diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java index 67e2765b639..664728457b7 100644 --- a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java +++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java @@ -255,7 +255,20 @@ public static boolean isFIPSEnabled() { */ public static boolean isServiceAllowed(Service service) { if (securityEnabled) { - return restricts.isRestrictedServiceAllowed(service); + return restricts.isRestrictedServiceAllowed(service, false); + } + return true; + } + + /** + * Check if the service is allowed in restricted security mode. + * + * @param service the service to check + * @return true if the service is allowed + */ + public static boolean canServiceBeAdded(Service service) { + if (securityEnabled) { + return restricts.isRestrictedServiceAllowed(service, true); } return true; } @@ -759,7 +772,7 @@ private RestrictedSecurityProperties(String profileID, ProfileParser parser) { * @param service the Service to check * @return true if the Service is allowed */ - boolean isRestrictedServiceAllowed(Service service) { + boolean isRestrictedServiceAllowed(Service service, boolean isServiceAdded) { Provider provider = service.getProvider(); String providerClassName = provider.getClass().getName(); @@ -795,7 +808,7 @@ boolean isRestrictedServiceAllowed(Service service) { String cType = constraint.type; String cAlgorithm = constraint.algorithm; String cAttribute = constraint.attributes; - String cAcceptedUses = constraint.acceptedUses; + String cAcceptedUses = constraint.acceptedUses.substring(1).strip(); if (debug != null) { debug.println("Checking provider constraint:" + "\n\tService type: " + cType @@ -857,10 +870,13 @@ boolean isRestrictedServiceAllowed(Service service) { // See if a regex for accepted uses has been specified and apply // it to the call stack. - if (!isNullOrBlank(cAcceptedUses)) { + if (!isServiceAdded && !isNullOrBlank(cAcceptedUses)) { StackTraceElement[] stackElements = Thread.currentThread().getStackTrace(); boolean found = false; for (StackTraceElement stackElement : stackElements) { + if (debug != null) { + debug.println("Attempting to match " + stackElement + "using the regex: " + cAcceptedUses); + } Pattern p = Pattern.compile(cAcceptedUses); Matcher m = p.matcher(stackElement.getClassName()); // If a matching class is found in call stack, stop looking. diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java index 7463578af6c..5ba43259b56 100644 --- a/src/java.base/share/classes/java/security/Provider.java +++ b/src/java.base/share/classes/java/security/Provider.java @@ -1239,7 +1239,7 @@ protected void putService(Service s) { throw new IllegalArgumentException ("service.getProvider() must match this Provider object"); } - if (!RestrictedSecurity.isServiceAllowed(s)) { + if (!RestrictedSecurity.canServiceBeAdded(s)) { // We're in restricted security mode which does not allow this service, // return without registering. return; diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index 7798e5afd3c..1360550c7bc 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -283,7 +283,7 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.jce.provider.1 = com.ibm.crypto.plu {KeyGenerator, SunTlsMasterSecret, *}, \ {KeyGenerator, SunTlsPrf, *}, \ {KeyGenerator, SunTlsRsaPremasterSecret, *}, \ - {KeyPairGenerator, EC, *, \S*StackConstraints\S*}, \ + {KeyPairGenerator, EC, *, \\S*StackConstraints\\S*}, \ {KeyPairGenerator, RSA, *}, \ {KeyPairGenerator, RSAPSS, *}, \ {Mac, HmacSHA224, *}, \