Address review comments

KostasTsiounis · KostasTsiounis · commit e2e14f711172 · 2025-02-24T14:07:00.000-05:00
diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
@@ -23,6 +23,7 @@
  */
 package openj9.internal.security;
 
+import java.lang.StringBuilder;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -239,7 +240,7 @@ public static boolean isFIPSEnabled() {
      */
     public static boolean isServiceAllowed(Service service) {
         if (securityEnabled) {
-            return restricts.isRestrictedServiceAllowed(service, false);
+            return restricts.isRestrictedServiceAllowed(service, true);
         }
         return true;
     }
@@ -252,7 +253,7 @@ public static boolean isServiceAllowed(Service service) {
      */
     public static boolean canServiceBeRegistered(Service service) {
         if (securityEnabled) {
-            return restricts.isRestrictedServiceAllowed(service, true);
+            return restricts.isRestrictedServiceAllowed(service, false);
         }
         return true;
     }
@@ -753,10 +754,11 @@ private RestrictedSecurityProperties(String profileID, ProfileParser parser) {
         /**
          * Check if the Service is allowed in restricted security mode.
          *
-         * @param service the Service to check
+         * @param service   the Service to check
+         * @param checkUse  should its attempted use be checked against the accepted
          * @return true if the Service is allowed
          */
-        boolean isRestrictedServiceAllowed(Service service, boolean isServiceAdded) {
+        boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {
             Provider provider = service.getProvider();
             String providerClassName = provider.getClass().getName();
 
@@ -854,12 +856,8 @@ boolean isRestrictedServiceAllowed(Service service, boolean isServiceAdded) {
 
                 // See if accepted uses have been specified and apply
                 // them to the call stack.
-                if (!isServiceAdded && !isNullOrBlank(cAcceptedUses)) {
+                if (checkUse && !isNullOrBlank(cAcceptedUses)) {
                     String[] optionAndValue = cAcceptedUses.split(":");
-                    if (optionAndValue.length != 2) {
-                        printStackTraceAndExit("Incorrect specification of accepted uses in constraint: '"
-                            + constraint + "'. Couldn't find option and value separated by ':'");
-                    }
                     String option = optionAndValue[0];
                     String value = optionAndValue[1];
                     StackTraceElement[] stackElements = Thread.currentThread().getStackTrace();
@@ -870,43 +868,33 @@ boolean isRestrictedServiceAllowed(Service service, boolean isServiceAdded) {
                         }
                         String stackElemModule = stackElement.getModuleName();
                         String stackElemFullClassName = stackElement.getClassName();
-                        int stackElemEnd = stackElemFullClassName.lastIndexOf(".");
+                        int stackElemEnd = stackElemFullClassName.lastIndexOf('.');
                         String stackElemPackage = null;
                         if (stackElemEnd != -1) {
                             stackElemPackage = stackElemFullClassName.substring(0, stackElemEnd);
                         }
                         String module;
                         switch (option) {
-                            case "ModuleAndFullClassName":
-                                String[] moduleAndFullClassName = value.split("/");
-                                if (moduleAndFullClassName.length != 2) {
-                                    printStackTraceAndExit("Incorrect specification of accepted uses in constraint: '"
-                                        + constraint + "'. Couldn't find module and classname separated by '/'");
-                                }
-                                module = moduleAndFullClassName[0];
-                                String fullClassName = moduleAndFullClassName[1];
-                                found = (stackElemModule != null) && stackElemModule.equals(module)
-                                        && stackElemFullClassName.equals(fullClassName);
-                                break;
-                            case "ModuleAndPackage":
-                                String[] moduleAndPackage = value.split("/");
-                                if (moduleAndPackage.length != 2) {
-                                    printStackTraceAndExit("Incorrect specification of accepted uses in constraint: '"
-                                        + constraint + "'. Couldn't find module and classname separated by '/'");
-                                }
-                                module = moduleAndPackage[0];
-                                String packageValue = moduleAndPackage[1];
-                                found = (stackElemModule != null) && stackElemModule.equals(module)
-                                        && (stackElemPackage != null) && stackElemPackage.equals(packageValue);
-                                break;
-                            case "FullClassName":
-                                found = stackElemFullClassName.equals(value);
-                                break;
-                            case "Package":
-                                found = (stackElemPackage != null) && stackElemPackage.equals(value);
-                                break;
-                            default:
-                                printStackTraceAndExit("Incorrect option to match in constraint: " + constraint);
+                        case "ModuleAndFullClassName":
+                            String[] moduleAndFullClassName = value.split("/");
+                            module = moduleAndFullClassName[0];
+                            String fullClassName = moduleAndFullClassName[1];
+                            found = module.equals(stackElemModule) && stackElemFullClassName.equals(fullClassName);
+                            break;
+                        case "ModuleAndPackage":
+                            String[] moduleAndPackage = value.split("/");
+                            module = moduleAndPackage[0];
+                            String packageValue = moduleAndPackage[1];
+                            found = module.equals(stackElemModule) && packageValue.equals(stackElemPackage);
+                            break;
+                        case "FullClassName":
+                            found = stackElemFullClassName.equals(value);
+                            break;
+                        case "Package":
+                            found = value.equals(stackElemPackage);
+                            break;
+                        default:
+                            printStackTraceAndExit("Incorrect option to match in constraint: " + constraint);
                         }
 
                         if (found) {
@@ -1549,10 +1537,40 @@ private void setConstraints(String providerName, String providerInfo, boolean pr
                 String inAttributes = m.group(3);
                 String inAcceptedUses = m.group(4);
 
-                if (isNullOrBlank(inAcceptedUses)) {
-                    inAcceptedUses = null;
-                } else {
+                if (inAcceptedUses != null) {
                     inAcceptedUses = inAcceptedUses.substring(1);
+                    boolean isSpecIncorrect = false;
+                    String[] optionAndValue = inAcceptedUses.split(":");
+                    if (optionAndValue.length != 2) {
+                        isSpecIncorrect = true;
+                    }
+                    String option = optionAndValue[0];
+                    String value = optionAndValue[1];
+                    switch (option) {
+                    case "ModuleAndFullClassName":
+                        String[] moduleAndFullClassName = value.split("/");
+                        if (moduleAndFullClassName.length != 2) {
+                            isSpecIncorrect = true;
+                        }
+                        break;
+                    case "ModuleAndPackage":
+                        String[] moduleAndPackage = value.split("/");
+                        if (moduleAndPackage.length != 2) {
+                            isSpecIncorrect = true;
+                        }
+                        break;
+                    case "FullClassName":
+                    case "Package":
+                        // Nothing further to check in those options.
+                        break;
+                    default:
+                        isSpecIncorrect = true;
+                        break;
+                    }
+                    if (isSpecIncorrect) {
+                        printStackTraceAndExit("Incorrect specification of accepted uses in constraint for "
+                                + inType + ", " + inAlgorithm + ": " + inAcceptedUses);
+                    }
                 }
 
                 // Each attribute must includes 2 fields (key and value) or *.
@@ -1913,9 +1931,15 @@ private static final class Constraint {
 
         @Override
         public String toString() {
-            String constraintInfo = type + ", " + algorithm + ", " + attributes;
-            constraintInfo = (acceptedUses != null) ? constraintInfo + acceptedUses : constraintInfo;
-            return "{" + constraintInfo + "}";
+            StringBuilder buffer = new StringBuilder();
+            buffer.append("{").append(type);
+            buffer.append(", ").append(algorithm);
+            buffer.append(", ").append(attributes);
+            if (acceptedUses != null) {
+                buffer.append(", ").append(acceptedUses);
+            }
+            buffer.append("}");
+            return buffer.toString();
         }
 
         @Override
diff --git a/closed/test/jdk/openj9/internal/security/TestConstraintsFailure.java b/closed/test/jdk/openj9/internal/security/TestConstraintsFailure.java
@@ -36,9 +36,9 @@
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.MessageDigest;
-import java.security.cert.CertificateException;
 import java.security.NoSuchAlgorithmException;
 import java.security.Signature;
+import java.security.cert.CertificateException;
 import java.security.cert.CertPathValidator;
 import java.security.cert.CertStore;
 import java.security.cert.CertificateFactory;
@@ -61,110 +61,110 @@ public class TestConstraintsFailure {
     private static void getInstances() throws Exception {
         try {
             CertificateFactory.getInstance("X.509");
-            throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(CertificateException ce) {
+            throw new RuntimeException("A CertificateException should have been thrown");
+        } catch (CertificateException ce) {
             // Do nothing. This is expected.
         }
         try {
             CertPathValidator.getInstance("PKIX");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
         try {
             MessageDigest.getInstance("SHA-512");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
         try {
             KeyStore.getInstance("PKCS12");
-            throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(KeyStoreException ke) {
+            throw new RuntimeException("A KeyStoreException should have been thrown");
+        } catch (KeyStoreException ke) {
             // Do nothing. This is expected.
         }
-
         try {
             Signature.getInstance("SHA256withECDSA");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
         try {
             KeyPairGenerator.getInstance("EC");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
         try {
             KeyAgreement.getInstance("ECDH");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
         try {
             KeyFactory.getInstance("EC");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
-
         try {
             Cipher.getInstance("RSA");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
         try {
             KeyGenerator.getInstance("AES");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
         try {
             AlgorithmParameterGenerator.getInstance("DiffieHellman");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
 
         // Still a preview, but can be enabled in future versions.
-        /*try {
+        /*
+        try {
             KDF.getInstance("HKDF-SHA256");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
-        }*/
+        }
+        */
 
         try {
             SecretKeyFactory.getInstance("PBEWithMD5AndDES");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
         try {
             Mac.getInstance("HmacSHA256");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
 
         try {
             KeyManagerFactory.getInstance("SunX509");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
         try {
             TrustManagerFactory.getInstance("SunX509");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
         try {
             SSLContext.getInstance("TLSv1.3");
             throw new RuntimeException("A NoSuchAlgorithmException should have been thrown");
-        } catch(NoSuchAlgorithmException nsae) {
+        } catch (NoSuchAlgorithmException nsae) {
             // Do nothing. This is expected.
         }
     }
diff --git a/closed/test/jdk/openj9/internal/security/TestConstraintsSuccess.java b/closed/test/jdk/openj9/internal/security/TestConstraintsSuccess.java
@@ -37,9 +37,9 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.Signature;
+import java.security.cert.CertificateFactory;
 import java.security.cert.CertPathValidator;
 import java.security.cert.CertStore;
-import java.security.cert.CertificateFactory;
 
 import javax.crypto.Cipher;
 //import javax.crypto.KDF;
@@ -61,12 +61,10 @@ private static void getInstances() throws Exception {
         CertPathValidator.getInstance("PKIX");
         MessageDigest.getInstance("SHA-512");
         KeyStore.getInstance("PKCS12");
-
         Signature.getInstance("SHA256withECDSA");
         KeyPairGenerator.getInstance("EC");
         KeyAgreement.getInstance("ECDH");
         KeyFactory.getInstance("EC");
-
         Cipher.getInstance("RSA");
         KeyGenerator.getInstance("AES");
         AlgorithmParameterGenerator.getInstance("DiffieHellman");
@@ -76,7 +74,6 @@ private static void getInstances() throws Exception {
 
         SecretKeyFactory.getInstance("PBEWithMD5AndDES");
         Mac.getInstance("HmacSHA256");
-
         KeyManagerFactory.getInstance("SunX509");
         TrustManagerFactory.getInstance("SunX509");
         SSLContext.getInstance("TLSv1.3");
