security/jca/Providers.java

0N/A/*
3909N/A * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
0N/A *
0N/A * This code is free software; you can redistribute it and/or modify it
0N/A * under the terms of the GNU General Public License version 2 only, as
2362N/A * published by the Free Software Foundation.  Oracle designates this
0N/A * particular file as subject to the "Classpath" exception as provided
2362N/A * by Oracle in the LICENSE file that accompanied this code.
0N/A *
0N/A * This code is distributed in the hope that it will be useful, but WITHOUT
0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
0N/A * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
0N/A * version 2 for more details (a copy is included in the LICENSE file that
0N/A * accompanied this code).
0N/A *
0N/A * You should have received a copy of the GNU General Public License version
0N/A * 2 along with this work; if not, write to the Free Software Foundation,
0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
0N/A *
2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
2362N/A * or visit www.oracle.com if you need additional information or have any
2362N/A * questions.
0N/A */
0N/A
0N/Apackage sun.security.jca;
0N/A
0N/Aimport java.util.*;
0N/A
0N/Aimport java.security.Provider;
0N/Aimport java.security.Security;
0N/A
0N/A/**
0N/A * Collection of methods to get and set provider list. Also includes
0N/A * special code for the provider list during JAR verification.
0N/A *
0N/A * @author  Andreas Sterbenz
0N/A * @since   1.5
0N/A */
0N/Apublic class Providers {
0N/A
0N/A    private static final ThreadLocal<ProviderList> threadLists =
3384N/A        new InheritableThreadLocal<>();
0N/A
0N/A    // number of threads currently using thread-local provider lists
0N/A    // tracked to allow an optimization if == 0
0N/A    private static volatile int threadListsUsed;
0N/A
0N/A    // current system-wide provider list
0N/A    // Note volatile immutable object, so no synchronization needed.
0N/A    private static volatile ProviderList providerList;
0N/A
0N/A    static {
0N/A        // set providerList to empty list first in case initialization somehow
0N/A        // triggers a getInstance() call (although that should not happen)
0N/A        providerList = ProviderList.EMPTY;
0N/A        providerList = ProviderList.fromSecurityProperties();
0N/A    }
0N/A
0N/A    private Providers() {
0N/A        // empty
0N/A    }
0N/A
0N/A    // we need special handling to resolve circularities when loading
0N/A    // signed JAR files during startup. The code below is part of that.
0N/A
0N/A    // Basically, before we load data from a signed JAR file, we parse
0N/A    // the PKCS#7 file and verify the signature. We need a
0N/A    // CertificateFactory, Signatures, etc. to do that. We have to make
0N/A    // sure that we do not try to load the implementation from the JAR
0N/A    // file we are just verifying.
0N/A    //
0N/A    // To avoid that, we use different provider settings during JAR
0N/A    // verification.  However, we do not want those provider settings to
0N/A    // interfere with other parts of the system. Therefore, we make them local
0N/A    // to the Thread executing the JAR verification code.
0N/A    //
0N/A    // The code here is used by sun.security.util.SignatureFileVerifier.
0N/A    // See there for details.
0N/A
0N/A    private static final String BACKUP_PROVIDER_CLASSNAME =
0N/A        "sun.security.provider.VerificationProvider";
0N/A
0N/A    // Hardcoded classnames of providers to use for JAR verification.
0N/A    // MUST NOT be on the bootclasspath and not in signed JAR files.
0N/A    private static final String[] jarVerificationProviders = {
0N/A        "sun.security.provider.Sun",
0N/A        "sun.security.rsa.SunRsaSign",
1786N/A        // Note: SunEC *is* in a signed JAR file, but it's not signed
1786N/A        // by EC itself. So it's still safe to be listed here.
1786N/A        "sun.security.ec.SunEC",
0N/A        BACKUP_PROVIDER_CLASSNAME,
0N/A    };
0N/A
0N/A    // Return to Sun provider or its backup.
0N/A    // This method should only be called by
0N/A    // sun.security.util.ManifestEntryVerifier and java.security.SecureRandom.
0N/A    public static Provider getSunProvider() {
0N/A        try {
0N/A            Class clazz = Class.forName(jarVerificationProviders[0]);
0N/A            return (Provider)clazz.newInstance();
0N/A        } catch (Exception e) {
0N/A            try {
0N/A                Class clazz = Class.forName(BACKUP_PROVIDER_CLASSNAME);
0N/A                return (Provider)clazz.newInstance();
0N/A            } catch (Exception ee) {
0N/A                throw new RuntimeException("Sun provider not found", e);
0N/A            }
0N/A        }
0N/A    }
0N/A
0N/A    /**
0N/A     * Start JAR verification. This sets a special provider list for
0N/A     * the current thread. You MUST save the return value from this
0N/A     * method and you MUST call stopJarVerification() with that object
0N/A     * once you are done.
0N/A     */
0N/A    public static Object startJarVerification() {
0N/A        ProviderList currentList = getProviderList();
0N/A        ProviderList jarList = currentList.getJarList(jarVerificationProviders);
0N/A        // return the old thread-local provider list, usually null
0N/A        return beginThreadProviderList(jarList);
0N/A    }
0N/A
0N/A    /**
0N/A     * Stop JAR verification. Call once you have completed JAR verification.
0N/A     */
0N/A    public static void stopJarVerification(Object obj) {
0N/A        // restore old thread-local provider list
0N/A        endThreadProviderList((ProviderList)obj);
0N/A    }
0N/A
0N/A    /**
0N/A     * Return the current ProviderList. If the thread-local list is set,
0N/A     * it is returned. Otherwise, the system wide list is returned.
0N/A     */
0N/A    public static ProviderList getProviderList() {
0N/A        ProviderList list = getThreadProviderList();
0N/A        if (list == null) {
0N/A            list = getSystemProviderList();
0N/A        }
0N/A        return list;
0N/A    }
0N/A
0N/A    /**
0N/A     * Set the current ProviderList. Affects the thread-local list if set,
0N/A     * otherwise the system wide list.
0N/A     */
0N/A    public static void setProviderList(ProviderList newList) {
0N/A        if (getThreadProviderList() == null) {
0N/A            setSystemProviderList(newList);
0N/A        } else {
0N/A            changeThreadProviderList(newList);
0N/A        }
0N/A    }
0N/A
0N/A    /**
0N/A     * Get the full provider list with invalid providers (those that
0N/A     * could not be loaded) removed. This is the list we need to
0N/A     * present to applications.
0N/A     */
2929N/A    public static ProviderList getFullProviderList() {
2929N/A        ProviderList list;
2929N/A        synchronized (Providers.class) {
2929N/A            list = getThreadProviderList();
2929N/A            if (list != null) {
2929N/A                ProviderList newList = list.removeInvalid();
2929N/A                if (newList != list) {
2929N/A                    changeThreadProviderList(newList);
2929N/A                    list = newList;
2929N/A                }
2929N/A                return list;
0N/A            }
0N/A        }
0N/A        list = getSystemProviderList();
0N/A        ProviderList newList = list.removeInvalid();
0N/A        if (newList != list) {
0N/A            setSystemProviderList(newList);
0N/A            list = newList;
0N/A        }
0N/A        return list;
0N/A    }
0N/A
0N/A    private static ProviderList getSystemProviderList() {
0N/A        return providerList;
0N/A    }
0N/A
0N/A    private static void setSystemProviderList(ProviderList list) {
0N/A        providerList = list;
0N/A    }
0N/A
0N/A    public static ProviderList getThreadProviderList() {
0N/A        // avoid accessing the threadlocal if none are currently in use
0N/A        // (first use of ThreadLocal.get() for a Thread allocates a Map)
0N/A        if (threadListsUsed == 0) {
0N/A            return null;
0N/A        }
0N/A        return threadLists.get();
0N/A    }
0N/A
0N/A    // Change the thread local provider list. Use only if the current thread
0N/A    // is already using a thread local list and you want to change it in place.
0N/A    // In other cases, use the begin/endThreadProviderList() methods.
0N/A    private static void changeThreadProviderList(ProviderList list) {
0N/A        threadLists.set(list);
0N/A    }
0N/A
0N/A    /**
0N/A     * Methods to manipulate the thread local provider list. It is for use by
0N/A     * JAR verification (see above) and the SunJSSE FIPS mode only.
0N/A     *
0N/A     * It should be used as follows:
0N/A     *
0N/A     *   ProviderList list = ...;
0N/A     *   ProviderList oldList = Providers.beginThreadProviderList(list);
0N/A     *   try {
0N/A     *     // code that needs thread local provider list
0N/A     *   } finally {
0N/A     *     Providers.endThreadProviderList(oldList);
0N/A     *   }
0N/A     *
0N/A     */
0N/A
0N/A    public static synchronized ProviderList beginThreadProviderList(ProviderList list) {
0N/A        if (ProviderList.debug != null) {
0N/A            ProviderList.debug.println("ThreadLocal providers: " + list);
0N/A        }
0N/A        ProviderList oldList = threadLists.get();
0N/A        threadListsUsed++;
0N/A        threadLists.set(list);
0N/A        return oldList;
0N/A    }
0N/A
0N/A    public static synchronized void endThreadProviderList(ProviderList list) {
0N/A        if (list == null) {
0N/A            if (ProviderList.debug != null) {
0N/A                ProviderList.debug.println("Disabling ThreadLocal providers");
0N/A            }
0N/A            threadLists.remove();
0N/A        } else {
0N/A            if (ProviderList.debug != null) {
0N/A                ProviderList.debug.println
0N/A                    ("Restoring previous ThreadLocal providers: " + list);
0N/A            }
0N/A            threadLists.set(list);
0N/A        }
0N/A        threadListsUsed--;
0N/A    }
0N/A
0N/A}