From 65ec1f24f3147eae5932b6b21527f0622333d7d9 Mon Sep 17 00:00:00 2001
From: Tao Liu
Date: Wed, 27 Sep 2023 13:48:26 -0400
Subject: [PATCH] Add provider name and class name mapping for SunSASL in FIPS
---
 .../internal/security/RestrictedSecurity.java | 51 ++++++++++++++-----
 1 file changed, 37 insertions(+), 14 deletions(-)
diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
index c4f318aa367..d5729cb4bb7 100644
--- a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
+++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
@@ -687,13 +687,8 @@ private void initProviders() {
 // Provider with argument (provider name + optional argument).
 providers.add(pNum - 1, providerName);
- // Remove the provider's optional arguments if there are.
- pos = providerName.indexOf(' ');
- providerName = (pos < 0) ? providerName.trim() : providerName.substring(0, pos).trim();
- // Remove the provider's class package names if there are.
- pos = providerName.lastIndexOf('.');
- providerName = (pos < 0) ? providerName : providerName.substring(pos + 1, providerName.length());
- // Provider without arguments and package names.
+ // Provider name defined in provider construction method.
+ providerName = getProvidersSimpleName(providerName);
 providersSimpleName.add(pNum - 1, providerName);
 }
@@ -959,13 +954,7 @@ boolean isRestrictedProviderAllowed(String providerName) {
 debug.println("Checking the provider " + providerName + " in restricted security mode.");
 }
- // Remove argument, e.g. -NSS-FIPS, if there is.
- int pos = providerName.indexOf('-');
- providerName = (pos < 0) ? providerName : providerName.substring(0, pos);
-
- // Remove the provider class package name if there is.
- pos = providerName.lastIndexOf('.');
- providerName = (pos < 0) ? providerName : providerName.substring(pos + 1, providerName.length());
+ providerName = getProvidersSimpleName(providerName);
 // Check if the provider is in restricted security provider list.
 // If not, the provider won't be registered.
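Review bot: The name that isRestrictedProviderAllowed checks is now cut at the first space as well as at the first '-', because `getProvidersSimpleName` applies both rules and this call site previously applied only the '-' and package rules. A runtime provider name that begins with an allowed simple name followed by a space or hyphen is therefore reduced to that allowed name before the list check that follows (the comparison itself is outside this hunk, so this is inferred from the "Check if the provider is in restricted security provider list" comment). If the space rule is only needed for profile entries parsed in initProviders, consider keeping it on that path; otherwise record the decision here with a comment such as `// NOTE: the allow-list match uses the simplified name; text after the first ' ' or '-' is ignored`.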
@@ -990,6 +979,40 @@ boolean isRestrictedProviderAllowed(String providerName) {
 return false;
 }
+ /**
+ * Get the provider name defined in provider construction method.
+ *
+ * @param providerName provider name or provider with packages or arguments
+ * @return provider name defined in provider construction method
+ */
+ private static String getProvidersSimpleName(String providerName) {
+ // Remove the provider's optional arguments if present.
+ int pos = providerName.indexOf(' ');
+ providerName = (pos < 0) ? providerName.trim() : providerName.substring(0, pos).trim();
+
+ // Remove argument, e.g. -NSS-FIPS, if present.
+ pos = providerName.indexOf('-');
+ providerName = (pos < 0) ? providerName : providerName.substring(0, pos);
+
+ if (providerName.equals("com.sun.net.ssl.internal.ssl.Provider")) {
+ // In JDK 8, the main class for the SunJSSE provider is
+ // com.sun.net.ssl.internal.ssl.Provider
+ return "SunJSSE";
+ } else if (providerName.equals("sun.security.provider.Sun")) {
+ // In JDK 8, the main class for the SUN provider is sun.security.provider.Sun
+ return "SUN";
+ } else if (providerName.equals("com.sun.security.sasl.Provider")) {
+ // The main class for the SunSASL provider is com.sun.security.sasl.Provider
+ return "SunSASL";
+ } else {
+ // Remove the provider's class package names if present.
+ pos = providerName.lastIndexOf('.');
+ providerName = (pos < 0) ? providerName : providerName.substring(pos + 1);
+ // Provider without arguments and package names.
+ return providerName;
+ }
+ }
+
 /**
 * List audit info of all available RestrictedSecurity profiles.
 */
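Review bot: A name with leading whitespace is reduced to the empty string in the first step of getProvidersSimpleName, because `indexOf(' ')` returns 0 and `substring(0, 0).trim()` is taken; the `trim()` in the other branch only runs when the name contains no space at all. Trimming before the search avoids this: `providerName = providerName.trim();`, then `int pos = providerName.indexOf(' ');` and `providerName = (pos < 0) ? providerName : providerName.substring(0, pos);`. Whether callers already pass trimmed names is not visible in this patch, so the helper should not rely on it now that both initProviders and isRestrictedProviderAllowed go through it. The Javadoc would also benefit from stating that the argument must be non-null and that everything after the first space or '-' is discarded, since "provider name defined in provider construction method" does not describe those rules.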