base repository: jruby/jruby
base: 72ac6a88f1bf
head repository: jruby/jruby
compare: d0dedf983602
  • 2 commits
  • 2 files changed
  • 1 contributor

Commits on Aug 24, 2016

  1. patch around JceSecurity.isRestricted being final since J8u102

    ... also now won't change the field value if it's not restricted 'already'
    kares committed Aug 24, 2016
    f205427 View commit details
  2. move the 'naive' JCE crypto hack into a standalone security helper

    keeps things ~ as before Java8u102 (additional checks for OracleJDK)
    could be avoided in the future entirely by helping with JCE pack install
    
    closes #4101
    kares committed Aug 24, 2016
    d0dedf9 View commit details
Showing with 67 additions and 14 deletions.
  1. +3 −14 core/src/main/java/org/jruby/Ruby.java
  2. +64 −0 core/src/main/java/org/jruby/util/SecurityHelper.java
17 changes: 3 additions & 14 deletions core/src/main/java/org/jruby/Ruby.java
@@ -61,7 +61,6 @@
import org.jruby.parser.StaticScope;
import org.jruby.runtime.JavaSites;
import org.jruby.runtime.invokedynamic.InvokeDynamicSupport;
import org.jruby.util.ClassDefiningClassLoader;
import org.objectweb.asm.util.TraceClassVisitor;

import jnr.constants.Constant;
@@ -142,8 +141,10 @@
import org.jruby.runtime.scope.ManyVarsDynamicScope;
import org.jruby.threading.DaemonThreadFactory;
import org.jruby.util.ByteList;
import org.jruby.util.ClassDefiningClassLoader;
import org.jruby.util.DefinedMessage;
import org.jruby.util.JRubyClassLoader;
import org.jruby.util.SecurityHelper;
import org.jruby.util.SelfFirstJRubyClassLoader;
import org.jruby.util.IOInputStream;
import org.jruby.util.IOOutputStream;
@@ -169,7 +170,6 @@
import java.lang.invoke.MethodHandle;
import java.lang.ref.WeakReference;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.net.BindException;
import java.net.MalformedURLException;
import java.net.URL;
@@ -1284,18 +1284,7 @@ && getInstanceConfig().getCompileMode() != CompileMode.TRUFFLE) {
loadService.require("jruby");
}

// attempt to enable unlimited-strength crypto on OpenJDK
try {
Class jceSecurity = Class.forName("javax.crypto.JceSecurity");
Field isRestricted = jceSecurity.getDeclaredField("isRestricted");
isRestricted.setAccessible(true);
isRestricted.set(null, false);
isRestricted.setAccessible(false);
} catch (Exception e) {
if (isDebug() || LOG.isDebugEnabled()) {
LOG.debug("unable to enable unlimited-strength crypto", e);
}
}
SecurityHelper.checkCryptoRestrictions(this);

// out of base boot mode
bootingCore = false;
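Review bot: The new call `SecurityHelper.checkCryptoRestrictions(this);` reads like a read-only check, but the helper added in this commit tries to rewrite `javax.crypto.JceSecurity.isRestricted`, which is JVM-wide state, and the explanatory comment that used to sit here is removed. I would keep a comment at the call site, for example `// best-effort: tries to lift the JCE key-strength restriction for the whole JVM (Oracle JRE only)`, so an embedder reading the boot sequence can see the process-wide side effect. The helper does not use the runtime it is passed, so the previous `isDebug()` gating of the log output is no longer applied. The enclosing method starts and ends outside this hunk.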
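--- a/core/src/main/java/org/jruby/util/SecurityHelper.java
+++ b/core/src/main/java/org/jruby/util/SecurityHelper.java
@@ -0,0 +1,64 @@
+package org.jruby.util;
+
+import org.jruby.Ruby;
+import org.jruby.util.log.Logger;
+import org.jruby.util.log.LoggerFactory;
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
+
+public abstract class SecurityHelper {
+
+private static final Logger LOG = LoggerFactory.getLogger(SecurityHelper.class);
+
+// attempt to enable unlimited-strength crypto on OracleJDK
+public static void checkCryptoRestrictions(final Ruby runtime) {
+if ( isOracleJRE() ) {
+setNonRestricted();
+// NOTE: this is not 'really' enough and there's more to be done :
+// JceSecurity#defaultPolicy should add: javax.crypto.CryptoAllPermission
+//
+// ... but instead of further hacking we shall advise on installing JCE pack
+// JRuby-OpenSSL uses BC thus might not care much for un-limiting the built-in crypto provider
+}
+}
+
+private static boolean setNonRestricted() {
+try {
+Class jceSecurity = Class.forName("javax.crypto.JceSecurity");
+Field isRestricted = jceSecurity.getDeclaredField("isRestricted");
+if ( Boolean.TRUE.equals(isRestricted.get(null)) ) {
+if ( Modifier.isFinal(isRestricted.getModifiers()) ) {
+Field modifiers = Field.class.getDeclaredField("modifiers");
+modifiers.setAccessible(true);
+modifiers.setInt(isRestricted, isRestricted.getModifiers() & ~Modifier.FINAL);
+}
+isRestricted.setAccessible(true);
+isRestricted.setBoolean(null, false); // isRestricted = false;
+isRestricted.setAccessible(false);
+return true;
+}
+}
+catch (ClassNotFoundException e) {
+LOG.info("unable un-restrict jce security: " + e);
+}
+catch (Exception e) {
+LOG.debug("unable un-restrict jce security: ", e);
+}
+return false;
+}
+
+private static boolean isOracleJRE() {
+try {
+String name = System.getProperty("java.vendor"); // "Oracle Corporation"
+if ( name == null || ! name.contains("Oracle") ) return false;
+name = System.getProperty("java.runtime.name"); // make sure we're not OpenJDK
+if ( name == null || name.contains("OpenJDK") ) return false;
+return true;
+}
+catch (SecurityException e) {
+return false;
+}
+}
+
+}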
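Review bot: In `setNonRestricted()` the guard `Boolean.TRUE.equals(isRestricted.get(null))` reads the field before `isRestricted.setAccessible(true)` is called. If the field is not public (it is private in the JDK sources I know of, worth confirming on the targeted JREs), the read throws `IllegalAccessException`, the `catch (Exception e)` logs it at debug only, and the method returns false without changing anything. Moving `isRestricted.setAccessible(true);` to directly after `getDeclaredField("isRestricted")` makes the read legal. Separately, a `true` return does not prove the restriction is lifted, because a `static final boolean` may already have been inlined by the JIT, and the `FINAL` bit cleared through `Field.modifiers` is never restored. Since this overrides a JVM policy control, I would report the outcome at info level and add a Javadoc on `checkCryptoRestrictions` stating that it mutates process-wide state and that `runtime` is currently unused.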