| /* |
| * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| import java.io.ByteArrayInputStream; |
| import java.io.File; |
| import java.io.InputStream; |
| import java.io.IOException; |
| import java.io.OutputStream; |
| import java.net.URL; |
| import java.security.CodeSource; |
| import java.security.Key; |
| import java.security.KeyStoreException; |
| import java.security.KeyStoreSpi; |
| import java.security.NoSuchAlgorithmException; |
| import java.security.Permission; |
| import java.security.Policy; |
| import java.security.ProtectionDomain; |
| import java.security.Provider; |
| import java.security.SecureClassLoader; |
| import java.security.Security; |
| import java.security.UnrecoverableKeyException; |
| import java.security.URIParameter; |
| import java.security.cert.Certificate; |
| import java.security.cert.CertificateException; |
| import java.security.cert.CertificateFactory; |
| import java.util.ArrayList; |
| import java.util.Arrays; |
| import java.util.Base64; |
| import java.util.Collections; |
| import java.util.Date; |
| import java.util.Enumeration; |
| import java.util.List; |
| import java.util.PropertyPermission; |
| |
| /* |
| * @test |
| * @bug 6826789 8131486 8130181 |
| * @summary Make sure equivalent ProtectionDomains are granted the same |
| * permissions when the CodeSource URLs are different but resolve |
| * to the same ip address after name service resolution. |
| * @run main/othervm DefineClass |
| */ |
| |
| public class DefineClass { |
| |
| // permissions that are expected to be granted by the policy file |
| private final static Permission[] GRANTED_PERMS = new Permission[] { |
| new PropertyPermission("user.home", "read"), |
| new PropertyPermission("user.name", "read") |
| }; |
| |
| // Base64 encoded bytes of simple class: "package foo; public class Foo {}" |
| private final static String FOO_CLASS = |
| "yv66vgAAADMADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" + |
| "D0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhGb28uamF2YQwABAAF" + |
| "AQAHZm9vL0ZvbwEAEGphdmEvbGFuZy9PYmplY3QAIQACAAMAAAAAAAEAAQAE" + |
| "AAUAAQAGAAAAHQABAAEAAAAFKrcAAbEAAAABAAcAAAAGAAEAAAABAAEACAAA" + |
| "AAIACQ=="; |
| |
| // Base64 encoded bytes of simple class: "package bar; public class Bar {}" |
| private final static String BAR_CLASS = |
| "yv66vgAAADMADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" + |
| "D0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhCYXIuamF2YQwABAAF" + |
| "AQAHYmFyL0JhcgEAEGphdmEvbGFuZy9PYmplY3QAIQACAAMAAAAAAAEAAQAE" + |
| "AAUAAQAGAAAAHQABAAEAAAAFKrcAAbEAAAABAAcAAAAGAAEAAAABAAEACAAA" + |
| "AAIACQ=="; |
| |
| // Base64 encoded bytes of simple class: "package baz; public class Baz {}" |
| private final static String BAZ_CLASS = |
| "yv66vgAAADQADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" + |
| "D0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhCYXouamF2YQwABAAF" + |
| "AQAHYmF6L0JhegEAEGphdmEvbGFuZy9PYmplY3QAIQACAAMAAAAAAAEAAQAE" + |
| "AAUAAQAGAAAAHQABAAEAAAAFKrcAAbEAAAABAAcAAAAGAAEAAAABAAEACAAA" + |
| "AAIACQ=="; |
| |
| private final static String BAZ_CERT = |
| "-----BEGIN CERTIFICATE-----\n" + |
| "MIIEFzCCA8OgAwIBAgIESpPf8TANBglghkgBZQMEAwIFADAOMQwwCgYDVQQDEwNG\n" + |
| "b28wHhcNMTUwNzE1MTY1ODM5WhcNMTUxMDEzMTY1ODM5WjAOMQwwCgYDVQQDEwNG\n" + |
| "b28wggNCMIICNQYHKoZIzjgEATCCAigCggEBAI95Ndm5qum/q+2Ies9JUbbzLsWe\n" + |
| "O683GOjqxJYfPv02BudDUanEGDM5uAnnwq4cU5unR1uF0BGtuLR5h3VJhGlcrA6P\n" + |
| "FLM2CCiiL/onEQo9YqmTRTQJoP5pbEZY+EvdIIGcNwmgEFexla3NACM9ulSEtikf\n" + |
| "nWSO+INEhneXnOwEtDSmrC516Zhd4j2wKS/BEYyf+p2BgeczjbeStzDXueNJWS9o\n" + |
| "CZhyFTkV6j1ri0ZTxjNFj4A7MqTC4PJykCVuTj+KOwg4ocRQ5OGMGimjfd9eoUPe\n" + |
| "S2b/BJA+1c8WI+FY1IfGCOl/IRzYHcojy244B2X4IuNCvkhMBXY5OWAc1mcCHQC6\n" + |
| "9pamhXj3397n+mfJd8eF7zKyM7rlgMC81WldAoIBABamXFggSFBwTnUCo5dXBA00\n" + |
| "2jo0eMFU1OSlwC0kLuBPluYeS9CQSr2sjzfuseCfMYLSPJBDy2QviABBYO35ygmz\n" + |
| "IHannDKmJ/JHPpGHm6LE50S9IIFUTLVbgCw2jR+oPtSJ6U4PoGiOMkKKXHjEeMaN\n" + |
| "BSe3HJo6uwsL4SxEaJY559POdNsQGmWqK4f2TGgm2z7HL0tVmYNLtO2wL3yQ6aSW\n" + |
| "06VdU1vr/EXU9hn2Pz3tu4c5JcLyJOB3MSltqIfsHkdI+H77X963VIQxayIy3uVT\n" + |
| "3a8CESsNHwLaMJcyJP4nrtqLnUspItm6i+Oe2eEDpjxSgQvGiLfi7UMW4e8X294D\n" + |
| "ggEFAAKCAQBsGeU8/STExzQsJ8kFM9xarA/2VAFMzyUpd3IQ2UGHQC5rEnGh/RiU\n" + |
| "T20y7a2hCpQ1f/qgLnY8hku9GRVY3z8WamBzWLzCAEAx67EsS58mf4o8R3sUbkH5\n" + |
| "/mRaZoNVSPUy+tXoLmTzIetU4W+JT8Rq4OcXXU9uo9TreeBehhVexS3vpVgQeUIn\n" + |
| "MmMma8WHpovIJQQlp4cyjalX7Beda/tqX/HPLkAS4TRqQAz7hFr3FqFrVMKFSGo4\n" + |
| "fTS06GGdQ4tw9c6NQLuQ9WF9BxYSwSk9yENQvKDZaBNarqPMnsh1Gi/QcKMRBVhM\n" + |
| "RT/9vb4QUi/pOowhhKCDBLgjY60QgX3HoyEwHzAdBgNVHQ4EFgQUa787CE+3ZNAb\n" + |
| "g1ql9yJVVrRCdx0wDQYJYIZIAWUDBAMCBQADPwAwPAIcCUkZIRrBlKdTzhKYBEOm\n" + |
| "E1i45MMum1RuHc28agIcfHQkkjBA4FfH5UMRgKpIyRR8V/dVboxDj4hKOA==\n" + |
| "-----END CERTIFICATE-----"; |
| |
| public static void main(String[] args) throws Exception { |
| |
| Security.addProvider(new TestProvider()); |
| |
| MySecureClassLoader scl = new MySecureClassLoader(); |
| |
| File policyFile = new File(System.getProperty("test.src", "."), |
| "DefineClass.policy"); |
| Policy p = Policy.getInstance("JavaPolicy", |
| new URIParameter(policyFile.toURI())); |
| Policy.setPolicy(p); |
| |
| System.setSecurityManager(new SecurityManager()); |
| ArrayList<Permission> perms1 = getPermissions(scl, p, |
| "http://localhost/", |
| "foo.Foo", FOO_CLASS, |
| null); |
| checkPerms(perms1, GRANTED_PERMS); |
| ArrayList<Permission> perms2 = getPermissions(scl, p, |
| "http://127.0.0.1/", |
| "bar.Bar", BAR_CLASS, |
| null); |
| checkPerms(perms2, GRANTED_PERMS); |
| assert(perms1.equals(perms2)); |
| |
| // check that class signed by baz is granted an additional permission |
| Certificate[] chain = new Certificate[] {getCert(BAZ_CERT)}; |
| ArrayList<Permission> perms3 = getPermissions(scl, p, |
| "http://localhost/", |
| "baz.Baz", BAZ_CLASS, |
| chain); |
| List<Permission> perms = new ArrayList<>(Arrays.asList(GRANTED_PERMS)); |
| perms.add(new PropertyPermission("user.dir", "read")); |
| checkPerms(perms3, perms.toArray(new Permission[0])); |
| } |
| |
| // returns the permissions granted to the codebase URL |
| private static ArrayList<Permission> getPermissions(MySecureClassLoader scl, |
| Policy p, String url, |
| String className, |
| String classBytes, |
| Certificate[] chain) |
| throws IOException { |
| CodeSource cs = new CodeSource(new URL(url), chain); |
| Base64.Decoder bd = Base64.getDecoder(); |
| byte[] bytes = bd.decode(classBytes); |
| Class<?> c = scl.defineMyClass(className, bytes, cs); |
| ProtectionDomain pd = c.getProtectionDomain(); |
| return Collections.list(p.getPermissions(pd).elements()); |
| } |
| |
| private static void checkPerms(List<Permission> perms, |
| Permission... grantedPerms) |
| throws Exception |
| { |
| if (!perms.containsAll(Arrays.asList(grantedPerms))) { |
| throw new Exception("Granted permissions not correct"); |
| } |
| } |
| |
| private static Certificate getCert(String base64Cert) throws Exception { |
| CertificateFactory cf = CertificateFactory.getInstance("X.509"); |
| InputStream is = new ByteArrayInputStream(base64Cert.getBytes("UTF-8")); |
| return cf.generateCertificate(is); |
| } |
| |
| // A SecureClassLoader that allows the test to define its own classes |
| private static class MySecureClassLoader extends SecureClassLoader { |
| Class<?> defineMyClass(String name, byte[] b, CodeSource cs) { |
| return super.defineClass(name, b, 0, b.length, cs); |
| } |
| } |
| |
| private static class TestProvider extends Provider { |
| TestProvider() { |
| super("Test8131486", "0.0", "For testing only"); |
| putService(new Provider.Service(this, "KeyStore", "Test8131486", |
| "DefineClass$TestKeyStore", null, null)); |
| } |
| } |
| |
| /** |
| * A KeyStore containing a single certificate entry named "baz". |
| */ |
| public static class TestKeyStore extends KeyStoreSpi { |
| private final String baz = "baz"; |
| private final List<String> aliases = Collections.singletonList(baz); |
| private final Certificate bazCert; |
| |
| public TestKeyStore() { |
| try { |
| this.bazCert = getCert(BAZ_CERT); |
| } catch (Exception e) { |
| throw new Error(); |
| } |
| } |
| |
| @Override |
| public Enumeration<String> engineAliases() { |
| return Collections.enumeration(aliases); |
| } |
| |
| @Override |
| public boolean engineContainsAlias(String alias) { |
| return alias.equals(baz); |
| } |
| |
| @Override |
| public void engineDeleteEntry(String alias) throws KeyStoreException { |
| throw new KeyStoreException(); |
| } |
| |
| @Override |
| public Certificate engineGetCertificate(String alias) { |
| return alias.equals(baz) ? bazCert : null; |
| } |
| |
| @Override |
| public String engineGetCertificateAlias(Certificate cert) { |
| return cert.equals(bazCert) ? baz : null; |
| } |
| |
| @Override |
| public Certificate[] engineGetCertificateChain(String alias) { |
| return alias.equals(baz) ? new Certificate[] {bazCert} : null; |
| } |
| |
| @Override |
| public Date engineGetCreationDate(String alias) { |
| return alias.equals(baz) ? new Date() : null; |
| } |
| |
| @Override |
| public Key engineGetKey(String alias, char[] password) |
| throws NoSuchAlgorithmException, UnrecoverableKeyException { |
| return null; |
| } |
| |
| @Override |
| public boolean engineIsCertificateEntry(String alias) { |
| return alias.equals(baz); |
| } |
| |
| @Override |
| public boolean engineIsKeyEntry(String alias) { |
| return false; |
| } |
| |
| @Override |
| public void engineLoad(InputStream stream, char[] password) |
| throws IOException, NoSuchAlgorithmException, CertificateException { |
| } |
| |
| @Override |
| public void engineSetCertificateEntry(String alias, Certificate cert) |
| throws KeyStoreException { |
| throw new KeyStoreException(); |
| } |
| |
| @Override |
| public void engineSetKeyEntry(String alias, byte[] key, |
| Certificate[] chain) |
| throws KeyStoreException { |
| throw new KeyStoreException(); |
| } |
| |
| @Override |
| public void engineSetKeyEntry(String alias, Key key, char[] password, |
| Certificate[] chain) |
| throws KeyStoreException { |
| throw new KeyStoreException(); |
| } |
| |
| @Override |
| public int engineSize() { return 1; } |
| |
| @Override |
| public void engineStore(OutputStream stream, char[] password) |
| throws IOException, NoSuchAlgorithmException, CertificateException { |
| } |
| } |
| } |
