Skip to content
Permalink
Browse files
8267543: Post JEP 411 refactoring: security
Reviewed-by: mullan
  • Loading branch information
wangweij committed Jun 2, 2021
1 parent 4767758 commit 40d23a0c0b955ae4636800be183da7a71665f79f
Showing 19 changed files with 80 additions and 79 deletions.
@@ -683,7 +683,6 @@ public void engineStore(OutputStream stream, char[] password)
* @exception CertificateException if any of the certificates in the
* keystore could not be loaded
*/
@SuppressWarnings("removal")
public void engineLoad(InputStream stream, char[] password)
throws IOException, NoSuchAlgorithmException, CertificateException
{
@@ -838,7 +837,8 @@ public void engineLoad(InputStream stream, char[] password)
ois = new ObjectInputStream(dis);
final ObjectInputStream ois2 = ois;
// Set a deserialization checker
AccessController.doPrivileged(
@SuppressWarnings("removal")
var dummy = AccessController.doPrivileged(
(PrivilegedAction<Void>)() -> {
ois2.setObjectInputFilter(
new DeserializationChecker(fullLength));
@@ -987,10 +987,9 @@ public static KeyStore getInstance(String type, Provider provider)
* if no such property exists.
* @see java.security.Security security properties
*/
@SuppressWarnings("removal")
public static final String getDefaultType() {
String kstype;
kstype = AccessController.doPrivileged(new PrivilegedAction<>() {
@SuppressWarnings("removal")
String kstype = AccessController.doPrivileged(new PrivilegedAction<>() {
public String run() {
return Security.getProperty(KEYSTORE_TYPE);
}
@@ -1957,7 +1956,6 @@ public ProtectionParameter getProtectionParameter(String alias)
* of either PasswordProtection or CallbackHandlerProtection; or
* if file does not exist or does not refer to a normal file
*/
@SuppressWarnings("removal")
public static Builder newInstance(String type, Provider provider,
File file, ProtectionParameter protection) {
if ((type == null) || (file == null) || (protection == null)) {
@@ -1974,8 +1972,9 @@ public static Builder newInstance(String type, Provider provider,
("File does not exist or it does not refer " +
"to a normal file: " + file);
}
return new FileBuilder(type, provider, file, protection,
AccessController.getContext());
@SuppressWarnings("removal")
var acc = AccessController.getContext();
return new FileBuilder(type, provider, file, protection, acc);
}

/**
@@ -51,7 +51,6 @@
* @since 1.1
*/

@SuppressWarnings("removal")
public final class Security {

/* Are we debugging? -- for developers */
@@ -72,7 +71,8 @@ private static class ProviderProperty {
// things in initialize that might require privs.
// (the FileInputStream call and the File.exists call,
// the securityPropFile call, etc)
AccessController.doPrivileged(new PrivilegedAction<>() {
@SuppressWarnings("removal")
var dummy = AccessController.doPrivileged(new PrivilegedAction<>() {
public Void run() {
initialize();
return null;
@@ -761,6 +761,7 @@ static Object[] getImpl(String algorithm, String type, Provider provider,
* @see java.security.SecurityPermission
*/
public static String getProperty(String key) {
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SecurityPermission("getProperty."+
@@ -828,13 +829,15 @@ private static void invalidateSMCache(String key) {
}

private static void check(String directive) {
@SuppressWarnings("removal")
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkSecurityAccess(directive);
}
}

private static void checkInsertProvider(String name) {
@SuppressWarnings("removal")
SecurityManager security = System.getSecurityManager();
if (security != null) {
try {
@@ -83,7 +83,6 @@ final class ProviderVerifier {
* In OpenJDK, we just need to examine the "cryptoperms" file to see
* if any permissions were bundled together with this jar file.
*/
@SuppressWarnings("removal")
void verify() throws IOException {

// Short-circuit. If we weren't asked to save any, we're done.
@@ -102,7 +101,8 @@ void verify() throws IOException {

// Get a link to the Jarfile to search.
try {
jf = AccessController.doPrivileged(
@SuppressWarnings("removal")
var tmp = AccessController.doPrivileged(
new PrivilegedExceptionAction<JarFile>() {
public JarFile run() throws Exception {
JarURLConnection conn =
@@ -113,6 +113,7 @@ public JarFile run() throws Exception {
return conn.getJarFile();
}
});
jf = tmp;
} catch (java.security.PrivilegedActionException pae) {
throw new SecurityException("Cannot load " + url.toString(),
pae.getCause());
@@ -160,7 +160,7 @@ public String toString() {
/**
* Get the provider object. Loads the provider if it is not already loaded.
*/
@SuppressWarnings({"removal","deprecation"})
@SuppressWarnings("deprecation")
Provider getProvider() {
// volatile variable load
Provider p = provider;
@@ -188,7 +188,8 @@ Provider getProvider() {
p = new sun.security.ssl.SunJSSE();
} else if (provName.equals("Apple") || provName.equals("apple.security.AppleProvider")) {
// need to use reflection since this class only exists on MacOsx
p = AccessController.doPrivileged(new PrivilegedAction<Provider>() {
@SuppressWarnings("removal")
var tmp = AccessController.doPrivileged(new PrivilegedAction<Provider>() {
public Provider run() {
try {
Class<?> c = Class.forName("apple.security.AppleProvider");
@@ -208,6 +209,7 @@ public Provider run() {
}
}
});
p = tmp;
} else {
if (isLoading) {
// because this method is synchronized, this can only
@@ -43,7 +43,6 @@
*
* @author Andreas Sterbenz
*/
@SuppressWarnings("removal")
public final class MD4 extends DigestBase {

// state of this object
@@ -71,7 +70,8 @@ public final class MD4 extends DigestBase {
@java.io.Serial
private static final long serialVersionUID = -8850464997518327965L;
};
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@SuppressWarnings("removal")
var dummy = AccessController.doPrivileged(new PrivilegedAction<Void>() {
public Void run() {
md4Provider.put("MessageDigest.MD4", "sun.security.provider.MD4");
return null;
@@ -81,7 +81,6 @@
* - JavaLoginConfig is the default file-based LoginModule Configuration type.
*/

@SuppressWarnings("removal")
public final class SunEntries {

// the default algo used by SecureRandom class for new SecureRandom() calls
@@ -325,10 +324,8 @@ private void addWithAlias(Provider p, String type, String algo, String cn,
static final String URL_DEV_RANDOM = "file:/dev/random";
static final String URL_DEV_URANDOM = "file:/dev/urandom";

private static final String seedSource;

static {
seedSource = AccessController.doPrivileged(
@SuppressWarnings("removal")
private static final String seedSource = AccessController.doPrivileged(
new PrivilegedAction<String>() {

@Override
@@ -345,6 +342,7 @@ public String run() {
}
});

static {
DEF_SECURE_RANDOM_ALGO = (NativePRNG.isAvailable() &&
(seedSource.equals(URL_DEV_URANDOM) ||
seedSource.equals(URL_DEV_RANDOM)) ?
@@ -1195,7 +1195,6 @@ private static class DelegatedTask implements Runnable {
this.engine = engineInstance;
}

@SuppressWarnings("removal")
@Override
public void run() {
engine.engineLock.lock();
@@ -1206,7 +1205,8 @@ public void run() {
}

try {
AccessController.doPrivileged(
@SuppressWarnings("removal")
var dummy = AccessController.doPrivileged(
new DelegatedAction(hc), engine.conContext.acc);
} catch (PrivilegedActionException pae) {
// Get the handshake context again in case the
@@ -43,7 +43,6 @@
* The purpose of this class is to determine the trust anchor certificates is in
* the cacerts file. This is used for PKIX CertPath checking.
*/
@SuppressWarnings("removal")
public class AnchorCertificates {

private static final Debug debug = Debug.getInstance("certpath");
@@ -52,7 +51,8 @@ public class AnchorCertificates {
private static Set<X500Principal> certIssuers = Collections.emptySet();

static {
AccessController.doPrivileged(new PrivilegedAction<>() {
@SuppressWarnings("removal")
var dummy = AccessController.doPrivileged(new PrivilegedAction<>() {
@Override
public Void run() {
File f = new File(FilePaths.cacerts());
@@ -55,17 +55,17 @@ public class KeyStoreDelegator extends KeyStoreSpi {
private KeyStoreSpi keystore; // the delegate
private boolean compatModeEnabled = true;

@SuppressWarnings("removal")
public KeyStoreDelegator(
String primaryType,
Class<? extends KeyStoreSpi> primaryKeyStore,
String secondaryType,
Class<? extends KeyStoreSpi> secondaryKeyStore) {

// Check whether compatibility mode has been disabled
compatModeEnabled = "true".equalsIgnoreCase(
AccessController.doPrivileged((PrivilegedAction<String>) () ->
Security.getProperty(KEYSTORE_TYPE_COMPAT)));
@SuppressWarnings("removal")
var prop = AccessController.doPrivileged((PrivilegedAction<String>) () ->
Security.getProperty(KEYSTORE_TYPE_COMPAT));
compatModeEnabled = "true".equalsIgnoreCase(prop);

if (compatModeEnabled) {
this.primaryType = primaryType;
@@ -42,7 +42,6 @@
* <b>Attention</b>: This check is NOT meant to replace the standard PKI-defined
* validation check, neither is it used as an alternative to CRL.
*/
@SuppressWarnings("removal")
public final class UntrustedCertificates {

private static final Debug debug = Debug.getInstance("certpath");
@@ -52,7 +51,8 @@ public final class UntrustedCertificates {
private static final String algorithm;

static {
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@SuppressWarnings("removal")
var dummy = AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
File f = new File(StaticProperty.javaHome(),
@@ -85,7 +85,6 @@ public final class JMXPluggableAuthenticator implements JMXAuthenticator {
* @exception SecurityException if the authentication mechanism cannot be
* initialized.
*/
@SuppressWarnings("removal")
public JMXPluggableAuthenticator(Map<?, ?> env) {

String loginConfigName = null;
@@ -107,6 +106,7 @@ public JMXPluggableAuthenticator(Map<?, ?> env) {

} else {
// use the default JAAS login configuration (file-based)
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(
@@ -117,7 +117,8 @@ public JMXPluggableAuthenticator(Map<?, ?> env) {
final String pf = passwordFile;
final String hashPass = hashPasswords;
try {
loginContext = AccessController.doPrivileged(
@SuppressWarnings("removal")
var tmp = AccessController.doPrivileged(
new PrivilegedExceptionAction<LoginContext>() {
public LoginContext run() throws LoginException {
return new LoginContext(
@@ -127,6 +128,7 @@ public LoginContext run() throws LoginException {
new FileLoginConfig(pf, hashPass));
}
});
loginContext = tmp;
} catch (PrivilegedActionException pae) {
throw (LoginException) pae.getException();
}
@@ -156,7 +158,6 @@ public LoginContext run() throws LoginException {
* @exception SecurityException if the server cannot authenticate the user
* with the provided credentials.
*/
@SuppressWarnings("removal")
public Subject authenticate(Object credentials) {
// Verify that credentials is of type String[].
//
@@ -193,7 +194,8 @@ public Subject authenticate(Object credentials) {
try {
loginContext.login();
final Subject subject = loginContext.getSubject();
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@SuppressWarnings("removal")
var dummy = AccessController.doPrivileged(new PrivilegedAction<Void>() {
public Void run() {
subject.setReadOnly();
return null;
@@ -592,7 +592,6 @@ public final boolean isProtReady() {
* to send the token to its peer for processing.
* @exception GSSException
*/
@SuppressWarnings("removal")
public final byte[] initSecContext(InputStream is, int mechTokenSize)
throws GSSException {

@@ -642,14 +641,16 @@ public final byte[] initSecContext(InputStream is, int mechTokenSize)
* for this service in the Subject and reuse it
*/

@SuppressWarnings("removal")
final AccessControlContext acc =
AccessController.getContext();

if (GSSUtil.useSubjectCredsOnly(caller)) {
KerberosTicket kerbTicket = null;
try {
// get service ticket from caller's subject
kerbTicket = AccessController.doPrivileged(
@SuppressWarnings("removal")
var tmp = AccessController.doPrivileged(
new PrivilegedExceptionAction<KerberosTicket>() {
public KerberosTicket run() throws Exception {
// XXX to be cleaned
@@ -667,6 +668,7 @@ public KerberosTicket run() throws Exception {
peerName.getKrb5PrincipalName().getName(),
acc);
}});
kerbTicket = tmp;
} catch (PrivilegedActionException e) {
if (DEBUG) {
System.out.println("Attempt to obtain service"
@@ -706,6 +708,7 @@ public KerberosTicket run() throws Exception {
tgt);
}
if (GSSUtil.useSubjectCredsOnly(caller)) {
@SuppressWarnings("removal")
final Subject subject =
AccessController.doPrivileged(
new java.security.PrivilegedAction<Subject>() {
@@ -724,7 +727,8 @@ public Subject run() {
*/
final KerberosTicket kt =
Krb5Util.credsToTicket(serviceCreds);
AccessController.doPrivileged (
@SuppressWarnings("removal")
var dummy = AccessController.doPrivileged (
new java.security.PrivilegedAction<Void>() {
public Void run() {
subject.getPrivateCredentials().add(kt);

1 comment on commit 40d23a0

@openjdk-notifier
Copy link

@openjdk-notifier openjdk-notifier bot commented on 40d23a0 Jun 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.