From 29b80dab55292f2240e926f10a7d0e5072623900 Mon Sep 17 00:00:00 2001 From: Kostas Tsiounis Date: Wed, 10 Jul 2024 13:26:08 -0400 Subject: [PATCH] Add fully-qualified class names of jar verification providers Additional entries, pertaining to the fully-qualified class names of the providers, are added to the list used to populate the ProviderList that is utilized for Jar verification. Signed-off-by: Kostas Tsiounis --- .../classes/sun/security/jca/Providers.java | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/src/java.base/share/classes/sun/security/jca/Providers.java b/src/java.base/share/classes/sun/security/jca/Providers.java index 2cb3ced6da..6d52933a82 100644 --- a/src/java.base/share/classes/sun/security/jca/Providers.java +++ b/src/java.base/share/classes/sun/security/jca/Providers.java @@ -99,6 +99,20 @@ private Providers() { "SunJCE", }; + // Hardcoded fully-qualified class names of providers to use for JAR + // verification when RestrictedSecurity is enabled (similar to + // jarVerificationProviders array). + // + // MUST NOT be on the bootclasspath and not in signed JAR files. + private static final String[] restrictedJarVerificationProviders = { + "sun.security.provider.Sun", + "sun.security.rsa.SunRsaSign", + // Note: when SunEC is in a signed JAR file, it's not signed + // by EC algorithms. So it's still safe to be listed here. + "sun.security.ec.SunEC", + "com.sun.crypto.provider.SunJCE", + }; + // Return Sun provider. // This method should only be called by // sun.security.util.ManifestEntryVerifier and java.security.SecureRandom. @@ -114,7 +128,10 @@ public static Provider getSunProvider() { */ public static Object startJarVerification() { ProviderList currentList = getProviderList(); - ProviderList jarList = currentList.getJarList(jarVerificationProviders); + ProviderList jarList = currentList.getJarList( + RestrictedSecurity.isEnabled() + ? restrictedJarVerificationProviders + : jarVerificationProviders); if (jarList.getProvider("SUN") == null) { // add backup provider Provider p;