From 47366a564e15b6c9301be7e621761122f0b09036 Mon Sep 17 00:00:00 2001
From: Tao Liu
Date: Wed, 22 Jan 2025 18:01:08 -0500
Subject: [PATCH] Add a check to detect the OpenJCEPlus module
Add a check to detect the OpenJCEPlus module. If the module is missing but the restricted security profile requires it, print an error message and exit.
Signed-off-by: Tao Liu
---
 .../internal/security/RestrictedSecurity.java | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
index 9e8d2f23a96..4b0f174f025 100644
--- a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
+++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
@@ -1,6 +1,6 @@
 /*
 * ===========================================================================
- * (c) Copyright IBM Corp. 2022, 2024 All Rights Reserved
+ * (c) Copyright IBM Corp. 2022, 2025 All Rights Reserved
 * ===========================================================================
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -42,6 +42,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Optional;
 import java.util.Properties;
 import java.util.Set;
 import java.util.regex.Matcher;
@@ -67,6 +68,7 @@ public final class RestrictedSecurity {
 private static final boolean isNSSSupported;
 private static final boolean isOpenJCEPlusSupported;
+ private static final boolean isOpenJCEPlusModuleExist;
 private static final boolean userSetProfile;
 private static final boolean shouldEnableSecurity;
@@ -137,6 +139,11 @@ public String[] run() { } isOpenJCEPlusSupported = isOsSupported && isArchSupported; + // Check whether the OpenJCEPlus module exists. + ModuleLayer layer = ModuleLayer.boot(); + Optional module = layer.findModule("openjceplus"); + isOpenJCEPlusModuleExist = module.isPresent(); + // Check the default solution to see if FIPS is supported. isFIPSSupported = isNSSSupported; @@ -387,6 +394,11 @@ private static void checkIfKnownProfileSupported() { + " on this platform."); } + if (!isOpenJCEPlusModuleExist && profileID.contains("OpenJCEPlus")) { + printStackTraceAndExit("FIPS 140-3 profile specified. Required OpenJCEPlus" + + " module not found."); + } + if (debug != null) { debug.println("RestrictedSecurity profile " + profileID + " is supported on this platform.");
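Review bot: The added lines in the `-137` hunk dereference the result of `ModuleLayer.boot()` without a null check, and that method is documented to return null during startup, before the boot layer is fully initialized. If this static initializer can ever run that early, `layer.findModule("openjceplus")` would throw a NullPointerException during class initialization instead of reaching the intended error path. A guard such as `isOpenJCEPlusModuleExist = (layer != null) && layer.findModule("openjceplus").isPresent();` keeps the flag false in that case, so a profile that needs the module is still rejected. I would also add a comment such as `// Only the boot layer is consulted; the provider must be resolved there to be usable.` The initializer starts and ends outside this hunk, so when it runs relative to boot-layer setup cannot be confirmed from here.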
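Review bot: The new guard in `checkIfKnownProfileSupported` fires on `profileID.contains("OpenJCEPlus")`, yet its message is hard-coded to "FIPS 140-3 profile specified" and omits `profileID`. Any profile whose ID contains that substring gets the FIPS 140-3 wording, and an operator cannot tell from the output which profile was rejected. The neighbouring debug line already prints `profileID`, so something like `printStackTraceAndExit("RestrictedSecurity profile " + profileID + " requires the openjceplus module, which was not found.");` would be consistent with it. Because the check is a substring match on the profile name, it is worth confirming that a profile using OpenJCEPlus under an ID without that substring still fails closed elsewhere. The rest of the method lies outside this hunk, so this cannot be confirmed from the visible lines.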