[Bug 3655] [IcedTea8] Allow use of system crypto policy to be disabled by the user

bugzilla-daemon at icedtea.classpath.org
Wed Dec 19 05:50:21 UTC 2018


https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3655

--- Comment #2 from Andrew John Hughes <gnu.andrew at redhat.com> ---
No, security properties don't work like that. To override security properties,
-Djava.security.properties is used to specify an override file.

However, there is a problem with that approach with the current system
properties too. At the moment, the logic is:

1. Read ${java.home}/jre/lib/security.properties
2. Add system properties if security.useSystemPropertiesFile is set to true by
security.properties.
3. Add user properties from override file if security.overridePropertiesFile is
set to true by security.properties

Because the system properties have already been read before #3, the user can't
override it that way either.

So, in this fix, we'll swap #2 and #3 over so either the override file can turn
it off or the property -Djava.security.disableSystemPropertiesFile can be used
as a shorthand.

$ cat TestSecurityProperties.java
import java.security.Security;

public class TestSecurityProperties {
    public static void main(String[] args) {
        // Print the effective value of each security property after all
        // property files have been merged.
        for (String property : new String[] {
                "jdk.certpath.disabledAlgorithms",
                "security.useSystemPropertiesFile" }) {
            System.out.printf("%s: %s\n", property,
                    Security.getProperty(property));
        }
    }
}

$ cat sysprop.override 
security.useSystemPropertiesFile=false

Current:

$ /usr/lib/jvm/icedtea-8/bin/java -Djava.security.properties=sysprop.override TestSecurityProperties
jdk.certpath.disabledAlgorithms: MD2, MD5, RSA keySize < 1023 <- sysprops
security.useSystemPropertiesFile: false

$ /usr/lib/jvm/icedtea-8/bin/java -Djava.security.disableSystemPropertiesFile=true TestSecurityProperties
jdk.certpath.disabledAlgorithms: MD2, MD5, RSA keySize < 1023 <- sysprops
security.useSystemPropertiesFile: true

Patched:

$ /mnt/builder/icedtea8/images/j2sdk-image/bin/java -Djava.security.properties=sysprop.override TestSecurityProperties
jdk.certpath.disabledAlgorithms: MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 <- JDK
security.useSystemPropertiesFile: false

$ /mnt/builder/icedtea8/images/j2sdk-image/bin/java -Djava.security.disableSystemPropertiesFile=true TestSecurityProperties
jdk.certpath.disabledAlgorithms: MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 <- JDK
security.useSystemPropertiesFile: true

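The load-order problem described in the comment above, as an added example that is not part of the original message and is not IcedTea or JDK source: a simplified model that merges three property sets in the current order and in the swapped order, so the effect on jdk.certpath.disabledAlgorithms can be compared with the outputs shown. The class LoadOrderModel, its methods and the use of Properties.putAll for merging are assumptions made for illustration; the algorithm strings are copied from the outputs in the message.

```java
import java.util.Properties;

// Simplified model of the load order described in the comment; not JDK source.
public class LoadOrderModel {
    static final String ALGS = "jdk.certpath.disabledAlgorithms";
    static final String USE_SYSTEM = "security.useSystemPropertiesFile";
    static final String ALLOW_OVERRIDE = "security.overridePropertiesFile";

    // Build a Properties object from alternating key/value arguments.
    static Properties of(String... kv) {
        Properties p = new Properties();
        for (int i = 0; i < kv.length; i += 2) p.setProperty(kv[i], kv[i + 1]);
        return p;
    }

    static boolean isTrue(Properties p, String key) {
        return "true".equalsIgnoreCase(p.getProperty(key));
    }

    // patched=false: system file merged before the override file (steps 1, 2, 3).
    // patched=true: override file merged first, then the system file unless the
    // override file or the disable flag has switched it off.
    static Properties load(Properties jdk, Properties system, Properties override,
                           boolean disableFlag, boolean patched) {
        Properties props = new Properties();
        props.putAll(jdk);
        if (!patched && isTrue(props, USE_SYSTEM)) props.putAll(system);
        if (override != null && isTrue(props, ALLOW_OVERRIDE)) props.putAll(override);
        if (patched && !disableFlag && isTrue(props, USE_SYSTEM)) props.putAll(system);
        return props;
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for the three property sources.
        Properties jdk = of(ALGS, "MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, "
                + "DSA keySize < 1024, EC keySize < 224",
                USE_SYSTEM, "true", ALLOW_OVERRIDE, "true");
        Properties system = of(ALGS, "MD2, MD5, RSA keySize < 1023");
        Properties override = of(USE_SYSTEM, "false");

        for (boolean patched : new boolean[] { false, true }) {
            Properties viaFile = load(jdk, system, override, false, patched);
            Properties viaFlag = load(jdk, system, null, true, patched);
            System.out.printf("patched=%b override file: %s | %s=%s%n", patched,
                    viaFile.getProperty(ALGS), USE_SYSTEM, viaFile.getProperty(USE_SYSTEM));
            System.out.printf("patched=%b disable flag:  %s | %s=%s%n", patched,
                    viaFlag.getProperty(ALGS), USE_SYSTEM, viaFlag.getProperty(USE_SYSTEM));
        }
    }
}
```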