Merge remote-tracking branch 'upstream/master'

gluonhq · Jun 19, 2021 · b84b275 · b84b275
2 parents 3803f1c + 5a34e71
commit b84b275
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 3 deletions.
diff --git a/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java b/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java
@@ -49,6 +49,8 @@
 import jdk.vm.ci.meta.MetaAccessProvider;
 import jdk.vm.ci.meta.ResolvedJavaField;
 import org.graalvm.compiler.serviceprovider.JavaVersionUtil;
+import org.graalvm.nativeimage.Platform;
+import org.graalvm.nativeimage.Platforms;
 import org.graalvm.nativeimage.hosted.Feature;
 import org.graalvm.word.Pointer;
 
@@ -235,6 +237,52 @@ final class Target_javax_crypto_CryptoAllPermission {
     static Target_javax_crypto_CryptoAllPermission INSTANCE;
 }
 
+@Platforms(Platform.WINDOWS.class)
+@TargetClass(value = java.security.Provider.class)
+final class Target_java_security_Provider {
+    @Alias //
+    private transient boolean initialized;
+
+    @Alias //
+    String name;
+
+    /*
+     * `Provider.checkInitialized` is called from all other Provider API methods, before any
+     * computation, so it is a convenient location to do our own initialization, e.g., to ensure
+     * that the required native libraries are loaded.
+     */
+    @Substitute
+    private void checkInitialized() {
+        if (!initialized) {
+            throw new IllegalStateException();
+        }
+        /* Do our own initialization. */
+        ProviderUtil.initialize(this);
+    }
+}
+
+final class ProviderUtil {
+    private static volatile boolean initialized = false;
+
+    static void initialize(Target_java_security_Provider provider) {
+        if (initialized) {
+            return;
+        }
+
+        if (provider.name.equals("SunMSCAPI")) {
+            try {
+                System.loadLibrary("sunmscapi");
+            } catch (Throwable ignored) {
+                /*
+                 * If the loading fails, later calls to native methods will also fail. So, in order
+                 * not to confuse users with unexpected stack traces, we ignore the exceptions here.
+                 */
+            }
+            initialized = true;
+        }
+    }
+}
+
 @TargetClass(className = "javax.crypto.ProviderVerifier", onlyWith = JDK11OrLater.class)
 @SuppressWarnings({"unused"})
 final class Target_javax_crypto_ProviderVerifier {

diff --git a/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java b/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java
@@ -243,6 +243,10 @@ public void duringSetup(DuringSetupAccess a) {
              * result of SeedGenerator.getSystemEntropy().
              */
             rci.rerunInitialization(clazz(access, "sun.security.provider.AbstractDrbg$SeederHolder"), "for substitutions");
+            if (isWindows()) {
+                /* PRNG.<clinit> creates a Cleaner (see JDK-8210476), which starts its thread. */
+                rci.rerunInitialization(clazz(access, "sun.security.mscapi.PRNG"), "for substitutions");
+            }
         }
 
         if (JavaVersionUtil.JAVA_SPEC > 8) {

diff --git a/...atevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/jdk/JNIRegistrationSupport.java b/...atevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/jdk/JNIRegistrationSupport.java
@@ -80,6 +80,7 @@ class JNIRegistrationSupport extends JNIRegistrationUtil implements GraalFeature
 
     private final ConcurrentMap<String, Boolean> registeredLibraries = new ConcurrentHashMap<>();
     private NativeLibraries nativeLibraries = null;
+    private boolean isSunMSCAPIProviderReachable = false;
 
     public static JNIRegistrationSupport singleton() {
         return ImageSingletons.lookup(JNIRegistrationSupport.class);
@@ -90,6 +91,13 @@ public void beforeAnalysis(BeforeAnalysisAccess access) {
         nativeLibraries = ((BeforeAnalysisAccessImpl) access).getNativeLibraries();
     }
 
+    @Override
+    public void afterAnalysis(AfterAnalysisAccess access) {
+        if (isWindows()) {
+            isSunMSCAPIProviderReachable = access.isReachable(clazz(access, "sun.security.mscapi.SunMSCAPI"));
+        }
+    }
+
     @Override
     public void registerGraphBuilderPlugins(Providers providers, Plugins plugins, ParsingReason reason) {
         registerLoadLibraryPlugin(plugins, System.class);
@@ -186,10 +194,10 @@ private void copyJDKLibraries(Path jdkLibDir) {
                     continue;
                 }
 
-                if (libname.equals("sunec")) {
+                if (libname.equals("sunmscapi") && !isSunMSCAPIProviderReachable) {
                     /*
-                     * Ignore `sunec` library if it is not statically linked (we will use `SunEC` in
-                     * mode without full ECC implementation anyway).
+                     * Ignore `sunmscapi` library if `SunMSCAPI` provider is not reachable (it's
+                     * always registered as a workaround in `Target_java_security_Provider`).
                      */
                     debug.log(DebugContext.INFO_LEVEL, "%s: IGNORED", library);
                     continue;