8285662: Better permission resolution

Reviewed-by: rhalade, weijun, mullan
openjdk · Oct 18, 2022 · 48cc9a8 · 48cc9a8
1 parent ff18674
commit 48cc9a8
Showing 1 changed file with 49 additions and 41 deletions.
diff --git a/src/java.base/share/classes/java/security/UnresolvedPermission.java b/src/java.base/share/classes/java/security/UnresolvedPermission.java
@@ -153,7 +153,7 @@ public final class UnresolvedPermission extends Permission
      * Each chain is ordered bottom-to-top (i.e., with the signer certificate
      * first and the (root) certificate authority last). The signer
      * certificates are copied from the array. Subsequent changes to
-     * the array will not affect this UnsolvedPermission.
+     * the array will not affect this UnresolvedPermission.
      */
     public UnresolvedPermission(String type,
                                 String name,
@@ -165,59 +165,63 @@ public UnresolvedPermission(String type,
         if (type == null)
                 throw new NullPointerException("type can't be null");
 
+        // Perform a defensive copy and reassign certs if we have a non-null
+        // reference
+        if (certs != null) {
+            certs = certs.clone();
+        }
+
         this.type = type;
         this.name = name;
         this.actions = actions;
+
         if (certs != null) {
             // Extract the signer certs from the list of certificates.
-            for (int i=0; i<certs.length; i++) {
+            for (int i = 0; i < certs.length; i++) {
                 if (!(certs[i] instanceof X509Certificate)) {
                     // there is no concept of signer certs, so we store the
-                    // entire cert array
-                    this.certs = certs.clone();
-                    break;
+                    // entire cert array.  No further processing is necessary.
+                    this.certs = certs;
+                    return;
                 }
             }
 
-            if (this.certs == null) {
-                // Go through the list of certs and see if all the certs are
-                // signer certs.
-                int i = 0;
-                int count = 0;
-                while (i < certs.length) {
-                    count++;
-                    while (((i+1) < certs.length) &&
-                           ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
-                               ((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
-                        i++;
-                    }
+            // Go through the list of certs and see if all the certs are
+            // signer certs.
+            int i = 0;
+            int count = 0;
+            while (i < certs.length) {
+                count++;
+                while (((i + 1) < certs.length) &&
+                       ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
+                           ((X509Certificate)certs[i + 1]).getSubjectX500Principal())) {
                     i++;
                 }
-                if (count == certs.length) {
-                    // All the certs are signer certs, so we store the entire
-                    // array
-                    this.certs = certs.clone();
-                }
+                i++;
+            }
+            if (count == certs.length) {
+                // All the certs are signer certs, so we store the entire
+                // array.  No further processing is needed.
+                this.certs = certs;
+                return;
+            }
 
-                if (this.certs == null) {
-                    // extract the signer certs
-                    ArrayList<java.security.cert.Certificate> signerCerts =
-                        new ArrayList<>();
-                    i = 0;
-                    while (i < certs.length) {
-                        signerCerts.add(certs[i]);
-                        while (((i+1) < certs.length) &&
-                            ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
-                              ((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
-                            i++;
-                        }
-                        i++;
-                    }
-                    this.certs =
-                        new java.security.cert.Certificate[signerCerts.size()];
-                    signerCerts.toArray(this.certs);
+            // extract the signer certs
+            ArrayList<java.security.cert.Certificate> signerCerts =
+                new ArrayList<>();
+            i = 0;
+            while (i < certs.length) {
+                signerCerts.add(certs[i]);
+                while (((i + 1) < certs.length) &&
+                    ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
+                      ((X509Certificate)certs[i + 1]).getSubjectX500Principal())) {
+                    i++;
                 }
+                i++;
             }
+            this.certs =
+                new java.security.cert.Certificate[signerCerts.size()];
+            signerCerts.toArray(this.certs);
         }
     }
 
@@ -310,6 +314,7 @@ Permission resolve(Permission p, java.security.cert.Certificate[] certs) {
      *
      * @return {@code false}.
      */
+    @Override
     public boolean implies(Permission p) {
         return false;
     }
@@ -330,6 +335,7 @@ public boolean implies(Permission p) {
      * and has the same type (class) name, permission name, actions, and
      * certificates as this object.
      */
+    @Override
     public boolean equals(Object obj) {
         if (obj == this)
             return true;
@@ -402,7 +408,7 @@ public boolean equals(Object obj) {
      *
      * @return a hash code value for this object.
      */
-
+    @Override
     public int hashCode() {
         int hash = type.hashCode();
         if (name != null)
@@ -422,6 +428,7 @@ public int hashCode() {
      *
      * @return the empty string "".
      */
+    @Override
     public String getActions()
     {
         return "";
@@ -491,6 +498,7 @@ public java.security.cert.Certificate[] getUnresolvedCerts() {
      *
      * @return information about this {@code UnresolvedPermission}.
      */
+    @Override
     public String toString() {
         return "(unresolved " + type + " " + name + " " + actions + ")";
     }
@@ -502,7 +510,7 @@ public String toString() {
      * @return a new PermissionCollection object suitable for
      * storing {@code UnresolvedPermissions}.
      */
-
+    @Override
     public PermissionCollection newPermissionCollection() {
         return new UnresolvedPermissionCollection();
     }