8322971: KEM.getInstance() should check if a 3rd-party security provider is signed

Reviewed-by: mullan, valeriep
2025-08-27 14:54:52 +02:00 · 2024-01-11 13:45:40 +00:00 · 2024-01-11 13:45:40 +00:00 · 9fd855ed47
commit 9fd855ed47
parent b8ae4a8c09
4 changed files with 90 additions and 45 deletions
--- a/src/java.base/share/classes/javax/crypto/KEM.java
+++ b/src/java.base/share/classes/javax/crypto/KEM.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2023, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -29,6 +29,7 @@ import sun.security.jca.GetInstance;
 import java.security.*;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Objects;

@ -539,10 +540,19 @@ public final class KEM {
        List<Provider.Service> list = GetInstance.getServices(
                "KEM",
                Objects.requireNonNull(algorithm, "null algorithm name"));
-        if (list.isEmpty()) {
-            throw new NoSuchAlgorithmException(algorithm + " KEM not available");
+        List<Provider.Service> allowed = new ArrayList<>();
+        for (Provider.Service s : list) {
+            if (!JceSecurity.canUseProvider(s.getProvider())) {
+                continue;
+            }
+            allowed.add(s);
        }
-        return new KEM(algorithm, new DelayedKEM(list.toArray(new Provider.Service[0])));
+        if (allowed.isEmpty()) {
+            throw new NoSuchAlgorithmException
+                    (algorithm + " KEM not available");
+        }
+
+        return new KEM(algorithm, new DelayedKEM(allowed.toArray(new Provider.Service[0])));
    }

    /**
@ -568,7 +578,7 @@ public final class KEM {
        if (provider == null) {
            return getInstance(algorithm);
        }
-        GetInstance.Instance instance = GetInstance.getInstance(
+        GetInstance.Instance instance = JceSecurity.getInstance(
                "KEM",
                KEMSpi.class,
                Objects.requireNonNull(algorithm, "null algorithm name"),
@ -601,7 +611,7 @@ public final class KEM {
        if (provider == null) {
            return getInstance(algorithm);
        }
-        GetInstance.Instance instance = GetInstance.getInstance(
+        GetInstance.Instance instance = JceSecurity.getInstance(
                "KEM",
                KEMSpi.class,
                Objects.requireNonNull(algorithm, "null algorithm name"),