author | jjg |
Mon, 15 Aug 2011 11:48:20 -0700 | |
changeset 10336 | 0bb1999251f8 |
parent 9849 | eb437e9fba66 |
child 10781 | f8a00c400655 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
9849
eb437e9fba66
7003952: SEC: securely load DLLs and launch executables using fully qualified path
valeriep
parents:
9275
diff
changeset
|
2 |
* Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.pkcs11; |
|
27 |
||
28 |
import java.io.*; |
|
29 |
import static java.io.StreamTokenizer.*; |
|
30 |
import java.math.BigInteger; |
|
31 |
import java.util.*; |
|
32 |
||
33 |
import java.security.*; |
|
34 |
||
35 |
import sun.security.action.GetPropertyAction; |
|
36 |
import sun.security.util.PropertyExpander; |
|
37 |
||
38 |
import sun.security.pkcs11.wrapper.*; |
|
39 |
import static sun.security.pkcs11.wrapper.PKCS11Constants.*; |
|
40 |
import static sun.security.pkcs11.wrapper.CK_ATTRIBUTE.*; |
|
41 |
||
42 |
import static sun.security.pkcs11.TemplateManager.*; |
|
43 |
||
44 |
/** |
|
45 |
* Configuration container and file parsing. |
|
46 |
* |
|
47 |
* @author Andreas Sterbenz |
|
48 |
* @since 1.5 |
|
49 |
*/ |
|
50 |
final class Config { |
|
51 |
||
52 |
static final int ERR_HALT = 1; |
|
53 |
static final int ERR_IGNORE_ALL = 2; |
|
54 |
static final int ERR_IGNORE_LIB = 3; |
|
55 |
||
56 |
// same as allowSingleThreadedModules but controlled via a system property |
|
57 |
// and applied to all providers. if set to false, no SunPKCS11 instances |
|
58 |
// will accept single threaded modules regardless of the setting in their |
|
59 |
// config files. |
|
60 |
private static final boolean staticAllowSingleThreadedModules; |
|
61 |
||
62 |
static { |
|
63 |
String p = "sun.security.pkcs11.allowSingleThreadedModules"; |
|
64 |
String s = AccessController.doPrivileged(new GetPropertyAction(p)); |
|
65 |
if ("false".equalsIgnoreCase(s)) { |
|
66 |
staticAllowSingleThreadedModules = false; |
|
67 |
} else { |
|
68 |
staticAllowSingleThreadedModules = true; |
|
69 |
} |
|
70 |
} |
|
71 |
||
72 |
// temporary storage for configurations |
|
73 |
// needed because the SunPKCS11 needs to call the superclass constructor |
|
74 |
// in provider before accessing any instance variables |
|
75 |
private final static Map<String,Config> configMap = |
|
76 |
new HashMap<String,Config>(); |
|
77 |
||
78 |
static Config getConfig(final String name, final InputStream stream) { |
|
79 |
Config config = configMap.get(name); |
|
80 |
if (config != null) { |
|
81 |
return config; |
|
82 |
} |
|
83 |
try { |
|
84 |
config = new Config(name, stream); |
|
85 |
configMap.put(name, config); |
|
86 |
return config; |
|
87 |
} catch (Exception e) { |
|
88 |
throw new ProviderException("Error parsing configuration", e); |
|
89 |
} |
|
90 |
} |
|
91 |
||
92 |
static Config removeConfig(String name) { |
|
93 |
return configMap.remove(name); |
|
94 |
} |
|
95 |
||
96 |
private final static boolean DEBUG = false; |
|
97 |
||
98 |
private static void debug(Object o) { |
|
99 |
if (DEBUG) { |
|
100 |
System.out.println(o); |
|
101 |
} |
|
102 |
} |
|
103 |
||
104 |
// Reader and StringTokenizer used during parsing |
|
105 |
private Reader reader; |
|
106 |
||
107 |
private StreamTokenizer st; |
|
108 |
||
109 |
private Set<String> parsedKeywords; |
|
110 |
||
111 |
// name suffix of the provider |
|
112 |
private String name; |
|
113 |
||
114 |
// name of the PKCS#11 library |
|
115 |
private String library; |
|
116 |
||
117 |
// description to pass to the provider class |
|
118 |
private String description; |
|
119 |
||
120 |
// slotID of the slot to use |
|
121 |
private int slotID = -1; |
|
122 |
||
123 |
// slot to use, specified as index in the slotlist |
|
124 |
private int slotListIndex = -1; |
|
125 |
||
126 |
// set of enabled mechanisms (or null to use default) |
|
127 |
private Set<Long> enabledMechanisms; |
|
128 |
||
129 |
// set of disabled mechanisms |
|
130 |
private Set<Long> disabledMechanisms; |
|
131 |
||
132 |
// whether to print debug info during startup |
|
133 |
private boolean showInfo = false; |
|
134 |
||
135 |
// template manager, initialized from parsed attributes |
|
136 |
private TemplateManager templateManager; |
|
137 |
||
138 |
// how to handle error during startup, one of ERR_ |
|
139 |
private int handleStartupErrors = ERR_HALT; |
|
140 |
||
141 |
// flag indicating whether the P11KeyStore should |
|
142 |
// be more tolerant of input parameters |
|
143 |
private boolean keyStoreCompatibilityMode = true; |
|
144 |
||
145 |
// flag indicating whether we need to explicitly cancel operations |
|
146 |
// see Token |
|
147 |
private boolean explicitCancel = true; |
|
148 |
||
149 |
// how often to test for token insertion, if no token is present |
|
150 |
private int insertionCheckInterval = 2000; |
|
151 |
||
152 |
// flag inidicating whether to omit the call to C_Initialize() |
|
153 |
// should be used only if we are running within a process that |
|
154 |
// has already called it (e.g. Plugin inside of Mozilla/NSS) |
|
155 |
private boolean omitInitialize = false; |
|
156 |
||
157 |
// whether to allow modules that only support single threaded access. |
|
158 |
// they cannot be used safely from multiple PKCS#11 consumers in the |
|
159 |
// same process, for example NSS and SunPKCS11 |
|
160 |
private boolean allowSingleThreadedModules = true; |
|
161 |
||
162 |
// name of the C function that returns the PKCS#11 functionlist |
|
163 |
// This option primarily exists for the deprecated |
|
164 |
// Secmod.Module.getProvider() method. |
|
165 |
private String functionList = "C_GetFunctionList"; |
|
166 |
||
167 |
// whether to use NSS secmod mode. Implicitly set if nssLibraryDirectory, |
|
168 |
// nssSecmodDirectory, or nssModule is specified. |
|
169 |
private boolean nssUseSecmod; |
|
170 |
||
171 |
// location of the NSS library files (libnss3.so, etc.) |
|
172 |
private String nssLibraryDirectory; |
|
173 |
||
174 |
// location of secmod.db |
|
175 |
private String nssSecmodDirectory; |
|
176 |
||
177 |
// which NSS module to use |
|
178 |
private String nssModule; |
|
179 |
||
180 |
private Secmod.DbMode nssDbMode = Secmod.DbMode.READ_WRITE; |
|
181 |
||
182 |
// Whether the P11KeyStore should specify the CKA_NETSCAPE_DB attribute |
|
183 |
// when creating private keys. Only valid if nssUseSecmod is true. |
|
184 |
private boolean nssNetscapeDbWorkaround = true; |
|
185 |
||
186 |
// Special init argument string for the NSS softtoken. |
|
187 |
// This is used when using the NSS softtoken directly without secmod mode. |
|
188 |
private String nssArgs; |
|
189 |
||
190 |
// whether to use NSS trust attributes for the KeyStore of this provider |
|
191 |
// this option is for internal use by the SunPKCS11 code only and |
|
192 |
// works only for NSS providers created via the Secmod API |
|
193 |
private boolean nssUseSecmodTrust = false; |
|
194 |
||
195 |
private Config(String filename, InputStream in) throws IOException { |
|
196 |
if (in == null) { |
|
197 |
if (filename.startsWith("--")) { |
|
198 |
// inline config |
|
199 |
String config = filename.substring(2).replace("\\n", "\n"); |
|
200 |
reader = new StringReader(config); |
|
201 |
} else { |
|
202 |
in = new FileInputStream(expand(filename)); |
|
203 |
} |
|
204 |
} |
|
205 |
if (reader == null) { |
|
206 |
reader = new BufferedReader(new InputStreamReader(in)); |
|
207 |
} |
|
208 |
parsedKeywords = new HashSet<String>(); |
|
209 |
st = new StreamTokenizer(reader); |
|
210 |
setupTokenizer(); |
|
211 |
parse(); |
|
212 |
} |
|
213 |
||
214 |
String getName() { |
|
215 |
return name; |
|
216 |
} |
|
217 |
||
218 |
String getLibrary() { |
|
219 |
return library; |
|
220 |
} |
|
221 |
||
222 |
String getDescription() { |
|
223 |
if (description != null) { |
|
224 |
return description; |
|
225 |
} |
|
226 |
return "SunPKCS11-" + name + " using library " + library; |
|
227 |
} |
|
228 |
||
229 |
int getSlotID() { |
|
230 |
return slotID; |
|
231 |
} |
|
232 |
||
233 |
int getSlotListIndex() { |
|
234 |
if ((slotID == -1) && (slotListIndex == -1)) { |
|
235 |
// if neither is set, default to first slot |
|
236 |
return 0; |
|
237 |
} else { |
|
238 |
return slotListIndex; |
|
239 |
} |
|
240 |
} |
|
241 |
||
242 |
boolean getShowInfo() { |
|
243 |
return (SunPKCS11.debug != null) || showInfo; |
|
244 |
} |
|
245 |
||
246 |
TemplateManager getTemplateManager() { |
|
247 |
if (templateManager == null) { |
|
248 |
templateManager = new TemplateManager(); |
|
249 |
} |
|
250 |
return templateManager; |
|
251 |
} |
|
252 |
||
253 |
boolean isEnabled(long m) { |
|
254 |
if (enabledMechanisms != null) { |
|
255 |
return enabledMechanisms.contains(Long.valueOf(m)); |
|
256 |
} |
|
257 |
if (disabledMechanisms != null) { |
|
258 |
return !disabledMechanisms.contains(Long.valueOf(m)); |
|
259 |
} |
|
260 |
return true; |
|
261 |
} |
|
262 |
||
263 |
int getHandleStartupErrors() { |
|
264 |
return handleStartupErrors; |
|
265 |
} |
|
266 |
||
267 |
boolean getKeyStoreCompatibilityMode() { |
|
268 |
return keyStoreCompatibilityMode; |
|
269 |
} |
|
270 |
||
271 |
boolean getExplicitCancel() { |
|
272 |
return explicitCancel; |
|
273 |
} |
|
274 |
||
275 |
int getInsertionCheckInterval() { |
|
276 |
return insertionCheckInterval; |
|
277 |
} |
|
278 |
||
279 |
boolean getOmitInitialize() { |
|
280 |
return omitInitialize; |
|
281 |
} |
|
282 |
||
283 |
boolean getAllowSingleThreadedModules() { |
|
284 |
return staticAllowSingleThreadedModules && allowSingleThreadedModules; |
|
285 |
} |
|
286 |
||
287 |
String getFunctionList() { |
|
288 |
return functionList; |
|
289 |
} |
|
290 |
||
291 |
boolean getNssUseSecmod() { |
|
292 |
return nssUseSecmod; |
|
293 |
} |
|
294 |
||
295 |
String getNssLibraryDirectory() { |
|
296 |
return nssLibraryDirectory; |
|
297 |
} |
|
298 |
||
299 |
String getNssSecmodDirectory() { |
|
300 |
return nssSecmodDirectory; |
|
301 |
} |
|
302 |
||
303 |
String getNssModule() { |
|
304 |
return nssModule; |
|
305 |
} |
|
306 |
||
307 |
Secmod.DbMode getNssDbMode() { |
|
308 |
return nssDbMode; |
|
309 |
} |
|
310 |
||
311 |
public boolean getNssNetscapeDbWorkaround() { |
|
312 |
return nssUseSecmod && nssNetscapeDbWorkaround; |
|
313 |
} |
|
314 |
||
315 |
String getNssArgs() { |
|
316 |
return nssArgs; |
|
317 |
} |
|
318 |
||
319 |
boolean getNssUseSecmodTrust() { |
|
320 |
return nssUseSecmodTrust; |
|
321 |
} |
|
322 |
||
323 |
private static String expand(final String s) throws IOException { |
|
324 |
try { |
|
325 |
return PropertyExpander.expand(s); |
|
326 |
} catch (Exception e) { |
|
327 |
throw new RuntimeException(e.getMessage()); |
|
328 |
} |
|
329 |
} |
|
330 |
||
331 |
private void setupTokenizer() { |
|
332 |
st.resetSyntax(); |
|
333 |
st.wordChars('a', 'z'); |
|
334 |
st.wordChars('A', 'Z'); |
|
335 |
st.wordChars('0', '9'); |
|
336 |
st.wordChars(':', ':'); |
|
337 |
st.wordChars('.', '.'); |
|
338 |
st.wordChars('_', '_'); |
|
339 |
st.wordChars('-', '-'); |
|
340 |
st.wordChars('/', '/'); |
|
341 |
st.wordChars('\\', '\\'); |
|
342 |
st.wordChars('$', '$'); |
|
343 |
st.wordChars('{', '{'); // need {} for property subst |
|
344 |
st.wordChars('}', '}'); |
|
345 |
st.wordChars('*', '*'); |
|
9261
efb29ab3324e
6986789: Sun pkcs11 provider fails to parse path name containing "+"
valeriep
parents:
7808
diff
changeset
|
346 |
st.wordChars('+', '+'); |
7808
992bb9918576
6581254: pkcs11 provider fails to parse configuration file contains windows short path
valeriep
parents:
5506
diff
changeset
|
347 |
st.wordChars('~', '~'); |
2 | 348 |
// XXX check ASCII table and add all other characters except special |
349 |
||
350 |
// special: #="(), |
|
351 |
st.whitespaceChars(0, ' '); |
|
352 |
st.commentChar('#'); |
|
353 |
st.eolIsSignificant(true); |
|
354 |
st.quoteChar('\"'); |
|
355 |
} |
|
356 |
||
357 |
private ConfigurationException excToken(String msg) { |
|
358 |
return new ConfigurationException(msg + " " + st); |
|
359 |
} |
|
360 |
||
361 |
private ConfigurationException excLine(String msg) { |
|
362 |
return new ConfigurationException(msg + ", line " + st.lineno()); |
|
363 |
} |
|
364 |
||
365 |
private void parse() throws IOException { |
|
366 |
while (true) { |
|
367 |
int token = nextToken(); |
|
368 |
if (token == TT_EOF) { |
|
369 |
break; |
|
370 |
} |
|
371 |
if (token == TT_EOL) { |
|
372 |
continue; |
|
373 |
} |
|
374 |
if (token != TT_WORD) { |
|
375 |
throw excToken("Unexpected token:"); |
|
376 |
} |
|
377 |
String word = st.sval; |
|
378 |
if (word.equals("name")) { |
|
379 |
name = parseStringEntry(word); |
|
380 |
} else if (word.equals("library")) { |
|
381 |
library = parseLibrary(word); |
|
382 |
} else if (word.equals("description")) { |
|
383 |
parseDescription(word); |
|
384 |
} else if (word.equals("slot")) { |
|
385 |
parseSlotID(word); |
|
386 |
} else if (word.equals("slotListIndex")) { |
|
387 |
parseSlotListIndex(word); |
|
388 |
} else if (word.equals("enabledMechanisms")) { |
|
389 |
parseEnabledMechanisms(word); |
|
390 |
} else if (word.equals("disabledMechanisms")) { |
|
391 |
parseDisabledMechanisms(word); |
|
392 |
} else if (word.equals("attributes")) { |
|
393 |
parseAttributes(word); |
|
394 |
} else if (word.equals("handleStartupErrors")) { |
|
395 |
parseHandleStartupErrors(word); |
|
396 |
} else if (word.endsWith("insertionCheckInterval")) { |
|
397 |
insertionCheckInterval = parseIntegerEntry(word); |
|
398 |
if (insertionCheckInterval < 100) { |
|
399 |
throw excLine(word + " must be at least 100 ms"); |
|
400 |
} |
|
401 |
} else if (word.equals("showInfo")) { |
|
402 |
showInfo = parseBooleanEntry(word); |
|
403 |
} else if (word.equals("keyStoreCompatibilityMode")) { |
|
404 |
keyStoreCompatibilityMode = parseBooleanEntry(word); |
|
405 |
} else if (word.equals("explicitCancel")) { |
|
406 |
explicitCancel = parseBooleanEntry(word); |
|
407 |
} else if (word.equals("omitInitialize")) { |
|
408 |
omitInitialize = parseBooleanEntry(word); |
|
409 |
} else if (word.equals("allowSingleThreadedModules")) { |
|
410 |
allowSingleThreadedModules = parseBooleanEntry(word); |
|
411 |
} else if (word.equals("functionList")) { |
|
412 |
functionList = parseStringEntry(word); |
|
413 |
} else if (word.equals("nssUseSecmod")) { |
|
414 |
nssUseSecmod = parseBooleanEntry(word); |
|
415 |
} else if (word.equals("nssLibraryDirectory")) { |
|
416 |
nssLibraryDirectory = parseLibrary(word); |
|
417 |
nssUseSecmod = true; |
|
418 |
} else if (word.equals("nssSecmodDirectory")) { |
|
419 |
nssSecmodDirectory = expand(parseStringEntry(word)); |
|
420 |
nssUseSecmod = true; |
|
421 |
} else if (word.equals("nssModule")) { |
|
422 |
nssModule = parseStringEntry(word); |
|
423 |
nssUseSecmod = true; |
|
424 |
} else if (word.equals("nssDbMode")) { |
|
425 |
String mode = parseStringEntry(word); |
|
426 |
if (mode.equals("readWrite")) { |
|
427 |
nssDbMode = Secmod.DbMode.READ_WRITE; |
|
428 |
} else if (mode.equals("readOnly")) { |
|
429 |
nssDbMode = Secmod.DbMode.READ_ONLY; |
|
430 |
} else if (mode.equals("noDb")) { |
|
431 |
nssDbMode = Secmod.DbMode.NO_DB; |
|
432 |
} else { |
|
433 |
throw excToken("nssDbMode must be one of readWrite, readOnly, and noDb:"); |
|
434 |
} |
|
435 |
nssUseSecmod = true; |
|
436 |
} else if (word.equals("nssNetscapeDbWorkaround")) { |
|
437 |
nssNetscapeDbWorkaround = parseBooleanEntry(word); |
|
438 |
nssUseSecmod = true; |
|
439 |
} else if (word.equals("nssArgs")) { |
|
440 |
parseNSSArgs(word); |
|
441 |
} else if (word.equals("nssUseSecmodTrust")) { |
|
442 |
nssUseSecmodTrust = parseBooleanEntry(word); |
|
443 |
} else { |
|
444 |
throw new ConfigurationException |
|
445 |
("Unknown keyword '" + word + "', line " + st.lineno()); |
|
446 |
} |
|
447 |
parsedKeywords.add(word); |
|
448 |
} |
|
449 |
reader.close(); |
|
450 |
reader = null; |
|
451 |
st = null; |
|
452 |
parsedKeywords = null; |
|
453 |
if (name == null) { |
|
454 |
throw new ConfigurationException("name must be specified"); |
|
455 |
} |
|
456 |
if (nssUseSecmod == false) { |
|
457 |
if (library == null) { |
|
458 |
throw new ConfigurationException("library must be specified"); |
|
459 |
} |
|
460 |
} else { |
|
461 |
if (library != null) { |
|
462 |
throw new ConfigurationException |
|
463 |
("library must not be specified in NSS mode"); |
|
464 |
} |
|
465 |
if ((slotID != -1) || (slotListIndex != -1)) { |
|
466 |
throw new ConfigurationException |
|
467 |
("slot and slotListIndex must not be specified in NSS mode"); |
|
468 |
} |
|
469 |
if (nssArgs != null) { |
|
470 |
throw new ConfigurationException |
|
471 |
("nssArgs must not be specified in NSS mode"); |
|
472 |
} |
|
473 |
if (nssUseSecmodTrust != false) { |
|
474 |
throw new ConfigurationException("nssUseSecmodTrust is an " |
|
475 |
+ "internal option and must not be specified in NSS mode"); |
|
476 |
} |
|
477 |
} |
|
478 |
} |
|
479 |
||
480 |
// |
|
481 |
// Parsing helper methods |
|
482 |
// |
|
483 |
||
484 |
private int nextToken() throws IOException { |
|
485 |
int token = st.nextToken(); |
|
486 |
debug(st); |
|
487 |
return token; |
|
488 |
} |
|
489 |
||
490 |
private void parseEquals() throws IOException { |
|
491 |
int token = nextToken(); |
|
492 |
if (token != '=') { |
|
493 |
throw excToken("Expected '=', read"); |
|
494 |
} |
|
495 |
} |
|
496 |
||
497 |
private void parseOpenBraces() throws IOException { |
|
498 |
while (true) { |
|
499 |
int token = nextToken(); |
|
500 |
if (token == TT_EOL) { |
|
501 |
continue; |
|
502 |
} |
|
503 |
if ((token == TT_WORD) && st.sval.equals("{")) { |
|
504 |
return; |
|
505 |
} |
|
506 |
throw excToken("Expected '{', read"); |
|
507 |
} |
|
508 |
} |
|
509 |
||
510 |
private boolean isCloseBraces(int token) { |
|
511 |
return (token == TT_WORD) && st.sval.equals("}"); |
|
512 |
} |
|
513 |
||
514 |
private String parseWord() throws IOException { |
|
515 |
int token = nextToken(); |
|
516 |
if (token != TT_WORD) { |
|
517 |
throw excToken("Unexpected value:"); |
|
518 |
} |
|
519 |
return st.sval; |
|
520 |
} |
|
521 |
||
522 |
private String parseStringEntry(String keyword) throws IOException { |
|
523 |
checkDup(keyword); |
|
524 |
parseEquals(); |
|
525 |
||
526 |
int token = nextToken(); |
|
527 |
if (token != TT_WORD && token != '\"') { |
|
528 |
// not a word token nor a string enclosed by double quotes |
|
529 |
throw excToken("Unexpected value:"); |
|
530 |
} |
|
531 |
String value = st.sval; |
|
532 |
||
533 |
debug(keyword + ": " + value); |
|
534 |
return value; |
|
535 |
} |
|
536 |
||
537 |
private boolean parseBooleanEntry(String keyword) throws IOException { |
|
538 |
checkDup(keyword); |
|
539 |
parseEquals(); |
|
540 |
boolean value = parseBoolean(); |
|
541 |
debug(keyword + ": " + value); |
|
542 |
return value; |
|
543 |
} |
|
544 |
||
545 |
private int parseIntegerEntry(String keyword) throws IOException { |
|
546 |
checkDup(keyword); |
|
547 |
parseEquals(); |
|
548 |
int value = decodeNumber(parseWord()); |
|
549 |
debug(keyword + ": " + value); |
|
550 |
return value; |
|
551 |
} |
|
552 |
||
553 |
private boolean parseBoolean() throws IOException { |
|
554 |
String val = parseWord(); |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
555 |
switch (val) { |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
556 |
case "true": |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
557 |
return true; |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
558 |
case "false": |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
559 |
return false; |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
560 |
default: |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
561 |
throw excToken("Expected boolean value, read:"); |
2 | 562 |
} |
563 |
} |
|
564 |
||
565 |
private String parseLine() throws IOException { |
|
566 |
String s = parseWord(); |
|
567 |
while (true) { |
|
568 |
int token = nextToken(); |
|
569 |
if ((token == TT_EOL) || (token == TT_EOF)) { |
|
570 |
break; |
|
571 |
} |
|
572 |
if (token != TT_WORD) { |
|
573 |
throw excToken("Unexpected value"); |
|
574 |
} |
|
575 |
s = s + " " + st.sval; |
|
576 |
} |
|
577 |
return s; |
|
578 |
} |
|
579 |
||
580 |
private int decodeNumber(String str) throws IOException { |
|
581 |
try { |
|
582 |
if (str.startsWith("0x") || str.startsWith("0X")) { |
|
583 |
return Integer.parseInt(str.substring(2), 16); |
|
584 |
} else { |
|
585 |
return Integer.parseInt(str); |
|
586 |
} |
|
587 |
} catch (NumberFormatException e) { |
|
588 |
throw excToken("Expected number, read"); |
|
589 |
} |
|
590 |
} |
|
591 |
||
592 |
private static boolean isNumber(String s) { |
|
593 |
if (s.length() == 0) { |
|
594 |
return false; |
|
595 |
} |
|
596 |
char ch = s.charAt(0); |
|
597 |
return ((ch >= '0') && (ch <= '9')); |
|
598 |
} |
|
599 |
||
600 |
private void parseComma() throws IOException { |
|
601 |
int token = nextToken(); |
|
602 |
if (token != ',') { |
|
603 |
throw excToken("Expected ',', read"); |
|
604 |
} |
|
605 |
} |
|
606 |
||
607 |
private static boolean isByteArray(String val) { |
|
608 |
return val.startsWith("0h"); |
|
609 |
} |
|
610 |
||
611 |
private byte[] decodeByteArray(String str) throws IOException { |
|
612 |
if (str.startsWith("0h") == false) { |
|
613 |
throw excToken("Expected byte array value, read"); |
|
614 |
} |
|
615 |
str = str.substring(2); |
|
616 |
// XXX proper hex parsing |
|
617 |
try { |
|
618 |
return new BigInteger(str, 16).toByteArray(); |
|
619 |
} catch (NumberFormatException e) { |
|
620 |
throw excToken("Expected byte array value, read"); |
|
621 |
} |
|
622 |
} |
|
623 |
||
624 |
private void checkDup(String keyword) throws IOException { |
|
625 |
if (parsedKeywords.contains(keyword)) { |
|
626 |
throw excLine(keyword + " must only be specified once"); |
|
627 |
} |
|
628 |
} |
|
629 |
||
630 |
// |
|
631 |
// individual entry parsing methods |
|
632 |
// |
|
633 |
||
634 |
private String parseLibrary(String keyword) throws IOException { |
|
635 |
checkDup(keyword); |
|
636 |
parseEquals(); |
|
637 |
String lib = parseLine(); |
|
638 |
lib = expand(lib); |
|
639 |
int i = lib.indexOf("/$ISA/"); |
|
640 |
if (i != -1) { |
|
641 |
// replace "/$ISA/" with "/sparcv9/" on 64-bit Solaris SPARC |
|
642 |
// and with "/amd64/" on Solaris AMD64. |
|
643 |
// On all other platforms, just turn it into a "/" |
|
644 |
String osName = System.getProperty("os.name", ""); |
|
645 |
String osArch = System.getProperty("os.arch", ""); |
|
646 |
String prefix = lib.substring(0, i); |
|
647 |
String suffix = lib.substring(i + 5); |
|
648 |
if (osName.equals("SunOS") && osArch.equals("sparcv9")) { |
|
649 |
lib = prefix + "/sparcv9" + suffix; |
|
650 |
} else if (osName.equals("SunOS") && osArch.equals("amd64")) { |
|
651 |
lib = prefix + "/amd64" + suffix; |
|
652 |
} else { |
|
653 |
lib = prefix + suffix; |
|
654 |
} |
|
655 |
} |
|
656 |
debug(keyword + ": " + lib); |
|
9849
eb437e9fba66
7003952: SEC: securely load DLLs and launch executables using fully qualified path
valeriep
parents:
9275
diff
changeset
|
657 |
|
eb437e9fba66
7003952: SEC: securely load DLLs and launch executables using fully qualified path
valeriep
parents:
9275
diff
changeset
|
658 |
// Check to see if full path is specified to prevent the DLL |
eb437e9fba66
7003952: SEC: securely load DLLs and launch executables using fully qualified path
valeriep
parents:
9275
diff
changeset
|
659 |
// preloading attack |
eb437e9fba66
7003952: SEC: securely load DLLs and launch executables using fully qualified path
valeriep
parents:
9275
diff
changeset
|
660 |
if (!(new File(lib)).isAbsolute()) { |
eb437e9fba66
7003952: SEC: securely load DLLs and launch executables using fully qualified path
valeriep
parents:
9275
diff
changeset
|
661 |
throw new ConfigurationException( |
eb437e9fba66
7003952: SEC: securely load DLLs and launch executables using fully qualified path
valeriep
parents:
9275
diff
changeset
|
662 |
"Absolute path required for library value: " + lib); |
eb437e9fba66
7003952: SEC: securely load DLLs and launch executables using fully qualified path
valeriep
parents:
9275
diff
changeset
|
663 |
} |
2 | 664 |
return lib; |
665 |
} |
|
666 |
||
667 |
private void parseDescription(String keyword) throws IOException { |
|
668 |
checkDup(keyword); |
|
669 |
parseEquals(); |
|
670 |
description = parseLine(); |
|
671 |
debug("description: " + description); |
|
672 |
} |
|
673 |
||
674 |
private void parseSlotID(String keyword) throws IOException { |
|
675 |
if (slotID >= 0) { |
|
676 |
throw excLine("Duplicate slot definition"); |
|
677 |
} |
|
678 |
if (slotListIndex >= 0) { |
|
679 |
throw excLine |
|
680 |
("Only one of slot and slotListIndex must be specified"); |
|
681 |
} |
|
682 |
parseEquals(); |
|
683 |
String slotString = parseWord(); |
|
684 |
slotID = decodeNumber(slotString); |
|
685 |
debug("slot: " + slotID); |
|
686 |
} |
|
687 |
||
688 |
private void parseSlotListIndex(String keyword) throws IOException { |
|
689 |
if (slotListIndex >= 0) { |
|
690 |
throw excLine("Duplicate slotListIndex definition"); |
|
691 |
} |
|
692 |
if (slotID >= 0) { |
|
693 |
throw excLine |
|
694 |
("Only one of slot and slotListIndex must be specified"); |
|
695 |
} |
|
696 |
parseEquals(); |
|
697 |
String slotString = parseWord(); |
|
698 |
slotListIndex = decodeNumber(slotString); |
|
699 |
debug("slotListIndex: " + slotListIndex); |
|
700 |
} |
|
701 |
||
702 |
private void parseEnabledMechanisms(String keyword) throws IOException { |
|
703 |
enabledMechanisms = parseMechanisms(keyword); |
|
704 |
} |
|
705 |
||
706 |
private void parseDisabledMechanisms(String keyword) throws IOException { |
|
707 |
disabledMechanisms = parseMechanisms(keyword); |
|
708 |
} |
|
709 |
||
710 |
private Set<Long> parseMechanisms(String keyword) throws IOException { |
|
711 |
checkDup(keyword); |
|
712 |
Set<Long> mechs = new HashSet<Long>(); |
|
713 |
parseEquals(); |
|
714 |
parseOpenBraces(); |
|
715 |
while (true) { |
|
716 |
int token = nextToken(); |
|
717 |
if (isCloseBraces(token)) { |
|
718 |
break; |
|
719 |
} |
|
720 |
if (token == TT_EOL) { |
|
721 |
continue; |
|
722 |
} |
|
723 |
if (token != TT_WORD) { |
|
724 |
throw excToken("Expected mechanism, read"); |
|
725 |
} |
|
726 |
long mech = parseMechanism(st.sval); |
|
727 |
mechs.add(Long.valueOf(mech)); |
|
728 |
} |
|
729 |
if (DEBUG) { |
|
730 |
System.out.print("mechanisms: ["); |
|
731 |
for (Long mech : mechs) { |
|
732 |
System.out.print(Functions.getMechanismName(mech)); |
|
733 |
System.out.print(", "); |
|
734 |
} |
|
735 |
System.out.println("]"); |
|
736 |
} |
|
737 |
return mechs; |
|
738 |
} |
|
739 |
||
740 |
private long parseMechanism(String mech) throws IOException { |
|
741 |
if (isNumber(mech)) { |
|
742 |
return decodeNumber(mech); |
|
743 |
} else { |
|
744 |
try { |
|
745 |
return Functions.getMechanismId(mech); |
|
746 |
} catch (IllegalArgumentException e) { |
|
747 |
throw excLine("Unknown mechanism: " + mech); |
|
748 |
} |
|
749 |
} |
|
750 |
} |
|
751 |
||
752 |
private void parseAttributes(String keyword) throws IOException { |
|
753 |
if (templateManager == null) { |
|
754 |
templateManager = new TemplateManager(); |
|
755 |
} |
|
756 |
int token = nextToken(); |
|
757 |
if (token == '=') { |
|
758 |
String s = parseWord(); |
|
759 |
if (s.equals("compatibility") == false) { |
|
760 |
throw excLine("Expected 'compatibility', read " + s); |
|
761 |
} |
|
762 |
setCompatibilityAttributes(); |
|
763 |
return; |
|
764 |
} |
|
765 |
if (token != '(') { |
|
766 |
throw excToken("Expected '(' or '=', read"); |
|
767 |
} |
|
768 |
String op = parseOperation(); |
|
769 |
parseComma(); |
|
770 |
long objectClass = parseObjectClass(); |
|
771 |
parseComma(); |
|
772 |
long keyAlg = parseKeyAlgorithm(); |
|
773 |
token = nextToken(); |
|
774 |
if (token != ')') { |
|
775 |
throw excToken("Expected ')', read"); |
|
776 |
} |
|
777 |
parseEquals(); |
|
778 |
parseOpenBraces(); |
|
779 |
List<CK_ATTRIBUTE> attributes = new ArrayList<CK_ATTRIBUTE>(); |
|
780 |
while (true) { |
|
781 |
token = nextToken(); |
|
782 |
if (isCloseBraces(token)) { |
|
783 |
break; |
|
784 |
} |
|
785 |
if (token == TT_EOL) { |
|
786 |
continue; |
|
787 |
} |
|
788 |
if (token != TT_WORD) { |
|
789 |
throw excToken("Expected mechanism, read"); |
|
790 |
} |
|
791 |
String attributeName = st.sval; |
|
792 |
long attributeId = decodeAttributeName(attributeName); |
|
793 |
parseEquals(); |
|
794 |
String attributeValue = parseWord(); |
|
795 |
attributes.add(decodeAttributeValue(attributeId, attributeValue)); |
|
796 |
} |
|
797 |
templateManager.addTemplate |
|
798 |
(op, objectClass, keyAlg, attributes.toArray(CK_A0)); |
|
799 |
} |
|
800 |
||
801 |
private void setCompatibilityAttributes() { |
|
802 |
// all secret keys |
|
803 |
templateManager.addTemplate(O_ANY, CKO_SECRET_KEY, PCKK_ANY, |
|
804 |
new CK_ATTRIBUTE[] { |
|
805 |
TOKEN_FALSE, |
|
806 |
SENSITIVE_FALSE, |
|
807 |
EXTRACTABLE_TRUE, |
|
808 |
ENCRYPT_TRUE, |
|
809 |
DECRYPT_TRUE, |
|
810 |
WRAP_TRUE, |
|
811 |
UNWRAP_TRUE, |
|
812 |
}); |
|
813 |
||
814 |
// generic secret keys are special |
|
815 |
// They are used as MAC keys plus for the SSL/TLS (pre)master secrets |
|
816 |
templateManager.addTemplate(O_ANY, CKO_SECRET_KEY, CKK_GENERIC_SECRET, |
|
817 |
new CK_ATTRIBUTE[] { |
|
818 |
SIGN_TRUE, |
|
819 |
VERIFY_TRUE, |
|
820 |
ENCRYPT_NULL, |
|
821 |
DECRYPT_NULL, |
|
822 |
WRAP_NULL, |
|
823 |
UNWRAP_NULL, |
|
824 |
DERIVE_TRUE, |
|
825 |
}); |
|
826 |
||
827 |
// all private and public keys |
|
828 |
templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, PCKK_ANY, |
|
829 |
new CK_ATTRIBUTE[] { |
|
830 |
TOKEN_FALSE, |
|
831 |
SENSITIVE_FALSE, |
|
832 |
EXTRACTABLE_TRUE, |
|
833 |
}); |
|
834 |
templateManager.addTemplate(O_ANY, CKO_PUBLIC_KEY, PCKK_ANY, |
|
835 |
new CK_ATTRIBUTE[] { |
|
836 |
TOKEN_FALSE, |
|
837 |
}); |
|
838 |
||
839 |
// additional attributes for RSA private keys |
|
840 |
templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, CKK_RSA, |
|
841 |
new CK_ATTRIBUTE[] { |
|
842 |
DECRYPT_TRUE, |
|
843 |
SIGN_TRUE, |
|
844 |
SIGN_RECOVER_TRUE, |
|
845 |
UNWRAP_TRUE, |
|
846 |
}); |
|
847 |
// additional attributes for RSA public keys |
|
848 |
templateManager.addTemplate(O_ANY, CKO_PUBLIC_KEY, CKK_RSA, |
|
849 |
new CK_ATTRIBUTE[] { |
|
850 |
ENCRYPT_TRUE, |
|
851 |
VERIFY_TRUE, |
|
852 |
VERIFY_RECOVER_TRUE, |
|
853 |
WRAP_TRUE, |
|
854 |
}); |
|
855 |
||
856 |
// additional attributes for DSA private keys |
|
857 |
templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, CKK_DSA, |
|
858 |
new CK_ATTRIBUTE[] { |
|
859 |
SIGN_TRUE, |
|
860 |
}); |
|
861 |
// additional attributes for DSA public keys |
|
862 |
templateManager.addTemplate(O_ANY, CKO_PUBLIC_KEY, CKK_DSA, |
|
863 |
new CK_ATTRIBUTE[] { |
|
864 |
VERIFY_TRUE, |
|
865 |
}); |
|
866 |
||
867 |
// additional attributes for DH private keys |
|
868 |
templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, CKK_DH, |
|
869 |
new CK_ATTRIBUTE[] { |
|
870 |
DERIVE_TRUE, |
|
871 |
}); |
|
872 |
||
873 |
// additional attributes for EC private keys |
|
874 |
templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, CKK_EC, |
|
875 |
new CK_ATTRIBUTE[] { |
|
876 |
SIGN_TRUE, |
|
877 |
DERIVE_TRUE, |
|
878 |
}); |
|
879 |
// additional attributes for EC public keys |
|
880 |
templateManager.addTemplate(O_ANY, CKO_PUBLIC_KEY, CKK_EC, |
|
881 |
new CK_ATTRIBUTE[] { |
|
882 |
VERIFY_TRUE, |
|
883 |
}); |
|
884 |
} |
|
885 |
||
886 |
private final static CK_ATTRIBUTE[] CK_A0 = new CK_ATTRIBUTE[0]; |
|
887 |
||
888 |
private String parseOperation() throws IOException { |
|
889 |
String op = parseWord(); |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
890 |
switch (op) { |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
891 |
case "*": |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
892 |
return TemplateManager.O_ANY; |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
893 |
case "generate": |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
894 |
return TemplateManager.O_GENERATE; |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
895 |
case "import": |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
896 |
return TemplateManager.O_IMPORT; |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
897 |
default: |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
898 |
throw excLine("Unknown operation " + op); |
2 | 899 |
} |
900 |
} |
|
901 |
||
902 |
private long parseObjectClass() throws IOException { |
|
903 |
String name = parseWord(); |
|
904 |
try { |
|
905 |
return Functions.getObjectClassId(name); |
|
906 |
} catch (IllegalArgumentException e) { |
|
907 |
throw excLine("Unknown object class " + name); |
|
908 |
} |
|
909 |
} |
|
910 |
||
911 |
private long parseKeyAlgorithm() throws IOException { |
|
912 |
String name = parseWord(); |
|
913 |
if (isNumber(name)) { |
|
914 |
return decodeNumber(name); |
|
915 |
} else { |
|
916 |
try { |
|
917 |
return Functions.getKeyId(name); |
|
918 |
} catch (IllegalArgumentException e) { |
|
919 |
throw excLine("Unknown key algorithm " + name); |
|
920 |
} |
|
921 |
} |
|
922 |
} |
|
923 |
||
924 |
private long decodeAttributeName(String name) throws IOException { |
|
925 |
if (isNumber(name)) { |
|
926 |
return decodeNumber(name); |
|
927 |
} else { |
|
928 |
try { |
|
929 |
return Functions.getAttributeId(name); |
|
930 |
} catch (IllegalArgumentException e) { |
|
931 |
throw excLine("Unknown attribute name " + name); |
|
932 |
} |
|
933 |
} |
|
934 |
} |
|
935 |
||
936 |
private CK_ATTRIBUTE decodeAttributeValue(long id, String value) |
|
937 |
throws IOException { |
|
938 |
if (value.equals("null")) { |
|
939 |
return new CK_ATTRIBUTE(id); |
|
940 |
} else if (value.equals("true")) { |
|
941 |
return new CK_ATTRIBUTE(id, true); |
|
942 |
} else if (value.equals("false")) { |
|
943 |
return new CK_ATTRIBUTE(id, false); |
|
944 |
} else if (isByteArray(value)) { |
|
945 |
return new CK_ATTRIBUTE(id, decodeByteArray(value)); |
|
946 |
} else if (isNumber(value)) { |
|
947 |
return new CK_ATTRIBUTE(id, Integer.valueOf(decodeNumber(value))); |
|
948 |
} else { |
|
949 |
throw excLine("Unknown attribute value " + value); |
|
950 |
} |
|
951 |
} |
|
952 |
||
953 |
private void parseNSSArgs(String keyword) throws IOException { |
|
954 |
checkDup(keyword); |
|
955 |
parseEquals(); |
|
956 |
int token = nextToken(); |
|
957 |
if (token != '"') { |
|
958 |
throw excToken("Expected quoted string"); |
|
959 |
} |
|
960 |
nssArgs = expand(st.sval); |
|
961 |
debug("nssArgs: " + nssArgs); |
|
962 |
} |
|
963 |
||
964 |
private void parseHandleStartupErrors(String keyword) throws IOException { |
|
965 |
checkDup(keyword); |
|
966 |
parseEquals(); |
|
967 |
String val = parseWord(); |
|
968 |
if (val.equals("ignoreAll")) { |
|
969 |
handleStartupErrors = ERR_IGNORE_ALL; |
|
970 |
} else if (val.equals("ignoreMissingLibrary")) { |
|
971 |
handleStartupErrors = ERR_IGNORE_LIB; |
|
972 |
} else if (val.equals("halt")) { |
|
973 |
handleStartupErrors = ERR_HALT; |
|
974 |
} else { |
|
975 |
throw excToken("Invalid value for handleStartupErrors:"); |
|
976 |
} |
|
977 |
debug("handleStartupErrors: " + handleStartupErrors); |
|
978 |
} |
|
979 |
||
980 |
} |
|
981 |
||
982 |
class ConfigurationException extends IOException { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9849
diff
changeset
|
983 |
private static final long serialVersionUID = 254492758807673194L; |
2 | 984 |
ConfigurationException(String msg) { |
985 |
super(msg); |
|
986 |
} |
|
987 |
} |