8344310: Remove Security Manager dependencies from javax.crypto and com.sun.crypto packages
Reviewed-by: jpai, ascarpino
This commit is contained in:
Sean Mullan
parent
92271af635
commit
de6e013e0e
@ -56,14 +56,8 @@ extends KeyAgreementSpi {
|
|||||||
|
|
||||||
private static class AllowKDF {
|
private static class AllowKDF {
|
||||||
|
|
||||||
private static final boolean VALUE = getValue();
|
private static final boolean VALUE =
|
||||||
|
Boolean.getBoolean("jdk.crypto.KeyAgreement.legacyKDF");
|
||||||
@SuppressWarnings("removal")
|
|
||||||
private static boolean getValue() {
|
|
||||||
return AccessController.doPrivileged(
|
|
||||||
(PrivilegedAction<Boolean>)
|
|
||||||
() -> Boolean.getBoolean("jdk.crypto.KeyAgreement.legacyKDF"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@ -30,14 +30,12 @@ import sun.security.util.IOUtils;
|
|||||||
|
|
||||||
import java.io.*;
|
import java.io.*;
|
||||||
import java.util.*;
|
import java.util.*;
|
||||||
import java.security.AccessController;
|
|
||||||
import java.security.DigestInputStream;
|
import java.security.DigestInputStream;
|
||||||
import java.security.DigestOutputStream;
|
import java.security.DigestOutputStream;
|
||||||
import java.security.MessageDigest;
|
import java.security.MessageDigest;
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
import java.security.Key;
|
import java.security.Key;
|
||||||
import java.security.PrivateKey;
|
import java.security.PrivateKey;
|
||||||
import java.security.PrivilegedAction;
|
|
||||||
import java.security.KeyStoreSpi;
|
import java.security.KeyStoreSpi;
|
||||||
import java.security.KeyStoreException;
|
import java.security.KeyStoreException;
|
||||||
import java.security.UnrecoverableKeyException;
|
import java.security.UnrecoverableKeyException;
|
||||||
@ -835,15 +833,9 @@ public final class JceKeyStore extends KeyStoreSpi {
|
|||||||
// read the sealed key
|
// read the sealed key
|
||||||
try {
|
try {
|
||||||
ois = new ObjectInputStream(dis);
|
ois = new ObjectInputStream(dis);
|
||||||
final ObjectInputStream ois2 = ois;
|
|
||||||
// Set a deserialization checker
|
// Set a deserialization checker
|
||||||
@SuppressWarnings("removal")
|
ois.setObjectInputFilter(
|
||||||
var dummy = AccessController.doPrivileged(
|
new DeserializationChecker(fullLength));
|
||||||
(PrivilegedAction<Void>)() -> {
|
|
||||||
ois2.setObjectInputFilter(
|
|
||||||
new DeserializationChecker(fullLength));
|
|
||||||
return null;
|
|
||||||
});
|
|
||||||
entry.sealedKey = (SealedObject)ois.readObject();
|
entry.sealedKey = (SealedObject)ois.readObject();
|
||||||
entry.maxLength = fullLength;
|
entry.maxLength = fullLength;
|
||||||
// NOTE: don't close ois here since we are still
|
// NOTE: don't close ois here since we are still
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1998, 2021, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 1998, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -73,18 +73,13 @@ final class SealedObjectForKeyProtector extends SealedObject {
|
|||||||
return params;
|
return params;
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
final Key getKey(Cipher c, int maxLength)
|
final Key getKey(Cipher c, int maxLength)
|
||||||
throws IOException, ClassNotFoundException, IllegalBlockSizeException,
|
throws IOException, ClassNotFoundException, IllegalBlockSizeException,
|
||||||
BadPaddingException {
|
BadPaddingException {
|
||||||
|
|
||||||
try (ObjectInputStream ois = SharedSecrets.getJavaxCryptoSealedObjectAccess()
|
try (ObjectInputStream ois = SharedSecrets.getJavaxCryptoSealedObjectAccess()
|
||||||
.getExtObjectInputStream(this, c)) {
|
.getExtObjectInputStream(this, c)) {
|
||||||
AccessController.doPrivileged(
|
ois.setObjectInputFilter(new DeserializationChecker(maxLength));
|
||||||
(PrivilegedAction<Void>) () -> {
|
|
||||||
ois.setObjectInputFilter(new DeserializationChecker(maxLength));
|
|
||||||
return null;
|
|
||||||
});
|
|
||||||
try {
|
try {
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
Key t = (Key) ois.readObject();
|
Key t = (Key) ois.readObject();
|
||||||
@ -113,16 +108,8 @@ final class SealedObjectForKeyProtector extends SealedObject {
|
|||||||
private static final ObjectInputFilter OWN_FILTER;
|
private static final ObjectInputFilter OWN_FILTER;
|
||||||
|
|
||||||
static {
|
static {
|
||||||
@SuppressWarnings("removal")
|
String prop = System.getProperty(
|
||||||
String prop = AccessController.doPrivileged(
|
KEY_SERIAL_FILTER, Security.getProperty(KEY_SERIAL_FILTER));
|
||||||
(PrivilegedAction<String>) () -> {
|
|
||||||
String tmp = System.getProperty(KEY_SERIAL_FILTER);
|
|
||||||
if (tmp != null) {
|
|
||||||
return tmp;
|
|
||||||
} else {
|
|
||||||
return Security.getProperty(KEY_SERIAL_FILTER);
|
|
||||||
}
|
|
||||||
});
|
|
||||||
OWN_FILTER = prop == null
|
OWN_FILTER = prop == null
|
||||||
? null
|
? null
|
||||||
: ObjectInputFilter.Config.createFilter(prop);
|
: ObjectInputFilter.Config.createFilter(prop);
|
||||||
|
|||||||
@ -25,10 +25,8 @@
|
|||||||
|
|
||||||
package com.sun.crypto.provider;
|
package com.sun.crypto.provider;
|
||||||
|
|
||||||
import java.security.AccessController;
|
|
||||||
import java.security.Provider;
|
import java.security.Provider;
|
||||||
import java.security.SecureRandom;
|
import java.security.SecureRandom;
|
||||||
import java.security.PrivilegedAction;
|
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
||||||
@ -121,24 +119,12 @@ public final class SunJCE extends Provider {
|
|||||||
attrs));
|
attrs));
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
public SunJCE() {
|
public SunJCE() {
|
||||||
/* We are the "SunJCE" provider */
|
/* We are the "SunJCE" provider */
|
||||||
super("SunJCE", PROVIDER_VER, info);
|
super("SunJCE", PROVIDER_VER, info);
|
||||||
|
|
||||||
// if there is no security manager installed, put directly into
|
putEntries();
|
||||||
// the provider
|
|
||||||
if (System.getSecurityManager() == null) {
|
|
||||||
putEntries();
|
|
||||||
} else {
|
|
||||||
AccessController.doPrivileged(new PrivilegedAction<Void>() {
|
|
||||||
@Override
|
|
||||||
public Void run() {
|
|
||||||
putEntries();
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
if (instance == null) {
|
if (instance == null) {
|
||||||
instance = this;
|
instance = this;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -76,7 +76,6 @@ import sun.security.util.Debug;
|
|||||||
* @since 1.4
|
* @since 1.4
|
||||||
*/
|
*/
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
final class JceSecurity {
|
final class JceSecurity {
|
||||||
|
|
||||||
private static final Debug debug = Debug.getInstance("jca");
|
private static final Debug debug = Debug.getInstance("jca");
|
||||||
@ -109,15 +108,7 @@ final class JceSecurity {
|
|||||||
|
|
||||||
static {
|
static {
|
||||||
try {
|
try {
|
||||||
AccessController.doPrivileged(
|
setupJurisdictionPolicies();
|
||||||
new PrivilegedExceptionAction<> () {
|
|
||||||
@Override
|
|
||||||
public Void run() throws Exception {
|
|
||||||
setupJurisdictionPolicies();
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
);
|
|
||||||
|
|
||||||
isRestricted = defaultPolicy.implies(
|
isRestricted = defaultPolicy.implies(
|
||||||
CryptoAllPermission.INSTANCE) ? false : true;
|
CryptoAllPermission.INSTANCE) ? false : true;
|
||||||
@ -285,20 +276,14 @@ final class JceSecurity {
|
|||||||
synchronized (codeBaseCacheRef) {
|
synchronized (codeBaseCacheRef) {
|
||||||
URL url = codeBaseCacheRef.get(clazz);
|
URL url = codeBaseCacheRef.get(clazz);
|
||||||
if (url == null) {
|
if (url == null) {
|
||||||
url = AccessController.doPrivileged(
|
url = NULL_URL;
|
||||||
new PrivilegedAction<>() {
|
ProtectionDomain pd = clazz.getProtectionDomain();
|
||||||
@Override
|
if (pd != null) {
|
||||||
public URL run() {
|
CodeSource cs = pd.getCodeSource();
|
||||||
ProtectionDomain pd = clazz.getProtectionDomain();
|
if (cs != null) {
|
||||||
if (pd != null) {
|
url = cs.getLocation();
|
||||||
CodeSource cs = pd.getCodeSource();
|
}
|
||||||
if (cs != null) {
|
}
|
||||||
return cs.getLocation();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return NULL_URL;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
codeBaseCacheRef.put(clazz, url);
|
codeBaseCacheRef.put(clazz, url);
|
||||||
}
|
}
|
||||||
return (url == NULL_URL) ? null : url;
|
return (url == NULL_URL) ? null : url;
|
||||||
|
|||||||
@ -65,18 +65,10 @@ final class JceSecurityManager {
|
|||||||
exemptPolicy = JceSecurity.getExemptPolicy();
|
exemptPolicy = JceSecurity.getExemptPolicy();
|
||||||
allPerm = CryptoAllPermission.INSTANCE;
|
allPerm = CryptoAllPermission.INSTANCE;
|
||||||
|
|
||||||
PrivilegedAction<JceSecurityManager> paSM = JceSecurityManager::new;
|
INSTANCE = new JceSecurityManager();
|
||||||
@SuppressWarnings("removal")
|
|
||||||
JceSecurityManager dummySecurityManager =
|
|
||||||
AccessController.doPrivileged(paSM);
|
|
||||||
INSTANCE = dummySecurityManager;
|
|
||||||
|
|
||||||
PrivilegedAction<StackWalker> paWalker =
|
WALKER = StackWalker.getInstance(
|
||||||
() -> StackWalker.getInstance(Set.of(Option.DROP_METHOD_INFO, Option.RETAIN_CLASS_REFERENCE));
|
Set.of(Option.DROP_METHOD_INFO, Option.RETAIN_CLASS_REFERENCE));
|
||||||
@SuppressWarnings("removal")
|
|
||||||
StackWalker dummyWalker = AccessController.doPrivileged(paWalker);
|
|
||||||
|
|
||||||
WALKER = dummyWalker;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private JceSecurityManager() {
|
private JceSecurityManager() {
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2007, 2022, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2007, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -100,20 +100,12 @@ final class ProviderVerifier {
|
|||||||
|
|
||||||
// Get a link to the Jarfile to search.
|
// Get a link to the Jarfile to search.
|
||||||
try {
|
try {
|
||||||
@SuppressWarnings("removal")
|
JarURLConnection conn = (JarURLConnection) url.openConnection();
|
||||||
var tmp = AccessController.doPrivileged(
|
// You could do some caching here as an optimization.
|
||||||
(PrivilegedExceptionAction<JarFile>) () -> {
|
conn.setUseCaches(false);
|
||||||
JarURLConnection conn =
|
jf = conn.getJarFile();
|
||||||
(JarURLConnection) url.openConnection();
|
} catch (IOException ioe) {
|
||||||
// You could do some caching here as
|
throw new SecurityException("Cannot load " + url, ioe);
|
||||||
// an optimization.
|
|
||||||
conn.setUseCaches(false);
|
|
||||||
return conn.getJarFile();
|
|
||||||
});
|
|
||||||
jf = tmp;
|
|
||||||
} catch (java.security.PrivilegedActionException pae) {
|
|
||||||
throw new SecurityException("Cannot load " + url,
|
|
||||||
pae.getCause());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (jf != null) {
|
if (jf != null) {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user