# HG changeset patch # User ascarpino # Date 1445301318 25200 # Node ID 27eb2d6abda96fff979bdea3ffe86af7203b4c9b # Parent 346a88a88fee0dc92b8adb5fbd03b3f983026703 8133151: Preferred provider configuration for JCE Reviewed-by: valeriep diff -r 346a88a88fee -r 27eb2d6abda9 jdk/make/gendata/Gendata-java.base.gmk --- a/jdk/make/gendata/Gendata-java.base.gmk Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/make/gendata/Gendata-java.base.gmk Mon Oct 19 17:35:18 2015 -0700 @@ -70,7 +70,7 @@ $(ECHO) "Generating java.security" $(MKDIR) -p $(@D) $(TOOL_MAKEJAVASECURITY) $(GENDATA_JAVA_SECURITY_SRC) $@ $(OPENJDK_TARGET_OS) \ - $(RESTRICTED_PKGS_SRC) || exit 1 + $(OPENJDK_TARGET_CPU_ARCH) $(RESTRICTED_PKGS_SRC) || exit 1 TARGETS += $(GENDATA_JAVA_SECURITY) diff -r 346a88a88fee -r 27eb2d6abda9 jdk/make/src/classes/build/tools/makejavasecurity/MakeJavaSecurity.java --- a/jdk/make/src/classes/build/tools/makejavasecurity/MakeJavaSecurity.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/make/src/classes/build/tools/makejavasecurity/MakeJavaSecurity.java Mon Oct 19 17:35:18 2015 -0700 @@ -50,19 +50,21 @@ public static void main(String[] args) throws Exception { - if (args.length < 3) { + if (args.length < 4) { System.err.println("Usage: java MakeJavaSecurity " + "[input java.security file name] " + "[output java.security file name] " + "[openjdk target os] " + + "[openjdk target cpu architecture]" + "[more restricted packages file name?]"); - System.exit(1); + + System.exit(1); } // more restricted packages List extraLines; - if (args.length == 4) { - extraLines = Files.readAllLines(Paths.get(args[3])); + if (args.length == 5) { + extraLines = Files.readAllLines(Paths.get(args[4])); } else { extraLines = Collections.emptyList(); } 
@@ -96,7 +98,11 @@ mode = 0; iter.remove(); } else if (line.startsWith("#ifdef ")) { - mode = line.endsWith(args[2])?1:2; + if (line.indexOf('-') > 0) { + mode = line.endsWith(args[2]+"-"+args[3]) ? 1 : 2; + } else { + mode = line.endsWith(args[2]) ? 1 : 2; + } iter.remove(); } else if (line.startsWith("#ifndef ")) { mode = line.endsWith(args[2])?2:1; diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/java/security/AlgorithmParameterGenerator.java --- a/jdk/src/java.base/share/classes/java/security/AlgorithmParameterGenerator.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/java/security/AlgorithmParameterGenerator.java Mon Oct 19 17:35:18 2015 -0700 @@ -138,6 +138,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the name of the algorithm this * parameter generator is associated with. * See the AlgorithmParameterGenerator section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/java/security/KeyFactory.java --- a/jdk/src/java.base/share/classes/java/security/KeyFactory.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/java/security/KeyFactory.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -153,6 +153,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the name of the requested key algorithm. * See the KeyFactory section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/java/security/KeyPairGenerator.java --- a/jdk/src/java.base/share/classes/java/security/KeyPairGenerator.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/java/security/KeyPairGenerator.java Mon Oct 19 17:35:18 2015 -0700 @@ -195,6 +195,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard string name of the algorithm. * See the KeyPairGenerator section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/java/security/KeyStore.java --- a/jdk/src/java.base/share/classes/java/security/KeyStore.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/java/security/KeyStore.java Mon Oct 19 17:35:18 2015 -0700 @@ -841,6 +841,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param type the type of keystore. * See the KeyStore section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/java/security/MessageDigest.java --- a/jdk/src/java.base/share/classes/java/security/MessageDigest.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/java/security/MessageDigest.java Mon Oct 19 17:35:18 2015 -0700 @@ -146,6 +146,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the name of the algorithm requested. * See the MessageDigest section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/java/security/Policy.java --- a/jdk/src/java.base/share/classes/java/security/Policy.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/java/security/Policy.java Mon Oct 19 17:35:18 2015 -0700 @@ -355,6 +355,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param type the specified Policy type. See the Policy section in the * diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/java/security/SecureRandom.java --- a/jdk/src/java.base/share/classes/java/security/SecureRandom.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/java/security/SecureRandom.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -268,6 +268,13 @@ * This self-seeding will not occur if {@code setSeed} was * previously called. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the name of the RNG algorithm. * See the SecureRandom section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/java/security/Signature.java --- a/jdk/src/java.base/share/classes/java/security/Signature.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/java/security/Signature.java Mon Oct 19 17:35:18 2015 -0700 @@ -203,6 +203,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the algorithm requested. * See the Signature section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/java/security/cert/CertPathBuilder.java --- a/jdk/src/java.base/share/classes/java/security/cert/CertPathBuilder.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/java/security/cert/CertPathBuilder.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -142,6 +142,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the name of the requested {@code CertPathBuilder} * algorithm. See the CertPathBuilder section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/java/security/cert/CertPathValidator.java --- a/jdk/src/java.base/share/classes/java/security/cert/CertPathValidator.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/java/security/cert/CertPathValidator.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -143,6 +143,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the name of the requested {@code CertPathValidator} * algorithm. See the CertPathValidator section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/java/security/cert/CertStore.java --- a/jdk/src/java.base/share/classes/java/security/cert/CertStore.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/java/security/cert/CertStore.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -201,6 +201,13 @@ * Note that the specified {@code CertStoreParameters} object is * cloned. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param type the name of the requested {@code CertStore} type. * See the CertStore section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/java/security/cert/CertificateFactory.java --- a/jdk/src/java.base/share/classes/java/security/cert/CertificateFactory.java Mon Oct 19 17:26:01 2015 -0700 
+++ b/jdk/src/java.base/share/classes/java/security/cert/CertificateFactory.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -163,6 +163,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param type the name of the requested certificate type. * See the CertificateFactory section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/javax/crypto/Cipher.java --- a/jdk/src/java.base/share/classes/javax/crypto/Cipher.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/javax/crypto/Cipher.java Mon Oct 19 17:35:18 2015 -0700 @@ -478,6 +478,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param transformation the name of the transformation, e.g., * DES/CBC/PKCS5Padding. * See the Cipher section in the Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested exemption * mechanism. * See the ExemptionMechanism section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/javax/crypto/KeyAgreement.java --- a/jdk/src/java.base/share/classes/javax/crypto/KeyAgreement.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/javax/crypto/KeyAgreement.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -150,6 +150,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested key agreement * algorithm. * See the KeyAgreement section in the Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested key algorithm. * See the KeyGenerator section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/javax/crypto/Mac.java --- a/jdk/src/java.base/share/classes/javax/crypto/Mac.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/javax/crypto/Mac.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -152,6 +152,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested MAC algorithm. * See the Mac section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/javax/crypto/SecretKeyFactory.java --- a/jdk/src/java.base/share/classes/javax/crypto/SecretKeyFactory.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/javax/crypto/SecretKeyFactory.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -137,6 +137,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested secret-key * algorithm. * See the SecretKeyFactory section in the Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested algorithm. * See the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/javax/net/ssl/SSLContext.java --- a/jdk/src/java.base/share/classes/javax/net/ssl/SSLContext.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/javax/net/ssl/SSLContext.java Mon Oct 19 17:35:18 2015 -0700 @@ -136,6 +136,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param protocol the standard name of the requested protocol. * See the SSLContext section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java --- a/jdk/src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java Mon Oct 19 17:35:18 2015 -0700 @@ -130,6 +130,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested trust management * algorithm. See the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/javax/security/auth/login/Configuration.java --- a/jdk/src/java.base/share/classes/javax/security/auth/login/Configuration.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/javax/security/auth/login/Configuration.java Mon Oct 19 17:35:18 2015 -0700 @@ -311,6 +311,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param type the specified Configuration type. See the Configuration * section in the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/classes/sun/security/jca/ProviderList.java --- a/jdk/src/java.base/share/classes/sun/security/jca/ProviderList.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/jca/ProviderList.java Mon Oct 19 17:35:18 2015 -0700 @@ -27,8 +27,11 @@ import java.util.*; -import java.security.*; +import java.security.AccessController; +import java.security.PrivilegedAction; +import java.security.Provider; import java.security.Provider.Service; +import java.security.Security; /** * List of Providers. Used to represent the provider preferences. @@ -65,6 +68,9 @@ // constant for an ProviderList with no elements static final ProviderList EMPTY = new ProviderList(PC0, true); + // list of all jdk.security.provider.preferred entries + static private PreferredList preferredPropList = null; + // dummy provider object to use during initialization // used to avoid explicit null checks in various places private static final Provider EMPTY_PROVIDER = 
@@ -162,11 +168,10 @@ */ private ProviderList() { List configList = new ArrayList<>(); - for (int i = 1; true; i++) { - String entry = Security.getProperty("security.provider." + i); - if (entry == null) { - break; - } + String entry; + int i = 1; + + while ((entry = Security.getProperty("security.provider." + i)) != null) { entry = entry.trim(); if (entry.length() == 0) { System.err.println("invalid entry for " + @@ -187,10 +192,36 @@ if (configList.contains(config) == false) { configList.add(config); } + i++; } configs = configList.toArray(PC0); + + // Load config entries for use when getInstance is called + entry = Security.getProperty("jdk.security.provider.preferred"); + if (entry != null && (entry = entry.trim()).length() > 0) { + String[] entries = entry.split(","); + if (ProviderList.preferredPropList == null) { + ProviderList.preferredPropList = new PreferredList(); + } + + for (String e : entries) { + i = e.indexOf(':'); + if (i < 0) { + if (debug != null) { + debug.println("invalid preferred entry skipped. " + + "Missing colon delimiter \"" + e + "\""); + } + continue; + } + ProviderList.preferredPropList.add(new PreferredEntry( + e.substring(0, i).trim(), e.substring(i + 1).trim())); + } + } + if (debug != null) { debug.println("provider configuration: " + configList); + debug.println("config configuration: " + + ProviderList.preferredPropList); } } @@ -327,7 +358,22 @@ * algorithm. */ public Service getService(String type, String name) { - for (int i = 0; i < configs.length; i++) { + ArrayList pList = null; + int i; + + // Preferred provider list + if (preferredPropList != null && + (pList = preferredPropList.getAll(type, name)) != null) { + for (i = 0; i < pList.size(); i++) { + Provider p = getProvider(pList.get(i).provider); + Service s = p.getService(type, name); + if (s != null) { + return s; + } + } + } + + for (i = 0; i < configs.length; i++) { Provider p = getProvider(i); Service s = p.getService(type, name); if (s != null) { 
@@ -394,7 +440,11 @@ private List services; // index into config[] of the next provider we need to query - private int providerIndex; + private int providerIndex = 0; + + // Matching preferred provider list for this ServiceList + ArrayList preferredList = null; + private int preferredIndex = 0; ServiceList(String type, String algorithm) { this.type = type; @@ -421,6 +471,14 @@ } private Service tryGet(int index) { + Provider p; + + // If preferred providers are configured, check for matches with + // the requested service. + if (preferredPropList != null && preferredList == null) { + preferredList = preferredPropList.getAll(this); + } + while (true) { if ((index == 0) && (firstService != null)) { return firstService; @@ -430,8 +488,27 @@ if (providerIndex >= configs.length) { return null; } - // check all algorithms in this provider before moving on - Provider p = getProvider(providerIndex++); + + // If there were matches with a preferred provider, iterate + // through the list first before going through the + // ordered list (java.security.provider.#) + if (preferredList != null && + preferredIndex < preferredList.size()) { + PreferredEntry entry = preferredList.get(preferredIndex++); + // Look for the provider name in the PreferredEntry + p = getProvider(entry.provider); + if (p == null) { + if (debug != null) { + debug.println("No provider found with name: " + + entry.provider); + } + continue; + } + } else { + // check all algorithms in this provider before moving on + p = getProvider(providerIndex++); + } + if (type != null) { // simple lookup Service s = p.getService(type, algorithm); 
@@ -502,4 +579,119 @@ } } + // Provider list defined by jdk.security.provider.preferred entry + static final class PreferredList { + ArrayList list = new ArrayList(); + + /* + * Return a list of all preferred entries that match the passed + * ServiceList. + */ + ArrayList getAll(ServiceList s) { + if (s.ids == null) { + return getAll(s.type, s.algorithm); + + } + + ArrayList l = new ArrayList(); + for (ServiceId id : s.ids) { + implGetAll(l, id.type, id.algorithm); + } + + return l; + } + + /* + * Return a list of all preferred entries that match the passed + * type and algorithm. + */ + ArrayList getAll(String type, String algorithm) { + ArrayList l = new ArrayList(); + implGetAll(l, type, algorithm); + return l; + } + + /* + * Compare each preferred entry against the passed type and + * algorithm, putting any matches in the passed ArrayList. + */ + private void implGetAll(ArrayList l, String type, + String algorithm) { + PreferredEntry e; + + for (int i = 0; i < size(); i++) { + e = list.get(i); + if (e.match(type, algorithm)) { + l.add(e); + } + } + } + + public PreferredEntry get(int i) { + return list.get(i); + } + + public int size() { + return list.size(); + } + + public boolean add(PreferredEntry e) { + return list.add(e); + } + + public String toString() { + String s = ""; + for (PreferredEntry e: list) { + s += e.toString(); + } + return s; + } + } + + // Individual preferred property entry from jdk.security.provider.preferred + private class PreferredEntry { + String type = null; + String algorithm; + String provider; + + PreferredEntry(String t, String p) { + int i = t.indexOf('.'); + if (i > 0) { + type = t.substring(0, i); + algorithm = t.substring(i + 1); + } else { + algorithm = t; + } + + provider = p; + } + + boolean match(String t, String a) { + if (debug != null) { + debug.println("Config match: " + toString() + " == [" + t + + ", " + a + "]"); + } + + // Compare service type if configured + if (type != null && type.compareToIgnoreCase(t) != 0) 
{ + return false; + } + + // Compare the algorithm string. + if (a.compareToIgnoreCase(algorithm) == 0) { + if (debug != null) { + debug.println("Config entry found: " + toString()); + } + return true; + } + + // No match + return false; + } + + public String toString() { + return "[" + type + ", " + algorithm + " : " + provider + "] "; + } + } + } diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.base/share/conf/security/java.security --- a/jdk/src/java.base/share/conf/security/java.security Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.base/share/conf/security/java.security Mon Oct 19 17:35:18 2015 -0700 
@@ -90,6 +90,31 @@ security.provider.tbd=sun.security.pkcs11.SunPKCS11 #endif +# +# A list of preferred providers for specific algorithms. These providers will +# be searched for matching algorithms before the list of registered providers. +# Entries containing errors (parsing, etc) will be ignored. Use the +# -Djava.security.debug=jca property to debug these errors. +# +# The property is a comma-separated list of serviceType.algorithm:provider +# entries. The serviceType (example: "MessageDigest") is optional, and if +# not specified, the algorithm applies to all service types that support it. +# The algorithm is the standard algorithm name or transformation. +# Transformations can be specified in their full standard name +# (ex: AES/CBC/PKCS5Padding), or as partial matches (ex: AES, AES/CBC). +# The provider is the name of the provider. Any provider that does not +# also appear in the registered list will be ignored. +# +# Example: +# jdk.security.provider.preferred=AES/GCM/NoPadding:SunJCE, \ +# MessageDigest.SHA-256:SUN +#ifdef solaris-sparc +jdk.security.provider.preferred=AES:SunJCE, SHA-256:SUN, SHA-384:SUN, SHA-512:SUN +#endif +#ifdef solaris-x86 +jdk.security.provider.preferred=AES:SunJCE, RSA:SunRsaSign +#endif + # # Sun Provider SecureRandom seed source. diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.security.sasl/share/classes/javax/security/sasl/Sasl.java --- a/jdk/src/java.security.sasl/share/classes/javax/security/sasl/Sasl.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.security.sasl/share/classes/javax/security/sasl/Sasl.java Mon Oct 19 17:35:18 2015 -0700 
@@ -310,6 +310,13 @@ * for information about how to install and configure security service * providers. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param mechanisms The non-null list of mechanism names to try. Each is the * IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5"). * @param authorizationId The possibly null protocol-dependent @@ -452,6 +459,13 @@ * for information about how to install and configure security * service providers. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param mechanism The non-null mechanism name. It must be an * IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5"). * @param protocol The non-null string name of the protocol for which diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.smartcardio/share/classes/javax/smartcardio/TerminalFactory.java --- a/jdk/src/java.smartcardio/share/classes/javax/smartcardio/TerminalFactory.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.smartcardio/share/classes/javax/smartcardio/TerminalFactory.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -229,6 +229,13 @@ * specified parameters Object. The type of parameters * needed may vary between different types of TerminalFactorys. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param type the type of the requested TerminalFactory * @param params the parameters to pass to the TerminalFactorySpi * implementation, or null if no parameters are needed diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/TransformService.java --- a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/TransformService.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/TransformService.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -136,6 +136,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the URI of the algorithm * @param mechanismType the type of the XML processing mechanism and * representation diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLSignatureFactory.java --- a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLSignatureFactory.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLSignatureFactory.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -173,6 +173,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param mechanismType the type of the XML processing mechanism and * representation. See the diff -r 346a88a88fee -r 27eb2d6abda9 jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.java --- a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.java Mon Oct 19 17:26:01 2015 -0700 +++ b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.java Mon Oct 19 17:35:18 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -129,6 +129,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param mechanismType the type of the XML processing mechanism and * representation. See the @@ -263,6 +270,13 @@ *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @return a new KeyInfoFactory * @throws NoSuchMechanismException if no Provider supports a * KeyInfoFactory implementation for the DOM mechanism
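Review bot: In the matching method that closes just before the java.security diff, `if (a.compareToIgnoreCase(algorithm) == 0)` is an equality test written as an ordering comparison; `a.equalsIgnoreCase(algorithm)` states the intent directly. In the same hunk, `toString()` returns a string ending in `"] "`, so every "Config entry found" debug line carries a trailing space, and the explicit `toString()` call in the concatenation can simply be `this`.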
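Review bot: In the java.security hunk (@@ -90,6 +90,31 @@), the comment says that entries with errors, and providers not in the registered list, "will be ignored", but it does not say what the lookup does instead. For a property that decides which implementation serves a crypto algorithm, the comment should state that an ignored entry falls back to the registered provider order, since a mistyped provider name is otherwise only visible with -Djava.security.debug=jca. The comment also leaves two parsing rules undocumented that the shipped defaults and the matcher rely on: the defaults put a space after each comma (`AES:SunJCE, RSA:SunRsaSign`), and the matcher compares algorithm names with compareToIgnoreCase, so both whitespace handling and case-insensitivity belong in the property description.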
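Review bot: In Sasl.java (@@ -310,6 +310,13 @@ and @@ -452,6 +459,13 @@), the added @implNote speaks of "the preferred provider order for the specified algorithm", but the methods it documents take `mechanisms` and `mechanism`, described as IANA-registered SASL mechanism names. The wording looks copied from the JCA classes; say "for the specified mechanism", or state how a SASL mechanism name maps onto an entry of jdk.security.provider.preferred, so that a reader knows what to put in the property.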
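Review bot: In TerminalFactory.java (@@ -229,6 +229,13 @@), the @implNote refers to "the specified algorithm" while the documented parameter is `type` ("the type of the requested TerminalFactory"). Reword it to "the specified type" so the note matches the method signature, and make clear that the type string is what is matched against the algorithm part of a jdk.security.provider.preferred entry.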
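Review bot: In TransformService.java (@@ -136,6 +136,13 @@), the @implNote sits above `@param algorithm the URI of the algorithm`, whereas the java.security comment added by this same change defines the algorithm field of the property as "the standard algorithm name or transformation". The note should say whether the URI itself is the value to list in jdk.security.provider.preferred, because the two descriptions do not obviously name the same string.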
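Review bot: In KeyInfoFactory.java, the second hunk (@@ -263,6 +270,13 @@) attaches the @implNote to a method whose visible Javadoc has no algorithm or mechanism parameter, only `@return a new KeyInfoFactory` for the DOM mechanism, so "the specified algorithm" refers to nothing there; name the DOM mechanism explicitly. The first hunk (@@ -129,6 +129,13 @@), like the XMLSignatureFactory.java hunk, documents `mechanismType`, and the note should use that term rather than "algorithm".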