/hg/icedtea6: 3 new changesets

andrew at icedtea.classpath.org andrew at icedtea.classpath.org
Wed Dec 18 06:51:42 PST 2013


changeset 7c63c22bfa05 in /hg/icedtea6
details: http://icedtea.classpath.org/hg/icedtea6?cmd=changeset;node=7c63c22bfa05
author: Andrew John Hughes <gnu.andrew at redhat.com>
date: Wed Dec 18 13:56:16 2013 +0000

	PR1290: Ensure unlimited crypto policy is in place.

	2013-06-05  Andrew John Hughes  <gnu.andrew at member.fsf.org>

		PR1290: Ensure unlimited crypto policy is in place.
		* Makefile.am:
		(CRYPTO_CHECK_BUILD_DIR): New variable.
		(CRYPTO_CHECK_SRCS): Likewise.
		(EXTRA_DIST): Add crypto check sources.
		(.PHONY): Add new clean targets.
		(icedtea-against-icedtea): Depend on check-crypto.
		(clean-icedtea-against-icedtea): Depend on
		clean-check-crypto.
		(icedtea-debug-against-icedtea): Depend on
		check-crypto-debug.
		(clean-icedtea-debug-against-icedtea): Depend on
		clean-check-crypto-debug.
		(check-crypto): Run the crypto checker on a normal
		stage 2 build.
		(clean-check-crypto): Delete the check-crypto stamp.
		(check-crypto-debug): Run the crypto checker on a
		debug stage 2 build.
		(clean-check-crypto-debug): Delete the
		check-crypto-debug stamp.
		(icedtea-against-ecj): Depend on
		check-crypto-boot.
		(clean-icedtea-against-ecj): Depend on
		clean-check-crypto-boot.
		(check-crypto-boot): Run the crypto checker on
		the stage 1 build.
		(clean-check-crypto-boot): Delete the
		check-crypto-boot stamp.
		(cryptocheck): Build the crypto checker.
		(clean-cryptocheck): Revert cryptocheck.
		* NEWS: Updated.
		* TestCryptoLevel.java:
		Checks whether the unlimited crypto policy is in
		place or not.


changeset 7e1b45672b18 in /hg/icedtea6
details: http://icedtea.classpath.org/hg/icedtea6?cmd=changeset;node=7e1b45672b18
author: Andrew John Hughes <gnu.andrew at redhat.com>
date: Wed Dec 18 13:59:03 2013 +0000

	Make clean-crypto targets depend on JDK being built.

	2013-06-05  Andrew John Hughes  <gnu.andrew at member.fsf.org>

		* Makefile.am:
		(check-crypto): Depend on icedtea.stamp.
		(check-crypto-debug): Depend on icedtea-debug.stamp.
		(clean-crypto-boot): Depend on icedtea-ecj.stamp.


changeset be0e350adea7 in /hg/icedtea6
details: http://icedtea.classpath.org/hg/icedtea6?cmd=changeset;node=be0e350adea7
author: Andrew John Hughes <gnu.andrew at redhat.com>
date: Wed Dec 18 14:01:07 2013 +0000

	Actually invoke clean-cryptocheck.

	2013-06-06  Andrew John Hughes  <gnu.andrew at member.fsf.org>

		* Makefile.am:
		(.PHONY): Add clean-cryptocheck.
		(clean-local): Likewise.


diffstat:

 ChangeLog            |  50 +++++++++++++++++++++++++++++++++
 Makefile.am          |  73 ++++++++++++++++++++++++++++++++++++++++++------
 NEWS                 |   1 +
 TestCryptoLevel.java |  78 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 193 insertions(+), 9 deletions(-)

diffs (324 lines):

diff -r eeeac5962554 -r be0e350adea7 ChangeLog
--- a/ChangeLog	Mon Dec 09 22:28:23 2013 +0000
+++ b/ChangeLog	Wed Dec 18 14:01:07 2013 +0000
@@ -1,3 +1,53 @@
+2013-06-06  Andrew John Hughes  <gnu.andrew at member.fsf.org>
+
+	* Makefile.am:
+	(.PHONY): Add clean-cryptocheck.
+	(clean-local): Likewise.
+
+2013-06-05  Andrew John Hughes  <gnu.andrew at member.fsf.org>
+
+	* Makefile.am:
+	(check-crypto): Depend on icedtea.stamp.
+	(check-crypto-debug): Depend on icedtea-debug.stamp.
+	(clean-crypto-boot): Depend on icedtea-ecj.stamp.
+
+2013-06-05  Andrew John Hughes  <gnu.andrew at member.fsf.org>
+
+	PR1290: Ensure unlimited crypto policy is in place.
+	* Makefile.am:
+	(CRYPTO_CHECK_BUILD_DIR): New variable.
+	(CRYPTO_CHECK_SRCS): Likewise.
+	(EXTRA_DIST): Add crypto check sources.
+	(.PHONY): Add new clean targets.
+	(icedtea-against-icedtea): Depend on check-crypto.
+	(clean-icedtea-against-icedtea): Depend on
+	clean-check-crypto.
+	(icedtea-debug-against-icedtea): Depend on
+	check-crypto-debug.
+	(clean-icedtea-debug-against-icedtea): Depend on
+	clean-check-crypto-debug.
+	(check-crypto): Run the crypto checker on a normal
+	stage 2 build.
+	(clean-check-crypto): Delete the check-crypto stamp.
+	(check-crypto-debug): Run the crypto checker on a
+	debug stage 2 build.
+	(clean-check-crypto-debug): Delete the
+	check-crypto-debug stamp.
+	(icedtea-against-ecj): Depend on
+	check-crypto-boot.
+	(clean-icedtea-against-ecj): Depend on
+	clean-check-crypto-boot.
+	(check-crypto-boot): Run the crypto checker on
+	the stage 1 build.
+	(clean-check-crypto-boot): Delete the
+	check-crypto-boot stamp.
+	(cryptocheck): Build the crypto checker.
+	(clean-cryptocheck): Revert cryptocheck.
+	* NEWS: Updated.
+	* TestCryptoLevel.java:
+	Checks whether the unlimited crypto policy is in
+	place or not.
+
 2013-12-09  Andrew John Hughes  <gnu.andrew at redhat.com>
 
 	* Makefile.am:
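Review bot: The second 2013-06-05 entry names `(clean-crypto-boot)`, but the Makefile.am changes define no target of that name; the rule that gains the `stamps/icedtea-ecj.stamp` prerequisite is `stamps/check-crypto-boot.stamp`, aliased as `check-crypto-boot`. Suggest correcting the entry to `(check-crypto-boot): Depend on icedtea-ecj.stamp.` so the log matches the rule it documents.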
diff -r eeeac5962554 -r be0e350adea7 Makefile.am
--- a/Makefile.am	Mon Dec 09 22:28:23 2013 +0000
+++ b/Makefile.am	Wed Dec 18 14:01:07 2013 +0000
@@ -39,6 +39,7 @@
 FONTCONFIG_PATH = openjdk/jdk/src/solaris/classes/sun/awt/fontconfigs
 REWRITER_BUILD_DIR = $(abs_top_builddir)/rewriter.build
 GENERATED_BUILD_DIR = $(abs_top_builddir)/generated.build
+CRYPTO_CHECK_BUILD_DIR = $(abs_top_builddir)/cryptocheck.build
 
 # Source directories
 
@@ -258,6 +259,8 @@
 # Sources list
 
 REWRITER_SRCS = $(top_srcdir)/rewriter/com/redhat/rewriter/ClassRewriter.java
+CRYPTO_CHECK_SRCS = $(top_srcdir)/TestCryptoLevel.java
+
 # Relative path to JTreg tool
 JTREG_DIR = src/jtreg
 JTREG_SRCS = $(top_srcdir)/$(JTREG_DIR)
@@ -882,7 +885,8 @@
 	scripts/jni_desc \
 	rewriter/agpl-3.0.txt \
 	$(REWRITER_SRCS) \
-	$(TAPSET_TEST_SRCS)
+	$(TAPSET_TEST_SRCS) \
+	$(CRYPTO_CHECK_SRCS)
 
 # Top-Level Targets
 # =================
@@ -904,7 +908,7 @@
  clean-icedtea-against-ecj clean-extract-ecj clean-generated clean-replace-hotspot \
  clean-rewriter clean-rewrite-rhino clean-rt clean-bootstrap-directory \
  clean-bootstrap-directory-ecj clean-bootstrap-directory-symlink \
- clean-bootstrap-directory-symlink-ecj clean-fonts
+ clean-bootstrap-directory-symlink-ecj clean-fonts clean-cryptocheck
 	if [ -e bootstrap ]; then \
 	  rmdir bootstrap ; \
 	fi
@@ -943,7 +947,8 @@
 	clean-add-tzdata-support clean-add-tzdata-support-debug clean-add-systemtap-ecj \
 	clean-add-pulseaudio-ecj clean-add-nss-ecj clean-add-tzdata-support-ecj clean-fonts \
 	clean-download-hotspot clean-tests clean-tapset-report jtregcheck clean-pax-mark-vm \
-	clean-pax-mark-vm-debug clean-pax-mark-vm-ecj
+	clean-pax-mark-vm-debug clean-pax-mark-vm-ecj clean-check-crypto clean-check-crypto-debug \
+	clean-check-crypto-boot clean-cryptocheck
 
 env:
 	@echo 'unset JAVA_HOME'
@@ -1646,27 +1651,28 @@
 stamps/icedtea-against-icedtea.stamp: stamps/icedtea.stamp \
  stamps/add-jamvm.stamp stamps/add-cacao.stamp stamps/add-zero.stamp \
  stamps/add-systemtap.stamp stamps/add-pulseaudio.stamp stamps/add-nss.stamp \
- stamps/add-tzdata-support.stamp stamps/add-archive.stamp stamps/pax-mark-vm.stamp
+ stamps/add-tzdata-support.stamp stamps/add-archive.stamp stamps/pax-mark-vm.stamp \
+ stamps/check-crypto.stamp
 	mkdir -p stamps
 	touch stamps/icedtea-against-icedtea.stamp
 
 clean-icedtea-against-icedtea: clean-add-jamvm clean-add-zero clean-add-cacao \
  clean-add-systemtap clean-add-pulseaudio clean-add-nss clean-add-tzdata-support \
- clean-add-archive clean-pax-mark-vm
+ clean-add-archive clean-pax-mark-vm clean-check-crypto
 	rm -f stamps/icedtea-against-icedtea.stamp
 
 stamps/icedtea-debug-against-icedtea.stamp: stamps/icedtea-debug.stamp \
  stamps/add-jamvm-debug.stamp stamps/add-cacao-debug.stamp \
  stamps/add-zero-debug.stamp stamps/add-systemtap-debug.stamp stamps/add-pulseaudio-debug.stamp \
  stamps/add-nss-debug.stamp stamps/add-tzdata-support-debug.stamp stamps/add-archive-debug.stamp \
- stamps/pax-mark-vm-debug.stamp
+ stamps/pax-mark-vm-debug.stamp stamps/check-crypto-debug.stamp
 	mkdir -p stamps
 	touch stamps/icedtea-debug-against-icedtea.stamp
 
 clean-icedtea-debug-against-icedtea: clean-add-zero-debug \
  clean-add-jamvm-debug clean-add-cacao-debug clean-add-systemtap-debug \
  clean-add-pulseaudio-debug clean-add-nss-debug clean-add-tzdata-support-debug \
- clean-add-archive-debug clean-pax-mark-vm-debug
+ clean-add-archive-debug clean-pax-mark-vm-debug clean-check-crypto-debug
 	rm -f stamps/icedtea-debug-against-icedtea.stamp
 
 stamps/add-systemtap.stamp: stamps/icedtea.stamp
@@ -1958,6 +1964,24 @@
 clean-pax-mark-vm-debug:
 	rm -f stamps/pax-mark-vm-debug.stamp
 
+stamps/check-crypto.stamp: stamps/cryptocheck.stamp stamps/icedtea.stamp
+	if [ -e $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/java ] ; then \
+	  $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/java -cp $(CRYPTO_CHECK_BUILD_DIR) TestCryptoLevel ; \
+	fi
+	mkdir -p stamps
+	touch $@
+
+clean-check-crypto:
+	rm -f stamps/check-crypto.stamp
+
+stamps/check-crypto-debug.stamp: stamps/cryptocheck.stamp stamps/icedtea-debug.stamp
+	if [ -e $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/bin/java ] ; then \
+	  $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/bin/java -cp $(CRYPTO_CHECK_BUILD_DIR) TestCryptoLevel ; \
+	fi
+
+clean-check-crypto-debug:
+	rm -f stamps/check-crypto-debug.stamp
+
 # OpenJDK ecj Targets
 # ===================
 
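Review bot: The `stamps/check-crypto-debug.stamp` rule never creates its stamp: unlike `stamps/check-crypto.stamp` just above it, the recipe ends at `fi` with no `mkdir -p stamps` and `touch $@`. Because the file never exists, the debug policy check and `stamps/icedtea-debug-against-icedtea.stamp`, which lists it as a prerequisite, are remade on every invocation. Add the same two closing lines as the non-debug rule.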
@@ -1979,12 +2003,12 @@
 
 stamps/icedtea-against-ecj.stamp: stamps/icedtea-ecj.stamp stamps/add-systemtap-ecj.stamp \
  stamps/add-pulseaudio-ecj.stamp stamps/add-nss-ecj.stamp stamps/add-tzdata-support-ecj.stamp \
- stamps/add-archive-ecj.stamp stamps/pax-mark-vm-ecj.stamp
+ stamps/add-archive-ecj.stamp stamps/pax-mark-vm-ecj.stamp stamps/check-crypto-boot.stamp
 	mkdir -p stamps
 	touch stamps/icedtea-against-ecj.stamp
 
 clean-icedtea-against-ecj: clean-add-systemtap-ecj clean-add-pulseaudio-ecj clean-add-nss-ecj \
- clean-add-tzdata-support-ecj clean-add-archive-ecj clean-pax-mark-vm-ecj
+ clean-add-tzdata-support-ecj clean-add-archive-ecj clean-pax-mark-vm-ecj clean-check-crypto-boot
 	rm -f stamps/icedtea-against-ecj.stamp
 
 stamps/add-systemtap-ecj.stamp: stamps/icedtea-ecj.stamp
@@ -2132,6 +2156,16 @@
 clean-pax-mark-vm-ecj:
 	rm -f stamps/pax-mark-vm-ecj.stamp
 
+stamps/check-crypto-boot.stamp: stamps/cryptocheck.stamp stamps/icedtea-ecj.stamp
+	if [ -e $(ECJ_BUILD_OUTPUT_DIR)/j2sdk-image/bin/java ] ; then \
+	  $(ECJ_BUILD_OUTPUT_DIR)/j2sdk-image/bin/java -cp $(CRYPTO_CHECK_BUILD_DIR) TestCryptoLevel ; \
+	fi
+	mkdir -p stamps
+	touch $@
+
+clean-check-crypto-boot:
+	rm -f stamps/check-crypto-boot.stamp
+
 # Rebuild targets
 
 rebuild:
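Review bot: The `if [ -e $(ECJ_BUILD_OUTPUT_DIR)/j2sdk-image/bin/java ]` guard in `stamps/check-crypto-boot.stamp` has no else branch, so when the binary is absent the recipe skips TestCryptoLevel and still touches the stamp, recording a crypto policy check that never ran. The rule already depends on `stamps/icedtea-ecj.stamp`, so either drop the guard and let a missing `java` fail the build, or add a comment explaining why a missing image is acceptable. The `check-crypto` and `check-crypto-debug` rules use the same guard.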
@@ -2720,6 +2754,19 @@
 endif
 	touch stamps/rt.stamp
 
+# Crypto Level Check
+
+stamps/cryptocheck.stamp: $(INITIAL_BOOTSTRAP_LINK_STAMP)
+	mkdir -p $(CRYPTO_CHECK_BUILD_DIR)
+	$(BOOT_DIR)/bin/javac $(IT_JAVACFLAGS) \
+	  -d $(CRYPTO_CHECK_BUILD_DIR) $(CRYPTO_CHECK_SRCS)
+	mkdir -p stamps
+	touch $@
+
+clean-cryptocheck:
+	rm -rf $(CRYPTO_CHECK_BUILD_DIR)
+	rm -f stamps/cryptocheck.stamp
+
 # Target Aliases
 # ===============
 
@@ -2739,6 +2786,14 @@
 
 cacao: stamps/cacao.stamp
 
+check-crypto: stamps/check-crypto.stamp
+
+check-crypto-boot: stamps/check-crypto-boot.stamp
+
+check-crypto-debug: stamps/check-crypto-debug.stamp
+
+cryptocheck: stamps/cryptocheck.stamp
+
 nbplatform: stamps/nbplatform.stamp
 
 download: stamps/download.stamp
diff -r eeeac5962554 -r be0e350adea7 NEWS
--- a/NEWS	Mon Dec 09 22:28:23 2013 +0000
+++ b/NEWS	Wed Dec 18 14:01:07 2013 +0000
@@ -878,6 +878,7 @@
   - RH902004: very bad performance with E-Porto Add-In für OpenOffice Writer installed (hs23 only)
   - RH991170: java does not use correct kerberos credential cache
   - PR1535: Allow use of system Kerberos to obtain cache location
+  - PR1290: Ensure unlimited crypto policy is in place.
 * JamVM
   - JSR 335: Lambda Expressions
   - JEP 171: Implement fence methods in sun.misc.Unsafe
diff -r eeeac5962554 -r be0e350adea7 TestCryptoLevel.java
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/TestCryptoLevel.java	Wed Dec 18 14:01:07 2013 +0000
@@ -0,0 +1,78 @@
+/* TestCryptoLevel -- Ensure unlimited crypto policy is in use.
+   Copyright (C) 2012 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.Permission;
+import java.security.PermissionCollection;
+
+public class TestCryptoLevel
+{
+  public static void main(String[] args)
+    throws NoSuchFieldException, ClassNotFoundException,
+           IllegalAccessException, InvocationTargetException
+  {
+    Class<?> cls = null;
+    Method def = null, exempt = null;
+
+    try
+      {
+        cls = Class.forName("javax.crypto.JceSecurity");
+      }
+    catch (ClassNotFoundException ex)
+      {
+        System.err.println("Running a non-Sun JDK.");
+        System.exit(0);
+      }
+    catch (ExceptionInInitializerError err)
+      {
+        System.err.println("Failed to initialise JceSecurity: "
+                           + err.getCause().getCause().getMessage());
+        System.exit(-2);
+      }
+    try
+      {
+        def = cls.getDeclaredMethod("getDefaultPolicy");
+        exempt = cls.getDeclaredMethod("getExemptPolicy");
+      }
+    catch (NoSuchMethodException ex)
+      {
+        System.err.println("Running IcedTea with the original crypto patch.");
+        System.exit(0);
+      }
+    def.setAccessible(true);
+    exempt.setAccessible(true);
+    PermissionCollection defPerms = (PermissionCollection) def.invoke(null);
+    PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null);
+    Class<?> apCls = Class.forName("javax.crypto.CryptoAllPermission");
+    Field apField = apCls.getDeclaredField("INSTANCE");
+    apField.setAccessible(true);
+    Permission allPerms = (Permission) apField.get(null);
+    if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms)))
+      {
+        System.err.println("Running with the unlimited policy.");
+        System.exit(0);
+      }
+    else
+      {
+        System.err.println("WARNING: Running with a restricted crypto policy.");
+        System.exit(-1);
+      }
+  }
+}
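Review bot: In the `ExceptionInInitializerError` handler, `err.getCause().getCause().getMessage()` assumes the cause chain is at least two deep; if either `getCause()` returns null the handler throws a NullPointerException, and the "Failed to initialise JceSecurity" diagnostic and `System.exit(-2)` are never reached. Walk the chain with null checks and print the deepest message available. The `NoSuchMethodException` branch also deserves a comment: it exits 0, so a JDK where `getDefaultPolicy` or `getExemptPolicy` is absent passes the build check without the policy being inspected.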

