| Frames | No Frames |
1: /* CodeSource.java -- Code location and certifcates 2: Copyright (C) 1998, 2002, 2004 Free Software Foundation, Inc. 3: 4: This file is part of GNU Classpath. 5: 6: GNU Classpath is free software; you can redistribute it and/or modify 7: it under the terms of the GNU General Public License as published by 8: the Free Software Foundation; either version 2, or (at your option) 9: any later version. 10: 11: GNU Classpath is distributed in the hope that it will be useful, but 12: WITHOUT ANY WARRANTY; without even the implied warranty of 13: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14: General Public License for more details. 15: 16: You should have received a copy of the GNU General Public License 17: along with GNU Classpath; see the file COPYING. If not, write to the 18: Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 19: 02110-1301 USA. 20: 21: Linking this library statically or dynamically with other modules is 22: making a combined work based on this library. Thus, the terms and 23: conditions of the GNU General Public License cover the whole 24: combination. 25: 26: As a special exception, the copyright holders of this library give you 27: permission to link this library with independent modules to produce an 28: executable, regardless of the license terms of these independent 29: modules, and to copy and distribute the resulting executable under 30: terms of your choice, provided that you also meet, for each linked 31: independent module, the terms and conditions of the license of that 32: module. An independent module is a module which is not derived from 33: or based on this library. If you modify this library, you may extend 34: this exception to your version of the library, but you are not 35: obligated to do so. If you do not wish to do so, delete this 36: exception statement from your version. */ 37: 38: 39: package java.security; 40: 41: import gnu.java.lang.CPStringBuilder; 42: 43: import java.io.ByteArrayInputStream; 44: import java.io.IOException; 45: import java.io.ObjectInputStream; 46: import java.io.ObjectOutputStream; 47: import java.io.Serializable; 48: import java.net.SocketPermission; 49: import java.net.URL; 50: // Note that this overrides Certificate in this package. 51: import java.security.cert.Certificate; 52: import java.security.cert.CertificateEncodingException; 53: import java.security.cert.CertificateException; 54: import java.security.cert.CertificateFactory; 55: import java.util.Arrays; 56: import java.util.HashSet; 57: import java.util.Iterator; 58: 59: /** 60: * This class represents a location from which code is loaded (as 61: * represented by a URL), and the list of certificates that are used to 62: * check the signatures of signed code loaded from this source. 63: * 64: * @author Aaron M. Renn (arenn@urbanophile.com) 65: * @author Eric Blake (ebb9@email.byu.edu) 66: * @since 1.1 67: * @status updated to 1.4 68: */ 69: public class CodeSource implements Serializable 70: { 71: /** 72: * Compatible with JDK 1.1+. 73: */ 74: private static final long serialVersionUID = 4977541819976013951L; 75: 76: /** 77: * This is the URL that represents the code base from which code will 78: * be loaded. 79: * 80: * @serial the code location 81: */ 82: private final URL location; 83: 84: /** The set of certificates for this code base. */ 85: private transient HashSet certs; 86: 87: /** 88: * This creates a new instance of <code>CodeSource</code> that loads code 89: * from the specified URL location and which uses the specified certificates 90: * for verifying signatures. 91: * 92: * @param location the location from which code will be loaded 93: * @param certs the list of certificates 94: */ 95: public CodeSource(URL location, Certificate[] certs) 96: { 97: this.location = location; 98: if (certs != null) 99: this.certs = new HashSet(Arrays.asList(certs)); 100: } 101: 102: /** 103: * This method returns a hash value for this object. 104: * 105: * @return a hash value for this object 106: */ 107: public int hashCode() 108: { 109: return (location == null ? 0 : location.hashCode()) 110: ^ (certs == null ? 0 : certs.hashCode()); 111: } 112: 113: /** 114: * This method tests the specified <code>Object</code> for equality with 115: * this object. This will be true if and only if the locations are equal 116: * and the certificate sets are identical (ignoring order). 117: * 118: * @param obj the <code>Object</code> to test against 119: * @return true if the specified object is equal to this one 120: */ 121: public boolean equals(Object obj) 122: { 123: if (! (obj instanceof CodeSource)) 124: return false; 125: CodeSource cs = (CodeSource) obj; 126: return (certs == null ? cs.certs == null : certs.equals(cs.certs)) 127: && (location == null ? cs.location == null 128: : location.equals(cs.location)); 129: } 130: 131: /** 132: * This method returns the URL specifying the location from which code 133: * will be loaded under this <code>CodeSource</code>. 134: * 135: * @return the code location for this <code>CodeSource</code> 136: */ 137: public final URL getLocation() 138: { 139: return location; 140: } 141: 142: /** 143: * This method returns the list of digital certificates that can be used 144: * to verify the signatures of code loaded under this 145: * <code>CodeSource</code>. 146: * 147: * @return the certifcate list for this <code>CodeSource</code> 148: */ 149: public final Certificate[] getCertificates() 150: { 151: if (certs == null) 152: return null; 153: Certificate[] c = new Certificate[certs.size()]; 154: certs.toArray(c); 155: return c; 156: } 157: 158: /** 159: * This method tests to see if a specified <code>CodeSource</code> is 160: * implied by this object. Effectively, to meet this test, the specified 161: * object must have all the certifcates this object has (but may have more), 162: * and must have a location that is a subset of this object's. In order 163: * for this object to imply the specified object, the following must be 164: * true: 165: * 166: * <ol> 167: * <li><em>codesource</em> must not be <code>null</code>.</li> 168: * <li>If <em>codesource</em> has a certificate list, all of it's 169: * certificates must be present in the certificate list of this 170: * code source.</li> 171: * <li>If this object does not have a <code>null</code> location, then 172: * the following addtional tests must be passed. 173: * 174: * <ol> 175: * <li><em>codesource</em> must not have a <code>null</code> 176: * location.</li> 177: * <li><em>codesource</em>'s location must be equal to this object's 178: * location, or 179: * <ul> 180: * <li><em>codesource</em>'s location protocol, port, and ref (aka, 181: * anchor) must equal this objects</li> 182: * <li><em>codesource</em>'s location host must imply this object's 183: * location host, as determined by contructing 184: * <code>SocketPermission</code> objects from each with no 185: * action list and using that classes's <code>implies</code> 186: * method</li> 187: * <li>If this object's location file ends with a '/', then the 188: * specified object's location file must start with this 189: * object's location file. Otherwise, the specified object's 190: * location file must start with this object's location file 191: * with the '/' character appended to it.</li> 192: * </ul></li> 193: * </ol></li> 194: * </ol> 195: * 196: * <p>For example, each of these locations imply the location 197: * "http://java.sun.com/classes/foo.jar":</p> 198: * 199: * <pre> 200: * http: 201: * http://*.sun.com/classes/* 202: * http://java.sun.com/classes/- 203: * http://java.sun.com/classes/foo.jar 204: * </pre> 205: * 206: * <p>Note that the code source with null location and null certificates implies 207: * all other code sources.</p> 208: * 209: * @param cs the <code>CodeSource</code> to test against this object 210: * @return true if this specified <code>CodeSource</code> is implied 211: */ 212: public boolean implies(CodeSource cs) 213: { 214: if (cs == null) 215: return false; 216: // First check the certificate list. 217: if (certs != null && (cs.certs == null || ! certs.containsAll(cs.certs))) 218: return false; 219: // Next check the location. 220: if (location == null) 221: return true; 222: if (cs.location == null 223: || ! location.getProtocol().equals(cs.location.getProtocol()) 224: || (location.getPort() != -1 225: && location.getPort() != cs.location.getPort()) 226: || (location.getRef() != null 227: && ! location.getRef().equals(cs.location.getRef()))) 228: return false; 229: if (location.getHost() != null) 230: { 231: String their_host = cs.location.getHost(); 232: if (their_host == null) 233: return false; 234: SocketPermission our_sockperm = 235: new SocketPermission(location.getHost(), "accept"); 236: SocketPermission their_sockperm = 237: new SocketPermission(their_host, "accept"); 238: if (! our_sockperm.implies(their_sockperm)) 239: return false; 240: } 241: String our_file = location.getFile(); 242: if (our_file != null) 243: { 244: if (! our_file.endsWith("/")) 245: our_file += "/"; 246: String their_file = cs.location.getFile(); 247: if (their_file == null 248: || ! their_file.startsWith(our_file)) 249: return false; 250: } 251: return true; 252: } 253: 254: /** 255: * This method returns a <code>String</code> that represents this object. 256: * The result is in the format <code>"(" + getLocation()</code> followed 257: * by a space separated list of certificates (or "<no certificates>"), 258: * followed by <code>")"</code>. 259: * 260: * @return a <code>String</code> for this object 261: */ 262: public String toString() 263: { 264: CPStringBuilder sb = new CPStringBuilder("(").append(location); 265: if (certs == null || certs.isEmpty()) 266: sb.append(" <no certificates>"); 267: else 268: { 269: Iterator iter = certs.iterator(); 270: for (int i = certs.size(); --i >= 0; ) 271: sb.append(' ').append(iter.next()); 272: } 273: return sb.append(")").toString(); 274: } 275: 276: /** 277: * Reads this object from a serialization stream. 278: * 279: * @param s the input stream 280: * @throws IOException if reading fails 281: * @throws ClassNotFoundException if deserialization fails 282: * @serialData this reads the location, then expects an int indicating the 283: * number of certificates. Each certificate is a String type 284: * followed by an int encoding length, then a byte[] encoding 285: */ 286: private void readObject(ObjectInputStream s) 287: throws IOException, ClassNotFoundException 288: { 289: s.defaultReadObject(); 290: int count = s.readInt(); 291: certs = new HashSet(); 292: while (--count >= 0) 293: { 294: String type = (String) s.readObject(); 295: int bytes = s.readInt(); 296: byte[] encoded = new byte[bytes]; 297: for (int i = 0; i < bytes; i++) 298: encoded[i] = s.readByte(); 299: ByteArrayInputStream stream = new ByteArrayInputStream(encoded); 300: try 301: { 302: CertificateFactory factory = CertificateFactory.getInstance(type); 303: certs.add(factory.generateCertificate(stream)); 304: } 305: catch (CertificateException e) 306: { 307: // XXX Should we ignore this certificate? 308: } 309: } 310: } 311: 312: /** 313: * Writes this object to a serialization stream. 314: * 315: * @param s the output stream 316: * @throws IOException if writing fails 317: * @serialData this writes the location, then writes an int indicating the 318: * number of certificates. Each certificate is a String type 319: * followed by an int encoding length, then a byte[] encoding 320: */ 321: private void writeObject(ObjectOutputStream s) throws IOException 322: { 323: s.defaultWriteObject(); 324: if (certs == null) 325: s.writeInt(0); 326: else 327: { 328: int count = certs.size(); 329: s.writeInt(count); 330: Iterator iter = certs.iterator(); 331: while (--count >= 0) 332: { 333: Certificate c = (Certificate) iter.next(); 334: s.writeObject(c.getType()); 335: byte[] encoded; 336: try 337: { 338: encoded = c.getEncoded(); 339: } 340: catch (CertificateEncodingException e) 341: { 342: // XXX Should we ignore this certificate? 343: encoded = null; 344: } 345: if (encoded == null) 346: s.writeInt(0); 347: else 348: { 349: s.writeInt(encoded.length); 350: for (int i = 0; i < encoded.length; i++) 351: s.writeByte(encoded[i]); 352: } 353: } 354: } 355: } 356: } // class CodeSource