From ddc8a9d5da28f67071a0d6bed981ab4ad70337be Mon Sep 17 00:00:00 2001 From: Sean Mullan Date: Mon, 25 Nov 2024 13:10:59 +0000 Subject: [PATCH] 8344366: Remove Security Manager dependencies from javax.net.ssl and sun.security.ssl packages Reviewed-by: coffeys, ascarpino, hchao --- .../javax/net/ssl/HttpsURLConnection.java | 15 --- .../javax/net/ssl/KeyManagerFactory.java | 8 +- .../classes/javax/net/ssl/SSLContext.java | 5 - .../javax/net/ssl/SSLSocketFactory.java | 21 ++--- .../javax/net/ssl/TrustManagerFactory.java | 8 +- .../action/OpenFileInputStreamAction.java | 53 ----------- .../sun/security/ssl/AlpnExtension.java | 9 +- .../sun/security/ssl/DHKeyExchange.java | 6 +- .../classes/sun/security/ssl/NamedGroup.java | 6 +- .../ssl/PredefinedDHParameterSpecs.java | 10 +- .../classes/sun/security/ssl/SSLCipher.java | 11 +-- .../sun/security/ssl/SSLConfiguration.java | 31 +++--- .../sun/security/ssl/SSLContextImpl.java | 45 +++------ .../sun/security/ssl/SSLEngineImpl.java | 55 ++++------- .../sun/security/ssl/SSLExtension.java | 3 +- .../classes/sun/security/ssl/SSLLogger.java | 5 +- .../security/ssl/SSLSessionContextImpl.java | 10 +- .../sun/security/ssl/SSLSessionImpl.java | 87 ++--------------- .../security/ssl/ServerHandshakeContext.java | 9 +- .../security/ssl/SessionTicketExtension.java | 6 +- .../security/ssl/StatusResponseManager.java | 28 ++---- .../classes/sun/security/ssl/SunJSSE.java | 12 +-- .../sun/security/ssl/TransportContext.java | 31 ++---- .../sun/security/ssl/TrustStoreManager.java | 94 +++++++++---------- .../classes/sun/security/ssl/Utilities.java | 7 +- test/jdk/sun/security/action/Generify.java | 12 +-- 26 files changed, 147 insertions(+), 440 deletions(-) delete mode 100644 src/java.base/share/classes/sun/security/action/OpenFileInputStreamAction.java diff --git a/src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java b/src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java index d3308741ece..61bd8d140d2 100644 --- a/src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java +++ b/src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java @@ -227,11 +227,6 @@ public abstract class HttpsURLConnection extends HttpURLConnection { "no default HostnameVerifier specified"); } - @SuppressWarnings("removal") - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SSLPermission("setHostnameVerifier")); - } defaultHostnameVerifier = v; } @@ -306,11 +301,6 @@ public abstract class HttpsURLConnection extends HttpURLConnection { "no default SSLSocketFactory specified"); } - @SuppressWarnings("removal") - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkSetFactory(); - } defaultSSLSocketFactory = sf; } @@ -353,11 +343,6 @@ public abstract class HttpsURLConnection extends HttpURLConnection { "no SSLSocketFactory specified"); } - @SuppressWarnings("removal") - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkSetFactory(); - } sslSocketFactory = sf; } diff --git a/src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java b/src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java index 5f7c7135fa8..4ff8d35f717 100644 --- a/src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java +++ b/src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,7 +25,6 @@ package javax.net.ssl; -import java.security.Security; import java.security.*; import java.util.Objects; @@ -62,11 +61,8 @@ public class KeyManagerFactory { * {@code ssl.KeyManagerFactory.algorithm} security property, or an * implementation-specific default if no such property exists. */ - @SuppressWarnings("removal") public static final String getDefaultAlgorithm() { - String type; - type = AccessController.doPrivileged((PrivilegedAction) () -> - Security.getProperty("ssl.KeyManagerFactory.algorithm")); + String type = Security.getProperty("ssl.KeyManagerFactory.algorithm"); if (type == null) { type = "SunX509"; } diff --git a/src/java.base/share/classes/javax/net/ssl/SSLContext.java b/src/java.base/share/classes/javax/net/ssl/SSLContext.java index fe6d00daf4a..0c2087efa88 100644 --- a/src/java.base/share/classes/javax/net/ssl/SSLContext.java +++ b/src/java.base/share/classes/javax/net/ssl/SSLContext.java @@ -129,11 +129,6 @@ public class SSLContext { if (context == null) { throw new NullPointerException(); } - @SuppressWarnings("removal") - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(new SSLPermission("setDefaultSSLContext")); - } defaultContext = context; } diff --git a/src/java.base/share/classes/javax/net/ssl/SSLSocketFactory.java b/src/java.base/share/classes/javax/net/ssl/SSLSocketFactory.java index cb5e3318052..b90a9d4c25c 100644 --- a/src/java.base/share/classes/javax/net/ssl/SSLSocketFactory.java +++ b/src/java.base/share/classes/javax/net/ssl/SSLSocketFactory.java @@ -33,8 +33,6 @@ import java.io.InputStream; import java.security.*; import java.util.Locale; -import sun.security.action.GetPropertyAction; - /** * SSLSocketFactorys create SSLSockets. * @@ -46,7 +44,7 @@ public abstract class SSLSocketFactory extends SocketFactory { static final boolean DEBUG; static { - String s = GetPropertyAction.privilegedGetProperty( + String s = System.getProperty( "javax.net.debug", "").toLowerCase(Locale.ENGLISH); DEBUG = s.contains("all") || s.contains("ssl"); } @@ -86,18 +84,15 @@ public abstract class SSLSocketFactory extends SocketFactory { } } - @SuppressWarnings("removal") static String getSecurityProperty(final String name) { - return AccessController.doPrivileged((PrivilegedAction) () -> { - String s = Security.getProperty(name); - if (s != null) { - s = s.trim(); - if (s.isEmpty()) { - s = null; - } + String s = Security.getProperty(name); + if (s != null) { + s = s.trim(); + if (s.isEmpty()) { + s = null; } - return s; - }); + } + return s; } /** diff --git a/src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java b/src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java index 429800ab169..af08d97f0d2 100644 --- a/src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java +++ b/src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,7 +25,6 @@ package javax.net.ssl; -import java.security.Security; import java.security.*; import java.util.Objects; @@ -74,11 +73,8 @@ public class TrustManagerFactory { * {@code ssl.TrustManagerFactory.algorithm} security property, or an * implementation-specific default if no such property exists. */ - @SuppressWarnings("removal") public static final String getDefaultAlgorithm() { - String type; - type = AccessController.doPrivileged((PrivilegedAction) () -> - Security.getProperty( "ssl.TrustManagerFactory.algorithm")); + String type = Security.getProperty("ssl.TrustManagerFactory.algorithm"); if (type == null) { type = "SunX509"; } diff --git a/src/java.base/share/classes/sun/security/action/OpenFileInputStreamAction.java b/src/java.base/share/classes/sun/security/action/OpenFileInputStreamAction.java deleted file mode 100644 index 4692a22eb41..00000000000 --- a/src/java.base/share/classes/sun/security/action/OpenFileInputStreamAction.java +++ /dev/null @@ -1,53 +0,0 @@ -/* - * Copyright (c) 2002, 2004, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.action; - -import java.io.*; - -import java.security.PrivilegedExceptionAction; - -/** - * A convenience class for opening a FileInputStream as a privileged action. - * - * @author Andreas Sterbenz - */ -public class OpenFileInputStreamAction - implements PrivilegedExceptionAction { - - private final File file; - - public OpenFileInputStreamAction(File file) { - this.file = file; - } - - public OpenFileInputStreamAction(String filename) { - this.file = new File(filename); - } - - public FileInputStream run() throws Exception { - return new FileInputStream(file); - } -} diff --git a/src/java.base/share/classes/sun/security/ssl/AlpnExtension.java b/src/java.base/share/classes/sun/security/ssl/AlpnExtension.java index 45e911a73bf..d44ec034411 100644 --- a/src/java.base/share/classes/sun/security/ssl/AlpnExtension.java +++ b/src/java.base/share/classes/sun/security/ssl/AlpnExtension.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,8 +28,6 @@ package sun.security.ssl; import java.io.IOException; import java.nio.ByteBuffer; import java.nio.charset.Charset; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.security.Security; import java.util.*; import javax.net.ssl.SSLEngine; @@ -63,10 +61,7 @@ final class AlpnExtension { static final Charset alpnCharset; static { - @SuppressWarnings("removal") - String alpnCharsetString = AccessController.doPrivileged( - (PrivilegedAction) () - -> Security.getProperty("jdk.tls.alpnCharset")); + String alpnCharsetString = Security.getProperty("jdk.tls.alpnCharset"); if ((alpnCharsetString == null) || (alpnCharsetString.length() == 0)) { alpnCharsetString = "ISO_8859_1"; diff --git a/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java b/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java index 6706e24e22a..1fc9d07cdd8 100644 --- a/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java +++ b/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,7 +40,6 @@ import java.security.spec.InvalidKeySpecException; import javax.crypto.interfaces.DHPublicKey; import javax.crypto.spec.DHParameterSpec; import javax.crypto.spec.DHPublicKeySpec; -import sun.security.action.GetPropertyAction; import sun.security.ssl.NamedGroup.NamedGroupSpec; import sun.security.ssl.X509Authentication.X509Possession; import sun.security.util.KeyUtil; @@ -261,8 +260,7 @@ final class DHKeyExchange { private final boolean exportable; static { - String property = GetPropertyAction.privilegedGetProperty( - "jdk.tls.ephemeralDHKeySize"); + String property = System.getProperty("jdk.tls.ephemeralDHKeySize"); if (property == null || property.isEmpty()) { useLegacyEphemeralDHKeys = false; useSmartEphemeralDHKeys = false; diff --git a/src/java.base/share/classes/sun/security/ssl/NamedGroup.java b/src/java.base/share/classes/sun/security/ssl/NamedGroup.java index 2a6c966a254..46280a05355 100644 --- a/src/java.base/share/classes/sun/security/ssl/NamedGroup.java +++ b/src/java.base/share/classes/sun/security/ssl/NamedGroup.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -39,7 +39,6 @@ import javax.crypto.KeyAgreement; import javax.crypto.spec.DHParameterSpec; import sun.security.ssl.ECDHKeyExchange.ECDHEPossession; import sun.security.util.CurveDB; -import sun.security.action.GetPropertyAction; /** * An enum containing all known named groups for use in TLS. @@ -752,8 +751,7 @@ enum NamedGroup { // // If the System Property is not defined or the value is empty, the // default groups and preferences will be used. - String property = GetPropertyAction - .privilegedGetProperty("jdk.tls.namedGroups"); + String property = System.getProperty("jdk.tls.namedGroups"); if (property != null && !property.isEmpty()) { // remove double quote marks from beginning/end of the property if (property.length() > 1 && property.charAt(0) == '"' && diff --git a/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java b/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java index 14f4a9b4d90..e510fe92b0e 100644 --- a/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java +++ b/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -230,13 +230,7 @@ final class PredefinedDHParameterSpecs { static final Map ffdheParams; static { - @SuppressWarnings("removal") - String property = AccessController.doPrivileged( - new PrivilegedAction() { - public String run() { - return Security.getProperty(PROPERTY_NAME); - } - }); + String property = Security.getProperty(PROPERTY_NAME); if (property != null && !property.isEmpty()) { // remove double quote marks from beginning/end of the property diff --git a/src/java.base/share/classes/sun/security/ssl/SSLCipher.java b/src/java.base/share/classes/sun/security/ssl/SSLCipher.java index fa6bfe0bed6..d11ffc96b47 100644 --- a/src/java.base/share/classes/sun/security/ssl/SSLCipher.java +++ b/src/java.base/share/classes/sun/security/ssl/SSLCipher.java @@ -36,13 +36,11 @@ import javax.crypto.ShortBufferException; import javax.crypto.spec.GCMParameterSpec; import javax.crypto.spec.IvParameterSpec; import java.nio.ByteBuffer; -import java.security.AccessController; import java.security.GeneralSecurityException; import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; import java.security.Key; import java.security.NoSuchAlgorithmException; -import java.security.PrivilegedAction; import java.security.SecureRandom; import java.security.Security; import java.security.spec.AlgorithmParameterSpec; @@ -380,14 +378,7 @@ enum SSLCipher { static { final long max = 4611686018427387904L; // 2^62 - @SuppressWarnings("removal") - String prop = AccessController.doPrivileged( - new PrivilegedAction() { - @Override - public String run() { - return Security.getProperty("jdk.tls.keyLimits"); - } - }); + String prop = Security.getProperty("jdk.tls.keyLimits"); if (prop != null) { String[] propvalue = prop.split(","); diff --git a/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java b/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java index 421867aa4c4..bb032e019d3 100644 --- a/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java +++ b/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java @@ -25,8 +25,6 @@ package sun.security.ssl; -import java.security.AccessControlContext; -import java.security.AccessController; import java.security.AlgorithmConstraints; import java.security.NoSuchAlgorithmException; import java.util.*; @@ -38,8 +36,6 @@ import javax.net.ssl.SNIServerName; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLSocket; -import sun.security.action.GetIntegerAction; -import sun.security.action.GetPropertyAction; import sun.security.ssl.SSLExtension.ClientExtensions; import sun.security.ssl.SSLExtension.ServerExtensions; @@ -78,9 +74,7 @@ final class SSLConfiguration implements Cloneable { BiFunction, String> socketAPSelector; BiFunction, String> engineAPSelector; - @SuppressWarnings("removal") - HashMap - handshakeListeners; + HashSet handshakeListeners; boolean noSniExtension; boolean noSniMatcher; @@ -105,7 +99,7 @@ final class SSLConfiguration implements Cloneable { "jdk.tls.acknowledgeCloseNotify", false); // Set the max size limit for Handshake Message to 2^15 - static final int maxHandshakeMessageSize = GetIntegerAction.privilegedGetProperty( + static final int maxHandshakeMessageSize = Integer.getInteger( "jdk.tls.maxHandshakeMessageSize", 32768); // Limit the certificate chain length accepted from clients @@ -147,7 +141,7 @@ final class SSLConfiguration implements Cloneable { * jdk.tls.maxCertificateChainLength system property works for both * server and client modes. */ - Integer maxCertificateChainLength = GetIntegerAction.privilegedGetProperty( + Integer maxCertificateChainLength = Integer.getInteger( "jdk.tls.maxCertificateChainLength"); if (maxCertificateChainLength != null && maxCertificateChainLength >= 0) { globalPropSet = true; @@ -164,7 +158,7 @@ final class SSLConfiguration implements Cloneable { * property is set and its value >= 0, it uses that value. * - Otherwise it is set to a default value of 8. */ - Integer inboundClientLen = GetIntegerAction.privilegedGetProperty( + Integer inboundClientLen = Integer.getInteger( "jdk.tls.server.maxInboundCertificateChainLength"); // Default for jdk.tls.server.maxInboundCertificateChainLength is 8 @@ -186,7 +180,7 @@ final class SSLConfiguration implements Cloneable { * property is set and its value >= 0, it uses that value. * - Otherwise it is set to a default value of 10. */ - Integer inboundServerLen = GetIntegerAction.privilegedGetProperty( + Integer inboundServerLen = Integer.getInteger( "jdk.tls.client.maxInboundCertificateChainLength"); // Default for jdk.tls.client.maxInboundCertificateChainLength is 10 @@ -203,7 +197,7 @@ final class SSLConfiguration implements Cloneable { * client. The value must be between 0 and 10. Default is defined by * SERVER_NST_DEFAULT. */ - Integer nstServerCount = GetIntegerAction.privilegedGetProperty( + Integer nstServerCount = Integer.getInteger( "jdk.tls.server.newSessionTicketCount"); if (nstServerCount == null || nstServerCount < 0 || nstServerCount > 10) { @@ -384,15 +378,14 @@ final class SSLConfiguration implements Cloneable { } // SSLSocket only - @SuppressWarnings("removal") void addHandshakeCompletedListener( HandshakeCompletedListener listener) { if (handshakeListeners == null) { - handshakeListeners = new HashMap<>(4); + handshakeListeners = new HashSet<>(4); } - handshakeListeners.put(listener, AccessController.getContext()); + handshakeListeners.add(listener); } // SSLSocket only @@ -403,7 +396,7 @@ final class SSLConfiguration implements Cloneable { throw new IllegalArgumentException("no listeners"); } - if (handshakeListeners.remove(listener) == null) { + if (!handshakeListeners.remove(listener)) { throw new IllegalArgumentException("listener not registered"); } @@ -532,14 +525,14 @@ final class SSLConfiguration implements Cloneable { } @Override - @SuppressWarnings({"removal","unchecked", "CloneDeclaresCloneNotSupported"}) + @SuppressWarnings({"unchecked", "CloneDeclaresCloneNotSupported"}) public Object clone() { // Note that only references to the configurations are copied. try { SSLConfiguration config = (SSLConfiguration)super.clone(); if (handshakeListeners != null) { config.handshakeListeners = - (HashMap) + (HashSet) handshakeListeners.clone(); } @@ -573,7 +566,7 @@ final class SSLConfiguration implements Cloneable { * system property. */ private static String[] getCustomizedSignatureScheme(String propertyName) { - String property = GetPropertyAction.privilegedGetProperty(propertyName); + String property = System.getProperty(propertyName); if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) { SSLLogger.fine( "System property " + propertyName + " is set to '" + diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java index 04bca94f0c0..f09270aa9e6 100644 --- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,7 +32,6 @@ import java.security.cert.*; import java.util.*; import java.util.concurrent.locks.ReentrantLock; import javax.net.ssl.*; -import sun.security.action.GetPropertyAction; import sun.security.provider.certpath.AlgorithmChecker; import sun.security.validator.Validator; @@ -409,7 +408,7 @@ public abstract class SSLContextImpl extends SSLContextSpi { private static Collection getCustomizedCipherSuites( String propertyName) { - String property = GetPropertyAction.privilegedGetProperty(propertyName); + String property = System.getProperty(propertyName); if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) { SSLLogger.fine( "System property " + propertyName + " is set to '" + @@ -742,7 +741,7 @@ public abstract class SSLContextImpl extends SSLContextSpi { private static void populate(String propname, ArrayList arrayList) { - String property = GetPropertyAction.privilegedGetProperty(propname); + String property = System.getProperty(propname); if (property == null) { return; } @@ -957,28 +956,20 @@ public abstract class SSLContextImpl extends SSLContextSpi { return tmf.getTrustManagers(); } - @SuppressWarnings("removal") private static KeyManager[] getKeyManagers() throws Exception { - final Map props = new HashMap<>(); - AccessController.doPrivileged( - new PrivilegedExceptionAction() { - @Override - public Object run() { - props.put("keyStore", System.getProperty( - "javax.net.ssl.keyStore", "")); - props.put("keyStoreType", System.getProperty( - "javax.net.ssl.keyStoreType", - KeyStore.getDefaultType())); - props.put("keyStoreProvider", System.getProperty( - "javax.net.ssl.keyStoreProvider", "")); - props.put("keyStorePasswd", System.getProperty( - "javax.net.ssl.keyStorePassword", "")); - return null; - } - }); + Map props = new HashMap<>(); + props.put("keyStore", System.getProperty( + "javax.net.ssl.keyStore", "")); + props.put("keyStoreType", System.getProperty( + "javax.net.ssl.keyStoreType", + KeyStore.getDefaultType())); + props.put("keyStoreProvider", System.getProperty( + "javax.net.ssl.keyStoreProvider", "")); + props.put("keyStorePasswd", System.getProperty( + "javax.net.ssl.keyStorePassword", "")); - final String defaultKeyStore = props.get("keyStore"); + String defaultKeyStore = props.get("keyStore"); String defaultKeyStoreType = props.get("keyStoreType"); String defaultKeyStoreProvider = props.get("keyStoreProvider"); if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) { @@ -1001,13 +992,7 @@ public abstract class SSLContextImpl extends SSLContextSpi { try { if (!defaultKeyStore.isEmpty() && !NONE.equals(defaultKeyStore)) { - fs = AccessController.doPrivileged( - new PrivilegedExceptionAction() { - @Override - public FileInputStream run() throws Exception { - return new FileInputStream(defaultKeyStore); - } - }); + fs = new FileInputStream(defaultKeyStore); } String defaultKeyStorePassword = props.get("keyStorePasswd"); diff --git a/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java index 36b5bd4a78c..4b19f5a9d7b 100644 --- a/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java +++ b/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,9 +28,6 @@ package sun.security.ssl; import java.io.IOException; import java.nio.ByteBuffer; import java.nio.ReadOnlyBufferException; -import java.security.AccessController; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; import java.util.List; import java.util.Map; import java.util.concurrent.locks.ReentrantLock; @@ -1202,17 +1199,25 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport { } try { - @SuppressWarnings("removal") - var dummy = AccessController.doPrivileged( - new DelegatedAction(hc), engine.conContext.acc); - } catch (PrivilegedActionException pae) { + while (!hc.delegatedActions.isEmpty()) { + Map.Entry me = + hc.delegatedActions.poll(); + if (me != null) { + try { + hc.dispatch(me.getKey(), me.getValue()); + } catch (Exception e) { + throw hc.conContext.fatal(Alert.INTERNAL_ERROR, + "Unhandled exception", e); + } + } + } + } catch (SSLException se) { // Get the handshake context again in case the // handshaking has completed. - Exception reportedException = pae.getException(); // Report to both the TransportContext... if (engine.conContext.delegatedThrown == null) { - engine.conContext.delegatedThrown = reportedException; + engine.conContext.delegatedThrown = se; } // ...and the HandshakeContext in case condition @@ -1220,11 +1225,10 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport { // around. hc = engine.conContext.handshakeContext; if (hc != null) { - hc.delegatedThrown = reportedException; + hc.delegatedThrown = se; } else if (engine.conContext.closeReason != null) { // Update the reason in case there was a previous. - engine.conContext.closeReason = - getTaskThrown(reportedException); + engine.conContext.closeReason = getTaskThrown(se); } } catch (RuntimeException rte) { // Get the handshake context again in case the @@ -1257,30 +1261,5 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport { engine.engineLock.unlock(); } } - - private static class DelegatedAction - implements PrivilegedExceptionAction { - final HandshakeContext context; - DelegatedAction(HandshakeContext context) { - this.context = context; - } - - @Override - public Void run() throws Exception { - while (!context.delegatedActions.isEmpty()) { - Map.Entry me = - context.delegatedActions.poll(); - if (me != null) { - try { - context.dispatch(me.getKey(), me.getValue()); - } catch (Exception e) { - throw context.conContext.fatal(Alert.INTERNAL_ERROR, - "Unhandled exception", e); - } - } - } - return null; - } - } } } diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java index 2cb74fb1056..b28ef763796 100644 --- a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java +++ b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java @@ -30,7 +30,6 @@ import java.nio.ByteBuffer; import java.text.MessageFormat; import java.util.*; -import sun.security.action.GetPropertyAction; import sun.security.ssl.SSLHandshake.HandshakeMessage; import sun.security.util.HexDumpEncoder; @@ -820,7 +819,7 @@ enum SSLExtension implements SSLStringizer { // Get disabled extensions, which could be customized with System Properties. private static Collection getDisabledExtensions( String propertyName) { - String property = GetPropertyAction.privilegedGetProperty(propertyName); + String property = System.getProperty(propertyName); if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) { SSLLogger.fine( "System property " + propertyName + " is set to '" + diff --git a/src/java.base/share/classes/sun/security/ssl/SSLLogger.java b/src/java.base/share/classes/sun/security/ssl/SSLLogger.java index 7783967836b..9736bfaba0d 100644 --- a/src/java.base/share/classes/sun/security/ssl/SSLLogger.java +++ b/src/java.base/share/classes/sun/security/ssl/SSLLogger.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -41,7 +41,6 @@ import java.time.ZoneId; import java.time.format.DateTimeFormatter; import java.util.*; -import sun.security.action.GetPropertyAction; import sun.security.util.HexDumpEncoder; import sun.security.util.Debug; import sun.security.x509.*; @@ -64,7 +63,7 @@ public final class SSLLogger { public static final boolean isOn; static { - String p = GetPropertyAction.privilegedGetProperty("javax.net.debug"); + String p = System.getProperty("javax.net.debug"); if (p != null) { if (p.isEmpty()) { property = ""; diff --git a/src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java index f3e22633ab4..0ff80f0c76c 100644 --- a/src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java +++ b/src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java @@ -36,8 +36,6 @@ import java.util.concurrent.ConcurrentHashMap; import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSessionContext; -import sun.security.action.GetIntegerAction; -import sun.security.action.GetPropertyAction; import sun.security.util.Cache; @@ -324,10 +322,10 @@ final class SSLSessionContextImpl implements SSLSessionContext { // Property for Session Cache state if (server) { - st = GetPropertyAction.privilegedGetProperty( + st = System.getProperty( "jdk.tls.server.enableSessionTicketExtension", "true"); } else { - st = GetPropertyAction.privilegedGetProperty( + st = System.getProperty( "jdk.tls.client.enableSessionTicketExtension", "true"); } @@ -337,7 +335,7 @@ final class SSLSessionContextImpl implements SSLSessionContext { // Property for Session Ticket Timeout. The value can be changed // by SSLSessionContext.setSessionTimeout(int) - String s = GetPropertyAction.privilegedGetProperty( + String s = System.getProperty( "jdk.tls.server.sessionTicketTimeout"); if (s != null) { try { @@ -364,7 +362,7 @@ final class SSLSessionContextImpl implements SSLSessionContext { } } - int defaultCacheLimit = GetIntegerAction.privilegedGetProperty( + int defaultCacheLimit = Integer.getInteger( "javax.net.ssl.sessionCacheSize", DEFAULT_MAX_CACHE_SIZE); if (defaultCacheLimit >= 0) { diff --git a/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java index b887eedd8dc..f02709bc31d 100644 --- a/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java +++ b/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java @@ -49,7 +49,6 @@ import javax.net.ssl.SNIHostName; import javax.net.ssl.SNIServerName; import javax.net.ssl.SSLException; import javax.net.ssl.SSLPeerUnverifiedException; -import javax.net.ssl.SSLPermission; import javax.net.ssl.SSLSessionBindingEvent; import javax.net.ssl.SSLSessionBindingListener; import javax.net.ssl.SSLSessionContext; @@ -913,24 +912,8 @@ final class SSLSessionImpl extends ExtendedSSLSession { * are currently valid in this process. For client sessions, * this returns null. */ - @SuppressWarnings("removal") @Override public SSLSessionContext getSessionContext() { - /* - * An interim security policy until we can do something - * more specific in 1.2. Only allow trusted code (code which - * can set system properties) to get an - * SSLSessionContext. This is to limit the ability of code to - * look up specific sessions or enumerate over them. Otherwise, - * code can only get session objects from successful SSL - * connections which implies that they must have had permission - * to make the network connection in the first place. - */ - SecurityManager sm; - if ((sm = System.getSecurityManager()) != null) { - sm.checkPermission(new SSLPermission("getSSLSessionContext")); - } - return context; } @@ -1236,10 +1219,9 @@ final class SSLSessionImpl extends ExtendedSSLSession { /* * Table of application-specific session data indexed by an application - * key and the calling security context. This is important since - * sessions can be shared across different protection domains. + * key. */ - private final ConcurrentHashMap boundValues; + private final ConcurrentHashMap boundValues; /** * Assigns a session value. Session change events are given if @@ -1251,8 +1233,7 @@ final class SSLSessionImpl extends ExtendedSSLSession { throw new IllegalArgumentException("arguments can not be null"); } - SecureKey secureKey = new SecureKey(key); - Object oldValue = boundValues.put(secureKey, value); + Object oldValue = boundValues.put(key, value); if (oldValue instanceof SSLSessionBindingListener) { SSLSessionBindingEvent e; @@ -1280,8 +1261,7 @@ final class SSLSessionImpl extends ExtendedSSLSession { throw new IllegalArgumentException("argument can not be null"); } - SecureKey secureKey = new SecureKey(key); - return boundValues.get(secureKey); + return boundValues.get(key); } @@ -1295,8 +1275,7 @@ final class SSLSessionImpl extends ExtendedSSLSession { throw new IllegalArgumentException("argument can not be null"); } - SecureKey secureKey = new SecureKey(key); - Object value = boundValues.remove(secureKey); + Object value = boundValues.remove(key); if (value instanceof SSLSessionBindingListener) { SSLSessionBindingEvent e; @@ -1315,15 +1294,7 @@ final class SSLSessionImpl extends ExtendedSSLSession { */ @Override public String[] getValueNames() { - ArrayList v = new ArrayList<>(); - Object securityCtx = SecureKey.getCurrentSecurityContext(); - for (SecureKey key : boundValues.keySet()) { - if (securityCtx.equals(key.getSecurityContext())) { - v.add(key.getAppKey()); - } - } - - return v.toArray(new String[0]); + return boundValues.keySet().toArray(new String[0]); } /** @@ -1522,49 +1493,3 @@ final class SSLSessionImpl extends ExtendedSSLSession { return "Session(" + creationTime + "|" + getCipherSuite() + ")"; } } - -/** - * This "struct" class serves as a Hash Key that combines an - * application-specific key and a security context. - */ -class SecureKey { - private static final Object nullObject = new Object(); - private final Object appKey; - private final Object securityCtx; - - static Object getCurrentSecurityContext() { - @SuppressWarnings("removal") - SecurityManager sm = System.getSecurityManager(); - Object context = null; - - if (sm != null) - context = sm.getSecurityContext(); - if (context == null) - context = nullObject; - return context; - } - - SecureKey(Object key) { - this.appKey = key; - this.securityCtx = getCurrentSecurityContext(); - } - - Object getAppKey() { - return appKey; - } - - Object getSecurityContext() { - return securityCtx; - } - - @Override - public int hashCode() { - return appKey.hashCode() ^ securityCtx.hashCode(); - } - - @Override - public boolean equals(Object o) { - return o instanceof SecureKey && ((SecureKey)o).appKey.equals(appKey) - && ((SecureKey)o).securityCtx.equals(securityCtx); - } -} diff --git a/src/java.base/share/classes/sun/security/ssl/ServerHandshakeContext.java b/src/java.base/share/classes/sun/security/ssl/ServerHandshakeContext.java index 11b625e5791..8bb7def0f57 100644 --- a/src/java.base/share/classes/sun/security/ssl/ServerHandshakeContext.java +++ b/src/java.base/share/classes/sun/security/ssl/ServerHandshakeContext.java @@ -27,9 +27,7 @@ package sun.security.ssl; import java.io.IOException; import java.security.AlgorithmConstraints; -import java.security.AccessController; import sun.security.util.LegacyAlgorithmConstraints; -import sun.security.action.GetLongAction; class ServerHandshakeContext extends HandshakeContext { // To prevent the TLS renegotiation issues, by setting system property @@ -61,10 +59,9 @@ class ServerHandshakeContext extends HandshakeContext { ServerHandshakeContext(SSLContextImpl sslContext, TransportContext conContext) throws IOException { super(sslContext, conContext); - @SuppressWarnings("removal") - long respTimeOut = AccessController.doPrivileged( - new GetLongAction("jdk.tls.stapling.responseTimeout", - DEFAULT_STATUS_RESP_DELAY)); + long respTimeOut = Long.getLong( + "jdk.tls.stapling.responseTimeout", + DEFAULT_STATUS_RESP_DELAY); statusRespTimeout = respTimeOut >= 0 ? respTimeOut : DEFAULT_STATUS_RESP_DELAY; handshakeConsumers.put( diff --git a/src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java b/src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java index acf2b175f55..e143dcb302e 100644 --- a/src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java +++ b/src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -41,7 +41,6 @@ import javax.net.ssl.SSLSessionContext; import static sun.security.ssl.SSLExtension.CH_SESSION_TICKET; import static sun.security.ssl.SSLExtension.SH_SESSION_TICKET; -import sun.security.action.GetPropertyAction; import sun.security.ssl.SSLExtension.ExtensionConsumer; import sun.security.ssl.SSLExtension.SSLExtensionSpec; import sun.security.ssl.SSLHandshake.HandshakeMessage; @@ -78,8 +77,7 @@ final class SessionTicketExtension { private static final int KEYLEN = 256; static { - String s = GetPropertyAction.privilegedGetProperty( - "jdk.tls.server.statelessKeyTimeout"); + String s = System.getProperty("jdk.tls.server.statelessKeyTimeout"); if (s != null) { int kt; try { diff --git a/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java b/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java index 1baf3264122..1383db1ce82 100644 --- a/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java +++ b/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java @@ -27,14 +27,10 @@ package sun.security.ssl; import java.io.IOException; import java.net.URI; import java.net.URISyntaxException; -import java.security.AccessController; import java.security.cert.Extension; import java.security.cert.X509Certificate; import java.util.*; import java.util.concurrent.*; -import sun.security.action.GetBooleanAction; -import sun.security.action.GetIntegerAction; -import sun.security.action.GetPropertyAction; import sun.security.provider.certpath.CertId; import sun.security.provider.certpath.OCSP; import sun.security.provider.certpath.OCSPResponse; @@ -63,20 +59,17 @@ final class StatusResponseManager { * Create a StatusResponseManager with default parameters. */ StatusResponseManager() { - @SuppressWarnings("removal") - int cap = AccessController.doPrivileged( - new GetIntegerAction("jdk.tls.stapling.cacheSize", - DEFAULT_CACHE_SIZE)); + int cap = Integer.getInteger( + "jdk.tls.stapling.cacheSize", + DEFAULT_CACHE_SIZE); cacheCapacity = cap > 0 ? cap : 0; - @SuppressWarnings("removal") - int life = AccessController.doPrivileged( - new GetIntegerAction("jdk.tls.stapling.cacheLifetime", - DEFAULT_CACHE_LIFETIME)); + int life = Integer.getInteger( + "jdk.tls.stapling.cacheLifetime", + DEFAULT_CACHE_LIFETIME); cacheLifetime = life > 0 ? life : 0; - String uriStr = GetPropertyAction - .privilegedGetProperty("jdk.tls.stapling.responderURI"); + String uriStr = System.getProperty("jdk.tls.stapling.responderURI"); URI tmpURI; try { tmpURI = ((uriStr != null && !uriStr.isEmpty()) ? @@ -86,10 +79,9 @@ final class StatusResponseManager { } defaultResponder = tmpURI; - respOverride = GetBooleanAction - .privilegedGetProperty("jdk.tls.stapling.responderOverride"); - ignoreExtensions = GetBooleanAction - .privilegedGetProperty("jdk.tls.stapling.ignoreExtensions"); + respOverride = Boolean.getBoolean("jdk.tls.stapling.responderOverride"); + ignoreExtensions = Boolean.getBoolean + ("jdk.tls.stapling.ignoreExtensions"); threadMgr = new ScheduledThreadPoolExecutor(DEFAULT_CORE_THREADS, r -> { diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java index dce2aad8400..611a6588b4c 100644 --- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java @@ -25,7 +25,7 @@ package sun.security.ssl; -import java.security.*; +import java.security.Provider; import java.util.*; import static sun.security.util.SecurityConstants.PROVIDER_VER; @@ -46,20 +46,12 @@ public class SunJSSE extends java.security.Provider { registerAlgorithms(); } - @SuppressWarnings("removal") - private void registerAlgorithms() { - AccessController.doPrivileged((PrivilegedAction) () -> { - doRegister(); - return null; - }); - } - private void ps(String type, String algo, String cn, List a, HashMap attrs) { putService(new Provider.Service(this, type, algo, cn, a, attrs)); } - private void doRegister() { + private void registerAlgorithms() { ps("Signature", "MD5andSHA1withRSA", "sun.security.ssl.RSASignature", null, null); diff --git a/src/java.base/share/classes/sun/security/ssl/TransportContext.java b/src/java.base/share/classes/sun/security/ssl/TransportContext.java index f65a08dfcfe..717c81723ff 100644 --- a/src/java.base/share/classes/sun/security/ssl/TransportContext.java +++ b/src/java.base/share/classes/sun/security/ssl/TransportContext.java @@ -27,9 +27,6 @@ package sun.security.ssl; import java.io.IOException; import java.net.SocketException; -import java.security.AccessControlContext; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.util.HashMap; import java.util.HashSet; import java.util.List; @@ -49,8 +46,6 @@ final class TransportContext implements ConnectionContext { // registered plaintext consumers final Map consumers; - @SuppressWarnings("removal") - final AccessControlContext acc; final SSLContextImpl sslContext; final SSLConfiguration sslConfig; @@ -134,7 +129,6 @@ final class TransportContext implements ConnectionContext { inputRecord, outputRecord, false); } - @SuppressWarnings("removal") private TransportContext(SSLContextImpl sslContext, SSLTransport transport, SSLConfiguration sslConfig, InputRecord inputRecord, OutputRecord outputRecord, boolean isUnsureMode) { @@ -154,7 +148,6 @@ final class TransportContext implements ConnectionContext { this.clientVerifyData = emptyByteArray; this.serverVerifyData = emptyByteArray; - this.acc = AccessController.getContext(); this.consumers = new HashMap<>(); if (inputRecord instanceof DTLSInputRecord dtlsInputRecord) { @@ -677,34 +670,22 @@ final class TransportContext implements ConnectionContext { // A separate thread is allocated to deliver handshake completion // events. private static class NotifyHandshake implements Runnable { - @SuppressWarnings("removal") - private final Set> targets; // who gets notified + private final Set + targets; // who gets notified private final HandshakeCompletedEvent event; // the notification NotifyHandshake( - @SuppressWarnings("removal") - Map listeners, + Set listeners, HandshakeCompletedEvent event) { - this.targets = new HashSet<>(listeners.entrySet()); // clone + this.targets = new HashSet<>(listeners); // clone this.event = event; } - @SuppressWarnings("removal") @Override public void run() { // Don't need to synchronize, as it only runs in one thread. - for (Map.Entry entry : targets) { - final HandshakeCompletedListener listener = entry.getKey(); - AccessControlContext acc = entry.getValue(); - AccessController.doPrivileged(new PrivilegedAction() { - @Override - public Void run() { - listener.handshakeCompleted(event); - return null; - } - }, acc); + for (HandshakeCompletedListener listener : targets) { + listener.handshakeCompleted(event); } } } diff --git a/src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java b/src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java index 79ac35397f8..8f464e058e2 100644 --- a/src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java +++ b/src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,11 +27,10 @@ package sun.security.ssl; import java.io.*; import java.lang.ref.WeakReference; -import java.security.*; +import java.security.KeyStore; import java.security.cert.*; import java.util.*; import java.util.concurrent.locks.ReentrantLock; -import sun.security.action.*; import sun.security.util.FilePaths; import sun.security.validator.TrustStoreUtil; @@ -75,7 +74,7 @@ final class TrustStoreManager { private static final class TrustStoreDescriptor { private static final String fileSep = File.separator; private static final String defaultStorePath = - GetPropertyAction.privilegedGetProperty("java.home") + + System.getProperty("java.home") + fileSep + "lib" + fileSep + "security"; private static final String defaultStore = FilePaths.cacerts(); private static final String jsseDefaultStore = @@ -122,57 +121,50 @@ final class TrustStoreManager { * Create an instance of TrustStoreDescriptor for the default * trusted KeyStore. */ - @SuppressWarnings({"removal","Convert2Lambda"}) + @SuppressWarnings("Convert2Lambda") static TrustStoreDescriptor createInstance() { - return AccessController.doPrivileged( - new PrivilegedAction() { + // Get the system properties for trust store. + String storePropName = System.getProperty( + "javax.net.ssl.trustStore", jsseDefaultStore); + String storePropType = System.getProperty( + "javax.net.ssl.trustStoreType", + KeyStore.getDefaultType()); + String storePropProvider = System.getProperty( + "javax.net.ssl.trustStoreProvider", ""); + String storePropPassword = System.getProperty( + "javax.net.ssl.trustStorePassword", ""); - @Override - public TrustStoreDescriptor run() { - // Get the system properties for trust store. - String storePropName = System.getProperty( - "javax.net.ssl.trustStore", jsseDefaultStore); - String storePropType = System.getProperty( - "javax.net.ssl.trustStoreType", - KeyStore.getDefaultType()); - String storePropProvider = System.getProperty( - "javax.net.ssl.trustStoreProvider", ""); - String storePropPassword = System.getProperty( - "javax.net.ssl.trustStorePassword", ""); + String temporaryName = ""; + File temporaryFile = null; + long temporaryTime = 0L; + if (!"NONE".equals(storePropName)) { + String[] fileNames = + new String[] {storePropName, defaultStore}; + for (String fileName : fileNames) { + File f = new File(fileName); + if (f.isFile() && f.canRead()) { + temporaryName = fileName; + temporaryFile = f; + temporaryTime = f.lastModified(); - String temporaryName = ""; - File temporaryFile = null; - long temporaryTime = 0L; - if (!"NONE".equals(storePropName)) { - String[] fileNames = - new String[] {storePropName, defaultStore}; - for (String fileName : fileNames) { - File f = new File(fileName); - if (f.isFile() && f.canRead()) { - temporaryName = fileName; - temporaryFile = f; - temporaryTime = f.lastModified(); - - break; - } - - // Not break, the file is inaccessible. - if (SSLLogger.isOn && - SSLLogger.isOn("trustmanager")) { - SSLLogger.fine( - "Inaccessible trust store: " + - fileName); - } - } - } else { - temporaryName = storePropName; + break; } - return new TrustStoreDescriptor( - temporaryName, storePropType, storePropProvider, - storePropPassword, temporaryFile, temporaryTime); + // Not break, the file is inaccessible. + if (SSLLogger.isOn && + SSLLogger.isOn("trustmanager")) { + SSLLogger.fine( + "Inaccessible trust store: " + + fileName); + } } - }); + } else { + temporaryName = storePropName; + } + + return new TrustStoreDescriptor( + temporaryName, storePropType, storePropProvider, + storePropPassword, temporaryFile, temporaryTime); } @Override @@ -384,8 +376,8 @@ final class TrustStoreManager { } if (!"NONE".equals(descriptor.storeName)) { - try (@SuppressWarnings("removal") FileInputStream fis = AccessController.doPrivileged( - new OpenFileInputStreamAction(descriptor.storeFile))) { + try (FileInputStream fis = + new FileInputStream(descriptor.storeFile)) { ks.load(fis, password); } catch (FileNotFoundException fnfe) { // No file available, no KeyStore available. diff --git a/src/java.base/share/classes/sun/security/ssl/Utilities.java b/src/java.base/share/classes/sun/security/ssl/Utilities.java index f2a17323486..3ed022db382 100644 --- a/src/java.base/share/classes/sun/security/ssl/Utilities.java +++ b/src/java.base/share/classes/sun/security/ssl/Utilities.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -30,7 +30,6 @@ import java.util.*; import java.util.regex.Pattern; import javax.net.ssl.*; import sun.net.util.IPAddressUtil; -import sun.security.action.GetPropertyAction; /** * A utility class to share the static methods. @@ -128,12 +127,10 @@ final class Utilities { /** * Return the value of the boolean System property propName. - * - * Note use of privileged action. Do NOT make accessible to applications. */ static boolean getBooleanProperty(String propName, boolean defaultValue) { // if set, require value of either true or false - String b = GetPropertyAction.privilegedGetProperty(propName); + String b = System.getProperty(propName); if (b == null) { return defaultValue; } else if (b.equalsIgnoreCase("false")) { diff --git a/test/jdk/sun/security/action/Generify.java b/test/jdk/sun/security/action/Generify.java index 55b0e7735db..09cbb3fbb42 100644 --- a/test/jdk/sun/security/action/Generify.java +++ b/test/jdk/sun/security/action/Generify.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,6 @@ * @modules java.base/sun.security.action */ -import java.io.*; import java.security.*; import sun.security.action.*; @@ -74,14 +73,5 @@ public class Generify { } else { throw new SecurityException("property test failed"); } - - File f = new File(System.getProperty("test.src", "."), "Generify.java"); - FileInputStream fis = AccessController.doPrivileged - (new OpenFileInputStreamAction(f)); - if (fis != null) { - System.out.println("file test passed"); - } else { - throw new SecurityException("file test failed"); - } } }