1 /*
2 * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.jca;
27
28 import java.util.*;
29
30 import java.security.Provider;
31 import java.security.Security;
32
33 /**
34 * Collection of methods to get and set provider list. Also includes
35 * special code for the provider list during JAR verification.
36 *
37 * @author Andreas Sterbenz
38 * @since 1.5
39 */
40 public class Providers {
41
42 private static final ThreadLocal<ProviderList> threadLists =
43 new InheritableThreadLocal<>();
44
45 // number of threads currently using thread-local provider lists
46 // tracked to allow an optimization if == 0
47 private static volatile int threadListsUsed;
48
49 // current system-wide provider list
50 // Note volatile immutable object, so no synchronization needed.
51 private static volatile ProviderList providerList;
52
53 static {
54 // set providerList to empty list first in case initialization somehow
55 // triggers a getInstance() call (although that should not happen)
56 providerList = ProviderList.EMPTY;
57 providerList = ProviderList.fromSecurityProperties();
58 }
59
60 private Providers() {
61 // empty
62 }
63
64 // we need special handling to resolve circularities when loading
65 // signed JAR files during startup. The code below is part of that.
66
67 // Basically, before we load data from a signed JAR file, we parse
68 // the PKCS#7 file and verify the signature. We need a
69 // CertificateFactory, Signatures, etc. to do that. We have to make
70 // sure that we do not try to load the implementation from the JAR
71 // file we are just verifying.
72 //
73 // To avoid that, we use different provider settings during JAR
74 // verification. However, we do not want those provider settings to
75 // interfere with other parts of the system. Therefore, we make them local
76 // to the Thread executing the JAR verification code.
77 //
78 // The code here is used by sun.security.util.SignatureFileVerifier.
79 // See there for details.
80
81 private static final String BACKUP_PROVIDER_CLASSNAME =
82 "sun.security.provider.VerificationProvider";
83
84 // Hardcoded classnames of providers to use for JAR verification.
85 // MUST NOT be on the bootclasspath and not in signed JAR files.
86 private static final String[] jarVerificationProviders = {
87 "sun.security.provider.Sun",
88 "sun.security.rsa.SunRsaSign",
89 // Note: SunEC *is* in a signed JAR file, but it's not signed
90 // by EC itself. So it's still safe to be listed here.
91 "sun.security.ec.SunEC",
92 BACKUP_PROVIDER_CLASSNAME,
93 };
94
95 // Return to Sun provider or its backup.
96 // This method should only be called by
97 // sun.security.util.ManifestEntryVerifier and java.security.SecureRandom.
98 public static Provider getSunProvider() {
99 try {
100 Class clazz = Class.forName(jarVerificationProviders[0]);
101 return (Provider)clazz.newInstance();
102 } catch (Exception e) {
103 try {
104 Class clazz = Class.forName(BACKUP_PROVIDER_CLASSNAME);
105 return (Provider)clazz.newInstance();
106 } catch (Exception ee) {
107 throw new RuntimeException("Sun provider not found", e);
108 }
109 }
110 }
111
112 /**
113 * Start JAR verification. This sets a special provider list for
114 * the current thread. You MUST save the return value from this
115 * method and you MUST call stopJarVerification() with that object
116 * once you are done.
117 */
118 public static Object startJarVerification() {
119 ProviderList currentList = getProviderList();
120 ProviderList jarList = currentList.getJarList(jarVerificationProviders);
121 // return the old thread-local provider list, usually null
122 return beginThreadProviderList(jarList);
123 }
124
125 /**
126 * Stop JAR verification. Call once you have completed JAR verification.
127 */
128 public static void stopJarVerification(Object obj) {
129 // restore old thread-local provider list
130 endThreadProviderList((ProviderList)obj);
131 }
132
133 /**
134 * Return the current ProviderList. If the thread-local list is set,
135 * it is returned. Otherwise, the system wide list is returned.
136 */
137 public static ProviderList getProviderList() {
138 ProviderList list = getThreadProviderList();
139 if (list == null) {
140 list = getSystemProviderList();
141 }
142 return list;
143 }
144
145 /**
146 * Set the current ProviderList. Affects the thread-local list if set,
147 * otherwise the system wide list.
148 */
149 public static void setProviderList(ProviderList newList) {
150 if (getThreadProviderList() == null) {
151 setSystemProviderList(newList);
152 } else {
153 changeThreadProviderList(newList);
154 }
155 }
156
157 /**
158 * Get the full provider list with invalid providers (those that
159 * could not be loaded) removed. This is the list we need to
160 * present to applications.
161 */
162 public static ProviderList getFullProviderList() {
163 ProviderList list;
164 synchronized (Providers.class) {
165 list = getThreadProviderList();
166 if (list != null) {
167 ProviderList newList = list.removeInvalid();
168 if (newList != list) {
169 changeThreadProviderList(newList);
170 list = newList;
171 }
172 return list;
173 }
174 }
175 list = getSystemProviderList();
176 ProviderList newList = list.removeInvalid();
177 if (newList != list) {
178 setSystemProviderList(newList);
179 list = newList;
180 }
181 return list;
182 }
183
184 private static ProviderList getSystemProviderList() {
185 return providerList;
186 }
187
188 private static void setSystemProviderList(ProviderList list) {
189 providerList = list;
190 }
191
192 public static ProviderList getThreadProviderList() {
193 // avoid accessing the threadlocal if none are currently in use
194 // (first use of ThreadLocal.get() for a Thread allocates a Map)
195 if (threadListsUsed == 0) {
196 return null;
197 }
198 return threadLists.get();
199 }
200
201 // Change the thread local provider list. Use only if the current thread
202 // is already using a thread local list and you want to change it in place.
203 // In other cases, use the begin/endThreadProviderList() methods.
204 private static void changeThreadProviderList(ProviderList list) {
205 threadLists.set(list);
206 }
207
208 /**
209 * Methods to manipulate the thread local provider list. It is for use by
210 * JAR verification (see above) and the SunJSSE FIPS mode only.
211 *
212 * It should be used as follows:
213 *
214 * ProviderList list = ...;
215 * ProviderList oldList = Providers.beginThreadProviderList(list);
216 * try {
217 * // code that needs thread local provider list
218 * } finally {
219 * Providers.endThreadProviderList(oldList);
220 * }
221 *
222 */
223
224 public static synchronized ProviderList beginThreadProviderList(ProviderList list) {
225 if (ProviderList.debug != null) {
226 ProviderList.debug.println("ThreadLocal providers: " + list);
227 }
228 ProviderList oldList = threadLists.get();
229 threadListsUsed++;
230 threadLists.set(list);
231 return oldList;
232 }
233
234 public static synchronized void endThreadProviderList(ProviderList list) {
235 if (list == null) {
236 if (ProviderList.debug != null) {
237 ProviderList.debug.println("Disabling ThreadLocal providers");
238 }
239 threadLists.remove();
240 } else {
241 if (ProviderList.debug != null) {
242 ProviderList.debug.println
243 ("Restoring previous ThreadLocal providers: " + list);
244 }
245 threadLists.set(list);
246 }
247 threadListsUsed--;
248 }
249
250 }