opensearch-project · stephen-crawford · Sep 5, 2023 · Sep 1, 2023 · Sep 1, 2023 · Sep 1, 2023
@@ -37,7 +37,6 @@ grant {
   permission java.util.PropertyPermission "*","read,write";
 
   //Enable when we switch to UnboundID LDAP SDK
-  //permission java.util.PropertyPermission "*", "read,write";
   //permission java.lang.RuntimePermission "setFactory";
   //permission javax.net.ssl.SSLPermission "setHostnameVerifier";
 
@@ -60,11 +59,12 @@ grant {
   permission java.security.SecurityPermission "putProviderProperty.BC";
   permission java.security.SecurityPermission "insertProvider.BC";
   permission java.security.SecurityPermission "removeProviderProperty.BC";
+  permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
+  permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";
 
   permission java.lang.RuntimePermission "accessUserInformation";
 
   permission java.security.SecurityPermission "org.apache.xml.security.register";
-  permission java.util.PropertyPermission "org.apache.xml.security.ignoreLineBreaks", "write";
 
   permission java.lang.RuntimePermission "createClassLoader";
 

@@ -968,18 +968,26 @@ private SslContext buildSSLServerContext(
         final ClientAuth authMode
     ) throws SSLException {
 
-        final SslContextBuilder _sslContextBuilder = configureSSLServerContextBuilder(
-            SslContextBuilder.forServer(_key, _cert),
-            sslProvider,
-            ciphers,
-            authMode
-        );
+        try {
+            final SslContextBuilder _sslContextBuilder = AccessController.doPrivileged(new PrivilegedExceptionAction<SslContextBuilder>() {
+                @Override
+                public SslContextBuilder run() throws Exception {
+                    return configureSSLServerContextBuilder(SslContextBuilder.forServer(_key, _cert), sslProvider, ciphers, authMode);
+                }
+            });
 
-        if (_trustedCerts != null && _trustedCerts.length > 0) {
-            _sslContextBuilder.trustManager(_trustedCerts);
-        }
+            if (_trustedCerts != null && _trustedCerts.length > 0) {
+                _sslContextBuilder.trustManager(_trustedCerts);
+            }
 
-        return buildSSLContext0(_sslContextBuilder);
+            return buildSSLContext0(_sslContextBuilder);
+        } catch (final PrivilegedActionException e) {
+            if (e.getCause() instanceof SSLException) {
+                throw (SSLException) e.getCause();
+            } else {
+                throw new RuntimeException(e);
+            }
+        }
     }
 
     private SslContext buildSSLServerContext(
@@ -991,19 +999,32 @@ private SslContext buildSSLServerContext(
         final SslProvider sslProvider,
         final ClientAuth authMode
     ) throws SSLException {
+        final SecurityManager sm = System.getSecurityManager();
 
-        final SslContextBuilder _sslContextBuilder = configureSSLServerContextBuilder(
-            SslContextBuilder.forServer(_cert, _key, pwd),
-            sslProvider,
-            ciphers,
-            authMode
-        );
-
-        if (_trustedCerts != null) {
-            _sslContextBuilder.trustManager(_trustedCerts);
+        if (sm != null) {
+            sm.checkPermission(new SpecialPermission());
         }
 
-        return buildSSLContext0(_sslContextBuilder);
+        try {
+            final SslContextBuilder _sslContextBuilder = AccessController.doPrivileged(new PrivilegedExceptionAction<SslContextBuilder>() {
+                @Override
+                public SslContextBuilder run() throws Exception {
+                    return configureSSLServerContextBuilder(SslContextBuilder.forServer(_cert, _key, pwd), sslProvider, ciphers, authMode);
+                }
+            });
+
+            if (_trustedCerts != null) {
+                _sslContextBuilder.trustManager(_trustedCerts);
+            }
+
+            return buildSSLContext0(_sslContextBuilder);
+        } catch (final PrivilegedActionException e) {
+            if (e.getCause() instanceof SSLException) {
+                throw (SSLException) e.getCause();
+            } else {
+                throw new RuntimeException(e);
+            }
+        }
     }
 
     private SslContextBuilder configureSSLServerContextBuilder(
@@ -1095,7 +1116,11 @@ public SslContext run() throws Exception {
                 }
             });
         } catch (final PrivilegedActionException e) {
-            throw (SSLException) e.getCause();
+            if (e.getCause() instanceof SSLException) {
+                throw (SSLException) e.getCause();
+            } else {
+                throw new RuntimeException(e);
+            }
         }
 
         return sslContext;