Add FIPS services check in Provider put() method and debug info
Signed-off-by: Tao Liu <[email protected]>

The legacy "put()" method adds services and is used by the SUN and SunEC providers in Semeru OpenJDK8. From OpenJDK11 onwards, all those uses of "put()" were changed to "putService()". However, services added through the legacy "put()" method still need to be checked in Java Security Restricted Mode. This commit therefore updates Provider.java to check the registered services, so that only the needed services are stored in "legacyMap". It also adds more debug info in RestrictedSecurity.java.
taoliult committed Aug 2, 2023
1 parent eaf8e5f commit c2cab3d
Showing 2 changed files with 16 additions and 10 deletions.
Expand Up @@ -585,10 +585,10 @@ private void initProviders() {
// Provider with argument (provider name + optional argument).
providers.add(pNum - 1, providerName);

// Remove the provider's optional arguments if there are.
// Remove the provider's optional arguments if present.
pos = providerName.indexOf(' ');
providerName = (pos < 0) ? providerName.trim() : providerName.substring(0, pos).trim();
// Remove the provider's class package names if there are.
// Remove the provider's class package names if present.
pos = providerName.lastIndexOf('.');
providerName = (pos < 0) ? providerName : providerName.substring(pos + 1, providerName.length());
// Provider without arguments and package names.
Expand Down Expand Up @@ -673,7 +673,7 @@ private void initConstraints() {
continue;
}

// Remove the whitespaces in the format separator if there are.
// Remove the whitespaces in the format separator if present.
providerInfo = providerInfo.trim()
.replaceAll("\\[\\s+\\{", "[{")
.replaceAll("\\}\\s+\\]", "}]")
Expand Down Expand Up @@ -759,6 +759,10 @@ boolean isRestrictedServiceAllowed(Service service) {

if (constraints == null) {
// Disallow unknown providers.
if (debug != null) {
debug.println("Security constraints check."
+ " Disallow unknown provider: " + providerName);
}
return false;
} else if (constraints.length == 0) {
// Allow this provider with no constraints.
Expand All @@ -779,7 +783,7 @@ boolean isRestrictedServiceAllowed(Service service) {
continue;
}
if (!isAsterisk(cAlgorithm) && !algorithm.equalsIgnoreCase(cAlgorithm)) {
// The constraint doesn't apply to the service algorith.
// The constraint doesn't apply to the service algorithm.
continue;
}

Expand All @@ -789,7 +793,7 @@ boolean isRestrictedServiceAllowed(Service service) {
debug.println("Security constraints check."
+ " Service type: " + type
+ " Algorithm: " + algorithm
+ " is allowed in provider " + providerName);
+ " is allowed in provider: " + providerName);
}
return true;
}
Expand Down Expand Up @@ -832,7 +836,7 @@ boolean isRestrictedServiceAllowed(Service service) {
debug.println("Security constraints check."
+ " Service type: " + type
+ " Algorithm: " + algorithm
+ " is NOT allowed in provider " + providerName);
+ " is NOT allowed in provider: " + providerName);
}
// No match for any constraint, return NOT allowed.
return false;
Expand All @@ -849,11 +853,11 @@ boolean isRestrictedProviderAllowed(String providerName) {
debug.println("Checking the provider " + providerName + " in restricted security mode.");
}

// Remove argument, e.g. -NSS-FIPS, if there is.
// Remove argument, e.g. -NSS-FIPS, if present.
int pos = providerName.indexOf('-');
providerName = (pos < 0) ? providerName : providerName.substring(0, pos);

// Remove the provider class package name if there is.
// Remove the provider class package name if present.
pos = providerName.lastIndexOf('.');
providerName = (pos < 0) ? providerName : providerName.substring(pos + 1, providerName.length());

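Review bot: The new debug message in the `constraints == null` branch of `isRestrictedServiceAllowed` names only the provider, while the allow and deny messages later in the same method also print the service type and algorithm, so a trace of this rejection does not show which service request was refused. If `type` and `algorithm` are already assigned at that point (their declarations fall outside the hunk, so this needs checking), the message could follow the same shape: `+ " Service type: " + type + " Algorithm: " + algorithm + " is NOT allowed, unknown provider: " + providerName`. The method body starts and ends outside the hunks shown.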
6 changes: 4 additions & 2 deletions src/java.base/share/classes/java/security/Provider.java
Expand Up @@ -1293,8 +1293,10 @@ public Service getService(String type, String algorithm) {
Service s = serviceMap.get(key);
if (s == null) {
s = legacyMap.get(key);
if (s != null && !s.isValid()) {
if (s != null && (!s.isValid() || !RestrictedSecurity.isServiceAllowed(s))) {
legacyMap.remove(key, s);
// don't return invalid or disallowed legacy services
s = null;
}
}

Expand Down Expand Up @@ -1336,7 +1338,7 @@ public Set<Service> getServices() {
}
if (!legacyMap.isEmpty()) {
legacyMap.entrySet().forEach(entry -> {
if (!entry.getValue().isValid()) {
if (!entry.getValue().isValid() || !RestrictedSecurity.isServiceAllowed(entry.getValue())) {
legacyMap.remove(entry.getKey(), entry.getValue());
} else {
set.add(entry.getValue());
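Review bot: The restricted-mode filter is applied where `legacyMap` is read, in `getService` and `getServices`, rather than where the legacy `put()` stores the entry as the commit title describes. Any other reader of `legacyMap` in Provider.java (none is visible in these hunks) would therefore still see a disallowed service until one of these two methods evicts it. The same two-part condition is now written out twice, and in `getServices` it calls `entry.getValue()` three times; one private helper, for example `private static boolean isUsableLegacy(Service s) { return s.isValid() && RestrictedSecurity.isServiceAllowed(s); }`, would keep both sites in step if the policy check changes. A short comment at each site, such as `// disallowed legacy services are evicted lazily on lookup`, would document why a read mutates the map. Both method bodies continue outside the hunks shown.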
