diff --git a/plugin-security.policy b/plugin-security.policy
index 7bb18f76c9..6391695390 100644
--- a/plugin-security.policy
+++ b/plugin-security.policy
@@ -37,7 +37,6 @@ grant {
 permission java.util.PropertyPermission "*","read,write";
 //Enable when we switch to UnboundID LDAP SDK
- //permission java.util.PropertyPermission "*", "read,write";
 //permission java.lang.RuntimePermission "setFactory";
 //permission javax.net.ssl.SSLPermission "setHostnameVerifier";
@@ -61,11 +60,12 @@ grant {
 permission java.security.SecurityPermission "insertProvider.BC";
 permission java.security.SecurityPermission "removeProviderProperty.BC";
 permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";
+ permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
+ permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";
 permission java.lang.RuntimePermission "accessUserInformation";
 permission java.security.SecurityPermission "org.apache.xml.security.register";
- permission java.util.PropertyPermission "org.apache.xml.security.ignoreLineBreaks", "write";
 permission java.lang.RuntimePermission "createClassLoader";
diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
index 4adaf2dc9b..d85e6a1d32 100644
--- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
+++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
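Review bot: The two added `getProperty.org.bouncycastle.rsa.*` grants in the second policy hunk carry no comment saying which code path needs them, and they sit in the unqualified `grant {` block named in the hunk header, so they appear to apply to all code this policy covers. Both are read-only and scoped to exact property names, which is the right shape; a one-line comment such as `// BouncyCastle reads these security properties when validating RSA keys` (presumably the reason, worth confirming) would spare the next policy audit from guessing. The removed `org.apache.xml.security.ignoreLineBreaks` write grant is still covered by the `PropertyPermission "*","read,write"` line visible as context in the first hunk, so dropping it does not narrow what the plugin may write; that wildcard is the entry worth tightening in a follow-up.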
@@ -958,19 +958,32 @@ private SslContext buildSSLServerContext(
 final ClientAuth authMode
 ) throws SSLException {
- final SslContextBuilder _sslContextBuilder = SslContextBuilder.forServer(_key, _cert)
- .ciphers(ciphers)
- .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
- .clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722
- .sessionCacheSize(0)
- .sessionTimeout(0)
- .sslProvider(sslProvider);
+ try {
+ final SslContextBuilder _sslContextBuilder = AccessController.doPrivileged(new PrivilegedExceptionAction() {
+ @Override
+ public SslContextBuilder run() throws Exception {
+ return SslContextBuilder.forServer(_key, _cert)
+ .ciphers(ciphers)
+ .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
+ .clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722
+ .sessionCacheSize(0)
+ .sessionTimeout(0)
+ .sslProvider(sslProvider);
+ }
+ });
- if (_trustedCerts != null && _trustedCerts.length > 0) {
- _sslContextBuilder.trustManager(_trustedCerts);
- }
+ if (_trustedCerts != null && _trustedCerts.length > 0) {
+ _sslContextBuilder.trustManager(_trustedCerts);
+ }
- return buildSSLContext0(_sslContextBuilder);
+ return buildSSLContext0(_sslContextBuilder);
+ } catch (final PrivilegedActionException e) {
+ if (e.getCause() instanceof SSLException) {
+ throw (SSLException) e.getCause();
+ } else {
+ throw new RuntimeException(e);
+ }
+ }
 }
 private SslContext buildSSLServerContext(
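Review bot: This overload enters `AccessController.doPrivileged` without first checking `SpecialPermission`, while the `pwd` overload changed in the next hunk adds `sm.checkPermission(new SpecialPermission())` ahead of its privileged block. Without that gate, less-privileged code on the call stack could reach the privileged builder construction, which is the situation the check in the sibling overload seems intended to prevent. Adding `final SecurityManager sm = System.getSecurityManager();` followed by `if (sm != null) { sm.checkPermission(new SpecialPermission()); }` before the `try` would make the two overloads consistent. The method signature begins above the hunk, but the body shown starts directly with `try {`, so no earlier check appears to exist.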
@@ -982,20 +995,38 @@ private SslContext buildSSLServerContext(
 final SslProvider sslProvider,
 final ClientAuth authMode
 ) throws SSLException {
+ final SecurityManager sm = System.getSecurityManager();
- final SslContextBuilder _sslContextBuilder = SslContextBuilder.forServer(_cert, _key, pwd)
- .ciphers(ciphers)
- .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
- .clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722
- .sessionCacheSize(0)
- .sessionTimeout(0)
- .sslProvider(sslProvider);
-
- if (_trustedCerts != null) {
- _sslContextBuilder.trustManager(_trustedCerts);
+ if (sm != null) {
+ sm.checkPermission(new SpecialPermission());
 }
- return buildSSLContext0(_sslContextBuilder);
+ try {
+ final SslContextBuilder _sslContextBuilder = AccessController.doPrivileged(new PrivilegedExceptionAction() {
+ @Override
+ public SslContextBuilder run() throws Exception {
+ return SslContextBuilder.forServer(_cert, _key, pwd)
+ .ciphers(ciphers)
+ .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
+ .clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722
+ .sessionCacheSize(0)
+ .sessionTimeout(0)
+ .sslProvider(sslProvider);
+ }
+ });
+
+ if (_trustedCerts != null) {
+ _sslContextBuilder.trustManager(_trustedCerts);
+ }
+
+ return buildSSLContext0(_sslContextBuilder);
+ } catch (final PrivilegedActionException e) {
+ if (e.getCause() instanceof SSLException) {
+ throw (SSLException) e.getCause();
+ } else {
+ throw new RuntimeException(e);
+ }
+ }
 }
 private SslContext buildSSLClientContext(
@@ -1059,7 +1090,11 @@ public SslContext run() throws Exception {
 }
 });
 } catch (final PrivilegedActionException e) {
- throw (SSLException) e.getCause();
+ if (e.getCause() instanceof SSLException) {
+ throw (SSLException) e.getCause();
+ } else {
+ throw new RuntimeException(e);
+ }
 }
 return sslContext;
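Review bot: The fallback `throw new RuntimeException(e);` in the new catch block wraps the `PrivilegedActionException` wrapper rather than the exception the action actually threw, so the real failure ends up one level deeper in the cause chain; `throw new RuntimeException(e.getCause());` would keep it on top. The same catch body is repeated in the other `buildSSLServerContext` overload (hunk at 958) and in the hunk at 1090. A small private helper that takes the `PrivilegedActionException` and rethrows the appropriate type would keep the three sites from drifting apart. It would also be worth a short comment at the `doPrivileged` call stating why only the builder construction needs elevated permissions, since `trustManager(...)` and `buildSSLContext0(...)` are deliberately left outside it.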