Differentiate between add and get

closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java

@@ -255,7 +255,20 @@ public static boolean isFIPSEnabled() {
      */
     public static boolean isServiceAllowed(Service service) {
         if (securityEnabled) {
-            return restricts.isRestrictedServiceAllowed(service);
+            return restricts.isRestrictedServiceAllowed(service, false);
+        }
+        return true;
+    }
+
+    /**
+     * Check if the service is allowed in restricted security mode.
+     *
+     * @param service the service to check
+     * @return true if the service is allowed
+     */
+    public static boolean canServiceBeAdded(Service service) {
+        if (securityEnabled) {
+            return restricts.isRestrictedServiceAllowed(service, true);
         }
         return true;
     }
@@ -759,7 +772,7 @@ private RestrictedSecurityProperties(String profileID, ProfileParser parser) {
          * @param service the Service to check
          * @return true if the Service is allowed
          */
-        boolean isRestrictedServiceAllowed(Service service) {
+        boolean isRestrictedServiceAllowed(Service service, boolean isServiceAdded) {
             Provider provider = service.getProvider();
             String providerClassName = provider.getClass().getName();
 
@@ -795,7 +808,7 @@ boolean isRestrictedServiceAllowed(Service service) {
                 String cType = constraint.type;
                 String cAlgorithm = constraint.algorithm;
                 String cAttribute = constraint.attributes;
-                String cAcceptedUses = constraint.acceptedUses;
+                String cAcceptedUses = constraint.acceptedUses.substring(1).strip();
                 if (debug != null) {
                     debug.println("Checking provider constraint:"
                                 + "\n\tService type: " + cType
@@ -857,10 +870,13 @@ boolean isRestrictedServiceAllowed(Service service) {
 
                 // See if a regex for accepted uses has been specified and apply
                 // it to the call stack.
-                if (!isNullOrBlank(cAcceptedUses)) {
+                if (!isServiceAdded && !isNullOrBlank(cAcceptedUses)) {
                     StackTraceElement[] stackElements = Thread.currentThread().getStackTrace();
                     boolean found = false;
                     for (StackTraceElement stackElement : stackElements) {
+                        if (debug != null) {
+                            debug.println("Attempting to match " + stackElement + "using the regex: " + cAcceptedUses);
+                        }
                         Pattern p = Pattern.compile(cAcceptedUses);
                         Matcher m = p.matcher(stackElement.getClassName());
                         // If a matching class is found in call stack, stop looking.

src/java.base/share/classes/java/security/Provider.java

@@ -1239,7 +1239,7 @@ protected void putService(Service s) {
             throw new IllegalArgumentException
                     ("service.getProvider() must match this Provider object");
         }
-        if (!RestrictedSecurity.isServiceAllowed(s)) {
+        if (!RestrictedSecurity.canServiceBeAdded(s)) {
             // We're in restricted security mode which does not allow this service,
             // return without registering.
             return;

src/java.base/share/conf/security/java.security

@@ -283,7 +283,7 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.jce.provider.1 = com.ibm.crypto.plu
     {KeyGenerator, SunTlsMasterSecret, *}, \
     {KeyGenerator, SunTlsPrf, *}, \
     {KeyGenerator, SunTlsRsaPremasterSecret, *}, \
-    {KeyPairGenerator, EC, *, \S*StackConstraints\S*}, \
+    {KeyPairGenerator, EC, *, \\S*StackConstraints\\S*}, \
     {KeyPairGenerator, RSA, *}, \
     {KeyPairGenerator, RSAPSS, *}, \
     {Mac, HmacSHA224, *}, \