# HG changeset patch # User valeriep # Date 1469582649 0 # Node ID 21a9b8df49f52a15b8b60f7031d9506178771d16 # Parent 5dba95a26226a51d9d3f29e66ef56466b31bf6b2 8159488: Deprivilege java.xml.crypto Summary: Update java.policy with the necessary permissions and minor code refactoring Reviewed-by: mullan diff -r 5dba95a26226 -r 21a9b8df49f5 jdk/src/java.base/share/conf/security/java.policy --- a/jdk/src/java.base/share/conf/security/java.policy Tue Jul 26 15:41:40 2016 -0700 +++ b/jdk/src/java.base/share/conf/security/java.policy Wed Jul 27 01:24:09 2016 +0000 @@ -122,6 +122,14 @@ permission java.util.PropertyPermission "*", "read"; }; +grant codeBase "jrt:/java.xml.crypto" { + permission java.util.PropertyPermission "*", "read"; + permission java.security.SecurityPermission "putProviderProperty.XMLDSig"; + permission java.security.SecurityPermission "clearProviderProperties.XMLDSig"; + permission java.security.SecurityPermission "removeProviderProperty.XMLDSig"; + permission java.security.SecurityPermission "com.sun.org.apache.xml.internal.security.register"; +}; + grant codeBase "jrt:/java.xml.ws" { permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.*"; permission java.lang.RuntimePermission "accessClassInPackage.com.sun.istack.internal"; diff -r 5dba95a26226 -r 21a9b8df49f5 jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/TransformService.java --- a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/TransformService.java Tue Jul 26 15:41:40 2016 -0700 +++ b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/TransformService.java Wed Jul 27 01:24:09 2016 +0000 @@ -39,8 +39,6 @@ import javax.xml.crypto.XMLCryptoContext; import javax.xml.crypto.dsig.spec.TransformParameterSpec; -import sun.security.jca.*; -import sun.security.jca.GetInstance.Instance; /** * A Service Provider Interface for transform and canonicalization algorithms. @@ -165,18 +163,23 @@ if (mechanismType.equals("DOM")) { dom = true; } - List services = GetInstance.getServices("TransformService", algorithm); - for (Iterator t = services.iterator(); t.hasNext(); ) { - Service s = t.next(); - String value = s.getAttribute("MechanismType"); - if ((value == null && dom) || - (value != null && value.equals(mechanismType))) { - Instance instance = GetInstance.getInstance(s, null); - TransformService ts = (TransformService) instance.impl; - ts.algorithm = algorithm; - ts.mechanism = mechanismType; - ts.provider = instance.provider; - return ts; + + Provider[] provs = Security.getProviders(); + for (Provider p : provs) { + Service s = p.getService("TransformService", algorithm); + if (s != null) { + String value = s.getAttribute("MechanismType"); + if ((value == null && dom) || + (value != null && value.equals(mechanismType))) { + Object obj = s.newInstance(null); + if (obj instanceof TransformService) { + TransformService ts = (TransformService) obj; + ts.algorithm = algorithm; + ts.mechanism = mechanismType; + ts.provider = p; + return ts; + } + } } } throw new NoSuchAlgorithmException @@ -215,21 +218,24 @@ if (mechanismType.equals("DOM")) { dom = true; } - Service s = GetInstance.getService - ("TransformService", algorithm, provider); - String value = s.getAttribute("MechanismType"); - if ((value == null && dom) || - (value != null && value.equals(mechanismType))) { - Instance instance = GetInstance.getInstance(s, null); - TransformService ts = (TransformService) instance.impl; - ts.algorithm = algorithm; - ts.mechanism = mechanismType; - ts.provider = instance.provider; - return ts; + Service s = provider.getService("TransformService", algorithm); + if (s != null) { + String value = s.getAttribute("MechanismType"); + if ((value == null && dom) || + (value != null && value.equals(mechanismType))) { + Object obj = s.newInstance(null); + if (obj instanceof TransformService) { + TransformService ts = (TransformService) obj; + ts.algorithm = algorithm; + ts.mechanism = mechanismType; + ts.provider = provider; + return ts; + } + } } throw new NoSuchAlgorithmException (algorithm + " algorithm and " + mechanismType - + " mechanism not available"); + + " mechanism not available from " + provider.getName()); } /** @@ -268,21 +274,25 @@ if (mechanismType.equals("DOM")) { dom = true; } - Service s = GetInstance.getService - ("TransformService", algorithm, provider); - String value = s.getAttribute("MechanismType"); - if ((value == null && dom) || - (value != null && value.equals(mechanismType))) { - Instance instance = GetInstance.getInstance(s, null); - TransformService ts = (TransformService) instance.impl; - ts.algorithm = algorithm; - ts.mechanism = mechanismType; - ts.provider = instance.provider; - return ts; + Provider p = Security.getProvider(provider); + Service s = p.getService("TransformService", algorithm); + if (s != null) { + String value = s.getAttribute("MechanismType"); + if ((value == null && dom) || + (value != null && value.equals(mechanismType))) { + Object obj = s.newInstance(null); + if (obj instanceof TransformService) { + TransformService ts = (TransformService) obj; + ts.algorithm = algorithm; + ts.mechanism = mechanismType; + ts.provider = p; + return ts; + } + } } throw new NoSuchAlgorithmException (algorithm + " algorithm and " + mechanismType - + " mechanism not available"); + + " mechanism not available from " + provider); } private static class MechanismMapEntry implements Map.Entry { diff -r 5dba95a26226 -r 21a9b8df49f5 jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLSignatureFactory.java --- a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLSignatureFactory.java Tue Jul 26 15:41:40 2016 -0700 +++ b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLSignatureFactory.java Wed Jul 27 01:24:09 2016 +0000 @@ -43,11 +43,10 @@ import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.Provider; +import java.security.Provider.Service; import java.security.Security; import java.util.List; -import sun.security.jca.*; -import sun.security.jca.GetInstance.Instance; /** * A factory for creating {@link XMLSignature} objects from scratch or @@ -198,17 +197,26 @@ if (mechanismType == null) { throw new NullPointerException("mechanismType cannot be null"); } - Instance instance; - try { - instance = GetInstance.getInstance - ("XMLSignatureFactory", null, mechanismType); - } catch (NoSuchAlgorithmException nsae) { - throw new NoSuchMechanismException(nsae); + Provider[] provs = Security.getProviders(); + for (Provider p : provs) { + Service s = p.getService("XMLSignatureFactory", mechanismType); + if (s != null) { + Object obj = null; + try { + obj = s.newInstance(null); + } catch (NoSuchAlgorithmException nsae) { + throw new NoSuchMechanismException(nsae); + } + if (obj instanceof XMLSignatureFactory) { + XMLSignatureFactory factory = (XMLSignatureFactory) obj; + factory.mechanismType = mechanismType; + factory.provider = p; + return factory; + } + } } - XMLSignatureFactory factory = (XMLSignatureFactory) instance.impl; - factory.mechanismType = mechanismType; - factory.provider = instance.provider; - return factory; + throw new NoSuchMechanismException + ("Mechanism " + mechanismType + " not available"); } /** @@ -240,17 +248,25 @@ throw new NullPointerException("provider cannot be null"); } - Instance instance; - try { - instance = GetInstance.getInstance - ("XMLSignatureFactory", null, mechanismType, provider); - } catch (NoSuchAlgorithmException nsae) { - throw new NoSuchMechanismException(nsae); + Service s = provider.getService("XMLSignatureFactory", mechanismType); + if (s != null) { + Object obj = null; + try { + obj = s.newInstance(null); + } catch (NoSuchAlgorithmException nsae) { + throw new NoSuchMechanismException(nsae); + } + + if (obj instanceof XMLSignatureFactory) { + XMLSignatureFactory factory = (XMLSignatureFactory) obj; + factory.mechanismType = mechanismType; + factory.provider = provider; + return factory; + } } - XMLSignatureFactory factory = (XMLSignatureFactory) instance.impl; - factory.mechanismType = mechanismType; - factory.provider = instance.provider; - return factory; + throw new NoSuchMechanismException + ("Mechanism " + mechanismType + " not available from " + + provider.getName()); } /** @@ -288,17 +304,24 @@ throw new NoSuchProviderException(); } - Instance instance; - try { - instance = GetInstance.getInstance - ("XMLSignatureFactory", null, mechanismType, provider); - } catch (NoSuchAlgorithmException nsae) { - throw new NoSuchMechanismException(nsae); + Provider p = Security.getProvider(provider); + Service s = p.getService("XMLSignatureFactory", mechanismType); + if (s != null) { + Object obj = null; + try { + obj = s.newInstance(null); + } catch (NoSuchAlgorithmException nsae) { + throw new NoSuchMechanismException(nsae); + } + if (obj instanceof XMLSignatureFactory) { + XMLSignatureFactory factory = (XMLSignatureFactory) obj; + factory.mechanismType = mechanismType; + factory.provider = p; + return factory; + } } - XMLSignatureFactory factory = (XMLSignatureFactory) instance.impl; - factory.mechanismType = mechanismType; - factory.provider = instance.provider; - return factory; + throw new NoSuchMechanismException + ("Mechanism " + mechanismType + " not available from " + provider); } /** diff -r 5dba95a26226 -r 21a9b8df49f5 jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.java --- a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.java Tue Jul 26 15:41:40 2016 -0700 +++ b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.java Wed Jul 27 01:24:09 2016 +0000 @@ -32,6 +32,7 @@ import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.Provider; +import java.security.Provider.Service; import java.security.PublicKey; import java.security.Security; import java.security.cert.X509CRL; @@ -43,8 +44,6 @@ import javax.xml.crypto.dom.DOMStructure; import javax.xml.crypto.dsig.*; -import sun.security.jca.*; -import sun.security.jca.GetInstance.Instance; /** * A factory for creating {@link KeyInfo} objects from scratch or for @@ -153,17 +152,26 @@ if (mechanismType == null) { throw new NullPointerException("mechanismType cannot be null"); } - Instance instance; - try { - instance = GetInstance.getInstance - ("KeyInfoFactory", null, mechanismType); - } catch (NoSuchAlgorithmException nsae) { - throw new NoSuchMechanismException(nsae); + Provider[] provs = Security.getProviders(); + for (Provider p : provs) { + Service s = p.getService("KeyInfoFactory", mechanismType); + if (s != null) { + Object obj = null; + try { + obj = s.newInstance(null); + } catch (NoSuchAlgorithmException nsae) { + throw new NoSuchMechanismException(nsae); + } + if (obj instanceof KeyInfoFactory) { + KeyInfoFactory factory = (KeyInfoFactory) obj; + factory.mechanismType = mechanismType; + factory.provider = p; + return factory; + } + } } - KeyInfoFactory factory = (KeyInfoFactory) instance.impl; - factory.mechanismType = mechanismType; - factory.provider = instance.provider; - return factory; + throw new NoSuchMechanismException + ("Mechanism " + mechanismType + " not available"); } /** @@ -195,17 +203,24 @@ throw new NullPointerException("provider cannot be null"); } - Instance instance; - try { - instance = GetInstance.getInstance - ("KeyInfoFactory", null, mechanismType, provider); - } catch (NoSuchAlgorithmException nsae) { - throw new NoSuchMechanismException(nsae); + Service s = provider.getService("KeyInfoFactory", mechanismType); + if (s != null) { + Object obj = null; + try { + obj = s.newInstance(null); + } catch (NoSuchAlgorithmException nsae) { + throw new NoSuchMechanismException(nsae); + } + + if (obj instanceof KeyInfoFactory) { + KeyInfoFactory factory = (KeyInfoFactory) obj; + factory.mechanismType = mechanismType; + factory.provider = provider; + return factory; + } } - KeyInfoFactory factory = (KeyInfoFactory) instance.impl; - factory.mechanismType = mechanismType; - factory.provider = instance.provider; - return factory; + throw new NoSuchMechanismException + ("Mechanism " + mechanismType + " not available from " + provider.getName()); } /** @@ -242,18 +257,24 @@ } else if (provider.length() == 0) { throw new NoSuchProviderException(); } - - Instance instance; - try { - instance = GetInstance.getInstance - ("KeyInfoFactory", null, mechanismType, provider); - } catch (NoSuchAlgorithmException nsae) { - throw new NoSuchMechanismException(nsae); + Provider p = Security.getProvider(provider); + Service s = p.getService("KeyInfoFactory", mechanismType); + if (s != null) { + Object obj = null; + try { + obj = s.newInstance(null); + } catch (NoSuchAlgorithmException nsae) { + throw new NoSuchMechanismException(nsae); + } + if (obj instanceof KeyInfoFactory) { + KeyInfoFactory factory = (KeyInfoFactory) obj; + factory.mechanismType = mechanismType; + factory.provider = p; + return factory; + } } - KeyInfoFactory factory = (KeyInfoFactory) instance.impl; - factory.mechanismType = mechanismType; - factory.provider = instance.provider; - return factory; + throw new NoSuchMechanismException + ("Mechanism " + mechanismType + " not available from " + provider); } /** diff -r 5dba95a26226 -r 21a9b8df49f5 jdk/test/javax/xml/crypto/dsig/GetInstanceTests.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/javax/xml/crypto/dsig/GetInstanceTests.java Wed Jul 27 01:24:09 2016 +0000 @@ -0,0 +1,97 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @test + * @bug 8159488 + * @summary Basic tests for the various getInstance() methods of + * XMLSignatureFactory, TransformService, and KeyInfoFactory classes + * @run main GetInstanceTests + */ +import java.security.*; +import javax.xml.crypto.dsig.*; +import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory; + + +public class GetInstanceTests { + + public static void main(String[] argv) throws Exception { + TestTransformService(CanonicalizationMethod.INCLUSIVE, "DOM"); + TestTransformService(CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS, "DOM"); + TestTransformService(Transform.BASE64, "DOM"); + TestTransformService(Transform.XPATH2, "DOM"); + TestXMLSignatureFactory(); + TestKeyInfoFactory(); + } + + private static void TestTransformService(String algo, + String mechType) throws Exception { + TransformService ts = TransformService.getInstance(algo, mechType); + Provider p = ts.getProvider(); + try { + ts = TransformService.getInstance(algo, mechType, p); + ts = TransformService.getInstance(algo, mechType, p.getName()); + } catch (Exception ex) { + throw new RuntimeException("Error: Unexpected exception", ex); + } + } + + private static void TestXMLSignatureFactory() throws Exception { + XMLSignatureFactory fac = XMLSignatureFactory.getInstance(); + Provider p = fac.getProvider(); + String mechType = fac.getMechanismType(); + Provider p2; + try { + fac = XMLSignatureFactory.getInstance(mechType); + p2 = fac.getProvider(); + fac = XMLSignatureFactory.getInstance(mechType, p); + fac = XMLSignatureFactory.getInstance(mechType, p.getName()); + } catch (Exception ex) { + throw new RuntimeException("Error: Unexpected exception", ex); + } + if (p2.getName() != p.getName()) { + throw new RuntimeException("Error: Provider equality check failed"); + } + if (p2.getName() != p.getName()) { + throw new RuntimeException("Error: Provider equality check failed"); + } + } + + private static void TestKeyInfoFactory() throws Exception { + KeyInfoFactory fac = KeyInfoFactory.getInstance(); + Provider p = fac.getProvider(); + String mechType = fac.getMechanismType(); + Provider p2; + try { + fac = KeyInfoFactory.getInstance(mechType); + p2 = fac.getProvider(); + fac = KeyInfoFactory.getInstance(mechType, p); + fac = KeyInfoFactory.getInstance(mechType, p.getName()); + } catch (Exception ex) { + throw new RuntimeException("Error: Unexpected exception", ex); + } + if (p2.getName() != p.getName()) { + throw new RuntimeException("Error: Provider equality check failed"); + } + } +}