2323 */
2424package openj9 .internal .security ;
2525
26- import java .lang .StackWalker .Option ;
2726import java .nio .charset .StandardCharsets ;
2827import java .security .MessageDigest ;
2928import java .security .NoSuchAlgorithmException ;
@@ -162,6 +161,21 @@ private RestrictedSecurity() {
162161 super ();
163162 }
164163
164+ /**
165+ * Check loaded profiles' hash values.
166+ *
167+ * In order to avoid unintentional changes in profiles and incentivize
168+ * extending profiles, instead of altering them, a digest of the profile
169+ * is calculated and compared to the expected value.
170+ */
171+ private static void checkHashValues () {
172+ ProfileParser parser = profileParser ;
173+ if ((parser != null ) && !isJarVerifierInStackTrace ()) {
174+ profileParser = null ;
175+ parser .checkHashValues ();
176+ }
177+ }
178+
165179 /**
166180 * Check if restricted security mode is enabled.
167181 *
@@ -231,11 +245,7 @@ public static boolean isFIPSEnabled() {
231245 */
232246 public static boolean isServiceAllowed (Service service ) {
233247 if (securityEnabled ) {
234- ProfileParser parser = profileParser ;
235- if ((parser != null ) && !isJarVerifierInStackTrace ()) {
236- profileParser = null ;
237- parser .checkHashValues ();
238- }
248+ checkHashValues ();
239249 return restricts .isRestrictedServiceAllowed (service , true );
240250 }
241251 return true ;
@@ -249,11 +259,7 @@ public static boolean isServiceAllowed(Service service) {
249259 */
250260 public static boolean canServiceBeRegistered (Service service ) {
251261 if (securityEnabled ) {
252- ProfileParser parser = profileParser ;
253- if ((parser != null ) && !isJarVerifierInStackTrace ()) {
254- profileParser = null ;
255- parser .checkHashValues ();
256- }
262+ checkHashValues ();
257263 return restricts .isRestrictedServiceAllowed (service , false );
258264 }
259265 return true ;
@@ -267,11 +273,7 @@ public static boolean canServiceBeRegistered(Service service) {
267273 */
268274 public static boolean isProviderAllowed (String providerName ) {
269275 if (securityEnabled ) {
270- ProfileParser parser = profileParser ;
271- if ((parser != null ) && !isJarVerifierInStackTrace ()) {
272- profileParser = null ;
273- parser .checkHashValues ();
274- }
276+ checkHashValues ();
275277 // Remove argument, e.g. -NSS-FIPS, if present.
276278 int pos = providerName .indexOf ('-' );
277279 if (pos >= 0 ) {
@@ -291,11 +293,7 @@ public static boolean isProviderAllowed(String providerName) {
291293 */
292294 public static boolean isProviderAllowed (Class <?> providerClazz ) {
293295 if (securityEnabled ) {
294- ProfileParser parser = profileParser ;
295- if ((parser != null ) && !isJarVerifierInStackTrace ()) {
296- profileParser = null ;
297- parser .checkHashValues ();
298- }
296+ checkHashValues ();
299297 String providerClassName = providerClazz .getName ();
300298
301299 // Check if the specified class extends java.security.Provider.
@@ -386,11 +384,11 @@ private static void getProfileID(Properties props) {
386384 }
387385
388386 private static boolean isJarVerifierInStackTrace () {
389- return StackWalker .getInstance (Option .RETAIN_CLASS_REFERENCE )
390- .walk (sf -> sf .map (s -> s .toStackTraceElement ())
391- .anyMatch (s -> ("java.util.jar.JarVerifier" .equals (s .getClassName ())
392- && "java.base" .equals (s .getModuleName ()))
393- )
387+ return StackWalker .getInstance (StackWalker . Option .RETAIN_CLASS_REFERENCE )
388+ .walk (sf -> sf .map (s -> s .getDeclaringClass ())
389+ .anyMatch (s -> ("java.util.jar.JarVerifier" .equals (s .getName ())
390+ && "java.base" .equals (s .getModule (). getName ()))
391+ )
394392 );
395393 }
396394
0 commit comments