Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[23.0] Fix javax.crypto.JceSecurity substitutions in JDK >= 17.0.10 #609

Merged
merged 1 commit into from
Nov 9, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
/*
* Copyright (c) 2021, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package com.oracle.svm.core.jdk;

import java.util.function.BooleanSupplier;

public class JceSecurityHasInnerClassIdentityWrapper implements BooleanSupplier {

@Override
public boolean getAsBoolean() {
try {
Class.forName("javax.crypto.JceSecurity$IdentityWrapper");
return true;
} catch (ClassNotFoundException e) {
return false;
}
}

}
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
/*
* Copyright (c) 2021, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package com.oracle.svm.core.jdk;

import java.util.function.BooleanSupplier;

public class JceSecurityHasInnerClassWeakIdentityWrapper implements BooleanSupplier {

@Override
public boolean getAsBoolean() {
try {
Class.forName("javax.crypto.JceSecurity$WeakIdentityWrapper");
return true;
} catch (ClassNotFoundException e) {
return false;
}
}

}
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand All @@ -26,6 +26,7 @@

import static com.oracle.svm.core.snippets.KnownIntrinsics.readCallerStackPointer;

import java.lang.ref.ReferenceQueue;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.net.URL;
Expand All @@ -43,6 +44,7 @@
import java.security.SecureRandom;
import java.util.List;
import java.util.Map;
import java.util.function.BooleanSupplier;
import java.util.function.Predicate;

import org.graalvm.compiler.serviceprovider.JavaVersionUtil;
Expand Down Expand Up @@ -317,10 +319,26 @@ static boolean isTrustedCryptoProvider(Provider provider) {
}
}

final class QueueFieldPresent implements BooleanSupplier {
@Override
public boolean getAsBoolean() {
try {
Class<?> jceSecurity = Class.forName("javax.crypto.JceSecurity");
jceSecurity.getDeclaredField("queue");
return true;
} catch (ClassNotFoundException | NoSuchFieldException e) {
return false;
}
}
}

@TargetClass(className = "javax.crypto.JceSecurity")
@SuppressWarnings({"unused"})
final class Target_javax_crypto_JceSecurity {

@Alias @TargetElement(onlyWith = QueueFieldPresent.class)//
public static ReferenceQueue<Object> queue;

/*
* Lazily recompute the RANDOM field at runtime. We cannot push the entire static initialization
* of JceSecurity to run time because we want the JceSecurity.verificationResults initialized at
Expand Down Expand Up @@ -393,8 +411,7 @@ public Object transform(Object receiver, Object originalValue) {
}
}

@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "IdentityWrapper", onlyWith = JDK17OrLater.class)
@SuppressWarnings({"unused"})
@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "IdentityWrapper", onlyWith = JceSecurityHasInnerClassIdentityWrapper.class)
final class Target_javax_crypto_JceSecurity_IdentityWrapper {
@Alias //
Provider obj;
Expand All @@ -405,6 +422,14 @@ final class Target_javax_crypto_JceSecurity_IdentityWrapper {
}
}

@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "WeakIdentityWrapper", onlyWith = JceSecurityHasInnerClassWeakIdentityWrapper.class)
final class Target_javax_crypto_JceSecurity_WeakIdentityWrapper {
@Alias //
Target_javax_crypto_JceSecurity_WeakIdentityWrapper(Provider obj, ReferenceQueue<Object> queue) {
// Do nothing this is just an alias
}
}

class JceSecurityAccessor {
private static volatile SecureRandom RANDOM;

Expand Down Expand Up @@ -436,7 +461,12 @@ static Object providerKey(Provider p) {
if (JavaVersionUtil.JAVA_SPEC <= 11) {
return p;
}

/* Starting with JDK 17 the verification results map key is an identity wrapper object. */
if (new JceSecurityHasInnerClassWeakIdentityWrapper().getAsBoolean()) {
return new Target_javax_crypto_JceSecurity_WeakIdentityWrapper(p, Target_javax_crypto_JceSecurity.queue);
}

return new Target_javax_crypto_JceSecurity_IdentityWrapper(p);
}

Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -31,6 +31,7 @@
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.ref.Reference;
import java.lang.reflect.Executable;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
Expand Down Expand Up @@ -87,6 +88,7 @@
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;

import com.oracle.svm.core.jdk.JceSecurityHasInnerClassWeakIdentityWrapper;
import org.graalvm.compiler.options.Option;
import org.graalvm.compiler.serviceprovider.JavaVersionUtil;
import org.graalvm.nativeimage.ImageSingletons;
Expand Down Expand Up @@ -885,7 +887,33 @@ private Function<Object, Object> constructVerificationCacheCleaner(Class<?> jceS
};
}
/*
* For JDK 17 and later, the verification cache is an IdentityWrapper -> Verification result
* For JDK 17.0.10 and later, the verification cache is a WeakIdentityWrapper ->
* Verification result ConcurrentHashMap. The WeakIdentityWrapper contains the actual
* provider in the 'obj' field.
*/
if (new JceSecurityHasInnerClassWeakIdentityWrapper().getAsBoolean()) {
Method getReferent = ReflectionUtil.lookupMethod(Reference.class, "get");
Predicate<Object> listRemovalPredicate = wrapper -> {
try {
return shouldRemoveProvider((Provider) getReferent.invoke(wrapper));
} catch (IllegalAccessException | InvocationTargetException e) {
throw VMError.shouldNotReachHere(e);
}
};

return obj -> {
Map<Object, Object> original = (Map<Object, Object>) obj;
Map<Object, Object> verificationResults = new ConcurrentHashMap<>(original);

verificationResults.keySet().removeIf(listRemovalPredicate);

return verificationResults;
};

}

/*
* For JDK 17 up to 17.0.10, the verification cache is an IdentityWrapper -> Verification result
* ConcurrentHashMap. The IdentityWrapper contains the actual provider in the 'obj' field.
*/
Class<?> identityWrapper = loader.findClassOrFail("javax.crypto.JceSecurity$IdentityWrapper");
Expand Down
Loading