Author: peter_firmstone Date: Mon Jan 23 23:29:10 2012 New Revision: 1235063
URL: http://svn.apache.org/viewvc?rev=1235063&view=rev Log: River-404 Commenced writing a bouncy castle self signed certificate generator to replace DSTC JCSI. Made changes to some policy files to support constructing ConcurrentPolicyFile (which requires a getPolicy, permission, because ConcurrentPolicyFile uses doPrivileged calls to read policy files and System properties, user code could otherwise use it to gain policy information). Added: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/ river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcmail-jdk16-146.jar (with props) river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcpg-jdk16-146.jar (with props) river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcprov-jdk16-146.jar (with props) river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctest-jdk16-146.jar (with props) river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctsp-jdk16-146.jar (with props) Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/build.xml river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/ (props changed) river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/CA.java river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/tcp/localHostExposure/TestNameService.java river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/transport/multihomed/TestNameService.java river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/Test.java river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/policy river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/basePolicyNotFound/policy river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/domainCaching/policy river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/Test.java river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/policy river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/nullCases/policy river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/principalGrants/policy river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/selfGrants/policy.0 river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basePolicyNotFound/policy river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basicGrants/policy.0 river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/nullCases/policy river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/umbrellaGrants/policy river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/porter/policy river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/GrantPermission.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/DynamicPolicyProvider.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/url/httpmd/Handler.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/ConcurrentPolicyFile.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java Added: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcmail-jdk16-146.jar URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcmail-jdk16-146.jar?rev=1235063&view=auto ============================================================================== Binary file - no diff available. Propchange: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcmail-jdk16-146.jar ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcpg-jdk16-146.jar URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcpg-jdk16-146.jar?rev=1235063&view=auto ============================================================================== Binary file - no diff available. Propchange: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcpg-jdk16-146.jar ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcprov-jdk16-146.jar URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcprov-jdk16-146.jar?rev=1235063&view=auto ============================================================================== Binary file - no diff available. Propchange: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcprov-jdk16-146.jar ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctest-jdk16-146.jar URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctest-jdk16-146.jar?rev=1235063&view=auto ============================================================================== Binary file - no diff available. Propchange: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctest-jdk16-146.jar ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctsp-jdk16-146.jar URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctsp-jdk16-146.jar?rev=1235063&view=auto ============================================================================== Binary file - no diff available. Propchange: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctsp-jdk16-146.jar ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/build.xml URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/build.xml?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/build.xml (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/build.xml Mon Jan 23 23:29:10 2012 @@ -58,7 +58,7 @@ <property name="jtreg.home" location="${env.JT_HOME}" /> <!-- probably should rename the environment variable, to enable using the correct --> <!-- jdk version for the jtreg tests which depend on jdk1.5 --> - <property name="jdk1.5.home" location="/usr/jdk/jdk1.5.0_15"/> + <property name="jdk1.5.home" location="/usr/jdk/jdk1.6.0_30"/> <property name="jtlib.tmp" location="${jtreg.dir}/JTlib-tmp"/> <!-- classpath for use by ClassDep in this build --> @@ -214,9 +214,10 @@ reportdir="${jtreg.dir}/JTreport" workdir="${jtreg.dir}/JTwork" jdk="${jdk1.5.home}"> <arg value="-cpa:${jtlib.tmp}/jsk-policy.jar${path.separator}${jtlib.tmp}/jsk-lib.jar${path.separator}${jtlib.tmp}/jsk-platform.jar${path.separator}${jtlib.tmp}/jsk-resources.jar${path.separator}${jtlib.tmp}/phoenix-init.jar${path.separator}${jtlib.tmp}/tools.jar"/> - <arg value="-timeout:2"/> + <arg value="-timeout:4"/> <!--<arg value="-Djsk.home=${river.home}"/>--> <arg value="-Djtlib.tmp=${jtlib.tmp}"/> + <arg value="-Dscratch.dir=${jtreg.dir}/JTwork/scratch"/> <!--<arg value="-status:fail"/>--> <!--<arg value="-Djava.security.debug=access,failure"/>--> <!--<arg value="-Dsun.security.krb5.debug=true"/>--> @@ -224,7 +225,9 @@ <!--<arg value="net/jini/jeri/kerberos/UnitTests/runTestPerformance.sh" />--> <!--<arg value="-Bug:6307813"/>--> <!--<arg value="net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/Test.java"/>--> + <!--<arg value="net/jini/security/Security/implicitGrants/Test.java"/>--> <!--<arg value="net/jini/security/GrantPermission/implies/Test.java" />--> + <arg value="net/jini/url/httpmd/TestEqual.java"/> </jtreg> <move todir="${river.lib.dir}"> <filelist dir="${jtreg.dir}/JTlib-tmp"> Propchange: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/ ------------------------------------------------------------------------------ --- svn:ignore (added) +++ svn:ignore Mon Jan 23 23:29:10 2012 @@ -0,0 +1,19 @@ +OID.java +PBEKeyImpl.java +ConsoleKeyTool.java +PKCS12KeyDerivation.java +NetscapeCertType.java +CertGenerator.java +PKCS5KeyDerivation.java +PBEKeyDerivation.java +ConsoleCATool.java +ContentInfo.java +ToolException.java +ConfigException.java +BasicConstraints.java +SubjectKeyIdentifier.java +PKCS8EncryptedPrivateKey.java +AlgorithmId.java +RevokedCertificate.java +Config.java +UTCTime.java Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/CA.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/CA.java?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/CA.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/CA.java Mon Jan 23 23:29:10 2012 @@ -15,9 +15,38 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -import com.dstc.security.pki.ConsoleCATool; -import com.dstc.security.provider.DSTC; +//import com.dstc.security.pki.ConsoleCATool; +//import com.dstc.security.provider.DSTC; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.math.BigInteger; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; import java.security.Security; +import java.security.SignatureException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.util.Date; +import java.util.Properties; +import java.util.logging.Level; +import java.util.logging.Logger; +import javax.security.auth.x500.X500Principal; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.X509v1CertificateBuilder; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509v1CertificateBuilder; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; /** * Run the DSTC Certificate Authority console after installing the provider. @@ -26,7 +55,87 @@ import java.security.Security; */ public class CA { public static void main(String[] args) { - Security.insertProviderAt(new DSTC(), 1); - com.dstc.security.pki.ConsoleCATool.main(args); + //Security.insertProviderAt(new DSTC(), 1); + //com.dstc.security.pki.ConsoleCATool.main(args); + String configFile = System.getProperty("jcsi.ca.conf", "${user.home}${/}.jcsi${/}ca.properties"); + Properties p = new Properties(); + File conf = new File(configFile); + try { + InputStream in = new FileInputStream(conf); + p.load(in); + } catch (IOException ex) { + ex.printStackTrace(System.err); + } + Security.insertProviderAt(new BouncyCastleProvider(), 1); + KeyPairGenerator keyGen = null; + String algorithm = p.getProperty("jcsi.ca.keyAlg", "RSA"); + int keyLen = Integer.parseInt(p.getProperty("jcsi.ca.keyLength", "256")); + try { + keyGen = KeyPairGenerator.getInstance(algorithm, "BC"); + } catch (NoSuchAlgorithmException ex) { + ex.printStackTrace(System.err); + } catch (NoSuchProviderException ex) { + ex.printStackTrace(System.err); + } + SecureRandom random = new SecureRandom(); + keyGen.initialize(keyLen, random); + KeyPair keys = keyGen.generateKeyPair(); + PublicKey publicKey = keys.getPublic(); + PrivateKey privKey = keys.getPrivate(); // The key used to sign our Certificate. + + String issuerDN = p.getProperty("jcsi.ca.issuerDN"); + int validDays + = Integer.parseInt(p.getProperty("jcsi.ca.validityPeriod")); + String signerAlgorithm = p.getProperty("jcsi.ca.sigAlg", "SHA1withRSA"); + + // + ContentSigner sigGen = null; + try { + sigGen = new JcaContentSignerBuilder(signerAlgorithm).setProvider("BC").build(privKey); + } catch (OperatorCreationException ex) { + ex.printStackTrace(System.err); + } + + X500Principal issuer = new X500Principal(issuerDN); + + X500Principal subject = issuer; // Self signed. + long time = System.currentTimeMillis(); + BigInteger serial = BigInteger.valueOf(time); + Date notBefore = new Date(time - 50000); + Date notAfter = new Date(time + validDays* 86400000); + X509v1CertificateBuilder certBuilder = + new JcaX509v1CertificateBuilder( + issuer, + serial, + notBefore, + notAfter, + subject, + publicKey); + + X509CertificateHolder certHolder = certBuilder.build(sigGen); + JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); + Certificate cert = null; + try { + cert = converter.getCertificate(certHolder); + } catch (CertificateException ex) { + ex.printStackTrace(System.err); + } + try { + cert.verify(publicKey); + // TODO: write private key and certificate to files. + } catch (CertificateException ex) { + ex.printStackTrace(System.err); + } catch (NoSuchAlgorithmException ex) { + ex.printStackTrace(System.err); + } catch (InvalidKeyException ex) { + ex.printStackTrace(System.err); + } catch (NoSuchProviderException ex) { + ex.printStackTrace(System.err); + } catch (SignatureException ex) { + ex.printStackTrace(System.err); + } + } + + } Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/tcp/localHostExposure/TestNameService.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/tcp/localHostExposure/TestNameService.java?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/tcp/localHostExposure/TestNameService.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/tcp/localHostExposure/TestNameService.java Mon Jan 23 23:29:10 2012 @@ -15,6 +15,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ +import java.net.InetAddress; import java.net.UnknownHostException; import sun.net.spi.nameservice.NameService; @@ -28,8 +29,19 @@ public class TestNameService implements return lastNameLookup; } } + + /* Java 6 version */ + public InetAddress [] lookupAllHostAddr(String host) throws UnknownHostException{ + byte [][] allHostAdd = lookAllHostAddr(host); + int l = allHostAdd.length; + InetAddress [] result = new InetAddress[l]; + for (int i = 0; i<l; i++){ + result[i] = InetAddress.getByAddress(allHostAdd[i]); + } + return result; + } - public byte[][] lookupAllHostAddr(String host) + private byte[][] lookAllHostAddr(String host) throws UnknownHostException { // System.err.println("FORWARD: " + host); Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/transport/multihomed/TestNameService.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/transport/multihomed/TestNameService.java?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/transport/multihomed/TestNameService.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/transport/multihomed/TestNameService.java Mon Jan 23 23:29:10 2012 @@ -58,8 +58,20 @@ public class TestNameService implements // do nothing } } + + /* Java 6 version */ + public InetAddress [] lookupAllHostAddr(String host) throws UnknownHostException{ + byte [][] allHostAdd = lookAllHostAddr(host); + int l = allHostAdd.length; + InetAddress [] result = new InetAddress[l]; + for (int i = 0; i<l; i++){ + result[i] = InetAddress.getByAddress(allHostAdd[i]); + } + return result; + } - public byte[][] lookupAllHostAddr(String host) + /* Java 5 version of provider, renamed and privatised */ + private byte[][] lookAllHostAddr(String host) throws UnknownHostException { // System.err.println("FORWARD: " + host); Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/Test.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/Test.java?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/Test.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/Test.java Mon Jan 23 23:29:10 2012 @@ -49,6 +49,10 @@ public class Test { TestLibrary.installClassInCodebase("Foo", "cb2")}); cl1 = Class.forName("Foo", true, ldr1); cl2 = Class.forName("Foo", true, ldr2); + ProtectionDomain pd2 = cl2.getProtectionDomain(); + if (policy.implies(pd2, pA)) throw new Error(); + if (policy.implies(pd2, pB)) throw new Error(); + if (policy.implies(pd2, pC)) throw new Error(); ClassLoader ldr3 = new URLClassLoader(new URL[]{ TestLibrary.installClassInCodebase("Setup", "cb3")}); @@ -62,13 +66,10 @@ public class Test { { throw new Error(); } - ProtectionDomain pd2 = cl2.getProtectionDomain(); - if (policy.implies(pd2, pA) || - policy.implies(pd2, pB) || - policy.implies(pd2, pC)) - { - throw new Error(); - } + //ProtectionDomain pd2 = cl2.getProtectionDomain(); + if (policy.implies(pd2, pA)) throw new Error(); + if (policy.implies(pd2, pB)) throw new Error(); + if (policy.implies(pd2, pC)) throw new Error(); final Principal prX = new StringPrincipal("X"), prY = new StringPrincipal("Y"), Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/policy?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/policy Mon Jan 23 23:29:10 2012 @@ -25,10 +25,11 @@ grant { permission java.lang.RuntimePermission "setSecurityManager"; permission java.security.SecurityPermission "getProperty.*"; permission java.security.SecurityPermission "setPolicy"; + permission java.security.SecurityPermission "getPolicy"; permission java.util.PropertyPermission "*", "read"; permission javax.security.auth.AuthPermission "doAs"; }; -grant codeBase "file:.${/}cb3${/}" { +grant codeBase "file:${scratch.dir}${/}cb3${/}*" { permission java.security.AllPermission; }; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/basePolicyNotFound/policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/basePolicyNotFound/policy?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/basePolicyNotFound/policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/basePolicyNotFound/policy Mon Jan 23 23:29:10 2012 @@ -15,4 +15,5 @@ grant { permission java.lang.RuntimePermission "setSecurityManager"; permission java.security.SecurityPermission "getProperty.*"; permission java.security.SecurityPermission "setProperty.*"; + permission java.security.SecurityPermission "getPolicy"; }; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/domainCaching/policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/domainCaching/policy?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/domainCaching/policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/domainCaching/policy Mon Jan 23 23:29:10 2012 @@ -14,6 +14,7 @@ grant { permission java.lang.RuntimePermission "accessClassInPackage.*"; permission java.util.PropertyPermission "*", "read"; permission java.security.SecurityPermission "getProperty.*"; + permission java.security.SecurityPermission "getPolicy"; permission java.io.FilePermission ".", "read,write,delete"; permission java.io.FilePermission ".${/}-", "read,write,delete"; permission java.io.FilePermission "${test.classes}", "read,write,delete"; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/Test.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/Test.java?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/Test.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/Test.java Mon Jan 23 23:29:10 2012 @@ -50,9 +50,9 @@ public class Test { } p = new RuntimePermission("C"); + if (policy1.implies(pd, p)) throw new Error(); policy2.grant(cl, null, new Permission[]{ p }); - if (policy1.implies(pd, p) || !policy2.implies(pd, p)) { - throw new Error(); - } + if (policy1.implies(pd, p)) throw new Error(); + if (!policy2.implies(pd, p)) throw new Error(); } } Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/policy?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/policy Mon Jan 23 23:29:10 2012 @@ -16,4 +16,5 @@ grant { permission java.lang.RuntimePermission "accessClassInPackage.*"; permission java.lang.RuntimePermission "getProtectionDomain"; permission java.security.SecurityPermission "getProperty.*"; + permission java.security.SecurityPermission "getPolicy"; }; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/nullCases/policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/nullCases/policy?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/nullCases/policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/nullCases/policy Mon Jan 23 23:29:10 2012 @@ -13,4 +13,5 @@ grant { permission java.lang.RuntimePermission "accessClassInPackage.*"; permission java.lang.RuntimePermission "setSecurityManager"; permission java.security.SecurityPermission "getProperty.*"; + permission java.security.SecurityPermission "getPolicy"; }; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/principalGrants/policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/principalGrants/policy?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/principalGrants/policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/principalGrants/policy Mon Jan 23 23:29:10 2012 @@ -23,4 +23,5 @@ grant { permission java.lang.RuntimePermission "setSecurityManager"; permission java.util.PropertyPermission "*", "read"; permission java.security.SecurityPermission "getProperty.*"; + permission java.security.SecurityPermission "getPolicy"; }; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/selfGrants/policy.0 URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/selfGrants/policy.0?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/selfGrants/policy.0 (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/selfGrants/policy.0 Mon Jan 23 23:29:10 2012 @@ -20,4 +20,5 @@ grant { permission java.util.PropertyPermission "test.src", "read"; permission java.security.SecurityPermission "getProperty.*"; permission java.security.SecurityPermission "setPolicy"; + permission java.security.SecurityPermission "getPolicy"; }; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basePolicyNotFound/policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basePolicyNotFound/policy?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basePolicyNotFound/policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basePolicyNotFound/policy Mon Jan 23 23:29:10 2012 @@ -15,4 +15,5 @@ grant { permission java.lang.RuntimePermission "setSecurityManager"; permission java.security.SecurityPermission "getProperty.*"; permission java.security.SecurityPermission "setProperty.*"; + permission java.security.SecurityPermission "getPolicy"; }; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basicGrants/policy.0 URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basicGrants/policy.0?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basicGrants/policy.0 (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basicGrants/policy.0 Mon Jan 23 23:29:10 2012 @@ -17,6 +17,7 @@ grant { "java.security.policy", "read,write"; permission java.util.PropertyPermission "test.src", "read"; permission java.security.SecurityPermission "getProperty.*"; + permission java.security.SecurityPermission "getPolicy"; }; grant codeBase "file:/foo/*" { Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/nullCases/policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/nullCases/policy?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/nullCases/policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/nullCases/policy Mon Jan 23 23:29:10 2012 @@ -13,4 +13,5 @@ grant { permission java.lang.RuntimePermission "accessClassInPackage.*"; permission java.lang.RuntimePermission "setSecurityManager"; permission java.security.SecurityPermission "getProperty.*"; + permission java.security.SecurityPermission "getPolicy"; }; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/umbrellaGrants/policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/umbrellaGrants/policy?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/umbrellaGrants/policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/umbrellaGrants/policy Mon Jan 23 23:29:10 2012 @@ -1,7 +1,7 @@ /* @summary Test PolicyFileProvider expansion of UmbrellaGrantPermissions */ -grant codeBase "file:${java.home}/lib/ext/*" { +grant codeBase "file:${{java.ext.dirs}}/*" { permission java.security.AllPermission; }; @@ -13,6 +13,7 @@ grant { permission java.lang.RuntimePermission "accessClassInPackage.*"; permission java.lang.RuntimePermission "setSecurityManager"; permission java.security.SecurityPermission "getProperty.*"; + permission java.security.SecurityPermission "getPolicy"; }; grant codeBase "file:/foo.jar" { Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/porter/policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/porter/policy?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/porter/policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/porter/policy Mon Jan 23 23:29:10 2012 @@ -1,5 +1,5 @@ -grant codeBase "file:${java.home}/lib/ext/*" { - permission java.security.AllPermission; +grant codeBase "file:${{java.ext.dirs}}/*" { + permission java.security.AllPermission; }; grant codeBase "file:${jtlib.tmp}/*" { Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/GrantPermission.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/GrantPermission.java?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/GrantPermission.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/GrantPermission.java Mon Jan 23 23:29:10 2012 @@ -765,9 +765,9 @@ public final class GrantPermission exten private static final ObjectStreamField[] serialPersistentFields = { new ObjectStreamField("perms", List.class, true) }; - - private Collection<Permission> perms = - new TreeSet<Permission>(new PermissionComparator()); + + // Serial form. + private List<Permission> perms = new ArrayList<Permission>(); private Implier implier = new Implier(); public synchronized void add(Permission p) { @@ -778,10 +778,11 @@ public final class GrantPermission exten throw new SecurityException( "can't add to read-only PermissionCollection"); } - if (!perms.contains(p)){ - perms.add(p); - implier.add((GrantPermission) p); - } + // No longer rely on TreeSet to ensure correctness, just don't + // add twice, in other words check must be external. + perms.add(p); + implier.add((GrantPermission) p); + } public synchronized Enumeration<Permission> elements() { Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/DynamicPolicyProvider.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/DynamicPolicyProvider.java?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/DynamicPolicyProvider.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/DynamicPolicyProvider.java Mon Jan 23 23:29:10 2012 @@ -174,6 +174,14 @@ public class DynamicPolicyProvider exten "net.jini.security.policy.DynamicPolicyProvider.revocation"; private static final Logger logger = Logger.getLogger("net.jini.security.policy"); + private static final ProtectionDomain policyDomain = + AccessController.doPrivileged(new PrivilegedAction<ProtectionDomain>(){ + + public ProtectionDomain run() { + return DynamicPolicyProvider.class.getProtectionDomain(); + } + }); + /* * Copy referent before use. * @@ -205,7 +213,7 @@ public class DynamicPolicyProvider exten private final Permission implementsPermissionGrant; private final Guard protectionDomainPermission; - private final ProtectionDomain policyDomain; + private final PermissionCollection policyPermissions; /** @@ -281,7 +289,6 @@ public class DynamicPolicyProvider exten basePolicyIsRemote = basePolicy instanceof RemotePolicy ?true: false; basePolicyIsConcurrent = basePolicy instanceof ConcurrentPolicy ? ((ConcurrentPolicy) basePolicy).isConcurrent() : false; - policyDomain = getClass().getProtectionDomain(); policyPermissions = basePolicy.getPermissions(policyDomain); policyPermissions.setReadOnly(); } @@ -320,7 +327,6 @@ public class DynamicPolicyProvider exten basePolicyIsRemote = basePolicy instanceof RemotePolicy ?true: false; basePolicyIsConcurrent = basePolicy instanceof ConcurrentPolicy ? ((ConcurrentPolicy) basePolicy).isConcurrent() : false; - policyDomain = getClass().getProtectionDomain(); policyPermissions = basePolicy.getPermissions(policyDomain); policyPermissions.setReadOnly(); } @@ -530,7 +536,6 @@ Put the policy providers and all referen public boolean implies(ProtectionDomain domain, Permission permission) { if (domain == policyDomain) return policyPermissions.implies(permission); if (basePolicyIsDynamic || basePolicyIsRemote){ - // Total delegation revoke supported only by underlying policy. if (basePolicy.implies(domain, permission)) return true; } if (permission == null) throw new NullPointerException("permission not allowed to be null"); @@ -671,32 +676,31 @@ Put the policy providers and all referen return true; } - public void grant(Class cl, Principal[] principals, Permission[] permissions) { + public void grant(final Class cl, Principal[] principals, Permission[] permissions) { if (principals == null){ principals = new Principal[0];} checkNullElements(principals); // This has to be after checkNullElements principals or we fail the NullCases test. if (permissions == null || permissions.length == 0) {return;} checkNullElements(permissions); - if ( basePolicyIsDynamic ){ - /* Delegate, otherwise, if base policy is an instance of this class, we - * may have multi combinations of permissions that together should - * be true but become separated as this implementation will not - * return any dynamically granted permissions via getPermissions( - * because doing so would mean loosing revoke ability. - */ - DynamicPolicy dp = (DynamicPolicy) basePolicy; - dp.grant(cl, principals, permissions); - return; - } + // Not delgated to base policy. SecurityManager sm = System.getSecurityManager(); if (sm != null){ sm.checkPermission(new GrantPermission(permissions)); } - PermissionGrantBuilder pgb = PermissionGrantBuilder.newBuilder(); - PermissionGrant pe = pgb.clazz(cl).principals(principals) - .permissions(permissions) - .context(PermissionGrantBuilder.CLASSLOADER) - .build(); + final PermissionGrantBuilder pgb = PermissionGrantBuilder.newBuilder(); + pgb.principals(principals) + .permissions(permissions) + .context(PermissionGrantBuilder.CLASSLOADER); + AccessController.doPrivileged( + new PrivilegedAction(){ + + public Object run() { + pgb.clazz(cl); + return null; + } + + }); + PermissionGrant pe = pgb.build(); dynamicPolicyGrants.add(pe); if (loggable){ logger.log(Level.FINEST, "Granting: {0}", pe.toString()); @@ -705,9 +709,6 @@ Put the policy providers and all referen // documentation inherited from DynamicPolicy.getGrants public Permission[] getGrants(Class cl, Principal[] principals) { - if (basePolicyIsDynamic){ - return ((DynamicPolicy)basePolicy).getGrants(cl, principals); - } ClassLoader loader = null; if( cl != null ) { loader = cl.getClassLoader(); @@ -732,10 +733,6 @@ Put the policy providers and all referen public Permission[] revoke(Class cl, Principal[] principals) { revokePermission.checkGuard(null); - if (basePolicyIsDynamic && revokeable){ - RevocablePolicy bp = (RevocablePolicy) basePolicy; - return bp.revoke(cl, principals); - } ClassLoader loader = null; if( cl != null ) { loader = cl.getClassLoader(); Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/url/httpmd/Handler.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/url/httpmd/Handler.java?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/url/httpmd/Handler.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/url/httpmd/Handler.java Mon Jan 23 23:29:10 2012 @@ -226,6 +226,29 @@ public class Handler extends URLStreamHa } } } + + /** + * The default superclass implementation performs dns lookup to determine + * if hosts are equal, this allows two URL's with different hashCode's + * to be equal, breaking the hashCode equals contract. + * + * It also causes a test failure in the jtreg test suite. + * + * + * *** Start test: Mon Jan 23 08:11:26 EST 2012 + * [jtreg] Test 9: TestEqual: httpmd://foo:88/bar/baz;p1=v1;md5=abcd?q#r, httpmd://alpha:88/bar/baz;p1=v1;md5=abcd?q#r + * [jtreg] FAIL: Should be: false + * [jtreg] Result: true + * + * URL.implies(URL url) is better suited to perform this function, why + * it was originally implemented in equals is unknown. + */ + protected boolean hostsEqual(URL u1, URL u2) { + if (u1.getHost() != null && u2.getHost() != null) + return u1.getHost().equalsIgnoreCase(u2.getHost()); + else + return u1.getHost() == null && u2.getHost() == null; + } /** * Compares two HTTPMD URLs to see if they refer to the same file. Performs @@ -317,15 +340,15 @@ public class Handler extends URLStreamHa } /* Generate the host part */ - InetAddress addr = getHostAddress(u); - if (addr != null) { - h += addr.hashCode(); - } else { +// InetAddress addr = getHostAddress(u); +// if (addr != null) { +// h += addr.hashCode(); +// } else { String host = u.getHost(); if (host != null) { h += host.toLowerCase().hashCode(); } - } +// } /* * Generate the path part, ignoring case in the message digest and Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/ConcurrentPolicyFile.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/ConcurrentPolicyFile.java?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/ConcurrentPolicyFile.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/ConcurrentPolicyFile.java Mon Jan 23 23:29:10 2012 @@ -36,6 +36,7 @@ import java.security.Permission; import java.security.PermissionCollection; import java.security.Permissions; import java.security.Policy; +import java.security.PrivilegedAction; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; import java.security.ProtectionDomain; @@ -182,7 +183,13 @@ public class ConcurrentPolicyFile extend private static final Guard guard = new SecurityPermission("getPolicy"); - private final ProtectionDomain myDomain; + private static final ProtectionDomain myDomain = + AccessController.doPrivileged(new PrivilegedAction<ProtectionDomain>(){ + + public ProtectionDomain run() { + return ConcurrentPolicyFile.class.getProtectionDomain(); + } + }); private final Comparator<Permission> comparator; @@ -205,7 +212,6 @@ public class ConcurrentPolicyFile extend protected ConcurrentPolicyFile(PolicyParser dpr, Comparator<Permission> comp) throws PolicyInitializationException { guard.checkGuard(null); parser = dpr; - myDomain = this.getClass().getProtectionDomain(); comparator = comp; /* * The bootstrap policy makes implies decisions until this constructor Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java?rev=1235063&r1=1235062&r2=1235063&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java Mon Jan 23 23:29:10 2012 @@ -356,8 +356,7 @@ class URIGrant extends CertificateGrant // compatbility with URL.getFile String thisFile = grant.getPath(); String thatFile = implied.getPath(); - if (thatFile == null) return false; - + if (thatFile == null || thisFile == null) return false; if (thisFile.endsWith("/-")) { //javadoc:3.6."/-" //$NON-NLS-1$ if (!thatFile.startsWith(thisFile.substring(0, thisFile .length() - 2))) { @@ -384,7 +383,7 @@ class URIGrant extends CertificateGrant } } } - + //javadoc:3.7 // A URL Anchor is a URI Fragment. if (grant.getFragment() != null) {
