Skip to content

Commit

Permalink
8264277: java.xml.crypto module should be granted FilePermission and …
Browse files Browse the repository at this point in the history 
…SocketPermission

Reviewed-by: mullan
  • Loading branch information
@wangweij
wangweij committed Apr 19, 2021
1 parent 5303ccb commit 8bec6fe
Show file tree
Hide file tree
Showing 2 changed files with 140 additions and 0 deletions.
2 changes: 2 additions & 0 deletions src/java.base/share/lib/security/default.policy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,8 @@ grant codeBase "jrt:/java.xml.crypto" {
"accessClassInPackage.com.sun.org.apache.xpath.internal";
permission java.lang.RuntimePermission
"accessClassInPackage.com.sun.org.apache.xpath.internal.*";
permission java.io.FilePermission "<<ALL FILES>>","read";
permission java.net.SocketPermission "*", "connect,resolve";
};


Expand Down
138 changes: 138 additions & 0 deletions test/jdk/javax/xml/crypto/dsig/FileSocketPermissions.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,138 @@
/*
* Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

/**
* @test
* @bug 8264277
* @library /test/lib
* @modules jdk.httpserver
* java.base/jdk.internal.misc
* @requires os.family != "windows"
* @summary check permissions for XML signature
*/

import com.sun.net.httpserver.HttpServer;
import jdk.test.lib.Asserts;
import jdk.test.lib.process.Proc;
import jdk.test.lib.security.XMLUtils;

import java.io.File;
import java.io.FilePermission;
import java.net.InetSocketAddress;
import java.net.SocketPermission;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.KeyPairGenerator;

// Note: This test does not run fine on Windows because the format by
// Path.toUri.toString (file:///c:/path/to/file) is not supported by
// ResolverLocalFilesystem.translateUriToFilename.
public class FileSocketPermissions {
public static void main(String[] args) throws Exception {
if (args.length == 0) {
Path plain = Files.writeString(
Path.of(System.getProperty("user.dir"), "a.xml"), "<a>x</a>");
HttpServer server = HttpServer.create(new InetSocketAddress(0), 0);
server.createContext("/", ex -> {
ex.sendResponseHeaders(200, 0);
ex.getResponseBody().write("<a>x</a>".getBytes(StandardCharsets.UTF_8));
ex.close();
});
server.start();
try {
String httpDoc = "http://localhost:" + server.getAddress().getPort() + "/b.xml";
System.out.println(httpDoc);

// No permission granted.
Proc p0 = Proc.create("FileSocketPermissions")
.prop("java.security.manager", "")
.debug("S")
.args("sign", plain.toUri().toString(), httpDoc)
.start();
Asserts.assertEQ(p0.readData(), "Error");
Asserts.assertEQ(p0.readData(), "Error");

// Permission to file and socket granted.
Proc p = Proc.create("FileSocketPermissions")
.prop("java.security.manager", "")
.grant(new File(System.getProperty("test.classes")))
.perm(new FilePermission(plain.toString(), "read"))
.perm(new SocketPermission("localhost", "resolve,connect"))
.debug("S2")
.args("sign", plain.toUri().toString(), httpDoc)
.start();

Proc p2 = Proc.create("FileSocketPermissions")
.prop("java.security.manager", "")
.grant(new File(System.getProperty("test.classes")))
.perm(new FilePermission(plain.toString(), "read"))
.perm(new SocketPermission("localhost", "resolve,connect"))
.debug("V")
.args("validate")
.start();

while (true) {
String in = p.readData(); // read signed XML from signer
p2.println(in); // send signed XML to validator
if (in.equals("Over")) {
break;
}
if (!p2.readData().equals("true")) { // read validator result
throw new Exception("Validation error");
}
}
} finally {
server.stop(0);
}
} else if (args[0].equals("sign")) {
KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
KeyPair p = g.generateKeyPair();
var signer = XMLUtils.signer(p.getPrivate(), p.getPublic());
for (int i = 1; i < args.length; i++) {
try {
// Multiple line XML. Send as raw bytes (in Base64)
Proc.binOut(XMLUtils.doc2string(signer.sign(new URI(args[i])))
.getBytes(StandardCharsets.UTF_8));
} catch (Exception se) {
se.printStackTrace();
Proc.textOut("Error");
}
}
Proc.textOut("Over");
} else if (args[0].equals("validate")) {
// Turn secureValidation off. Will read external data
var validator = XMLUtils.validator().secureValidation(false);
while (true) {
String in = new String(Proc.binIn());
if (in.equals("Over")) {
Proc.textOut("Over");
break;
}
Proc.textOut(Boolean.toString(validator.validate(XMLUtils.string2doc(in))));
}
}
}
}

1 comment on commit 8bec6fe

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review

Issues

Please sign in to comment.