-
Bug
-
Resolution: Fixed
-
P3
-
9
-
b142
-
Not verified
The jdk.crypto.pkcs11 module is granted the following permissions:
grant codeBase "jrt:/jdk.crypto.pkcs11" {
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*";
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
// needs "security.pkcs11.allowSingleThreadedModules"
permission java.util.PropertyPermission "*", "read";
permission java.security.SecurityPermission "putProviderProperty.*";
permission java.security.SecurityPermission "clearProviderProperties.*";
permission java.security.SecurityPermission "removeProviderProperty.*";
permission java.security.SecurityPermission
"getProperty.auth.login.defaultCallbackHandler";
permission java.security.SecurityPermission "authProvider.*";
// Needed for reading PKCS11 config file and NSS library check
permission java.io.FilePermission "<<ALL FILES>>", "read";
};
The java.lang.RuntimePermission "accessClassInPackage.sun.misc" is unnecessary and can be removed.
The java.util.PropertyPermission "*", "read" is too loose, it can be broken down to only allow reading a few properties.
grant codeBase "jrt:/jdk.crypto.pkcs11" {
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*";
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
// needs "security.pkcs11.allowSingleThreadedModules"
permission java.util.PropertyPermission "*", "read";
permission java.security.SecurityPermission "putProviderProperty.*";
permission java.security.SecurityPermission "clearProviderProperties.*";
permission java.security.SecurityPermission "removeProviderProperty.*";
permission java.security.SecurityPermission
"getProperty.auth.login.defaultCallbackHandler";
permission java.security.SecurityPermission "authProvider.*";
// Needed for reading PKCS11 config file and NSS library check
permission java.io.FilePermission "<<ALL FILES>>", "read";
};
The java.lang.RuntimePermission "accessClassInPackage.sun.misc" is unnecessary and can be removed.
The java.util.PropertyPermission "*", "read" is too loose, it can be broken down to only allow reading a few properties.