Java Restricted Security Mode

[taoliult]

Signed-off-by: Tao Liu tao.liu@ibm.com

This is a backport PR from JDKNext PR ibmruntimes/openj9-openjdk-jdk#544 to JDK8.

[taoliult]

@keithc-ca @pshipton

Java Restricted Security Mode backport PR created from JDKNext PR ibmruntimes/openj9-openjdk-jdk#544 to JDK8. And there are some updates only for the JDK8. Please help to review and advice.

And for the copyright check, it said below. Do we also need to add the copyright for the java.security file?

17:04:02  The following files were modified and have incorrect copyrights
[Pipeline] echo
17:04:02  jdk/src/share/lib/security/java.security-linux
17:04:02  	IBM Portions Copyright should be used in this file

@jasonkatonica @WilburZjh

FYI.

[keithc-ca]

If the configuration is expected to use fully-qualified names (as is done here), I think the code should do likewise and not remove the package name.

In newer versions, there are several "attributes" specified for these providers: why are they not copied here?

[taoliult]

In JDK8, the security.provider lists are the provider class names with packages. In JDK11 and above version, the security.provider lists are the provider names which defined in provider construction method. But no matter it is provider class name or the provider name defined in provider construction method, the new added getProvidersSimpleName() method will return the provider name defined in provider construction method, and then store it into the providersSimpleName string list.

But right now, for the following provider classes and their provider names, I did not add them into the getProvidersSimpleName() method. Because they are not FIPS allowed providers.

sun.security.jgss.SunProvider  SunJGSS
com.sun.security.sasl.Provider SunSASL
org.jcp.xml.dsig.internal.dom.XMLDSigRI. XMLDSig

In JDK8 providers SUN and SunEC, they are using the legacy method Provider.put() to register service, its alias and its attribute. And it did one by one, example as follow. For “AlgorithmParameters.EC” attributes “KeySize” and “ImplementedIn”, there are two items/attributes in the map.

        /*
         * Algorithm Parameter engine
         */
        map.put("AlgorithmParameters.EC", "sun.security.util.ECParameters");
        map.put("Alg.Alias.AlgorithmParameters.EllipticCurve", "EC");
        map.put("Alg.Alias.AlgorithmParameters.1.2.840.10045.2.1", "EC");
        map.put("AlgorithmParameters.EC KeySize", "256");
        map.put("AlgorithmParameters.EC ImplementedIn", "Software");

And then, in the Provider.parseLegacyPut() method, the items/attributes will be read one by one, and then using addAttribute() method to put into Service.

Our check is in the Provider.parseLegacyPut() method, it will check for each item/attribute in the map. So, if the service has more than two items/attributes in the map. We can’t check it correctly, because our isServiceAllowed() method will check the service and all its attributes.

So, first, what I thought is to remove the attributes (set it as *). Because when I went through those providers’ services, I did not find any service which has the same type and algorithms, but different attributes. That mean, only according to the type and algorithms, we can find the specific services, so checking attributes or not, actually doesn’t matter.

But, right now, there is a better way, that is to add the isServiceAllowed() check in Provider.removeInvalidServices() method. This method will be called after the Provider.parseLegacyPut() went through all the items in the map and added them as services into legacyMap. So, we can check each service from the legacyMap in Provider.removeInvalidServices() method, to remove them if the service is not allowed. In this case, the isServiceAllowed() check will work correctly.

[taoliult]

@keithc-ca Some reviews updated the codes, the others replied the questions. Please help to review and advise.

@jasonkatonica @WilburZjh FYI.

[keithc-ca]

In jdk11, type is case-sensitive and algorithm is not: why is this different?

[taoliult]

Right now, it doesn’t affect any functions. Because the algorithms from the java.security restricted security provider constraint list, are exactly same as the ones which registered in the provider java codes. But, since the type is using “equalsIgnoreCase()”, so I would like to use the same “equalsIgnoreCase()” for the algorithms, to make them look the same(by using the same equalsIgnoreCase() method). So, I will create a PR on OpenJDK Next first and then backport this change back.

[keithc-ca]

Why are you changing debug message (as compared with newer versions)?
See also line 835.

[taoliult]

Compared to the other debug messages in this method, others had a “colon” right after the “is allowed in provider”. For example this debug message:

                debug.println(
                        "Security constraints check."
                                + " Service type: " + type
                                + " Algorithm: " + algorithm
                                + " Attribute: " + cAttribute
                                + " is allowed in provider: " + providerName);

So, for look as the same, I updated this line 788 and line 831 by adding a “:” in the debug message. I will make the same changes for JDK11 and above version by another PR.

[keithc-ca]

Why is this section different than newer versions (e.g. Java 11)?

[taoliult]

In OpenJDK11 and above version, there are two PRs update this “RestrictedSecurity1.tls.disabledAlgorithms” list. First PR for the Java Restricted Security Mode add this list, second PR remove the AES-GCM mode from the disable list because the latest FIPS policy support the AES-GCM mode.

So, for the OpenJDK8, I updated to the latest FIPS policy and also removed the AES-GCM mode from this disable list. So, the list will be same as the current OpenJDK11 and above version, and we don’t need a separate PR for updating the FIPS policy and removing the AES-GCM mode again.

[keithc-ca]

Other than the provider names, why is this different than newer versions (e.g. Java 11)?

[taoliult]

In OpenJDK8, the attribute of KeyFactory EC is different with the OpenJDK11 and above version, KeyFactory EC only has one attribute in OpenJDK8 SunEC provider. So, that is why the KeyFactory EC attribute is different between OpenJDK8 and OpenJDK11 and above version.

[taoliult]

@keithc-ca Some reviews updated the codes, the others replied the questions. Please help to review and advise.

[keithc-ca]

Jenkins test sanity,extended xlinux jdk8

[keithc-ca]

Test failure is unrelated to this change:

testJITServer_1:
//// can't bind server address: Address already in use