/*
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*/
package java.security;
import sun.misc.
IOUtils;
import java.io.
IOException;
import java.io.
ByteArrayInputStream;
import java.security.cert.
Certificate;
import java.util.
ArrayList;
import java.util.
Hashtable;
import java.lang.reflect.*;
import java.security.cert.*;
import java.util.
List;
/**
* The UnresolvedPermission class is used to hold Permissions that
* were "unresolved" when the Policy was initialized.
* An unresolved permission is one whose actual Permission class
* does not yet exist at the time the Policy is initialized (see below).
*
* <p>The policy for a Java runtime (specifying
* which permissions are available for code from various principals)
* is represented by a Policy object.
* Whenever a Policy is initialized or refreshed, Permission objects of
* appropriate classes are created for all permissions
* allowed by the Policy.
*
* <p>Many permission class types
* referenced by the policy configuration are ones that exist
* locally (i.e., ones that can be found on CLASSPATH).
* Objects for such permissions can be instantiated during
* Policy initialization. For example, it is always possible
* to instantiate a java.io.FilePermission, since the
* FilePermission class is found on the CLASSPATH.
*
* <p>Other permission classes may not yet exist during Policy
* initialization. For example, a referenced permission class may
* be in a JAR file that will later be loaded.
* For each such class, an UnresolvedPermission is instantiated.
* Thus, an UnresolvedPermission is essentially a "placeholder"
* containing information about the permission.
*
* <p>Later, when code calls AccessController.checkPermission
* on a permission of a type that was previously unresolved,
* but whose class has since been loaded, previously-unresolved
* permissions of that type are "resolved". That is,
* for each such UnresolvedPermission, a new object of
* the appropriate class type is instantiated, based on the
* information in the UnresolvedPermission.
*
* <p> To instantiate the new class, UnresolvedPermission assumes
* the class provides a zero, one, and/or two-argument constructor.
* The zero-argument constructor would be used to instantiate
* a permission without a name and without actions.
* A one-arg constructor is assumed to take a {@code String}
* name as input, and a two-arg constructor is assumed to take a
* {@code String} name and {@code String} actions
* as input. UnresolvedPermission may invoke a
* constructor with a {@code null} name and/or actions.
* If an appropriate permission constructor is not available,
* the UnresolvedPermission is ignored and the relevant permission
* will not be granted to executing code.
*
* <p> The newly created permission object replaces the
* UnresolvedPermission, which is removed.
*
* <p> Note that the {@code getName} method for an
* {@code UnresolvedPermission} returns the
* {@code type} (class name) for the underlying permission
* that has not been resolved.
*
* @see java.security.Permission
* @see java.security.Permissions
* @see java.security.PermissionCollection
* @see java.security.Policy
*
*
* @author Roland Schemers
*/
public final class
UnresolvedPermission extends
Permission
implements java.io.
Serializable
{
private static final long
serialVersionUID = -4821973115467008846L;
private static final sun.security.util.
Debug debug =
sun.security.util.
Debug.
getInstance
("policy,access", "UnresolvedPermission");
/**
* The class name of the Permission class that will be
* created when this unresolved permission is resolved.
*
* @serial
*/
private
String type;
/**
* The permission name.
*
* @serial
*/
private
String name;
/**
* The actions of the permission.
*
* @serial
*/
private
String actions;
private transient java.security.cert.
Certificate certs[];
/**
* Creates a new UnresolvedPermission containing the permission
* information needed later to actually create a Permission of the
* specified class, when the permission is resolved.
*
* @param type the class name of the Permission class that will be
* created when this unresolved permission is resolved.
* @param name the name of the permission.
* @param actions the actions of the permission.
* @param certs the certificates the permission's class was signed with.
* This is a list of certificate chains, where each chain is composed of a
* signer certificate and optionally its supporting certificate chain.
* Each chain is ordered bottom-to-top (i.e., with the signer certificate
* first and the (root) certificate authority last). The signer
* certificates are copied from the array. Subsequent changes to
* the array will not affect this UnsolvedPermission.
*/
public
UnresolvedPermission(
String type,
String name,
String actions,
java.security.cert.
Certificate certs[])
{
super(
type);
if (
type == null)
throw new
NullPointerException("type can't be null");
this.
type =
type;
this.
name =
name;
this.
actions =
actions;
if (
certs != null) {
// Extract the signer certs from the list of certificates.
for (int
i=0;
i<
certs.length;
i++) {
if (!(
certs[
i] instanceof
X509Certificate)) {
// there is no concept of signer certs, so we store the
// entire cert array
this.
certs =
certs.
clone();
break;
}
}
if (this.
certs == null) {
// Go through the list of certs and see if all the certs are
// signer certs.
int
i = 0;
int
count = 0;
while (
i <
certs.length) {
count++;
while (((
i+1) <
certs.length) &&
((
X509Certificate)
certs[
i]).
getIssuerDN().
equals(
((
X509Certificate)
certs[
i+1]).
getSubjectDN())) {
i++;
}
i++;
}
if (
count ==
certs.length) {
// All the certs are signer certs, so we store the entire
// array
this.
certs =
certs.
clone();
}
if (this.
certs == null) {
// extract the signer certs
ArrayList<java.security.cert.
Certificate>
signerCerts =
new
ArrayList<>();
i = 0;
while (
i <
certs.length) {
signerCerts.
add(
certs[
i]);
while (((
i+1) <
certs.length) &&
((
X509Certificate)
certs[
i]).
getIssuerDN().
equals(
((
X509Certificate)
certs[
i+1]).
getSubjectDN())) {
i++;
}
i++;
}
this.
certs =
new java.security.cert.
Certificate[
signerCerts.
size()];
signerCerts.
toArray(this.
certs);
}
}
}
}
private static final
Class[]
PARAMS0 = { };
private static final
Class[]
PARAMS1 = {
String.class };
private static final
Class[]
PARAMS2 = {
String.class,
String.class };
/**
* try and resolve this permission using the class loader of the permission
* that was passed in.
*/
Permission resolve(
Permission p, java.security.cert.
Certificate certs[]) {
if (this.
certs != null) {
// if p wasn't signed, we don't have a match
if (
certs == null) {
return null;
}
// all certs in this.certs must be present in certs
boolean
match;
for (int
i = 0;
i < this.
certs.length;
i++) {
match = false;
for (int
j = 0;
j <
certs.length;
j++) {
if (this.
certs[
i].
equals(
certs[
j])) {
match = true;
break;
}
}
if (!
match) return null;
}
}
try {
Class<?>
pc =
p.
getClass();
if (
name == null &&
actions == null) {
try {
Constructor<?>
c =
pc.
getConstructor(
PARAMS0);
return (
Permission)
c.
newInstance(new
Object[] {});
} catch (
NoSuchMethodException ne) {
try {
Constructor<?>
c =
pc.
getConstructor(
PARAMS1);
return (
Permission)
c.
newInstance(
new
Object[] {
name});
} catch (
NoSuchMethodException ne1) {
Constructor<?>
c =
pc.
getConstructor(
PARAMS2);
return (
Permission)
c.
newInstance(
new
Object[] {
name,
actions });
}
}
} else {
if (
name != null &&
actions == null) {
try {
Constructor<?>
c =
pc.
getConstructor(
PARAMS1);
return (
Permission)
c.
newInstance(
new
Object[] {
name});
} catch (
NoSuchMethodException ne) {
Constructor<?>
c =
pc.
getConstructor(
PARAMS2);
return (
Permission)
c.
newInstance(
new
Object[] {
name,
actions });
}
} else {
Constructor<?>
c =
pc.
getConstructor(
PARAMS2);
return (
Permission)
c.
newInstance(
new
Object[] {
name,
actions });
}
}
} catch (
NoSuchMethodException nsme) {
if (
debug != null ) {
debug.
println("NoSuchMethodException:\n could not find " +
"proper constructor for " +
type);
nsme.
printStackTrace();
}
return null;
} catch (
Exception e) {
if (
debug != null ) {
debug.
println("unable to instantiate " +
name);
e.
printStackTrace();
}
return null;
}
}
/**
* This method always returns false for unresolved permissions.
* That is, an UnresolvedPermission is never considered to
* imply another permission.
*
* @param p the permission to check against.
*
* @return false.
*/
public boolean
implies(
Permission p) {
return false;
}
/**
* Checks two UnresolvedPermission objects for equality.
* Checks that <i>obj</i> is an UnresolvedPermission, and has
* the same type (class) name, permission name, actions, and
* certificates as this object.
*
* <p> To determine certificate equality, this method only compares
* actual signer certificates. Supporting certificate chains
* are not taken into consideration by this method.
*
* @param obj the object we are testing for equality with this object.
*
* @return true if obj is an UnresolvedPermission, and has the same
* type (class) name, permission name, actions, and
* certificates as this object.
*/
public boolean
equals(
Object obj) {
if (
obj == this)
return true;
if (! (
obj instanceof
UnresolvedPermission))
return false;
UnresolvedPermission that = (
UnresolvedPermission)
obj;
// check type
if (!this.
type.
equals(
that.
type)) {
return false;
}
// check name
if (this.
name == null) {
if (
that.
name != null) {
return false;
}
} else if (!this.
name.
equals(
that.
name)) {
return false;
}
// check actions
if (this.
actions == null) {
if (
that.
actions != null) {
return false;
}
} else {
if (!this.
actions.
equals(
that.
actions)) {
return false;
}
}
// check certs
if ((this.
certs == null &&
that.
certs != null) ||
(this.
certs != null &&
that.
certs == null) ||
(this.
certs != null &&
that.
certs != null &&
this.
certs.length !=
that.
certs.length)) {
return false;
}
int
i,
j;
boolean
match;
for (
i = 0; this.
certs != null &&
i < this.
certs.length;
i++) {
match = false;
for (
j = 0;
j <
that.
certs.length;
j++) {
if (this.
certs[
i].
equals(
that.
certs[
j])) {
match = true;
break;
}
}
if (!
match) return false;
}
for (
i = 0;
that.
certs != null &&
i <
that.
certs.length;
i++) {
match = false;
for (
j = 0;
j < this.
certs.length;
j++) {
if (
that.
certs[
i].
equals(this.
certs[
j])) {
match = true;
break;
}
}
if (!
match) return false;
}
return true;
}
/**
* Returns the hash code value for this object.
*
* @return a hash code value for this object.
*/
public int
hashCode() {
int
hash =
type.
hashCode();
if (
name != null)
hash ^=
name.
hashCode();
if (
actions != null)
hash ^=
actions.
hashCode();
return
hash;
}
/**
* Returns the canonical string representation of the actions,
* which currently is the empty string "", since there are no actions for
* an UnresolvedPermission. That is, the actions for the
* permission that will be created when this UnresolvedPermission
* is resolved may be non-null, but an UnresolvedPermission
* itself is never considered to have any actions.
*
* @return the empty string "".
*/
public
String getActions()
{
return "";
}
/**
* Get the type (class name) of the underlying permission that
* has not been resolved.
*
* @return the type (class name) of the underlying permission that
* has not been resolved
*
* @since 1.5
*/
public
String getUnresolvedType() {
return
type;
}
/**
* Get the target name of the underlying permission that
* has not been resolved.
*
* @return the target name of the underlying permission that
* has not been resolved, or {@code null},
* if there is no target name
*
* @since 1.5
*/
public
String getUnresolvedName() {
return
name;
}
/**
* Get the actions for the underlying permission that
* has not been resolved.
*
* @return the actions for the underlying permission that
* has not been resolved, or {@code null}
* if there are no actions
*
* @since 1.5
*/
public
String getUnresolvedActions() {
return
actions;
}
/**
* Get the signer certificates (without any supporting chain)
* for the underlying permission that has not been resolved.
*
* @return the signer certificates for the underlying permission that
* has not been resolved, or null, if there are no signer certificates.
* Returns a new array each time this method is called.
*
* @since 1.5
*/
public java.security.cert.
Certificate[]
getUnresolvedCerts() {
return (
certs == null) ? null :
certs.
clone();
}
/**
* Returns a string describing this UnresolvedPermission. The convention
* is to specify the class name, the permission name, and the actions, in
* the following format: '(unresolved "ClassName" "name" "actions")'.
*
* @return information about this UnresolvedPermission.
*/
public
String toString() {
return "(unresolved " +
type + " " +
name + " " +
actions + ")";
}
/**
* Returns a new PermissionCollection object for storing
* UnresolvedPermission objects.
* <p>
* @return a new PermissionCollection object suitable for
* storing UnresolvedPermissions.
*/
public
PermissionCollection newPermissionCollection() {
return new
UnresolvedPermissionCollection();
}
/**
* Writes this object out to a stream (i.e., serializes it).
*
* @serialData An initial {@code String} denoting the
* {@code type} is followed by a {@code String} denoting the
* {@code name} is followed by a {@code String} denoting the
* {@code actions} is followed by an {@code int} indicating the
* number of certificates to follow
* (a value of "zero" denotes that there are no certificates associated
* with this object).
* Each certificate is written out starting with a {@code String}
* denoting the certificate type, followed by an
* {@code int} specifying the length of the certificate encoding,
* followed by the certificate encoding itself which is written out as an
* array of bytes.
*/
private void
writeObject(java.io.
ObjectOutputStream oos)
throws
IOException
{
oos.
defaultWriteObject();
if (
certs==null ||
certs.length==0) {
oos.
writeInt(0);
} else {
// write out the total number of certs
oos.
writeInt(
certs.length);
// write out each cert, including its type
for (int
i=0;
i <
certs.length;
i++) {
java.security.cert.
Certificate cert =
certs[
i];
try {
oos.
writeUTF(
cert.
getType());
byte[]
encoded =
cert.
getEncoded();
oos.
writeInt(
encoded.length);
oos.
write(
encoded);
} catch (
CertificateEncodingException cee) {
throw new
IOException(
cee.
getMessage());
}
}
}
}
/**
* Restores this object from a stream (i.e., deserializes it).
*/
private void
readObject(java.io.
ObjectInputStream ois)
throws
IOException,
ClassNotFoundException
{
CertificateFactory cf;
Hashtable<
String,
CertificateFactory>
cfs = null;
List<
Certificate>
certList = null;
ois.
defaultReadObject();
if (
type == null)
throw new
NullPointerException("type can't be null");
// process any new-style certs in the stream (if present)
int
size =
ois.
readInt();
if (
size > 0) {
// we know of 3 different cert types: X.509, PGP, SDSI, which
// could all be present in the stream at the same time
cfs = new
Hashtable<>(3);
certList = new
ArrayList<>(
size > 20 ? 20 :
size);
} else if (
size < 0) {
throw new
IOException("size cannot be negative");
}
for (int
i=0;
i<
size;
i++) {
// read the certificate type, and instantiate a certificate
// factory of that type (reuse existing factory if possible)
String certType =
ois.
readUTF();
if (
cfs.
containsKey(
certType)) {
// reuse certificate factory
cf =
cfs.
get(
certType);
} else {
// create new certificate factory
try {
cf =
CertificateFactory.
getInstance(
certType);
} catch (
CertificateException ce) {
throw new
ClassNotFoundException
("Certificate factory for "+
certType+" not found");
}
// store the certificate factory so we can reuse it later
cfs.
put(
certType,
cf);
}
// parse the certificate
byte[]
encoded =
IOUtils.
readNBytes(
ois,
ois.
readInt());
ByteArrayInputStream bais = new
ByteArrayInputStream(
encoded);
try {
certList.
add(
cf.
generateCertificate(
bais));
} catch (
CertificateException ce) {
throw new
IOException(
ce.
getMessage());
}
bais.
close();
}
if (
certList != null) {
this.
certs =
certList.
toArray(
new java.security.cert.
Certificate[
size]);
}
}
}