[Backport 2.x] Fix permissions issues while reading keys in PKCS#1 format (#3322)

cwperks · web-flow · commit 552de1b41d04 · 2023-09-06T12:40:57.000-04:00
Backport #3289 to 2.x Signed-off-by: Craig Perkins <cwperx@amazon.com>
diff --git a/plugin-security.policy b/plugin-security.policy
@@ -37,7 +37,6 @@ grant {
   permission java.util.PropertyPermission "*","read,write";
 
   //Enable when we switch to UnboundID LDAP SDK
-  //permission java.util.PropertyPermission "*", "read,write";
   //permission java.lang.RuntimePermission "setFactory";
   //permission javax.net.ssl.SSLPermission "setHostnameVerifier";
 
@@ -61,11 +60,12 @@ grant {
   permission java.security.SecurityPermission "insertProvider.BC";
   permission java.security.SecurityPermission "removeProviderProperty.BC";
   permission java.util.PropertyPermission "jdk.tls.rejectClientInitiatedRenegotiation", "write";
+  permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
+  permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";
 
   permission java.lang.RuntimePermission "accessUserInformation";
   
   permission java.security.SecurityPermission "org.apache.xml.security.register";
-  permission java.util.PropertyPermission "org.apache.xml.security.ignoreLineBreaks", "write";
   
   permission java.lang.RuntimePermission "createClassLoader";
   
diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
@@ -958,19 +958,32 @@ private SslContext buildSSLServerContext(
         final ClientAuth authMode
     ) throws SSLException {
 
-        final SslContextBuilder _sslContextBuilder = SslContextBuilder.forServer(_key, _cert)
-            .ciphers(ciphers)
-            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
-            .clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722
-            .sessionCacheSize(0)
-            .sessionTimeout(0)
-            .sslProvider(sslProvider);
+        try {
+            final SslContextBuilder _sslContextBuilder = AccessController.doPrivileged(new PrivilegedExceptionAction<SslContextBuilder>() {
+                @Override
+                public SslContextBuilder run() throws Exception {
+                    return SslContextBuilder.forServer(_key, _cert)
+                        .ciphers(ciphers)
+                        .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
+                        .clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722
+                        .sessionCacheSize(0)
+                        .sessionTimeout(0)
+                        .sslProvider(sslProvider);
+                }
+            });
 
-        if (_trustedCerts != null && _trustedCerts.length > 0) {
-            _sslContextBuilder.trustManager(_trustedCerts);
-        }
+            if (_trustedCerts != null && _trustedCerts.length > 0) {
+                _sslContextBuilder.trustManager(_trustedCerts);
+            }
 
-        return buildSSLContext0(_sslContextBuilder);
+            return buildSSLContext0(_sslContextBuilder);
+        } catch (final PrivilegedActionException e) {
+            if (e.getCause() instanceof SSLException) {
+                throw (SSLException) e.getCause();
+            } else {
+                throw new RuntimeException(e);
+            }
+        }
     }
 
     private SslContext buildSSLServerContext(
@@ -982,20 +995,38 @@ private SslContext buildSSLServerContext(
         final SslProvider sslProvider,
         final ClientAuth authMode
     ) throws SSLException {
+        final SecurityManager sm = System.getSecurityManager();
 
-        final SslContextBuilder _sslContextBuilder = SslContextBuilder.forServer(_cert, _key, pwd)
-            .ciphers(ciphers)
-            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
-            .clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722
-            .sessionCacheSize(0)
-            .sessionTimeout(0)
-            .sslProvider(sslProvider);
-
-        if (_trustedCerts != null) {
-            _sslContextBuilder.trustManager(_trustedCerts);
+        if (sm != null) {
+            sm.checkPermission(new SpecialPermission());
         }
 
-        return buildSSLContext0(_sslContextBuilder);
+        try {
+            final SslContextBuilder _sslContextBuilder = AccessController.doPrivileged(new PrivilegedExceptionAction<SslContextBuilder>() {
+                @Override
+                public SslContextBuilder run() throws Exception {
+                    return SslContextBuilder.forServer(_cert, _key, pwd)
+                        .ciphers(ciphers)
+                        .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
+                        .clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722
+                        .sessionCacheSize(0)
+                        .sessionTimeout(0)
+                        .sslProvider(sslProvider);
+                }
+            });
+
+            if (_trustedCerts != null) {
+                _sslContextBuilder.trustManager(_trustedCerts);
+            }
+
+            return buildSSLContext0(_sslContextBuilder);
+        } catch (final PrivilegedActionException e) {
+            if (e.getCause() instanceof SSLException) {
+                throw (SSLException) e.getCause();
+            } else {
+                throw new RuntimeException(e);
+            }
+        }
     }
 
     private SslContext buildSSLClientContext(
@@ -1059,7 +1090,11 @@ public SslContext run() throws Exception {
                 }
             });
         } catch (final PrivilegedActionException e) {
-            throw (SSLException) e.getCause();
+            if (e.getCause() instanceof SSLException) {
+                throw (SSLException) e.getCause();
+            } else {
+                throw new RuntimeException(e);
+            }
         }
 
         return sslContext;
