Skip to content

Commit

Permalink
Check RestrictedSecurity profile for errors
Browse files Browse the repository at this point in the history 
This commit checks the misspelled properties and provider order
numbers in RestrictedSecurity mode. If there is a misspelled
property or the provider order numbers are not consecutive. The
RestrictedSecurity mode initializion will stop and throw errors.

Signed-off-by: Tao Liu <[email protected]>
  • Loading branch information
@taoliult
taoliult committed Sep 23, 2024
1 parent 7dbd3e5 commit 4f7e6ea
Showing 1 changed file with 45 additions and 0 deletions.
45 changes: 45 additions & 0 deletions closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.Deque;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
Expand Down Expand Up @@ -994,6 +995,9 @@ private static final class ProfileParser {
// The java.security properties.
private final Properties securityProps;

private LinkedList<String> profileCheckPropertyNames;
private LinkedList<String> profileCheckProviderNames;

/**
*
* @param id the restricted security custom profile ID
Expand All @@ -1016,8 +1020,13 @@ private ProfileParser(String id, Properties props) {

parsedProfiles = new HashSet<>();

profileCheckPropertyNames = new LinkedList<>();
profileCheckProviderNames = new LinkedList<>();

// Initialize the properties.
init(profileID);

checkProfileCheck(profileID);
}

private RestrictedSecurityProperties getProperties() {
Expand All @@ -1040,12 +1049,16 @@ private void init(String profileID) {
printStackTraceAndExit(profileID + " has already been parsed. Potential infinite recursion.");
}

loadProfileCheck(profileID);

String potentialExtendsProfileID = parseProperty(securityProps.getProperty(profileID + ".extends"));
if (potentialExtendsProfileID != null) { // If profile extends another profile.
if (debug != null) {
debug.println("\t'" + profileID + "' extends '" + potentialExtendsProfileID + "'.");
}

profileCheckPropertyNames.remove(profileID + ".extends");

// Check if extended profile exists.
String extendsProfileID = null;
if (potentialExtendsProfileID.indexOf('.') != potentialExtendsProfileID.lastIndexOf('.')) {
Expand Down Expand Up @@ -1098,6 +1111,7 @@ private void init(String profileID) {
// Save info to be hashed and expected result to be checked later.
profilesHashes.put(profileID, hashValue);
profilesInfo.put(profileID, allInfo);
profileCheckPropertyNames.remove(hashProperty);
} else if (!isFIPS1402Profile(profileID)) {
// A hash is mandatory, but not for older 140-2 profiles.
printStackTraceAndExit(profileID + " is a base profile, so a hash value is mandatory.");
Expand Down Expand Up @@ -1134,6 +1148,7 @@ private void update(String profileExtensionId) {
// Save info to be hashed and expected result to be checked later.
profilesHashes.put(profileID, hashValue);
profilesInfo.put(profileID, allInfo);
profileCheckPropertyNames.remove(hashProperty);
}
} catch (Exception e) {
if (debug != null) {
Expand Down Expand Up @@ -1254,6 +1269,7 @@ private void initProviders(String profileID, List<String> allInfo) {
allInfo.add(property + "=" + providerInfo);

parseProvider(providerInfo, pNum, false);
profileCheckProviderNames.remove(property);
}

if (providers.isEmpty()) {
Expand Down Expand Up @@ -1284,6 +1300,7 @@ private void updateProviders(String profileExtensionId, List<String> allInfo) {
removedProvider = true;
break;
}
profileCheckProviderNames.remove(property);
}
}

Expand Down Expand Up @@ -1311,6 +1328,7 @@ private void updateProviders(String profileExtensionId, List<String> allInfo) {
allInfo.add(property + "=" + providerInfo);

parseProvider(providerInfo, i, false);
profileCheckProviderNames.remove(property);
}
}

Expand Down Expand Up @@ -1634,6 +1652,7 @@ private boolean setProperty(String property, String propertyKey, List<String> al
newValue = value;
}
profileProperties.put(property, newValue);
profileCheckPropertyNames.remove(propertyKey);
return true;
}
if (debug != null) {
Expand Down Expand Up @@ -1706,6 +1725,32 @@ private static void checkProviderFormat(String providerInfo, boolean update) {
printStackTraceAndExit("Provider format is incorrect: " + providerInfo);
}
}

private void loadProfileCheck(String profileID) {
Enumeration<?> pNames = securityProps.propertyNames();
while (pNames.hasMoreElements()) {
String name = (String) pNames.nextElement();
if (name.startsWith(profileID + '.') && name.contains(".jce.provider.")) {
profileCheckProviderNames.add(name);
} else if (name.startsWith(profileID + '.')) {
profileCheckPropertyNames.add(name);
}
}
}

private void checkProfileCheck(String profileID) {
if (!profileCheckProviderNames.isEmpty()) {
printStackTraceAndExit(
"The order of providers in profile " + profileID
+ " (or its base profile) is incorrect.");
}
if (!profileCheckPropertyNames.isEmpty()) {
printStackTraceAndExit(
"The property name: " + profileCheckPropertyNames.toString()
+ " in profile " + profileID
+ " may be misspelled.");
}
}
}

/**
Expand Down

0 comments on commit 4f7e6ea

Please sign in to comment.