Allow multiple constraints for each algorithm

KostasTsiounis · KostasTsiounis · commit 5a9311ca5e36 · 2025-02-28T16:46:48.000-05:00
If a constraint for an algorithm is found and the attributes
don't match or the class attempting to utilize it doesn't
match the accepted uses, the algorithm is considered not allowed
and loading it does not succeed.

Instead, we want to check all available constraints for an
algorithm before deciding if it is allowed to be used or not.

Signed-off-by: Kostas Tsiounis &lt;kostas.tsiounis@ibm.com&gt;
diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
@@ -789,6 +789,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {
             if (debug != null) {
                 debug.println("Security constraints check of provider.");
             }
+            constraints:
             for (Constraint constraint : constraints) {
                 String cType = constraint.type;
                 String cAlgorithm = constraint.algorithm;
@@ -807,14 +808,14 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {
                     if (debug != null) {
                         debug.println("The constraint doesn't apply to the service type.");
                     }
-                    continue;
+                    continue constraints;
                 }
                 if (!isAsterisk(cAlgorithm) && !algorithm.equalsIgnoreCase(cAlgorithm)) {
                     // The constraint doesn't apply to the service algorithm.
                     if (debug != null) {
                         debug.println("The constraint doesn't apply to the service algorithm.");
                     }
-                    continue;
+                    continue constraints;
                 }
 
                 // For type and algorithm match, and attribute is not *.
@@ -836,7 +837,8 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {
                                     + "\nagainst the service attribute value: " + sValue);
                         }
                         if ((sValue == null) || !cValue.equalsIgnoreCase(sValue)) {
-                            // If any attribute doesn't match, return service is not allowed.
+                            // If any of the attributes don't match,
+                            // then this constraint doesn't match so move on.
                             if (debug != null) {
                                 debug.println("Attributes don't match!");
                                 debug.println("The following service:"
@@ -845,7 +847,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {
                                             + "\n\tAttribute: " + cAttribute
                                             + "\nis NOT allowed in provider: " + providerClassName);
                             }
-                            return false;
+                            continue constraints;
                         }
                         if (debug != null) {
                             debug.println("Attributes match!");
@@ -903,7 +905,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {
                     }
 
                     // If nothing matching the accepted uses is found in the call stack,
-                    // this service is not allowed.
+                    // then this constraint doesn't match so move on.
                     if (!found) {
                         if (debug != null) {
                             debug.println("Classes in call stack are not part of accepted uses!");
@@ -914,7 +916,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {
                                         + "\n\tAccepted uses: " + cAcceptedUses
                                         + "\nis NOT allowed in provider: " + providerClassName);
                         }
-                        return false;
+                        continue constraints;
                     }
                 }
 

Original file line number	Diff line number	Diff line change
`@@ -789,6 +789,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {`
`789`	`789`	`if (debug != null) {`
`790`	`790`	`debug.println("Security constraints check of provider.");`
`791`	`791`	`}`
	`792`	`+ constraints:`
`792`	`793`	`for (Constraint constraint : constraints) {`
`793`	`794`	`String cType = constraint.type;`
`794`	`795`	`String cAlgorithm = constraint.algorithm;`
`@@ -807,14 +808,14 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {`
`807`	`808`	`if (debug != null) {`
`808`	`809`	`debug.println("The constraint doesn't apply to the service type.");`
`809`	`810`	`}`
`810`		`- continue;`
	`811`	`+ continue constraints;`
`811`	`812`	`}`
`812`	`813`	`if (!isAsterisk(cAlgorithm) && !algorithm.equalsIgnoreCase(cAlgorithm)) {`
`813`	`814`	`// The constraint doesn't apply to the service algorithm.`
`814`	`815`	`if (debug != null) {`
`815`	`816`	`debug.println("The constraint doesn't apply to the service algorithm.");`
`816`	`817`	`}`
`817`		`- continue;`
	`818`	`+ continue constraints;`
`818`	`819`	`}`
`819`	`820`
`820`	`821`	`// For type and algorithm match, and attribute is not *.`
`@@ -836,7 +837,8 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {`
`836`	`837`	`+ "\nagainst the service attribute value: " + sValue);`
`837`	`838`	`}`
`838`	`839`	`if ((sValue == null) \|\| !cValue.equalsIgnoreCase(sValue)) {`
`839`		`- // If any attribute doesn't match, return service is not allowed.`
	`840`	`+ // If any of the attributes don't match,`
	`841`	`+ // then this constraint doesn't match so move on.`
`840`	`842`	`if (debug != null) {`
`841`	`843`	`debug.println("Attributes don't match!");`
`842`	`844`	`debug.println("The following service:"`
`@@ -845,7 +847,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {`
`845`	`847`	`+ "\n\tAttribute: " + cAttribute`
`846`	`848`	`+ "\nis NOT allowed in provider: " + providerClassName);`
`847`	`849`	`}`
`848`		`- return false;`
	`850`	`+ continue constraints;`
`849`	`851`	`}`
`850`	`852`	`if (debug != null) {`
`851`	`853`	`debug.println("Attributes match!");`
`@@ -903,7 +905,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {`
`903`	`905`	`}`
`904`	`906`
`905`	`907`	`// If nothing matching the accepted uses is found in the call stack,`
`906`		`- // this service is not allowed.`
	`908`	`+ // then this constraint doesn't match so move on.`
`907`	`909`	`if (!found) {`
`908`	`910`	`if (debug != null) {`
`909`	`911`	`debug.println("Classes in call stack are not part of accepted uses!");`
`@@ -914,7 +916,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {`
`914`	`916`	`+ "\n\tAccepted uses: " + cAcceptedUses`
`915`	`917`	`+ "\nis NOT allowed in provider: " + providerClassName);`
`916`	`918`	`}`
`917`		`- return false;`
	`919`	`+ continue constraints;`
`918`	`920`	`}`
`919`	`921`	`}`
`920`	`922`