/**
* Load the policies from the specified file. Also checks that the policies are correctly signed.
*/
private static void loadPolicies(
File jarPathName, CryptoPermissions defaultPolicy, CryptoPermissions exemptPolicy)
throws Exception {
JarFile jf = new JarFile(jarPathName);
Enumeration<JarEntry> entries = jf.entries();
while (entries.hasMoreElements()) {
JarEntry je = entries.nextElement();
InputStream is = null;
try {
if (je.getName().startsWith("default_")) {
is = jf.getInputStream(je);
defaultPolicy.load(is);
} else if (je.getName().startsWith("exempt_")) {
is = jf.getInputStream(je);
exemptPolicy.load(is);
} else {
continue;
}
} finally {
if (is != null) {
is.close();
}
}
// Enforce the signer restraint, i.e. signer of JCE framework
// jar should also be the signer of the two jurisdiction policy
// jar files.
JarVerifier.verifyPolicySigned(je.getCertificates());
}
// Close and nullify the JarFile reference to help GC.
jf.close();
jf = null;
}
/**
* Loads the keystore from the Keychain.
*
* @param stream Ignored - here for API compatibility.
* @param password Ignored - if user needs to unlock keychain Security framework will post any
* dialogs.
* @exception IOException if there is an I/O or format problem with the keystore data
* @exception NoSuchAlgorithmException if the algorithm used to check the integrity of the
* keystore cannot be found
* @exception CertificateException if any of the certificates in the keystore could not be loaded
*/
public void engineLoad(InputStream stream, char[] password)
throws IOException, NoSuchAlgorithmException, CertificateException {
permissionCheck();
// Release any stray keychain references before clearing out the entries.
synchronized (entries) {
for (Enumeration<String> e = entries.keys(); e.hasMoreElements(); ) {
String alias = e.nextElement();
Object entry = entries.get(alias);
if (entry instanceof TrustedCertEntry) {
if (((TrustedCertEntry) entry).certRef != 0) {
_releaseKeychainItemRef(((TrustedCertEntry) entry).certRef);
}
} else {
KeyEntry keyEntry = (KeyEntry) entry;
if (keyEntry.chain != null) {
for (int i = 0; i < keyEntry.chain.length; i++) {
if (keyEntry.chainRefs[i] != 0) {
_releaseKeychainItemRef(keyEntry.chainRefs[i]);
}
}
if (keyEntry.keyRef != 0) {
_releaseKeychainItemRef(keyEntry.keyRef);
}
}
}
}
entries.clear();
_scanKeychain();
}
}
protected PermissionCollection getPermissions(CodeSource codeSource) {
PermissionCollection perms;
try {
try {
perms = super.getPermissions(codeSource);
} catch (SecurityException e) {
// We lied about our CodeSource and that makes URLClassLoader unhappy.
perms = new Permissions();
}
ProtectionDomain myDomain =
AccessController.doPrivileged(
new PrivilegedAction<ProtectionDomain>() {
public ProtectionDomain run() {
return getClass().getProtectionDomain();
}
});
PermissionCollection myPerms = myDomain.getPermissions();
if (myPerms != null) {
for (Enumeration<Permission> elements = myPerms.elements(); elements.hasMoreElements(); ) {
perms.add(elements.nextElement());
}
}
} catch (Throwable e) {
// We lied about our CodeSource and that makes URLClassLoader unhappy.
perms = new Permissions();
}
perms.setReadOnly();
return perms;
}
public URL getResource(final String name) {
URL url = null;
if (this.isParentFirst(name)) {
url = ((this.parent == null) ? super.getResource(name) : this.parent.getResource(name));
}
if (url != null) {
this.log("Resource " + name + " loaded from parent loader", 4);
} else {
final Enumeration<File> e = this.pathComponents.elements();
while (e.hasMoreElements() && url == null) {
final File pathComponent = e.nextElement();
url = this.getResourceURL(pathComponent, name);
if (url != null) {
this.log("Resource " + name + " loaded from ant loader", 4);
}
}
}
if (url == null && !this.isParentFirst(name)) {
if (this.ignoreBase) {
url = ((this.getRootLoader() == null) ? null : this.getRootLoader().getResource(name));
} else {
url = ((this.parent == null) ? super.getResource(name) : this.parent.getResource(name));
}
if (url != null) {
this.log("Resource " + name + " loaded from parent loader", 4);
}
}
if (url == null) {
this.log("Couldn't load Resource " + name, 4);
}
return url;
}
private Class<?> findClassInComponents(final String name) throws ClassNotFoundException {
final String classFilename = this.getClassFilename(name);
final Enumeration<File> e = this.pathComponents.elements();
while (e.hasMoreElements()) {
final File pathComponent = e.nextElement();
InputStream stream = null;
try {
stream = this.getResourceStream(pathComponent, classFilename);
if (stream != null) {
this.log("Loaded from " + pathComponent + " " + classFilename, 4);
return this.getClassFromStream(stream, name, pathComponent);
}
continue;
} catch (SecurityException se) {
throw se;
} catch (IOException ioe) {
this.log(
"Exception reading component " + pathComponent + " (reason: " + ioe.getMessage() + ")",
3);
} finally {
FileUtils.close(stream);
}
}
throw new ClassNotFoundException(name);
}
public void addJavaLibraries() {
final Vector<String> packages = JavaEnvUtils.getJrePackages();
final Enumeration<String> e = packages.elements();
while (e.hasMoreElements()) {
final String packageName = e.nextElement();
this.addSystemPackageRoot(packageName);
}
}
private InputStream loadResource(final String name) {
InputStream stream = null;
File pathComponent;
for (Enumeration<File> e = this.pathComponents.elements();
e.hasMoreElements() && stream == null;
stream = this.getResourceStream(pathComponent, name)) {
pathComponent = e.nextElement();
}
return stream;
}
/**
* Check and see if this set of permissions implies the permissions expressed in "permission".
*
* @param p the Permission object to compare
* @return true if "permission" is a proper subset of a permission in the set, false if not.
*/
public boolean implies(Permission permission) {
if (!(permission instanceof ExecPermission)) return false;
Enumeration e = permissions.elements();
while (e.hasMoreElements()) {
ExecPermission x = (ExecPermission) e.nextElement();
if (x.implies(permission)) {
return true;
}
}
return false;
}
protected void initResourceBundle(UIDefaults table) {
// The following line of code does not work, when Quaqua has been loaded with
// a custom class loader. That's why, we have to inject the labels
// by ourselves:
// table.addResourceBundle( "ch.randelshofer.quaqua.Labels" );
ResourceBundle bundle =
ResourceBundle.getBundle(
"ch.randelshofer.quaqua.Labels", Locale.getDefault(), getClass().getClassLoader());
for (Enumeration i = bundle.getKeys(); i.hasMoreElements(); ) {
String key = (String) i.nextElement();
table.put(key, bundle.getObject(key));
}
}
public String getClasspath() {
final StringBuilder sb = new StringBuilder();
boolean firstPass = true;
final Enumeration<File> componentEnum = this.pathComponents.elements();
while (componentEnum.hasMoreElements()) {
if (!firstPass) {
sb.append(System.getProperty("path.separator"));
} else {
firstPass = false;
}
sb.append(componentEnum.nextElement().getAbsolutePath());
}
return sb.toString();
}
/**
* Returns the n-th token name or alias
*
* @param nIdx index of token
* @return alias
*/
private String getTokenName(int nIdx) {
try {
if (m_keyStore != null) {
Enumeration eAliases = m_keyStore.aliases();
for (int i = 0; eAliases.hasMoreElements(); i++) {
String alias = (String) eAliases.nextElement();
if (i == nIdx) return alias;
}
}
} catch (Exception ex) {
m_logger.error("Error reading store aliases: " + ex);
}
return null;
}
/**
* Reset the logging configuration.
*
* <p>For all named loggers, the reset operation removes and closes all Handlers and (except for
* the root logger) sets the level to null. The root logger's level is set to Level.INFO.
*
* @exception SecurityException if a security manager exists and if the caller does not have
* LoggingPermission("control").
*/
public void reset() throws SecurityException {
checkPermission();
synchronized (this) {
props = new Properties();
// Since we are doing a reset we no longer want to initialize
// the global handlers, if they haven't been initialized yet.
initializedGlobalHandlers = true;
}
Enumeration enum_ = getLoggerNames();
while (enum_.hasMoreElements()) {
String name = (String) enum_.nextElement();
resetLogger(name);
}
}
public static String[] getZipList(String zipFile) throws ZipException, IOException {
File file = new File(zipFile);
ZipFile zip = new ZipFile(file);
Enumeration<? extends ZipEntry> zipFileEntries = zip.entries();
ArrayList<String> files = new ArrayList<String>();
// Process each entry
while (zipFileEntries.hasMoreElements()) {
// grab a zip file entry
ZipEntry entry = (ZipEntry) zipFileEntries.nextElement();
String currentEntry = entry.getName();
files.add(currentEntry);
}
return files.toArray(new String[files.size()]);
}
public synchronized void cleanup() {
final Enumeration<JarFile> e = this.jarFiles.elements();
while (e.hasMoreElements()) {
final JarFile jarFile = e.nextElement();
try {
jarFile.close();
} catch (IOException ex) {
}
}
this.jarFiles = new Hashtable<File, JarFile>();
if (this.project != null) {
this.project.removeBuildListener(this);
}
this.project = null;
}
/**
* Method returns an array of strings representing the list of available token names.
*
* @return an array of available token names.
* @throws DigiDocException if reading the token information fails.
*/
public String[] getAvailableTokenNames() throws DigiDocException {
Vector vec = new Vector();
try {
if (m_keyStore != null) {
Enumeration eAliases = m_keyStore.aliases();
while (eAliases.hasMoreElements()) {
String alias = (String) eAliases.nextElement();
vec.add(alias);
}
}
} catch (Exception ex) {
m_logger.error("Error reading store aliases: " + ex);
}
String[] arr = new String[vec.size()];
for (int i = 0; (vec != null) && (i < vec.size()); i++) arr[i] = (String) vec.elementAt(i);
return arr;
}
private boolean isParentFirst(final String resourceName) {
boolean useParentFirst = this.parentFirst;
Enumeration<String> e = this.systemPackages.elements();
while (e.hasMoreElements()) {
final String packageName = e.nextElement();
if (resourceName.startsWith(packageName)) {
useParentFirst = true;
break;
}
}
e = this.loaderPackages.elements();
while (e.hasMoreElements()) {
final String packageName = e.nextElement();
if (resourceName.startsWith(packageName)) {
useParentFirst = false;
break;
}
}
return useParentFirst;
}
public static void extract(String zipFile, String newPath, boolean overwrite)
throws ZipException, IOException {
File file = new File(zipFile);
ZipFile zip = new ZipFile(file);
new File(newPath).mkdir();
Enumeration<? extends ZipEntry> zipFileEntries = zip.entries();
// Process each entry
while (zipFileEntries.hasMoreElements()) {
// grab a zip file entry
ZipEntry entry = (ZipEntry) zipFileEntries.nextElement();
String currentEntry = entry.getName();
File destFile = new File(newPath, currentEntry);
// destFile = new File(newPath, destFile.getName());
File destinationParent = destFile.getParentFile();
// create the parent directory structure if needed
destinationParent.mkdirs();
if (!entry.isDirectory()) {
if (!overwrite && destFile.exists()) continue;
BufferedInputStream is = new BufferedInputStream(zip.getInputStream(entry));
int currentByte;
// establish buffer for writing file
byte data[] = new byte[BUFFER];
// write the current file to disk
FileOutputStream fos = new FileOutputStream(destFile);
BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
// read and write until last byte is encountered
while ((currentByte = is.read(data, 0, BUFFER)) != -1) {
dest.write(data, 0, currentByte);
}
close(dest);
close(is);
}
}
}
public String verify(JarFile jar, String... algorithms) throws IOException {
if (algorithms == null || algorithms.length == 0) algorithms = new String[] {"MD5", "SHA"};
else if (algorithms.length == 1 && algorithms[0].equals("-")) return null;
try {
Manifest m = jar.getManifest();
if (m.getEntries().isEmpty()) return "No name sections";
for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) {
JarEntry je = e.nextElement();
if (MANIFEST_ENTRY.matcher(je.getName()).matches()) continue;
Attributes nameSection = m.getAttributes(je.getName());
if (nameSection == null) return "No name section for " + je.getName();
for (String algorithm : algorithms) {
try {
MessageDigest md = MessageDigest.getInstance(algorithm);
String expected = nameSection.getValue(algorithm + "-Digest");
if (expected != null) {
byte digest[] = Base64.decodeBase64(expected);
copy(jar.getInputStream(je), md);
if (!Arrays.equals(digest, md.digest()))
return "Invalid digest for "
+ je.getName()
+ ", "
+ expected
+ " != "
+ Base64.encodeBase64(md.digest());
} else reporter.error("could not find digest for " + algorithm + "-Digest");
} catch (NoSuchAlgorithmException nsae) {
return "Missing digest algorithm " + algorithm;
}
}
}
} catch (Exception e) {
return "Failed to verify due to exception: " + e.getMessage();
}
return null;
}
// Private method to be called when the configuration has
// changed to apply any level settings to any pre-existing loggers.
private synchronized void setLevelsOnExistingLoggers() {
Enumeration enum_ = props.propertyNames();
while (enum_.hasMoreElements()) {
String key = (String) enum_.nextElement();
if (!key.endsWith(".level")) {
// Not a level definition.
continue;
}
int ix = key.length() - 6;
String name = key.substring(0, ix);
Level level = getLevelProperty(key, null);
if (level == null) {
System.err.println("Bad level value for property: " + key);
continue;
}
Logger l = getLogger(name);
if (l == null) {
continue;
}
l.setLevel(level);
}
}
@Override
public Enumeration<URL> getResources(String name) throws IOException {
try {
equinoxContainer.checkAdminPermission(this, AdminPermission.RESOURCE);
} catch (SecurityException e) {
return null;
}
checkValid();
if (isFragment()) {
return null;
}
ModuleClassLoader classLoader = getModuleClassLoader(false);
Enumeration<URL> result = null;
if (classLoader != null) {
result = classLoader.getResources(name);
} else {
result =
new ClasspathManager((Generation) module.getCurrentRevision().getRevisionInfo(), null)
.findLocalResources(name);
}
return result != null && result.hasMoreElements() ? result : null;
}
/**
* Returns the (alias) name of the first keystore entry whose certificate matches the given
* certificate.
*
* <p>This method attempts to match the given certificate with each keystore entry. If the entry
* being considered is a <i>trusted certificate entry</i>, the given certificate is compared to
* that entry's certificate. If the entry being considered is a <i>key entry</i>, the given
* certificate is compared to the first element of that entry's certificate chain (if a chain
* exists).
*
* @param cert the certificate to match with.
* @return the (alias) name of the first entry with matching certificate, or null if no such entry
* exists in this keystore.
*/
public String engineGetCertificateAlias(Certificate cert) {
permissionCheck();
Certificate certElem;
for (Enumeration<String> e = entries.keys(); e.hasMoreElements(); ) {
String alias = e.nextElement();
Object entry = entries.get(alias);
if (entry instanceof TrustedCertEntry) {
certElem = ((TrustedCertEntry) entry).cert;
} else {
KeyEntry ke = (KeyEntry) entry;
if (ke.chain == null || ke.chain.length == 0) {
continue;
}
certElem = ke.chain[0];
}
if (certElem.equals(cert)) {
return alias;
}
}
return null;
}
public void main(Provider p) throws Exception {
/*
* Use Solaris SPARC 11.2 or later to avoid an intermittent failure
* when running SunPKCS11-Solaris (8044554)
*/
if (p.getName().equals("SunPKCS11-Solaris")
&& System.getProperty("os.name").equals("SunOS")
&& System.getProperty("os.arch").equals("sparcv9")
&& System.getProperty("os.version").compareTo("5.11") <= 0
&& getDistro().compareTo("11.2") < 0) {
System.out.println(
"SunPKCS11-Solaris provider requires " + "Solaris SPARC 11.2 or later, skipping");
return;
}
long start = System.currentTimeMillis();
provider = p;
data = new byte[2048];
new Random().nextBytes(data);
KeyStore ks = getKeyStore();
KeyFactory kf = KeyFactory.getInstance("RSA", provider);
for (Enumeration e = ks.aliases(); e.hasMoreElements(); ) {
String alias = (String) e.nextElement();
if (ks.isKeyEntry(alias)) {
System.out.println("* Key " + alias + "...");
PrivateKey privateKey = (PrivateKey) ks.getKey(alias, password);
PublicKey publicKey = ks.getCertificate(alias).getPublicKey();
privateKey = (PrivateKey) kf.translateKey(privateKey);
publicKey = (PublicKey) kf.translateKey(publicKey);
test(privateKey, publicKey);
}
}
long stop = System.currentTimeMillis();
System.out.println("All tests passed (" + (stop - start) + " ms).");
}
/**
* Stores this keystore to the given output stream, and protects its integrity with the given
* password.
*
* @param stream Ignored. the output stream to which this keystore is written.
* @param password the password to generate the keystore integrity check
* @exception IOException if there was an I/O problem with data
* @exception NoSuchAlgorithmException if the appropriate data integrity algorithm could not be
* found
* @exception CertificateException if any of the certificates included in the keystore data could
* not be stored
*/
public void engineStore(OutputStream stream, char[] password)
throws IOException, NoSuchAlgorithmException, CertificateException {
permissionCheck();
// Delete items that do have a keychain item ref.
for (Enumeration<String> e = deletedEntries.keys(); e.hasMoreElements(); ) {
String alias = e.nextElement();
Object entry = deletedEntries.get(alias);
if (entry instanceof TrustedCertEntry) {
if (((TrustedCertEntry) entry).certRef != 0) {
_removeItemFromKeychain(((TrustedCertEntry) entry).certRef);
_releaseKeychainItemRef(((TrustedCertEntry) entry).certRef);
}
} else {
Certificate certElem;
KeyEntry keyEntry = (KeyEntry) entry;
if (keyEntry.chain != null) {
for (int i = 0; i < keyEntry.chain.length; i++) {
if (keyEntry.chainRefs[i] != 0) {
_removeItemFromKeychain(keyEntry.chainRefs[i]);
_releaseKeychainItemRef(keyEntry.chainRefs[i]);
}
}
if (keyEntry.keyRef != 0) {
_removeItemFromKeychain(keyEntry.keyRef);
_releaseKeychainItemRef(keyEntry.keyRef);
}
}
}
}
// Add all of the certs or keys in the added entries.
// No need to check for 0 refs, as they are in the added list.
for (Enumeration<String> e = addedEntries.keys(); e.hasMoreElements(); ) {
String alias = e.nextElement();
Object entry = addedEntries.get(alias);
if (entry instanceof TrustedCertEntry) {
TrustedCertEntry tce = (TrustedCertEntry) entry;
Certificate certElem;
certElem = tce.cert;
tce.certRef = addCertificateToKeychain(alias, certElem);
} else {
KeyEntry keyEntry = (KeyEntry) entry;
if (keyEntry.chain != null) {
for (int i = 0; i < keyEntry.chain.length; i++) {
keyEntry.chainRefs[i] = addCertificateToKeychain(alias, keyEntry.chain[i]);
}
keyEntry.keyRef =
_addItemToKeychain(alias, false, keyEntry.protectedPrivKey, keyEntry.password);
}
}
}
// Clear the added and deletedEntries hashtables here, now that we're done with the updates.
// For the deleted entries, we freed up the native references above.
deletedEntries.clear();
addedEntries.clear();
}
