[PATCH FOR REVIEW] Allow OpenJDK to be built with the unlimited crypto policy

Brad Wetmore bradford.wetmore at oracle.com
Thu Sep 20 03:21:02 UTC 2012 

 > But I think someone from the security team should chime in on this.

I plan to look closer at this.  On the surface, it looks acceptable to 
me, but I've been heads down in the SNI code: likely for one more day. 
Wanted to also run this by one of my other colleagues.

One thought:  I'm wondering if we might want to have this switch in both 
Open and Closed.  As long as default is off, I don't immediately see a 
reason to not have it.

Brad



On 9/19/2012 7:34 PM, Kelly O'Hair wrote:
> It seems fine with me.
> But I think someone from the security team should chime in on this.
>
> -kto
>
> On Sep 18, 2012, at 7:39 AM, Andrew Hughes wrote:
>
>> This is an issue that has been with us for a while.  See:
>>
>> https://bugs.openjdk.java.net/show_bug.cgi?id=100062
>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7188845
>>
>> for some background.
>>
>> The original proposed patch goes to far in removing most of the
>> infrastructure for restricting crypto levels and signing of crypto
>> jars.
>>
>> The following simple webrev will achieve what I think is needed:
>>
>> http://cr.openjdk.java.net/~andrew/100062/webrev.01/
>>
>> allowing OpenJDK to be built with the unlimited rather than limited
>> crypto policy in place.
>>
>> The build is only altered if both an OpenJDK build is being performed
>> and UNLIMITED_CRYPTO is defined.  In this case, the install-unlimited
>> rule is used to install policies.  Without UNLIMITED_CRYPTO being set,
>> OpenJDK builds still depend on install-limited as now.
>>
>> I believe this is a fairly unintrusive change which should allow GNU/Linux
>> distros to ship without crypto restrictions while still using upstream
>> OpenJDK rather than a variant with several classes removed.
>>
>> It's not clear to me why this approach wasn't taken before, so I hope I haven't
>> missed something.
>>
>> If this looks ok, I'll push it as the resolution for bug 7188845.
>> --
>> Andrew :)
>>
>> Free Java Software Engineer
>> Red Hat, Inc. (http://www.redhat.com)
>>
>> PGP Key: 248BDC07 (https://keys.indymedia.org/)
>> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
>>
>

More information about the security-dev mailing list