Address review comments

KostasTsiounis · KostasTsiounis · commit fa5078e0c27c · 2025-03-24T12:57:03.000-04:00
diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
@@ -23,6 +23,7 @@
  */
 package openj9.internal.security;
 
+import java.lang.StackWalker.Option;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -79,8 +80,6 @@ public final class RestrictedSecurity {
 
     private static RestrictedSecurityProperties restricts;
 
-    private static boolean profileHashChecked = false;
-
     private static final Set<String> unmodifiableProperties = new HashSet<>();
 
     private static final Map<String, List<String>> supportedPlatformsNSS = new HashMap<>();
@@ -163,20 +162,6 @@ private RestrictedSecurity() {
         super();
     }
 
-    /**
-     * Check loaded profiles' hash values.
-     *
-     * In order to avoid unintentional changes in profiles and incentivize
-     * extending profiles, instead of altering them, a digest of the profile
-     * is calculated and compared to the expected value.
-     */
-    public static void checkHashValues() {
-        if (profileParser != null) {
-            profileParser.checkHashValues();
-            profileParser = null;
-        }
-    }
-
     /**
      * Check if restricted security mode is enabled.
      *
@@ -246,9 +231,10 @@ public static boolean isFIPSEnabled() {
      */
     public static boolean isServiceAllowed(Service service) {
         if (securityEnabled) {
-            if (!(profileHashChecked || isJarVerifierinStackTrace())) {
-                profileHashChecked = true;
-                checkHashValues();
+            ProfileParser parser = profileParser;
+            if ((parser != null) && !isJarVerifierInStackTrace()) {
+                profileParser = null;
+                parser.checkHashValues();
             }
             return restricts.isRestrictedServiceAllowed(service, true);
         }
@@ -263,9 +249,10 @@ public static boolean isServiceAllowed(Service service) {
      */
     public static boolean canServiceBeRegistered(Service service) {
         if (securityEnabled) {
-            if (!(profileHashChecked || isJarVerifierinStackTrace())) {
-                profileHashChecked = true;
-                checkHashValues();
+            ProfileParser parser = profileParser;
+            if ((parser != null) && !isJarVerifierInStackTrace()) {
+                profileParser = null;
+                parser.checkHashValues();
             }
             return restricts.isRestrictedServiceAllowed(service, false);
         }
@@ -280,9 +267,10 @@ public static boolean canServiceBeRegistered(Service service) {
      */
     public static boolean isProviderAllowed(String providerName) {
         if (securityEnabled) {
-            if (!(profileHashChecked || isJarVerifierinStackTrace())) {
-                profileHashChecked = true;
-                checkHashValues();
+            ProfileParser parser = profileParser;
+            if ((parser != null) && !isJarVerifierInStackTrace()) {
+                profileParser = null;
+                parser.checkHashValues();
             }
             // Remove argument, e.g. -NSS-FIPS, if present.
             int pos = providerName.indexOf('-');
@@ -303,9 +291,10 @@ public static boolean isProviderAllowed(String providerName) {
      */
     public static boolean isProviderAllowed(Class<?> providerClazz) {
         if (securityEnabled) {
-            if (!(profileHashChecked || isJarVerifierinStackTrace())) {
-                profileHashChecked = true;
-                checkHashValues();
+            ProfileParser parser = profileParser;
+            if ((parser != null) && !isJarVerifierInStackTrace()) {
+                profileParser = null;
+                parser.checkHashValues();
             }
             String providerClassName = providerClazz.getName();
 
@@ -397,15 +386,12 @@ private static void getProfileID(Properties props) {
     }
 
     private static boolean isJarVerifierinStackTrace() {
-        StackTraceElement[] elements = Thread.currentThread().getStackTrace();
-        for (int i = 1; i < elements.length; i++) {
-            StackTraceElement stackTraceElement = elements[i];
-            if ("java.util.jar.JarVerifier".equals(stackTraceElement.getClassName())
-                && "java.base".equals(stackTraceElement.getModuleName())) {
-                return true;
-            }
-        }
-        return false;
+        return StackWalker.getInstance(Option.RETAIN_CLASS_REFERENCE)
+                          .walk(sf -> sf.map(s -> s.toStackTraceElement())
+                                        .anyMatch(s -> ("java.util.jar.JarVerifier".equals(s.getClassName())
+                                                            && "java.base".equals(s.getModuleName()))
+                                            )
+                               );
     }
 
     private static void checkIfKnownProfileSupported() {
