Fix javax.crypto.JceSecurity substitutions in JDK >= 17.0.10
Closes #607
zakkak committed Nov 9, 2023
1 parent 34be002 commit 4ceec14
Showing 4 changed files with 127 additions and 5 deletions.
@@ -0,0 +1,40 @@
/*
* Copyright (c) 2021, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package com.oracle.svm.core.jdk;

import org.graalvm.compiler.serviceprovider.GraalServices;
import org.graalvm.compiler.serviceprovider.JavaVersionUtil;

import java.util.function.BooleanSupplier;

public class JDK17_0_10OrLater implements BooleanSupplier {

@Override
public boolean getAsBoolean() {
return JavaVersionUtil.JAVA_SPEC > 17 ||
(JavaVersionUtil.JAVA_SPEC == 17 && GraalServices.getJavaUpdateVersion() >= 10);
}

}
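Review bot: JDK17_0_10OrLater and JDK17_0_9OrEarlier (the next file) are two hand-maintained comparisons that must stay exact complements, and neither class says what the 17.0.10 boundary gates. A one-line Javadoc on each would help, for example `/** True when javax.crypto.JceSecurity keys its verification cache with WeakIdentityWrapper (JDK 17.0.10 and later). */`, going by the substitutions added elsewhere in this commit. To keep the pair from drifting, JDK17_0_9OrEarlier could return `!new JDK17_0_10OrLater().getAsBoolean()` instead of repeating the version arithmetic.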
@@ -0,0 +1,40 @@
/*
* Copyright (c) 2021, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package com.oracle.svm.core.jdk;

import org.graalvm.compiler.serviceprovider.GraalServices;
import org.graalvm.compiler.serviceprovider.JavaVersionUtil;

import java.util.function.BooleanSupplier;

public class JDK17_0_9OrEarlier implements BooleanSupplier {

@Override
public boolean getAsBoolean() {
return JavaVersionUtil.JAVA_SPEC < 17 ||
(JavaVersionUtil.JAVA_SPEC == 17 && GraalServices.getJavaUpdateVersion() <= 9);
}

}
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@

import static com.oracle.svm.core.snippets.KnownIntrinsics.readCallerStackPointer;

import java.lang.ref.ReferenceQueue;
import java.lang.ref.WeakReference;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.net.URL;
@@ -45,6 +47,7 @@
import java.util.Map;
import java.util.function.Predicate;

import org.graalvm.compiler.serviceprovider.GraalServices;
import org.graalvm.compiler.serviceprovider.JavaVersionUtil;
import org.graalvm.nativeimage.Platform;
import org.graalvm.nativeimage.Platforms;
@@ -321,6 +324,10 @@ static boolean isTrustedCryptoProvider(Provider provider) {
@SuppressWarnings({"unused"})
final class Target_javax_crypto_JceSecurity {


@Alias @TargetElement(onlyWith = JDK17_0_10OrLater.class)//
public static ReferenceQueue<Object> queue;

/*
* Lazily recompute the RANDOM field at runtime. We cannot push the entire static initialization
* of JceSecurity to run time because we want the JceSecurity.verificationResults initialized at
@@ -393,8 +400,7 @@ public Object transform(Object receiver, Object originalValue) {
}
}

@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "IdentityWrapper", onlyWith = JDK17OrLater.class)
@SuppressWarnings({"unused"})
@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "IdentityWrapper", onlyWith = {JDK17OrLater.class, JDK17_0_9OrEarlier.class})
final class Target_javax_crypto_JceSecurity_IdentityWrapper {
@Alias //
Provider obj;
@@ -405,6 +411,14 @@ final class Target_javax_crypto_JceSecurity_IdentityWrapper {
}
}

@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "WeakIdentityWrapper", onlyWith = JDK17_0_10OrLater.class)
final class Target_javax_crypto_JceSecurity_WeakIdentityWrapper {
@Alias //
Target_javax_crypto_JceSecurity_WeakIdentityWrapper(Provider obj, ReferenceQueue<Object> queue) {
// Do nothing this is just an alias
}
}

class JceSecurityAccessor {
private static volatile SecureRandom RANDOM;

@@ -436,7 +450,12 @@ static Object providerKey(Provider p) {
if (JavaVersionUtil.JAVA_SPEC <= 11) {
return p;
}

/* Starting with JDK 17 the verification results map key is an identity wrapper object. */
if (JavaVersionUtil.JAVA_SPEC == 17 && GraalServices.getJavaUpdateVersion() >= 10) {
return new Target_javax_crypto_JceSecurity_WeakIdentityWrapper(p, Target_javax_crypto_JceSecurity.queue);
}

return new Target_javax_crypto_JceSecurity_IdentityWrapper(p);
}
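Review bot: In providerKey the new branch tests `JavaVersionUtil.JAVA_SPEC == 17 && GraalServices.getJavaUpdateVersion() >= 10`, which does not match the JDK17_0_10OrLater predicate used on the `queue` alias and on Target_javax_crypto_JceSecurity_WeakIdentityWrapper, because that predicate is also true for `JAVA_SPEC > 17`. On such a JDK the IdentityWrapper substitution is switched off by JDK17_0_9OrEarlier, yet providerKey would fall through to `new Target_javax_crypto_JceSecurity_IdentityWrapper(p)`; whether this branch is ever built on a JDK newer than 17 is not visible here. Using one shared condition, e.g. `if (new JDK17_0_10OrLater().getAsBoolean()) {`, would keep the key type in step with the enabled substitutions, and the same `== 17` test is repeated in constructVerificationCacheCleaner in the last file. A key of the wrong wrapper type would presumably miss the provider verification results, so the mismatch is worth closing even if it is currently unreachable. The comment above the branch still reads "Starting with JDK 17 ..." and could mention the weak wrapper; providerKey's body starts outside the hunk.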

@@ -31,6 +31,7 @@
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.ref.Reference;
import java.lang.reflect.Executable;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
@@ -88,6 +89,7 @@
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;

import org.graalvm.compiler.options.Option;
import org.graalvm.compiler.serviceprovider.GraalServices;
import org.graalvm.compiler.serviceprovider.JavaVersionUtil;
import org.graalvm.nativeimage.ImageSingletons;
import org.graalvm.nativeimage.hosted.RuntimeJNIAccess;
@@ -885,9 +887,30 @@ private Function<Object, Object> constructVerificationCacheCleaner(Class<?> jceS
};
}
/*
* For JDK 17 and later, the verification cache is an IdentityWrapper -> Verification result
* ConcurrentHashMap. The IdentityWrapper contains the actual provider in the 'obj' field.
* For JDK 17.0.10 and later, the verification cache is a WeakIdentityWrapper -> Verification result
* ConcurrentHashMap. The WeakIdentityWrapper contains the actual provider in the 'obj' field.
*/
if (JavaVersionUtil.JAVA_SPEC == 17 && GraalServices.getJavaUpdateVersion() >= 10) {
Method getReferent = ReflectionUtil.lookupMethod(Reference.class, "get");
Predicate<Object> listRemovalPredicate = wrapper -> {
try {
return shouldRemoveProvider((Provider) getReferent.invoke(wrapper));
} catch (IllegalAccessException | InvocationTargetException e) {
throw VMError.shouldNotReachHere(e);
}
};

return obj -> {
Map<Object, Object> original = (Map<Object, Object>) obj;
Map<Object, Object> verificationResults = new ConcurrentHashMap<>(original);

verificationResults.keySet().removeIf(listRemovalPredicate);

return verificationResults;
};

}

Class<?> identityWrapper = loader.findClassOrFail("javax.crypto.JceSecurity$IdentityWrapper");
Field providerField = ReflectionUtil.lookupField(identityWrapper, "obj");
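Review bot: The removal predicate in the new 17.0.10 branch passes `getReferent.invoke(wrapper)` straight to shouldRemoveProvider, but `Reference.get()` returns null once the referent has been cleared, so a stale WeakIdentityWrapper key hands a null Provider to a method whose null handling is not visible in this hunk. Dropping cleared keys explicitly is safer: `Provider p = (Provider) ((Reference<?>) wrapper).get();` followed by `return p == null || shouldRemoveProvider(p);`. Because `Reference.get()` is public, the direct cast also removes the reflective lookup and the try/catch, unless there is a reason for reflection that is not shown here. The comment above the branch says the provider is held in the 'obj' field, which describes IdentityWrapper; for the weak wrapper the code reads the referent instead. constructVerificationCacheCleaner starts and ends outside the hunk.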

