changeset 2537:4005e0143bc8

PR1291: Ensure unlimited crypto policy is in place. 2013-06-05 Andrew John Hughes <gnu.andrew@member.fsf.org> PR1291: Ensure unlimited crypto policy is in place. * Makefile.am: (CRYPTO_CHECK_BUILD_DIR): New variable. (CRYPTO_CHECK_SRCS): Likewise. (EXTRA_DIST): Add CRYPTO_CHECK_SRCS. (.PHONY): Add new clean targets. (check-crypto): Run the crypto checker on a normal stage 2 build. (clean-check-crypto): Delete the check-crypto stamp. (check-crypto-debug): Run the crypto checker on a debug stage 2 build. (clean-check-crypto-debug): Delete the check-crypto-debug stamp. (icedtea-stage2): Depend on check-crypto. (clean-icedtea-stage2): Depend on clean-check-crypto. (icedtea-debug-stage2): Depend on check-crypto-debug. (clean-icedtea-debug-stage2): Depend on clean-check-crypto-debug. (check-crypto-boot): Run the crypto checker on the stage 1 build. (clean-check-crypto-boot): Delete the check-crypto-boot stamp. (icedtea-stage1): Depend on check-crypto-boot. (clean-icedtea-stage1): Depend on clean-check-crypto-boot. (cryptocheck): Build the crypto checker. (clean-cryptocheck): Revert cryptocheck. * NEWS: Updated. * TestCryptoLevel.java: Checks whether the unlimited crypto policy is in place or not.
author Andrew John Hughes <gnu_andrew@member.fsf.org>
date Wed, 04 Mar 2015 16:20:09 +0000
parents ad09cd636ff8
children 0b1bc8378f34
files ChangeLog Makefile.am NEWS TestCryptoLevel.java
diffstat 4 files changed, 178 insertions(+), 7 deletions(-) [+]
--- a/ChangeLog	Wed Mar 04 15:09:23 2015 +0000
+++ b/ChangeLog	Wed Mar 04 16:20:09 2015 +0000
@@ -1,3 +1,37 @@
+2013-06-05  Andrew John Hughes  <gnu.andrew@member.fsf.org>
+
+	PR1291: Ensure unlimited crypto policy is in place.
+	* Makefile.am:
+	(CRYPTO_CHECK_BUILD_DIR): New variable.
+	(CRYPTO_CHECK_SRCS): Likewise.
+	(EXTRA_DIST): Add CRYPTO_CHECK_SRCS.
+	(.PHONY): Add new clean targets.
+	(check-crypto): Run the crypto checker on a normal
+	stage 2 build.
+	(clean-check-crypto): Delete the check-crypto stamp.
+	(check-crypto-debug): Run the crypto checker on a
+	debug stage 2 build.
+	(clean-check-crypto-debug): Delete the
+	check-crypto-debug stamp.
+	(icedtea-stage2): Depend on check-crypto.
+	(clean-icedtea-stage2): Depend on clean-check-crypto.
+	(icedtea-debug-stage2): Depend on check-crypto-debug.
+	(clean-icedtea-debug-stage2): Depend on
+	clean-check-crypto-debug.
+	(check-crypto-boot): Run the crypto checker on
+	the stage 1 build.
+	(clean-check-crypto-boot): Delete the
+	check-crypto-boot stamp.
+	(icedtea-stage1): Depend on check-crypto-boot.
+	(clean-icedtea-stage1): Depend on
+	clean-check-crypto-boot.
+	(cryptocheck): Build the crypto checker.
+	(clean-cryptocheck): Revert cryptocheck.
+	* NEWS: Updated.
+	* TestCryptoLevel.java:
+	Checks whether the unlimited crypto policy is in
+	place or not.
+
 2012-05-30  Andrew John Hughes  <ahughes@redhat.com>
 
 	* Makefile.am:
--- a/Makefile.am	Wed Mar 04 15:09:23 2015 +0000
+++ b/Makefile.am	Wed Mar 04 16:20:09 2015 +0000
@@ -63,6 +63,7 @@
 STAGE1_BOOT_DIR = $(abs_top_builddir)/bootstrap/boot
 STAGE2_BOOT_DIR = $(abs_top_builddir)/bootstrap/icedtea
 JAMVM_IMPORT_PATH = $(abs_top_builddir)/jamvm/install/hotspot
+CRYPTO_CHECK_BUILD_DIR = $(abs_top_builddir)/cryptocheck.build
 
 # Source directories
 
@@ -209,6 +210,7 @@
 # Sources list
 
 REWRITER_SRCS = $(top_srcdir)/rewriter/com/redhat/rewriter/ClassRewriter.java
+CRYPTO_CHECK_SRCS = $(top_srcdir)/TestCryptoLevel.java
 
 # Patch list
 
@@ -488,7 +490,8 @@
 	scripts/jni_desc \
 	rewriter/agpl-3.0.txt \
 	$(REWRITER_SRCS) \
-	THANKYOU test/tapset
+	THANKYOU test/tapset \
+	$(CRYPTO_CHECK_SRCS)
 
 # Top-Level Targets
 # =================
@@ -541,6 +544,7 @@
 	clean-jamvm clean-extract-jamvm clean-add-jamvm clean-add-jamvm-debug \
 	clean-extract-hotspot clean-sanitise-openjdk clean-icedtea-debug \
 	clean-download-nashorn clean-extract-nashorn clean-download-hotspot \
+	clean-check-crypto clean-check-crypto-debug clean-check-crypto-boot \
 	clean-add-archive clean-add-archive-debug clean-add-archive-boot \
 	clean-tests clean-tapset-report
 
@@ -1591,6 +1595,16 @@
 	rm -f stamps/icedtea-debug-configure.stamp
 	rm -f stamps/icedtea-debug.stamp
 
+stamps/check-crypto.stamp: stamps/cryptocheck.stamp
+	if [ -e $(BUILD_IMAGE_DIR)/j2sdk-image/bin/java ] ; then \
+	  $(BUILD_IMAGE_DIR)/j2sdk-image/bin/java -cp $(CRYPTO_CHECK_BUILD_DIR) TestCryptoLevel ; \
+	fi
+	mkdir -p stamps
+	touch $@
+
+clean-check-crypto:
+	rm -f stamps/check-crypto.stamp
+
 stamps/add-archive.stamp: stamps/icedtea.stamp
 if !ENABLE_JAMVM
 if !ENABLE_CACAO
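Review bot: The `stamps/check-crypto.stamp` rule can record a pass without running the checker, because its only prerequisite is `stamps/cryptocheck.stamp` and the `if [ -e $(BUILD_IMAGE_DIR)/j2sdk-image/bin/java ]` guard skips the test when the image is absent while the recipe still runs `touch $@`. Invoking the `check-crypto` alias on its own, or any build order in which this rule runs before the image exists, would leave a stamp that suppresses the check on later runs. Declaring the image as a prerequisite, as the `stamps/add-archive.stamp` rule in the trailing context does, closes most of the gap: `stamps/check-crypto.stamp: stamps/cryptocheck.stamp stamps/icedtea.stamp`. A missing `java` binary should then fail the recipe rather than skip it; if the guard is deliberate for configurations that produce no image, a comment should say so. The `stamps/check-crypto-debug.stamp` and `stamps/check-crypto-boot.stamp` hunks have the same pattern, presumably needing `stamps/icedtea-debug.stamp` and `stamps/icedtea-boot.stamp` as the corresponding prerequisites.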
@@ -1607,6 +1621,16 @@
 	rm -vf $(BUILD_IMAGE_DIR)/j2sdk-image/jre/lib/$(INSTALL_ARCH_DIR)/*/*.jsa
 	rm -f stamps/add-archive.stamp
 
+stamps/check-crypto-debug.stamp: stamps/cryptocheck.stamp
+	if [ -e $(BUILD_DEBUG_IMAGE_DIR)/j2sdk-image/bin/java ] ; then \
+	  $(BUILD_DEBUG_IMAGE_DIR)/j2sdk-image/bin/java -cp $(CRYPTO_CHECK_BUILD_DIR) TestCryptoLevel ; \
+	fi
+	mkdir -p stamps
+	touch $@
+
+clean-check-crypto-debug:
+	rm -f stamps/check-crypto-debug.stamp
+
 stamps/add-archive-debug.stamp: stamps/icedtea-debug.stamp
 if !ENABLE_JAMVM
 if !ENABLE_CACAO
@@ -1624,20 +1648,22 @@
 	rm -f stamps/add-archive-debug.stamp
 
 stamps/icedtea-stage2.stamp: stamps/icedtea.stamp stamps/add-cacao.stamp \
- stamps/add-zero.stamp stamps/add-jamvm.stamp stamps/add-archive.stamp
+ stamps/add-zero.stamp stamps/add-jamvm.stamp stamps/check-crypto.stamp \
+ stamps/add-archive.stamp
 	mkdir -p stamps
 	touch $@
 
-clean-icedtea-stage2: clean-add-jamvm clean-add-archive
+clean-icedtea-stage2: clean-add-jamvm clean-check-crypto clean-add-archive
 	rm -f stamps/icedtea-stage2.stamp
 
 stamps/icedtea-debug-stage2.stamp: stamps/icedtea-debug.stamp \
  stamps/add-cacao-debug.stamp stamps/add-zero-debug.stamp stamps/add-jamvm-debug.stamp \
- stamps/add-archive-debug.stamp
+ stamps/check-crypto-debug.stamp stamps/add-archive-debug.stamp
 	mkdir -p stamps
 	touch $@
 
-clean-icedtea-debug-stage2: clean-add-jamvm-debug clean-add-archive-debug
+clean-icedtea-debug-stage2: clean-add-jamvm-debug clean-check-crypto-debug \
+ clean-add-archive-debug
 	rm -f stamps/icedtea-debug-stage2.stamp
 
 # OpenJDK boot Targets
@@ -1703,6 +1729,16 @@
 	rm -f stamps/icedtea-boot-configure.stamp
 	rm -f stamps/icedtea-boot.stamp
 
+stamps/check-crypto-boot.stamp: stamps/cryptocheck.stamp
+	if [ -e $(BUILD_BOOT_IMAGE_DIR)/j2sdk-image/bin/java ] ; then \
+	  $(BUILD_BOOT_IMAGE_DIR)/j2sdk-image/bin/java -cp $(CRYPTO_CHECK_BUILD_DIR) TestCryptoLevel ; \
+	fi
+	mkdir -p stamps
+	touch $@
+
+clean-check-crypto-boot:
+	rm -f stamps/check-crypto-boot.stamp
+
 stamps/add-archive-boot.stamp: stamps/icedtea-boot.stamp
 if !ENABLE_JAMVM
 if !ENABLE_CACAO
@@ -1719,11 +1755,12 @@
 	rm -vf $(BUILD_BOOT_IMAGE_DIR)/j2sdk-image/jre/lib/$(INSTALL_ARCH_DIR)/*/*.jsa
 	rm -f stamps/add-archive-boot.stamp
 
-stamps/icedtea-stage1.stamp: stamps/icedtea-boot.stamp stamps/add-archive-boot.stamp
+stamps/icedtea-stage1.stamp: stamps/icedtea-boot.stamp stamps/check-crypto-boot.stamp \
+ stamps/add-archive-boot.stamp
 	mkdir -p stamps
 	touch $@
 
-clean-icedtea-stage1: clean-add-archive-boot
+clean-icedtea-stage1: clean-check-crypto-boot clean-add-archive-boot
 	rm -f stamps/icedtea-stage1.stamp
 
 # PulseAudio based mixer
@@ -2254,6 +2291,19 @@
 	  cp $(SYSTEM_JDK_DIR)/jre/lib/rt.jar $(STAGE1_BOOT_DIR)/jre/lib ; \
 	fi
 
+# Crypto Level Check
+
+stamps/cryptocheck.stamp: $(INITIAL_BOOTSTRAP_LINK_STAMP)
+	mkdir -p $(CRYPTO_CHECK_BUILD_DIR)
+	$(BOOT_DIR)/bin/javac $(IT_JAVACFLAGS) \
+	  -d $(CRYPTO_CHECK_BUILD_DIR) $(CRYPTO_CHECK_SRCS)
+	mkdir -p stamps
+	touch $@
+
+clean-cryptocheck:
+	rm -rf $(CRYPTO_CHECK_BUILD_DIR)
+	rm -f stamps/cryptocheck.stamp
+
 # Target Aliases
 # ===============
 
@@ -2277,8 +2327,16 @@
 
 cacao: stamps/cacao.stamp
 
+check-crypto: stamps/check-crypto.stamp
+
+check-crypto-boot: stamps/check-crypto-boot.stamp
+
+check-crypto-debug: stamps/check-crypto-debug.stamp
+
 clone-boot: stamps/clone-boot.stamp
 
+cryptocheck: stamps/cryptocheck.stamp
+
 download: stamps/download.stamp
 
 download-cacao: stamps/download-cacao.stamp
--- a/NEWS	Wed Mar 04 15:09:23 2015 +0000
+++ b/NEWS	Wed Mar 04 16:20:09 2015 +0000
@@ -27,6 +27,7 @@
   - PR1275: Provide option to turn off downloading of tarballs
   - PR1279: Synchronise CACAO versions between IcedTea6/7/8 where possible
   - PR1281, RH513605: Updating/Installing OpenJDK should recreate the shared class-data archive
+  - PR1291: Ensure unlimited crypto policy is in place.
   - PR1325: Only add classes to rt-source-files.txt if actually needed
   - PR1346: Filter out -j option to make
   - PR1347: Update list of checked JDKs
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/TestCryptoLevel.java	Wed Mar 04 16:20:09 2015 +0000
@@ -0,0 +1,78 @@
+/* TestCryptoLevel -- Ensure unlimited crypto policy is in use.
+   Copyright (C) 2012 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.Permission;
+import java.security.PermissionCollection;
+
+public class TestCryptoLevel
+{
+  public static void main(String[] args)
+    throws NoSuchFieldException, ClassNotFoundException,
+           IllegalAccessException, InvocationTargetException
+  {
+    Class<?> cls = null;
+    Method def = null, exempt = null;
+
+    try
+      {
+        cls = Class.forName("javax.crypto.JceSecurity");
+      }
+    catch (ClassNotFoundException ex)
+      {
+        System.err.println("Running a non-Sun JDK.");
+        System.exit(0);
+      }
+    catch (ExceptionInInitializerError err)
+      {
+        System.err.println("Failed to initialise JceSecurity: "
+                           + err.getCause().getCause().getMessage());
+        System.exit(-2);
+      }
+    try
+      {
+        def = cls.getDeclaredMethod("getDefaultPolicy");
+        exempt = cls.getDeclaredMethod("getExemptPolicy");
+      }
+    catch (NoSuchMethodException ex)
+      {
+        System.err.println("Running IcedTea with the original crypto patch.");
+        System.exit(0);
+      }
+    def.setAccessible(true);
+    exempt.setAccessible(true);
+    PermissionCollection defPerms = (PermissionCollection) def.invoke(null);
+    PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null);
+    Class<?> apCls = Class.forName("javax.crypto.CryptoAllPermission");
+    Field apField = apCls.getDeclaredField("INSTANCE");
+    apField.setAccessible(true);
+    Permission allPerms = (Permission) apField.get(null);
+    if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms)))
+      {
+        System.err.println("Running with the unlimited policy.");
+        System.exit(0);
+      }
+    else
+      {
+        System.err.println("WARNING: Running with a restricted crypto policy.");
+        System.exit(-1);
+      }
+  }
+}
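Review bot: Both early `System.exit(0)` paths let the check pass without examining any policy: a missing `javax.crypto.JceSecurity` class or a missing `getDefaultPolicy`/`getExemptPolicy` method is reported as a different JDK flavour and exits successfully, so a rename of these private internals would turn the build gate into a silent no-op. A cross-check through the public API does not depend on reflection into private members, e.g. `if (javax.crypto.Cipher.getMaxAllowedKeyLength("AES") < Integer.MAX_VALUE) System.exit(-1);` ahead of the reflective probing (the call declares `NoSuchAlgorithmException`, which `main` would need to declare or handle). Separately, `err.getCause().getCause().getMessage()` in the `ExceptionInInitializerError` handler throws a `NullPointerException` when the cause chain is shorter than two levels, which replaces the intended diagnostic and the `-2` exit status; printing `err.getCause()` directly avoids that. The class also has no comment explaining the exit-status contract (0 pass or not applicable, -1 restricted policy, -2 initialisation failure) that the Makefile recipes rely on.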