Merge pull request #991 from KostasTsiounis/checkhash_problem

Check RestrictedSecurity profile hash after Providers init

Author: keithc-ca

closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java

@@ -77,6 +77,8 @@ public final class RestrictedSecurity {
 
     private static ProfileParser profileParser;
 
+    private static boolean enableCheckHashes;
+
     private static RestrictedSecurityProperties restricts;
 
     private static final Set<String> unmodifiableProperties = new HashSet<>();
@@ -180,11 +182,20 @@ private static boolean isJarVerifierInStackTrace() {
      * extending profiles, instead of altering them, a digest of the profile
      * is calculated and compared to the expected value.
      */
-    private static void checkHashValues() {
+    public static void checkHashValues() {
+        checkHashValues(true);
+    }
+
+    private static void checkHashValues(boolean fromProviders) {
         ProfileParser parser = profileParser;
-        if ((parser != null) && !isJarVerifierInStackTrace()) {
-            profileParser = null;
-            parser.checkHashValues();
+        if (parser != null) {
+            if (fromProviders) {
+                enableCheckHashes = true;
+            }
+            if (enableCheckHashes && !isJarVerifierInStackTrace()) {
+                profileParser = null;
+                parser.checkHashValues();
+            }
         }
     }
 
@@ -257,7 +268,7 @@ public static boolean isFIPSEnabled() {
      */
     public static boolean isServiceAllowed(Service service) {
         if (securityEnabled) {
-            checkHashValues();
+            checkHashValues(false);
             return restricts.isRestrictedServiceAllowed(service, true);
         }
         return true;
@@ -271,7 +282,7 @@ public static boolean isServiceAllowed(Service service) {
      */
     public static boolean canServiceBeRegistered(Service service) {
         if (securityEnabled) {
-            checkHashValues();
+            checkHashValues(false);
             return restricts.isRestrictedServiceAllowed(service, false);
         }
         return true;
@@ -285,7 +296,7 @@ public static boolean canServiceBeRegistered(Service service) {
      */
     public static boolean isProviderAllowed(String providerName) {
         if (securityEnabled) {
-            checkHashValues();
+            checkHashValues(false);
             // Remove argument, e.g. -NSS-FIPS, if present.
             int pos = providerName.indexOf('-');
             if (pos >= 0) {
@@ -305,7 +316,7 @@ public static boolean isProviderAllowed(String providerName) {
      */
     public static boolean isProviderAllowed(Class<?> providerClazz) {
         if (securityEnabled) {
-            checkHashValues();
+            checkHashValues(false);
             String providerClassName = providerClazz.getName();
 
             // Check if the specified class extends java.security.Provider.

src/java.base/share/classes/sun/security/jca/Providers.java

@@ -111,6 +111,7 @@ private Providers() {
         // triggers a getInstance() call (although that should not happen)
         providerList = ProviderList.EMPTY;
         providerList = ProviderList.fromSecurityProperties();
+        RestrictedSecurity.checkHashValues();
     }
 
     // Return Sun provider.