invent a JCE crypto security hack to disable restrictions

... NOT meant for production use!

Author: kares

src/main/java/org/jruby/ext/openssl/OpenSSL.java

@@ -36,6 +36,7 @@
 import org.jruby.anno.JRubyMethod;
 import org.jruby.anno.JRubyModule;
 import org.jruby.runtime.ThreadContext;
+import org.jruby.runtime.Visibility;
 import org.jruby.runtime.builtin.IRubyObject;
 import org.jruby.util.ByteList;
 import org.jruby.util.SafePropertyAccessor;
@@ -188,22 +189,35 @@ public static IRubyObject set_fips_mode(ThreadContext context, IRubyObject self,
 
     // internal (package-level) helpers :
 
+    /**
+     * PRIMARILY MEANT FOR TESTING ONLY, USAGE IS DISCOURAGED!
+     * @see org.jruby.ext.openssl.util.CryptoSecurity
+     */
+    @JRubyMethod(name = "_disable_security_restrictions!", visibility = Visibility.PRIVATE, meta = true)
+    public static IRubyObject _disable_security_restrictions(ThreadContext context, IRubyObject self) {
+        Boolean unrestrict = org.jruby.ext.openssl.util.CryptoSecurity.unrestrictSecurity();
+        Boolean allPerm = org.jruby.ext.openssl.util.CryptoSecurity.setAllPermissionPolicy();
+        if ( unrestrict == null || allPerm == null ) return context.nil;
+        return context.runtime.newBoolean( unrestrict && allPerm );
+    }
+
+
     private static boolean debug;
 
     // on by default, warnings can be disabled using -Djruby.openssl.warn=false
     private static boolean warn = true;
 
     static boolean isDebug() { return debug; }
 
-    static void debugStackTrace(final Throwable e) {
+    public static void debugStackTrace(final Throwable e) {
         if ( isDebug() ) e.printStackTrace(System.out);
     }
 
-    static void debug(final String msg) {
+    public static void debug(final String msg) {
         if ( isDebug() ) System.out.println(msg);
     }
 
-    static void debug(final String msg, final Throwable e) {
+    public static void debug(final String msg, final Throwable e) {
         if ( isDebug() ) System.out.println(msg + ' ' + e);
     }
 
@@ -237,7 +251,7 @@ static void warn(final ThreadContext context, final IRubyObject msg) {
         if ( warn ) context.runtime.getModule("OpenSSL").callMethod(context, "warn", msg);
     }
 
-    private static String javaVersion(final String def) {
+    public static String javaVersion(final String def) {
         final String javaVersionProperty =
                 SafePropertyAccessor.getProperty("java.version", def);
         if ( javaVersionProperty == "0" ) return "1.7.0"; // Android
@@ -262,11 +276,11 @@ private static String javaName(final String def) {
         return SafePropertyAccessor.getProperty("java.vm.name", def);
     }
 
-    static boolean javaHotSpot() {
+    public static boolean javaHotSpot() {
         return javaName("").contains("HotSpot(TM)");
     }
 
-    static boolean javaOpenJDK() {
+    public static boolean javaOpenJDK() {
         return javaName("").contains("OpenJDK");
     }
 

src/main/java/org/jruby/ext/openssl/util/CryptoSecurity.java

@@ -0,0 +1,156 @@
+/***** BEGIN LICENSE BLOCK *****
+ * Version: EPL 1.0/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Eclipse Public
+ * License Version 1.0 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * Copyright (C) 2017 Karol Bucek <[email protected]>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either of the GNU General Public License Version 2 or later (the "GPL"),
+ * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the EPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the EPL, the GPL or the LGPL.
+ ***** END LICENSE BLOCK *****/
+package org.jruby.ext.openssl.util;
+
+import org.jruby.ext.openssl.OpenSSL;
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Security;
+
+/**
+ * JCE security helper for disabling (default) imposed cryptographic restrictions.
+ *
+ * Using this class might be in **contrast with the license agreement** that came with your JRE.
+ *
+ * It's preferable to install:
+ *
+ * "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files"
+ *
+ * specific to your Java version!
+ *
+ * @see http://www.oracle.com/technetwork/java/javase/downloads/index.html
+ */
+public final class CryptoSecurity {
+
+    private CryptoSecurity() { /* no instances */ }
+
+    public static void disableJceRestrictions() {
+        unrestrictSecurity();
+        setAllPermissionPolicy();
+    }
+
+    public static Boolean setAllPermissionPolicy() {
+        if ( ! OpenSSL.javaHotSpot() ) return false;
+        try {
+            final Class JceSecurity = Class.forName("javax.crypto.JceSecurity");
+
+            final Class CryptoPermissions = Class.forName("javax.crypto.CryptoPermissions");
+            final Class CryptoAllPermission = Class.forName("javax.crypto.CryptoAllPermission");
+
+            Field defaultPolicy = JceSecurity.getDeclaredField("defaultPolicy");
+            defaultPolicy.setAccessible(true);
+
+            Field perms = CryptoPermissions.getDeclaredField("perms");
+            perms.setAccessible(true);
+
+            Field INSTANCE = CryptoAllPermission.getDeclaredField("INSTANCE");
+            INSTANCE.setAccessible(true);
+
+            synchronized (Security.class) {
+                final PermissionCollection defPolicy = (PermissionCollection) defaultPolicy.get(null);
+                final java.util.Map permsMap = (java.util.Map) perms.get(defPolicy);
+                if ( ! permsMap.isEmpty() ) {
+                    permsMap.clear();
+                    defPolicy.add((Permission) INSTANCE.get(null));
+                    return true;
+                }
+                return false;
+            }
+        }
+        catch (ClassNotFoundException e) {
+            OpenSSL.debug("unable un-restrict jce security: ", e);
+            return null;
+        }
+        catch (Exception e) {
+            OpenSSL.debug("unable un-restrict jce security: ");
+            OpenSSL.debugStackTrace(e);
+            return null;
+        }
+    }
+
+    public static Boolean unrestrictSecurity() {
+        if ( ! OpenSSL.javaHotSpot() ) return false;
+        if ( javaVersion9() ) {
+            return unrestrictJceSecurity9();
+        }
+        return unrestrictJceSecurity8();
+    }
+
+    static Boolean unrestrictJceSecurity9() {
+        try {
+            if (Security.getProperty("crypto.policy") == null) {
+                Security.setProperty("crypto.policy", "unlimited");
+                return true;
+            }
+            return false;
+        }
+        catch (Exception e) {
+            OpenSSL.debug("unable un-restrict jce security: ", e);
+            return null;
+        }
+    }
+
+    static Boolean unrestrictJceSecurity8() {
+        try {
+            final Class JceSecurity = Class.forName("javax.crypto.JceSecurity");
+
+            Field isRestricted = JceSecurity.getDeclaredField("isRestricted");
+
+            if ( Modifier.isFinal(isRestricted.getModifiers()) ) {
+                Field modifiers = Field.class.getDeclaredField("modifiers");
+                modifiers.setAccessible(true);
+                modifiers.setInt(isRestricted, isRestricted.getModifiers() & ~Modifier.FINAL);
+            }
+
+            isRestricted.setAccessible(true);
+            if (isRestricted.getBoolean(null) == false) {
+                isRestricted.setBoolean(null, false); // isRestricted = false;
+                return true;
+            }
+            return false;
+        }
+        catch (ClassNotFoundException e) {
+            OpenSSL.debug("unable un-restrict jce security: ", e);
+            return null;
+        }
+        catch (Exception e) {
+            OpenSSL.debug("unable un-restrict jce security: ");
+            OpenSSL.debugStackTrace(e);
+            return null;
+        }
+    }
+
+    private static boolean javaVersion9() {
+        final int gt = "1.8".compareTo( OpenSSL.javaVersion("0.0").substring(0, 3) );
+        return gt <= 0;
+    }
+
+}