8159488: Deprivilege java.xml.crypto
Summary: Update java.policy with the necessary permissions and minor code refactoring
Reviewed-by: mullan
--- a/jdk/src/java.base/share/conf/security/java.policy Tue Jul 26 15:41:40 2016 -0700
+++ b/jdk/src/java.base/share/conf/security/java.policy Wed Jul 27 01:24:09 2016 +0000
@@ -122,6 +122,14 @@
permission java.util.PropertyPermission "*", "read";
};
+grant codeBase "jrt:/java.xml.crypto" {
+ permission java.util.PropertyPermission "*", "read";
+ permission java.security.SecurityPermission "putProviderProperty.XMLDSig";
+ permission java.security.SecurityPermission "clearProviderProperties.XMLDSig";
+ permission java.security.SecurityPermission "removeProviderProperty.XMLDSig";
+ permission java.security.SecurityPermission "com.sun.org.apache.xml.internal.security.register";
+};
+
grant codeBase "jrt:/java.xml.ws" {
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.*";
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.istack.internal";
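Review bot: The new grant for `jrt:/java.xml.crypto` includes `permission java.util.PropertyPermission "*", "read";`, which lets the module read every system property rather than only the ones it actually consults. Since the purpose of the change is to run the module with the least privilege it needs, consider replacing the wildcard with the specific property names. The four SecurityPermission entries, by contrast, are already scoped to the XMLDSig provider and the Apache registration target. The grant that ends just above this one carries the same wildcard, so this may be a deliberate convention; if so, a `//` comment in the policy file saying why would help the next reader.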
--- a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/TransformService.java Tue Jul 26 15:41:40 2016 -0700
+++ b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/TransformService.java Wed Jul 27 01:24:09 2016 +0000
@@ -39,8 +39,6 @@
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
-import sun.security.jca.*;
-import sun.security.jca.GetInstance.Instance;
/**
* A Service Provider Interface for transform and canonicalization algorithms.
@@ -165,18 +163,23 @@
if (mechanismType.equals("DOM")) {
dom = true;
}
- List<Service> services = GetInstance.getServices("TransformService", algorithm);
- for (Iterator<Service> t = services.iterator(); t.hasNext(); ) {
- Service s = t.next();
- String value = s.getAttribute("MechanismType");
- if ((value == null && dom) ||
- (value != null && value.equals(mechanismType))) {
- Instance instance = GetInstance.getInstance(s, null);
- TransformService ts = (TransformService) instance.impl;
- ts.algorithm = algorithm;
- ts.mechanism = mechanismType;
- ts.provider = instance.provider;
- return ts;
+
+ Provider[] provs = Security.getProviders();
+ for (Provider p : provs) {
+ Service s = p.getService("TransformService", algorithm);
+ if (s != null) {
+ String value = s.getAttribute("MechanismType");
+ if ((value == null && dom) ||
+ (value != null && value.equals(mechanismType))) {
+ Object obj = s.newInstance(null);
+ if (obj instanceof TransformService) {
+ TransformService ts = (TransformService) obj;
+ ts.algorithm = algorithm;
+ ts.mechanism = mechanismType;
+ ts.provider = p;
+ return ts;
+ }
+ }
}
}
throw new NoSuchAlgorithmException
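Review bot: A `NoSuchAlgorithmException` thrown by `s.newInstance(null)` for the first matching provider leaves the loop at once, so a lower-priority provider with a working implementation of the same algorithm is never tried. The same shape is in the no-provider overloads of XMLSignatureFactory.getInstance and KeyInfoFactory.getInstance later in this change, where the catch rethrows `NoSuchMechanismException` on the first failure. The removed `GetInstance.getInstance(...)` calls there look like they retried other providers, but that helper is not visible here, so please confirm. If fallback is wanted, remember the failure and continue, `try { obj = s.newInstance(null); } catch (NoSuchAlgorithmException e) { failure = e; continue; }`, then throw `failure` after the loop when it is non-null. The method body starts above this hunk and ends below it.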
@@ -215,21 +218,24 @@
if (mechanismType.equals("DOM")) {
dom = true;
}
- Service s = GetInstance.getService
- ("TransformService", algorithm, provider);
- String value = s.getAttribute("MechanismType");
- if ((value == null && dom) ||
- (value != null && value.equals(mechanismType))) {
- Instance instance = GetInstance.getInstance(s, null);
- TransformService ts = (TransformService) instance.impl;
- ts.algorithm = algorithm;
- ts.mechanism = mechanismType;
- ts.provider = instance.provider;
- return ts;
+ Service s = provider.getService("TransformService", algorithm);
+ if (s != null) {
+ String value = s.getAttribute("MechanismType");
+ if ((value == null && dom) ||
+ (value != null && value.equals(mechanismType))) {
+ Object obj = s.newInstance(null);
+ if (obj instanceof TransformService) {
+ TransformService ts = (TransformService) obj;
+ ts.algorithm = algorithm;
+ ts.mechanism = mechanismType;
+ ts.provider = provider;
+ return ts;
+ }
+ }
}
throw new NoSuchAlgorithmException
(algorithm + " algorithm and " + mechanismType
- + " mechanism not available");
+ + " mechanism not available from " + provider.getName());
}
/**
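Review bot: The block that checks `MechanismType`, calls `s.newInstance(null)`, tests `instanceof TransformService` and fills in `algorithm`, `mechanism` and `provider` is now written out three times in this file (this hunk, the one above and the one below), differing only in which Provider is stored. A private static helper that returns null when the service is null or does not match would keep the three overloads from drifting apart. Each call site would then reduce to `TransformService ts = newTransformService(s, provider, algorithm, mechanismType, dom);` followed by `if (ts != null) return ts;` (the helper name is only a suggestion). XMLSignatureFactory and KeyInfoFactory each repeat their own version of the block three times as well. The enclosing method starts above this hunk.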
@@ -268,21 +274,25 @@
if (mechanismType.equals("DOM")) {
dom = true;
}
- Service s = GetInstance.getService
- ("TransformService", algorithm, provider);
- String value = s.getAttribute("MechanismType");
- if ((value == null && dom) ||
- (value != null && value.equals(mechanismType))) {
- Instance instance = GetInstance.getInstance(s, null);
- TransformService ts = (TransformService) instance.impl;
- ts.algorithm = algorithm;
- ts.mechanism = mechanismType;
- ts.provider = instance.provider;
- return ts;
+ Provider p = Security.getProvider(provider);
+ Service s = p.getService("TransformService", algorithm);
+ if (s != null) {
+ String value = s.getAttribute("MechanismType");
+ if ((value == null && dom) ||
+ (value != null && value.equals(mechanismType))) {
+ Object obj = s.newInstance(null);
+ if (obj instanceof TransformService) {
+ TransformService ts = (TransformService) obj;
+ ts.algorithm = algorithm;
+ ts.mechanism = mechanismType;
+ ts.provider = p;
+ return ts;
+ }
+ }
}
throw new NoSuchAlgorithmException
(algorithm + " algorithm and " + mechanismType
- + " mechanism not available");
+ + " mechanism not available from " + provider);
}
private static class MechanismMapEntry implements Map.Entry<String,String> {
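Review bot: `Security.getProvider(provider)` returns null when no provider with that name is installed, and the next line calls `p.getService(...)` on it, so an unknown provider name now fails with a NullPointerException. The removed `GetInstance.getService(..., provider)` call presumably reported this case as NoSuchProviderException, which the String-provider overloads of XMLSignatureFactory and KeyInfoFactory visibly throw for an empty name. Those two overloads have the same unchecked `Security.getProvider` call. Add a check before the lookup in all three: `if (p == null) throw new NoSuchProviderException("No such provider: " + provider);`. The start of this method, including its throws clause, is outside the hunk.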
--- a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLSignatureFactory.java Tue Jul 26 15:41:40 2016 -0700
+++ b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLSignatureFactory.java Wed Jul 27 01:24:09 2016 +0000
@@ -43,11 +43,10 @@
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
+import java.security.Provider.Service;
import java.security.Security;
import java.util.List;
-import sun.security.jca.*;
-import sun.security.jca.GetInstance.Instance;
/**
* A factory for creating {@link XMLSignature} objects from scratch or
@@ -198,17 +197,26 @@
if (mechanismType == null) {
throw new NullPointerException("mechanismType cannot be null");
}
- Instance instance;
- try {
- instance = GetInstance.getInstance
- ("XMLSignatureFactory", null, mechanismType);
- } catch (NoSuchAlgorithmException nsae) {
- throw new NoSuchMechanismException(nsae);
+ Provider[] provs = Security.getProviders();
+ for (Provider p : provs) {
+ Service s = p.getService("XMLSignatureFactory", mechanismType);
+ if (s != null) {
+ Object obj = null;
+ try {
+ obj = s.newInstance(null);
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new NoSuchMechanismException(nsae);
+ }
+ if (obj instanceof XMLSignatureFactory) {
+ XMLSignatureFactory factory = (XMLSignatureFactory) obj;
+ factory.mechanismType = mechanismType;
+ factory.provider = p;
+ return factory;
+ }
+ }
}
- XMLSignatureFactory factory = (XMLSignatureFactory) instance.impl;
- factory.mechanismType = mechanismType;
- factory.provider = instance.provider;
- return factory;
+ throw new NoSuchMechanismException
+ ("Mechanism " + mechanismType + " not available");
}
/**
@@ -240,17 +248,25 @@
throw new NullPointerException("provider cannot be null");
}
- Instance instance;
- try {
- instance = GetInstance.getInstance
- ("XMLSignatureFactory", null, mechanismType, provider);
- } catch (NoSuchAlgorithmException nsae) {
- throw new NoSuchMechanismException(nsae);
+ Service s = provider.getService("XMLSignatureFactory", mechanismType);
+ if (s != null) {
+ Object obj = null;
+ try {
+ obj = s.newInstance(null);
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new NoSuchMechanismException(nsae);
+ }
+
+ if (obj instanceof XMLSignatureFactory) {
+ XMLSignatureFactory factory = (XMLSignatureFactory) obj;
+ factory.mechanismType = mechanismType;
+ factory.provider = provider;
+ return factory;
+ }
}
- XMLSignatureFactory factory = (XMLSignatureFactory) instance.impl;
- factory.mechanismType = mechanismType;
- factory.provider = instance.provider;
- return factory;
+ throw new NoSuchMechanismException
+ ("Mechanism " + mechanismType + " not available from " +
+ provider.getName());
}
/**
@@ -288,17 +304,24 @@
throw new NoSuchProviderException();
}
- Instance instance;
- try {
- instance = GetInstance.getInstance
- ("XMLSignatureFactory", null, mechanismType, provider);
- } catch (NoSuchAlgorithmException nsae) {
- throw new NoSuchMechanismException(nsae);
+ Provider p = Security.getProvider(provider);
+ Service s = p.getService("XMLSignatureFactory", mechanismType);
+ if (s != null) {
+ Object obj = null;
+ try {
+ obj = s.newInstance(null);
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new NoSuchMechanismException(nsae);
+ }
+ if (obj instanceof XMLSignatureFactory) {
+ XMLSignatureFactory factory = (XMLSignatureFactory) obj;
+ factory.mechanismType = mechanismType;
+ factory.provider = p;
+ return factory;
+ }
}
- XMLSignatureFactory factory = (XMLSignatureFactory) instance.impl;
- factory.mechanismType = mechanismType;
- factory.provider = instance.provider;
- return factory;
+ throw new NoSuchMechanismException
+ ("Mechanism " + mechanismType + " not available from " + provider);
}
/**
--- a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.java Tue Jul 26 15:41:40 2016 -0700
+++ b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.java Wed Jul 27 01:24:09 2016 +0000
@@ -32,6 +32,7 @@
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
+import java.security.Provider.Service;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.X509CRL;
@@ -43,8 +44,6 @@
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.*;
-import sun.security.jca.*;
-import sun.security.jca.GetInstance.Instance;
/**
* A factory for creating {@link KeyInfo} objects from scratch or for
@@ -153,17 +152,26 @@
if (mechanismType == null) {
throw new NullPointerException("mechanismType cannot be null");
}
- Instance instance;
- try {
- instance = GetInstance.getInstance
- ("KeyInfoFactory", null, mechanismType);
- } catch (NoSuchAlgorithmException nsae) {
- throw new NoSuchMechanismException(nsae);
+ Provider[] provs = Security.getProviders();
+ for (Provider p : provs) {
+ Service s = p.getService("KeyInfoFactory", mechanismType);
+ if (s != null) {
+ Object obj = null;
+ try {
+ obj = s.newInstance(null);
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new NoSuchMechanismException(nsae);
+ }
+ if (obj instanceof KeyInfoFactory) {
+ KeyInfoFactory factory = (KeyInfoFactory) obj;
+ factory.mechanismType = mechanismType;
+ factory.provider = p;
+ return factory;
+ }
+ }
}
- KeyInfoFactory factory = (KeyInfoFactory) instance.impl;
- factory.mechanismType = mechanismType;
- factory.provider = instance.provider;
- return factory;
+ throw new NoSuchMechanismException
+ ("Mechanism " + mechanismType + " not available");
}
/**
@@ -195,17 +203,24 @@
throw new NullPointerException("provider cannot be null");
}
- Instance instance;
- try {
- instance = GetInstance.getInstance
- ("KeyInfoFactory", null, mechanismType, provider);
- } catch (NoSuchAlgorithmException nsae) {
- throw new NoSuchMechanismException(nsae);
+ Service s = provider.getService("KeyInfoFactory", mechanismType);
+ if (s != null) {
+ Object obj = null;
+ try {
+ obj = s.newInstance(null);
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new NoSuchMechanismException(nsae);
+ }
+
+ if (obj instanceof KeyInfoFactory) {
+ KeyInfoFactory factory = (KeyInfoFactory) obj;
+ factory.mechanismType = mechanismType;
+ factory.provider = provider;
+ return factory;
+ }
}
- KeyInfoFactory factory = (KeyInfoFactory) instance.impl;
- factory.mechanismType = mechanismType;
- factory.provider = instance.provider;
- return factory;
+ throw new NoSuchMechanismException
+ ("Mechanism " + mechanismType + " not available from " + provider.getName());
}
/**
@@ -242,18 +257,24 @@
} else if (provider.length() == 0) {
throw new NoSuchProviderException();
}
-
- Instance instance;
- try {
- instance = GetInstance.getInstance
- ("KeyInfoFactory", null, mechanismType, provider);
- } catch (NoSuchAlgorithmException nsae) {
- throw new NoSuchMechanismException(nsae);
+ Provider p = Security.getProvider(provider);
+ Service s = p.getService("KeyInfoFactory", mechanismType);
+ if (s != null) {
+ Object obj = null;
+ try {
+ obj = s.newInstance(null);
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new NoSuchMechanismException(nsae);
+ }
+ if (obj instanceof KeyInfoFactory) {
+ KeyInfoFactory factory = (KeyInfoFactory) obj;
+ factory.mechanismType = mechanismType;
+ factory.provider = p;
+ return factory;
+ }
}
- KeyInfoFactory factory = (KeyInfoFactory) instance.impl;
- factory.mechanismType = mechanismType;
- factory.provider = instance.provider;
- return factory;
+ throw new NoSuchMechanismException
+ ("Mechanism " + mechanismType + " not available from " + provider);
}
/**
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/javax/xml/crypto/dsig/GetInstanceTests.java Wed Jul 27 01:24:09 2016 +0000
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8159488
+ * @summary Basic tests for the various getInstance() methods of
+ * XMLSignatureFactory, TransformService, and KeyInfoFactory classes
+ * @run main GetInstanceTests
+ */
+import java.security.*;
+import javax.xml.crypto.dsig.*;
+import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
+
+
+public class GetInstanceTests {
+
+ public static void main(String[] argv) throws Exception {
+ TestTransformService(CanonicalizationMethod.INCLUSIVE, "DOM");
+ TestTransformService(CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS, "DOM");
+ TestTransformService(Transform.BASE64, "DOM");
+ TestTransformService(Transform.XPATH2, "DOM");
+ TestXMLSignatureFactory();
+ TestKeyInfoFactory();
+ }
+
+ private static void TestTransformService(String algo,
+ String mechType) throws Exception {
+ TransformService ts = TransformService.getInstance(algo, mechType);
+ Provider p = ts.getProvider();
+ try {
+ ts = TransformService.getInstance(algo, mechType, p);
+ ts = TransformService.getInstance(algo, mechType, p.getName());
+ } catch (Exception ex) {
+ throw new RuntimeException("Error: Unexpected exception", ex);
+ }
+ }
+
+ private static void TestXMLSignatureFactory() throws Exception {
+ XMLSignatureFactory fac = XMLSignatureFactory.getInstance();
+ Provider p = fac.getProvider();
+ String mechType = fac.getMechanismType();
+ Provider p2;
+ try {
+ fac = XMLSignatureFactory.getInstance(mechType);
+ p2 = fac.getProvider();
+ fac = XMLSignatureFactory.getInstance(mechType, p);
+ fac = XMLSignatureFactory.getInstance(mechType, p.getName());
+ } catch (Exception ex) {
+ throw new RuntimeException("Error: Unexpected exception", ex);
+ }
+ if (p2.getName() != p.getName()) {
+ throw new RuntimeException("Error: Provider equality check failed");
+ }
+ if (p2.getName() != p.getName()) {
+ throw new RuntimeException("Error: Provider equality check failed");
+ }
+ }
+
+ private static void TestKeyInfoFactory() throws Exception {
+ KeyInfoFactory fac = KeyInfoFactory.getInstance();
+ Provider p = fac.getProvider();
+ String mechType = fac.getMechanismType();
+ Provider p2;
+ try {
+ fac = KeyInfoFactory.getInstance(mechType);
+ p2 = fac.getProvider();
+ fac = KeyInfoFactory.getInstance(mechType, p);
+ fac = KeyInfoFactory.getInstance(mechType, p.getName());
+ } catch (Exception ex) {
+ throw new RuntimeException("Error: Unexpected exception", ex);
+ }
+ if (p2.getName() != p.getName()) {
+ throw new RuntimeException("Error: Provider equality check failed");
+ }
+ }
+}
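Review bot: `p2.getName() != p.getName()` compares String references, so the check depends on object identity rather than on the provider names; use `if (!p2.getName().equals(p.getName()))`. In TestXMLSignatureFactory the same check appears twice in a row, so the second copy is either redundant or was meant to test something else. The test also has no case for a provider name that is not installed or for a mechanism that no provider supports, so the failure paths of the rewritten getInstance methods are untested. `@run main GetInstanceTests` does not appear to install a security manager, which would mean the permissions added to java.policy are not exercised by this test.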