
Check RestrictedSecurity profile for errors
This commit checks for misspelled properties and validates provider order
numbers in RestrictedSecurity mode. If there is a misspelled
property or the provider order numbers are not consecutive, the
RestrictedSecurity mode initialization will stop and throw errors.

Signed-off-by: Tao Liu <tao.liu@ibm.com>
taoliult committed Oct 1, 2024
1 parent 9d684ea commit 8371a22
Showing 1 changed file with 54 additions and 2 deletions.
Expand Up @@ -35,10 +35,10 @@
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.Deque;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
Expand Down Expand Up @@ -996,6 +996,9 @@ private static final class ProfileParser {
// The java.security properties.
private final Properties securityProps;

private final Set<String> profileCheckPropertyNames;
private final Set<String> profileCheckProviderNames;

/**
*
* @param id the restricted security custom profile ID
Expand All @@ -1018,8 +1021,13 @@ private ProfileParser(String id, Properties props) {

parsedProfiles = new HashSet<>();

profileCheckPropertyNames = new HashSet<>();
profileCheckProviderNames = new HashSet<>();

// Initialize the properties.
init(profileID);

checkProfileCheck(profileID);
}

private RestrictedSecurityProperties getProperties() {
Expand All @@ -1042,12 +1050,17 @@ private void init(String profileID) {
printStackTraceAndExit(profileID + " has already been parsed. Potential infinite recursion.");
}

String potentialExtendsProfileID = parseProperty(securityProps.getProperty(profileID + ".extends"));
loadProfileCheck(profileID);

String profileExtends = profileID + ".extends";
String potentialExtendsProfileID = parseProperty(securityProps.getProperty(profileExtends));
if (potentialExtendsProfileID != null) { // If profile extends another profile.
if (debug != null) {
debug.println("\t'" + profileID + "' extends '" + potentialExtendsProfileID + "'.");
}

profileCheckPropertyNames.remove(profileExtends);

// Check if extended profile exists.
String extendsProfileID = null;
if (potentialExtendsProfileID.indexOf('.') != potentialExtendsProfileID.lastIndexOf('.')) {
Expand Down Expand Up @@ -1103,6 +1116,7 @@ private void init(String profileID) {
// Save info to be hashed and expected result to be checked later.
profilesHashes.put(profileID, hashValue);
profilesInfo.put(profileID, allInfo);
profileCheckPropertyNames.remove(hashProperty);
} else if (!isFIPS1402Profile(profileID)) {
// A hash is mandatory, but not for older 140-2 profiles.
printStackTraceAndExit(profileID + " is a base profile, so a hash value is mandatory.");
Expand Down Expand Up @@ -1139,6 +1153,7 @@ private void update(String profileExtensionId) {
// Save info to be hashed and expected result to be checked later.
profilesHashes.put(profileID, hashValue);
profilesInfo.put(profileID, allInfo);
profileCheckPropertyNames.remove(hashProperty);
}
} catch (Exception e) {
if (debug != null) {
Expand Down Expand Up @@ -1259,6 +1274,7 @@ private void initProviders(String profileID, List<String> allInfo) {
allInfo.add(property + "=" + providerInfo);

parseProvider(providerInfo, pNum, false);
profileCheckProviderNames.remove(property);
}

if (providers.isEmpty()) {
Expand Down Expand Up @@ -1289,6 +1305,7 @@ private void updateProviders(String profileExtensionId, List<String> allInfo) {
removedProvider = true;
break;
}
profileCheckProviderNames.remove(property);
}
}

Expand Down Expand Up @@ -1316,6 +1333,7 @@ private void updateProviders(String profileExtensionId, List<String> allInfo) {
allInfo.add(property + "=" + providerInfo);

parseProvider(providerInfo, i, false);
profileCheckProviderNames.remove(property);
}
}

Expand Down Expand Up @@ -1640,6 +1658,7 @@ private boolean setProperty(String property, String propertyKey, List<String> al
newValue = value;
}
profileProperties.put(property, newValue);
profileCheckPropertyNames.remove(propertyKey);
return true;
}
if (debug != null) {
Expand Down Expand Up @@ -1712,6 +1731,39 @@ private static void checkProviderFormat(String providerInfo, boolean update) {
printStackTraceAndExit("Provider format is incorrect: " + providerInfo);
}
}

private void loadProfileCheck(String profileID) {
Enumeration<?> pNames = securityProps.propertyNames();
String profileDot = profileID + '.';
while (pNames.hasMoreElements()) {
String name = (String) pNames.nextElement();
if (name.startsWith(profileDot)) {
if (name.contains(".jce.provider.")) {
profileCheckProviderNames.add(name);
} else {
profileCheckPropertyNames.add(name);
}
}
}
}

private void checkProfileCheck(String profileID) {
if (!profileCheckProviderNames.isEmpty()) {
printStackTraceAndExit(
"The order numbers of providers in profile " + profileID
+ " (or a base profile) are not consecutive.");
}
if (!profileCheckPropertyNames.isEmpty()) {
printStackTraceAndExit(
"The property names: "
+ profileCheckPropertyNames
.stream()
.sorted()
.collect(Collectors.joining(", "))
+ " in profile " + profileID
+ " (or a base profile) are not recognized.");
}
}
}

/**
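Review bot: checkProfileCheck reports any leftover provider key only as "not consecutive" and, unlike the property branch, omits the offending names, so a key that loadProfileCheck routed to profileCheckProviderNames purely by the `.jce.provider.` substring (for example one with a non-numeric suffix) produces a misleading message with no hint of which key to fix. Consider listing the set the same way the property branch does, e.g. `+ " (or a base profile) are not consecutive or not recognized: " + profileCheckProviderNames.stream().sorted().collect(Collectors.joining(", ")) + ".");`. Because this check is the fail-closed guard that stops a typo in a restriction key from being silently ignored, both new methods deserve a short Javadoc stating the invariant they enforce: every key under the `profileID + '.'` prefix must be consumed by init/update or setProperty, and any remainder aborts initialization. Both methods lie fully within this hunk; their call sites in the constructor and in init are in earlier hunks.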
