8027963: Create unlimited policy jars.
authorerikj
Thu, 05 Dec 2013 09:25:31 +0100
changeset 21980 393509a81cc3
parent 21979 3dcd1bc15edd
child 21981 48b31d370bc9
8027963: Create unlimited policy jars. Reviewed-by: wetmore, ihse
jdk/make/CreateSecurityJars.gmk
jdk/make/SignJars.gmk
jdk/make/data/cryptopolicy/limited/LIMITED
jdk/make/data/cryptopolicy/unlimited/UNLIMITED
--- a/jdk/make/CreateSecurityJars.gmk	Wed Dec 04 17:37:25 2013 -0800
+++ b/jdk/make/CreateSecurityJars.gmk	Thu Dec 05 09:25:31 2013 +0100
@@ -54,7 +54,7 @@
 ##########################################################################################
 # For security and crypto jars, always build the jar, but for closed, install the prebuilt
 # signed version instead of the newly built jar. Unsigned jars are treated as intermediate
-# targets and explicitly added to the JARS list. For open, signing is not needed. See
+# targets and explicitly added to the TARGETS list. For open, signing is not needed. See
 # SignJars.gmk for more information.
 #
 # The source for the crypto jars is not available for all licensees. The BUILD_CRYPTO
@@ -63,7 +63,7 @@
 # other way to get the jars than to build them.
 
 SUNPKCS11_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/sunpkcs11.jar
-SUNPKCS11_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/sunpkcs11.jar
+SUNPKCS11_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/jce/unsigned/sunpkcs11.jar
 
 $(eval $(call SetupArchive,BUILD_SUNPKCS11_JAR, , \
     SRCS := $(JDK_OUTPUTDIR)/classes_security, \
@@ -78,19 +78,19 @@
 ifndef OPENJDK
   SUNPKCS11_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/pkcs11/sunpkcs11.jar
   $(SUNPKCS11_JAR_DST): $(SUNPKCS11_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunPKCS11 provider..."
+	@$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
 	$(install-file)
 else
   $(SUNPKCS11_JAR_DST): $(SUNPKCS11_JAR_UNSIGNED)
 	$(install-file)
 endif
 
-JARS += $(SUNPKCS11_JAR_UNSIGNED) $(SUNPKCS11_JAR_DST)
+TARGETS += $(SUNPKCS11_JAR_UNSIGNED) $(SUNPKCS11_JAR_DST)
 
 ##########################################################################################
 
 SUNEC_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/sunec.jar
-SUNEC_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/sunec.jar
+SUNEC_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/jce/unsigned/sunec.jar
 
 $(eval $(call SetupArchive,BUILD_SUNEC_JAR, , \
     SRCS := $(JDK_OUTPUTDIR)/classes_security, \
@@ -105,19 +105,19 @@
 ifndef OPENJDK
   SUNEC_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/ec/sunec.jar
   $(SUNEC_JAR_DST): $(SUNEC_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunEC provider..."
+	@$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
 	$(install-file)
 else
   $(SUNEC_JAR_DST): $(SUNEC_JAR_UNSIGNED)
 	$(install-file)
 endif
 
-JARS += $(SUNEC_JAR_UNSIGNED) $(SUNEC_JAR_DST)
+TARGETS += $(SUNEC_JAR_UNSIGNED) $(SUNEC_JAR_DST)
 
 ##########################################################################################
 
 SUNJCE_PROVIDER_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/sunjce_provider.jar
-SUNJCE_PROVIDER_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/sunjce_provider.jar
+SUNJCE_PROVIDER_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/jce/unsigned/sunjce_provider.jar
 
 ifneq ($(BUILD_CRYPTO), no)
   $(eval $(call SetupArchive,BUILD_SUNJCE_PROVIDER_JAR, , \
@@ -130,25 +130,25 @@
 
   $(SUNJCE_PROVIDER_JAR_UNSIGNED): $(JCE_MANIFEST)
 
-  JARS += $(SUNJCE_PROVIDER_JAR_UNSIGNED)
+  TARGETS += $(SUNJCE_PROVIDER_JAR_UNSIGNED)
 endif
 
 ifndef OPENJDK
   SUNJCE_PROVIDER_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/jce/sunjce_provider.jar
   $(SUNJCE_PROVIDER_JAR_DST): $(SUNJCE_PROVIDER_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunJCE provider..."
+	@$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
 	$(install-file)
 else
   $(SUNJCE_PROVIDER_JAR_DST): $(SUNJCE_PROVIDER_JAR_UNSIGNED)
 	$(install-file)
 endif
 
-JARS += $(SUNJCE_PROVIDER_JAR_DST)
+TARGETS += $(SUNJCE_PROVIDER_JAR_DST)
 
 ##########################################################################################
 
 JCE_JAR_DST := $(JDK_OUTPUTDIR)/lib/jce.jar
-JCE_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/jce.jar
+JCE_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/jce/unsigned/jce.jar
 
 ifneq ($(BUILD_CRYPTO), no)
   $(eval $(call SetupArchive,BUILD_JCE_JAR, , \
@@ -161,36 +161,43 @@
 
   $(JCE_JAR_UNSIGNED): $(JCE_MANIFEST)
 
-  JARS += $(JCE_JAR_UNSIGNED)
+  TARGETS += $(JCE_JAR_UNSIGNED)
 endif
 
 ifndef OPENJDK
   JCE_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/jce/jce.jar
   $(JCE_JAR_DST): $(JCE_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt jce.jar..."
+	@$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
 	$(install-file)
 else
   $(JCE_JAR_DST): $(JCE_JAR_UNSIGNED)
 	$(install-file)
 endif
 
-JARS += $(JCE_JAR_DST)
+TARGETS += $(JCE_JAR_DST)
 
 ##########################################################################################
 
 US_EXPORT_POLICY_JAR_DST := $(JDK_OUTPUTDIR)/lib/security/US_export_policy.jar
-US_EXPORT_POLICY_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/US_export_policy.jar
 
 ifneq ($(BUILD_CRYPTO), no)
+
+  US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED := \
+      $(JDK_OUTPUTDIR)/jce/unsigned/policy/limited/US_export_policy.jar
+  US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED := \
+      $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/US_export_policy.jar
+
   #
   # TODO fix so that SetupArchive does not write files into SRCS
   # then we don't need this extra copying
   #
   # NOTE: We currently do not place restrictions on our limited export
-  # policy. This was not a typo.
+  # policy. This was not a typo. This means we are shipping the same file
+  # for both limimted and unlimited US_export_policy.jar.
   #
   US_EXPORT_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/data/cryptopolicy/unlimited
-  US_EXPORT_POLICY_JAR_TMP := $(JDK_OUTPUTDIR)/US_export_policy_jar.tmp
+  US_EXPORT_POLICY_JAR_TMP := \
+      $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/US_export_policy_jar.tmp
 
   $(US_EXPORT_POLICY_JAR_TMP)/%: $(US_EXPORT_POLICY_JAR_SRC_DIR)/%
 	$(install-file)
@@ -200,77 +207,113 @@
   $(eval $(call SetupArchive,BUILD_US_EXPORT_POLICY_JAR, $(US_EXPORT_POLICY_JAR_DEPS), \
       SRCS := $(US_EXPORT_POLICY_JAR_TMP), \
       SUFFIXES := .policy, \
-      JAR := $(US_EXPORT_POLICY_JAR_UNSIGNED), \
+      JAR := $(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED), \
       EXTRA_MANIFEST_ATTR := Crypto-Strength: unlimited, \
       SKIP_METAINF := true))
 
-  JARS += $(US_EXPORT_POLICY_JAR_UNSIGNED)
+  $(US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED): $(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
+	$(ECHO) $(LOG_INFO) Copying unlimited $(patsubst $(OUTPUT_ROOT)/%,%,$@)
+	$(install-file)
+
+  TARGETS += $(US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED) \
+      $(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
 endif
 
 ifndef OPENJDK
+  ifeq ($(UNLIMITED_CRYPTO), true)
+    $(error No prebuilt unlimited crypto jars available)
+  endif
   $(US_EXPORT_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/US_export_policy.jar
-	$(ECHO) $(LOG_INFO) Copying $(@F)
+	$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
 	$(install-file)
 else
-  $(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_UNSIGNED)
+  ifeq ($(UNLIMITED_CRYPTO), true)
+    $(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
 	$(install-file)
+  else
+    $(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED)
+	$(install-file)
+  endif
 endif
 
-JARS += $(US_EXPORT_POLICY_JAR_DST)
+TARGETS += $(US_EXPORT_POLICY_JAR_DST)
 
 ##########################################################################################
 
 LOCAL_POLICY_JAR_DST := $(JDK_OUTPUTDIR)/lib/security/local_policy.jar
-LOCAL_POLICY_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/local_policy.jar
 
 ifneq ($(BUILD_CRYPTO), no)
+
+  LOCAL_POLICY_JAR_LIMITED_UNSIGNED := \
+      $(JDK_OUTPUTDIR)/jce/unsigned/policy/limited/local_policy.jar
+  LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED := \
+      $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/local_policy.jar
+
   #
   # TODO fix so that SetupArchive does not write files into SRCS
   # then we don't need this extra copying
   #
-  LOCAL_POLICY_JAR_TMP := $(JDK_OUTPUTDIR)/local_policy_jar.tmp
+  LOCAL_POLICY_JAR_LIMITED_TMP := \
+      $(JDK_OUTPUTDIR)/jce/unsigned/policy/limited/local_policy_jar.tmp
+  LOCAL_POLICY_JAR_UNLIMITED_TMP := \
+      $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/local_policy_jar.tmp
 
-  ifeq ($(UNLIMITED_CRYPTO), true)
-    LOCAL_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/data/cryptopolicy/unlimited
-    LOCAL_POLICY_JAR_DEPS := $(LOCAL_POLICY_JAR_TMP)/default_local.policy
-    LOCAL_POLICY_JAR_ATTR := Crypto-Strength: unlimited
-  else
-    LOCAL_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/data/cryptopolicy/limited
-    LOCAL_POLICY_JAR_DEPS := $(LOCAL_POLICY_JAR_TMP)/exempt_local.policy \
-        $(LOCAL_POLICY_JAR_TMP)/default_local.policy
-    LOCAL_POLICY_JAR_ATTR := Crypto-Strength: limited
-  endif
+  $(LOCAL_POLICY_JAR_LIMITED_TMP)/%: $(JDK_TOPDIR)/make/data/cryptopolicy/limited/%
+	$(install-file)
 
-  $(LOCAL_POLICY_JAR_TMP)/%: $(LOCAL_POLICY_JAR_SRC_DIR)/%
+  $(LOCAL_POLICY_JAR_UNLIMITED_TMP)/%: $(JDK_TOPDIR)/make/data/cryptopolicy/unlimited/%
 	$(install-file)
 
-  $(eval $(call SetupArchive,BUILD_LOCAL_POLICY_JAR, $(LOCAL_POLICY_JAR_DEPS), \
-      SRCS := $(LOCAL_POLICY_JAR_TMP), \
+  $(eval $(call SetupArchive,BUILD_LOCAL_POLICY_JAR_LIMITED, \
+      $(LOCAL_POLICY_JAR_LIMITED_TMP)/exempt_local.policy \
+      $(LOCAL_POLICY_JAR_LIMITED_TMP)/default_local.policy, \
+      SRCS := $(LOCAL_POLICY_JAR_LIMITED_TMP), \
       SUFFIXES := .policy, \
-      JAR := $(LOCAL_POLICY_JAR_UNSIGNED), \
-      EXTRA_MANIFEST_ATTR := $(LOCAL_POLICY_JAR_ATTR), \
+      JAR := $(LOCAL_POLICY_JAR_LIMITED_UNSIGNED), \
+      EXTRA_MANIFEST_ATTR := Crypto-Strength: limited, \
       SKIP_METAINF := true))
 
-  JARS += $(LOCAL_POLICY_JAR_UNSIGNED)
+  $(eval $(call SetupArchive,BUILD_LOCAL_POLICY_JAR_UNLIMITED, \
+      $(LOCAL_POLICY_JAR_UNLIMITED_TMP)/default_local.policy, \
+      SRCS := $(LOCAL_POLICY_JAR_UNLIMITED_TMP), \
+      SUFFIXES := .policy, \
+      JAR := $(LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED), \
+      EXTRA_MANIFEST_ATTR := Crypto-Strength: unlimited, \
+      SKIP_METAINF := true))
+
+  TARGETS += $(LOCAL_POLICY_JAR_LIMITED_UNSIGNED) $(LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED)
+
+  ifndef OPENJDK
+    $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt: \
+        $(JDK_TOPDIR)/make/closed/javax/crypto/doc/README.txt
+		$(install-file)
+
+    TARGETS += $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt
+  endif
 endif
 
 ifndef OPENJDK
   $(LOCAL_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/local_policy.jar
-	$(ECHO) $(LOG_INFO) Copying $(@F)
+	$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
 	$(install-file)
 else
-  $(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_UNSIGNED)
+  ifeq ($(UNLIMITED_CRYPTO), true)
+    $(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED)
 	$(install-file)
+  else
+    $(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_LIMITED_UNSIGNED)
+	$(install-file)
+  endif
 endif
 
-JARS += $(LOCAL_POLICY_JAR_DST)
+TARGETS += $(LOCAL_POLICY_JAR_DST)
 
 ##########################################################################################
 
 ifeq ($(OPENJDK_TARGET_OS), windows)
 
   SUNMSCAPI_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/sunmscapi.jar
-  SUNMSCAPI_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/sunmscapi.jar
+  SUNMSCAPI_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/jce/unsigned/sunmscapi.jar
 
   $(eval $(call SetupArchive,BUILD_SUNMSCAPI_JAR, , \
       SRCS := $(JDK_OUTPUTDIR)/classes_security, \
@@ -285,14 +328,14 @@
   ifndef OPENJDK
     SUNMSCAPI_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/mscapi/sunmscapi.jar
     $(SUNMSCAPI_JAR_DST): $(SUNMSCAPI_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunMSCAPI provider..."
+	@$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
 	$(install-file)
   else
     $(SUNMSCAPI_JAR_DST): $(SUNMSCAPI_JAR_UNSIGNED)
 	$(install-file)
   endif
 
-  JARS += $(SUNMSCAPI_JAR_UNSIGNED) $(SUNMSCAPI_JAR_DST)
+  TARGETS += $(SUNMSCAPI_JAR_UNSIGNED) $(SUNMSCAPI_JAR_DST)
 
 endif
 
@@ -302,7 +345,7 @@
   ifndef OPENJDK
 
     UCRYPTO_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/ucrypto.jar
-    UCRYPTO_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/ucrypto.jar
+    UCRYPTO_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/jce/unsigned/ucrypto.jar
     UCRYPTO_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/ucrypto/ucrypto.jar
 
     $(eval $(call SetupArchive,BUILD_UCRYPTO_JAR, , \
@@ -316,14 +359,14 @@
     $(UCRYPTO_JAR_UNSIGNED): $(JCE_MANIFEST)
 
     $(UCRYPTO_JAR_DST): $(UCRYPTO_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt OracleUcrypto provider..."
+	@$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
 	$(install-file)
 
-    JARS += $(UCRYPTO_JAR_UNSIGNED) $(UCRYPTO_JAR_DST)
+    TARGETS += $(UCRYPTO_JAR_UNSIGNED) $(UCRYPTO_JAR_DST)
 
   endif
 endif
 
-all: $(JARS)
+all: $(TARGETS)
 
 .PHONY: default all
--- a/jdk/make/SignJars.gmk	Wed Dec 04 17:37:25 2013 -0800
+++ b/jdk/make/SignJars.gmk	Thu Dec 05 09:25:31 2013 +0100
@@ -80,7 +80,7 @@
 	  exit 2; \
 	fi
 
-$(JCE_OUTPUTDIR)/%: $(JDK_OUTPUTDIR)/unsigned/%
+$(JDK_OUTPUTDIR)/jce/signed/%: $(JDK_OUTPUTDIR)/jce/unsigned/%
 	$(call install-file)
 	$(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \
 	    $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE)
@@ -88,26 +88,33 @@
 
 JAR_LIST := \
     jce.jar \
-    local_policy.jar \
+    policy/limited/local_policy.jar \
+    policy/limited/US_export_policy.jar \
+    policy/unlimited/local_policy.jar \
+    policy/unlimited/US_export_policy.jar \
     sunec.jar \
     sunjce_provider.jar \
     sunpkcs11.jar \
-    US_export_policy.jar \
     sunmscapi.jar \
     ucrypto.jar \
     #
 
-UNSIGNED_JARS := $(wildcard $(addprefix $(JDK_OUTPUTDIR)/unsigned/, $(JAR_LIST)))
+UNSIGNED_JARS := $(wildcard $(addprefix $(JDK_OUTPUTDIR)/jce/unsigned/, $(JAR_LIST)))
 
 ifeq ($(UNSIGNED_JARS), )
-  $(error No jars found in $(JDK_OUTPUTDIR)/unsigned/)
+  $(error No jars found in $(JDK_OUTPUTDIR)/jce/unsigned/)
 endif
 
-SIGNED_JARS := $(patsubst $(JDK_OUTPUTDIR)/unsigned/%,$(JCE_OUTPUTDIR)/%, $(UNSIGNED_JARS))
+SIGNED_JARS := $(patsubst $(JDK_OUTPUTDIR)/jce/unsigned/%,$(JDK_OUTPUTDIR)/jce/signed/%, \
+    $(UNSIGNED_JARS))
 
 $(SIGNED_JARS): check-keystore
 
-all: $(SIGNED_JARS)
+$(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt: \
+    $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt
+	$(install-file)
+
+all: $(SIGNED_JARS) $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt
 	@$(PRINTF) "\n*** The jar files built by the 'sign-jars' target are developer      ***"
 	@$(PRINTF) "\n*** builds only and *MUST NOT* be checked into the closed workspace. ***"
 	@$(PRINTF) "\n***                                                                  ***"
--- a/jdk/make/data/cryptopolicy/limited/LIMITED	Wed Dec 04 17:37:25 2013 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-Crypto-Strength: limited
--- a/jdk/make/data/cryptopolicy/unlimited/UNLIMITED	Wed Dec 04 17:37:25 2013 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-Crypto-Strength: unlimited