stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8344310: Remove Security Manager dependencies from javax.crypto and com.sun.crypto packages

Browse Source 
Reviewed-by: jpai, ascarpino
This commit is contained in:
Sean Mullan 2024-11-18 19:35:42 +00:00
parent 92271af635
commit de6e013e0e
7 changed files with 29 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/java.base/share/classes/com/sun/crypto/provider/DHKeyAgreement.java
View File

@ -56,14 +56,8 @@ extends KeyAgreementSpi {
private static class AllowKDF {
private static final boolean VALUE = getValue();
@SuppressWarnings("removal")
private static boolean getValue() {
return AccessController.doPrivileged(
(PrivilegedAction<Boolean>)
() -> Boolean.getBoolean("jdk.crypto.KeyAgreement.legacyKDF"));
}
private static final boolean VALUE =
Boolean.getBoolean("jdk.crypto.KeyAgreement.legacyKDF");
}
/**

12
src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java
View File

@ -30,14 +30,12 @@ import sun.security.util.IOUtils;
import java.io.*;
import java.util.*;
import java.security.AccessController;
import java.security.DigestInputStream;
import java.security.DigestOutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Key;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.security.KeyStoreSpi;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
@ -835,15 +833,9 @@ public final class JceKeyStore extends KeyStoreSpi {
// read the sealed key
try {
ois = new ObjectInputStream(dis);
final ObjectInputStream ois2 = ois;
// Set a deserialization checker
@SuppressWarnings("removal")
var dummy = AccessController.doPrivileged(
(PrivilegedAction<Void>)() -> {
ois2.setObjectInputFilter(
new DeserializationChecker(fullLength));
return null;
});
ois.setObjectInputFilter(
new DeserializationChecker(fullLength));
entry.sealedKey = (SealedObject)ois.readObject();
entry.maxLength = fullLength;
// NOTE: don't close ois here since we are still

21
src/java.base/share/classes/com/sun/crypto/provider/SealedObjectForKeyProtector.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -73,18 +73,13 @@ final class SealedObjectForKeyProtector extends SealedObject {
return params;
}
@SuppressWarnings("removal")
final Key getKey(Cipher c, int maxLength)
throws IOException, ClassNotFoundException, IllegalBlockSizeException,
BadPaddingException {
try (ObjectInputStream ois = SharedSecrets.getJavaxCryptoSealedObjectAccess()
.getExtObjectInputStream(this, c)) {
AccessController.doPrivileged(
(PrivilegedAction<Void>) () -> {
ois.setObjectInputFilter(new DeserializationChecker(maxLength));
return null;
});
ois.setObjectInputFilter(new DeserializationChecker(maxLength));
try {
@SuppressWarnings("unchecked")
Key t = (Key) ois.readObject();
@ -113,16 +108,8 @@ final class SealedObjectForKeyProtector extends SealedObject {
private static final ObjectInputFilter OWN_FILTER;
static {
@SuppressWarnings("removal")
String prop = AccessController.doPrivileged(
(PrivilegedAction<String>) () -> {
String tmp = System.getProperty(KEY_SERIAL_FILTER);
if (tmp != null) {
return tmp;
} else {
return Security.getProperty(KEY_SERIAL_FILTER);
}
});
String prop = System.getProperty(
KEY_SERIAL_FILTER, Security.getProperty(KEY_SERIAL_FILTER));
OWN_FILTER = prop == null
? null
: ObjectInputFilter.Config.createFilter(prop);

18
src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
View File

@ -25,10 +25,8 @@
package com.sun.crypto.provider;
import java.security.AccessController;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.List;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
@ -121,24 +119,12 @@ public final class SunJCE extends Provider {
attrs));
}
@SuppressWarnings("removal")
public SunJCE() {
/* We are the "SunJCE" provider */
super("SunJCE", PROVIDER_VER, info);
// if there is no security manager installed, put directly into
// the provider
if (System.getSecurityManager() == null) {
putEntries();
} else {
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
putEntries();
return null;
}
});
}
putEntries();
if (instance == null) {
instance = this;
}

33
src/java.base/share/classes/javax/crypto/JceSecurity.java.template
View File

@ -76,7 +76,6 @@ import sun.security.util.Debug;
* @since 1.4
*/
@SuppressWarnings("removal")
final class JceSecurity {
private static final Debug debug = Debug.getInstance("jca");
@ -109,15 +108,7 @@ final class JceSecurity {
static {
try {
AccessController.doPrivileged(
new PrivilegedExceptionAction<> () {
@Override
public Void run() throws Exception {
setupJurisdictionPolicies();
return null;
}
}
);
setupJurisdictionPolicies();
isRestricted = defaultPolicy.implies(
CryptoAllPermission.INSTANCE) ? false : true;
@ -285,20 +276,14 @@ final class JceSecurity {
synchronized (codeBaseCacheRef) {
URL url = codeBaseCacheRef.get(clazz);
if (url == null) {
url = AccessController.doPrivileged(
new PrivilegedAction<>() {
@Override
public URL run() {
ProtectionDomain pd = clazz.getProtectionDomain();
if (pd != null) {
CodeSource cs = pd.getCodeSource();
if (cs != null) {
return cs.getLocation();
}
}
return NULL_URL;
}
});
url = NULL_URL;
ProtectionDomain pd = clazz.getProtectionDomain();
if (pd != null) {
CodeSource cs = pd.getCodeSource();
if (cs != null) {
url = cs.getLocation();
}
}
codeBaseCacheRef.put(clazz, url);
}
return (url == NULL_URL) ? null : url;

14
src/java.base/share/classes/javax/crypto/JceSecurityManager.java
View File

@ -65,18 +65,10 @@ final class JceSecurityManager {
exemptPolicy = JceSecurity.getExemptPolicy();
allPerm = CryptoAllPermission.INSTANCE;
PrivilegedAction<JceSecurityManager> paSM = JceSecurityManager::new;
@SuppressWarnings("removal")
JceSecurityManager dummySecurityManager =
AccessController.doPrivileged(paSM);
INSTANCE = dummySecurityManager;
INSTANCE = new JceSecurityManager();
PrivilegedAction<StackWalker> paWalker =
() -> StackWalker.getInstance(Set.of(Option.DROP_METHOD_INFO, Option.RETAIN_CLASS_REFERENCE));
@SuppressWarnings("removal")
StackWalker dummyWalker = AccessController.doPrivileged(paWalker);
WALKER = dummyWalker;
WALKER = StackWalker.getInstance(
Set.of(Option.DROP_METHOD_INFO, Option.RETAIN_CLASS_REFERENCE));
}
private JceSecurityManager() {

22
src/java.base/share/classes/javax/crypto/ProviderVerifier.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2007, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2007, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -100,20 +100,12 @@ final class ProviderVerifier {
// Get a link to the Jarfile to search.
try {
@SuppressWarnings("removal")
var tmp = AccessController.doPrivileged(
(PrivilegedExceptionAction<JarFile>) () -> {
JarURLConnection conn =
(JarURLConnection) url.openConnection();
// You could do some caching here as
// an optimization.
conn.setUseCaches(false);
return conn.getJarFile();
});
jf = tmp;
} catch (java.security.PrivilegedActionException pae) {
throw new SecurityException("Cannot load " + url,
pae.getCause());
JarURLConnection conn = (JarURLConnection) url.openConnection();
// You could do some caching here as an optimization.
conn.setUseCaches(false);
jf = conn.getJarFile();
} catch (IOException ioe) {
throw new SecurityException("Cannot load " + url, ioe);
}
if (jf != null) {