Initialize security providers at run time and hide behind --feature-defaults flags.

Add a test for security provider run time registration.

Add entry to a CHANGELOG.md

Parse java.security.properties file at run time.

Author: jovanstevanovic

substratevm/CHANGELOG.md

@@ -24,6 +24,7 @@ This changelog summarizes major changes to GraalVM Native Image.
 * (GR-59869) Implemented initial optimization of Java Vector API (JEP 338) operations in native images. See the compiler changelog for more details.
 * (GR-63268) Reflection and JNI queries do not require metadata entries to throw the expected JDK exception when querying a class that doesn't exist under `--exact-reachability-metadata` if the query cannot possibly be a valid class name
 * (GR-47881) Remove the total number of loaded types, fields, and methods from the build output, deprecated these metrics in the build output schema, and removed already deprecated build output metrics.
+* (GR-57827) Move the initialization of security providers from build time to runtime.
 
 ## GraalVM for JDK 24 (Internal Version 24.2.0)
 * (GR-59717) Added `DuringSetupAccess.registerObjectReachabilityHandler` to allow registering a callback that is executed when an object of a specified type is marked as reachable during heap scanning.

substratevm/mx.substratevm/suite.py

@@ -361,9 +361,12 @@
                     "sun.reflect.generics.reflectiveObjects",
                     "sun.reflect.generics.repository",
                     "sun.reflect.generics.tree",
+                    "sun.security.rsa",
                     "sun.security.jca",
                     "sun.security.ssl",
                     "sun.security.util",
+                    "sun.security.provider",
+                    "com.sun.crypto.provider",
                     "sun.text.spi",
                     "sun.util",
                     "sun.util.locale",

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/FutureDefaultsOptions.java

@@ -118,4 +118,8 @@ public static boolean allFutureDefaults() {
     public static boolean isJDKInitializedAtRunTime() {
         return allFutureDefaults() || getFutureDefaults().contains(RUN_TIME_INITIALIZE_JDK_NAME);
     }
+
+    public static boolean isJDKInitializedAtBuildTime() {
+        return !isJDKInitializedAtRunTime();
+    }
 }

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecurityProvidersSupport.java

@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2024, 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.oracle.svm.core.jdk;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.security.Provider;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+
+import org.graalvm.nativeimage.ImageSingletons;
+import org.graalvm.nativeimage.Platform;
+import org.graalvm.nativeimage.Platforms;
+
+import com.oracle.svm.core.util.VMError;
+
+import jdk.graal.compiler.api.replacements.Fold;
+
+/**
+ * The class that holds various build-time and run-time structures necessary for security providers.
+ */
+public final class SecurityProvidersSupport {
+    /**
+     * A set of providers to be loaded using the service-loading technique at runtime, but not
+     * discoverable at build-time when processing services in the feature (see
+     * ServiceLoaderFeature#handleServiceClassIsReachable). This occurs when the user does not
+     * explicitly request a provider, but the provider is discovered via static analysis from a
+     * JCA-compliant security service used by the user's code (see
+     * SecurityServicesFeature#registerServiceReachabilityHandlers).
+     */
+    @Platforms(Platform.HOSTED_ONLY.class)//
+    private final Set<String> markedAsNotLoaded = Collections.synchronizedSet(new HashSet<>());
+
+    /** Set of fully qualified provider names, required for runtime resource access. */
+    private final Set<String> userRequestedSecurityProviders = Collections.synchronizedSet(new HashSet<>());
+
+    /**
+     * A map of providers, identified by their names (see {@link Provider#getName()}), and the
+     * results of their verification (see javax.crypto.JceSecurity#getVerificationResult). This
+     * structure is used instead of the (see javax.crypto.JceSecurity#verifyingProviders) map to
+     * avoid keeping provider objects in the image heap.
+     */
+    private final Map<String, Object> verifiedSecurityProviders = Collections.synchronizedMap(new HashMap<>());
+
+    private Properties savedInitialSecurityProperties;
+
+    private Constructor<?> sunECConstructor;
+
+    @Platforms(Platform.HOSTED_ONLY.class)
+    public SecurityProvidersSupport(List<String> userRequestedSecurityProviders) {
+        this.userRequestedSecurityProviders.addAll(userRequestedSecurityProviders);
+    }
+
+    @Fold
+    public static SecurityProvidersSupport singleton() {
+        return ImageSingletons.lookup(SecurityProvidersSupport.class);
+    }
+
+    @Platforms(Platform.HOSTED_ONLY.class)
+    public void addVerifiedSecurityProvider(String key, Object value) {
+        verifiedSecurityProviders.put(key, value);
+    }
+
+    public Object getSecurityProviderVerificationResult(String key) {
+        return verifiedSecurityProviders.get(key);
+    }
+
+    @Platforms(Platform.HOSTED_ONLY.class)
+    public void markSecurityProviderAsNotLoaded(String provider) {
+        markedAsNotLoaded.add(provider);
+    }
+
+    @Platforms(Platform.HOSTED_ONLY.class)
+    public boolean isSecurityProviderNotLoaded(String provider) {
+        return markedAsNotLoaded.contains(provider);
+    }
+
+    @Platforms(Platform.HOSTED_ONLY.class)
+    public boolean isUserRequestedSecurityProvider(String provider) {
+        return userRequestedSecurityProviders.contains(provider);
+    }
+
+    /**
+     * Returns {@code true} if the provider, identified by either its name (e.g., SUN) or fully
+     * qualified name (e.g., sun.security.provider.Sun), is either user-requested or reachable via a
+     * security service.
+     */
+    public boolean isSecurityProviderExpected(String providerName, String providerFQName) {
+        return verifiedSecurityProviders.containsKey(providerName) || userRequestedSecurityProviders.contains(providerFQName);
+    }
+
+    @Platforms(Platform.HOSTED_ONLY.class)
+    public void setSunECConstructor(Constructor<?> sunECConstructor) {
+        this.sunECConstructor = sunECConstructor;
+    }
+
+    public Provider allocateSunECProvider() {
+        try {
+            return (Provider) sunECConstructor.newInstance();
+        } catch (InstantiationException | IllegalAccessException | InvocationTargetException e) {
+            throw VMError.shouldNotReachHere("The SunEC constructor is not present.");
+        }
+    }
+
+    public void setSavedInitialSecurityProperties(Properties savedSecurityProperties) {
+        this.savedInitialSecurityProperties = savedSecurityProperties;
+    }
+
+    public Properties getSavedInitialSecurityProperties() {
+        return savedInitialSecurityProperties;
+    }
+}

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java

@@ -244,7 +244,7 @@ private static void setJavaHome(String newJavaHome) {
     }
 }
 
-@TargetClass(className = "javax.crypto.JceSecurity")
+@TargetClass(className = "javax.crypto.JceSecurity", onlyWith = JDKInitializedAtBuildTime.class)
 @BasedOnJDKFile("https://github.com/openjdk/jdk/blob/jdk-24+27/src/java.base/share/classes/javax/crypto/JceSecurity.java.template")
 @SuppressWarnings({"unused"})
 final class Target_javax_crypto_JceSecurity {
@@ -302,7 +302,7 @@ static Exception getVerificationResult(Provider p) {
     }
 }
 
-@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "WeakIdentityWrapper")
+@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "WeakIdentityWrapper", onlyWith = JDKInitializedAtBuildTime.class)
 @SuppressWarnings({"unused"})
 final class Target_javax_crypto_JceSecurity_WeakIdentityWrapper {
 
@@ -401,7 +401,7 @@ public boolean implies(ProtectionDomain domain, Permission permission) {
     }
 }
 
-@TargetClass(className = "sun.security.jca.ProviderConfig")
+@TargetClass(className = "sun.security.jca.ProviderConfig", onlyWith = JDKInitializedAtBuildTime.class)
 @SuppressWarnings({"unused", "static-method"})
 final class Target_sun_security_jca_ProviderConfig {
 

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/Target_sun_security_ssl_TrustStoreManager.java

@@ -29,6 +29,7 @@
 import java.security.cert.X509Certificate;
 import java.util.Set;
 
+import com.oracle.svm.core.FutureDefaultsOptions;
 import org.graalvm.nativeimage.ImageSingletons;
 import org.graalvm.nativeimage.impl.RuntimeClassInitializationSupport;
 
@@ -89,13 +90,15 @@ public void afterRegistration(AfterRegistrationAccess access) {
          */
         RuntimeClassInitializationSupport rci = ImageSingletons.lookup(RuntimeClassInitializationSupport.class);
         rci.initializeAtBuildTime("sun.security.util.UntrustedCertificates", "Required for TrustStoreManager");
-        /*
-         * All security providers must be registered (and initialized) at buildtime (see
-         * SecuritySubstitutions.java). XMLDSigRI is used for validating XML Signatures from
-         * certificate files while generating X509Certificates.
-         */
-        rci.initializeAtBuildTime("org.jcp.xml.dsig.internal.dom.XMLDSigRI", "Required for TrustStoreManager");
-        rci.initializeAtBuildTime("org.jcp.xml.dsig.internal.dom.XMLDSigRI$ProviderService", "Required for TrustStoreManager");
+        if(!FutureDefaultsOptions.isJDKInitializedAtRunTime()) {
+            /*
+             * All security providers must be registered (and initialized) at buildtime (see
+             * SecuritySubstitutions.java). XMLDSigRI is used for validating XML Signatures from
+             * certificate files while generating X509Certificates.
+             */
+            rci.initializeAtBuildTime("org.jcp.xml.dsig.internal.dom.XMLDSigRI", "Required for TrustStoreManager");
+            rci.initializeAtBuildTime("org.jcp.xml.dsig.internal.dom.XMLDSigRI$ProviderService", "Required for TrustStoreManager");
+        }
     }
 }