Skip to content

Commit

Permalink
[Backport 2.x] Fix permissions issues while reading keys in PKCS#1 fo…
Browse files Browse the repository at this point in the history
…rmat (#3322)

Backport #3289 to 2.x

Signed-off-by: Craig Perkins <cwperx@amazon.com>
  • Loading branch information
cwperks authored Sep 6, 2023
1 parent 3d191b8 commit 552de1b
Show file tree
Hide file tree
Showing 2 changed files with 60 additions and 25 deletions.
4 changes: 2 additions & 2 deletions plugin-security.policy
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,6 @@ grant {
permission java.util.PropertyPermission "*","read,write";

//Enable when we switch to UnboundID LDAP SDK
//permission java.util.PropertyPermission "*", "read,write";
//permission java.lang.RuntimePermission "setFactory";
//permission javax.net.ssl.SSLPermission "setHostnameVerifier";

Expand All @@ -61,11 +60,12 @@ grant {
permission java.security.SecurityPermission "insertProvider.BC";
permission java.security.SecurityPermission "removeProviderProperty.BC";
permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";
permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";

permission java.lang.RuntimePermission "accessUserInformation";

permission java.security.SecurityPermission "org.apache.xml.security.register";
permission java.util.PropertyPermission "org.apache.xml.security.ignoreLineBreaks", "write";

permission java.lang.RuntimePermission "createClassLoader";

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -958,19 +958,32 @@ private SslContext buildSSLServerContext(
final ClientAuth authMode
) throws SSLException {

final SslContextBuilder _sslContextBuilder = SslContextBuilder.forServer(_key, _cert)
.ciphers(ciphers)
.applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
.clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722
.sessionCacheSize(0)
.sessionTimeout(0)
.sslProvider(sslProvider);
try {
final SslContextBuilder _sslContextBuilder = AccessController.doPrivileged(new PrivilegedExceptionAction<SslContextBuilder>() {
@Override
public SslContextBuilder run() throws Exception {
return SslContextBuilder.forServer(_key, _cert)
.ciphers(ciphers)
.applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
.clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722
.sessionCacheSize(0)
.sessionTimeout(0)
.sslProvider(sslProvider);
}
});

if (_trustedCerts != null && _trustedCerts.length > 0) {
_sslContextBuilder.trustManager(_trustedCerts);
}
if (_trustedCerts != null && _trustedCerts.length > 0) {
_sslContextBuilder.trustManager(_trustedCerts);
}

return buildSSLContext0(_sslContextBuilder);
return buildSSLContext0(_sslContextBuilder);
} catch (final PrivilegedActionException e) {
if (e.getCause() instanceof SSLException) {
throw (SSLException) e.getCause();
} else {
throw new RuntimeException(e);
}
}
}

private SslContext buildSSLServerContext(
Expand All @@ -982,20 +995,38 @@ private SslContext buildSSLServerContext(
final SslProvider sslProvider,
final ClientAuth authMode
) throws SSLException {
final SecurityManager sm = System.getSecurityManager();

final SslContextBuilder _sslContextBuilder = SslContextBuilder.forServer(_cert, _key, pwd)
.ciphers(ciphers)
.applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
.clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722
.sessionCacheSize(0)
.sessionTimeout(0)
.sslProvider(sslProvider);

if (_trustedCerts != null) {
_sslContextBuilder.trustManager(_trustedCerts);
if (sm != null) {
sm.checkPermission(new SpecialPermission());
}

return buildSSLContext0(_sslContextBuilder);
try {
final SslContextBuilder _sslContextBuilder = AccessController.doPrivileged(new PrivilegedExceptionAction<SslContextBuilder>() {
@Override
public SslContextBuilder run() throws Exception {
return SslContextBuilder.forServer(_cert, _key, pwd)
.ciphers(ciphers)
.applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
.clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722
.sessionCacheSize(0)
.sessionTimeout(0)
.sslProvider(sslProvider);
}
});

if (_trustedCerts != null) {
_sslContextBuilder.trustManager(_trustedCerts);
}

return buildSSLContext0(_sslContextBuilder);
} catch (final PrivilegedActionException e) {
if (e.getCause() instanceof SSLException) {
throw (SSLException) e.getCause();
} else {
throw new RuntimeException(e);
}
}
}

private SslContext buildSSLClientContext(
Expand Down Expand Up @@ -1059,7 +1090,11 @@ public SslContext run() throws Exception {
}
});
} catch (final PrivilegedActionException e) {
throw (SSLException) e.getCause();
if (e.getCause() instanceof SSLException) {
throw (SSLException) e.getCause();
} else {
throw new RuntimeException(e);
}
}

return sslContext;
Expand Down

0 comments on commit 552de1b

Please sign in to comment.