Add a restricted security policy for CRIU

closed/src/java.base/share/classes/openj9/internal/criu/CRIUSECProvider.java → closed/src/java.base/share/classes/openj9/internal/criu/CRIUSEC.java

@@ -28,21 +28,21 @@
 import java.security.Provider;
 
 /**
- * The CRIUSECProvider is a security provider that is used as follows when CRIU
- * is enabled. During the checkpoint phase, all other security providers are
- * removed, except CRIUSECProvider, and the digests are cleared, to ensure that
- * no state is saved during checkpoint that is then restored during the restore
- * phase. During the resore phase, CRIUSECProvider is removed and the other
- * security providers are added back.
+ * The CRIUSEC is a security provider that is used as follows when CRIU is
+ * enabled. During the checkpoint phase, all other security providers are
+ * removed, except CRIUSEC, and the digests are cleared, to ensure that no
+ * state is saved during checkpoint that is then restored during the restore
+ * phase. During the resore phase, CRIUSEC is removed and the other security
+ * providers are added back.
  */
-public final class CRIUSECProvider extends Provider {
+public final class CRIUSEC extends Provider {
 
     private static final long serialVersionUID = -3240458633432287743L;
 
-    public CRIUSECProvider() {
+    public CRIUSEC() {
         super("CRIUSEC", "1", "CRIUSEC Provider");
 
-        String packageName = CRIUSECProvider.class.getPackage().getName() + ".";
+        String packageName = CRIUSEC.class.getPackage().getName() + ".";
 
         String[] aliases = new String[] { "SHA",
                                           "SHA1",

closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java

@@ -37,6 +37,10 @@
 
 import sun.security.util.Debug;
 
+/*[IF CRIU_SUPPORT]*/
+import openj9.internal.criu.InternalCRIUSupport;
+/*[ENDIF] CRIU_SUPPORT*/
+
 /**
  * Configures the security providers when in restricted security mode.
  */
@@ -72,8 +76,18 @@ public String[] run() {
                     }
                 });
         userEnabledFIPS = Boolean.parseBoolean(props[0]);
+        String securitySetting = props[1];
         // If semeru.fips is true, then ignore semeru.restrictedsecurity, use userSecurityNum 1.
-        userSecuritySetting = userEnabledFIPS ? "1" : props[1];
+        if (Boolean.parseBoolean(props[0])) {
+            securitySetting = "1";
+        }
+ /*[IF CRIU_SUPPORT]*/
+        // If CRIU checkpoint mode is enabled, use the 2nd restricted security policy.
+        if (InternalCRIUSupport.isCheckpointAllowed()) {
+            securitySetting = "2";
+        }
+ /*[ENDIF] CRIU_SUPPORT*/
+        userSecuritySetting = securitySetting;
         userEnabledSecurity = !isNullOrBlank(userSecuritySetting);
         isSecuritySupported = "Linux".equalsIgnoreCase(props[2])
                 && supportPlatforms.contains(props[3]);
@@ -86,14 +100,24 @@ private RestrictedSecurityConfigurator() {
 
     /**
      * Restricted security mode will be enabled only if the semeru.fips system
-     * property is true (default as false).
+     * property is true (default as false), or semeru.restrictedsecurity is set,
+     * or CRIU checkpoint mode is enabled.
      *
      * @return true if restricted security is enabled
      */
     public static boolean isEnabled() {
         return securityEnabled;
     }
 
+/*[IF CRIU_SUPPORT]*/
+    /**
+     * Disables the restricted security mode.
+     */
+    public static void disable() {
+        securityEnabled = false;
+    }
+/*[ENDIF] CRIU_SUPPORT*/
+
     /**
      * Remove the security providers and only add the restricted security providers.
      *

src/java.base/share/conf/security/java.security

@@ -135,6 +135,26 @@ RestrictedSecurity1.javax.net.ssl.keyStore = NONE
 
 RestrictedSecurity1.securerandom.provider = SunPKCS11-NSS-FIPS
 RestrictedSecurity1.securerandom.algorithm = PKCS11
+
+RestrictedSecurity2.desc.name = CRIU
+RestrictedSecurity2.desc.number = 1
+RestrictedSecurity2.desc.policy = Security
+RestrictedSecurity2.desc.sunsetDate = 2030-01-01
+
+RestrictedSecurity2.tls.disabledNamedCurves =
+RestrictedSecurity2.tls.disabledAlgorithms =
+RestrictedSecurity2.tls.ephemeralDHKeySize =
+RestrictedSecurity2.tls.legacyAlgorithms =
+
+RestrictedSecurity2.jce.certpath.disabledAlgorithms =
+RestrictedSecurity2.jce.legacyAlgorithms =
+RestrictedSecurity2.jce.provider.1 = openj9.internal.criu.CRIUSEC
+
+RestrictedSecurity2.keystore.type =
+RestrictedSecurity2.javax.net.ssl.keyStore =
+
+RestrictedSecurity2.securerandom.provider = CRIUSEC
+RestrictedSecurity2.securerandom.algorithm = SHA1PRNG
 #endif
 
 #