Path: blob/master/src/java.base/share/classes/javax/crypto/ProviderVerifier.java
41152 views
/*1* Copyright (c) 2007, 2021, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/2425package javax.crypto;2627import java.io.*;28import java.net.*;29import java.security.*;30import java.util.jar.*;3132/**33* This class verifies Provider/Policy resources found at a URL34* (currently only JAR files and any supporting JAR files), and35* determines whether they may be used in this implementation.36*37* The JCE in OpenJDK has an open cryptographic interface, meaning it38* does not restrict which providers can be used. Compliance with39* United States export controls and with local law governing the40* import/export of products incorporating the JCE in the OpenJDK is41* the responsibility of the licensee.42*43* @since 1.744*/45final class ProviderVerifier {4647// The URL for the JAR file we want to verify.48private URL jarURL;49private Provider provider;50private boolean savePerms;51private CryptoPermissions appPerms = null;5253/**54* Creates a ProviderVerifier object to verify the given URL.55*56* @param jarURL the JAR file to be verified.57* @param savePerms if true, save the permissions allowed by the58* exemption mechanism59*/60ProviderVerifier(URL jarURL, boolean savePerms) {61this(jarURL, null, savePerms);62}6364/**65* Creates a ProviderVerifier object to verify the given URL.66*67* @param jarURL the JAR file to be verified68* @param provider the corresponding provider.69* @param savePerms if true, save the permissions allowed by the70* exemption mechanism71*/72ProviderVerifier(URL jarURL, Provider provider, boolean savePerms) {73this.jarURL = jarURL;74this.provider = provider;75this.savePerms = savePerms;76}7778/**79* Verify the JAR file is signed by an entity which has a certificate80* issued by a trusted CA.81*82* In OpenJDK, we just need to examine the "cryptoperms" file to see83* if any permissions were bundled together with this jar file.84*/85void verify() throws IOException {8687// Short-circuit. If we weren't asked to save any, we're done.88if (!savePerms) {89return;90}9192// If the protocol of jarURL isn't "jar", we should93// construct a JAR URL so we can open a JarURLConnection94// for verifying this provider.95final URL url = jarURL.getProtocol().equalsIgnoreCase("jar")?96jarURL : new URL("jar:" + jarURL.toString() + "!/");9798JarFile jf = null;99try {100101// Get a link to the Jarfile to search.102try {103@SuppressWarnings("removal")104var tmp = AccessController.doPrivileged(105new PrivilegedExceptionAction<JarFile>() {106public JarFile run() throws Exception {107JarURLConnection conn =108(JarURLConnection) url.openConnection();109// You could do some caching here as110// an optimization.111conn.setUseCaches(false);112return conn.getJarFile();113}114});115jf = tmp;116} catch (java.security.PrivilegedActionException pae) {117throw new SecurityException("Cannot load " + url.toString(),118pae.getCause());119}120121if (jf != null) {122JarEntry je = jf.getJarEntry("cryptoPerms");123if (je == null) {124throw new JarException(125"Can not find cryptoPerms");126}127try {128appPerms = new CryptoPermissions();129appPerms.load(jf.getInputStream(je));130} catch (Exception ex) {131JarException jex =132new JarException("Cannot load/parse" +133jarURL.toString());134jex.initCause(ex);135throw jex;136}137}138} finally {139// Only call close() when caching is not enabled.140// Otherwise, exceptions will be thrown for all141// subsequent accesses of this cached jar.142if (jf != null) {143jf.close();144}145}146}147148/**149* Verify that the provided certs include the150* framework signing certificate.151*152* @param certs the list of certs to be checked.153* @throws Exception if the list of certs did not contain154* the framework signing certificate155*/156static void verifyPolicySigned(java.security.cert.Certificate[] certs)157throws Exception {158}159160/**161* Returns true if the given provider is JDK trusted crypto provider162* if the implementation supports fast-path verification.163*/164static boolean isTrustedCryptoProvider(Provider provider) {165return false;166}167168/**169* Returns the permissions which are bundled with the JAR file,170* aka the "cryptoperms" file.171*172* NOTE: if this ProviderVerifier instance is constructed with "savePerms"173* equal to false, then this method would always return null.174*/175CryptoPermissions getPermissions() {176return appPerms;177}178}179180181