src/share/classes/javax/crypto/JceSecurity.java
rev 12525 : 8157561: Ship the unlimited policy files in JDK Updates
Reviewed-by: wetmore, erikj
@@ -27,16 +27,18 @@
import java.util.*;
import java.util.jar.*;
import java.io.*;
import java.net.URL;
+import java.nio.file.*;
import java.security.*;
import java.security.Provider.Service;
import sun.security.jca.*;
import sun.security.jca.GetInstance.Instance;
+import sun.security.util.Debug;
/**
* This class instantiates implementations of JCE engine classes from
* providers registered with the java.security.Security object.
*
@@ -64,10 +66,13 @@
private final static Map<Provider, Object> verifyingProviders =
new IdentityHashMap<>();
private static final boolean isRestricted;
+ private static final Debug debug =
+ Debug.getInstance("jca", "Cipher");
+
/*
* Don't let anyone instantiate this.
*/
private JceSecurity() {
}
@@ -202,11 +207,11 @@
// dummy object to represent null
private static final URL NULL_URL;
static {
try {
- NULL_URL = new URL("http://null.sun.com/");
+ NULL_URL = new URL("http://null.oracle.com/");
} catch (Exception e) {
throw new RuntimeException(e);
}
}
@@ -237,18 +242,74 @@
}
return (url == NULL_URL) ? null : url;
}
}
+ /*
+ * This is called from within an doPrivileged block.
+ *
+ * Following logic is used to decide what policy files are selected.
+ *
+ * If the new Security property (crypto.policy) is set in the
+ * java.security file, or has been set dynamically using the
+ * Security.setProperty() call before the JCE framework has
+ * been initialized, that setting will be used.
+ * Remember - this property is not defined by default. A conscious
+ * user edit or an application call is required.
+ *
+ * Otherwise, if user has policy jar files installed in the legacy
+ * jre/lib/security/ directory, the JDK will honor whatever
+ * setting is set by those policy files. (legacy/current behavior)
+ *
+ * If none of the above 2 conditions are met, the JDK will default
+ * to using the limited crypto policy files found in the
+ * jre/lib/security/policy/limited/ directory
+ */
private static void setupJurisdictionPolicies() throws Exception {
- String javaHomeDir = System.getProperty("java.home");
- String sep = File.separator;
- String pathToPolicyJar = javaHomeDir + sep + "lib" + sep +
- "security" + sep;
+ // Sanity check the crypto.policy Security property. Single
+ // directory entry, no pseudo-directories (".", "..", leading/trailing
+ // path separators). normalize()/getParent() will help later.
+ String javaHomeProperty = System.getProperty("java.home");
+ String cryptoPolicyProperty = Security.getProperty("crypto.policy");
+ Path cpPath = (cryptoPolicyProperty == null) ? null :
+ Paths.get(cryptoPolicyProperty);
+
+ if ((cpPath != null) && ((cpPath.getNameCount() != 1) ||
+ (cpPath.compareTo(cpPath.getFileName())) != 0)) {
+ throw new SecurityException(
+ "Invalid policy directory name format: " +
+ cryptoPolicyProperty);
+ }
+
+ if (cpPath == null) {
+ // Security property is not set, use default path
+ cpPath = Paths.get(javaHomeProperty, "lib", "security");
+ } else {
+ // populate with java.home
+ cpPath = Paths.get(javaHomeProperty, "lib", "security",
+ "policy", cryptoPolicyProperty);
+ }
+
+ if (debug != null) {
+ debug.println("crypto policy directory: " + cpPath);
+ }
+
+ File exportJar = new File(cpPath.toFile(),"US_export_policy.jar");
+ File importJar = new File(cpPath.toFile(),"local_policy.jar");
+
+ if (cryptoPolicyProperty == null && (!exportJar.exists() ||
+ !importJar.exists())) {
+ // Compatibility set up. If crypto.policy is not defined.
+ // check to see if legacy jars exist in lib directory. If
+ // they don't exist, we default to limited policy mode.
+ cpPath = Paths.get(
+ javaHomeProperty, "lib", "security", "policy", "limited");
+ // point to the new jar files in limited directory
+ exportJar = new File(cpPath.toFile(),"US_export_policy.jar");
+ importJar = new File(cpPath.toFile(),"local_policy.jar");
+ }
- File exportJar = new File(pathToPolicyJar, "US_export_policy.jar");
- File importJar = new File(pathToPolicyJar, "local_policy.jar");
URL jceCipherURL = ClassLoader.getSystemResource
("javax/crypto/Cipher.class");
if ((jceCipherURL == null) ||
!exportJar.exists() || !importJar.exists()) {
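Review bot: The sanity check on `crypto.policy` in setupJurisdictionPolicies() does not reject the pseudo-directories its own comment lists: for the values `.` and `..`, `getNameCount()` is 1 and the path compares equal to its own `getFileName()`, so both pass. With `..` the resolved directory becomes `<java.home>/lib/security/policy/..`, which is the legacy `lib/security` directory, so the property can select policy jars from outside `policy/`. Because this property decides which jurisdiction policy files are loaded, I would reject those names explicitly, for example by adding `|| cryptoPolicyProperty.equals(".") || cryptoPolicyProperty.equals("..")` to the condition, or by normalizing the resolved path and requiring that its parent is the `policy` directory. The method body continues past the end of this hunk, so how a missing jar is handled when the property is set is not visible here.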