Merge pull request #794 from KostasTsiounis/update_jarlist

Add fully-qualified class names of jar verification providers
ibmruntimes · Jul 16, 2024 · 3024b8f · 3024b8f
2 parents fa2af55 + 29b80da
commit 3024b8f
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/src/java.base/share/classes/sun/security/jca/Providers.java b/src/java.base/share/classes/sun/security/jca/Providers.java
@@ -99,6 +99,20 @@ private Providers() {
  "SunJCE",
  };
 
+ // Hardcoded fully-qualified class names of providers to use for JAR
+ // verification when RestrictedSecurity is enabled (similar to
+ // jarVerificationProviders array).
+ //
+ // MUST NOT be on the bootclasspath and not in signed JAR files.
+ private static final String[] restrictedJarVerificationProviders = {
+ "sun.security.provider.Sun",
+ "sun.security.rsa.SunRsaSign",
+ // Note: when SunEC is in a signed JAR file, it's not signed
+ // by EC algorithms. So it's still safe to be listed here.
+ "sun.security.ec.SunEC",
+ "com.sun.crypto.provider.SunJCE",
+ };
+
  // Return Sun provider.
  // This method should only be called by
  // sun.security.util.ManifestEntryVerifier and java.security.SecureRandom.
@@ -114,7 +128,10 @@ public static Provider getSunProvider() {
  */
  public static Object startJarVerification() {
  ProviderList currentList = getProviderList();
- ProviderList jarList = currentList.getJarList(jarVerificationProviders);
+ ProviderList jarList = currentList.getJarList(
+ RestrictedSecurity.isEnabled()
+ ? restrictedJarVerificationProviders
+ : jarVerificationProviders);
  if (jarList.getProvider("SUN") == null) {
  // add backup provider
  Provider p;