Skip to content

Commit

Permalink
Fix javax.crypto.JceSecurity substitutions in JDK >= 17.0.10
Browse files Browse the repository at this point in the history
  • Loading branch information
zakkak committed Nov 9, 2023
1 parent 34be002 commit efaead0
Show file tree
Hide file tree
Showing 2 changed files with 85 additions and 6 deletions.
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand All @@ -26,6 +26,7 @@

import static com.oracle.svm.core.snippets.KnownIntrinsics.readCallerStackPointer;

import java.lang.ref.ReferenceQueue;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.net.URL;
Expand All @@ -43,8 +44,10 @@
import java.security.SecureRandom;
import java.util.List;
import java.util.Map;
import java.util.function.BooleanSupplier;
import java.util.function.Predicate;

import org.graalvm.compiler.serviceprovider.GraalServices;
import org.graalvm.compiler.serviceprovider.JavaVersionUtil;
import org.graalvm.nativeimage.Platform;
import org.graalvm.nativeimage.Platforms;
Expand Down Expand Up @@ -317,10 +320,26 @@ static boolean isTrustedCryptoProvider(Provider provider) {
}
}

final class QueueFieldPresent implements BooleanSupplier {
@Override
public boolean getAsBoolean() {
try {
Class<?> jceSecurity = Class.forName("javax.crypto.JceSecurity");
jceSecurity.getDeclaredField("queue");
return true;
} catch (ClassNotFoundException | NoSuchFieldException e) {
return false;
}
}
}

@TargetClass(className = "javax.crypto.JceSecurity")
@SuppressWarnings({"unused"})
final class Target_javax_crypto_JceSecurity {

@Alias @TargetElement(onlyWith = QueueFieldPresent.class)//
public static ReferenceQueue<Object> queue;

/*
* Lazily recompute the RANDOM field at runtime. We cannot push the entire static initialization
* of JceSecurity to run time because we want the JceSecurity.verificationResults initialized at
Expand Down Expand Up @@ -393,8 +412,19 @@ public Object transform(Object receiver, Object originalValue) {
}
}

@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "IdentityWrapper", onlyWith = JDK17OrLater.class)
@SuppressWarnings({"unused"})
final class IdentityWrapperPresent implements BooleanSupplier {
@Override
public boolean getAsBoolean() {
try {
Class.forName("javax.crypto.JceSecurity$IdentityWrapper");
return true;
} catch (ClassNotFoundException e) {
return false;
}
}
}

@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "IdentityWrapper", onlyWith = IdentityWrapperPresent.class)
final class Target_javax_crypto_JceSecurity_IdentityWrapper {
@Alias //
Provider obj;
Expand All @@ -405,6 +435,26 @@ final class Target_javax_crypto_JceSecurity_IdentityWrapper {
}
}

final class WeakIdentityWrapperPresent implements BooleanSupplier {
@Override
public boolean getAsBoolean() {
try {
Class.forName("javax.crypto.JceSecurity$WeakIdentityWrapper");
return true;
} catch (ClassNotFoundException e) {
return false;
}
}
}

@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "WeakIdentityWrapper", onlyWith = WeakIdentityWrapperPresent.class)
final class Target_javax_crypto_JceSecurity_WeakIdentityWrapper {
@Alias //
Target_javax_crypto_JceSecurity_WeakIdentityWrapper(Provider obj, ReferenceQueue<Object> queue) {
// Do nothing this is just an alias
}
}

class JceSecurityAccessor {
private static volatile SecureRandom RANDOM;

Expand Down Expand Up @@ -436,7 +486,12 @@ static Object providerKey(Provider p) {
if (JavaVersionUtil.JAVA_SPEC <= 11) {
return p;
}

/* Starting with JDK 17 the verification results map key is an identity wrapper object. */
if (JavaVersionUtil.JAVA_SPEC == 17 && GraalServices.getJavaUpdateVersion() >= 10) {
return new Target_javax_crypto_JceSecurity_WeakIdentityWrapper(p, Target_javax_crypto_JceSecurity.queue);
}

return new Target_javax_crypto_JceSecurity_IdentityWrapper(p);
}

Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -31,6 +31,7 @@
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.ref.Reference;
import java.lang.reflect.Executable;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
Expand Down Expand Up @@ -88,6 +89,7 @@
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;

import org.graalvm.compiler.options.Option;
import org.graalvm.compiler.serviceprovider.GraalServices;
import org.graalvm.compiler.serviceprovider.JavaVersionUtil;
import org.graalvm.nativeimage.ImageSingletons;
import org.graalvm.nativeimage.hosted.RuntimeJNIAccess;
Expand Down Expand Up @@ -885,9 +887,31 @@ private Function<Object, Object> constructVerificationCacheCleaner(Class<?> jceS
};
}
/*
* For JDK 17 and later, the verification cache is an IdentityWrapper -> Verification result
* ConcurrentHashMap. The IdentityWrapper contains the actual provider in the 'obj' field.
* For JDK 17.0.10 and later, the verification cache is a WeakIdentityWrapper ->
* Verification result ConcurrentHashMap. The WeakIdentityWrapper contains the actual
* provider in the 'obj' field.
*/
if (JavaVersionUtil.JAVA_SPEC == 17 && GraalServices.getJavaUpdateVersion() >= 10) {
Method getReferent = ReflectionUtil.lookupMethod(Reference.class, "get");
Predicate<Object> listRemovalPredicate = wrapper -> {
try {
return shouldRemoveProvider((Provider) getReferent.invoke(wrapper));
} catch (IllegalAccessException | InvocationTargetException e) {
throw VMError.shouldNotReachHere(e);
}
};

return obj -> {
Map<Object, Object> original = (Map<Object, Object>) obj;
Map<Object, Object> verificationResults = new ConcurrentHashMap<>(original);

verificationResults.keySet().removeIf(listRemovalPredicate);

return verificationResults;
};

}

Class<?> identityWrapper = loader.findClassOrFail("javax.crypto.JceSecurity$IdentityWrapper");
Field providerField = ReflectionUtil.lookupField(identityWrapper, "obj");

Expand Down

0 comments on commit efaead0

Please sign in to comment.