1 /*
2 * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.security;
27
28 import java.lang.reflect.*;
29 import java.util.*;
30 import java.util.concurrent.ConcurrentHashMap;
31 import java.io.*;
32 import java.net.URL;
33 import sun.security.util.Debug;
34 import sun.security.util.PropertyExpander;
35
36 import sun.security.jca.*;
37
38 /**
39 * <p>This class centralizes all security properties and common security
40 * methods. One of its primary uses is to manage providers.
41 *
42 * <p>The default values of security properties are read from an
43 * implementation-specific location, which is typically the properties file
44 * {@code lib/security/java.security} in the Java installation directory.
45 *
46 * @author Benjamin Renaud
47 */
48
49 public final class Security {
50
51 /* Are we debugging? -- for developers */
52 private static final Debug sdebug =
53 Debug.getInstance("properties");
54
55 /* The java.security properties */
56 private static Properties props;
57
58 // An element in the cache
59 private static class ProviderProperty {
60 String className;
61 Provider provider;
62 }
63
64 static {
65 // doPrivileged here because there are multiple
66 // things in initialize that might require privs.
67 // (the FileInputStream call and the File.exists call,
68 // the securityPropFile call, etc)
69 AccessController.doPrivileged(new PrivilegedAction<Void>() {
70 public Void run() {
71 initialize();
72 return null;
73 }
74 });
75 }
76
77 private static void initialize() {
78 props = new Properties();
79 boolean loadedProps = false;
80 boolean overrideAll = false;
81
82 // first load the system properties file
83 // to determine the value of security.overridePropertiesFile
84 File propFile = securityPropFile("java.security");
85 if (propFile.exists()) {
86 InputStream is = null;
87 try {
88 FileInputStream fis = new FileInputStream(propFile);
89 is = new BufferedInputStream(fis);
90 props.load(is);
91 loadedProps = true;
92
93 if (sdebug != null) {
94 sdebug.println("reading security properties file: " +
95 propFile);
96 }
97 } catch (IOException e) {
98 if (sdebug != null) {
99 sdebug.println("unable to load security properties from " +
100 propFile);
101 e.printStackTrace();
102 }
103 } finally {
104 if (is != null) {
105 try {
106 is.close();
107 } catch (IOException ioe) {
108 if (sdebug != null) {
109 sdebug.println("unable to close input stream");
110 }
111 }
112 }
113 }
114 }
115
116 if ("true".equalsIgnoreCase(props.getProperty
117 ("security.overridePropertiesFile"))) {
118
119 String extraPropFile = System.getProperty
120 ("java.security.properties");
121 if (extraPropFile != null && extraPropFile.startsWith("=")) {
122 overrideAll = true;
123 extraPropFile = extraPropFile.substring(1);
124 }
125
126 if (overrideAll) {
127 props = new Properties();
128 if (sdebug != null) {
129 sdebug.println
130 ("overriding other security properties files!");
131 }
132 }
133
134 // now load the user-specified file so its values
135 // will win if they conflict with the earlier values
136 if (extraPropFile != null) {
137 BufferedInputStream bis = null;
138 try {
139 URL propURL;
140
141 extraPropFile = PropertyExpander.expand(extraPropFile);
142 propFile = new File(extraPropFile);
143 if (propFile.exists()) {
144 propURL = new URL
145 ("file:" + propFile.getCanonicalPath());
146 } else {
147 propURL = new URL(extraPropFile);
148 }
149 bis = new BufferedInputStream(propURL.openStream());
150 props.load(bis);
151 loadedProps = true;
152
153 if (sdebug != null) {
154 sdebug.println("reading security properties file: " +
155 propURL);
156 if (overrideAll) {
157 sdebug.println
158 ("overriding other security properties files!");
159 }
160 }
161 } catch (Exception e) {
162 if (sdebug != null) {
163 sdebug.println
164 ("unable to load security properties from " +
165 extraPropFile);
166 e.printStackTrace();
167 }
168 } finally {
169 if (bis != null) {
170 try {
171 bis.close();
172 } catch (IOException ioe) {
173 if (sdebug != null) {
174 sdebug.println("unable to close input stream");
175 }
176 }
177 }
178 }
179 }
180 }
181
182 if (!loadedProps) {
183 initializeStatic();
184 if (sdebug != null) {
185 sdebug.println("unable to load security properties " +
186 "-- using defaults");
187 }
188 }
189
190 }
191
192 /*
193 * Initialize to default values, if <java.home>/lib/java.security
194 * is not found.
195 */
196 private static void initializeStatic() {
197 props.put("security.provider.1", "sun.security.provider.Sun");
198 props.put("security.provider.2", "sun.security.rsa.SunRsaSign");
199 props.put("security.provider.3", "com.sun.net.ssl.internal.ssl.Provider");
200 props.put("security.provider.4", "com.sun.crypto.provider.SunJCE");
201 props.put("security.provider.5", "sun.security.jgss.SunProvider");
202 props.put("security.provider.6", "com.sun.security.sasl.Provider");
203 }
204
205 /**
206 * Don't let anyone instantiate this.
207 */
208 private Security() {
209 }
210
211 private static File securityPropFile(String filename) {
212 // maybe check for a system property which will specify where to
213 // look. Someday.
214 String sep = File.separator;
215 return new File(System.getProperty("java.home") + sep + "lib" + sep +
216 "security" + sep + filename);
217 }
218
219 /**
220 * Looks up providers, and returns the property (and its associated
221 * provider) mapping the key, if any.
222 * The order in which the providers are looked up is the
223 * provider-preference order, as specificed in the security
224 * properties file.
225 */
226 private static ProviderProperty getProviderProperty(String key) {
227 ProviderProperty entry = null;
228
229 List<Provider> providers = Providers.getProviderList().providers();
230 for (int i = 0; i < providers.size(); i++) {
231
232 String matchKey = null;
233 Provider prov = providers.get(i);
234 String prop = prov.getProperty(key);
235
236 if (prop == null) {
237 // Is there a match if we do a case-insensitive property name
238 // comparison? Let's try ...
239 for (Enumeration<Object> e = prov.keys();
240 e.hasMoreElements() && prop == null; ) {
241 matchKey = (String)e.nextElement();
242 if (key.equalsIgnoreCase(matchKey)) {
243 prop = prov.getProperty(matchKey);
244 break;
245 }
246 }
247 }
248
249 if (prop != null) {
250 ProviderProperty newEntry = new ProviderProperty();
251 newEntry.className = prop;
252 newEntry.provider = prov;
253 return newEntry;
254 }
255 }
256
257 return entry;
258 }
259
260 /**
261 * Returns the property (if any) mapping the key for the given provider.
262 */
263 private static String getProviderProperty(String key, Provider provider) {
264 String prop = provider.getProperty(key);
265 if (prop == null) {
266 // Is there a match if we do a case-insensitive property name
267 // comparison? Let's try ...
268 for (Enumeration<Object> e = provider.keys();
269 e.hasMoreElements() && prop == null; ) {
270 String matchKey = (String)e.nextElement();
271 if (key.equalsIgnoreCase(matchKey)) {
272 prop = provider.getProperty(matchKey);
273 break;
274 }
275 }
276 }
277 return prop;
278 }
279
280 /**
281 * Gets a specified property for an algorithm. The algorithm name
282 * should be a standard name. See the <a href=
283 * "{@docRoot}/../technotes/guides/security/StandardNames.html">
284 * Java Cryptography Architecture Standard Algorithm Name Documentation</a>
285 * for information about standard algorithm names.
286 *
287 * One possible use is by specialized algorithm parsers, which may map
288 * classes to algorithms which they understand (much like Key parsers
289 * do).
290 *
291 * @param algName the algorithm name.
292 *
293 * @param propName the name of the property to get.
294 *
295 * @return the value of the specified property.
296 *
297 * @deprecated This method used to return the value of a proprietary
298 * property in the master file of the "SUN" Cryptographic Service
299 * Provider in order to determine how to parse algorithm-specific
300 * parameters. Use the new provider-based and algorithm-independent
301 * {@code AlgorithmParameters} and {@code KeyFactory} engine
302 * classes (introduced in the J2SE version 1.2 platform) instead.
303 */
304 @Deprecated
305 public static String getAlgorithmProperty(String algName,
306 String propName) {
307 ProviderProperty entry = getProviderProperty("Alg." + propName
308 + "." + algName);
309 if (entry != null) {
310 return entry.className;
311 } else {
312 return null;
313 }
314 }
315
316 /**
317 * Adds a new provider, at a specified position. The position is
318 * the preference order in which providers are searched for
319 * requested algorithms. The position is 1-based, that is,
320 * 1 is most preferred, followed by 2, and so on.
321 *
322 * <p>If the given provider is installed at the requested position,
323 * the provider that used to be at that position, and all providers
324 * with a position greater than {@code position}, are shifted up
325 * one position (towards the end of the list of installed providers).
326 *
327 * <p>A provider cannot be added if it is already installed.
328 *
329 * <p>First, if there is a security manager, its
330 * {@code checkSecurityAccess}
331 * method is called with the string
332 * {@code "insertProvider."+provider.getName()}
333 * to see if it's ok to add a new provider.
334 * If the default implementation of {@code checkSecurityAccess}
335 * is used (i.e., that method is not overriden), then this will result in
336 * a call to the security manager's {@code checkPermission} method
337 * with a
338 * {@code SecurityPermission("insertProvider."+provider.getName())}
339 * permission.
340 *
341 * @param provider the provider to be added.
342 *
343 * @param position the preference position that the caller would
344 * like for this provider.
345 *
346 * @return the actual preference position in which the provider was
347 * added, or -1 if the provider was not added because it is
348 * already installed.
349 *
350 * @throws NullPointerException if provider is null
351 * @throws SecurityException
352 * if a security manager exists and its {@link
353 * java.lang.SecurityManager#checkSecurityAccess} method
354 * denies access to add a new provider
355 *
356 * @see #getProvider
357 * @see #removeProvider
358 * @see java.security.SecurityPermission
359 */
360 public static synchronized int insertProviderAt(Provider provider,
361 int position) {
362 String providerName = provider.getName();
363 check("insertProvider." + providerName);
364 ProviderList list = Providers.getFullProviderList();
365 ProviderList newList = ProviderList.insertAt(list, provider, position - 1);
366 if (list == newList) {
367 return -1;
368 }
369 Providers.setProviderList(newList);
370 return newList.getIndex(providerName) + 1;
371 }
372
373 /**
374 * Adds a provider to the next position available.
375 *
376 * <p>First, if there is a security manager, its
377 * {@code checkSecurityAccess}
378 * method is called with the string
379 * {@code "insertProvider."+provider.getName()}
380 * to see if it's ok to add a new provider.
381 * If the default implementation of {@code checkSecurityAccess}
382 * is used (i.e., that method is not overriden), then this will result in
383 * a call to the security manager's {@code checkPermission} method
384 * with a
385 * {@code SecurityPermission("insertProvider."+provider.getName())}
386 * permission.
387 *
388 * @param provider the provider to be added.
389 *
390 * @return the preference position in which the provider was
391 * added, or -1 if the provider was not added because it is
392 * already installed.
393 *
394 * @throws NullPointerException if provider is null
395 * @throws SecurityException
396 * if a security manager exists and its {@link
397 * java.lang.SecurityManager#checkSecurityAccess} method
398 * denies access to add a new provider
399 *
400 * @see #getProvider
401 * @see #removeProvider
402 * @see java.security.SecurityPermission
403 */
404 public static int addProvider(Provider provider) {
405 /*
406 * We can't assign a position here because the statically
407 * registered providers may not have been installed yet.
408 * insertProviderAt() will fix that value after it has
409 * loaded the static providers.
410 */
411 return insertProviderAt(provider, 0);
412 }
413
414 /**
415 * Removes the provider with the specified name.
416 *
417 * <p>When the specified provider is removed, all providers located
418 * at a position greater than where the specified provider was are shifted
419 * down one position (towards the head of the list of installed
420 * providers).
421 *
422 * <p>This method returns silently if the provider is not installed or
423 * if name is null.
424 *
425 * <p>First, if there is a security manager, its
426 * {@code checkSecurityAccess}
427 * method is called with the string {@code "removeProvider."+name}
428 * to see if it's ok to remove the provider.
429 * If the default implementation of {@code checkSecurityAccess}
430 * is used (i.e., that method is not overriden), then this will result in
431 * a call to the security manager's {@code checkPermission} method
432 * with a {@code SecurityPermission("removeProvider."+name)}
433 * permission.
434 *
435 * @param name the name of the provider to remove.
436 *
437 * @throws SecurityException
438 * if a security manager exists and its {@link
439 * java.lang.SecurityManager#checkSecurityAccess} method
440 * denies
441 * access to remove the provider
442 *
443 * @see #getProvider
444 * @see #addProvider
445 */
446 public static synchronized void removeProvider(String name) {
447 check("removeProvider." + name);
448 ProviderList list = Providers.getFullProviderList();
449 ProviderList newList = ProviderList.remove(list, name);
450 Providers.setProviderList(newList);
451 }
452
453 /**
454 * Returns an array containing all the installed providers. The order of
455 * the providers in the array is their preference order.
456 *
457 * @return an array of all the installed providers.
458 */
459 public static Provider[] getProviders() {
460 return Providers.getFullProviderList().toArray();
461 }
462
463 /**
464 * Returns the provider installed with the specified name, if
465 * any. Returns null if no provider with the specified name is
466 * installed or if name is null.
467 *
468 * @param name the name of the provider to get.
469 *
470 * @return the provider of the specified name.
471 *
472 * @see #removeProvider
473 * @see #addProvider
474 */
475 public static Provider getProvider(String name) {
476 return Providers.getProviderList().getProvider(name);
477 }
478
479 /**
480 * Returns an array containing all installed providers that satisfy the
481 * specified selection criterion, or null if no such providers have been
482 * installed. The returned providers are ordered
483 * according to their <a href=
484 * "#insertProviderAt(java.security.Provider, int)">preference order</a>.
485 *
486 * <p> A cryptographic service is always associated with a particular
487 * algorithm or type. For example, a digital signature service is
488 * always associated with a particular algorithm (e.g., DSA),
489 * and a CertificateFactory service is always associated with
490 * a particular certificate type (e.g., X.509).
491 *
492 * <p>The selection criterion must be specified in one of the following two
493 * formats:
494 * <ul>
495 * <li> <i><crypto_service>.<algorithm_or_type></i> <p> The
496 * cryptographic service name must not contain any dots.
497 * <p> A
498 * provider satisfies the specified selection criterion iff the provider
499 * implements the
500 * specified algorithm or type for the specified cryptographic service.
501 * <p> For example, "CertificateFactory.X.509"
502 * would be satisfied by any provider that supplied
503 * a CertificateFactory implementation for X.509 certificates.
504 * <li> <i><crypto_service>.<algorithm_or_type>
505 * <attribute_name>:< attribute_value></i>
506 * <p> The cryptographic service name must not contain any dots. There
507 * must be one or more space charaters between the
508 * <i><algorithm_or_type></i> and the <i><attribute_name></i>.
509 * <p> A provider satisfies this selection criterion iff the
510 * provider implements the specified algorithm or type for the specified
511 * cryptographic service and its implementation meets the
512 * constraint expressed by the specified attribute name/value pair.
513 * <p> For example, "Signature.SHA1withDSA KeySize:1024" would be
514 * satisfied by any provider that implemented
515 * the SHA1withDSA signature algorithm with a keysize of 1024 (or larger).
516 *
517 * </ul>
518 *
519 * <p> See the <a href=
520 * "{@docRoot}/../technotes/guides/security/StandardNames.html">
521 * Java Cryptography Architecture Standard Algorithm Name Documentation</a>
522 * for information about standard cryptographic service names, standard
523 * algorithm names and standard attribute names.
524 *
525 * @param filter the criterion for selecting
526 * providers. The filter is case-insensitive.
527 *
528 * @return all the installed providers that satisfy the selection
529 * criterion, or null if no such providers have been installed.
530 *
531 * @throws InvalidParameterException
532 * if the filter is not in the required format
533 * @throws NullPointerException if filter is null
534 *
535 * @see #getProviders(java.util.Map)
536 * @since 1.3
537 */
538 public static Provider[] getProviders(String filter) {
539 String key = null;
540 String value = null;
541 int index = filter.indexOf(':');
542
543 if (index == -1) {
544 key = filter;
545 value = "";
546 } else {
547 key = filter.substring(0, index);
548 value = filter.substring(index + 1);
549 }
550
551 Hashtable<String, String> hashtableFilter = new Hashtable<>(1);
552 hashtableFilter.put(key, value);
553
554 return (getProviders(hashtableFilter));
555 }
556
557 /**
558 * Returns an array containing all installed providers that satisfy the
559 * specified* selection criteria, or null if no such providers have been
560 * installed. The returned providers are ordered
561 * according to their <a href=
562 * "#insertProviderAt(java.security.Provider, int)">preference order</a>.
563 *
564 * <p>The selection criteria are represented by a map.
565 * Each map entry represents a selection criterion.
566 * A provider is selected iff it satisfies all selection
567 * criteria. The key for any entry in such a map must be in one of the
568 * following two formats:
569 * <ul>
570 * <li> <i><crypto_service>.<algorithm_or_type></i>
571 * <p> The cryptographic service name must not contain any dots.
572 * <p> The value associated with the key must be an empty string.
573 * <p> A provider
574 * satisfies this selection criterion iff the provider implements the
575 * specified algorithm or type for the specified cryptographic service.
576 * <li> <i><crypto_service>.<algorithm_or_type> <attribute_name></i>
577 * <p> The cryptographic service name must not contain any dots. There
578 * must be one or more space charaters between the <i><algorithm_or_type></i>
579 * and the <i><attribute_name></i>.
580 * <p> The value associated with the key must be a non-empty string.
581 * A provider satisfies this selection criterion iff the
582 * provider implements the specified algorithm or type for the specified
583 * cryptographic service and its implementation meets the
584 * constraint expressed by the specified attribute name/value pair.
585 * </ul>
586 *
587 * <p> See the <a href=
588 * "../../../technotes/guides/security/StandardNames.html">
589 * Java Cryptography Architecture Standard Algorithm Name Documentation</a>
590 * for information about standard cryptographic service names, standard
591 * algorithm names and standard attribute names.
592 *
593 * @param filter the criteria for selecting
594 * providers. The filter is case-insensitive.
595 *
596 * @return all the installed providers that satisfy the selection
597 * criteria, or null if no such providers have been installed.
598 *
599 * @throws InvalidParameterException
600 * if the filter is not in the required format
601 * @throws NullPointerException if filter is null
602 *
603 * @see #getProviders(java.lang.String)
604 * @since 1.3
605 */
606 public static Provider[] getProviders(Map<String,String> filter) {
607 // Get all installed providers first.
608 // Then only return those providers who satisfy the selection criteria.
609 Provider[] allProviders = Security.getProviders();
610 Set<String> keySet = filter.keySet();
611 LinkedHashSet<Provider> candidates = new LinkedHashSet<>(5);
612
613 // Returns all installed providers
614 // if the selection criteria is null.
615 if ((keySet == null) || (allProviders == null)) {
616 return allProviders;
617 }
618
619 boolean firstSearch = true;
620
621 // For each selection criterion, remove providers
622 // which don't satisfy the criterion from the candidate set.
623 for (Iterator<String> ite = keySet.iterator(); ite.hasNext(); ) {
624 String key = ite.next();
625 String value = filter.get(key);
626
627 LinkedHashSet<Provider> newCandidates = getAllQualifyingCandidates(key, value,
628 allProviders);
629 if (firstSearch) {
630 candidates = newCandidates;
631 firstSearch = false;
632 }
633
634 if ((newCandidates != null) && !newCandidates.isEmpty()) {
635 // For each provider in the candidates set, if it
636 // isn't in the newCandidate set, we should remove
637 // it from the candidate set.
638 for (Iterator<Provider> cansIte = candidates.iterator();
639 cansIte.hasNext(); ) {
640 Provider prov = cansIte.next();
641 if (!newCandidates.contains(prov)) {
642 cansIte.remove();
643 }
644 }
645 } else {
646 candidates = null;
647 break;
648 }
649 }
650
651 if ((candidates == null) || (candidates.isEmpty()))
652 return null;
653
654 Object[] candidatesArray = candidates.toArray();
655 Provider[] result = new Provider[candidatesArray.length];
656
657 for (int i = 0; i < result.length; i++) {
658 result[i] = (Provider)candidatesArray[i];
659 }
660
661 return result;
662 }
663
664 // Map containing cached Spi Class objects of the specified type
665 private static final Map<String, Class<?>> spiMap =
666 new ConcurrentHashMap<>();
667
668 /**
669 * Return the Class object for the given engine type
670 * (e.g. "MessageDigest"). Works for Spis in the java.security package
671 * only.
672 */
673 private static Class<?> getSpiClass(String type) {
674 Class<?> clazz = spiMap.get(type);
675 if (clazz != null) {
676 return clazz;
677 }
678 try {
679 clazz = Class.forName("java.security." + type + "Spi");
680 spiMap.put(type, clazz);
681 return clazz;
682 } catch (ClassNotFoundException e) {
683 throw new AssertionError("Spi class not found", e);
684 }
685 }
686
687 /*
688 * Returns an array of objects: the first object in the array is
689 * an instance of an implementation of the requested algorithm
690 * and type, and the second object in the array identifies the provider
691 * of that implementation.
692 * The {@code provider} argument can be null, in which case all
693 * configured providers will be searched in order of preference.
694 */
695 static Object[] getImpl(String algorithm, String type, String provider)
696 throws NoSuchAlgorithmException, NoSuchProviderException {
697 if (provider == null) {
698 return GetInstance.getInstance
699 (type, getSpiClass(type), algorithm).toArray();
700 } else {
701 return GetInstance.getInstance
702 (type, getSpiClass(type), algorithm, provider).toArray();
703 }
704 }
705
706 static Object[] getImpl(String algorithm, String type, String provider,
707 Object params) throws NoSuchAlgorithmException,
708 NoSuchProviderException, InvalidAlgorithmParameterException {
709 if (provider == null) {
710 return GetInstance.getInstance
711 (type, getSpiClass(type), algorithm, params).toArray();
712 } else {
713 return GetInstance.getInstance
714 (type, getSpiClass(type), algorithm, params, provider).toArray();
715 }
716 }
717
718 /*
719 * Returns an array of objects: the first object in the array is
720 * an instance of an implementation of the requested algorithm
721 * and type, and the second object in the array identifies the provider
722 * of that implementation.
723 * The {@code provider} argument cannot be null.
724 */
725 static Object[] getImpl(String algorithm, String type, Provider provider)
726 throws NoSuchAlgorithmException {
727 return GetInstance.getInstance
728 (type, getSpiClass(type), algorithm, provider).toArray();
729 }
730
731 static Object[] getImpl(String algorithm, String type, Provider provider,
732 Object params) throws NoSuchAlgorithmException,
733 InvalidAlgorithmParameterException {
734 return GetInstance.getInstance
735 (type, getSpiClass(type), algorithm, params, provider).toArray();
736 }
737
738 /**
739 * Gets a security property value.
740 *
741 * <p>First, if there is a security manager, its
742 * {@code checkPermission} method is called with a
743 * {@code java.security.SecurityPermission("getProperty."+key)}
744 * permission to see if it's ok to retrieve the specified
745 * security property value..
746 *
747 * @param key the key of the property being retrieved.
748 *
749 * @return the value of the security property corresponding to key.
750 *
751 * @throws SecurityException
752 * if a security manager exists and its {@link
753 * java.lang.SecurityManager#checkPermission} method
754 * denies
755 * access to retrieve the specified security property value
756 * @throws NullPointerException is key is null
757 *
758 * @see #setProperty
759 * @see java.security.SecurityPermission
760 */
761 public static String getProperty(String key) {
762 SecurityManager sm = System.getSecurityManager();
763 if (sm != null) {
764 sm.checkPermission(new SecurityPermission("getProperty."+
765 key));
766 }
767 String name = props.getProperty(key);
768 if (name != null)
769 name = name.trim(); // could be a class name with trailing ws
770 return name;
771 }
772
773 /**
774 * Sets a security property value.
775 *
776 * <p>First, if there is a security manager, its
777 * {@code checkPermission} method is called with a
778 * {@code java.security.SecurityPermission("setProperty."+key)}
779 * permission to see if it's ok to set the specified
780 * security property value.
781 *
782 * @param key the name of the property to be set.
783 *
784 * @param datum the value of the property to be set.
785 *
786 * @throws SecurityException
787 * if a security manager exists and its {@link
788 * java.lang.SecurityManager#checkPermission} method
789 * denies access to set the specified security property value
790 * @throws NullPointerException if key or datum is null
791 *
792 * @see #getProperty
793 * @see java.security.SecurityPermission
794 */
795 public static void setProperty(String key, String datum) {
796 check("setProperty."+key);
797 props.put(key, datum);
798 invalidateSMCache(key); /* See below. */
799 }
800
801 /*
802 * Implementation detail: If the property we just set in
803 * setProperty() was either "package.access" or
804 * "package.definition", we need to signal to the SecurityManager
805 * class that the value has just changed, and that it should
806 * invalidate it's local cache values.
807 *
808 * Rather than create a new API entry for this function,
809 * we use reflection to set a private variable.
810 */
811 private static void invalidateSMCache(String key) {
812
813 final boolean pa = key.equals("package.access");
814 final boolean pd = key.equals("package.definition");
815
816 if (pa || pd) {
817 AccessController.doPrivileged(new PrivilegedAction<Void>() {
818 public Void run() {
819 try {
820 /* Get the class via the bootstrap class loader. */
821 Class<?> cl = Class.forName(
822 "java.lang.SecurityManager", false, null);
823 Field f = null;
824 boolean accessible = false;
825
826 if (pa) {
827 f = cl.getDeclaredField("packageAccessValid");
828 accessible = f.isAccessible();
829 f.setAccessible(true);
830 } else {
831 f = cl.getDeclaredField("packageDefinitionValid");
832 accessible = f.isAccessible();
833 f.setAccessible(true);
834 }
835 f.setBoolean(f, false);
836 f.setAccessible(accessible);
837 }
838 catch (Exception e1) {
839 /* If we couldn't get the class, it hasn't
840 * been loaded yet. If there is no such
841 * field, we shouldn't try to set it. There
842 * shouldn't be a security execption, as we
843 * are loaded by boot class loader, and we
844 * are inside a doPrivileged() here.
845 *
846 * NOOP: don't do anything...
847 */
848 }
849 return null;
850 } /* run */
851 }); /* PrivilegedAction */
852 } /* if */
853 }
854
855 private static void check(String directive) {
856 SecurityManager security = System.getSecurityManager();
857 if (security != null) {
858 security.checkSecurityAccess(directive);
859 }
860 }
861
862 /*
863 * Returns all providers who satisfy the specified
864 * criterion.
865 */
866 private static LinkedHashSet<Provider> getAllQualifyingCandidates(
867 String filterKey,
868 String filterValue,
869 Provider[] allProviders) {
870 String[] filterComponents = getFilterComponents(filterKey,
871 filterValue);
872
873 // The first component is the service name.
874 // The second is the algorithm name.
875 // If the third isn't null, that is the attrinute name.
876 String serviceName = filterComponents[0];
877 String algName = filterComponents[1];
878 String attrName = filterComponents[2];
879
880 return getProvidersNotUsingCache(serviceName, algName, attrName,
881 filterValue, allProviders);
882 }
883
884 private static LinkedHashSet<Provider> getProvidersNotUsingCache(
885 String serviceName,
886 String algName,
887 String attrName,
888 String filterValue,
889 Provider[] allProviders) {
890 LinkedHashSet<Provider> candidates = new LinkedHashSet<>(5);
891 for (int i = 0; i < allProviders.length; i++) {
892 if (isCriterionSatisfied(allProviders[i], serviceName,
893 algName,
894 attrName, filterValue)) {
895 candidates.add(allProviders[i]);
896 }
897 }
898 return candidates;
899 }
900
901 /*
902 * Returns true if the given provider satisfies
903 * the selection criterion key:value.
904 */
905 private static boolean isCriterionSatisfied(Provider prov,
906 String serviceName,
907 String algName,
908 String attrName,
909 String filterValue) {
910 String key = serviceName + '.' + algName;
911
912 if (attrName != null) {
913 key += ' ' + attrName;
914 }
915 // Check whether the provider has a property
916 // whose key is the same as the given key.
917 String propValue = getProviderProperty(key, prov);
918
919 if (propValue == null) {
920 // Check whether we have an alias instead
921 // of a standard name in the key.
922 String standardName = getProviderProperty("Alg.Alias." +
923 serviceName + "." +
924 algName,
925 prov);
926 if (standardName != null) {
927 key = serviceName + "." + standardName;
928
929 if (attrName != null) {
930 key += ' ' + attrName;
931 }
932
933 propValue = getProviderProperty(key, prov);
934 }
935
936 if (propValue == null) {
937 // The provider doesn't have the given
938 // key in its property list.
939 return false;
940 }
941 }
942
943 // If the key is in the format of:
944 // <crypto_service>.<algorithm_or_type>,
945 // there is no need to check the value.
946
947 if (attrName == null) {
948 return true;
949 }
950
951 // If we get here, the key must be in the
952 // format of <crypto_service>.<algorithm_or_provider> <attribute_name>.
953 if (isStandardAttr(attrName)) {
954 return isConstraintSatisfied(attrName, filterValue, propValue);
955 } else {
956 return filterValue.equalsIgnoreCase(propValue);
957 }
958 }
959
960 /*
961 * Returns true if the attribute is a standard attribute;
962 * otherwise, returns false.
963 */
964 private static boolean isStandardAttr(String attribute) {
965 // For now, we just have two standard attributes:
966 // KeySize and ImplementedIn.
967 if (attribute.equalsIgnoreCase("KeySize"))
968 return true;
969
970 if (attribute.equalsIgnoreCase("ImplementedIn"))
971 return true;
972
973 return false;
974 }
975
976 /*
977 * Returns true if the requested attribute value is supported;
978 * otherwise, returns false.
979 */
980 private static boolean isConstraintSatisfied(String attribute,
981 String value,
982 String prop) {
983 // For KeySize, prop is the max key size the
984 // provider supports for a specific <crypto_service>.<algorithm>.
985 if (attribute.equalsIgnoreCase("KeySize")) {
986 int requestedSize = Integer.parseInt(value);
987 int maxSize = Integer.parseInt(prop);
988 if (requestedSize <= maxSize) {
989 return true;
990 } else {
991 return false;
992 }
993 }
994
995 // For Type, prop is the type of the implementation
996 // for a specific <crypto service>.<algorithm>.
997 if (attribute.equalsIgnoreCase("ImplementedIn")) {
998 return value.equalsIgnoreCase(prop);
999 }
1000
1001 return false;
1002 }
1003
1004 static String[] getFilterComponents(String filterKey, String filterValue) {
1005 int algIndex = filterKey.indexOf('.');
1006
1007 if (algIndex < 0) {
1008 // There must be a dot in the filter, and the dot
1009 // shouldn't be at the beginning of this string.
1010 throw new InvalidParameterException("Invalid filter");
1011 }
1012
1013 String serviceName = filterKey.substring(0, algIndex);
1014 String algName = null;
1015 String attrName = null;
1016
1017 if (filterValue.length() == 0) {
1018 // The filterValue is an empty string. So the filterKey
1019 // should be in the format of <crypto_service>.<algorithm_or_type>.
1020 algName = filterKey.substring(algIndex + 1).trim();
1021 if (algName.length() == 0) {
1022 // There must be a algorithm or type name.
1023 throw new InvalidParameterException("Invalid filter");
1024 }
1025 } else {
1026 // The filterValue is a non-empty string. So the filterKey must be
1027 // in the format of
1028 // <crypto_service>.<algorithm_or_type> <attribute_name>
1029 int attrIndex = filterKey.indexOf(' ');
1030
1031 if (attrIndex == -1) {
1032 // There is no attribute name in the filter.
1033 throw new InvalidParameterException("Invalid filter");
1034 } else {
1035 attrName = filterKey.substring(attrIndex + 1).trim();
1036 if (attrName.length() == 0) {
1037 // There is no attribute name in the filter.
1038 throw new InvalidParameterException("Invalid filter");
1039 }
1040 }
1041
1042 // There must be an algorithm name in the filter.
1043 if ((attrIndex < algIndex) ||
1044 (algIndex == attrIndex - 1)) {
1045 throw new InvalidParameterException("Invalid filter");
1046 } else {
1047 algName = filterKey.substring(algIndex + 1, attrIndex);
1048 }
1049 }
1050
1051 String[] result = new String[3];
1052 result[0] = serviceName;
1053 result[1] = algName;
1054 result[2] = attrName;
1055
1056 return result;
1057 }
1058
1059 /**
1060 * Returns a Set of Strings containing the names of all available
1061 * algorithms or types for the specified Java cryptographic service
1062 * (e.g., Signature, MessageDigest, Cipher, Mac, KeyStore). Returns
1063 * an empty Set if there is no provider that supports the
1064 * specified service or if serviceName is null. For a complete list
1065 * of Java cryptographic services, please see the
1066 * <a href="../../../technotes/guides/security/crypto/CryptoSpec.html">Java
1067 * Cryptography Architecture API Specification & Reference</a>.
1068 * Note: the returned set is immutable.
1069 *
1070 * @param serviceName the name of the Java cryptographic
1071 * service (e.g., Signature, MessageDigest, Cipher, Mac, KeyStore).
1072 * Note: this parameter is case-insensitive.
1073 *
1074 * @return a Set of Strings containing the names of all available
1075 * algorithms or types for the specified Java cryptographic service
1076 * or an empty set if no provider supports the specified service.
1077 *
1078 * @since 1.4
1079 **/
1080 public static Set<String> getAlgorithms(String serviceName) {
1081
1082 if ((serviceName == null) || (serviceName.length() == 0) ||
1083 (serviceName.endsWith("."))) {
1084 return Collections.emptySet();
1085 }
1086
1087 HashSet<String> result = new HashSet<>();
1088 Provider[] providers = Security.getProviders();
1089
1090 for (int i = 0; i < providers.length; i++) {
1091 // Check the keys for each provider.
1092 for (Enumeration<Object> e = providers[i].keys();
1093 e.hasMoreElements(); ) {
1094 String currentKey =
1095 ((String)e.nextElement()).toUpperCase(Locale.ENGLISH);
1096 if (currentKey.startsWith(
1097 serviceName.toUpperCase(Locale.ENGLISH))) {
1098 // We should skip the currentKey if it contains a
1099 // whitespace. The reason is: such an entry in the
1100 // provider property contains attributes for the
1101 // implementation of an algorithm. We are only interested
1102 // in entries which lead to the implementation
1103 // classes.
1104 if (currentKey.indexOf(" ") < 0) {
1105 result.add(currentKey.substring(
1106 serviceName.length() + 1));
1107 }
1108 }
1109 }
1110 }
1111 return Collections.unmodifiableSet(result);
1112 }
1113 }