8131486: SecureClassLoader key for ProtectionDomain cache also needs to take into account certificates

Reviewed-by: weijun
2015-07-20 09:03:03 -04:00 · 2015-07-20 09:03:03 -04:00 · 981dbca21a
commit 981dbca21a
parent d9cbd23d50
4 changed files with 254 additions and 31 deletions
--- a/jdk/src/java.base/share/classes/java/security/CodeSource.java
+++ b/jdk/src/java.base/share/classes/java/security/CodeSource.java
@ -339,7 +339,7 @@ public class CodeSource implements java.io.Serializable {
     * @param strict If true then a strict equality match is performed.
     *               Otherwise a subset match is performed.
     */
-    private boolean matchCerts(CodeSource that, boolean strict)
+    boolean matchCerts(CodeSource that, boolean strict)
    {
        boolean match;

--- a/jdk/src/java.base/share/classes/java/security/SecureClassLoader.java
+++ b/jdk/src/java.base/share/classes/java/security/SecureClassLoader.java
@ -25,9 +25,10 @@

 package java.security;

-import java.util.Map;
-import java.util.ArrayList;
 import java.net.URL;
+import java.util.ArrayList;
+import java.util.Map;
+import java.util.Objects;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Function;

@ -50,15 +51,15 @@ public class SecureClassLoader extends ClassLoader {
    private final boolean initialized;

    /*
-     * Map that maps the CodeSource URL (as a String) to ProtectionDomain.
-     * We use a String instead of a CodeSource/URL as the key to avoid
+     * Map that maps the CodeSource to a ProtectionDomain. The key is a
+     * CodeSourceKey class that uses a String instead of a URL to avoid
     * potential expensive name service lookups. This does mean that URLs that
     * are equivalent after nameservice lookup will be placed in separate
     * ProtectionDomains; however during policy enforcement these URLs will be
     * canonicalized and resolved resulting in a consistent set of granted
     * permissions.
     */
-    private final Map<String, ProtectionDomain> pdcache
+    private final Map<CodeSourceKey, ProtectionDomain> pdcache
            = new ConcurrentHashMap<>(11);

    private static final Debug debug = Debug.getInstance("scl");
@ -209,17 +210,14 @@ public class SecureClassLoader extends ClassLoader {
            return null;
        }

-        // Use a String form of the URL as the key. It should behave in the
-        // same manner as the URL when compared for equality except that no
-        // nameservice lookup is done on the hostname (String comparison
+        // Use a CodeSourceKey object key. It should behave in the
+        // same manner as the CodeSource when compared for equality except
+        // that no nameservice lookup is done on the hostname (String comparison
        // only), and the fragment is not considered.
-        String key = cs.getLocationNoFragString();
-        if (key == null) {
-            key = "<null>";
-        }
+        CodeSourceKey key = new CodeSourceKey(cs);
        return pdcache.computeIfAbsent(key, new Function<>() {
            @Override
-            public ProtectionDomain apply(String key /* not used */) {
+            public ProtectionDomain apply(CodeSourceKey key /* not used */) {
                PermissionCollection perms
                        = SecureClassLoader.this.getPermissions(cs);
                ProtectionDomain pd = new ProtectionDomain(
@ -242,4 +240,37 @@ public class SecureClassLoader extends ClassLoader {
        }
    }

+    private static class CodeSourceKey {
+        private final CodeSource cs;
+
+        CodeSourceKey(CodeSource cs) {
+            this.cs = cs;
+        }
+
+        @Override
+        public int hashCode() {
+            String locationNoFrag = cs.getLocationNoFragString();
+            return locationNoFrag != null ? locationNoFrag.hashCode() : 0;
+        }
+
+        @Override
+        public boolean equals(Object obj) {
+            if (obj == this) {
+                return true;
+            }
+
+            if (!(obj instanceof CodeSourceKey)) {
+                return false;
+            }
+
+            CodeSourceKey csk = (CodeSourceKey) obj;
+
+            if (!Objects.equals(cs.getLocationNoFragString(),
+                                csk.cs.getLocationNoFragString())) {
+                return false;
+            }
+
+            return cs.matchCerts(csk.cs, true);
+        }
+    }
 }
--- a/jdk/test/java/security/SecureClassLoader/DefineClass.java
+++ b/jdk/test/java/security/SecureClassLoader/DefineClass.java
@ -21,28 +21,44 @@
 * questions.
 */

+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.InputStream;
 import java.io.IOException;
+import java.io.OutputStream;
 import java.net.URL;
 import java.security.CodeSource;
+import java.security.Key;
+import java.security.KeyStoreException;
+import java.security.KeyStoreSpi;
+import java.security.NoSuchAlgorithmException;
 import java.security.Permission;
 import java.security.Policy;
 import java.security.ProtectionDomain;
+import java.security.Provider;
 import java.security.SecureClassLoader;
+import java.security.Security;
+import java.security.UnrecoverableKeyException;
+import java.security.URIParameter;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collections;
+import java.util.Date;
+import java.util.Enumeration;
 import java.util.List;
 import java.util.PropertyPermission;

 /*
 * @test
- * @bug 6826789
+ * @bug 6826789 8131486
 * @summary Make sure equivalent ProtectionDomains are granted the same
 *          permissions when the CodeSource URLs are different but resolve
 *          to the same ip address after name service resolution.
- * @run main/othervm/java.security.policy=DefineClass.policy DefineClass
+ * @run main/othervm DefineClass
 */

 public class DefineClass {
@ -53,42 +69,100 @@ public class DefineClass {
        new PropertyPermission("user.name", "read")
    };

-    // Base64 encoded bytes of a simple class: "public class Foo {}"
+    // Base64 encoded bytes of simple class: "package foo; public class Foo {}"
    private final static String FOO_CLASS =
-        "yv66vgAAADQADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" +
+        "yv66vgAAADMADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" +
        "D0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhGb28uamF2YQwABAAF" +
-        "AQADRm9vAQAQamF2YS9sYW5nL09iamVjdAAhAAIAAwAAAAAAAQABAAQABQAB" +
-        "AAYAAAAdAAEAAQAAAAUqtwABsQAAAAEABwAAAAYAAQAAAAEAAQAIAAAAAgAJ";
+        "AQAHZm9vL0ZvbwEAEGphdmEvbGFuZy9PYmplY3QAIQACAAMAAAAAAAEAAQAE" +
+        "AAUAAQAGAAAAHQABAAEAAAAFKrcAAbEAAAABAAcAAAAGAAEAAAABAAEACAAA" +
+        "AAIACQ==";

-    // Base64 encoded bytes of a simple class: "public class Bar {}"
+    // Base64 encoded bytes of simple class: "package bar; public class Bar {}"
    private final static String BAR_CLASS =
-        "yv66vgAAADQADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" +
+        "yv66vgAAADMADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" +
        "D0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhCYXIuamF2YQwABAAF" +
-        "AQADQmFyAQAQamF2YS9sYW5nL09iamVjdAAhAAIAAwAAAAAAAQABAAQABQAB" +
-        "AAYAAAAdAAEAAQAAAAUqtwABsQAAAAEABwAAAAYAAQAAAAEAAQAIAAAAAgAJ";
+        "AQAHYmFyL0JhcgEAEGphdmEvbGFuZy9PYmplY3QAIQACAAMAAAAAAAEAAQAE" +
+        "AAUAAQAGAAAAHQABAAEAAAAFKrcAAbEAAAABAAcAAAAGAAEAAAABAAEACAAA" +
+        "AAIACQ==";
+
+    // Base64 encoded bytes of simple class: "package baz; public class Baz {}"
+    private final static String BAZ_CLASS =
+        "yv66vgAAADQADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" +
+        "D0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhCYXouamF2YQwABAAF" +
+        "AQAHYmF6L0JhegEAEGphdmEvbGFuZy9PYmplY3QAIQACAAMAAAAAAAEAAQAE" +
+        "AAUAAQAGAAAAHQABAAEAAAAFKrcAAbEAAAABAAcAAAAGAAEAAAABAAEACAAA" +
+        "AAIACQ==";
+
+    private final static String BAZ_CERT =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIEFzCCA8OgAwIBAgIESpPf8TANBglghkgBZQMEAwIFADAOMQwwCgYDVQQDEwNG\n" +
+        "b28wHhcNMTUwNzE1MTY1ODM5WhcNMTUxMDEzMTY1ODM5WjAOMQwwCgYDVQQDEwNG\n" +
+        "b28wggNCMIICNQYHKoZIzjgEATCCAigCggEBAI95Ndm5qum/q+2Ies9JUbbzLsWe\n" +
+        "O683GOjqxJYfPv02BudDUanEGDM5uAnnwq4cU5unR1uF0BGtuLR5h3VJhGlcrA6P\n" +
+        "FLM2CCiiL/onEQo9YqmTRTQJoP5pbEZY+EvdIIGcNwmgEFexla3NACM9ulSEtikf\n" +
+        "nWSO+INEhneXnOwEtDSmrC516Zhd4j2wKS/BEYyf+p2BgeczjbeStzDXueNJWS9o\n" +
+        "CZhyFTkV6j1ri0ZTxjNFj4A7MqTC4PJykCVuTj+KOwg4ocRQ5OGMGimjfd9eoUPe\n" +
+        "S2b/BJA+1c8WI+FY1IfGCOl/IRzYHcojy244B2X4IuNCvkhMBXY5OWAc1mcCHQC6\n" +
+        "9pamhXj3397n+mfJd8eF7zKyM7rlgMC81WldAoIBABamXFggSFBwTnUCo5dXBA00\n" +
+        "2jo0eMFU1OSlwC0kLuBPluYeS9CQSr2sjzfuseCfMYLSPJBDy2QviABBYO35ygmz\n" +
+        "IHannDKmJ/JHPpGHm6LE50S9IIFUTLVbgCw2jR+oPtSJ6U4PoGiOMkKKXHjEeMaN\n" +
+        "BSe3HJo6uwsL4SxEaJY559POdNsQGmWqK4f2TGgm2z7HL0tVmYNLtO2wL3yQ6aSW\n" +
+        "06VdU1vr/EXU9hn2Pz3tu4c5JcLyJOB3MSltqIfsHkdI+H77X963VIQxayIy3uVT\n" +
+        "3a8CESsNHwLaMJcyJP4nrtqLnUspItm6i+Oe2eEDpjxSgQvGiLfi7UMW4e8X294D\n" +
+        "ggEFAAKCAQBsGeU8/STExzQsJ8kFM9xarA/2VAFMzyUpd3IQ2UGHQC5rEnGh/RiU\n" +
+        "T20y7a2hCpQ1f/qgLnY8hku9GRVY3z8WamBzWLzCAEAx67EsS58mf4o8R3sUbkH5\n" +
+        "/mRaZoNVSPUy+tXoLmTzIetU4W+JT8Rq4OcXXU9uo9TreeBehhVexS3vpVgQeUIn\n" +
+        "MmMma8WHpovIJQQlp4cyjalX7Beda/tqX/HPLkAS4TRqQAz7hFr3FqFrVMKFSGo4\n" +
+        "fTS06GGdQ4tw9c6NQLuQ9WF9BxYSwSk9yENQvKDZaBNarqPMnsh1Gi/QcKMRBVhM\n" +
+        "RT/9vb4QUi/pOowhhKCDBLgjY60QgX3HoyEwHzAdBgNVHQ4EFgQUa787CE+3ZNAb\n" +
+        "g1ql9yJVVrRCdx0wDQYJYIZIAWUDBAMCBQADPwAwPAIcCUkZIRrBlKdTzhKYBEOm\n" +
+        "E1i45MMum1RuHc28agIcfHQkkjBA4FfH5UMRgKpIyRR8V/dVboxDj4hKOA==\n" +
+        "-----END CERTIFICATE-----";

    public static void main(String[] args) throws Exception {

+        Security.addProvider(new TestProvider());
+
        MySecureClassLoader scl = new MySecureClassLoader();
-        Policy p = Policy.getPolicy();
+
+        File policyFile = new File(System.getProperty("test.src", "."),
+                                   "DefineClass.policy");
+        Policy p = Policy.getInstance("JavaPolicy",
+                                      new URIParameter(policyFile.toURI()));
+        Policy.setPolicy(p);
+
+        System.setSecurityManager(new SecurityManager());
        ArrayList<Permission> perms1 = getPermissions(scl, p,
                                                      "http://localhost/",
-                                                      "Foo", FOO_CLASS);
+                                                      "foo.Foo", FOO_CLASS,
+                                                      null);
        checkPerms(perms1, GRANTED_PERMS);
        ArrayList<Permission> perms2 = getPermissions(scl, p,
                                                      "http://127.0.0.1/",
-                                                      "Bar", BAR_CLASS);
+                                                      "bar.Bar", BAR_CLASS,
+                                                      null);
        checkPerms(perms2, GRANTED_PERMS);
        assert(perms1.equals(perms2));
+
+        // check that class signed by baz is granted an additional permission
+        Certificate[] chain = new Certificate[] {getCert(BAZ_CERT)};
+        ArrayList<Permission> perms3 = getPermissions(scl, p,
+                                                      "http://localhost/",
+                                                      "baz.Baz", BAZ_CLASS,
+                                                      chain);
+        List<Permission> perms = new ArrayList<>(Arrays.asList(GRANTED_PERMS));
+        perms.add(new PropertyPermission("user.dir", "read"));
+        checkPerms(perms3, perms.toArray(new Permission[0]));
    }

    // returns the permissions granted to the codebase URL
    private static ArrayList<Permission> getPermissions(MySecureClassLoader scl,
                                                        Policy p, String url,
                                                        String className,
-                                                        String classBytes)
+                                                        String classBytes,
+                                                        Certificate[] chain)
                                                        throws IOException {
-        CodeSource cs = new CodeSource(new URL(url), (Certificate[])null);
+        CodeSource cs = new CodeSource(new URL(url), chain);
        Base64.Decoder bd = Base64.getDecoder();
        byte[] bytes = bd.decode(classBytes);
        Class<?> c = scl.defineMyClass(className, bytes, cs);
@ -105,10 +179,125 @@ public class DefineClass {
        }
    }

+    private static Certificate getCert(String base64Cert) throws Exception {
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        InputStream is = new ByteArrayInputStream(base64Cert.getBytes("UTF-8"));
+        return cf.generateCertificate(is);
+    }
+
    // A SecureClassLoader that allows the test to define its own classes
    private static class MySecureClassLoader extends SecureClassLoader {
        Class<?> defineMyClass(String name, byte[] b, CodeSource cs) {
            return super.defineClass(name, b, 0, b.length, cs);
        }
    }
+
+    private static class TestProvider extends Provider {
+        TestProvider() {
+            super("Test8131486", 0.0, "For testing only");
+            putService(new Provider.Service(this, "KeyStore", "Test8131486",
+                       "DefineClass$TestKeyStore", null, null));
+        }
+    }
+
+    /**
+     * A KeyStore containing a single certificate entry named "baz".
+     */
+    public static class TestKeyStore extends KeyStoreSpi {
+        private final String baz = "baz";
+        private final List<String> aliases = Collections.singletonList(baz);
+        private final Certificate bazCert;
+
+        public TestKeyStore() {
+            try {
+                this.bazCert = getCert(BAZ_CERT);
+            } catch (Exception e) {
+                throw new Error();
+            }
+        }
+
+        @Override
+        public Enumeration<String> engineAliases() {
+            return Collections.enumeration(aliases);
+        }
+
+        @Override
+        public boolean engineContainsAlias(String alias) {
+            return alias.equals(baz);
+        }
+
+        @Override
+        public void engineDeleteEntry(String alias) throws KeyStoreException {
+            throw new KeyStoreException();
+        }
+
+        @Override
+        public Certificate engineGetCertificate(String alias) {
+            return alias.equals(baz) ? bazCert : null;
+        }
+
+        @Override
+        public String engineGetCertificateAlias(Certificate cert) {
+            return cert.equals(bazCert) ? baz : null;
+        }
+
+        @Override
+        public Certificate[] engineGetCertificateChain(String alias) {
+            return alias.equals(baz) ? new Certificate[] {bazCert} : null;
+        }
+
+        @Override
+        public Date engineGetCreationDate(String alias) {
+            return alias.equals(baz) ? new Date() : null;
+        }
+
+        @Override
+        public Key engineGetKey(String alias, char[] password)
+            throws NoSuchAlgorithmException, UnrecoverableKeyException {
+            return null;
+        }
+
+        @Override
+        public boolean engineIsCertificateEntry(String alias) {
+            return alias.equals(baz);
+        }
+
+        @Override
+        public boolean engineIsKeyEntry(String alias) {
+            return false;
+        }
+
+        @Override
+        public void engineLoad(InputStream stream, char[] password)
+            throws IOException, NoSuchAlgorithmException, CertificateException {
+        }
+
+        @Override
+        public void engineSetCertificateEntry(String alias, Certificate cert)
+            throws KeyStoreException {
+            throw new KeyStoreException();
+        }
+
+        @Override
+        public void engineSetKeyEntry(String alias, byte[] key,
+                                      Certificate[] chain)
+            throws KeyStoreException {
+            throw new KeyStoreException();
+        }
+
+        @Override
+        public void engineSetKeyEntry(String alias, Key key, char[] password,
+                                      Certificate[] chain)
+            throws KeyStoreException {
+            throw new KeyStoreException();
+        }
+
+        @Override
+        public int engineSize() { return 1; }
+
+        @Override
+        public void engineStore(OutputStream stream, char[] password)
+            throws IOException, NoSuchAlgorithmException, CertificateException {
+        }
+    }
 }
--- a/jdk/test/java/security/SecureClassLoader/DefineClass.policy
+++ b/jdk/test/java/security/SecureClassLoader/DefineClass.policy
@ -1,7 +1,7 @@
+keystore "NONE", "Test8131486", "Test8131486";
+
 grant {
-    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getProtectionDomain";
-    permission java.security.SecurityPermission "getPolicy";
 };
 grant codebase "http://localhost/" {
    permission java.util.PropertyPermission "user.home", "read";
@ -9,3 +9,6 @@ grant codebase "http://localhost/" {
 grant codebase "http://127.0.0.1/" {
    permission java.util.PropertyPermission "user.name", "read";
 };
+grant codebase "http://localhost/", signedby "baz" {
+    permission java.util.PropertyPermission "user.dir", "read";
+};