-
Notifications
You must be signed in to change notification settings - Fork 114
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Java Restricted Security Mode #586
Conversation
1f66434
to
381be89
Compare
thanks @taoliult - please provide a summary paragraph as to the content of this commit |
fyi @mstoodle |
@alon-sh The summary paragraph added. |
@keithc-ca please review, updating FIPS code for both short and long term goals |
1ade2f0
to
955312b
Compare
@keithc-ca @alon-sh |
closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
Outdated
Show resolved
Hide resolved
closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
Outdated
Show resolved
Hide resolved
closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
Outdated
Show resolved
Hide resolved
closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
Outdated
Show resolved
Hide resolved
closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
Outdated
Show resolved
Hide resolved
src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
Outdated
Show resolved
Hide resolved
1a844e6
to
db8d413
Compare
@keithc-ca The codes updated according to the review suggestions. And I also replied those questions. Please help to review and advise. |
02e754f
to
50fe664
Compare
closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
Outdated
Show resolved
Hide resolved
closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
Outdated
Show resolved
Hide resolved
closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
Outdated
Show resolved
Hide resolved
closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
Outdated
Show resolved
Hide resolved
closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
Outdated
Show resolved
Hide resolved
closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
Outdated
Show resolved
Hide resolved
4a096c4
to
4e6ad2b
Compare
691714e
to
ed047d1
Compare
This PR on JDK11 is ready. It has all the code review updates from JDKNext PR ibmruntimes/openj9-openjdk-jdk#544 @jasonkatonica @WilburZjh FYI. |
I will consider this after equivalent changes have been merged into jdk20, jdk19 and jdk17 (in that order). |
I think we should skip jdk19, I don't plan to add the change to the 0.37 release branch, and the jdk19 head stream won't be used for another release. |
That works for me. |
@keithc-ca @pshipton @jasonkatonica @WilburZjh fyi. |
@keithc-ca |
Signed-off-by: Tao Liu <[email protected]>
@keithc-ca |
Jenkins test sanity zlinux jdk11 |
Signed-off-by: Tao Liu [email protected]
This PR is for adding the codes of Java Restricted Security Mode.
The Java Restricted Security Mode is used to restrict the providers and algorithms, by the properties configured in the java.security file.
The properties will be of the following format:
The new runtime command line arguments:
The options can be combined: e.g. -Dsemeru.restrictedsecurity=1,trace,audit
During the process of reading the java.security properties file, the JDK will detect if Restricted Security mode as selected and the selected policy. This detection will be done as a check in the JCA code to see if the flag "semeru.restrictedsecurity" was used, if it is used, the specific policy number will be extracted, the code will then check the properties file to see if such a policy number exist. If a valid policy is selected, two configuration steps will occur:
JSSE Configuration during start up. If a valid policy was selected, the properties in java.security file will be read and mapped during the start up.
Cryptography available. The existing providers will be removed and only the compliant providers (defined by “SecurityRestrict(n).jce.provider”) will be added. And also, a list of permitted services that each provider may provide. A provider without any additional constraints will have all its services enabled. A provider with the constraints will only register the allowed constraints. For example: