Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8322971: KEM.getInstance() should check if a 3rd-party security provider is signed #17253

Closed
wants to merge 1 commit into from

Conversation

wangweij
Copy link
Contributor

@wangweij wangweij commented Jan 3, 2024

KEM.getInstance now checks if the implementation is from a signed provider if it's not builtin to JDK.

Several adjustments to the test:

  1. Put one impl in SunEC to pretend it's builtin. This is necessary to test for provider selection.
  2. When there is no need to choose a provider, use reflection to create a KEM object that bypasses the getInstance call.

Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Change requires CSR request JDK-8322974 to be approved
  • Commit message must refer to an issue

Issues

  • JDK-8322971: KEM.getInstance() should check if a 3rd-party security provider is signed (Bug - P3)
  • JDK-8322974: KEM.getInstance() should check if a 3rd-party security provider is signed (CSR)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/17253/head:pull/17253
$ git checkout pull/17253

Update a local copy of the PR:
$ git checkout pull/17253
$ git pull https://git.openjdk.org/jdk.git pull/17253/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 17253

View PR using the GUI difftool:
$ git pr show -t 17253

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/17253.diff

Webrev

Link to Webrev Comment

@bridgekeeper
Copy link

bridgekeeper bot commented Jan 3, 2024

👋 Welcome back weijun! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added csr Pull request needs approved CSR before integration rfr Pull request is ready for review labels Jan 3, 2024
@openjdk
Copy link

openjdk bot commented Jan 3, 2024

@wangweij The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security security-dev@openjdk.org label Jan 3, 2024
@mlbridge
Copy link

mlbridge bot commented Jan 3, 2024

Webrevs

throw new NoSuchAlgorithmException(algorithm + " KEM not available");
List<Provider.Service> allowed = new ArrayList<>();
for (Provider.Service s : list) {
if (!JceSecurity.canUseProvider(s.getProvider())) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a test that verifies a provider won't be used if it's not signed?

Should there also be a test that verifies that a provider signed with an unknown key is rejected?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I'll think about it. That said, OpenJDK builds usually do not perform this check so such tests will not be added in this repository.

@@ -122,6 +123,14 @@ public static void main(String[] args) throws Exception {
}
}

// To bypass the JCE security provider signature check
private static KEM getKemImpl(Provider p) throws Exception {
var ctor = KEM.class.getDeclaredConstructor(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about creating it this way only if java.runtime.name system property does not contain "OpenJDK"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure if other OpenJDK vendors always include the "OpenJDK" name. Or, can call getInstance() and then fallback to this way if there is an exception?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True, although in that case the worse that would happen is that they use reflection instead of calling KEM.getInstance. Actually I am ok with this code now - as long as we have other tests that test KEM.getInstance.

Copy link

@valeriepeng valeriepeng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@openjdk
Copy link

openjdk bot commented Jan 11, 2024

@wangweij This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8322971: KEM.getInstance() should check if a 3rd-party security provider is signed

Reviewed-by: mullan, valeriep

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 169 new commits pushed to the master branch:

  • b530c02: 8317804: com/sun/jdi/JdwpAllowTest.java fails on Alpine 3.17 / 3.18
  • e70cb4e: 8322565: (zipfs) Files.setPosixPermissions should preserve 'external file attributes' bits
  • d89602a: 8322982: CTW fails to build after 8308753
  • 3bd9042: 8320788: The system properties page is missing some properties
  • 525063b: 8322878: Including sealing information Class.toGenericString()
  • c1282b5: 8323540: assert((!((((method)->is_trace_flag_set(((1 << 4) << 8))))))) failed: invariant
  • 5ba69e1: 8322477: order of subclasses in the permits clause can differ between compilations
  • c96cbe4: 8313083: Print 'rss' and 'cache' as part of the container information
  • a7db4fe: 8323428: Shenandoah: Unused memory in regions compacted during a full GC should be mangled
  • b86c3b7: 8309218: java/util/concurrent/locks/Lock/OOMEInAQS.java still times out with ZGC, Generational ZGC, and SerialGC
  • ... and 159 more: https://git.openjdk.org/jdk/compare/424c58f3e94927b68329510e38bf5621f6f6e1a1...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added ready Pull request is ready to be integrated and removed csr Pull request needs approved CSR before integration labels Jan 11, 2024
@wangweij
Copy link
Contributor Author

/integrate

@openjdk
Copy link

openjdk bot commented Jan 11, 2024

Going to push as commit 9fd855e.
Since your change was applied there have been 177 commits pushed to the master branch:

  • b8ae4a8: 8320890: [AIX] Find a better way to mimic dl handle equality
  • e5aed6b: 8323276: StressDirListings.java fails on AIX
  • b922f8d: 8319793: C2 compilation fails with "Bad graph detected in build_loop_late" after JDK-8279888
  • 35e9662: 8314515: java/util/concurrent/SynchronousQueue/Fairness.java failed with "Error: fair=false i=8 j=0"
  • cb1d25f: 8323330: [BACKOUT] JDK-8276809: java/awt/font/JNICheck/FreeTypeScalerJNICheck.java shows JNI warning on Windows
  • 2b7fc05: 8264102: JTable Keyboards Navigation differs with Test Instructions.
  • af942a6: 8323188: JFR: Needless RESOURCE_ARRAY when sending EventOSInformation
  • 26de9e2: 8321616: Retire binary test vectors in test/jdk/java/util/zip/ZipFile
  • b530c02: 8317804: com/sun/jdi/JdwpAllowTest.java fails on Alpine 3.17 / 3.18
  • e70cb4e: 8322565: (zipfs) Files.setPosixPermissions should preserve 'external file attributes' bits
  • ... and 167 more: https://git.openjdk.org/jdk/compare/424c58f3e94927b68329510e38bf5621f6f6e1a1...master

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label Jan 11, 2024
@openjdk openjdk bot closed this Jan 11, 2024
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Jan 11, 2024
@openjdk
Copy link

openjdk bot commented Jan 11, 2024

@wangweij Pushed as commit 9fd855e.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

@wangweij wangweij deleted the 8322971 branch January 13, 2024 03:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
integrated Pull request has been integrated security security-dev@openjdk.org
4 participants