RFR: 8261534: Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

RFR: 8261534: Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined

Christoph Langer
Fix exception in test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java:

java.security.AccessControlException: access denied ("java.security.SecurityPermission" "removeProvider.SUN")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.base/java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1521)
at java.base/java.security.Security.check(Security.java:832)
at java.base/java.security.Security.removeProvider(Security.java:444)
at IllegalPackageAccess.main(IllegalPackageAccess.java:81)
at PKCS11Test.premain(PKCS11Test.java:171)
at PKCS11Test.testNSS(PKCS11Test.java:568)
at PKCS11Test.main(PKCS11Test.java:207)
at IllegalPackageAccess.main(IllegalPackageAccess.java:69)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
at java.base/java.lang.Thread.run(Thread.java:831)

Root cause is that the test materializes and installs a policy by [obtaining the current policy](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java#L46). At the time it [tries to remove a provider](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java#L80), the materialized policy is used for an access check, due to some intricacies of the [java.security.Policy implementation](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/src/java.base/share/classes/java/security/Policy.java#L293). This policy does not allow the removal of a provider.
On platforms where the test runs through [PKCS11Test::fetchNssLib](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/PKCS11Test.java#L859), the default policy is reset  which makes the test work. But if we don't pass there, the test fails.

The fix is to unconditionally call Policy.setPolicy(null); in IllegalPackageAccess before installing MyPolicy.

-------------

Commit messages:
 - JDK-8261534

Changes: https://git.openjdk.java.net/jdk/pull/2518/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=2518&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8261534
  Stats: 1 line in 1 file changed: 1 ins; 0 del; 0 mod
  Patch: https://git.openjdk.java.net/jdk/pull/2518.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/2518/head:pull/2518

PR: https://git.openjdk.java.net/jdk/pull/2518
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8261534: Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined

Matthias Baesken
On Wed, 10 Feb 2021 23:29:14 GMT, Christoph Langer <[hidden email]> wrote:

> Fix exception in test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java:
>
> java.security.AccessControlException: access denied ("java.security.SecurityPermission" "removeProvider.SUN")
> at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
> at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
> at java.base/java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1521)
> at java.base/java.security.Security.check(Security.java:832)
> at java.base/java.security.Security.removeProvider(Security.java:444)
> at IllegalPackageAccess.main(IllegalPackageAccess.java:81)
> at PKCS11Test.premain(PKCS11Test.java:171)
> at PKCS11Test.testNSS(PKCS11Test.java:568)
> at PKCS11Test.main(PKCS11Test.java:207)
> at IllegalPackageAccess.main(IllegalPackageAccess.java:69)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78)
> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
> at java.base/java.lang.Thread.run(Thread.java:831)
>
> Root cause is that the test materializes and installs a policy by [obtaining the current policy](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java#L46). At the time it [tries to remove a provider](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java#L80), the materialized policy is used for an access check, due to some intricacies of the [java.security.Policy implementation](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/src/java.base/share/classes/java/security/Policy.java#L293). This policy does not allow the removal of a provider.
> On platforms where the test runs through [PKCS11Test::fetchNssLib](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/PKCS11Test.java#L859), the default policy is reset  which makes the test work. But if we don't pass there, the test fails.
>
> The fix is to unconditionally call Policy.setPolicy(null); in IllegalPackageAccess before installing MyPolicy.

LGTM

-------------

Marked as reviewed by mbaesken (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/2518
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8261534: Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined

Martin Balao-2
On Fri, 12 Feb 2021 11:05:22 GMT, Matthias Baesken <[hidden email]> wrote:

>> Fix exception in test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java:
>>
>> java.security.AccessControlException: access denied ("java.security.SecurityPermission" "removeProvider.SUN")
>> at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>> at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
>> at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
>> at java.base/java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1521)
>> at java.base/java.security.Security.check(Security.java:832)
>> at java.base/java.security.Security.removeProvider(Security.java:444)
>> at IllegalPackageAccess.main(IllegalPackageAccess.java:81)
>> at PKCS11Test.premain(PKCS11Test.java:171)
>> at PKCS11Test.testNSS(PKCS11Test.java:568)
>> at PKCS11Test.main(PKCS11Test.java:207)
>> at IllegalPackageAccess.main(IllegalPackageAccess.java:69)
>> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78)
>> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
>> at java.base/java.lang.Thread.run(Thread.java:831)
>>
>> Root cause is that the test materializes and installs a policy by [obtaining the current policy](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java#L46). At the time it [tries to remove a provider](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java#L80), the materialized policy is used for an access check, due to some intricacies of the [java.security.Policy implementation](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/src/java.base/share/classes/java/security/Policy.java#L293). This policy does not allow the removal of a provider.
>> On platforms where the test runs through [PKCS11Test::fetchNssLib](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/PKCS11Test.java#L859), the default policy is reset  which makes the test work. But if we don't pass there, the test fails.
>>
>> The fix is to unconditionally call Policy.setPolicy(null); in IllegalPackageAccess before installing MyPolicy.
>
> LGTM

I'm not a JDK main line reviewer but the proposed fix looks good to me as well.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2518
Reply | Threaded
Open this post in threaded view
|

Re: RFR: 8261534: Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined

Christoph Langer
On Fri, 12 Feb 2021 19:10:36 GMT, Martin Balao <[hidden email]> wrote:

>> LGTM
>
> I'm not a JDK main line reviewer but the proposed fix looks good to me as well.

Thanks for the reviews!

-------------

PR: https://git.openjdk.java.net/jdk/pull/2518
Reply | Threaded
Open this post in threaded view
|

Integrated: 8261534: Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined

Christoph Langer
In reply to this post by Christoph Langer
On Wed, 10 Feb 2021 23:29:14 GMT, Christoph Langer <[hidden email]> wrote:

> Fix exception in test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java:
>
> java.security.AccessControlException: access denied ("java.security.SecurityPermission" "removeProvider.SUN")
> at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
> at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
> at java.base/java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1521)
> at java.base/java.security.Security.check(Security.java:832)
> at java.base/java.security.Security.removeProvider(Security.java:444)
> at IllegalPackageAccess.main(IllegalPackageAccess.java:81)
> at PKCS11Test.premain(PKCS11Test.java:171)
> at PKCS11Test.testNSS(PKCS11Test.java:568)
> at PKCS11Test.main(PKCS11Test.java:207)
> at IllegalPackageAccess.main(IllegalPackageAccess.java:69)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78)
> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
> at java.base/java.lang.Thread.run(Thread.java:831)
>
> Root cause is that the test materializes and installs a policy by [obtaining the current policy](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java#L46). At the time it [tries to remove a provider](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java#L80), the materialized policy is used for an access check, due to some intricacies of the [java.security.Policy implementation](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/src/java.base/share/classes/java/security/Policy.java#L293). This policy does not allow the removal of a provider.
> On platforms where the test runs through [PKCS11Test::fetchNssLib](https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/PKCS11Test.java#L859), the default policy is reset  which makes the test work. But if we don't pass there, the test fails.
>
> The fix is to unconditionally call Policy.setPolicy(null); in IllegalPackageAccess before installing MyPolicy.

This pull request has now been integrated.

Changeset: dc46aa85
Author:    Christoph Langer <[hidden email]>
URL:       https://git.openjdk.java.net/jdk/commit/dc46aa85
Stats:     1 line in 1 file changed: 1 ins; 0 del; 0 mod

8261534: Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined

Reviewed-by: mbaesken

-------------

PR: https://git.openjdk.java.net/jdk/pull/2518