8168313: Tighten permissions granted to jdk.crypto.pkcs11 module
authormullan
Fri, 21 Oct 2016 09:02:57 -0400
changeset 41603 bb9d97b4c21b
parent 41601 d04193dcb0f7
child 41604 95f4b6dbc5c9
8168313: Tighten permissions granted to jdk.crypto.pkcs11 module Reviewed-by: ascarpino
jdk/src/java.base/share/classes/module-info.java
jdk/src/java.base/share/lib/security/default.policy
jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/Config.java
jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/wrapper/Constants.java
--- a/jdk/src/java.base/share/classes/module-info.java	Fri Oct 21 12:31:50 2016 +0100
+++ b/jdk/src/java.base/share/classes/module-info.java	Fri Oct 21 09:02:57 2016 -0400
@@ -240,8 +240,7 @@
         java.xml.ws;
     exports sun.security.action to
         java.desktop,
-        java.security.jgss,
-        jdk.crypto.pkcs11;
+        java.security.jgss;
     exports sun.security.internal.interfaces to
         jdk.crypto.pkcs11;
     exports sun.security.internal.spec to
--- a/jdk/src/java.base/share/lib/security/default.policy	Fri Oct 21 12:31:50 2016 +0100
+++ b/jdk/src/java.base/share/lib/security/default.policy	Fri Oct 21 09:02:57 2016 -0400
@@ -111,11 +111,11 @@
 grant codeBase "jrt:/jdk.crypto.pkcs11" {
     permission java.lang.RuntimePermission
                    "accessClassInPackage.sun.security.*";
-    permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
     permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
     permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
-    // needs "security.pkcs11.allowSingleThreadedModules"
-    permission java.util.PropertyPermission "*", "read";
+    permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read";
+    permission java.util.PropertyPermission "os.name", "read";
+    permission java.util.PropertyPermission "os.arch", "read";
     permission java.security.SecurityPermission "putProviderProperty.*";
     permission java.security.SecurityPermission "clearProviderProperties.*";
     permission java.security.SecurityPermission "removeProviderProperty.*";
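Review bot: The three `PropertyPermission` lines added to the `jrt:/jdk.crypto.pkcs11` grant have no comment naming the code that reads them, whereas the wildcard line they replace had one. Now that the grant is an exact list, any further property read in the module will fail under a security manager unless the read and this list are updated together. A short comment above the three lines would keep the pairing visible, for example `// read once in the static initializer of sun.security.pkcs11.Config`. Whether other classes in the module read further properties cannot be seen from this page and is worth confirming. The grant block's closing brace is outside the hunk.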
--- a/jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/Config.java	Fri Oct 21 12:31:50 2016 +0100
+++ b/jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/Config.java	Fri Oct 21 09:02:57 2016 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,7 +32,6 @@
 
 import java.security.*;
 
-import sun.security.action.GetPropertyAction;
 import sun.security.util.PropertyExpander;
 
 import sun.security.pkcs11.wrapper.*;
@@ -58,15 +57,30 @@
     // will accept single threaded modules regardless of the setting in their
     // config files.
     private static final boolean staticAllowSingleThreadedModules;
+    private static final String osName;
+    private static final String osArch;
 
     static {
-        String p = "sun.security.pkcs11.allowSingleThreadedModules";
-        String s = AccessController.doPrivileged(new GetPropertyAction(p));
-        if ("false".equalsIgnoreCase(s)) {
+        List<String> props = AccessController.doPrivileged(
+            new PrivilegedAction<>() {
+                @Override
+                public List<String> run() {
+                    return List.of(
+                        System.getProperty(
+                            "sun.security.pkcs11.allowSingleThreadedModules",
+                            "true"),
+                        System.getProperty("os.name"),
+                        System.getProperty("os.arch"));
+                }
+            }
+        );
+        if ("false".equalsIgnoreCase(props.get(0))) {
             staticAllowSingleThreadedModules = false;
         } else {
             staticAllowSingleThreadedModules = true;
         }
+        osName = props.get(1);
+        osArch = props.get(2);
     }
 
     private final static boolean DEBUG = false;
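Review bot: `List.of` rejects null elements, and the new `System.getProperty("os.name")` and `System.getProperty("os.arch")` calls have no default, so an unset or cleared property would throw a NullPointerException inside this static initializer and `Config` would fail to load. The two lines removed from the `$ISA` expansion in the later hunk of this file used an empty-string default. Keeping it here, as `System.getProperty("os.name", "")` and `System.getProperty("os.arch", "")`, preserves the old behaviour and keeps the later `osName.equals("SunOS")` call safe. As a smaller style point, the `if`/`else` could be written as `staticAllowSingleThreadedModules = !"false".equalsIgnoreCase(props.get(0));`.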
@@ -650,8 +664,6 @@
             // replace "/$ISA/" with "/sparcv9/" on 64-bit Solaris SPARC
             // and with "/amd64/" on Solaris AMD64.
             // On all other platforms, just turn it into a "/"
-            String osName = System.getProperty("os.name", "");
-            String osArch = System.getProperty("os.arch", "");
             String prefix = lib.substring(0, i);
             String suffix = lib.substring(i + 5);
             if (osName.equals("SunOS") && osArch.equals("sparcv9")) {
--- a/jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/wrapper/Constants.java	Fri Oct 21 12:31:50 2016 +0100
+++ b/jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/wrapper/Constants.java	Fri Oct 21 09:02:57 2016 -0400
@@ -58,7 +58,7 @@
  */
 public class Constants {
 
-    public static final String NEWLINE = System.getProperty("line.separator");
+    public static final String NEWLINE = System.lineSeparator();
 
     public static final String INDENT = "  ";