From ba60c69c0657b225374f799ff64d71314fbd9b05 Mon Sep 17 00:00:00 2001
From: Kostas Tsiounis <kostas.tsiounis@ibm.com>
Date: Wed, 10 Jul 2024 13:26:08 -0400
Subject: [PATCH] Add fully-qualified class names of jar verification providers

Additional entries, pertaining to the fully-qualified class
names of the providers, are added to the list used to populate
the ProviderList that is utilized for Jar verification.

Signed-off-by: Kostas Tsiounis <kostas.tsiounis@ibm.com>
---
 .../classes/sun/security/jca/Providers.java   | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/java.base/share/classes/sun/security/jca/Providers.java b/src/java.base/share/classes/sun/security/jca/Providers.java
index a94d491c008..642a9f33332 100644
--- a/src/java.base/share/classes/sun/security/jca/Providers.java
+++ b/src/java.base/share/classes/sun/security/jca/Providers.java
@@ -100,6 +100,20 @@ private Providers() {
         "SunJCE",
     };
 
+    // Hardcoded fully-qualified class names of providers to use for JAR
+    // verification when RestrictedSecurity is enabled (similar to
+    // jarVerificationProviders array).
+    //
+    // MUST NOT be on the bootclasspath and not in signed JAR files.
+    private static final String[] restrictedJarVerificationProviders = {
+        "sun.security.provider.Sun",
+        "sun.security.rsa.SunRsaSign",
+        // Note: when SunEC is in a signed JAR file, it's not signed
+        // by EC algorithms. So it's still safe to be listed here.
+        "sun.security.ec.SunEC",
+        "com.sun.crypto.provider.SunJCE",
+    };
+
     // Return Sun provider.
     // This method should only be called by
     // sun.security.util.ManifestEntryVerifier and java.security.SecureRandom.
@@ -115,7 +129,10 @@ public static Provider getSunProvider() {
      */
     public static Object startJarVerification() {
         ProviderList currentList = getProviderList();
-        ProviderList jarList = currentList.getJarList(jarVerificationProviders);
+        ProviderList jarList = currentList.getJarList(
+                RestrictedSecurity.isEnabled()
+                        ? restrictedJarVerificationProviders
+                        : jarVerificationProviders);
         if (jarList.getProvider("SUN") == null) {
             // add backup provider
             Provider p;