Skip to content

Commit 4237eac

Browse files
KostasTsiounisKostasTsiounis
committed
Extend RestrictedSecurity constraints
The functionality of the provider constraints in RestrictedSecurity profiles is extended. Instead of allowing them to be universally used, one can optionally indicate the specific module and/or class from where a particular cryptographic algorithm can be called. Tests are, also, added to test the new functionality offered through RestrictedSecurity profiles. Signed-off-by: Kostas Tsiounis <[email protected]>
1 parent 92ed2df commit 4237eac

File tree

6 files changed

+515
-45
lines changed

6 files changed

+515
-45
lines changed

closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java

+165-42
Original file line numberDiff line numberDiff line change
@@ -232,14 +232,27 @@ public static boolean isFIPSEnabled() {
232232
}
233233

234234
/**
235-
* Check if the service is allowed in restricted security mode.
235+
* Check if the service is allowed to be used in restricted security mode.
236236
*
237237
* @param service the service to check
238-
* @return true if the service is allowed
238+
* @return true if the service is allowed to be used
239239
*/
240240
public static boolean isServiceAllowed(Service service) {
241241
if (securityEnabled) {
242-
return restricts.isRestrictedServiceAllowed(service);
242+
return restricts.isRestrictedServiceAllowed(service, true);
243+
}
244+
return true;
245+
}
246+
247+
/**
248+
* Check if the service is allowed to be registered in restricted security mode.
249+
*
250+
* @param service the service to check
251+
* @return true if the service is allowed to be registered
252+
*/
253+
public static boolean canServiceBeRegistered(Service service) {
254+
if (securityEnabled) {
255+
return restricts.isRestrictedServiceAllowed(service, false);
243256
}
244257
return true;
245258
}
@@ -740,10 +753,11 @@ private RestrictedSecurityProperties(String profileID, ProfileParser parser) {
740753
/**
741754
* Check if the Service is allowed in restricted security mode.
742755
*
743-
* @param service the Service to check
756+
* @param service the Service to check
757+
* @param checkUse should its attempted use be checked against the accepted
744758
* @return true if the Service is allowed
745759
*/
746-
boolean isRestrictedServiceAllowed(Service service) {
760+
boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {
747761
Provider provider = service.getProvider();
748762
String providerClassName = provider.getClass().getName();
749763

@@ -779,11 +793,13 @@ boolean isRestrictedServiceAllowed(Service service) {
779793
String cType = constraint.type;
780794
String cAlgorithm = constraint.algorithm;
781795
String cAttribute = constraint.attributes;
796+
String cAcceptedUses = constraint.acceptedUses;
782797
if (debug != null) {
783798
debug.println("Checking provider constraint:"
784799
+ "\n\tService type: " + cType
785800
+ "\n\tAlgorithm: " + cAlgorithm
786-
+ "\n\tAttributes: " + cAttribute);
801+
+ "\n\tAttributes: " + cAttribute
802+
+ "\n\tAccepted uses: " + cAcceptedUses);
787803
}
788804

789805
if (!isAsterisk(cType) && !type.equals(cType)) {
@@ -801,56 +817,114 @@ boolean isRestrictedServiceAllowed(Service service) {
801817
continue;
802818
}
803819

804-
// For type and algorithm match, and attribute is *.
805-
if (isAsterisk(cAttribute)) {
806-
if (debug != null) {
807-
debug.println("The following service:"
808-
+ "\n\tService type: " + type
809-
+ "\n\tAlgorithm: " + algorithm
810-
+ "\nis allowed in provider: " + providerClassName);
811-
}
812-
return true;
813-
}
814-
815820
// For type and algorithm match, and attribute is not *.
816821
// Then continue checking attributes.
817-
String[] cAttributeArray = cAttribute.split(":");
822+
if (!isAsterisk(cAttribute)) {
823+
String[] cAttributeArray = cAttribute.split(":");
818824

819-
// For each attribute, must be all matched for return allowed.
820-
for (String attribute : cAttributeArray) {
821-
String[] input = attribute.split("=", 2);
825+
// For each attribute, must be all matched for return allowed.
826+
for (String attribute : cAttributeArray) {
827+
String[] input = attribute.split("=", 2);
822828

823-
String cName = input[0].trim();
824-
String cValue = input[1].trim();
825-
String sValue = service.getAttribute(cName);
826-
if (debug != null) {
827-
debug.println("Checking specific attribute with:"
828-
+ "\n\tName: " + cName
829-
+ "\n\tValue: " + cValue
830-
+ "\nagainst the service attribute value: " + sValue);
829+
String cName = input[0].trim();
830+
String cValue = input[1].trim();
831+
String sValue = service.getAttribute(cName);
832+
if (debug != null) {
833+
debug.println("Checking specific attribute with:"
834+
+ "\n\tName: " + cName
835+
+ "\n\tValue: " + cValue
836+
+ "\nagainst the service attribute value: " + sValue);
837+
}
838+
if ((sValue == null) || !cValue.equalsIgnoreCase(sValue)) {
839+
// If any attribute doesn't match, return service is not allowed.
840+
if (debug != null) {
841+
debug.println("Attributes don't match!");
842+
debug.println("The following service:"
843+
+ "\n\tService type: " + type
844+
+ "\n\tAlgorithm: " + algorithm
845+
+ "\n\tAttribute: " + cAttribute
846+
+ "\nis NOT allowed in provider: " + providerClassName);
847+
}
848+
return false;
849+
}
850+
if (debug != null) {
851+
debug.println("Attributes match!");
852+
}
831853
}
832-
if ((sValue == null) || !cValue.equalsIgnoreCase(sValue)) {
833-
// If any attribute doesn't match, return service is not allowed.
854+
}
855+
856+
// See if accepted uses have been specified and apply
857+
// them to the call stack.
858+
if (checkUse && (cAcceptedUses != null)) {
859+
String[] optionAndValue = cAcceptedUses.split(":");
860+
String option = optionAndValue[0];
861+
String value = optionAndValue[1];
862+
StackTraceElement[] stackElements = Thread.currentThread().getStackTrace();
863+
boolean found = false;
864+
for (StackTraceElement stackElement : stackElements) {
834865
if (debug != null) {
835-
debug.println("Attributes don't match!");
866+
debug.println("Attempting to match " + stackElement + " with: " + option + " : " + value);
867+
}
868+
String stackElemModule = stackElement.getModuleName();
869+
String stackElemFullClassName = stackElement.getClassName();
870+
int stackElemEnd = stackElemFullClassName.lastIndexOf('.');
871+
String stackElemPackage = null;
872+
if (stackElemEnd != -1) {
873+
stackElemPackage = stackElemFullClassName.substring(0, stackElemEnd);
874+
}
875+
String module;
876+
switch (option) {
877+
case "ModuleAndFullClassName":
878+
String[] moduleAndFullClassName = value.split("/");
879+
module = moduleAndFullClassName[0];
880+
String fullClassName = moduleAndFullClassName[1];
881+
found = module.equals(stackElemModule) && stackElemFullClassName.equals(fullClassName);
882+
break;
883+
case "ModuleAndPackage":
884+
String[] moduleAndPackage = value.split("/");
885+
module = moduleAndPackage[0];
886+
String packageValue = moduleAndPackage[1];
887+
found = module.equals(stackElemModule) && packageValue.equals(stackElemPackage);
888+
break;
889+
case "FullClassName":
890+
found = stackElemFullClassName.equals(value);
891+
break;
892+
case "Package":
893+
found = value.equals(stackElemPackage);
894+
break;
895+
default:
896+
printStackTraceAndExit("Incorrect option to match in constraint: " + constraint);
897+
break;
898+
}
899+
900+
if (found) {
901+
break;
902+
}
903+
}
904+
905+
// If nothing matching the accepted uses is found in the call stack,
906+
// this service is not allowed.
907+
if (!found) {
908+
if (debug != null) {
909+
debug.println("Classes in call stack are not part of accepted uses!");
836910
debug.println("The following service:"
837911
+ "\n\tService type: " + type
838912
+ "\n\tAlgorithm: " + algorithm
839913
+ "\n\tAttribute: " + cAttribute
914+
+ "\n\tAccepted uses: " + cAcceptedUses
840915
+ "\nis NOT allowed in provider: " + providerClassName);
841916
}
842917
return false;
843918
}
844-
if (debug != null) {
845-
debug.println("Attributes match!");
846-
}
847919
}
920+
848921
if (debug != null) {
849922
debug.println("All attributes matched!");
850923
debug.println("The following service:"
851924
+ "\n\tService type: " + type
852925
+ "\n\tAlgorithm: " + algorithm
853926
+ "\n\tAttribute: " + cAttribute
927+
+ "\n\tAccepted uses: " + cAcceptedUses
854928
+ "\nis allowed in provider: " + providerClassName);
855929
}
856930
return true;
@@ -1437,7 +1511,8 @@ private void setConstraints(String providerName, String providerInfo, boolean pr
14371511
final String typeRE = "\\w+";
14381512
final String algoRE = "[A-Za-z0-9./_-]+";
14391513
final String attrRE = "[A-Za-z0-9=*|.:]+";
1440-
final String consRE = "\\{(" + typeRE + "),(" + algoRE + "),(" + attrRE + ")\\}";
1514+
final String usesRE = "[A-Za-z0-9._:/$]+";
1515+
final String consRE = "\\{(" + typeRE + "),(" + algoRE + "),(" + attrRE + ")(," + usesRE + ")?\\}";
14411516
p = Pattern.compile(
14421517
"\\["
14431518
+ "([+-]?)" // option to append or remove
@@ -1460,6 +1535,42 @@ private void setConstraints(String providerName, String providerInfo, boolean pr
14601535
String inType = m.group(1);
14611536
String inAlgorithm = m.group(2);
14621537
String inAttributes = m.group(3);
1538+
String inAcceptedUses = m.group(4);
1539+
1540+
if (inAcceptedUses != null) {
1541+
inAcceptedUses = inAcceptedUses.substring(1);
1542+
boolean isSpecIncorrect = false;
1543+
String[] optionAndValue = inAcceptedUses.split(":");
1544+
if (optionAndValue.length != 2) {
1545+
isSpecIncorrect = true;
1546+
} else {
1547+
String option = optionAndValue[0];
1548+
String value = optionAndValue[1];
1549+
switch (option) {
1550+
case "ModuleAndFullClassName":
1551+
if (value.split("/").length != 2) {
1552+
isSpecIncorrect = true;
1553+
}
1554+
break;
1555+
case "ModuleAndPackage":
1556+
if (value.split("/").length != 2) {
1557+
isSpecIncorrect = true;
1558+
}
1559+
break;
1560+
case "FullClassName":
1561+
case "Package":
1562+
// Nothing further to check in those options.
1563+
break;
1564+
default:
1565+
isSpecIncorrect = true;
1566+
break;
1567+
}
1568+
}
1569+
if (isSpecIncorrect) {
1570+
printStackTraceAndExit("Incorrect specification of accepted uses in constraint for "
1571+
+ inType + ", " + inAlgorithm + ": " + inAcceptedUses);
1572+
}
1573+
}
14631574

14641575
// Each attribute must includes 2 fields (key and value) or *.
14651576
if (!isAsterisk(inAttributes)) {
@@ -1472,7 +1583,8 @@ private void setConstraints(String providerName, String providerInfo, boolean pr
14721583
}
14731584
}
14741585
}
1475-
Constraint constraint = new Constraint(inType, inAlgorithm, inAttributes);
1586+
1587+
Constraint constraint = new Constraint(inType, inAlgorithm, inAttributes, inAcceptedUses);
14761588
constraints.add(constraint);
14771589
}
14781590

@@ -1743,7 +1855,7 @@ private static void checkProviderFormat(String providerInfo, boolean update) {
17431855
+ "(\\[" // constraints [optional]
17441856
+ "\\s*"
17451857
+ "([+-])?" // action [optional]
1746-
+ "[A-Za-z0-9{}.=*|:,/_\\s-]+" // constraint definition
1858+
+ "[A-Za-z0-9{}.=*|:$,/_\\s-]+" // constraint definition
17471859
+ "\\])?"
17481860
+ "\\s*"
17491861
+ "$");
@@ -1806,17 +1918,27 @@ private static final class Constraint {
18061918
final String type;
18071919
final String algorithm;
18081920
final String attributes;
1921+
final String acceptedUses;
18091922

1810-
Constraint(String type, String algorithm, String attributes) {
1923+
Constraint(String type, String algorithm, String attributes, String acceptedUses) {
18111924
super();
18121925
this.type = type;
18131926
this.algorithm = algorithm;
18141927
this.attributes = attributes;
1928+
this.acceptedUses = acceptedUses;
18151929
}
18161930

18171931
@Override
18181932
public String toString() {
1819-
return "{" + type + ", " + algorithm + ", " + attributes + "}";
1933+
StringBuilder buffer = new StringBuilder();
1934+
buffer.append("{").append(type);
1935+
buffer.append(", ").append(algorithm);
1936+
buffer.append(", ").append(attributes);
1937+
if (acceptedUses != null) {
1938+
buffer.append(", ").append(acceptedUses);
1939+
}
1940+
buffer.append("}");
1941+
return buffer.toString();
18201942
}
18211943

18221944
@Override
@@ -1827,14 +1949,15 @@ public boolean equals(Object obj) {
18271949
if (obj instanceof Constraint other) {
18281950
return Objects.equals(type, other.type)
18291951
&& Objects.equals(algorithm, other.algorithm)
1830-
&& Objects.equals(attributes, other.attributes);
1952+
&& Objects.equals(attributes, other.attributes)
1953+
&& Objects.equals(acceptedUses, other.acceptedUses);
18311954
}
18321955
return false;
18331956
}
18341957

18351958
@Override
18361959
public int hashCode() {
1837-
return Objects.hash(type, algorithm, attributes);
1960+
return Objects.hash(type, algorithm, attributes, acceptedUses);
18381961
}
18391962
}
18401963
}

0 commit comments

Comments
 (0)