
}
Object getAppKey() {
return appKey;
}
Object getSecurityContext() {
return securityCtx;
}
@Override
public int hashCode() {
return appKey.hashCode() ^ securityCtx.hashCode();
}
@Override
public boolean equals(Object o) {
return o instanceof SecureKey && ((SecureKey)o).appKey.equals(appKey)
&& ((SecureKey)o).securityCtx.equals(securityCtx);
}
}

9
src/java.base/share/classes/sun/security/ssl/ServerHandshakeContext.java
View File

@ -27,9 +27,7 @@ package sun.security.ssl;
import java.io.IOException;
import java.security.AlgorithmConstraints;
import java.security.AccessController;
import sun.security.util.LegacyAlgorithmConstraints;
import sun.security.action.GetLongAction;
class ServerHandshakeContext extends HandshakeContext {
// To prevent the TLS renegotiation issues, by setting system property
@ -61,10 +59,9 @@ class ServerHandshakeContext extends HandshakeContext {
ServerHandshakeContext(SSLContextImpl sslContext,
TransportContext conContext) throws IOException {
super(sslContext, conContext);
@SuppressWarnings("removal")
long respTimeOut = AccessController.doPrivileged(
new GetLongAction("jdk.tls.stapling.responseTimeout",
DEFAULT_STATUS_RESP_DELAY));
long respTimeOut = Long.getLong(
"jdk.tls.stapling.responseTimeout",
DEFAULT_STATUS_RESP_DELAY);
statusRespTimeout = respTimeOut >= 0 ? respTimeOut :
DEFAULT_STATUS_RESP_DELAY;
handshakeConsumers.put(

6
src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2019, 2023, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -41,7 +41,6 @@ import javax.net.ssl.SSLSessionContext;
import static sun.security.ssl.SSLExtension.CH_SESSION_TICKET;
import static sun.security.ssl.SSLExtension.SH_SESSION_TICKET;
import sun.security.action.GetPropertyAction;
import sun.security.ssl.SSLExtension.ExtensionConsumer;
import sun.security.ssl.SSLExtension.SSLExtensionSpec;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
@ -78,8 +77,7 @@ final class SessionTicketExtension {
private static final int KEYLEN = 256;
static {
String s = GetPropertyAction.privilegedGetProperty(
"jdk.tls.server.statelessKeyTimeout");
String s = System.getProperty("jdk.tls.server.statelessKeyTimeout");
if (s != null) {
int kt;
try {

28
src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java
View File

@ -27,14 +27,10 @@ package sun.security.ssl;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessController;
import java.security.cert.Extension;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.concurrent.*;
import sun.security.action.GetBooleanAction;
import sun.security.action.GetIntegerAction;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.CertId;
import sun.security.provider.certpath.OCSP;
import sun.security.provider.certpath.OCSPResponse;
@ -63,20 +59,17 @@ final class StatusResponseManager {
* Create a StatusResponseManager with default parameters.
*/
StatusResponseManager() {
@SuppressWarnings("removal")
int cap = AccessController.doPrivileged(
new GetIntegerAction("jdk.tls.stapling.cacheSize",
DEFAULT_CACHE_SIZE));
int cap = Integer.getInteger(
"jdk.tls.stapling.cacheSize",
DEFAULT_CACHE_SIZE);
cacheCapacity = cap > 0 ? cap : 0;
@SuppressWarnings("removal")
int life = AccessController.doPrivileged(
new GetIntegerAction("jdk.tls.stapling.cacheLifetime",
DEFAULT_CACHE_LIFETIME));
int life = Integer.getInteger(
"jdk.tls.stapling.cacheLifetime",
DEFAULT_CACHE_LIFETIME);
cacheLifetime = life > 0 ? life : 0;
String uriStr = GetPropertyAction
.privilegedGetProperty("jdk.tls.stapling.responderURI");
String uriStr = System.getProperty("jdk.tls.stapling.responderURI");
URI tmpURI;
try {
tmpURI = ((uriStr != null && !uriStr.isEmpty()) ?
@ -86,10 +79,9 @@ final class StatusResponseManager {
}
defaultResponder = tmpURI;
respOverride = GetBooleanAction
.privilegedGetProperty("jdk.tls.stapling.responderOverride");
ignoreExtensions = GetBooleanAction
.privilegedGetProperty("jdk.tls.stapling.ignoreExtensions");
respOverride = Boolean.getBoolean("jdk.tls.stapling.responderOverride");
ignoreExtensions = Boolean.getBoolean
("jdk.tls.stapling.ignoreExtensions");
threadMgr = new ScheduledThreadPoolExecutor(DEFAULT_CORE_THREADS,
r -> {

12
src/java.base/share/classes/sun/security/ssl/SunJSSE.java
View File

@ -25,7 +25,7 @@
package sun.security.ssl;
import java.security.*;
import java.security.Provider;
import java.util.*;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
@ -46,20 +46,12 @@ public class SunJSSE extends java.security.Provider {
registerAlgorithms();
}
@SuppressWarnings("removal")
private void registerAlgorithms() {
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
doRegister();
return null;
});
}
private void ps(String type, String algo, String cn,
List<String> a, HashMap<String, String> attrs) {
putService(new Provider.Service(this, type, algo, cn, a, attrs));
}
private void doRegister() {
private void registerAlgorithms() {
ps("Signature", "MD5andSHA1withRSA",
"sun.security.ssl.RSASignature", null, null);

31
src/java.base/share/classes/sun/security/ssl/TransportContext.java
View File

@ -27,9 +27,6 @@ package sun.security.ssl;
import java.io.IOException;
import java.net.SocketException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@ -49,8 +46,6 @@ final class TransportContext implements ConnectionContext {
// registered plaintext consumers
final Map<Byte, SSLConsumer> consumers;
@SuppressWarnings("removal")
final AccessControlContext acc;
final SSLContextImpl sslContext;
final SSLConfiguration sslConfig;
@ -134,7 +129,6 @@ final class TransportContext implements ConnectionContext {
inputRecord, outputRecord, false);
}
@SuppressWarnings("removal")
private TransportContext(SSLContextImpl sslContext, SSLTransport transport,
SSLConfiguration sslConfig, InputRecord inputRecord,
OutputRecord outputRecord, boolean isUnsureMode) {
@ -154,7 +148,6 @@ final class TransportContext implements ConnectionContext {
this.clientVerifyData = emptyByteArray;
this.serverVerifyData = emptyByteArray;
this.acc = AccessController.getContext();
this.consumers = new HashMap<>();
if (inputRecord instanceof DTLSInputRecord dtlsInputRecord) {
@ -677,34 +670,22 @@ final class TransportContext implements ConnectionContext {
// A separate thread is allocated to deliver handshake completion
// events.
private static class NotifyHandshake implements Runnable {
@SuppressWarnings("removal")
private final Set<Map.Entry<HandshakeCompletedListener,
AccessControlContext>> targets; // who gets notified
private final Set<HandshakeCompletedListener>
targets; // who gets notified
private final HandshakeCompletedEvent event; // the notification
NotifyHandshake(
@SuppressWarnings("removal")
Map<HandshakeCompletedListener,AccessControlContext> listeners,
Set<HandshakeCompletedListener> listeners,
HandshakeCompletedEvent event) {
this.targets = new HashSet<>(listeners.entrySet()); // clone
this.targets = new HashSet<>(listeners); // clone
this.event = event;
}
@SuppressWarnings("removal")
@Override
public void run() {
// Don't need to synchronize, as it only runs in one thread.
for (Map.Entry<HandshakeCompletedListener,
AccessControlContext> entry : targets) {
final HandshakeCompletedListener listener = entry.getKey();
AccessControlContext acc = entry.getValue();
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
listener.handshakeCompleted(event);
return null;
}
}, acc);
for (HandshakeCompletedListener listener : targets) {
listener.handshakeCompleted(event);
}
}
}

94
src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -27,11 +27,10 @@ package sun.security.ssl;
import java.io.*;
import java.lang.ref.WeakReference;
import java.security.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
import sun.security.action.*;
import sun.security.util.FilePaths;
import sun.security.validator.TrustStoreUtil;
@ -75,7 +74,7 @@ final class TrustStoreManager {
private static final class TrustStoreDescriptor {
private static final String fileSep = File.separator;
private static final String defaultStorePath =
GetPropertyAction.privilegedGetProperty("java.home") +
System.getProperty("java.home") +
fileSep + "lib" + fileSep + "security";
private static final String defaultStore = FilePaths.cacerts();
private static final String jsseDefaultStore =
@ -122,57 +121,50 @@ final class TrustStoreManager {
* Create an instance of TrustStoreDescriptor for the default
* trusted KeyStore.
*/
@SuppressWarnings({"removal","Convert2Lambda"})
@SuppressWarnings("Convert2Lambda")
static TrustStoreDescriptor createInstance() {
return AccessController.doPrivileged(
new PrivilegedAction<TrustStoreDescriptor>() {
// Get the system properties for trust store.
String storePropName = System.getProperty(
"javax.net.ssl.trustStore", jsseDefaultStore);
String storePropType = System.getProperty(
"javax.net.ssl.trustStoreType",
KeyStore.getDefaultType());
String storePropProvider = System.getProperty(
"javax.net.ssl.trustStoreProvider", "");
String storePropPassword = System.getProperty(
"javax.net.ssl.trustStorePassword", "");
@Override
public TrustStoreDescriptor run() {
// Get the system properties for trust store.
String storePropName = System.getProperty(
"javax.net.ssl.trustStore", jsseDefaultStore);
String storePropType = System.getProperty(
"javax.net.ssl.trustStoreType",
KeyStore.getDefaultType());
String storePropProvider = System.getProperty(
"javax.net.ssl.trustStoreProvider", "");
String storePropPassword = System.getProperty(
"javax.net.ssl.trustStorePassword", "");
String temporaryName = "";
File temporaryFile = null;
long temporaryTime = 0L;
if (!"NONE".equals(storePropName)) {
String[] fileNames =
new String[] {storePropName, defaultStore};
for (String fileName : fileNames) {
File f = new File(fileName);
if (f.isFile() && f.canRead()) {
temporaryName = fileName;
temporaryFile = f;
temporaryTime = f.lastModified();
String temporaryName = "";
File temporaryFile = null;
long temporaryTime = 0L;
if (!"NONE".equals(storePropName)) {
String[] fileNames =
new String[] {storePropName, defaultStore};
for (String fileName : fileNames) {
File f = new File(fileName);
if (f.isFile() && f.canRead()) {
temporaryName = fileName;
temporaryFile = f;
temporaryTime = f.lastModified();
break;
}
// Not break, the file is inaccessible.
if (SSLLogger.isOn &&
SSLLogger.isOn("trustmanager")) {
SSLLogger.fine(
"Inaccessible trust store: " +
fileName);
}
}
} else {
temporaryName = storePropName;
break;
}
return new TrustStoreDescriptor(
temporaryName, storePropType, storePropProvider,
storePropPassword, temporaryFile, temporaryTime);
// Not break, the file is inaccessible.
if (SSLLogger.isOn &&
SSLLogger.isOn("trustmanager")) {
SSLLogger.fine(
"Inaccessible trust store: " +
fileName);
}
}
});
} else {
temporaryName = storePropName;
}
return new TrustStoreDescriptor(
temporaryName, storePropType, storePropProvider,
storePropPassword, temporaryFile, temporaryTime);
}
@Override
@ -384,8 +376,8 @@ final class TrustStoreManager {
}
if (!"NONE".equals(descriptor.storeName)) {
try (@SuppressWarnings("removal") FileInputStream fis = AccessController.doPrivileged(
new OpenFileInputStreamAction(descriptor.storeFile))) {
try (FileInputStream fis =
new FileInputStream(descriptor.storeFile)) {
ks.load(fis, password);
} catch (FileNotFoundException fnfe) {
// No file available, no KeyStore available.

7
src/java.base/share/classes/sun/security/ssl/Utilities.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2012, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,7 +30,6 @@ import java.util.*;
import java.util.regex.Pattern;
import javax.net.ssl.*;
import sun.net.util.IPAddressUtil;
import sun.security.action.GetPropertyAction;
/**
* A utility class to share the static methods.
@ -128,12 +127,10 @@ final class Utilities {
/**
* Return the value of the boolean System property propName.
*
* Note use of privileged action. Do NOT make accessible to applications.
*/
static boolean getBooleanProperty(String propName, boolean defaultValue) {
// if set, require value of either true or false
String b = GetPropertyAction.privilegedGetProperty(propName);
String b = System.getProperty(propName);
if (b == null) {
return defaultValue;
} else if (b.equalsIgnoreCase("false")) {

12
test/jdk/sun/security/action/Generify.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -28,7 +28,6 @@
* @modules java.base/sun.security.action
*/
import java.io.*;
import java.security.*;
import sun.security.action.*;
@ -74,14 +73,5 @@ public class Generify {
} else {
throw new SecurityException("property test failed");
}
File f = new File(System.getProperty("test.src", "."), "Generify.java");
FileInputStream fis = AccessController.doPrivileged
(new OpenFileInputStreamAction(f));
if (fis != null) {
System.out.println("file test passed");
} else {
throw new SecurityException("file test failed");
}
}
}