Allow RestrictedSecurity property extension from default values

Author: KostasTsiounis

closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java

@@ -1090,7 +1090,7 @@ private void init(String profileID) {
                     // Load restricted security providers from java.security properties.
                     initProviders(profileID, allInfo);
                     // Load restricted security properties from java.security properties.
-                    loadProperties(profileID, allInfo);
+                    loadProperties(profileID, allInfo, true);
 
                     String hashProperty = profileID + ".desc.hash";
                     String hashValue = securityProps.getProperty(hashProperty);
@@ -1124,7 +1124,7 @@ private void update(String profileExtensionId) {
                 // Load restricted security providers from java.security properties.
                 updateProviders(profileExtensionId, allInfo);
                 // Load restricted security properties from java.security properties.
-                loadProperties(profileExtensionId, allInfo);
+                loadProperties(profileExtensionId, allInfo, false);
 
                 String hashProperty = profileExtensionId + ".desc.hash";
                 String hashValue = securityProps.getProperty(hashProperty);
@@ -1314,48 +1314,79 @@ private void updateProviders(String profileExtensionId, List<String> allInfo) {
             }
         }
 
+        private String getExistingValue(String property) {
+            // Look for values from profiles that this one extends.
+            String existingValue = profileProperties.get(property);
+
+            // If there is no value, look for non-profile values in java.security file.
+            if (existingValue == null) {
+                String propertyKey = null;
+                switch (property) {
+                case "jdkCertpathDisabledAlgorithms":
+                    propertyKey = "jdk.certpath.disabledAlgorithms";
+                    break;
+                case "jdkSecurityLegacyAlgorithms":
+                    propertyKey = "jdk.security.legacyAlgorithms";
+                    break;
+                case "jdkTlsDisabledAlgorithms":
+                    propertyKey = "jdk.tls.disabledAlgorithms";
+                    break;
+                case "jdkTlsDisabledNamedCurves":
+                    propertyKey = "jdk.tls.disabledNamedCurves";
+                    break;
+                case "jdkTlsLegacyAlgorithms":
+                    propertyKey = "jdk.tls.legacyAlgorithms";
+                    break;
+                default:
+                    propertyKey = "";
+                }
+                existingValue = securityProps.getProperty(propertyKey);
+            }
+            return existingValue;
+        }
+
         /**
          * Load restricted security properties.
          */
-        private void loadProperties(String profileID, List<String> allInfo) {
+        private void loadProperties(String profileID, List<String> allInfo, boolean isBaseProfile) {
             if (debug != null) {
                 debug.println("\tLoading properties of restricted security profile.");
             }
 
-            setProperty("descName", profileID + ".desc.name", allInfo);
-            if (setProperty("descIsDefaultString", profileID + ".desc.default", allInfo)) {
+            setProperty("descName", profileID + ".desc.name", allInfo, isBaseProfile);
+            if (setProperty("descIsDefaultString", profileID + ".desc.default", allInfo, isBaseProfile)) {
                 descIsDefault = Boolean.parseBoolean(profileProperties.get("descIsDefaultString"));
             }
-            if (setProperty("descIsFIPSString", profileID + ".desc.fips", allInfo)) {
+            if (setProperty("descIsFIPSString", profileID + ".desc.fips", allInfo, isBaseProfile)) {
                 descIsFIPS = Boolean.parseBoolean(profileProperties.get("descIsFIPSString"));
             }
-            setProperty("descNumber", profileID + ".desc.number", allInfo);
-            setProperty("descPolicy", profileID + ".desc.policy", allInfo);
-            setProperty("descSunsetDate", profileID + ".desc.sunsetDate", allInfo);
+            setProperty("descNumber", profileID + ".desc.number", allInfo, isBaseProfile);
+            setProperty("descPolicy", profileID + ".desc.policy", allInfo, isBaseProfile);
+            setProperty("descSunsetDate", profileID + ".desc.sunsetDate", allInfo, isBaseProfile);
 
             setProperty("jdkTlsDisabledNamedCurves",
-                    profileID + ".tls.disabledNamedCurves", allInfo);
+                    profileID + ".tls.disabledNamedCurves", allInfo, isBaseProfile);
             setProperty("jdkTlsDisabledAlgorithms",
-                    profileID + ".tls.disabledAlgorithms", allInfo);
+                    profileID + ".tls.disabledAlgorithms", allInfo, isBaseProfile);
             setProperty("jdkTlsEphemeralDHKeySize",
-                    profileID + ".tls.ephemeralDHKeySize", allInfo);
+                    profileID + ".tls.ephemeralDHKeySize", allInfo, isBaseProfile);
             setProperty("jdkTlsLegacyAlgorithms",
-                    profileID + ".tls.legacyAlgorithms", allInfo);
+                    profileID + ".tls.legacyAlgorithms", allInfo, isBaseProfile);
             setProperty("jdkCertpathDisabledAlgorithms",
-                    profileID + ".jce.certpath.disabledAlgorithms", allInfo);
+                    profileID + ".jce.certpath.disabledAlgorithms", allInfo, isBaseProfile);
             setProperty("jdkSecurityLegacyAlgorithms",
-                    profileID + ".jce.legacyAlgorithms", allInfo);
+                    profileID + ".jce.legacyAlgorithms", allInfo, isBaseProfile);
             setProperty("keyStoreType",
-                    profileID + ".keystore.type", allInfo);
+                    profileID + ".keystore.type", allInfo, isBaseProfile);
             setProperty("keyStore",
-                    profileID + ".javax.net.ssl.keyStore", allInfo);
+                    profileID + ".javax.net.ssl.keyStore", allInfo, isBaseProfile);
 
             setProperty("jdkSecureRandomProvider",
-                    profileID + ".securerandom.provider", allInfo);
+                    profileID + ".securerandom.provider", allInfo, isBaseProfile);
             setProperty("jdkSecureRandomAlgorithm",
-                    profileID + ".securerandom.algorithm", allInfo);
+                    profileID + ".securerandom.algorithm", allInfo, isBaseProfile);
             setProperty("jdkFipsMode",
-                    profileID + ".fips.mode", allInfo);
+                    profileID + ".fips.mode", allInfo, isBaseProfile);
 
             if (debug != null) {
                 debug.println("\tProperties of restricted security profile successfully loaded.");
@@ -1573,7 +1604,7 @@ private void printProfile(String profileToPrint) {
          * @param propertyKey   the property key in the java.security file
          * @return              whether the property was set
          */
-        private boolean setProperty(String property, String propertyKey, List<String> allInfo) {
+        private boolean setProperty(String property, String propertyKey, List<String> allInfo, boolean isBaseProfile) {
             if (debug != null) {
                 debug.println("Setting property: " + property);
             }
@@ -1585,7 +1616,7 @@ private boolean setProperty(String property, String propertyKey, List<String> al
                 allInfo.add(propertyKey + "=" + value);
 
                 // Check if property overrides, adds to or removes from previous value.
-                String existingValue = profileProperties.get(property);
+                String existingValue = getExistingValue(property);
                 if (value.startsWith("+")) {
                     if (!isPropertyAppendable(property)) {
                         printStackTraceAndExit("Property '" + property + "' is not appendable.");