1. /*

  2.  * @(#)CodeSource.java	1.32 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7.  

  8. package java.security;

  9. 

  10. 

  11. import java.net.URL;

  12. import java.net.SocketPermission;

  13. import java.util.Hashtable;

  14. import java.io.ByteArrayInputStream;

  15. import java.io.IOException;

  16. import java.security.cert.*;

  17. 

  18. /**

  19.  *

  20.  * <p>This class extends the concept of a codebase to

  21.  * encapsulate not only the location (URL) but also the certificate(s)

  22.  * that were used to verify signed code originating from that

  23.  * location.

  24.  *

  25.  * @version 	1.32, 01/23/03

  26.  * @author Li Gong

  27.  * @author Roland Schemers

  28.  */

  29. 

  30. public class CodeSource implements java.io.Serializable {

  31. 

  32.     /**

  33.      * The code location.

  34.      *

  35.      * @serial

  36.      */

  37.     private URL location;

  38. 

  39.     // certificates

  40.     private transient java.security.cert.Certificate certs[];

  41. 

  42.     // cached SocketPermission used for matchLocation

  43.     private transient SocketPermission sp;

  44. 

  45.     /**

  46.      * Constructs a CodeSource and associates it with the specified 

  47.      * location and set of certificates.

  48.      * 

  49.      * @param url the location (URL).

  50.      * 

  51.      * @param certs the certificate(s).

  52.      */

  53.     public CodeSource(URL url, java.security.cert.Certificate certs[]) {

  54. 	this.location = url;

  55. 	if (certs != null) 

  56. 	    this.certs = (java.security.cert.Certificate[]) certs.clone();

  57.     }

  58. 

  59.     /**

  60.      * Returns the hash code value for this object.

  61.      *

  62.      * @return a hash code value for this object.

  63.      */

  64. 

  65.     public int hashCode() {

  66. 	if (location != null)

  67. 	    return location.hashCode();

  68. 	else 

  69. 	    return 0;

  70.     }

  71. 

  72.     /**

  73.      * Tests for equality between the specified object and this

  74.      * object. Two CodeSource objects are considered equal if their 

  75.      * locations are of identical value and if the two sets of 

  76.      * certificates are of identical values. It is not required that

  77.      * the certificates be in the same order.

  78.      * 

  79.      * @param obj the object to test for equality with this object.

  80.      * 

  81.      * @return true if the objects are considered equal, false otherwise.

  82.      */

  83.     public boolean equals(Object obj) {

  84. 	if (obj == this) 

  85. 	    return true;

  86. 

  87. 	// objects types must be equal

  88. 	if (!(obj instanceof CodeSource))

  89. 	    return false;

  90. 

  91. 	CodeSource cs = (CodeSource) obj;

  92. 

  93. 	// URLs must match

  94. 	if (location == null) {

  95. 	    // if location is null, then cs.location must be null as well

  96. 	    if (cs.location != null) return false;

  97. 	} else {

  98. 	    // if location is not null, then it must equal cs.location

  99. 	    if (!location.equals(cs.location)) return false;

  100. 	}

  101. 

  102. 	// certs must match

  103. 	if (certs == null) {

  104. 	    // if certs is null, then cs.certs must be null as well

  105. 	    if (cs.certs != null) return false;

  106. 	} else {

  107. 	    // if certs is not null, then it must equal cs.certs

  108. 	    // equality means that both arrays of certs are the same set

  109. 	    // step 1 -- every cert in certs[] must match one in cs.certs[]

  110. 	    if (cs.certs == null) 

  111. 		return false;

  112. 

  113. 	    boolean match;

  114. 	    for (int i = 0; i < certs.length; i++) {

  115. 		match = false;

  116. 		for (int j = 0; j < cs.certs.length; j++) {

  117. 		    if (certs[i].equals(cs.certs[j])) {

  118. 			match = true;

  119. 			break;

  120. 		    }

  121. 		}

  122. 		if (!match) return false;

  123. 	    }

  124. 	    // step 2 -- every key in cs.certs[] must match one in certs[]

  125. 	    for (int i = 0; i < cs.certs.length; i++) {

  126. 		match = false;

  127. 		for (int j = 0; j < certs.length; j++) {

  128. 		    if (cs.certs[i].equals(certs[j])) {

  129. 			match = true;

  130. 			break;

  131. 		    }

  132. 		}

  133. 		if (!match) return false;

  134. 	    }

  135. 	}

  136.        

  137. 	// they must be equal if we got here...

  138. 	return true;

  139.     }

  140. 

  141.     /**

  142.      * Returns the location associated with this CodeSource.

  143.      * 

  144.      * @return the location (URL).

  145.      */

  146.     public final URL getLocation() {

  147. 	/* since URL is practically immutable, returning itself is not

  148.            a security problem */

  149. 	return this.location;

  150.     }

  151. 

  152.     /**

  153.      * Returns the certificates associated with this CodeSource.

  154.      * 

  155.      * @return the certificates

  156.      */

  157.     public final java.security.cert.Certificate[] getCertificates() {

  158. 	/* return a clone copy, to avoid malicious modification to the

  159. 	   original object */

  160. 	if (this.certs != null) {

  161. 	    return (java.security.cert.Certificate[])this.certs.clone();

  162. 	} else {

  163. 	    return null;

  164. 	}

  165.     }

  166. 

  167.     /**

  168.      * Returns true if this CodeSource object "implies" the specified CodeSource.

  169.      * <P>

  170.      * More specifically, this method makes the following checks, in order. 

  171.      * If any fail, it returns false. If they all succeed, it returns true.<p>

  172.      * <ol>

  173.      * <li> <i>codesource</i> must not be null.

  174.      * <li> If this object's certificates are not null, then all

  175.      * of this object's certificates must be present in <i>codesource</i>'s 

  176.      * certificates.

  177.      * <li> If this object's location (getLocation()) is not null, then the 

  178.      * following checks are made against this object's location and 

  179.      * <i>codesource</i>'s:<p>

  180.      *   <ol>

  181.      *     <li>  <i>codesource</i>'s location must not be null.

  182.      *

  183.      *     <li>  If this object's location 

  184.      *           equals <i>codesource</i>'s location, then return true.

  185.      *

  186.      *     <li>  This object's protocol (getLocation().getProtocol()) must be

  187.      *           equal to <i>codesource</i>'s protocol.

  188.      *

  189.      *     <li>  If this object's host (getLocation().getHost()) is not null,  

  190.      *           then the SocketPermission

  191.      *           constructed with this object's host must imply the

  192.      *           SocketPermission constructed with <i>codesource</i>'s host.

  193.      *

  194.      *     <li>  If this object's port (getLocation().getPort()) is not 

  195.      *           equal to -1 (that is, if a port is specified), it must equal 

  196.      *           <i>codesource</i>'s port.

  197.      *

  198.      *     <li>  If this object's file (getLocation().getFile()) doesn't equal

  199.      *           <i>codesource</i>'s file, then the following checks are made:

  200.      *           If this object's file ends with "/-",

  201.      *           then <i>codesource</i>'s file must start with this object's

  202.      *           file (exclusive the trailing "-").

  203.      *           If this object's file ends with a "/*",

  204.      *           then <i>codesource</i>'s file must start with this object's

  205.      *           file and must not have any further "/" separators.

  206.      *           If this object's file doesn't end with a "/", 

  207.      *           then <i>codesource</i>'s file must match this object's 

  208.      *           file with a '/' appended.

  209.      *

  210.      *     <li>  If this object's reference (getLocation().getRef()) is 

  211.      *           not null, it must equal <i>codesource</i>'s reference.

  212.      *

  213.      *   </ol>

  214.      * </ol>

  215.      * <p>

  216.      * For example, the codesource objects with the following locations

  217.      * and null certificates all imply

  218.      * the codesource with the location "http://java.sun.com/classes/foo.jar"

  219.      * and null certificates:

  220.      * <pre>

  221.      *     http:

  222.      *     http://*.sun.com/classes/*

  223.      *     http://java.sun.com/classes/-

  224.      *     http://java.sun.com/classes/foo.jar

  225.      * </pre>

  226.      * 

  227.      * Note that if this CodeSource has a null location and a null

  228.      * certificate chain, then it implies every other CodeSource.

  229.      *

  230.      * @param codesource CodeSource to compare against.

  231.      *

  232.      * @return true if the specified codesource is implied by this codesource,

  233.      * false if not.  

  234.      */

  235.  

  236.     public boolean implies(CodeSource codesource)

  237.     {

  238. 	if (codesource == null)

  239. 	    return false;

  240. 

  241. 	return matchCerts(codesource) && matchLocation(codesource);

  242.     }

  243. 

  244.    

  245.     /**

  246.      * Returns true if all the certs in this

  247.      * CodeSource are also in <i>that</i>.

  248.      * 

  249.      * @param that the CodeSource to check against.

  250.      */

  251.     private boolean matchCerts(CodeSource that)

  252.     {

  253. 	// match any key

  254. 	if (this.certs == null) 

  255. 	    return true;

  256. 

  257. 	// if certs are null, and this.certs is not null, return false

  258. 	if (that.certs == null)

  259. 	    return false;

  260. 

  261. 	boolean match;

  262. 	for (int i=0; i < this.certs.length; i++) {

  263. 	    match = false;

  264. 	    for (int j=0; j < that.certs.length; j++) {

  265. 		if (this.certs[i].equals(that.certs[j])) {

  266. 		    match = true;

  267. 		    break;

  268. 		}

  269. 	    }

  270. 	    if (!match) return false;

  271. 	}

  272. 	return true;

  273.     }

  274. 

  275.     /**

  276.      * Returns true if two CodeSource's have the "same" location.

  277.      * 

  278.      * @param that CodeSource to compare against

  279.      */

  280.     private boolean matchLocation(CodeSource that)

  281. 	{

  282. 	    if (location == null) {

  283. 		return true;

  284. 	    }

  285. 

  286. 	    if ((that == null) || (that.location == null))

  287. 		return false;

  288. 

  289. 	    if (location.equals(that.location))

  290. 		return true;

  291. 

  292. 	    if (!location.getProtocol().equals(that.location.getProtocol()))

  293. 		return false;

  294. 

  295. 	    if ((location.getHost() != null)) {

  296. 		if ((location.getHost().equals("") || 

  297. 		    location.getHost().equals("localhost")) &&

  298. 		    (that.location.getHost().equals("") || 

  299. 		     that.location.getHost().equals("localhost"))) {

  300. 		    // ok

  301. 		} else if (!location.getHost().equals(

  302. 					     that.location.getHost())) {

  303. 		    if (this.sp == null) {

  304. 			this.sp = 

  305. 			    new SocketPermission(location.getHost(),"resolve");

  306. 		    }

  307. 		    if (that.sp == null) {

  308. 			if (that.location.getHost() == null ||

  309. 				that.location.getHost().equals(""))

  310. 			    return false;

  311. 			that.sp = 

  312. 		       new SocketPermission(that.location.getHost(),"resolve");

  313. 		    }

  314. 

  315. 		    boolean ok = this.sp.implies(that.sp);

  316. 		    if (!ok)

  317. 			return false;

  318. 		}

  319. 	    }

  320. 

  321. 	    if (location.getPort() != -1) {

  322. 		if (location.getPort() != that.location.getPort())

  323. 		    return false;

  324. 	    }

  325. 

  326. 	    if (location.getFile().endsWith("/-")) {

  327. 		// Matches the directory and (recursively) all files

  328. 		// and subdirectories contained in that directory.

  329. 		// For example, "/a/b/-" implies anything that starts with

  330. 		// "/a/b/"

  331. 		String thisPath = location.getFile().substring(0,

  332.                                                 location.getFile().length()-1);

  333. 		if (!that.location.getFile().startsWith(thisPath))

  334. 		    return false;

  335. 	    } else if (location.getFile().endsWith("/*")) {

  336. 		// Matches the directory and all the files contained in that

  337. 		// directory.

  338. 		// For example, "/a/b/*" implies anything that starts with

  339. 		// "/a/b/" but has no further slashes

  340. 		int last = that.location.getFile().lastIndexOf('/');

  341. 		if (last == -1) 

  342. 		    return false;

  343. 		String thisPath = location.getFile().substring(0,

  344.                                                 location.getFile().length()-1);

  345. 		String thatPath = that.location.getFile().substring(0, last+1);

  346. 		if (!thatPath.equals(thisPath))

  347. 		    return false;

  348. 	    } else {

  349. 		// Exact matches only.

  350. 		// For example, "/a/b" and "/a/b/" both imply "/a/b/" 

  351. 		if ((!that.location.getFile().equals(location.getFile()))

  352. 		&& (!that.location.getFile().equals(location.getFile()+"/"))) {

  353. 		    return false;

  354. 		}

  355. 	    }

  356. 

  357. 	    if (location.getRef() == null)

  358. 		return true;

  359. 	    else 

  360. 		return location.getRef().equals(that.location.getRef());

  361. 	}

  362. 

  363.     /**

  364.      * Returns a string describing this CodeSource, telling its

  365.      * URL and certificates.

  366.      * 

  367.      * @return information about this CodeSource.

  368.      */

  369.     public String toString() {

  370. 	StringBuffer sb = new StringBuffer();

  371. 	sb.append("(");

  372. 	sb.append(this.location);

  373. 	if (this.certs != null && this.certs.length > 0) {

  374. 	    for (int i=0; i < this.certs.length; i++) {

  375. 		sb.append( " "+this.certs[i]);

  376. 	    }

  377. 	} else {

  378. 	    sb.append(" <no certificates>");

  379. 	}

  380. 	sb.append(")");

  381. 	return sb.toString();

  382.     }

  383. 

  384.     /**

  385.      * Writes this object out to a stream (i.e., serializes it).

  386.      *

  387.      * @serialData An initial <code>URL</code> is followed by an

  388.      * <code>int</code> indicating the number of certificates to follow 

  389.      * (a value of "zero" denotes that there are no certificates associated

  390.      * with this object).

  391.      * Each certificate is written out starting with a <code>String</code>

  392.      * denoting the certificate type, followed by an

  393.      * <code>int</code> specifying the length of the certificate encoding,

  394.      * followed by the certificate encoding itself which is written out as an

  395.      * array of bytes.

  396.      */

  397.     private synchronized void writeObject(java.io.ObjectOutputStream oos)

  398.         throws IOException

  399.     {

  400. 	oos.defaultWriteObject();

  401. 

  402. 	if (certs==null || certs.length==0) {

  403. 	    oos.writeInt(0);

  404. 	} else {

  405. 	    // write out the total number of certs

  406. 	    oos.writeInt(certs.length);

  407. 	    // write out each cert, including its type

  408. 	    for (int i=0; i < certs.length; i++) {

  409. 		java.security.cert.Certificate cert = certs[i];

  410. 		try {

  411. 		    oos.writeUTF(cert.getType());

  412. 		    byte[] encoded = cert.getEncoded();

  413. 		    oos.writeInt(encoded.length);

  414. 		    oos.write(encoded);

  415. 		} catch (CertificateEncodingException cee) {

  416. 		    throw new IOException(cee.getMessage());

  417. 		}

  418. 	    }

  419. 	}

  420.     }

  421. 

  422.     /**

  423.      * Restores this object from a stream (i.e., deserializes it).

  424.      */

  425.     private synchronized void readObject(java.io.ObjectInputStream ois)

  426. 	throws IOException, ClassNotFoundException

  427.     {

  428. 	CertificateFactory cf;

  429. 	Hashtable cfs=null;

  430. 

  431. 	ois.defaultReadObject();

  432. 

  433. 	// process any new-style certs in the stream (if present)

  434. 	int size = ois.readInt();

  435. 	if (size > 0) {

  436. 	    // we know of 3 different cert types: X.509, PGP, SDSI, which

  437. 	    // could all be present in the stream at the same time

  438. 	    cfs = new Hashtable(3);

  439. 	    this.certs = new java.security.cert.Certificate[size];

  440. 	}

  441. 

  442. 	for (int i=0; i<size; i++) {

  443. 	    // read the certificate type, and instantiate a certificate

  444. 	    // factory of that type (reuse existing factory if possible)

  445. 	    String certType = ois.readUTF();

  446. 	    if (cfs.containsKey(certType)) {

  447. 		// reuse certificate factory

  448. 		cf = (CertificateFactory)cfs.get(certType);

  449. 	    } else {

  450. 		// create new certificate factory

  451. 		try {

  452. 		    cf = CertificateFactory.getInstance(certType);

  453. 		} catch (CertificateException ce) {

  454. 		    throw new ClassNotFoundException

  455. 			("Certificate factory for "+certType+" not found");

  456. 		}

  457. 		// store the certificate factory so we can reuse it later

  458. 		cfs.put(certType, cf);

  459. 	    }

  460. 	    // parse the certificate

  461. 	    byte[] encoded=null;

  462. 	    try {

  463. 		encoded = new byte[ois.readInt()];

  464. 	    } catch (OutOfMemoryError oome) {

  465. 		throw new IOException("Certificate too big");

  466. 	    }

  467. 	    ois.readFully(encoded);

  468. 	    ByteArrayInputStream bais = new ByteArrayInputStream(encoded);

  469. 	    try {

  470. 		this.certs[i] = cf.generateCertificate(bais);

  471. 	    } catch (CertificateException ce) {

  472. 		throw new IOException(ce.getMessage());

  473. 	    }

  474. 	    bais.close();

  475. 	}

  476.     }

  477. }

  478.