-
Bug
-
Resolution: Fixed
-
P3
-
11.0.11, 17
-
b05
-
b10
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8282349 | 15.0.7 | Yuri Nesterenko | P3 | Resolved | Fixed | b02 |
JDK-8279898 | 11.0.15-oracle | Prasadarao Koppula | P3 | Resolved | Fixed | b03 |
JDK-8262016 | 11.0.11 | Christoph Langer | P3 | Resolved | Fixed | b04 |
java.security.AccessControlException: access denied ("java.security.SecurityPermission" "removeProvider.SUN")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.base/java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1521)
at java.base/java.security.Security.check(Security.java:832)
at java.base/java.security.Security.removeProvider(Security.java:444)
at IllegalPackageAccess.main(IllegalPackageAccess.java:81)
at PKCS11Test.premain(PKCS11Test.java:171)
at PKCS11Test.testNSS(PKCS11Test.java:568)
at PKCS11Test.main(PKCS11Test.java:207)
at IllegalPackageAccess.main(IllegalPackageAccess.java:69)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
at java.base/java.lang.Thread.run(Thread.java:831)
Root cause is that the test materializes and installs a policy by obtaining the current policy (https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java#L46). At the time it tries to remove a provider (https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java#L80), the materialized policy is used for an access check, due to some intricacies of the java.security.Policy implementation (https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/src/java.base/share/classes/java/security/Policy.java#L293). This policy does not allow the removal of a provider.
On platforms where the test runs through PKCS11Test::fetchNssLib, the default policy is reset (https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/PKCS11Test.java#L859) which makes the test work. But if we don't pass there, the test fails.
Fix would be to unconditionally call Policy.setPolicy(null); in IllegalPackageAccess before installing MyPolicy or alternatively have MyPolicy::implies always return true unless it's about "accessClassInPackage.com.sun.crypto.provider".
- backported by
-
JDK-8262016 Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined
-
- Resolved
-
-
JDK-8279898 Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined
-
- Resolved
-
-
JDK-8282349 Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined
-
- Resolved
-
- relates to
-
JDK-8259319 Illegal package access when SunPKCS11 requires SunJCE's classes
-
- Resolved
-
- links to
-
Commit openjdk/jdk15u-dev/1a1dec4b
-
Commit openjdk/jdk/dc46aa85
-
Review openjdk/jdk15u-dev/182
-
Review openjdk/jdk/2518