Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8259319

Illegal package access when SunPKCS11 requires SunJCE's classes

    XMLWordPrintable

Details

    Backports

      Description

        The SunPKCS11 security provider might, on some circumstances, require help from SunJCE. An example of the previous is parsing X.509 public keys in P11DHKeyFactory::implTranslatePublicKey method. Usually, SunJCE access is performed through the Security::getProvider scheme. However, a fallback scheme that directly creates an instance from the SunJCE class is in place; in case the SunJCE security provider is not enabled.

        The current JDK -probably any after JDK-8- is not ready to go through the fallback scheme when a Security Manager is installed due to access checks. There are a few issues preventing it:

        1) the 'java.base' module does not export 'com.sun.crypto.provider' package to the 'jdk.crypto.cryptoki' module;

        2) the default policy does not grant 'jrt:/jdk.crypto.cryptoki' code base 'accessClassInPackage.com.sun.crypto.provider' RuntimePermission; and,

        3) even if permission were granted, we need privileged access in P11Util::getProvider method to prevent the check from going through the stack until the AppClassLoader (which does not probably have this permission).

        Please note that the 'jdk.crypto.cryptoki' module already has permissions to access other 'java.base' packages such as 'sun.security.*'. Also note how this access requires the package to be exported to the module. I.e.: the 'sun.security.jca' package (from the 'java.base' module) is exported to the 'jdk.crypto.cryptoki' module.

        Update: while SunPKCS11 might need to directly create instances of SUN and SunRsaSign provider classes, it already has access permissions through the 'java.base' exported modules and the default policy.

        Attachments

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8260383 Illegal package access when SunPKCS11 requires SunJCE's classes

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8265080 Illegal package access when SunPKCS11 requires SunJCE's classes

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8279897 Illegal package access when SunPKCS11 requires SunJCE's classes

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved
            relates to

            Bug - A problem which impairs or prevents the functions of the product. JDK-8261534 Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined

            • P3 - Major loss of function.
            • Resolved
            links to

            Commit Commit openjdk/jdk15u-dev/ace2b56d

            Commit Commit openjdk/jdk/4be21734

            Review Review openjdk/jdk15u-dev/22

            Review Review openjdk/jdk/1961

            Activity

              People

                mbalao Martin Balao
                mbalao Martin Balao
                Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: