Mercurial > hg > release > icedtea8-3.0
changeset 2534:4005e0143bc8
PR1291: Ensure unlimited crypto policy is in place.
2013-06-05 Andrew John Hughes <gnu.andrew@member.fsf.org>
PR1291: Ensure unlimited crypto policy is in place.
* Makefile.am:
(CRYPTO_CHECK_BUILD_DIR): New variable.
(CRYPTO_CHECK_SRCS): Likewise.
(EXTRA_DIST): Add CRYPTO_CHECK_SRCS.
(.PHONY): Add new clean targets.
(check-crypto): Run the crypto checker on a normal
stage 2 build.
(clean-check-crypto): Delete the check-crypto stamp.
(check-crypto-debug): Run the crypto checker on a
debug stage 2 build.
(clean-check-crypto-debug): Delete the
check-crypto-debug stamp.
(icedtea-stage2): Depend on check-crypto.
(clean-icedtea-stage2): Depend on clean-check-crypto.
(icedtea-debug-stage2): Depend on check-crypto-debug.
(clean-icedtea-debug-stage2): Depend on
clean-check-crypto-debug.
(check-crypto-boot): Run the crypto checker on
the stage 1 build.
(clean-check-crypto-boot): Delete the
check-crypto-boot stamp.
(icedtea-stage1): Depend on check-crypto-boot.
(clean-icedtea-stage1): Depend on
clean-check-crypto-boot.
(cryptocheck): Build the crypto checker.
(clean-cryptocheck): Revert cryptocheck.
* NEWS: Updated.
* TestCryptoLevel.java:
Checks whether the unlimited crypto policy is in
place or not.
author | Andrew John Hughes <gnu_andrew@member.fsf.org> |
---|---|
date | Wed, 04 Mar 2015 16:20:09 +0000 |
parents | ad09cd636ff8 |
children | 0b1bc8378f34 |
files | ChangeLog Makefile.am NEWS TestCryptoLevel.java |
diffstat | 4 files changed, 178 insertions(+), 7 deletions(-) [+] |
line wrap: on
line diff
--- a/ChangeLog Wed Mar 04 15:09:23 2015 +0000 +++ b/ChangeLog Wed Mar 04 16:20:09 2015 +0000 @@ -1,3 +1,37 @@ +2013-06-05 Andrew John Hughes <gnu.andrew@member.fsf.org> + + PR1291: Ensure unlimited crypto policy is in place. + * Makefile.am: + (CRYPTO_CHECK_BUILD_DIR): New variable. + (CRYPTO_CHECK_SRCS): Likewise. + (EXTRA_DIST): Add CRYPTO_CHECK_SRCS. + (.PHONY): Add new clean targets. + (check-crypto): Run the crypto checker on a normal + stage 2 build. + (clean-check-crypto): Delete the check-crypto stamp. + (check-crypto-debug): Run the crypto checker on a + debug stage 2 build. + (clean-check-crypto-debug): Delete the + check-crypto-debug stamp. + (icedtea-stage2): Depend on check-crypto. + (clean-icedtea-stage2): Depend on clean-check-crypto. + (icedtea-debug-stage2): Depend on check-crypto-debug. + (clean-icedtea-debug-stage2): Depend on + clean-check-crypto-debug. + (check-crypto-boot): Run the crypto checker on + the stage 1 build. + (clean-check-crypto-boot): Delete the + check-crypto-boot stamp. + (icedtea-stage1): Depend on check-crypto-boot. + (clean-icedtea-stage1): Depend on + clean-check-crypto-boot. + (cryptocheck): Build the crypto checker. + (clean-cryptocheck): Revert cryptocheck. + * NEWS: Updated. + * TestCryptoLevel.java: + Checks whether the unlimited crypto policy is in + place or not. + 2012-05-30 Andrew John Hughes <ahughes@redhat.com> * Makefile.am:
--- a/Makefile.am Wed Mar 04 15:09:23 2015 +0000 +++ b/Makefile.am Wed Mar 04 16:20:09 2015 +0000 @@ -63,6 +63,7 @@ STAGE1_BOOT_DIR = $(abs_top_builddir)/bootstrap/boot STAGE2_BOOT_DIR = $(abs_top_builddir)/bootstrap/icedtea JAMVM_IMPORT_PATH = $(abs_top_builddir)/jamvm/install/hotspot +CRYPTO_CHECK_BUILD_DIR = $(abs_top_builddir)/cryptocheck.build # Source directories @@ -209,6 +210,7 @@ # Sources list REWRITER_SRCS = $(top_srcdir)/rewriter/com/redhat/rewriter/ClassRewriter.java +CRYPTO_CHECK_SRCS = $(top_srcdir)/TestCryptoLevel.java # Patch list @@ -488,7 +490,8 @@ scripts/jni_desc \ rewriter/agpl-3.0.txt \ $(REWRITER_SRCS) \ - THANKYOU test/tapset + THANKYOU test/tapset \ + $(CRYPTO_CHECK_SRCS) # Top-Level Targets # ================= @@ -541,6 +544,7 @@ clean-jamvm clean-extract-jamvm clean-add-jamvm clean-add-jamvm-debug \ clean-extract-hotspot clean-sanitise-openjdk clean-icedtea-debug \ clean-download-nashorn clean-extract-nashorn clean-download-hotspot \ + clean-check-crypto clean-check-crypto-debug clean-check-crypto-boot \ clean-add-archive clean-add-archive-debug clean-add-archive-boot \ clean-tests clean-tapset-report @@ -1591,6 +1595,16 @@ rm -f stamps/icedtea-debug-configure.stamp rm -f stamps/icedtea-debug.stamp +stamps/check-crypto.stamp: stamps/cryptocheck.stamp + if [ -e $(BUILD_IMAGE_DIR)/j2sdk-image/bin/java ] ; then \ + $(BUILD_IMAGE_DIR)/j2sdk-image/bin/java -cp $(CRYPTO_CHECK_BUILD_DIR) TestCryptoLevel ; \ + fi + mkdir -p stamps + touch $@ + +clean-check-crypto: + rm -f stamps/check-crypto.stamp + stamps/add-archive.stamp: stamps/icedtea.stamp if !ENABLE_JAMVM if !ENABLE_CACAO @@ -1607,6 +1621,16 @@ rm -vf $(BUILD_IMAGE_DIR)/j2sdk-image/jre/lib/$(INSTALL_ARCH_DIR)/*/*.jsa rm -f stamps/add-archive.stamp +stamps/check-crypto-debug.stamp: stamps/cryptocheck.stamp + if [ -e $(BUILD_DEBUG_IMAGE_DIR)/j2sdk-image/bin/java ] ; then \ + $(BUILD_DEBUG_IMAGE_DIR)/j2sdk-image/bin/java -cp $(CRYPTO_CHECK_BUILD_DIR) TestCryptoLevel ; \ + fi + mkdir -p stamps + touch $@ + +clean-check-crypto-debug: + rm -f stamps/check-crypto-debug.stamp + stamps/add-archive-debug.stamp: stamps/icedtea-debug.stamp if !ENABLE_JAMVM if !ENABLE_CACAO @@ -1624,20 +1648,22 @@ rm -f stamps/add-archive-debug.stamp stamps/icedtea-stage2.stamp: stamps/icedtea.stamp stamps/add-cacao.stamp \ - stamps/add-zero.stamp stamps/add-jamvm.stamp stamps/add-archive.stamp + stamps/add-zero.stamp stamps/add-jamvm.stamp stamps/check-crypto.stamp \ + stamps/add-archive.stamp mkdir -p stamps touch $@ -clean-icedtea-stage2: clean-add-jamvm clean-add-archive +clean-icedtea-stage2: clean-add-jamvm clean-check-crypto clean-add-archive rm -f stamps/icedtea-stage2.stamp stamps/icedtea-debug-stage2.stamp: stamps/icedtea-debug.stamp \ stamps/add-cacao-debug.stamp stamps/add-zero-debug.stamp stamps/add-jamvm-debug.stamp \ - stamps/add-archive-debug.stamp + stamps/check-crypto-debug.stamp stamps/add-archive-debug.stamp mkdir -p stamps touch $@ -clean-icedtea-debug-stage2: clean-add-jamvm-debug clean-add-archive-debug +clean-icedtea-debug-stage2: clean-add-jamvm-debug clean-check-crypto-debug \ + clean-add-archive-debug rm -f stamps/icedtea-debug-stage2.stamp # OpenJDK boot Targets @@ -1703,6 +1729,16 @@ rm -f stamps/icedtea-boot-configure.stamp rm -f stamps/icedtea-boot.stamp +stamps/check-crypto-boot.stamp: stamps/cryptocheck.stamp + if [ -e $(BUILD_BOOT_IMAGE_DIR)/j2sdk-image/bin/java ] ; then \ + $(BUILD_BOOT_IMAGE_DIR)/j2sdk-image/bin/java -cp $(CRYPTO_CHECK_BUILD_DIR) TestCryptoLevel ; \ + fi + mkdir -p stamps + touch $@ + +clean-check-crypto-boot: + rm -f stamps/check-crypto-boot.stamp + stamps/add-archive-boot.stamp: stamps/icedtea-boot.stamp if !ENABLE_JAMVM if !ENABLE_CACAO @@ -1719,11 +1755,12 @@ rm -vf $(BUILD_BOOT_IMAGE_DIR)/j2sdk-image/jre/lib/$(INSTALL_ARCH_DIR)/*/*.jsa rm -f stamps/add-archive-boot.stamp -stamps/icedtea-stage1.stamp: stamps/icedtea-boot.stamp stamps/add-archive-boot.stamp +stamps/icedtea-stage1.stamp: stamps/icedtea-boot.stamp stamps/check-crypto-boot.stamp \ + stamps/add-archive-boot.stamp mkdir -p stamps touch $@ -clean-icedtea-stage1: clean-add-archive-boot +clean-icedtea-stage1: clean-check-crypto-boot clean-add-archive-boot rm -f stamps/icedtea-stage1.stamp # PulseAudio based mixer @@ -2254,6 +2291,19 @@ cp $(SYSTEM_JDK_DIR)/jre/lib/rt.jar $(STAGE1_BOOT_DIR)/jre/lib ; \ fi +# Crypto Level Check + +stamps/cryptocheck.stamp: $(INITIAL_BOOTSTRAP_LINK_STAMP) + mkdir -p $(CRYPTO_CHECK_BUILD_DIR) + $(BOOT_DIR)/bin/javac $(IT_JAVACFLAGS) \ + -d $(CRYPTO_CHECK_BUILD_DIR) $(CRYPTO_CHECK_SRCS) + mkdir -p stamps + touch $@ + +clean-cryptocheck: + rm -rf $(CRYPTO_CHECK_BUILD_DIR) + rm -f stamps/cryptocheck.stamp + # Target Aliases # =============== @@ -2277,8 +2327,16 @@ cacao: stamps/cacao.stamp +check-crypto: stamps/check-crypto.stamp + +check-crypto-boot: stamps/check-crypto-boot.stamp + +check-crypto-debug: stamps/check-crypto-debug.stamp + clone-boot: stamps/clone-boot.stamp +cryptocheck: stamps/cryptocheck.stamp + download: stamps/download.stamp download-cacao: stamps/download-cacao.stamp
--- a/NEWS Wed Mar 04 15:09:23 2015 +0000 +++ b/NEWS Wed Mar 04 16:20:09 2015 +0000 @@ -27,6 +27,7 @@ - PR1275: Provide option to turn off downloading of tarballs - PR1279: Synchronise CACAO versions between IcedTea6/7/8 where possible - PR1281, RH513605: Updating/Installing OpenJDK should recreate the shared class-data archive + - PR1291: Ensure unlimited crypto policy is in place. - PR1325: Only add classes to rt-source-files.txt if actually needed - PR1346: Filter out -j option to make - PR1347: Update list of checked JDKs
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/TestCryptoLevel.java Wed Mar 04 16:20:09 2015 +0000 @@ -0,0 +1,78 @@ +/* TestCryptoLevel -- Ensure unlimited crypto policy is in use. + Copyright (C) 2012 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.lang.reflect.InvocationTargetException; + +import java.security.Permission; +import java.security.PermissionCollection; + +public class TestCryptoLevel +{ + public static void main(String[] args) + throws NoSuchFieldException, ClassNotFoundException, + IllegalAccessException, InvocationTargetException + { + Class<?> cls = null; + Method def = null, exempt = null; + + try + { + cls = Class.forName("javax.crypto.JceSecurity"); + } + catch (ClassNotFoundException ex) + { + System.err.println("Running a non-Sun JDK."); + System.exit(0); + } + catch (ExceptionInInitializerError err) + { + System.err.println("Failed to initialise JceSecurity: " + + err.getCause().getCause().getMessage()); + System.exit(-2); + } + try + { + def = cls.getDeclaredMethod("getDefaultPolicy"); + exempt = cls.getDeclaredMethod("getExemptPolicy"); + } + catch (NoSuchMethodException ex) + { + System.err.println("Running IcedTea with the original crypto patch."); + System.exit(0); + } + def.setAccessible(true); + exempt.setAccessible(true); + PermissionCollection defPerms = (PermissionCollection) def.invoke(null); + PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null); + Class<?> apCls = Class.forName("javax.crypto.CryptoAllPermission"); + Field apField = apCls.getDeclaredField("INSTANCE"); + apField.setAccessible(true); + Permission allPerms = (Permission) apField.get(null); + if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms))) + { + System.err.println("Running with the unlimited policy."); + System.exit(0); + } + else + { + System.err.println("WARNING: Running with a restricted crypto policy."); + System.exit(-1); + } + } +}