[GR-11927] Fix security services.

PullRequest: graal/2262

substratevm/JCA-SECURITY-SERVICES.md

@@ -13,7 +13,7 @@ The image builder captures the list of providers and their preference order from
 
 ### Native implementations
 
-Some security providers, like SunEC, are implemented in native code and accessed via JNI. When `--enable-all-security-services` is used then JNI support is enabled by default. If your app uses a provider implemented in a native library that library needs to be delivered together with the generated native image. For example the SunEC provider requires `libsunec.so` for its full implementation. This library is loaded via `System.loadLibrary("sunec")` at run time, the first time services from SunEC are accessed. To use this provider's services the `java.library.path` system property needs to be set accordingly to point to a location that contains `libsunec.so`. Note that if `java.library.path` is not set it defaults to the current working directory.
+Some security providers, like SunEC, are implemented in native code and accessed via JNI. When `--enable-all-security-services` is used then JNI support is enabled by default. If your app uses a provider implemented in a native library that library needs to be delivered together with the generated native image. For example the SunEC provider requires `libsunec.so` for its full implementation. This library is usually shipped as part of the JDK and can be found under `<JAVA_HOME>/jre/lib/<platform>/libsunec.so`. It is loaded at run time via `System.loadLibrary("sunec")`, the first time services from SunEC are accessed. To use this provider's services the `java.library.path` system property needs to be set accordingly to point to a location that contains `libsunec.so`. Note that if `java.library.path` is not set it defaults to the current working directory.
 
 ### Alternative to `--enable-all-security-services`
 

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java

@@ -201,7 +201,12 @@ private static synchronized void initOnce() {
                  * those algorithms are actually used an java.lang.UnsatisfiedLinkError will be
                  * thrown. Just warn the user that the library could not be loaded.
                  */
-                Log.log().string("WARNING: The sunec native library could not be loaded.").newline();
+                Log.log().string("WARNING: The sunec native library, required by the SunEC provider, could not be loaded. " +
+                                "This library is usually shipped as part of the JDK and can be found under <JAVA_HOME>/jre/lib/<platform>/libsunec.so. " +
+                                "It is loaded at run time via System.loadLibrary(\"sunec\"), the first time services from SunEC are accessed. " +
+                                "To use this provider's services the java.library.path system property needs to be set accordingly " +
+                                "to point to a location that contains libsunec.so. " +
+                                "Note that if java.library.path is not set it defaults to the current working directory.").newline();
             }
             initialized = true;
         }

substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java

@@ -105,12 +105,17 @@ public void duringSetup(DuringSetupAccess access) {
         /* java.util.UUID$Holder has a static final SecureRandom field. */
         RuntimeClassInitialization.rerunClassInitialization(access.findClassByName("java.util.UUID$Holder"));
 
-        if (SubstrateOptions.EnableAllSecurityServices.getValue()) {
-            /* These classes have a static final SecureRandom field. */
-            RuntimeClassInitialization.rerunClassInitialization(access.findClassByName("com.sun.crypto.provider.SunJCE$SecureRandomHolder"));
-            RuntimeClassInitialization.rerunClassInitialization(access.findClassByName("sun.security.jca.JCAUtil$CachedSecureRandomHolder"));
-            RuntimeClassInitialization.rerunClassInitialization(access.findClassByName("sun.security.krb5.Confounder"));
+        /*
+         * The classes bellow have a static final SecureRandom field. Note that if the classes are
+         * not found as reachable by the analaysis registering them form class initialization rerun
+         * doesn't have any effect.
+         */
+        RuntimeClassInitialization.rerunClassInitialization(access.findClassByName("sun.security.jca.JCAUtil$CachedSecureRandomHolder"));
+        RuntimeClassInitialization.rerunClassInitialization(access.findClassByName("com.sun.crypto.provider.SunJCE$SecureRandomHolder"));
+        RuntimeClassInitialization.rerunClassInitialization(access.findClassByName("sun.security.krb5.Confounder"));
+        RuntimeClassInitialization.rerunClassInitialization(javax.net.ssl.SSLContext.class);
 
+        if (SubstrateOptions.EnableAllSecurityServices.getValue()) {
             /* Prepare SunEC native library access. */
             prepareSunEC();
         }
@@ -184,6 +189,14 @@ public void beforeAnalysis(BeforeAnalysisAccess access) {
                 VMError.shouldNotReachHere(e);
             }
 
+            /*
+             * Register the default JavaKeyStore, JKS. It is not returned by the
+             * provider.getServices() enumeration.
+             */
+            Class<?> javaKeyStoreJks = access.findClassByName("sun.security.provider.JavaKeyStore$JKS");
+            registerForReflection(javaKeyStoreJks);
+            trace("Class registered for reflection: " + javaKeyStoreJks);
+
             try {
                 /* Register the x509 certificate extension classes for reflection. */
                 trace("Registering X.509 certificate extensions...");