author | wetmore |
Fri, 26 Aug 2016 13:44:20 -0700 | |
changeset 40565 | 3ac0ba151e70 |
parent 36511 | 9d0388c6b336 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
36119 | 2 |
* Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package javax.crypto; |
|
27 |
||
28 |
import java.util.*; |
|
29 |
import java.util.jar.*; |
|
30 |
import java.io.*; |
|
31 |
import java.net.URL; |
|
40565
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
32 |
import java.nio.file.*; |
2 | 33 |
import java.security.*; |
34 |
||
35 |
import java.security.Provider.Service; |
|
36 |
||
37 |
import sun.security.jca.*; |
|
38 |
import sun.security.jca.GetInstance.Instance; |
|
39 |
||
40 |
/** |
|
41 |
* This class instantiates implementations of JCE engine classes from |
|
42 |
* providers registered with the java.security.Security object. |
|
43 |
* |
|
44 |
* @author Jan Luehe |
|
45 |
* @author Sharon Liu |
|
46 |
* @since 1.4 |
|
47 |
*/ |
|
48 |
||
49 |
final class JceSecurity { |
|
50 |
||
51 |
static final SecureRandom RANDOM = new SecureRandom(); |
|
52 |
||
53 |
// The defaultPolicy and exemptPolicy will be set up |
|
54 |
// in the static initializer. |
|
55 |
private static CryptoPermissions defaultPolicy = null; |
|
56 |
private static CryptoPermissions exemptPolicy = null; |
|
57 |
||
58 |
// Map<Provider,?> of the providers we already have verified |
|
59 |
// value == PROVIDER_VERIFIED is successfully verified |
|
60 |
// value is failure cause Exception in error case |
|
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
30033
diff
changeset
|
61 |
private static final Map<Provider, Object> verificationResults = |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
62 |
new IdentityHashMap<>(); |
2 | 63 |
|
64 |
// Map<Provider,?> of the providers currently being verified |
|
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
30033
diff
changeset
|
65 |
private static final Map<Provider, Object> verifyingProviders = |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
66 |
new IdentityHashMap<>(); |
2 | 67 |
|
36119 | 68 |
private static final boolean isRestricted; |
2 | 69 |
|
70 |
/* |
|
71 |
* Don't let anyone instantiate this. |
|
72 |
*/ |
|
73 |
private JceSecurity() { |
|
74 |
} |
|
75 |
||
76 |
static { |
|
77 |
try { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
78 |
AccessController.doPrivileged( |
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
26861
diff
changeset
|
79 |
new PrivilegedExceptionAction<> () { |
26861
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
80 |
@Override |
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
81 |
public Void run() throws Exception { |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
82 |
setupJurisdictionPolicies(); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
83 |
return null; |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
84 |
} |
26861
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
85 |
} |
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
86 |
); |
2 | 87 |
|
88 |
isRestricted = defaultPolicy.implies( |
|
89 |
CryptoAllPermission.INSTANCE) ? false : true; |
|
90 |
} catch (Exception e) { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
91 |
throw new SecurityException( |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
92 |
"Can not initialize cryptographic mechanism", e); |
2 | 93 |
} |
94 |
} |
|
95 |
||
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
96 |
static Instance getInstance(String type, Class<?> clazz, String algorithm, |
2 | 97 |
String provider) throws NoSuchAlgorithmException, |
98 |
NoSuchProviderException { |
|
99 |
Service s = GetInstance.getService(type, algorithm, provider); |
|
100 |
Exception ve = getVerificationResult(s.getProvider()); |
|
101 |
if (ve != null) { |
|
102 |
String msg = "JCE cannot authenticate the provider " + provider; |
|
103 |
throw (NoSuchProviderException) |
|
104 |
new NoSuchProviderException(msg).initCause(ve); |
|
105 |
} |
|
106 |
return GetInstance.getInstance(s, clazz); |
|
107 |
} |
|
108 |
||
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
109 |
static Instance getInstance(String type, Class<?> clazz, String algorithm, |
2 | 110 |
Provider provider) throws NoSuchAlgorithmException { |
111 |
Service s = GetInstance.getService(type, algorithm, provider); |
|
112 |
Exception ve = JceSecurity.getVerificationResult(provider); |
|
113 |
if (ve != null) { |
|
114 |
String msg = "JCE cannot authenticate the provider " |
|
115 |
+ provider.getName(); |
|
116 |
throw new SecurityException(msg, ve); |
|
117 |
} |
|
118 |
return GetInstance.getInstance(s, clazz); |
|
119 |
} |
|
120 |
||
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
121 |
static Instance getInstance(String type, Class<?> clazz, String algorithm) |
2 | 122 |
throws NoSuchAlgorithmException { |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
123 |
List<Service> services = GetInstance.getServices(type, algorithm); |
2 | 124 |
NoSuchAlgorithmException failure = null; |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
125 |
for (Service s : services) { |
2 | 126 |
if (canUseProvider(s.getProvider()) == false) { |
127 |
// allow only signed providers |
|
128 |
continue; |
|
129 |
} |
|
130 |
try { |
|
131 |
Instance instance = GetInstance.getInstance(s, clazz); |
|
132 |
return instance; |
|
133 |
} catch (NoSuchAlgorithmException e) { |
|
134 |
failure = e; |
|
135 |
} |
|
136 |
} |
|
137 |
throw new NoSuchAlgorithmException("Algorithm " + algorithm |
|
138 |
+ " not available", failure); |
|
139 |
} |
|
140 |
||
141 |
/** |
|
142 |
* Verify if the JAR at URL codeBase is a signed exempt application |
|
143 |
* JAR file and returns the permissions bundled with the JAR. |
|
144 |
* |
|
145 |
* @throws Exception on error |
|
146 |
*/ |
|
147 |
static CryptoPermissions verifyExemptJar(URL codeBase) throws Exception { |
|
26861
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
148 |
ProviderVerifier pv = new ProviderVerifier(codeBase, true); |
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
149 |
pv.verify(); |
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
150 |
return pv.getPermissions(); |
2 | 151 |
} |
152 |
||
153 |
/** |
|
154 |
* Verify if the JAR at URL codeBase is a signed provider JAR file. |
|
155 |
* |
|
156 |
* @throws Exception on error |
|
157 |
*/ |
|
26861
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
158 |
static void verifyProvider(URL codeBase, Provider p) throws Exception { |
2 | 159 |
// Verify the provider JAR file and all |
160 |
// supporting JAR files if there are any. |
|
26861
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
161 |
ProviderVerifier pv = new ProviderVerifier(codeBase, p, false); |
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
162 |
pv.verify(); |
2 | 163 |
} |
164 |
||
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
30033
diff
changeset
|
165 |
private static final Object PROVIDER_VERIFIED = Boolean.TRUE; |
2 | 166 |
|
167 |
/* |
|
168 |
* Verify that the provider JAR files are signed properly, which |
|
169 |
* means the signer's certificate can be traced back to a |
|
170 |
* JCE trusted CA. |
|
171 |
* Return null if ok, failure Exception if verification failed. |
|
172 |
*/ |
|
173 |
static synchronized Exception getVerificationResult(Provider p) { |
|
174 |
Object o = verificationResults.get(p); |
|
175 |
if (o == PROVIDER_VERIFIED) { |
|
176 |
return null; |
|
177 |
} else if (o != null) { |
|
178 |
return (Exception)o; |
|
179 |
} |
|
180 |
if (verifyingProviders.get(p) != null) { |
|
181 |
// this method is static synchronized, must be recursion |
|
182 |
// return failure now but do not save the result |
|
183 |
return new NoSuchProviderException("Recursion during verification"); |
|
184 |
} |
|
185 |
try { |
|
186 |
verifyingProviders.put(p, Boolean.FALSE); |
|
187 |
URL providerURL = getCodeBase(p.getClass()); |
|
26861
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
188 |
verifyProvider(providerURL, p); |
2 | 189 |
// Verified ok, cache result |
190 |
verificationResults.put(p, PROVIDER_VERIFIED); |
|
191 |
return null; |
|
192 |
} catch (Exception e) { |
|
193 |
verificationResults.put(p, e); |
|
194 |
return e; |
|
195 |
} finally { |
|
196 |
verifyingProviders.remove(p); |
|
197 |
} |
|
198 |
} |
|
199 |
||
200 |
// return whether this provider is properly signed and can be used by JCE |
|
201 |
static boolean canUseProvider(Provider p) { |
|
202 |
return getVerificationResult(p) == null; |
|
203 |
} |
|
204 |
||
205 |
// dummy object to represent null |
|
206 |
private static final URL NULL_URL; |
|
207 |
||
208 |
static { |
|
209 |
try { |
|
40565
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
210 |
NULL_URL = new URL("http://null.oracle.com/"); |
2 | 211 |
} catch (Exception e) { |
212 |
throw new RuntimeException(e); |
|
213 |
} |
|
214 |
} |
|
215 |
||
216 |
// reference to a Map we use as a cache for codebases |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
217 |
private static final Map<Class<?>, URL> codeBaseCacheRef = |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
218 |
new WeakHashMap<>(); |
2 | 219 |
|
220 |
/* |
|
24501
767c30e88a61
8028627: Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
robm
parents:
10336
diff
changeset
|
221 |
* Returns the CodeBase for the given class. |
2 | 222 |
*/ |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
223 |
static URL getCodeBase(final Class<?> clazz) { |
24501
767c30e88a61
8028627: Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
robm
parents:
10336
diff
changeset
|
224 |
synchronized (codeBaseCacheRef) { |
767c30e88a61
8028627: Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
robm
parents:
10336
diff
changeset
|
225 |
URL url = codeBaseCacheRef.get(clazz); |
767c30e88a61
8028627: Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
robm
parents:
10336
diff
changeset
|
226 |
if (url == null) { |
26861
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
227 |
url = AccessController.doPrivileged( |
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
26861
diff
changeset
|
228 |
new PrivilegedAction<>() { |
26861
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
229 |
@Override |
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
230 |
public URL run() { |
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
231 |
ProtectionDomain pd = clazz.getProtectionDomain(); |
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
232 |
if (pd != null) { |
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
233 |
CodeSource cs = pd.getCodeSource(); |
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
234 |
if (cs != null) { |
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
235 |
return cs.getLocation(); |
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
236 |
} |
24501
767c30e88a61
8028627: Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
robm
parents:
10336
diff
changeset
|
237 |
} |
26861
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
238 |
return NULL_URL; |
2 | 239 |
} |
26861
47dde7f5cf36
8058845: Update JCE environment for build improvements
wetmore
parents:
25859
diff
changeset
|
240 |
}); |
24501
767c30e88a61
8028627: Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
robm
parents:
10336
diff
changeset
|
241 |
codeBaseCacheRef.put(clazz, url); |
767c30e88a61
8028627: Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
robm
parents:
10336
diff
changeset
|
242 |
} |
767c30e88a61
8028627: Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
robm
parents:
10336
diff
changeset
|
243 |
return (url == NULL_URL) ? null : url; |
2 | 244 |
} |
245 |
} |
|
246 |
||
40565
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
247 |
// This is called from within an doPrivileged block. |
2 | 248 |
private static void setupJurisdictionPolicies() throws Exception { |
40565
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
249 |
|
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
250 |
// Sanity check the crypto.policy Security property. Single |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
251 |
// directory entry, no pseudo-directories (".", "..", leading/trailing |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
252 |
// path separators). normalize()/getParent() will help later. |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
253 |
String cryptoPolicyProperty = Security.getProperty("crypto.policy"); |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
254 |
Path cpPath = Paths.get(cryptoPolicyProperty); |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
255 |
|
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
256 |
if ((cryptoPolicyProperty == null) || |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
257 |
(cpPath.getNameCount() != 1) || |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
258 |
(cpPath.compareTo(cpPath.getFileName()) != 0)) { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
259 |
throw new SecurityException( |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
260 |
"Invalid policy directory name format: " + |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
261 |
cryptoPolicyProperty); |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
262 |
} |
2 | 263 |
|
40565
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
264 |
// Prepend java.home to get the full path. normalize() in |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
265 |
// case an extra "." or ".." snuck in somehow. |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
266 |
String javaHomeProperty = System.getProperty("java.home"); |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
267 |
Path javaHomePolicyPath = Paths.get(javaHomeProperty, "conf", |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
268 |
"security", "policy").normalize(); |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
269 |
Path cryptoPolicyPath = Paths.get(javaHomeProperty, "conf", "security", |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
270 |
"policy", cryptoPolicyProperty).normalize(); |
2 | 271 |
|
40565
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
272 |
if (cryptoPolicyPath.getParent().compareTo(javaHomePolicyPath) != 0) { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
273 |
throw new SecurityException( |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
274 |
"Invalid cryptographic jurisdiction policy directory path: " + |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
275 |
cryptoPolicyProperty); |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
276 |
} |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
277 |
|
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
278 |
if (!Files.isDirectory(cryptoPolicyPath) |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
279 |
|| !Files.isReadable(cryptoPolicyPath)) { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
280 |
throw new SecurityException( |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
281 |
"Can't read cryptographic policy directory: " + |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
282 |
cryptoPolicyProperty); |
2 | 283 |
} |
284 |
||
40565
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
285 |
try (DirectoryStream<Path> stream = Files.newDirectoryStream( |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
286 |
cryptoPolicyPath, "{default,exempt}_*.policy")) { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
287 |
for (Path entry : stream) { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
288 |
try (InputStream is = new BufferedInputStream( |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
289 |
Files.newInputStream(entry))) { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
290 |
String filename = entry.getFileName().toString(); |
2 | 291 |
|
40565
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
292 |
CryptoPermissions tmpPerms = new CryptoPermissions(); |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
293 |
tmpPerms.load(is); |
2 | 294 |
|
40565
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
295 |
if (filename.startsWith("default_")) { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
296 |
// Did we find a default perms? |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
297 |
defaultPolicy = ((defaultPolicy == null) ? tmpPerms : |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
298 |
defaultPolicy.getMinimum(tmpPerms)); |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
299 |
} else if (filename.startsWith("exempt_")) { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
300 |
// Did we find a exempt perms? |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
301 |
exemptPolicy = ((exemptPolicy == null) ? tmpPerms : |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
302 |
exemptPolicy.getMinimum(tmpPerms)); |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
303 |
} else { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
304 |
// This should never happen. newDirectoryStream |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
305 |
// should only throw return "{default,exempt}_*.policy" |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
306 |
throw new SecurityException( |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
307 |
"Unexpected jurisdiction policy files in : " + |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
308 |
cryptoPolicyProperty); |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
309 |
} |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
310 |
} catch (Exception e) { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
311 |
throw new SecurityException( |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
312 |
"Couldn't parse jurisdiction policy files in: " + |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
313 |
cryptoPolicyProperty); |
2 | 314 |
} |
315 |
} |
|
40565
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
316 |
} catch (DirectoryIteratorException ex) { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
317 |
// I/O error encountered during the iteration, |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
318 |
// the cause is an IOException |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
319 |
throw new SecurityException( |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
320 |
"Couldn't iterate through the jurisdiction policy files: " + |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
321 |
cryptoPolicyProperty); |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
322 |
} |
2 | 323 |
|
40565
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
324 |
// Must have a default policy |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
325 |
if ((defaultPolicy == null) || defaultPolicy.isEmpty()) { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
326 |
throw new SecurityException( |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
327 |
"Missing mandatory jurisdiction policy files: " + |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
328 |
cryptoPolicyProperty); |
2 | 329 |
} |
40565
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
330 |
|
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
331 |
// If there was an empty exempt policy file, ignore it. |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
332 |
if ((exemptPolicy != null) && exemptPolicy.isEmpty()) { |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
333 |
exemptPolicy = null; |
3ac0ba151e70
8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents:
36511
diff
changeset
|
334 |
} |
2 | 335 |
} |
336 |
||
337 |
static CryptoPermissions getDefaultPolicy() { |
|
338 |
return defaultPolicy; |
|
339 |
} |
|
340 |
||
341 |
static CryptoPermissions getExemptPolicy() { |
|
342 |
return exemptPolicy; |
|
343 |
} |
|
344 |
||
345 |
static boolean isRestricted() { |
|
346 |
return isRestricted; |
|
347 |
} |
|
348 |
} |