Extend RestrictedSecurity constraints #935

Merged


KostasTsiounis
Contributor

The functionality of the provider constraints in RestrictedSecurity profiles is extended. Instead of allowing them to be universally used, one can optionally indicate the specific module and/or class from where a particular cryptographic algorithm can be called.

Tests are also added to test the new functionality offered through RestrictedSecurity profiles.

Signed-off-by: Kostas Tsiounis [email protected]

@KostasTsiounis KostasTsiounis force-pushed the constraint_stack_strict branch from 0e832f3 to 67cd84a Compare February 13, 2025 19:38
@pshipton pshipton requested a review from keithc-ca February 14, 2025 03:36
@KostasTsiounis KostasTsiounis force-pushed the constraint_stack_strict branch 3 times, most recently from f71ed5a to f42c9c3 Compare February 20, 2025 17:22
Member

@keithc-ca keithc-ca left a comment


I think this should support more than one use for any given algorithm. For example, we might want to allow both UUID and TestConstraintsSuccess to use MD5:

    {MessageDigest, MD5, *, ModuleAndFullClassName:java.base/java.util.UUID, FullClassName:TestConstraintsSuccess}

(ignore for the moment whether comma is the right separator for acceptable uses)

@KostasTsiounis
Contributor Author

> I think this should support more than one use for any given algorithm. For example, we might want to allow both UUID and TestConstraintsSuccess to use MD5:
>
>     {MessageDigest, MD5, *, ModuleAndFullClassName:java.base/java.util.UUID, FullClassName:TestConstraintsSuccess}
>
> (ignore for the moment whether comma is the right separator for acceptable uses)

We considered this as an option, but we came to the conclusion that it might become convoluted and is kind of error prone. Instead, one can have multiple constraints per algorithm. For example:

    {MessageDigest, MD5, *, ModuleAndFullClassName:java.base/java.util.UUID},
    {MessageDigest, MD5, *, FullClassName:TestConstraintsSuccess}
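
A minimal model of the "multiple constraints per algorithm" semantics discussed above, as an added example that is not code from this pull request: each entry is parsed separately and a caller is admitted if any entry for the algorithm matches it. The class and method names, exact-string matching, the fail-closed handling of unknown use kinds, and the module name `other.module` are assumptions; the attributes field is parsed but not evaluated.

```java
import java.util.List;
// Added illustration: models only the two use kinds quoted in this thread.
public class ConstraintUseDemo {
    // One entry: {type, algorithm, attributes[, use]}; use == null means any caller.
    record Constraint(String type, String algorithm, String attributes, String use) {
        static Constraint parse(String entry) {
            String body = entry.trim();
            if (!body.startsWith("{") || !body.endsWith("}")) {
                throw new IllegalArgumentException("Not a constraint: " + entry);
            }
            String[] f = body.substring(1, body.length() - 1).split(",");
            if (f.length < 3 || f.length > 4) {
                throw new IllegalArgumentException("Expected 3 or 4 fields: " + entry);
            }
            return new Constraint(f[0].trim(), f[1].trim(), f[2].trim(),
                    f.length == 4 ? f[3].trim() : null);
        }
        // True when this entry covers the algorithm and admits the caller.
        boolean permits(String type, String algorithm, String module, String className) {
            if (!this.type.equals(type) || !this.algorithm.equals(algorithm)) {
                return false;
            }
            if (use == null) {
                return true; // no use restriction: universally usable
            }
            if (use.startsWith("ModuleAndFullClassName:")) {
                return use.substring("ModuleAndFullClassName:".length())
                        .equals(module + "/" + className);
            }
            if (use.startsWith("FullClassName:")) {
                return use.substring("FullClassName:".length()).equals(className);
            }
            return false; // unknown use kind: fail closed (assumption)
        }
    }
    // Allowed if any entry for the algorithm admits the caller.
    static boolean isAllowed(List<Constraint> cs, String type, String alg, String module, String cls) {
        return cs.stream().anyMatch(c -> c.permits(type, alg, module, cls));
    }

    public static void main(String[] args) {
        List<Constraint> cs = List.of(
                Constraint.parse("{MessageDigest, MD5, *, ModuleAndFullClassName:java.base/java.util.UUID}"),
                Constraint.parse("{MessageDigest, MD5, *, FullClassName:TestConstraintsSuccess}"));
        System.out.println(isAllowed(cs, "MessageDigest", "MD5", "java.base", "java.util.UUID"));
        System.out.println(isAllowed(cs, "MessageDigest", "MD5", "other.module", "TestConstraintsSuccess"));
        System.out.println(isAllowed(cs, "MessageDigest", "MD5", "other.module", "java.util.UUID"));
    }
}
```

The third call shows why the module-qualified form is the stricter of the two: a class that merely shares the name `java.util.UUID` but is loaded from another module does not satisfy the `ModuleAndFullClassName` entry.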

Member

@keithc-ca keithc-ca left a comment


Please squash.

The functionality of the provider constraints in
RestrictedSecurity profiles is extended. Instead of
allowing them to be universally used, one can optionally
indicate the specific module and/or class from where
a particular cryptographic algorithm can be called.

Tests are also added to test the new functionality
offered through RestrictedSecurity profiles.

Signed-off-by: Kostas Tsiounis <[email protected]>
@keithc-ca
Member

Jenkins test sanity alinux jdknext

@keithc-ca
Member

The sanity.openjdk failure should be resolved by adoptium/ci-jenkins-pipelines#1191.
