1 /*
2 * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package javax.crypto;
27
28 import java.io.*;
29 import java.net.*;
30 import java.security.*;
31 import java.util.jar.*;
32
33 /**
34 * This class verifies JAR files (and any supporting JAR files), and
35 * determines whether they may be used in this implementation.
36 *
37 * The JCE in OpenJDK has an open cryptographic interface, meaning it
38 * does not restrict which providers can be used. Compliance with
39 * United States export controls and with local law governing the
40 * import/export of products incorporating the JCE in the OpenJDK is
41 * the responsibility of the licensee.
42 *
43 * @since 1.7
44 */
45 final class JarVerifier {
46
47 // The URL for the JAR file we want to verify.
48 private URL jarURL;
49 private boolean savePerms;
50 private CryptoPermissions appPerms = null;
51
52 /**
53 * Creates a JarVerifier object to verify the given URL.
54 *
55 * @param jarURL the JAR file to be verified.
56 * @param savePerms if true, save the permissions allowed by the
57 * exemption mechanism
58 */
59 JarVerifier(URL jarURL, boolean savePerms) {
60 this.jarURL = jarURL;
61 this.savePerms = savePerms;
62 }
63
64 /**
65 * Verify the JAR file is signed by an entity which has a certificate
66 * issued by a trusted CA.
67 *
68 * In OpenJDK, we just need to examine the "cryptoperms" file to see
69 * if any permissions were bundled together with this jar file.
70 */
71 void verify() throws JarException, IOException {
72
73 // Short-circuit. If we weren't asked to save any, we're done.
74 if (!savePerms) {
75 return;
76 }
77
78 // If the protocol of jarURL isn't "jar", we should
79 // construct a JAR URL so we can open a JarURLConnection
80 // for verifying this provider.
81 final URL url = jarURL.getProtocol().equalsIgnoreCase("jar")?
82 jarURL : new URL("jar:" + jarURL.toString() + "!/");
83
84 JarFile jf = null;
85 try {
86
87 // Get a link to the Jarfile to search.
88 try {
89 jf = AccessController.doPrivileged(
90 new PrivilegedExceptionAction<JarFile>() {
91 public JarFile run() throws Exception {
92 JarURLConnection conn =
93 (JarURLConnection) url.openConnection();
94 // You could do some caching here as
95 // an optimization.
96 conn.setUseCaches(false);
97 return conn.getJarFile();
98 }
99 });
100 } catch (java.security.PrivilegedActionException pae) {
101 throw new SecurityException("Cannot load " + url.toString(), pae);
102 }
103
104 if (jf != null) {
105 JarEntry je = jf.getJarEntry("cryptoPerms");
106 if (je == null) {
107 throw new JarException(
108 "Can not find cryptoPerms");
109 }
110 try {
111 appPerms = new CryptoPermissions();
112 appPerms.load(jf.getInputStream(je));
113 } catch (Exception ex) {
114 JarException jex =
115 new JarException("Cannot load/parse" +
116 jarURL.toString());
117 jex.initCause(ex);
118 throw jex;
119 }
120 }
121 } finally {
127 }
128 }
129 }
130
131 /**
132 * Verify that the provided certs include the
133 * framework signing certificate.
134 *
135 * @param certs the list of certs to be checked.
136 * @throws Exception if the list of certs did not contain
137 * the framework signing certificate
138 */
139 static void verifyPolicySigned(java.security.cert.Certificate[] certs)
140 throws Exception {
141 }
142
143 /**
144 * Returns the permissions which are bundled with the JAR file,
145 * aka the "cryptoperms" file.
146 *
147 * NOTE: if this JarVerifier instance is constructed with "savePerms"
148 * equal to false, then this method would always return null.
149 */
150 CryptoPermissions getPermissions() {
151 return appPerms;
152 }
153 }
|
1 /*
2 * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package javax.crypto;
27
28 import java.io.*;
29 import java.net.*;
30 import java.security.*;
31 import java.util.jar.*;
32
33 /**
34 * This class verifies resources found at a URL (currently only JAR
35 * files and any supporting JAR files), and determines whether they may
36 * be used in this implementation.
37 *
38 * The JCE in OpenJDK has an open cryptographic interface, meaning it
39 * does not restrict which providers can be used. Compliance with
40 * United States export controls and with local law governing the
41 * import/export of products incorporating the JCE in the OpenJDK is
42 * the responsibility of the licensee.
43 *
44 * @since 1.7
45 */
46 final class URLVerifier {
47
48 // The URL for the JAR file we want to verify.
49 private URL jarURL;
50 private Provider provider;
51 private boolean savePerms;
52 private CryptoPermissions appPerms = null;
53
54 /**
55 * Creates a URLVerifier object to verify the given URL.
56 *
57 * @param jarURL the JAR file to be verified.
58 * @param savePerms if true, save the permissions allowed by the
59 * exemption mechanism
60 */
61 URLVerifier(URL jarURL, boolean savePerms) {
62 this(jarURL, null, savePerms);
63 }
64
65 /**
66 * Creates a URLVerifier object to verify the given URL.
67 *
68 * @param jarURL the JAR file to be verified
69 * @param provider the corresponding provider.
70 * @param savePerms if true, save the permissions allowed by the
71 * exemption mechanism
72 */
73 URLVerifier(URL jarURL, Provider provider, boolean savePerms) {
74 this.jarURL = jarURL;
75 this.provider = provider;
76 this.savePerms = savePerms;
77 }
78
79 /**
80 * Verify the JAR file is signed by an entity which has a certificate
81 * issued by a trusted CA.
82 *
83 * In OpenJDK, we just need to examine the "cryptoperms" file to see
84 * if any permissions were bundled together with this jar file.
85 */
86 void verify() throws JarException, IOException {
87
88 // Short-circuit. If we weren't asked to save any, we're done.
89 if (!savePerms) {
90 return;
91 }
92
93 // If the protocol of jarURL isn't "jar", we should
94 // construct a JAR URL so we can open a JarURLConnection
95 // for verifying this provider.
96 final URL url = jarURL.getProtocol().equalsIgnoreCase("jar")?
97 jarURL : new URL("jar:" + jarURL.toString() + "!/");
98
99 JarFile jf = null;
100 try {
101
102 // Get a link to the Jarfile to search.
103 try {
104 jf = AccessController.doPrivileged(
105 new PrivilegedExceptionAction<JarFile>() {
106 public JarFile run() throws Exception {
107 JarURLConnection conn =
108 (JarURLConnection) url.openConnection();
109 // You could do some caching here as
110 // an optimization.
111 conn.setUseCaches(false);
112 return conn.getJarFile();
113 }
114 });
115 } catch (java.security.PrivilegedActionException pae) {
116 throw new SecurityException("Cannot load " + url.toString(),
117 pae);
118 }
119
120 if (jf != null) {
121 JarEntry je = jf.getJarEntry("cryptoPerms");
122 if (je == null) {
123 throw new JarException(
124 "Can not find cryptoPerms");
125 }
126 try {
127 appPerms = new CryptoPermissions();
128 appPerms.load(jf.getInputStream(je));
129 } catch (Exception ex) {
130 JarException jex =
131 new JarException("Cannot load/parse" +
132 jarURL.toString());
133 jex.initCause(ex);
134 throw jex;
135 }
136 }
137 } finally {
143 }
144 }
145 }
146
147 /**
148 * Verify that the provided certs include the
149 * framework signing certificate.
150 *
151 * @param certs the list of certs to be checked.
152 * @throws Exception if the list of certs did not contain
153 * the framework signing certificate
154 */
155 static void verifyPolicySigned(java.security.cert.Certificate[] certs)
156 throws Exception {
157 }
158
159 /**
160 * Returns the permissions which are bundled with the JAR file,
161 * aka the "cryptoperms" file.
162 *
163 * NOTE: if this URLVerifier instance is constructed with "savePerms"
164 * equal to false, then this method would always return null.
165 */
166 CryptoPermissions getPermissions() {
167 return appPerms;
168 }
169 }
|