On 08/17/2016 07:22 PM, Bradford Wetmore wrote:
- src/java.base/share/conf/security/java.security
    crypto.policy=policydir-tbd
The policydir-tbd value is a little confusing in that it isn't a real
value. What about just setting this to the empty string?
It's a similar marker for the string replacement like was done for
security.provider.tbd.
Ok, but those are property names.
What about setting the default value to "limited"? And then this would
only be changed to "unlimited" if the build --enable-unlimited-crypto
option is specified?
I could change it to be delineated with <>:
"<policydir-tbd>" if you like?
- src/java.base/share/classes/javax/crypto/JceSecurity.java
    String cryptoPolicyDir = Security.getProperty("crypto.policy");
    Path cryptoPolicyPath = Paths.get(cryptoPolicyDir);
What happens if crypto.policy is not set or is set to ""?
Good catch. Not set would NPE, "" would simply look at
<java-home>/conf/security/policy and fail to iterate the directory if no
files were actually there. I've added code for both those conditions,
and also switched to use Path.resolve().
    // Sanity check the crypto.policy Security property. Single
    // directory entry, no pseudo- or subdirectories.
    String cryptoPolicyDir = Security.getProperty("crypto.policy");

    if (cryptoPolicyDir == null) {
        throw new SecurityException(
            "No cryptographic jurisdiction policy directory value");
    }
Instead of throwing an exception here, I wonder if it would make more
sense to assume a default value of "limited" if the property is not set
or is empty.
--Sean
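
Added example (not part of the original message, and not the JDK's JceSecurity code): one way to combine the checks discussed in this thread, treating an unset or empty crypto.policy as "limited" and accepting only a single directory name under <java-home>/conf/security/policy. The class name, method name and DEFAULT_POLICY constant are hypothetical, and the sample values in main() are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Security;

public class CryptoPolicyDirExample {

    // Hypothetical fallback, following the "assume limited" suggestion above.
    static final String DEFAULT_POLICY = "limited";

    /**
     * Maps a crypto.policy value to a directory under
     * <java-home>/conf/security/policy. The value must be a single
     * directory entry: not absolute, no separators, no "." or "..".
     */
    static Path resolvePolicyDir(Path javaHome, String value) {
        if (value == null || value.trim().isEmpty()) {
            value = DEFAULT_POLICY;              // unset or "" falls back
        }
        Path entry = Paths.get(value.trim());
        Path file = entry.getFileName();         // null for a bare root
        String name = (file == null) ? "" : file.toString();
        if (entry.isAbsolute() || entry.getNameCount() != 1
                || name.equals(".") || name.equals("..")) {
            throw new SecurityException(
                "Invalid crypto.policy directory name: " + value);
        }
        Path base = javaHome.resolve("conf").resolve("security")
                            .resolve("policy").normalize();
        Path dir = base.resolve(entry).normalize();
        if (!dir.startsWith(base) || dir.equals(base)) {
            // Defence in depth: the result must be a child of base.
            throw new SecurityException(
                "crypto.policy escapes the policy directory: " + value);
        }
        return dir;
    }

    public static void main(String[] args) {
        Path home = Paths.get(System.getProperty("java.home"));
        System.out.println("configured -> "
            + resolvePolicyDir(home, Security.getProperty("crypto.policy")));
        // Constructed sample values, including the two cases raised above.
        for (String v : new String[] {null, "", "unlimited", "..", "../lib", "a/b"}) {
            try {
                System.out.println(v + " -> " + resolvePolicyDir(home, v));
            } catch (SecurityException e) {
                System.out.println(v + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```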