From f91e4dfbaf6061da346aec300f1e52901c7ff8bb Mon Sep 17 00:00:00 2001
From: Sean Mullan <mullan@openjdk.org>
Date: Mon, 17 Oct 2016 15:31:50 +0000
Subject: [PATCH] 8165712: Grant permission to read specific properties instead
 of all to the jdk.crypto.ucrypto module

Reviewed-by: xuelei
---
 .../solaris/lib/security/default.policy       |  5 ++++-
 .../security/ucrypto/UcryptoProvider.java     | 20 +++++++++----------
 .../com/oracle/security/ucrypto/TestAES.java  |  6 ++++--
 .../com/oracle/security/ucrypto/empty.policy  |  0
 4 files changed, 18 insertions(+), 13 deletions(-)
 create mode 100644 jdk/test/com/oracle/security/ucrypto/empty.policy

diff --git a/jdk/src/java.base/solaris/lib/security/default.policy b/jdk/src/java.base/solaris/lib/security/default.policy
index 4f36083b634..73c2b948c32 100644
--- a/jdk/src/java.base/solaris/lib/security/default.policy
+++ b/jdk/src/java.base/solaris/lib/security/default.policy
@@ -4,7 +4,10 @@ grant codeBase "jrt:/jdk.crypto.ucrypto" {
     permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
     permission java.lang.RuntimePermission "loadLibrary.j2ucrypto";
     // need "com.oracle.security.ucrypto.debug" for debugging
-    permission java.util.PropertyPermission "*", "read";
+    permission java.util.PropertyPermission "com.oracle.security.ucrypto.debug", "read";
+    permission java.util.PropertyPermission "file.separator", "read";
+    permission java.util.PropertyPermission "java.home", "read";
+    permission java.util.PropertyPermission "os.name", "read";
     permission java.security.SecurityPermission
                    "putProviderProperty.OracleUcrypto";
     permission java.security.SecurityPermission
diff --git a/jdk/src/jdk.crypto.ucrypto/solaris/classes/com/oracle/security/ucrypto/UcryptoProvider.java b/jdk/src/jdk.crypto.ucrypto/solaris/classes/com/oracle/security/ucrypto/UcryptoProvider.java
index 090f96df227..a1a7cc15508 100644
--- a/jdk/src/jdk.crypto.ucrypto/solaris/classes/com/oracle/security/ucrypto/UcryptoProvider.java
+++ b/jdk/src/jdk.crypto.ucrypto/solaris/classes/com/oracle/security/ucrypto/UcryptoProvider.java
@@ -50,12 +50,13 @@ public final class UcryptoProvider extends Provider {
         try {
             // cannot use LoadLibraryAction because that would make the native
             // library available to the bootclassloader, but we run in the
-            // extension classloader.
-            String osname = System.getProperty("os.name");
-            if (osname.startsWith("SunOS")) {
-                provProp = AccessController.doPrivileged
-                    (new PrivilegedAction<HashMap<String, ServiceDesc>>() {
-                        public HashMap<String, ServiceDesc> run() {
+            // platform classloader.
+            provProp = AccessController.doPrivileged
+                (new PrivilegedAction<>() {
+                    @Override
+                    public HashMap<String, ServiceDesc> run() {
+                        String osname = System.getProperty("os.name");
+                        if (osname.startsWith("SunOS")) {
                             try {
                                 DEBUG = Boolean.parseBoolean(System.getProperty("com.oracle.security.ucrypto.debug"));
                                 String javaHome = System.getProperty("java.home");
@@ -66,14 +67,13 @@ public final class UcryptoProvider extends Provider {
                                 return new HashMap<>();
                             } catch (Error err) {
                                 if (DEBUG) err.printStackTrace();
-                                return null;
                             } catch (SecurityException se) {
                                 if (DEBUG) se.printStackTrace();
-                                return null;
                             }
                         }
-                    });
-            }
+                        return null;
+                    }
+                });
             if (provProp != null) {
                 boolean[] result = loadLibraries();
                 if (result.length == 2) {
diff --git a/jdk/test/com/oracle/security/ucrypto/TestAES.java b/jdk/test/com/oracle/security/ucrypto/TestAES.java
index 4ed48659c86..717e3186d97 100644
--- a/jdk/test/com/oracle/security/ucrypto/TestAES.java
+++ b/jdk/test/com/oracle/security/ucrypto/TestAES.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,9 +23,11 @@
 
 /*
  * @test
- * @bug 7088989 8014374
+ * @bug 7088989 8014374 8167512
  * @summary Ensure the AES ciphers of OracleUcrypto provider works correctly
  * @key randomness
+ * @run main TestAES
+ * @run main/othervm/java.security.policy==empty.policy TestAES
  */
 
 import java.io.*;
diff --git a/jdk/test/com/oracle/security/ucrypto/empty.policy b/jdk/test/com/oracle/security/ucrypto/empty.policy
new file mode 100644
index 00000000000..e69de29bb2d