/* CodeSource.java -- Code location and certifcates Copyright (C) 1998, 2002, 2004 Free Software Foundation, Inc. This file is part of GNU Classpath. GNU Classpath is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. GNU Classpath is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with GNU Classpath; see the file COPYING. If not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. Linking this library statically or dynamically with other modules is making a combined work based on this library. Thus, the terms and conditions of the GNU General Public License cover the whole combination. As a special exception, the copyright holders of this library give you permission to link this library with independent modules to produce an executable, regardless of the license terms of these independent modules, and to copy and distribute the resulting executable under terms of your choice, provided that you also meet, for each linked independent module, the terms and conditions of the license of that module. An independent module is a module which is not derived from or based on this library. If you modify this library, you may extend this exception to your version of the library, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. */ package java.security; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.io.Serializable; import java.net.SocketPermission; import java.net.URL; // Note that this overrides Certificate in this package. import java.security.cert.Certificate; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.util.Arrays; import java.util.HashSet; import java.util.Iterator; /** * This class represents a location from which code is loaded (as * represented by a URL), and the list of certificates that are used to * check the signatures of signed code loaded from this source. * * @author Aaron M. Renn (arenn@urbanophile.com) * @author Eric Blake (ebb9@email.byu.edu) * @since 1.1 * @status updated to 1.4 */ public class CodeSource implements Serializable { /** * Compatible with JDK 1.1+. */ private static final long serialVersionUID = 4977541819976013951L; /** * This is the URL that represents the code base from which code will * be loaded. * * @serial the code location */ private final URL location; /** The set of certificates for this code base. */ private transient HashSet certs; /** * This creates a new instance of <code>CodeSource</code> that loads code * from the specified URL location and which uses the specified certificates * for verifying signatures. * * @param location the location from which code will be loaded * @param certs the list of certificates */ public CodeSource(URL location, Certificate[] certs) { this.location = location; if (certs != null) this.certs = new HashSet(Arrays.asList(certs)); } /** * This method returns a hash value for this object. * * @return a hash value for this object */ public int hashCode() { return (location == null ? 0 : location.hashCode()) ^ (certs == null ? 0 : certs.hashCode()); } /** * This method tests the specified <code>Object</code> for equality with * this object. This will be true if and only if the locations are equal * and the certificate sets are identical (ignoring order). * * @param obj the <code>Object</code> to test against * @return true if the specified object is equal to this one */ public boolean equals(Object obj) { if (! (obj instanceof CodeSource)) return false; CodeSource cs = (CodeSource) obj; return (certs == null ? cs.certs == null : certs.equals(cs.certs)) && (location == null ? cs.location == null : location.equals(cs.location)); } /** * This method returns the URL specifying the location from which code * will be loaded under this <code>CodeSource</code>. * * @return the code location for this <code>CodeSource</code> */ public final URL getLocation() { return location; } /** * This method returns the list of digital certificates that can be used * to verify the signatures of code loaded under this * <code>CodeSource</code>. * * @return the certifcate list for this <code>CodeSource</code> */ public final Certificate[] getCertificates() { if (certs == null) return null; Certificate[] c = new Certificate[certs.size()]; certs.toArray(c); return c; } /** * This method tests to see if a specified <code>CodeSource</code> is * implied by this object. Effectively, to meet this test, the specified * object must have all the certifcates this object has (but may have more), * and must have a location that is a subset of this object's. In order * for this object to imply the specified object, the following must be * true: * * <ol> * <li><em>codesource</em> must not be <code>null</code>.</li> * <li>If <em>codesource</em> has a certificate list, all of it's * certificates must be present in the certificate list of this * code source.</li> * <li>If this object does not have a <code>null</code> location, then * the following addtional tests must be passed. * * <ol> * <li><em>codesource</em> must not have a <code>null</code> * location.</li> * <li><em>codesource</em>'s location must be equal to this object's * location, or * <ul> * <li><em>codesource</em>'s location protocol, port, and ref (aka, * anchor) must equal this objects</li> * <li><em>codesource</em>'s location host must imply this object's * location host, as determined by contructing * <code>SocketPermission</code> objects from each with no * action list and using that classes's <code>implies</code> * method</li> * <li>If this object's location file ends with a '/', then the * specified object's location file must start with this * object's location file. Otherwise, the specified object's * location file must start with this object's location file * with the '/' character appended to it.</li> * </ul></li> * </ol></li> * </ol> * * <p>For example, each of these locations imply the location * "http://java.sun.com/classes/foo.jar":</p> * * <pre> * http: * http://*.sun.com/classes/* * http://java.sun.com/classes/- * http://java.sun.com/classes/foo.jar * </pre> * * <p>Note that the code source with null location and null certificates implies * all other code sources.</p> * * @param cs the <code>CodeSource</code> to test against this object * @return true if this specified <code>CodeSource</code> is implied */ public boolean implies(CodeSource cs) { if (cs == null) return false; // First check the certificate list. if (certs != null && (cs.certs == null || ! certs.containsAll(cs.certs))) return false; // Next check the location. if (location == null) return true; if (cs.location == null || ! location.getProtocol().equals(cs.location.getProtocol()) || (location.getPort() != -1 && location.getPort() != cs.location.getPort()) || (location.getRef() != null && ! location.getRef().equals(cs.location.getRef()))) return false; if (location.getHost() != null) { String their_host = cs.location.getHost(); if (their_host == null) return false; SocketPermission our_sockperm = new SocketPermission(location.getHost(), "accept"); SocketPermission their_sockperm = new SocketPermission(their_host, "accept"); if (! our_sockperm.implies(their_sockperm)) return false; } String our_file = location.getFile(); if (our_file != null) { if (! our_file.endsWith("/")) our_file += "/"; String their_file = cs.location.getFile(); if (their_file == null || ! their_file.startsWith(our_file)) return false; } return true; } /** * This method returns a <code>String</code> that represents this object. * The result is in the format <code>"(" + getLocation()</code> followed * by a space separated list of certificates (or "<no certificates>"), * followed by <code>")"</code>. * * @return a <code>String</code> for this object */ public String toString() { StringBuffer sb = new StringBuffer("(").append(location); if (certs == null || certs.isEmpty()) sb.append(" <no certificates>"); else { Iterator iter = certs.iterator(); for (int i = certs.size(); --i >= 0; ) sb.append(' ').append(iter.next()); } return sb.append(")").toString(); } /** * Reads this object from a serialization stream. * * @param s the input stream * @throws IOException if reading fails * @throws ClassNotFoundException if deserialization fails * @serialData this reads the location, then expects an int indicating the * number of certificates. Each certificate is a String type * followed by an int encoding length, then a byte[] encoding */ private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException { s.defaultReadObject(); int count = s.readInt(); certs = new HashSet(); while (--count >= 0) { String type = (String) s.readObject(); int bytes = s.readInt(); byte[] encoded = new byte[bytes]; for (int i = 0; i < bytes; i++) encoded[i] = s.readByte(); ByteArrayInputStream stream = new ByteArrayInputStream(encoded); try { CertificateFactory factory = CertificateFactory.getInstance(type); certs.add(factory.generateCertificate(stream)); } catch (CertificateException e) { // XXX Should we ignore this certificate? } } } /** * Writes this object to a serialization stream. * * @param s the output stream * @throws IOException if writing fails * @serialData this writes the location, then writes an int indicating the * number of certificates. Each certificate is a String type * followed by an int encoding length, then a byte[] encoding */ private void writeObject(ObjectOutputStream s) throws IOException { s.defaultWriteObject(); if (certs == null) s.writeInt(0); else { int count = certs.size(); s.writeInt(count); Iterator iter = certs.iterator(); while (--count >= 0) { Certificate c = (Certificate) iter.next(); s.writeObject(c.getType()); byte[] encoded; try { encoded = c.getEncoded(); } catch (CertificateEncodingException e) { // XXX Should we ignore this certificate? encoded = null; } if (encoded == null) s.writeInt(0); else { s.writeInt(encoded.length); for (int i = 0; i < encoded.length; i++) s.writeByte(encoded[i]); } } } } } // class CodeSource