OJ1357: Fix issue on FIPS with a SecurityManager in place (openjdk#25)

Resolves: OPENJDK-1357
Reviewed-by: @martinuy, @gnu-andrew

Author: jerboaa

src/java.base/share/lib/security/default.policy

@@ -151,6 +151,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
     permission java.util.PropertyPermission "os.name", "read";
     permission java.util.PropertyPermission "os.arch", "read";
     permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
+    permission java.util.PropertyPermission "fips.nssdb.path", "read,write";
+    permission java.util.PropertyPermission "fips.nssdb.pin", "read";
     permission java.security.SecurityPermission "putProviderProperty.*";
     permission java.security.SecurityPermission "clearProviderProperties.*";
     permission java.security.SecurityPermission "removeProviderProperty.*";

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java

@@ -168,10 +168,21 @@ public SunPKCS11 run() throws Exception {
                          * fips.nssdb.path System property after expansion.
                          * Security properties expansion is unsupported.
                          */
-                        System.setProperty(
-                                FIPS_NSSDB_PATH_PROP,
+                        String nssdbPath =
                                 SecurityProperties.privilegedGetOverridable(
-                                        FIPS_NSSDB_PATH_PROP));
+                                        FIPS_NSSDB_PATH_PROP);
+                        if (System.getSecurityManager() != null) {
+                            AccessController.doPrivileged(
+                                    (PrivilegedAction<Void>) () -> {
+                                        System.setProperty(
+                                                FIPS_NSSDB_PATH_PROP,
+                                                nssdbPath);
+                                        return null;
+                                    });
+                        } else {
+                            System.setProperty(
+                                    FIPS_NSSDB_PATH_PROP, nssdbPath);
+                        }
                     }
                     return new SunPKCS11(new Config(newConfigName));
                 }
@@ -1450,6 +1461,7 @@ private static final class P11Service extends Service {
         }
 
         @Override
+        @SuppressWarnings("removal")
         public Object newInstance(Object param)
                 throws NoSuchAlgorithmException {
             if (!token.isValid()) {
@@ -1469,7 +1481,26 @@ public Object newInstance(Object param)
                  * property.
                  */
                 try {
-                    token.ensureLoggedIn(null);
+                    if (System.getSecurityManager() != null) {
+                        try {
+                            AccessController.doPrivileged(
+                                    (PrivilegedExceptionAction<Void>) () -> {
+                                        token.ensureLoggedIn(null);
+                                        return null;
+                                    });
+                        } catch (PrivilegedActionException pae) {
+                            Exception e = pae.getException();
+                            if (e instanceof LoginException le) {
+                                throw le;
+                            } else if (e instanceof PKCS11Exception p11e) {
+                                throw p11e;
+                            } else {
+                                throw new RuntimeException(e);
+                            }
+                        }
+                    } else {
+                        token.ensureLoggedIn(null);
+                    }
                 } catch (PKCS11Exception | LoginException e) {
                     throw new ProviderException("FIPS: error during the Token" +
                             " login required for the " + getType() +