Providers.java revision 1d958dba8b5c9589e3375446045e1672eee0e1b1
1/* 2 * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26package sun.security.jca; 27 28import java.util.*; 29 30import java.security.Provider; 31import java.security.Security; 32 33/** 34 * Collection of methods to get and set provider list. Also includes 35 * special code for the provider list during JAR verification. 36 * 37 * @author Andreas Sterbenz 38 * @since 1.5 39 */ 40public class Providers { 41 42 private static final ThreadLocal<ProviderList> threadLists = 43 new InheritableThreadLocal<>(); 44 45 // number of threads currently using thread-local provider lists 46 // tracked to allow an optimization if == 0 47 private static volatile int threadListsUsed; 48 49 // current system-wide provider list 50 // Note volatile immutable object, so no synchronization needed. 51 private static volatile ProviderList providerList; 52 53 static { 54 // set providerList to empty list first in case initialization somehow 55 // triggers a getInstance() call (although that should not happen) 56 providerList = ProviderList.EMPTY; 57 providerList = ProviderList.fromSecurityProperties(); 58 } 59 60 private Providers() { 61 // empty 62 } 63 64 // we need special handling to resolve circularities when loading 65 // signed JAR files during startup. The code below is part of that. 66 67 // Basically, before we load data from a signed JAR file, we parse 68 // the PKCS#7 file and verify the signature. We need a 69 // CertificateFactory, Signatures, etc. to do that. We have to make 70 // sure that we do not try to load the implementation from the JAR 71 // file we are just verifying. 72 // 73 // To avoid that, we use different provider settings during JAR 74 // verification. However, we do not want those provider settings to 75 // interfere with other parts of the system. Therefore, we make them local 76 // to the Thread executing the JAR verification code. 77 // 78 // The code here is used by sun.security.util.SignatureFileVerifier. 79 // See there for details. 80 81 private static final String BACKUP_PROVIDER_CLASSNAME = 82 "sun.security.provider.VerificationProvider"; 83 84 // Hardcoded classnames of providers to use for JAR verification. 85 // MUST NOT be on the bootclasspath and not in signed JAR files. 86 private static final String[] jarVerificationProviders = { 87 /* ----- BEGIN android ----- 88 "sun.security.provider.Sun", 89 "sun.security.rsa.SunRsaSign", 90 // Note: SunEC *is* in a signed JAR file, but it's not signed 91 // by EC itself. So it's still safe to be listed here. 92 "sun.security.ec.SunEC",*/ 93 "com.android.org.conscrypt.OpenSSLProvider", 94 "com.android.org.bouncycastle.jce.provider.BouncyCastleProvider", 95 "org.apache.harmony.security.provider.crypto.CryptoProvider", 96 "com.android.org.conscrypt.JSSEProvider", 97 // ----- END android ----- 98 BACKUP_PROVIDER_CLASSNAME, 99 }; 100 101 // Return to Sun provider or its backup. 102 // This method should only be called by 103 // sun.security.util.ManifestEntryVerifier and java.security.SecureRandom. 104 public static Provider getSunProvider() { 105 try { 106 Class clazz = Class.forName(jarVerificationProviders[0]); 107 return (Provider)clazz.newInstance(); 108 } catch (Exception e) { 109 try { 110 Class clazz = Class.forName(BACKUP_PROVIDER_CLASSNAME); 111 return (Provider)clazz.newInstance(); 112 } catch (Exception ee) { 113 throw new RuntimeException("Sun provider not found", e); 114 } 115 } 116 } 117 118 /** 119 * Start JAR verification. This sets a special provider list for 120 * the current thread. You MUST save the return value from this 121 * method and you MUST call stopJarVerification() with that object 122 * once you are done. 123 */ 124 public static Object startJarVerification() { 125 ProviderList currentList = getProviderList(); 126 ProviderList jarList = currentList.getJarList(jarVerificationProviders); 127 // return the old thread-local provider list, usually null 128 return beginThreadProviderList(jarList); 129 } 130 131 /** 132 * Stop JAR verification. Call once you have completed JAR verification. 133 */ 134 public static void stopJarVerification(Object obj) { 135 // restore old thread-local provider list 136 endThreadProviderList((ProviderList)obj); 137 } 138 139 /** 140 * Return the current ProviderList. If the thread-local list is set, 141 * it is returned. Otherwise, the system wide list is returned. 142 */ 143 public static ProviderList getProviderList() { 144 ProviderList list = getThreadProviderList(); 145 if (list == null) { 146 list = getSystemProviderList(); 147 } 148 return list; 149 } 150 151 /** 152 * Set the current ProviderList. Affects the thread-local list if set, 153 * otherwise the system wide list. 154 */ 155 public static void setProviderList(ProviderList newList) { 156 if (getThreadProviderList() == null) { 157 setSystemProviderList(newList); 158 } else { 159 changeThreadProviderList(newList); 160 } 161 } 162 163 /** 164 * Get the full provider list with invalid providers (those that 165 * could not be loaded) removed. This is the list we need to 166 * present to applications. 167 */ 168 public static ProviderList getFullProviderList() { 169 ProviderList list; 170 synchronized (Providers.class) { 171 list = getThreadProviderList(); 172 if (list != null) { 173 ProviderList newList = list.removeInvalid(); 174 if (newList != list) { 175 changeThreadProviderList(newList); 176 list = newList; 177 } 178 return list; 179 } 180 } 181 list = getSystemProviderList(); 182 ProviderList newList = list.removeInvalid(); 183 if (newList != list) { 184 setSystemProviderList(newList); 185 list = newList; 186 } 187 return list; 188 } 189 190 private static ProviderList getSystemProviderList() { 191 return providerList; 192 } 193 194 private static void setSystemProviderList(ProviderList list) { 195 providerList = list; 196 } 197 198 public static ProviderList getThreadProviderList() { 199 // avoid accessing the threadlocal if none are currently in use 200 // (first use of ThreadLocal.get() for a Thread allocates a Map) 201 if (threadListsUsed == 0) { 202 return null; 203 } 204 return threadLists.get(); 205 } 206 207 // Change the thread local provider list. Use only if the current thread 208 // is already using a thread local list and you want to change it in place. 209 // In other cases, use the begin/endThreadProviderList() methods. 210 private static void changeThreadProviderList(ProviderList list) { 211 threadLists.set(list); 212 } 213 214 /** 215 * Methods to manipulate the thread local provider list. It is for use by 216 * JAR verification (see above) and the SunJSSE FIPS mode only. 217 * 218 * It should be used as follows: 219 * 220 * ProviderList list = ...; 221 * ProviderList oldList = Providers.beginThreadProviderList(list); 222 * try { 223 * // code that needs thread local provider list 224 * } finally { 225 * Providers.endThreadProviderList(oldList); 226 * } 227 * 228 */ 229 230 public static synchronized ProviderList beginThreadProviderList(ProviderList list) { 231 if (ProviderList.debug != null) { 232 ProviderList.debug.println("ThreadLocal providers: " + list); 233 } 234 ProviderList oldList = threadLists.get(); 235 threadListsUsed++; 236 threadLists.set(list); 237 return oldList; 238 } 239 240 public static synchronized void endThreadProviderList(ProviderList list) { 241 if (list == null) { 242 if (ProviderList.debug != null) { 243 ProviderList.debug.println("Disabling ThreadLocal providers"); 244 } 245 threadLists.remove(); 246 } else { 247 if (ProviderList.debug != null) { 248 ProviderList.debug.println 249 ("Restoring previous ThreadLocal providers: " + list); 250 } 251 threadLists.set(list); 252 } 253 threadListsUsed--; 254 } 255 256} 257