Changes according to commits.

Author: jovanstevanovic

docs/reference-manual/native-image/JCASecurityServices.md

@@ -36,17 +36,20 @@ The report will detail all registered service classes, the API methods that trig
 
 > Note: The `--enable-all-security-services` option is now deprecated and it will be removed in a future release.
 
-## Provider initialization
+## Provider Initialization
 
-Security providers are initialized at build time by default.
+Currently security providers are initialized at build time.
+To move their initialization to run time, use the option `--future-defaults=all` or `--future-defaults=run-time-initialized-jdk`. 
+Provider verification will still occur at build time. 
+Run-time initialization of security providers helps reduce image heap size.
 To move their initialization to run time, you can use the flag `--future-defaults=all` or `--future-defaults=run-time-initialized-jdk`.
 
 ## Provider Registration
 
 The `native-image` builder captures the list of providers and their preference order from the underlying JVM.
 The provider order is specified in the `java.security` file under `<java-home>/conf/security/java.security`.
 New security providers cannot be registered at run time by default (see the section above); all providers must be statically configured at executable build time.
-If the user specifies `--future-defaults=all` or `--future-defaults=run-time-initialized-jdk` (to move initialization to run time), then a specific properties file can be used via the command line flag `-Djava.security.properties=<path>`.
+If the user specifies `--future-defaults=all` or `--future-defaults=run-time-initialized-jdk` to move providers initialization to run time, then a specific properties file can be used via the command line option `-Djava.security.properties=<path>`.
 
 ## Providers Reordering at Run Time
 

substratevm/CHANGELOG.md

@@ -27,7 +27,8 @@ This changelog summarizes major changes to GraalVM Native Image.
 * (GR-64787) Enable `--install-exit-handlers` by default for executables and deprecate the option. If shared libraries were using this flag, the same functionality can be restored by using `-H:+InstallExitHandlers`.
 * (GR-47881) Remove the total number of loaded types, fields, and methods from the build output, deprecated these metrics in the build output schema, and removed already deprecated build output metrics.
 * (GR-64619) Missing registration errors are now subclasses of `LinkageError`
-* (GR-57827) Move the initialization of security providers from build time to runtime.
+* (GR-57827) Security providers can now be initialized at run time (instead of build time) when using the option `--future-defaults=all` or `--future-defaults=run-time-initialized-jdk`.
+Run-time initialization of security providers helps reduce image heap size by avoiding unnecessary objects inclusion.
 
 ## GraalVM for JDK 24 (Internal Version 24.2.0)
 * (GR-59717) Added `DuringSetupAccess.registerObjectReachabilityHandler` to allow registering a callback that is executed when an object of a specified type is marked as reachable during heap scanning.

substratevm/mx.substratevm/suite.py

@@ -352,6 +352,7 @@
             ],
             "requiresConcealed" : {
                 "java.base" : [
+                    "com.sun.crypto.provider",
                     "sun.invoke.util",
                     "sun.net",
                     "sun.net.www",
@@ -361,12 +362,11 @@
                     "sun.reflect.generics.reflectiveObjects",
                     "sun.reflect.generics.repository",
                     "sun.reflect.generics.tree",
-                    "sun.security.rsa",
                     "sun.security.jca",
+                    "sun.security.provider",
+                    "sun.security.rsa",
                     "sun.security.ssl",
                     "sun.security.util",
-                    "sun.security.provider",
-                    "com.sun.crypto.provider",
                     "sun.text.spi",
                     "sun.util",
                     "sun.util.locale",

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecurityProvidersSupport.java

@@ -85,8 +85,8 @@ public static SecurityProvidersSupport singleton() {
     }
 
     @Platforms(Platform.HOSTED_ONLY.class)
-    public void addVerifiedSecurityProvider(String key, Object value) {
-        verifiedSecurityProviders.put(key, value);
+    public void addVerifiedSecurityProvider(String key, Object verificationResult) {
+        verifiedSecurityProviders.put(key, verificationResult);
     }
 
     public Object getSecurityProviderVerificationResult(String key) {
@@ -113,7 +113,7 @@ public boolean isUserRequestedSecurityProvider(String provider) {
      * qualified name (e.g., sun.security.provider.Sun), is either user-requested or reachable via a
      * security service.
      */
-    public boolean isSecurityProviderExpected(String providerName, String providerFQName) {
+    public boolean isSecurityProviderRequested(String providerName, String providerFQName) {
         return verifiedSecurityProviders.containsKey(providerName) || userRequestedSecurityProviders.contains(providerFQName);
     }
 
@@ -130,6 +130,7 @@ public Provider allocateSunECProvider() {
         }
     }
 
+    @Platforms(Platform.HOSTED_ONLY.class)
     public void setSavedInitialSecurityProperties(Properties savedSecurityProperties) {
         this.savedInitialSecurityProperties = savedSecurityProperties;
     }

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java

@@ -36,7 +36,6 @@
 import java.security.Policy;
 import java.security.ProtectionDomain;
 import java.security.Provider;
-import java.security.SecureRandom;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -244,26 +243,28 @@ private static void setJavaHome(String newJavaHome) {
     }
 }
 
+/**
+ * The {@link javax.crypto.JceSecurity#verificationResults} cache is initialized by the
+ * SecurityServicesFeature at build time, for all registered providers. The cache is used by
+ * {@link javax.crypto.JceSecurity#canUseProvider} at run time to check whether a provider is
+ * properly signed and can be used by JCE. It does that via jar verification which we cannot
+ * support.
+ */
 @TargetClass(className = "javax.crypto.JceSecurity", onlyWith = JDKInitializedAtBuildTime.class)
 @BasedOnJDKFile("https://github.com/openjdk/jdk/blob/jdk-24+27/src/java.base/share/classes/javax/crypto/JceSecurity.java.template")
 @SuppressWarnings({"unused"})
 final class Target_javax_crypto_JceSecurity {
 
-    /*
-     * The JceSecurity.verificationResults cache is initialized by the SecurityServicesFeature at
-     * build time, for all registered providers. The cache is used by JceSecurity.canUseProvider()
-     * at runtime to check whether a provider is properly signed and can be used by JCE. It does
-     * that via jar verification which we cannot support.
-     */
-
     // Checkstyle: stop
     @Alias //
     private static Object PROVIDER_VERIFIED;
     // Checkstyle: resume
 
-    // Map<Provider,?> of the providers we already have verified
-    // value == PROVIDER_VERIFIED is successfully verified
-    // value is failure cause Exception in error case
+    /*
+     * Map<Provider, ?> of providers that have already been verified. A value of PROVIDER_VERIFIED
+     * indicates successful verification. Otherwise, the value is the Exception that caused the
+     * verification to fail.
+     */
     @Alias //
     private static Map<Object, Object> verificationResults;
 
@@ -281,7 +282,6 @@ final class Target_javax_crypto_JceSecurity {
 
     @Substitute
     static Exception getVerificationResult(Provider p) {
-        /* Start code block copied from original method. */
         /* The verification results map key is an identity wrapper object. */
         Object key = new Target_javax_crypto_JceSecurity_WeakIdentityWrapper(p, queue);
         Object o = verificationResults.get(key);
@@ -290,7 +290,6 @@ static Exception getVerificationResult(Provider p) {
         } else if (o != null) {
             return (Exception) o;
         }
-        /* End code block copied from original method. */
         /*
          * If the verification result is not found in the verificationResults map JDK proceeds to
          * verify it. That requires accessing the code base which we don't support. The substitution
@@ -311,31 +310,6 @@ final class Target_javax_crypto_JceSecurity_WeakIdentityWrapper {
     }
 }
 
-class JceSecurityAccessor {
-    private static volatile SecureRandom RANDOM;
-
-    static SecureRandom get() {
-        SecureRandom result = RANDOM;
-        if (result == null) {
-            /* Lazy initialization on first access. */
-            result = initializeOnce();
-        }
-        return result;
-    }
-
-    private static synchronized SecureRandom initializeOnce() {
-        SecureRandom result = RANDOM;
-        if (result != null) {
-            /* Double-checked locking is OK because INSTANCE is volatile. */
-            return result;
-        }
-
-        result = new SecureRandom();
-        RANDOM = result;
-        return result;
-    }
-}
-
 /**
  * JDK 8 has the class `javax.crypto.JarVerifier`, but in JDK 11 and later that class is only
  * available in Oracle builds, and not in OpenJDK builds.

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/Target_sun_security_ssl_TrustStoreManager.java

@@ -90,7 +90,7 @@ public void afterRegistration(AfterRegistrationAccess access) {
          */
         RuntimeClassInitializationSupport rci = ImageSingletons.lookup(RuntimeClassInitializationSupport.class);
         rci.initializeAtBuildTime("sun.security.util.UntrustedCertificates", "Required for TrustStoreManager");
-        if (FutureDefaultsOptions.isJDKInitializedAtBuildTime()) {
+        if (!FutureDefaultsOptions.isJDKInitializedAtRunTime()) {
             /*
              * All security providers must be registered (and initialized) at buildtime (see
              * SecuritySubstitutions.java). XMLDSigRI is used for validating XML Signatures from

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/runtimeinit/SecuritySubstitutionRuntimeInit.java

@@ -58,26 +58,23 @@ private static void loadMaster() {
     }
 }
 
+/**
+ * The {@link javax.crypto.JceSecurity#verificationResults} cache is initialized by the
+ * SecurityServicesFeature at build time, for all registered providers. The cache is used by
+ * {@link javax.crypto.JceSecurity#canUseProvider} at run time to check whether a provider is
+ * properly signed and can be used by JCE. It does that via jar verification which we cannot
+ * support.
+ */
 @TargetClass(className = "javax.crypto.JceSecurity", onlyWith = JDKInitializedAtRunTime.class)
 @BasedOnJDKFile("https://github.com/openjdk/jdk/blob/jdk-24+27/src/java.base/share/classes/javax/crypto/JceSecurity.java.template")
 @SuppressWarnings({"unused"})
 final class Target_javax_crypto_JceSecurity {
 
     /*
-     * The JceSecurity.verificationResults cache is initialized by the SecurityServicesFeature at
-     * build time, for all registered providers. The cache is used by JceSecurity.canUseProvider()
-     * at runtime to check whether a provider is properly signed and can be used by JCE. It does
-     * that via jar verification which we cannot support.
+     * Map<Provider, ?> of providers that have already been verified. A value of PROVIDER_VERIFIED
+     * indicates successful verification. Otherwise, the value is the Exception that caused the
+     * verification to fail.
      */
-
-    // Checkstyle: stop
-    @Alias //
-    private static Object PROVIDER_VERIFIED;
-    // Checkstyle: resume
-
-    // Map<Provider,?> of the providers we already have verified
-    // value == PROVIDER_VERIFIED is successfully verified
-    // value is failure cause Exception in error case
     @Alias //
     @RecomputeFieldValue(kind = RecomputeFieldValue.Kind.Reset) //
     private static Map<Object, Object> verificationResults;
@@ -92,15 +89,13 @@ final class Target_javax_crypto_JceSecurity {
 
     @Substitute
     static Exception getVerificationResult(Provider p) {
-        /* Start code block copied from original method. */
         /* The verification results map key is an identity wrapper object. */
         Object o = SecurityProvidersSupport.singleton().getSecurityProviderVerificationResult(p.getName());
-        if (o == PROVIDER_VERIFIED) {
+        if (o == Boolean.TRUE) {
             return null;
         } else if (o != null) {
             return (Exception) o;
         }
-        /* End code block copied from original method. */
         /*
          * If the verification result is not found in the verificationResults map JDK proceeds to
          * verify it. That requires accessing the code base which we don't support. The substitution
@@ -164,24 +159,24 @@ Provider getProvider() {
             SecurityProvidersSupport support = SecurityProvidersSupport.singleton();
             switch (provName) {
                 case "SUN", "sun.security.provider.Sun": {
-                    p = support.isSecurityProviderExpected("SUN", "sun.security.provider.Sun") ? new sun.security.provider.Sun() : null;
+                    p = support.isSecurityProviderRequested("SUN", "sun.security.provider.Sun") ? new sun.security.provider.Sun() : null;
                     break;
                 }
                 case "SunRsaSign", "sun.security.rsa.SunRsaSign": {
-                    p = support.isSecurityProviderExpected("SunRsaSign", "sun.security.rsa.SunRsaSign") ? new sun.security.rsa.SunRsaSign() : null;
+                    p = support.isSecurityProviderRequested("SunRsaSign", "sun.security.rsa.SunRsaSign") ? new sun.security.rsa.SunRsaSign() : null;
                     break;
                 }
                 case "SunJCE", "com.sun.crypto.provider.SunJCE": {
-                    p = support.isSecurityProviderExpected("SunJCE", "com.sun.crypto.provider.SunJCE") ? new com.sun.crypto.provider.SunJCE() : null;
+                    p = support.isSecurityProviderRequested("SunJCE", "com.sun.crypto.provider.SunJCE") ? new com.sun.crypto.provider.SunJCE() : null;
                     break;
                 }
                 case "SunJSSE": {
-                    p = support.isSecurityProviderExpected("SunJSSE", "sun.security.ssl.SunJSSE") ? new sun.security.ssl.SunJSSE() : null;
+                    p = support.isSecurityProviderRequested("SunJSSE", "sun.security.ssl.SunJSSE") ? new sun.security.ssl.SunJSSE() : null;
                     break;
                 }
                 case "SunEC": {
                     // Constructor inside method and then allocate. ModuleSupport to open.
-                    p = support.isSecurityProviderExpected("SunEC", "sun.security.ec.SunEC") ? support.allocateSunECProvider() : null;
+                    p = support.isSecurityProviderRequested("SunEC", "sun.security.ec.SunEC") ? support.allocateSunECProvider() : null;
                     break;
                 }
                 case "Apple", "apple.security.AppleProvider": {

substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java

@@ -238,7 +238,7 @@ public void afterRegistration(AfterRegistrationAccess a) {
     @Override
     public void duringSetup(DuringSetupAccess a) {
         DuringSetupAccessImpl access = (DuringSetupAccessImpl) a;
-        if (FutureDefaultsOptions.isJDKInitializedAtBuildTime()) {
+        if (!FutureDefaultsOptions.isJDKInitializedAtRunTime()) {
             addManuallyConfiguredUsedProviders(a);
 
             verificationResultsField = access.findField("javax.crypto.JceSecurity", "verificationResults");
@@ -251,22 +251,23 @@ public void duringSetup(DuringSetupAccess a) {
 
         RuntimeClassInitializationSupport rci = ImageSingletons.lookup(RuntimeClassInitializationSupport.class);
         if (FutureDefaultsOptions.isJDKInitializedAtRunTime()) {
+            SecurityProvidersSupport support = SecurityProvidersSupport.singleton();
             ModuleSupport.accessPackagesToClass(ModuleSupport.Access.OPEN, SecuritySubstitutions.class, false, "java.base", "sun.security.ec");
             Constructor<?> sunECConstructor = constructor(a, "sun.security.ec.SunEC");
-            SecurityProvidersSupport.singleton().setSunECConstructor(sunECConstructor);
+            support.setSunECConstructor(sunECConstructor);
 
             Properties securityProperties = SharedSecrets.getJavaSecurityPropertiesAccess().getInitialProperties();
-            SecurityProvidersSupport.singleton().setSavedInitialSecurityProperties(securityProperties);
+            support.setSavedInitialSecurityProperties(securityProperties);
 
             /*
              * Security providers will be initialized at run time because the class initialization
              * simulation will determine that automatically. For the three classes below, however,
              * we need to handle this explicitly because their packages are already marked for
              * initialization at build time by JdkInitializationFeature#afterRegistration.
              */
-            rci.initializeAtRunTime("java.security.Security", SECURITY_PROVIDERS_INITIALIZATION);
-            rci.initializeAtRunTime("sun.security.jca.Providers", SECURITY_PROVIDERS_INITIALIZATION);
-            rci.initializeAtRunTime("sun.security.provider.certpath.ldap.JdkLDAP", SECURITY_PROVIDERS_INITIALIZATION);
+            rci.initializeAtRunTime("java.security.Security", FutureDefaultsOptions.RUN_TIME_INITIALIZE_JDK_REASON);
+            rci.initializeAtRunTime("sun.security.jca.Providers", FutureDefaultsOptions.RUN_TIME_INITIALIZE_JDK_REASON);
+            rci.initializeAtRunTime("sun.security.provider.certpath.ldap.JdkLDAP", FutureDefaultsOptions.RUN_TIME_INITIALIZE_JDK_REASON);
         }
 
         /*
@@ -366,7 +367,7 @@ public void beforeAnalysis(BeforeAnalysisAccess a) {
             PlatformNativeLibrarySupport.singleton().addBuiltinPkgNativePrefix("sun_security_mscapi");
         }
 
-        if (FutureDefaultsOptions.isJDKInitializedAtBuildTime()) {
+        if (!FutureDefaultsOptions.isJDKInitializedAtRunTime()) {
             substitutionProcessor = ((Inflation) access.getBigBang()).getAnnotationSubstitutionProcessor();
 
             access.registerFieldValueTransformer(providerListField, new FieldValueTransformerWithAvailability() {

substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/ServiceLoaderFeature.java

@@ -149,7 +149,7 @@ public boolean isInConfiguration(IsInConfigurationAccess access) {
 
     @Override
     public void afterRegistration(AfterRegistrationAccess access) {
-        if (FutureDefaultsOptions.isJDKInitializedAtBuildTime()) {
+        if (!FutureDefaultsOptions.isJDKInitializedAtRunTime()) {
             servicesToSkip.add(java.security.Provider.class.getName());
         }
         servicesToSkip.addAll(Options.ServiceLoaderFeatureExcludeServices.getValue().values());

substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/jdk/JDKInitializationFeature.java

@@ -227,7 +227,7 @@ public void afterRegistration(AfterRegistrationAccess access) {
         rci.initializeAtBuildTime("sun.security.validator", JDK_CLASS_REASON);
         rci.initializeAtBuildTime("sun.security.x509", JDK_CLASS_REASON);
         rci.initializeAtBuildTime("com.sun.jndi", JDK_CLASS_REASON);
-        if (FutureDefaultsOptions.isJDKInitializedAtBuildTime()) {
+        if (!FutureDefaultsOptions.isJDKInitializedAtRunTime()) {
             rci.initializeAtBuildTime("sun.security.pkcs11", JDK_CLASS_REASON);
             rci.initializeAtBuildTime("sun.security.smartcardio", JDK_CLASS_REASON);
             rci.initializeAtBuildTime("com.sun.security.sasl", JDK_CLASS_REASON);