8286779: javax.crypto.CryptoPolicyParser#isConsistent always returns 'true'

Reviewed-by: mullan, rhalade
2025-08-27 14:54:52 +02:00 · 2022-06-13 15:31:58 +00:00 · 2022-06-13 15:31:58 +00:00 · 8f400b9aab
commit 8f400b9aab
parent e0baf012b1
2 changed files with 100 additions and 7 deletions
--- a/src/java.base/share/classes/javax/crypto/CryptoPolicyParser.java
+++ b/src/java.base/share/classes/javax/crypto/CryptoPolicyParser.java
@ -71,6 +71,7 @@ final class CryptoPolicyParser {
    // Convenience variables for parsing
    private StreamTokenizer st;
    private int lookahead;
+    private boolean allPermEntryFound = false;

    /**
     * Creates a CryptoPolicyParser object.
@ -129,7 +130,7 @@ final class CryptoPolicyParser {
         * The crypto jurisdiction policy must be consistent. The
         * following hashtable is used for checking consistency.
         */
-        Hashtable<String, Vector<String>> processedPermissions = null;
+        Hashtable<String, Vector<String>> processedPermissions = new Hashtable<>();

        /*
         * The main parsing loop.  The loop is executed once for each entry
@ -191,6 +192,16 @@ final class CryptoPolicyParser {
        e.cryptoPermission = match("permission type");

        if (e.cryptoPermission.equals("javax.crypto.CryptoAllPermission")) {
+            /*
+             * This catches while processing the "javax.crypto.CryptoAllPermission"
+             * entry, but the "processedPermissions" Hashtable already contains
+             * an entry for "javax.crypto.CryptoPermission".
+             */
+            if (!processedPermissions.isEmpty()) {
+                throw new ParsingException(st.lineno(), "Inconsistent policy");
+            }
+            allPermEntryFound = true;
+
            // Done with the CryptoAllPermission entry.
            e.alg = CryptoAllPermission.ALG_NAME;
            e.maxKeySize = Integer.MAX_VALUE;
@ -494,18 +505,21 @@ final class CryptoPolicyParser {
        String thisExemptionMechanism =
            exemptionMechanism == null ? "none" : exemptionMechanism;

-        if (processedPermissions == null) {
-            processedPermissions = new Hashtable<>();
+        /*
+         * This catches while processing a "javax.crypto.CryptoPermission" entry, but
+         * "javax.crypto.CryptoAllPermission" entry already exists.
+         */
+        if (allPermEntryFound) {
+            return false;
+        }
+
+        if (processedPermissions.isEmpty()) {
            Vector<String> exemptionMechanisms = new Vector<>(1);
            exemptionMechanisms.addElement(thisExemptionMechanism);
            processedPermissions.put(alg, exemptionMechanisms);
            return true;
        }

-        if (processedPermissions.containsKey(CryptoAllPermission.ALG_NAME)) {
-            return false;
-        }
-
        Vector<String> exemptionMechanisms;

        if (processedPermissions.containsKey(alg)) {