1 /*
2 * Copyright (c) 2007, 2009, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package javax.crypto;
27
28 import java.io;
29 import java.net;
30 import java.security;
31 import java.util.jar;
32
33 /**
34 * This class verifies JAR files (and any supporting JAR files), and
35 * determines whether they may be used in this implementation.
36 *
37 * The JCE in OpenJDK has an open cryptographic interface, meaning it
38 * does not restrict which providers can be used. Compliance with
39 * United States export controls and with local law governing the
40 * import/export of products incorporating the JCE in the OpenJDK is
41 * the responsibility of the licensee.
42 *
43 * @since 1.7
44 */
45 final class JarVerifier {
46
47 // The URL for the JAR file we want to verify.
48 private URL jarURL;
49 private boolean savePerms;
50 private CryptoPermissions appPerms = null;
51
52 /**
53 * Creates a JarVerifier object to verify the given URL.
54 *
55 * @param jarURL the JAR file to be verified.
56 * @param savePerms if true, save the permissions allowed by the
57 * exemption mechanism
58 */
59 JarVerifier(URL jarURL, boolean savePerms) {
60 this.jarURL = jarURL;
61 this.savePerms = savePerms;
62 }
63
64 /**
65 * Verify the JAR file is signed by an entity which has a certificate
66 * issued by a trusted CA.
67 *
68 * In OpenJDK, we just need to examine the "cryptoperms" file to see
69 * if any permissions were bundled together with this jar file.
70 */
71 void verify() throws JarException, IOException {
72
73 // Short-circuit. If we weren't asked to save any, we're done.
74 if (!savePerms) {
75 return;
76 }
77
78 // If the protocol of jarURL isn't "jar", we should
79 // construct a JAR URL so we can open a JarURLConnection
80 // for verifying this provider.
81 final URL url = jarURL.getProtocol().equalsIgnoreCase("jar")?
82 jarURL : new URL("jar:" + jarURL.toString() + "!/");
83
84 JarFile jf = null;
85 try {
86
87 // Get a link to the Jarfile to search.
88 try {
89 jf = (JarFile)
90 AccessController.doPrivileged(
91 new PrivilegedExceptionAction() {
92 public Object run() throws Exception {
93 JarURLConnection conn =
94 (JarURLConnection) url.openConnection();
95 // You could do some caching here as
96 // an optimization.
97 conn.setUseCaches(false);
98 return conn.getJarFile();
99 }
100 });
101 } catch (java.security.PrivilegedActionException pae) {
102 SecurityException se = new SecurityException(
103 "Cannot load " + url.toString());
104 se.initCause(pae);
105 throw se;
106 }
107
108 if (jf != null) {
109 JarEntry je = jf.getJarEntry("cryptoPerms");
110 if (je == null) {
111 throw new JarException(
112 "Can not find cryptoPerms");
113 }
114 try {
115 appPerms = new CryptoPermissions();
116 appPerms.load(jf.getInputStream(je));
117 } catch (Exception ex) {
118 JarException jex =
119 new JarException("Cannot load/parse" +
120 jarURL.toString());
121 jex.initCause(ex);
122 throw jex;
123 }
124 }
125 } finally {
126 // Only call close() when caching is not enabled.
127 // Otherwise, exceptions will be thrown for all
128 // subsequent accesses of this cached jar.
129 if (jf != null) {
130 jf.close();
131 }
132 }
133 }
134
135 /**
136 * Verify that the provided certs include the
137 * framework signing certificate.
138 *
139 * @param certs the list of certs to be checked.
140 * @throws Exception if the list of certs did not contain
141 * the framework signing certificate
142 */
143 static void verifyPolicySigned(java.security.cert.Certificate[] certs)
144 throws Exception {
145 }
146
147 /**
148 * Returns the permissions which are bundled with the JAR file,
149 * aka the "cryptoperms" file.
150 *
151 * NOTE: if this JarVerifier instance is constructed with "savePerms"
152 * equal to false, then this method would always return null.
153 */
154 CryptoPermissions getPermissions() {
155 return appPerms;
156 }
157 }