From 32fcac39d6dea2a24dced5a27e2d4257d2082bc6 Mon Sep 17 00:00:00 2001 From: Tom Shull Date: Thu, 8 Jul 2021 13:19:38 +0200 Subject: [PATCH] Add support for runtime configuration of default TrustStore. --- .../native-image/CertificateManagement.md | 65 +++++++ docs/security/security-guide.md | 9 + ...et_sun_security_ssl_TrustStoreManager.java | 178 +++++++++++++++--- 3 files changed, 226 insertions(+), 26 deletions(-) create mode 100644 docs/reference-manual/native-image/CertificateManagement.md diff --git a/docs/reference-manual/native-image/CertificateManagement.md b/docs/reference-manual/native-image/CertificateManagement.md new file mode 100644 index 000000000000..bf75632ad19e --- /dev/null +++ b/docs/reference-manual/native-image/CertificateManagement.md @@ -0,0 +1,65 @@ +--- +layout: docs +toc_group: native-image +link_title: Certificate Management in Native Image +permalink: /reference-manual/native-image/CertificateManagement/ +--- +# Certificate Management in Native Image + +Native-image provides multiple ways to specify the certificate file used to +define the default TrustStore. In the following sections we describe the +available buildtime and runtime options. Note the default behavior for +native-image is to capture and use the default TrustStore from the buildtime +host environment. + +## Buildtime Options + +During the image building process, native-image captures the host environment's +default TrustStore and embeds it into the native image. This TrustStore is +by default created from the root certificate file provided within the JDK, but +can be changed to use a different certificate file by setting the buildtime +system property "javax.net.ssl.trustStore" (see [Properties](Properties.md) for +how to do so). + +Since the contents of the buildtime certificate file is embedded into the image +executable, the file itself does not need to present in the target environment. + +## Runtime Options + +The certificate file can also be changed dynamically at runtime via setting +the "javax.net.ssl.trustStore\*" system properties. + +If any of the following system properties are set during image execution, +native-image also requires "javax.net.ssl.trustStore" to be set and for it +to point to an accessible certificate file: +- javax.net.ssl.trustStore +- javax.net.ssl.trustStoreType +- javax.net.ssl.trustStoreProvider +- javax.net.ssl.trustStorePassword + +If any of these properties are set and "javax.net.ssl.trustStore" does not point +to an accessible file, then an UnsupportedFeatureError will be thrown. + +Note that this behavior is different than OpenJDK. When the +"javax.net.ssl.trustStore" system property is unset/invalid, OpenJDK will +fallback to using a certificate file shipped within the JDK; however, such +files will not be present alongside the image executable and hence cannot be +used as a fallback. + +During the execution, it also possible to dynamically change the +"javax.net.ssl.trustStore\*" properties and for the default TrustStore to be +updated accordingly. + +Finally, whenever all of the "javax.net.ssl.trustStore\*" system properties +listed above are unset, the default TrustStore will be the one captured during +buildtime, as described in the [prior section](#buildtime-options). + +## Untrusted Certificates + +During the image building process, a list of untrusted certificates is loaded +from the file /lib/security/blacklisted.certs. This file is used +when validating certificates at both buildtime and runtime. In other words, +when a new certificate file is specified at runtime via setting the +"javax.net.ssl.trustStore\*" system properties, the new certificates will still +be checked against the /lib/security/blacklisted.certs loaded at +image buildtime. diff --git a/docs/security/security-guide.md b/docs/security/security-guide.md index 0b74ca20aae5..a1b65bd0b2c0 100644 --- a/docs/security/security-guide.md +++ b/docs/security/security-guide.md @@ -109,6 +109,15 @@ This can either result in sensitive data ending up in the snapshot or fixing ini Developers can request static initializers that process sensitive information to be instead executed at runtime by either specifying the `--initialize-at-run-time` CLI parameter when building a native image, or making use of the `RuntimeClassInitialization` API. +Native-image provides multiple ways to specify the certificate file used to +define the default TrustStore. While the default behavior for native-image is +to capture and use the default TrustStore from the buildtime host environment, +this can be changed at runtime by setting the "javax.net.ssl.trustStore\*" +system properties. Please see the +[documentation](/reference-manual/native-image/CertificateManagement/) for more +details. + + In addition, developers can run the native image builder in a dedicated environment, such as a container, that does not contain any sensitive information in the first place. ### Serialization in Native Image diff --git a/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/Target_sun_security_ssl_TrustStoreManager.java b/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/Target_sun_security_ssl_TrustStoreManager.java index e2ca85f0db61..ccadf0ed1f6c 100644 --- a/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/Target_sun_security_ssl_TrustStoreManager.java +++ b/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/Target_sun_security_ssl_TrustStoreManager.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2019, 2021, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -24,6 +24,7 @@ */ package com.oracle.svm.core.jdk; +import java.io.File; import java.security.KeyStore; import java.security.cert.X509Certificate; import java.util.Set; @@ -32,25 +33,34 @@ import org.graalvm.nativeimage.hosted.Feature; import org.graalvm.nativeimage.hosted.RuntimeClassInitialization; +import com.oracle.svm.core.annotate.Alias; import com.oracle.svm.core.annotate.AutomaticFeature; import com.oracle.svm.core.annotate.Delete; +import com.oracle.svm.core.annotate.RecomputeFieldValue; import com.oracle.svm.core.annotate.Substitute; import com.oracle.svm.core.annotate.TargetClass; import com.oracle.svm.core.util.VMError; import com.oracle.svm.util.ReflectionUtil; +// Checkstyle: stop +import sun.security.ssl.SSLLogger; +// Checkstyle: resume + /** - * Native image uses the principle of "immutable security" for the root certificates: They are fixed - * at image build time based on the the certificate configuration used for the image generator. This - * avoids shipping a `cacerts` file or requiring to set a system property to set up root - * certificates that are provided by the OS where the image runs. + * Root certificates in native image are fixed/embedded into the image, at image build time, based + * on the certificate configuration used for the image generator. This avoids the need to ship a + * `cacerts` file alongside the image executable. * - * As a consequence, system properties such as `javax.net.ssl.trustStore` do not have an effect at - * run time. They need to be provided at image build time. + *

+ * Users are also allowed to override the embedded root certificate at run time by setting the + * `javax.net.ssl.trustStore*` system properties. For more details about both buildtime and runtime + * certificate management, please refer to CertificateManagement.md. * - * The implementation "freezes" the return values of TrustStoreManager managers by invoking them at - * image build time (using reflection because the class is non-public) and returning the frozen - * values using a substitution. + *

+ * For embedding the build time root certificates, the implementation "freezes" the return values of + * TrustStoreManager managers by invoking them at image build time (using reflection because the + * class is non-public) and returning the frozen values using a substitution. */ @AutomaticFeature final class TrustStoreManagerFeature implements Feature { @@ -73,48 +83,164 @@ public void afterRegistration(AfterRegistrationAccess access) { /* * The class initializer of UntrustedCertificates loads the file * lib/security/blacklisted.certs, so this class must be initialized at image build time. - * This is the default anyway for code JDK classes, but since this this class is relevant - * for security we spell it out explicitly. + * This is the default anyway for code JDK classes, but since this class is relevant for + * security we spell it out explicitly. + * + * Note when a runtime certificate file is specified, we still honor/use the build time + * lib/security/blacklisted.certs file */ RuntimeClassInitialization.initializeAtBuildTime(sun.security.util.UntrustedCertificates.class); - RuntimeClassInitialization.initializeAtBuildTime(org.jcp.xml.dsig.internal.dom.XMLDSigRI.class); } } final class TrustStoreManagerSupport { - final Set trustedCerts; - final KeyStore trustedKeyStore; - TrustStoreManagerSupport(Set trustedCerts, KeyStore trustedKeyStore) { - this.trustedCerts = trustedCerts; - this.trustedKeyStore = trustedKeyStore; + final Set buildtimeTrustedCerts; + final KeyStore buildtimeTrustedKeyStore; + + TrustStoreManagerSupport(Set buildtimeTrustedCerts, KeyStore buildtimeTrustedKeyStore) { + this.buildtimeTrustedCerts = buildtimeTrustedCerts; + this.buildtimeTrustedKeyStore = buildtimeTrustedKeyStore; } + + /** + * This method creates a TrustStoreDescriptor if any of the "javax.net.ssl.trustStore*" + * properties are set, or otherwise returns null. + */ + static Target_sun_security_ssl_TrustStoreManager_TrustStoreDescriptor getRuntimeTrustStoreDescriptor() { + /* First read current system properties. */ + String storePropName = System.getProperty("javax.net.ssl.trustStore"); + String storePropType = System.getProperty("javax.net.ssl.trustStoreType"); + String storePropProvider = System.getProperty("javax.net.ssl.trustStoreProvider"); + String storePropPassword = System.getProperty("javax.net.ssl.trustStorePassword"); + + /* + * Check if any of the properties are set. If not, then should not attempt to create a trust + * store descriptor. + */ + if (storePropName == null && storePropType == null && storePropProvider == null && storePropPassword == null) { + return null; + } + + if (storePropName == null) { + throw VMError.unsupportedFeature( + "System property javax.net.ssl.trustStore must be also set if any of javax.net.ssl.trustStore(Type|Provider|Password) are set." + + "See https://www.graalvm.org/reference-manual/native-image/CertificateManagement#runtime-options for more details about runtime certificate management."); + } + + /* Setting remaining properties to defaults if unset. */ + if (storePropType == null) { + storePropType = KeyStore.getDefaultType(); + } + if (storePropProvider == null) { + storePropProvider = ""; + } + if (storePropPassword == null) { + storePropPassword = ""; + } + + /* Creating TrustStoreDescriptor. */ + Target_sun_security_ssl_TrustStoreManager_TrustStoreDescriptor descriptor = createTrustStoreDescriptor(storePropName, storePropType, storePropProvider, + storePropPassword); + + /* + * Checking if TrustStoreDescriptor was able to find a valid trust store. + */ + if (descriptor == null) { + throw VMError.unsupportedFeature("Inaccessible trust store: " + storePropName + + " See https://www.graalvm.org/reference-manual/native-image/CertificateManagement#runtime-options for more details about runtime certificate management."); + } + + return descriptor; + } + + /** + * Creates a new TrustStoreDescriptor object. + * + * @return A new TrustStoreDescriptor or {@code null} if an appropriate descriptor for the + * provided parameters could not be found. + */ + private static Target_sun_security_ssl_TrustStoreManager_TrustStoreDescriptor createTrustStoreDescriptor(String storePropName, String storePropType, String storePropProvider, + String storePropPassword) { + /* This code is largely taken from the JDK. */ + String temporaryName = ""; + File temporaryFile = null; + long temporaryTime = 0L; + if (!"NONE".equals(storePropName)) { + File f = new File(storePropName); + if (f.isFile() && f.canRead()) { + temporaryName = storePropName; + temporaryFile = f; + temporaryTime = f.lastModified(); + } else { + // The file is inaccessible. + if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) { + SSLLogger.fine("Inaccessible trust store: " + storePropName); + } + + return null; + } + } else { + temporaryName = storePropName; + } + + return new Target_sun_security_ssl_TrustStoreManager_TrustStoreDescriptor( + temporaryName, storePropType, storePropProvider, + storePropPassword, temporaryFile, temporaryTime); + } + } @TargetClass(className = TrustStoreManagerFeature.TRUST_STORE_MANAGER_CLASS_NAME) final class Target_sun_security_ssl_TrustStoreManager { + /* + * This singleton object caches the last retrieved trusted KeyStore and set of trusted + * certificates. + */ + @Alias @RecomputeFieldValue(kind = RecomputeFieldValue.Kind.NewInstance, declClassName = TrustStoreManagerFeature.TRUST_STORE_MANAGER_CLASS_NAME + + "$TrustAnchorManager") private static Target_sun_security_ssl_TrustStoreManager_TrustAnchorManager tam; @Substitute private static Set getTrustedCerts() throws Exception { - return ImageSingletons.lookup(TrustStoreManagerSupport.class).trustedCerts; + Target_sun_security_ssl_TrustStoreManager_TrustStoreDescriptor runtimeDescriptor = TrustStoreManagerSupport.getRuntimeTrustStoreDescriptor(); + if (runtimeDescriptor == null) { + return ImageSingletons.lookup(TrustStoreManagerSupport.class).buildtimeTrustedCerts; + } + return tam.getTrustedCerts(runtimeDescriptor); } @Substitute private static KeyStore getTrustedKeyStore() throws Exception { - return ImageSingletons.lookup(TrustStoreManagerSupport.class).trustedKeyStore; + Target_sun_security_ssl_TrustStoreManager_TrustStoreDescriptor runtimeDescriptor = TrustStoreManagerSupport.getRuntimeTrustStoreDescriptor(); + if (runtimeDescriptor == null) { + return ImageSingletons.lookup(TrustStoreManagerSupport.class).buildtimeTrustedKeyStore; + } + return tam.getKeyStore(runtimeDescriptor); } } -/* - * The internal classes to describe and load root certificates must not be reachable at run time. - */ - -@Delete @TargetClass(className = TrustStoreManagerFeature.TRUST_STORE_MANAGER_CLASS_NAME, innerClass = "TrustStoreDescriptor") final class Target_sun_security_ssl_TrustStoreManager_TrustStoreDescriptor { + @Delete private static String defaultStorePath; + @Delete private static String defaultStore; + @Delete private static String jsseDefaultStore; + + @Delete + static native Target_sun_security_ssl_TrustStoreManager_TrustStoreDescriptor createInstance(); + + @Alias + @SuppressWarnings("unused") + Target_sun_security_ssl_TrustStoreManager_TrustStoreDescriptor(String storeName, String storeType, String storeProvider, String storePassword, File storeFile, long lastModified) { + throw VMError.shouldNotReachHere("This is an alias to the original constructor in the target class, so this code is unreachable"); + } } -@Delete @TargetClass(className = TrustStoreManagerFeature.TRUST_STORE_MANAGER_CLASS_NAME, innerClass = "TrustAnchorManager") final class Target_sun_security_ssl_TrustStoreManager_TrustAnchorManager { + + @Alias + native Set getTrustedCerts(Target_sun_security_ssl_TrustStoreManager_TrustStoreDescriptor descriptor) throws Exception; + + @Alias + native KeyStore getKeyStore(Target_sun_security_ssl_TrustStoreManager_TrustStoreDescriptor descriptor) throws Exception; }