1 /* 2 * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security; 27 28 import java.lang.reflect.*; 29 import java.util.*; 30 import java.util.concurrent.ConcurrentHashMap; 31 import java.io.*; 32 import java.net.URL; 33 import sun.security.util.Debug; 34 import sun.security.util.PropertyExpander; 35 36 import sun.security.jca.*; 37 38 /** 39 * <p>This class centralizes all security properties and common security 40 * methods. One of its primary uses is to manage providers. 41 * 42 * <p>The default values of security properties are read from an 43 * implementation-specific location, which is typically the properties file 44 * {@code lib/security/java.security} in the Java installation directory. 45 * 46 * @author Benjamin Renaud 47 */ 48 49 public final class Security { 50 51 /* Are we debugging? -- for developers */ 52 private static final Debug sdebug = 53 Debug.getInstance("properties"); 54 55 /* The java.security properties */ 56 private static Properties props; 57 58 // An element in the cache 59 private static class ProviderProperty { 60 String className; 61 Provider provider; 62 } 63 64 static { 65 // doPrivileged here because there are multiple 66 // things in initialize that might require privs. 67 // (the FileInputStream call and the File.exists call, 68 // the securityPropFile call, etc) 69 AccessController.doPrivileged(new PrivilegedAction<Void>() { 70 public Void run() { 71 initialize(); 72 return null; 73 } 74 }); 75 } 76 77 private static void initialize() { 78 props = new Properties(); 79 boolean loadedProps = false; 80 boolean overrideAll = false; 81 82 // first load the system properties file 83 // to determine the value of security.overridePropertiesFile 84 File propFile = securityPropFile("java.security"); 85 if (propFile.exists()) { 86 InputStream is = null; 87 try { 88 FileInputStream fis = new FileInputStream(propFile); 89 is = new BufferedInputStream(fis); 90 props.load(is); 91 loadedProps = true; 92 93 if (sdebug != null) { 94 sdebug.println("reading security properties file: " + 95 propFile); 96 } 97 } catch (IOException e) { 98 if (sdebug != null) { 99 sdebug.println("unable to load security properties from " + 100 propFile); 101 e.printStackTrace(); 102 } 103 } finally { 104 if (is != null) { 105 try { 106 is.close(); 107 } catch (IOException ioe) { 108 if (sdebug != null) { 109 sdebug.println("unable to close input stream"); 110 } 111 } 112 } 113 } 114 } 115 116 if ("true".equalsIgnoreCase(props.getProperty 117 ("security.overridePropertiesFile"))) { 118 119 String extraPropFile = System.getProperty 120 ("java.security.properties"); 121 if (extraPropFile != null && extraPropFile.startsWith("=")) { 122 overrideAll = true; 123 extraPropFile = extraPropFile.substring(1); 124 } 125 126 if (overrideAll) { 127 props = new Properties(); 128 if (sdebug != null) { 129 sdebug.println 130 ("overriding other security properties files!"); 131 } 132 } 133 134 // now load the user-specified file so its values 135 // will win if they conflict with the earlier values 136 if (extraPropFile != null) { 137 BufferedInputStream bis = null; 138 try { 139 URL propURL; 140 141 extraPropFile = PropertyExpander.expand(extraPropFile); 142 propFile = new File(extraPropFile); 143 if (propFile.exists()) { 144 propURL = new URL 145 ("file:" + propFile.getCanonicalPath()); 146 } else { 147 propURL = new URL(extraPropFile); 148 } 149 bis = new BufferedInputStream(propURL.openStream()); 150 props.load(bis); 151 loadedProps = true; 152 153 if (sdebug != null) { 154 sdebug.println("reading security properties file: " + 155 propURL); 156 if (overrideAll) { 157 sdebug.println 158 ("overriding other security properties files!"); 159 } 160 } 161 } catch (Exception e) { 162 if (sdebug != null) { 163 sdebug.println 164 ("unable to load security properties from " + 165 extraPropFile); 166 e.printStackTrace(); 167 } 168 } finally { 169 if (bis != null) { 170 try { 171 bis.close(); 172 } catch (IOException ioe) { 173 if (sdebug != null) { 174 sdebug.println("unable to close input stream"); 175 } 176 } 177 } 178 } 179 } 180 } 181 182 if (!loadedProps) { 183 initializeStatic(); 184 if (sdebug != null) { 185 sdebug.println("unable to load security properties " + 186 "-- using defaults"); 187 } 188 } 189 190 } 191 192 /* 193 * Initialize to default values, if <java.home>/lib/java.security 194 * is not found. 195 */ 196 private static void initializeStatic() { 197 props.put("security.provider.1", "sun.security.provider.Sun"); 198 props.put("security.provider.2", "sun.security.rsa.SunRsaSign"); 199 props.put("security.provider.3", "com.sun.net.ssl.internal.ssl.Provider"); 200 props.put("security.provider.4", "com.sun.crypto.provider.SunJCE"); 201 props.put("security.provider.5", "sun.security.jgss.SunProvider"); 202 props.put("security.provider.6", "com.sun.security.sasl.Provider"); 203 } 204 205 /** 206 * Don't let anyone instantiate this. 207 */ 208 private Security() { 209 } 210 211 private static File securityPropFile(String filename) { 212 // maybe check for a system property which will specify where to 213 // look. Someday. 214 String sep = File.separator; 215 return new File(System.getProperty("java.home") + sep + "lib" + sep + 216 "security" + sep + filename); 217 } 218 219 /** 220 * Looks up providers, and returns the property (and its associated 221 * provider) mapping the key, if any. 222 * The order in which the providers are looked up is the 223 * provider-preference order, as specificed in the security 224 * properties file. 225 */ 226 private static ProviderProperty getProviderProperty(String key) { 227 ProviderProperty entry = null; 228 229 List<Provider> providers = Providers.getProviderList().providers(); 230 for (int i = 0; i < providers.size(); i++) { 231 232 String matchKey = null; 233 Provider prov = providers.get(i); 234 String prop = prov.getProperty(key); 235 236 if (prop == null) { 237 // Is there a match if we do a case-insensitive property name 238 // comparison? Let's try ... 239 for (Enumeration<Object> e = prov.keys(); 240 e.hasMoreElements() && prop == null; ) { 241 matchKey = (String)e.nextElement(); 242 if (key.equalsIgnoreCase(matchKey)) { 243 prop = prov.getProperty(matchKey); 244 break; 245 } 246 } 247 } 248 249 if (prop != null) { 250 ProviderProperty newEntry = new ProviderProperty(); 251 newEntry.className = prop; 252 newEntry.provider = prov; 253 return newEntry; 254 } 255 } 256 257 return entry; 258 } 259 260 /** 261 * Returns the property (if any) mapping the key for the given provider. 262 */ 263 private static String getProviderProperty(String key, Provider provider) { 264 String prop = provider.getProperty(key); 265 if (prop == null) { 266 // Is there a match if we do a case-insensitive property name 267 // comparison? Let's try ... 268 for (Enumeration<Object> e = provider.keys(); 269 e.hasMoreElements() && prop == null; ) { 270 String matchKey = (String)e.nextElement(); 271 if (key.equalsIgnoreCase(matchKey)) { 272 prop = provider.getProperty(matchKey); 273 break; 274 } 275 } 276 } 277 return prop; 278 } 279 280 /** 281 * Gets a specified property for an algorithm. The algorithm name 282 * should be a standard name. See the <a href= 283 * "{@docRoot}/../technotes/guides/security/StandardNames.html"> 284 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> 285 * for information about standard algorithm names. 286 * 287 * One possible use is by specialized algorithm parsers, which may map 288 * classes to algorithms which they understand (much like Key parsers 289 * do). 290 * 291 * @param algName the algorithm name. 292 * 293 * @param propName the name of the property to get. 294 * 295 * @return the value of the specified property. 296 * 297 * @deprecated This method used to return the value of a proprietary 298 * property in the master file of the "SUN" Cryptographic Service 299 * Provider in order to determine how to parse algorithm-specific 300 * parameters. Use the new provider-based and algorithm-independent 301 * {@code AlgorithmParameters} and {@code KeyFactory} engine 302 * classes (introduced in the J2SE version 1.2 platform) instead. 303 */ 304 @Deprecated 305 public static String getAlgorithmProperty(String algName, 306 String propName) { 307 ProviderProperty entry = getProviderProperty("Alg." + propName 308 + "." + algName); 309 if (entry != null) { 310 return entry.className; 311 } else { 312 return null; 313 } 314 } 315 316 /** 317 * Adds a new provider, at a specified position. The position is 318 * the preference order in which providers are searched for 319 * requested algorithms. The position is 1-based, that is, 320 * 1 is most preferred, followed by 2, and so on. 321 * 322 * <p>If the given provider is installed at the requested position, 323 * the provider that used to be at that position, and all providers 324 * with a position greater than {@code position}, are shifted up 325 * one position (towards the end of the list of installed providers). 326 * 327 * <p>A provider cannot be added if it is already installed. 328 * 329 * <p>First, if there is a security manager, its 330 * {@code checkSecurityAccess} 331 * method is called with the string 332 * {@code "insertProvider."+provider.getName()} 333 * to see if it's ok to add a new provider. 334 * If the default implementation of {@code checkSecurityAccess} 335 * is used (i.e., that method is not overriden), then this will result in 336 * a call to the security manager's {@code checkPermission} method 337 * with a 338 * {@code SecurityPermission("insertProvider."+provider.getName())} 339 * permission. 340 * 341 * @param provider the provider to be added. 342 * 343 * @param position the preference position that the caller would 344 * like for this provider. 345 * 346 * @return the actual preference position in which the provider was 347 * added, or -1 if the provider was not added because it is 348 * already installed. 349 * 350 * @throws NullPointerException if provider is null 351 * @throws SecurityException 352 * if a security manager exists and its {@link 353 * java.lang.SecurityManager#checkSecurityAccess} method 354 * denies access to add a new provider 355 * 356 * @see #getProvider 357 * @see #removeProvider 358 * @see java.security.SecurityPermission 359 */ 360 public static synchronized int insertProviderAt(Provider provider, 361 int position) { 362 String providerName = provider.getName(); 363 check("insertProvider." + providerName); 364 ProviderList list = Providers.getFullProviderList(); 365 ProviderList newList = ProviderList.insertAt(list, provider, position - 1); 366 if (list == newList) { 367 return -1; 368 } 369 Providers.setProviderList(newList); 370 return newList.getIndex(providerName) + 1; 371 } 372 373 /** 374 * Adds a provider to the next position available. 375 * 376 * <p>First, if there is a security manager, its 377 * {@code checkSecurityAccess} 378 * method is called with the string 379 * {@code "insertProvider."+provider.getName()} 380 * to see if it's ok to add a new provider. 381 * If the default implementation of {@code checkSecurityAccess} 382 * is used (i.e., that method is not overriden), then this will result in 383 * a call to the security manager's {@code checkPermission} method 384 * with a 385 * {@code SecurityPermission("insertProvider."+provider.getName())} 386 * permission. 387 * 388 * @param provider the provider to be added. 389 * 390 * @return the preference position in which the provider was 391 * added, or -1 if the provider was not added because it is 392 * already installed. 393 * 394 * @throws NullPointerException if provider is null 395 * @throws SecurityException 396 * if a security manager exists and its {@link 397 * java.lang.SecurityManager#checkSecurityAccess} method 398 * denies access to add a new provider 399 * 400 * @see #getProvider 401 * @see #removeProvider 402 * @see java.security.SecurityPermission 403 */ 404 public static int addProvider(Provider provider) { 405 /* 406 * We can't assign a position here because the statically 407 * registered providers may not have been installed yet. 408 * insertProviderAt() will fix that value after it has 409 * loaded the static providers. 410 */ 411 return insertProviderAt(provider, 0); 412 } 413 414 /** 415 * Removes the provider with the specified name. 416 * 417 * <p>When the specified provider is removed, all providers located 418 * at a position greater than where the specified provider was are shifted 419 * down one position (towards the head of the list of installed 420 * providers). 421 * 422 * <p>This method returns silently if the provider is not installed or 423 * if name is null. 424 * 425 * <p>First, if there is a security manager, its 426 * {@code checkSecurityAccess} 427 * method is called with the string {@code "removeProvider."+name} 428 * to see if it's ok to remove the provider. 429 * If the default implementation of {@code checkSecurityAccess} 430 * is used (i.e., that method is not overriden), then this will result in 431 * a call to the security manager's {@code checkPermission} method 432 * with a {@code SecurityPermission("removeProvider."+name)} 433 * permission. 434 * 435 * @param name the name of the provider to remove. 436 * 437 * @throws SecurityException 438 * if a security manager exists and its {@link 439 * java.lang.SecurityManager#checkSecurityAccess} method 440 * denies 441 * access to remove the provider 442 * 443 * @see #getProvider 444 * @see #addProvider 445 */ 446 public static synchronized void removeProvider(String name) { 447 check("removeProvider." + name); 448 ProviderList list = Providers.getFullProviderList(); 449 ProviderList newList = ProviderList.remove(list, name); 450 Providers.setProviderList(newList); 451 } 452 453 /** 454 * Returns an array containing all the installed providers. The order of 455 * the providers in the array is their preference order. 456 * 457 * @return an array of all the installed providers. 458 */ 459 public static Provider[] getProviders() { 460 return Providers.getFullProviderList().toArray(); 461 } 462 463 /** 464 * Returns the provider installed with the specified name, if 465 * any. Returns null if no provider with the specified name is 466 * installed or if name is null. 467 * 468 * @param name the name of the provider to get. 469 * 470 * @return the provider of the specified name. 471 * 472 * @see #removeProvider 473 * @see #addProvider 474 */ 475 public static Provider getProvider(String name) { 476 return Providers.getProviderList().getProvider(name); 477 } 478 479 /** 480 * Returns an array containing all installed providers that satisfy the 481 * specified selection criterion, or null if no such providers have been 482 * installed. The returned providers are ordered 483 * according to their <a href= 484 * "#insertProviderAt(java.security.Provider, int)">preference order</a>. 485 * 486 * <p> A cryptographic service is always associated with a particular 487 * algorithm or type. For example, a digital signature service is 488 * always associated with a particular algorithm (e.g., DSA), 489 * and a CertificateFactory service is always associated with 490 * a particular certificate type (e.g., X.509). 491 * 492 * <p>The selection criterion must be specified in one of the following two 493 * formats: 494 * <ul> 495 * <li> <i><crypto_service>.<algorithm_or_type></i> <p> The 496 * cryptographic service name must not contain any dots. 497 * <p> A 498 * provider satisfies the specified selection criterion iff the provider 499 * implements the 500 * specified algorithm or type for the specified cryptographic service. 501 * <p> For example, "CertificateFactory.X.509" 502 * would be satisfied by any provider that supplied 503 * a CertificateFactory implementation for X.509 certificates. 504 * <li> <i><crypto_service>.<algorithm_or_type> 505 * <attribute_name>:< attribute_value></i> 506 * <p> The cryptographic service name must not contain any dots. There 507 * must be one or more space charaters between the 508 * <i><algorithm_or_type></i> and the <i><attribute_name></i>. 509 * <p> A provider satisfies this selection criterion iff the 510 * provider implements the specified algorithm or type for the specified 511 * cryptographic service and its implementation meets the 512 * constraint expressed by the specified attribute name/value pair. 513 * <p> For example, "Signature.SHA1withDSA KeySize:1024" would be 514 * satisfied by any provider that implemented 515 * the SHA1withDSA signature algorithm with a keysize of 1024 (or larger). 516 * 517 * </ul> 518 * 519 * <p> See the <a href= 520 * "{@docRoot}/../technotes/guides/security/StandardNames.html"> 521 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> 522 * for information about standard cryptographic service names, standard 523 * algorithm names and standard attribute names. 524 * 525 * @param filter the criterion for selecting 526 * providers. The filter is case-insensitive. 527 * 528 * @return all the installed providers that satisfy the selection 529 * criterion, or null if no such providers have been installed. 530 * 531 * @throws InvalidParameterException 532 * if the filter is not in the required format 533 * @throws NullPointerException if filter is null 534 * 535 * @see #getProviders(java.util.Map) 536 * @since 1.3 537 */ 538 public static Provider[] getProviders(String filter) { 539 String key = null; 540 String value = null; 541 int index = filter.indexOf(':'); 542 543 if (index == -1) { 544 key = filter; 545 value = ""; 546 } else { 547 key = filter.substring(0, index); 548 value = filter.substring(index + 1); 549 } 550 551 Hashtable<String, String> hashtableFilter = new Hashtable<>(1); 552 hashtableFilter.put(key, value); 553 554 return (getProviders(hashtableFilter)); 555 } 556 557 /** 558 * Returns an array containing all installed providers that satisfy the 559 * specified* selection criteria, or null if no such providers have been 560 * installed. The returned providers are ordered 561 * according to their <a href= 562 * "#insertProviderAt(java.security.Provider, int)">preference order</a>. 563 * 564 * <p>The selection criteria are represented by a map. 565 * Each map entry represents a selection criterion. 566 * A provider is selected iff it satisfies all selection 567 * criteria. The key for any entry in such a map must be in one of the 568 * following two formats: 569 * <ul> 570 * <li> <i><crypto_service>.<algorithm_or_type></i> 571 * <p> The cryptographic service name must not contain any dots. 572 * <p> The value associated with the key must be an empty string. 573 * <p> A provider 574 * satisfies this selection criterion iff the provider implements the 575 * specified algorithm or type for the specified cryptographic service. 576 * <li> <i><crypto_service>.<algorithm_or_type> <attribute_name></i> 577 * <p> The cryptographic service name must not contain any dots. There 578 * must be one or more space charaters between the <i><algorithm_or_type></i> 579 * and the <i><attribute_name></i>. 580 * <p> The value associated with the key must be a non-empty string. 581 * A provider satisfies this selection criterion iff the 582 * provider implements the specified algorithm or type for the specified 583 * cryptographic service and its implementation meets the 584 * constraint expressed by the specified attribute name/value pair. 585 * </ul> 586 * 587 * <p> See the <a href= 588 * "../../../technotes/guides/security/StandardNames.html"> 589 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> 590 * for information about standard cryptographic service names, standard 591 * algorithm names and standard attribute names. 592 * 593 * @param filter the criteria for selecting 594 * providers. The filter is case-insensitive. 595 * 596 * @return all the installed providers that satisfy the selection 597 * criteria, or null if no such providers have been installed. 598 * 599 * @throws InvalidParameterException 600 * if the filter is not in the required format 601 * @throws NullPointerException if filter is null 602 * 603 * @see #getProviders(java.lang.String) 604 * @since 1.3 605 */ 606 public static Provider[] getProviders(Map<String,String> filter) { 607 // Get all installed providers first. 608 // Then only return those providers who satisfy the selection criteria. 609 Provider[] allProviders = Security.getProviders(); 610 Set<String> keySet = filter.keySet(); 611 LinkedHashSet<Provider> candidates = new LinkedHashSet<>(5); 612 613 // Returns all installed providers 614 // if the selection criteria is null. 615 if ((keySet == null) || (allProviders == null)) { 616 return allProviders; 617 } 618 619 boolean firstSearch = true; 620 621 // For each selection criterion, remove providers 622 // which don't satisfy the criterion from the candidate set. 623 for (Iterator<String> ite = keySet.iterator(); ite.hasNext(); ) { 624 String key = ite.next(); 625 String value = filter.get(key); 626 627 LinkedHashSet<Provider> newCandidates = getAllQualifyingCandidates(key, value, 628 allProviders); 629 if (firstSearch) { 630 candidates = newCandidates; 631 firstSearch = false; 632 } 633 634 if ((newCandidates != null) && !newCandidates.isEmpty()) { 635 // For each provider in the candidates set, if it 636 // isn't in the newCandidate set, we should remove 637 // it from the candidate set. 638 for (Iterator<Provider> cansIte = candidates.iterator(); 639 cansIte.hasNext(); ) { 640 Provider prov = cansIte.next(); 641 if (!newCandidates.contains(prov)) { 642 cansIte.remove(); 643 } 644 } 645 } else { 646 candidates = null; 647 break; 648 } 649 } 650 651 if ((candidates == null) || (candidates.isEmpty())) 652 return null; 653 654 Object[] candidatesArray = candidates.toArray(); 655 Provider[] result = new Provider[candidatesArray.length]; 656 657 for (int i = 0; i < result.length; i++) { 658 result[i] = (Provider)candidatesArray[i]; 659 } 660 661 return result; 662 } 663 664 // Map containing cached Spi Class objects of the specified type 665 private static final Map<String, Class<?>> spiMap = 666 new ConcurrentHashMap<>(); 667 668 /** 669 * Return the Class object for the given engine type 670 * (e.g. "MessageDigest"). Works for Spis in the java.security package 671 * only. 672 */ 673 private static Class<?> getSpiClass(String type) { 674 Class<?> clazz = spiMap.get(type); 675 if (clazz != null) { 676 return clazz; 677 } 678 try { 679 clazz = Class.forName("java.security." + type + "Spi"); 680 spiMap.put(type, clazz); 681 return clazz; 682 } catch (ClassNotFoundException e) { 683 throw new AssertionError("Spi class not found", e); 684 } 685 } 686 687 /* 688 * Returns an array of objects: the first object in the array is 689 * an instance of an implementation of the requested algorithm 690 * and type, and the second object in the array identifies the provider 691 * of that implementation. 692 * The {@code provider} argument can be null, in which case all 693 * configured providers will be searched in order of preference. 694 */ 695 static Object[] getImpl(String algorithm, String type, String provider) 696 throws NoSuchAlgorithmException, NoSuchProviderException { 697 if (provider == null) { 698 return GetInstance.getInstance 699 (type, getSpiClass(type), algorithm).toArray(); 700 } else { 701 return GetInstance.getInstance 702 (type, getSpiClass(type), algorithm, provider).toArray(); 703 } 704 } 705 706 static Object[] getImpl(String algorithm, String type, String provider, 707 Object params) throws NoSuchAlgorithmException, 708 NoSuchProviderException, InvalidAlgorithmParameterException { 709 if (provider == null) { 710 return GetInstance.getInstance 711 (type, getSpiClass(type), algorithm, params).toArray(); 712 } else { 713 return GetInstance.getInstance 714 (type, getSpiClass(type), algorithm, params, provider).toArray(); 715 } 716 } 717 718 /* 719 * Returns an array of objects: the first object in the array is 720 * an instance of an implementation of the requested algorithm 721 * and type, and the second object in the array identifies the provider 722 * of that implementation. 723 * The {@code provider} argument cannot be null. 724 */ 725 static Object[] getImpl(String algorithm, String type, Provider provider) 726 throws NoSuchAlgorithmException { 727 return GetInstance.getInstance 728 (type, getSpiClass(type), algorithm, provider).toArray(); 729 } 730 731 static Object[] getImpl(String algorithm, String type, Provider provider, 732 Object params) throws NoSuchAlgorithmException, 733 InvalidAlgorithmParameterException { 734 return GetInstance.getInstance 735 (type, getSpiClass(type), algorithm, params, provider).toArray(); 736 } 737 738 /** 739 * Gets a security property value. 740 * 741 * <p>First, if there is a security manager, its 742 * {@code checkPermission} method is called with a 743 * {@code java.security.SecurityPermission("getProperty."+key)} 744 * permission to see if it's ok to retrieve the specified 745 * security property value.. 746 * 747 * @param key the key of the property being retrieved. 748 * 749 * @return the value of the security property corresponding to key. 750 * 751 * @throws SecurityException 752 * if a security manager exists and its {@link 753 * java.lang.SecurityManager#checkPermission} method 754 * denies 755 * access to retrieve the specified security property value 756 * @throws NullPointerException is key is null 757 * 758 * @see #setProperty 759 * @see java.security.SecurityPermission 760 */ 761 public static String getProperty(String key) { 762 SecurityManager sm = System.getSecurityManager(); 763 if (sm != null) { 764 sm.checkPermission(new SecurityPermission("getProperty."+ 765 key)); 766 } 767 String name = props.getProperty(key); 768 if (name != null) 769 name = name.trim(); // could be a class name with trailing ws 770 return name; 771 } 772 773 /** 774 * Sets a security property value. 775 * 776 * <p>First, if there is a security manager, its 777 * {@code checkPermission} method is called with a 778 * {@code java.security.SecurityPermission("setProperty."+key)} 779 * permission to see if it's ok to set the specified 780 * security property value. 781 * 782 * @param key the name of the property to be set. 783 * 784 * @param datum the value of the property to be set. 785 * 786 * @throws SecurityException 787 * if a security manager exists and its {@link 788 * java.lang.SecurityManager#checkPermission} method 789 * denies access to set the specified security property value 790 * @throws NullPointerException if key or datum is null 791 * 792 * @see #getProperty 793 * @see java.security.SecurityPermission 794 */ 795 public static void setProperty(String key, String datum) { 796 check("setProperty."+key); 797 props.put(key, datum); 798 invalidateSMCache(key); /* See below. */ 799 } 800 801 /* 802 * Implementation detail: If the property we just set in 803 * setProperty() was either "package.access" or 804 * "package.definition", we need to signal to the SecurityManager 805 * class that the value has just changed, and that it should 806 * invalidate it's local cache values. 807 * 808 * Rather than create a new API entry for this function, 809 * we use reflection to set a private variable. 810 */ 811 private static void invalidateSMCache(String key) { 812 813 final boolean pa = key.equals("package.access"); 814 final boolean pd = key.equals("package.definition"); 815 816 if (pa || pd) { 817 AccessController.doPrivileged(new PrivilegedAction<Void>() { 818 public Void run() { 819 try { 820 /* Get the class via the bootstrap class loader. */ 821 Class<?> cl = Class.forName( 822 "java.lang.SecurityManager", false, null); 823 Field f = null; 824 boolean accessible = false; 825 826 if (pa) { 827 f = cl.getDeclaredField("packageAccessValid"); 828 accessible = f.isAccessible(); 829 f.setAccessible(true); 830 } else { 831 f = cl.getDeclaredField("packageDefinitionValid"); 832 accessible = f.isAccessible(); 833 f.setAccessible(true); 834 } 835 f.setBoolean(f, false); 836 f.setAccessible(accessible); 837 } 838 catch (Exception e1) { 839 /* If we couldn't get the class, it hasn't 840 * been loaded yet. If there is no such 841 * field, we shouldn't try to set it. There 842 * shouldn't be a security execption, as we 843 * are loaded by boot class loader, and we 844 * are inside a doPrivileged() here. 845 * 846 * NOOP: don't do anything... 847 */ 848 } 849 return null; 850 } /* run */ 851 }); /* PrivilegedAction */ 852 } /* if */ 853 } 854 855 private static void check(String directive) { 856 SecurityManager security = System.getSecurityManager(); 857 if (security != null) { 858 security.checkSecurityAccess(directive); 859 } 860 } 861 862 /* 863 * Returns all providers who satisfy the specified 864 * criterion. 865 */ 866 private static LinkedHashSet<Provider> getAllQualifyingCandidates( 867 String filterKey, 868 String filterValue, 869 Provider[] allProviders) { 870 String[] filterComponents = getFilterComponents(filterKey, 871 filterValue); 872 873 // The first component is the service name. 874 // The second is the algorithm name. 875 // If the third isn't null, that is the attrinute name. 876 String serviceName = filterComponents[0]; 877 String algName = filterComponents[1]; 878 String attrName = filterComponents[2]; 879 880 return getProvidersNotUsingCache(serviceName, algName, attrName, 881 filterValue, allProviders); 882 } 883 884 private static LinkedHashSet<Provider> getProvidersNotUsingCache( 885 String serviceName, 886 String algName, 887 String attrName, 888 String filterValue, 889 Provider[] allProviders) { 890 LinkedHashSet<Provider> candidates = new LinkedHashSet<>(5); 891 for (int i = 0; i < allProviders.length; i++) { 892 if (isCriterionSatisfied(allProviders[i], serviceName, 893 algName, 894 attrName, filterValue)) { 895 candidates.add(allProviders[i]); 896 } 897 } 898 return candidates; 899 } 900 901 /* 902 * Returns true if the given provider satisfies 903 * the selection criterion key:value. 904 */ 905 private static boolean isCriterionSatisfied(Provider prov, 906 String serviceName, 907 String algName, 908 String attrName, 909 String filterValue) { 910 String key = serviceName + '.' + algName; 911 912 if (attrName != null) { 913 key += ' ' + attrName; 914 } 915 // Check whether the provider has a property 916 // whose key is the same as the given key. 917 String propValue = getProviderProperty(key, prov); 918 919 if (propValue == null) { 920 // Check whether we have an alias instead 921 // of a standard name in the key. 922 String standardName = getProviderProperty("Alg.Alias." + 923 serviceName + "." + 924 algName, 925 prov); 926 if (standardName != null) { 927 key = serviceName + "." + standardName; 928 929 if (attrName != null) { 930 key += ' ' + attrName; 931 } 932 933 propValue = getProviderProperty(key, prov); 934 } 935 936 if (propValue == null) { 937 // The provider doesn't have the given 938 // key in its property list. 939 return false; 940 } 941 } 942 943 // If the key is in the format of: 944 // <crypto_service>.<algorithm_or_type>, 945 // there is no need to check the value. 946 947 if (attrName == null) { 948 return true; 949 } 950 951 // If we get here, the key must be in the 952 // format of <crypto_service>.<algorithm_or_provider> <attribute_name>. 953 if (isStandardAttr(attrName)) { 954 return isConstraintSatisfied(attrName, filterValue, propValue); 955 } else { 956 return filterValue.equalsIgnoreCase(propValue); 957 } 958 } 959 960 /* 961 * Returns true if the attribute is a standard attribute; 962 * otherwise, returns false. 963 */ 964 private static boolean isStandardAttr(String attribute) { 965 // For now, we just have two standard attributes: 966 // KeySize and ImplementedIn. 967 if (attribute.equalsIgnoreCase("KeySize")) 968 return true; 969 970 if (attribute.equalsIgnoreCase("ImplementedIn")) 971 return true; 972 973 return false; 974 } 975 976 /* 977 * Returns true if the requested attribute value is supported; 978 * otherwise, returns false. 979 */ 980 private static boolean isConstraintSatisfied(String attribute, 981 String value, 982 String prop) { 983 // For KeySize, prop is the max key size the 984 // provider supports for a specific <crypto_service>.<algorithm>. 985 if (attribute.equalsIgnoreCase("KeySize")) { 986 int requestedSize = Integer.parseInt(value); 987 int maxSize = Integer.parseInt(prop); 988 if (requestedSize <= maxSize) { 989 return true; 990 } else { 991 return false; 992 } 993 } 994 995 // For Type, prop is the type of the implementation 996 // for a specific <crypto service>.<algorithm>. 997 if (attribute.equalsIgnoreCase("ImplementedIn")) { 998 return value.equalsIgnoreCase(prop); 999 } 1000 1001 return false; 1002 } 1003 1004 static String[] getFilterComponents(String filterKey, String filterValue) { 1005 int algIndex = filterKey.indexOf('.'); 1006 1007 if (algIndex < 0) { 1008 // There must be a dot in the filter, and the dot 1009 // shouldn't be at the beginning of this string. 1010 throw new InvalidParameterException("Invalid filter"); 1011 } 1012 1013 String serviceName = filterKey.substring(0, algIndex); 1014 String algName = null; 1015 String attrName = null; 1016 1017 if (filterValue.length() == 0) { 1018 // The filterValue is an empty string. So the filterKey 1019 // should be in the format of <crypto_service>.<algorithm_or_type>. 1020 algName = filterKey.substring(algIndex + 1).trim(); 1021 if (algName.length() == 0) { 1022 // There must be a algorithm or type name. 1023 throw new InvalidParameterException("Invalid filter"); 1024 } 1025 } else { 1026 // The filterValue is a non-empty string. So the filterKey must be 1027 // in the format of 1028 // <crypto_service>.<algorithm_or_type> <attribute_name> 1029 int attrIndex = filterKey.indexOf(' '); 1030 1031 if (attrIndex == -1) { 1032 // There is no attribute name in the filter. 1033 throw new InvalidParameterException("Invalid filter"); 1034 } else { 1035 attrName = filterKey.substring(attrIndex + 1).trim(); 1036 if (attrName.length() == 0) { 1037 // There is no attribute name in the filter. 1038 throw new InvalidParameterException("Invalid filter"); 1039 } 1040 } 1041 1042 // There must be an algorithm name in the filter. 1043 if ((attrIndex < algIndex) || 1044 (algIndex == attrIndex - 1)) { 1045 throw new InvalidParameterException("Invalid filter"); 1046 } else { 1047 algName = filterKey.substring(algIndex + 1, attrIndex); 1048 } 1049 } 1050 1051 String[] result = new String[3]; 1052 result[0] = serviceName; 1053 result[1] = algName; 1054 result[2] = attrName; 1055 1056 return result; 1057 } 1058 1059 /** 1060 * Returns a Set of Strings containing the names of all available 1061 * algorithms or types for the specified Java cryptographic service 1062 * (e.g., Signature, MessageDigest, Cipher, Mac, KeyStore). Returns 1063 * an empty Set if there is no provider that supports the 1064 * specified service or if serviceName is null. For a complete list 1065 * of Java cryptographic services, please see the 1066 * <a href="../../../technotes/guides/security/crypto/CryptoSpec.html">Java 1067 * Cryptography Architecture API Specification & Reference</a>. 1068 * Note: the returned set is immutable. 1069 * 1070 * @param serviceName the name of the Java cryptographic 1071 * service (e.g., Signature, MessageDigest, Cipher, Mac, KeyStore). 1072 * Note: this parameter is case-insensitive. 1073 * 1074 * @return a Set of Strings containing the names of all available 1075 * algorithms or types for the specified Java cryptographic service 1076 * or an empty set if no provider supports the specified service. 1077 * 1078 * @since 1.4 1079 **/ 1080 public static Set<String> getAlgorithms(String serviceName) { 1081 1082 if ((serviceName == null) || (serviceName.length() == 0) || 1083 (serviceName.endsWith("."))) { 1084 return Collections.emptySet(); 1085 } 1086 1087 HashSet<String> result = new HashSet<>(); 1088 Provider[] providers = Security.getProviders(); 1089 1090 for (int i = 0; i < providers.length; i++) { 1091 // Check the keys for each provider. 1092 for (Enumeration<Object> e = providers[i].keys(); 1093 e.hasMoreElements(); ) { 1094 String currentKey = 1095 ((String)e.nextElement()).toUpperCase(Locale.ENGLISH); 1096 if (currentKey.startsWith( 1097 serviceName.toUpperCase(Locale.ENGLISH))) { 1098 // We should skip the currentKey if it contains a 1099 // whitespace. The reason is: such an entry in the 1100 // provider property contains attributes for the 1101 // implementation of an algorithm. We are only interested 1102 // in entries which lead to the implementation 1103 // classes. 1104 if (currentKey.indexOf(" ") < 0) { 1105 result.add(currentKey.substring( 1106 serviceName.length() + 1)); 1107 } 1108 } 1109 } 1110 } 1111 return Collections.unmodifiableSet(result); 1112 } 1113 }