be less fatal on Java 9 -> will still require a lot of refactoring

kares · kares · commit b1bac76f5e47 · 2017-01-23T11:53:22.000+01:00
... won't attempt reflective SPIs when accessibility checks fail!
diff --git a/src/main/java/org/jruby/ext/openssl/OpenSSL.java b/src/main/java/org/jruby/ext/openssl/OpenSSL.java
@@ -268,6 +268,11 @@ static boolean javaVersion8(final boolean atLeast) {
         return atLeast ? gt <= 0 : gt == 0;
     }
 
+    static boolean javaVersion9(final boolean atLeast) {
+        final int gt = "9".compareTo( javaVersion("0").substring(0, 1) );
+        return atLeast ? gt <= 0 : gt == 0;
+    }
+
     private static String javaName(final String def) {
         // Sun Java 6 or Oracle Java 7/8
         // "Java HotSpot(TM) Server VM" or "Java HotSpot(TM) 64-Bit Server VM"
diff --git a/src/main/java/org/jruby/ext/openssl/SecurityHelper.java b/src/main/java/org/jruby/ext/openssl/SecurityHelper.java
@@ -139,7 +139,38 @@ public static Provider getSecurityProvider() {
         return securityProvider;
     }
 
+    static final boolean SPI_ACCESSIBLE;
+
+    static {
+        boolean canSetAccessible = true;
+        if ( OpenSSL.javaVersion9(true) ) {
+            final Provider provider = getSecurityProvider();
+            if ( provider != null ) {
+                try {
+                    // NOTE: some getXxx pieces might still work
+                    // where SPI are returned directly + there's a public <init> e.g. MessageDigest(...)
+                    getCertificateFactory("X.509", provider); // !!! disables EVERYTHING :(
+                }
+                catch (CertificateException ex) {
+                    debugStackTrace(ex);
+                    canSetAccessible = false;
+                }
+                catch (RuntimeException ex) {
+                    debugStackTrace(ex);
+                    // java.lang.reflect.InaccessibleObjectException (extends RuntimeException)
+                    canSetAccessible = false;
+                }
+            }
+        }
+        SPI_ACCESSIBLE = canSetAccessible;
+    }
+
+    static Provider getSecurityProviderIfAccessible() {
+        return SPI_ACCESSIBLE ? getSecurityProvider() : null;
+    }
+
     public static synchronized void setSecurityProvider(final Provider provider) {
+        if ( provider != null ) OpenSSL.debug("using provider: " + provider);
         securityProvider = provider;
     }
 
@@ -165,7 +196,7 @@ static boolean isProviderAvailable(final String name) {
         return Security.getProvider(name) != null;
     }
 
-    static boolean isProviderRegistered() {
+    public static boolean isProviderRegistered() {
         if ( securityProvider == null ) return false;
         return Security.getProvider(securityProvider.getName()) != null;
     }
@@ -190,7 +221,7 @@ private static void doRegisterProvider() {
     public static CertificateFactory getCertificateFactory(final String type)
         throws CertificateException {
         try {
-            final Provider provider = getSecurityProvider();
+            final Provider provider = getSecurityProviderIfAccessible();
             if ( provider != null ) return getCertificateFactory(type, provider);
         }
         catch (CertificateException e) { debugStackTrace(e); }
@@ -227,7 +258,7 @@ static CertificateFactory getCertificateFactory(final String type, final Provide
     public static KeyFactory getKeyFactory(final String algorithm)
         throws NoSuchAlgorithmException {
         try {
-            final Provider provider = getSecurityProvider();
+            final Provider provider = getSecurityProviderIfAccessible();
             if ( provider != null ) return getKeyFactory(algorithm, provider);
         }
         catch (NoSuchAlgorithmException e) { }
@@ -250,7 +281,7 @@ static KeyFactory getKeyFactory(final String algorithm, final Provider provider)
     public static KeyPairGenerator getKeyPairGenerator(final String algorithm)
         throws NoSuchAlgorithmException {
         try {
-            final Provider provider = getSecurityProvider();
+            final Provider provider = getSecurityProviderIfAccessible();
             if ( provider != null ) return getKeyPairGenerator(algorithm, provider);
         }
         catch (NoSuchAlgorithmException e) { }
@@ -290,7 +321,7 @@ static KeyPairGenerator getKeyPairGenerator(final String algorithm, final Provid
     public static KeyStore getKeyStore(final String type)
         throws KeyStoreException {
         try {
-            final Provider provider = getSecurityProvider();
+            final Provider provider = getSecurityProviderIfAccessible();
             if ( provider != null ) return getKeyStore(type, provider);
         }
         catch (KeyStoreException e) { }
@@ -307,7 +338,7 @@ static KeyStore getKeyStore(final String type, final Provider provider)
      */
     public static MessageDigest getMessageDigest(final String algorithm) throws NoSuchAlgorithmException {
         try {
-            final Provider provider = getSecurityProvider();
+            final Provider provider = getSecurityProviderIfAccessible();
             if ( provider != null ) return getMessageDigest(algorithm, provider);
         }
         catch (NoSuchAlgorithmException e) { }
@@ -341,7 +372,7 @@ static MessageDigest getMessageDigest(final String algorithm, final Provider pro
 
     public static SecureRandom getSecureRandom() {
         try {
-            final Provider provider = getSecurityProvider();
+            final Provider provider = getSecurityProviderIfAccessible();
             if ( provider != null ) {
                 final String algorithm = getSecureRandomAlgorithm(provider);
                 if ( algorithm != null ) {
@@ -473,7 +504,7 @@ private static Cipher getCipherInternal(String transformation, final Provider pr
      */
     public static Signature getSignature(final String algorithm) throws NoSuchAlgorithmException {
         try {
-            final Provider provider = getSecurityProvider();
+            final Provider provider = getSecurityProviderIfAccessible();
             if ( provider != null ) return getSignature(algorithm, provider);
         }
         catch (NoSuchAlgorithmException e) { }
@@ -509,7 +540,7 @@ static Signature getSignature(final String algorithm, final Provider provider)
      */
     public static Mac getMac(final String algorithm) throws NoSuchAlgorithmException {
         Mac mac = null;
-        final Provider provider = getSecurityProvider();
+        final Provider provider = getSecurityProviderIfAccessible();
         if ( provider != null ) {
             mac = getMac(algorithm, provider, true);
         }
@@ -540,7 +571,7 @@ private static Mac getMac(final String algorithm, final Provider provider, boole
      */
     public static KeyGenerator getKeyGenerator(final String algorithm) throws NoSuchAlgorithmException {
         try {
-            final Provider provider = getSecurityProvider();
+            final Provider provider = getSecurityProviderIfAccessible();
             if ( provider != null ) return getKeyGenerator(algorithm, provider);
         }
         catch (NoSuchAlgorithmException e) { }
@@ -564,7 +595,7 @@ static KeyGenerator getKeyGenerator(final String algorithm, final Provider provi
      */
     public static KeyAgreement getKeyAgreement(final String algorithm) throws NoSuchAlgorithmException {
         try {
-            final Provider provider = getSecurityProvider();
+            final Provider provider = getSecurityProviderIfAccessible();
             if ( provider != null ) return getKeyAgreement(algorithm, provider);
         }
         catch (NoSuchAlgorithmException e) { }
@@ -588,7 +619,7 @@ static KeyAgreement getKeyAgreement(final String algorithm, final Provider provi
      */
     public static SecretKeyFactory getSecretKeyFactory(final String algorithm) throws NoSuchAlgorithmException {
         try {
-            final Provider provider = getSecurityProvider();
+            final Provider provider = getSecurityProviderIfAccessible();
             if ( provider != null ) return getSecretKeyFactory(algorithm, provider);
         }
         catch (NoSuchAlgorithmException e) { }
@@ -613,7 +644,7 @@ public static SSLContext getSSLContext(final String protocol)
         throws NoSuchAlgorithmException {
         try {
             if ( providerSSLContext ) {
-                final Provider provider = getSecurityProvider();
+                final Provider provider = getSecurityProviderIfAccessible();
                 if ( provider != null ) {
                     return getSSLContext(protocol, provider);
                 }
