diff --git a/jdk/src/java.base/share/classes/java/security/CodeSource.java b/jdk/src/java.base/share/classes/java/security/CodeSource.java index c08050a9f03..6c922aad441 100644 --- a/jdk/src/java.base/share/classes/java/security/CodeSource.java +++ b/jdk/src/java.base/share/classes/java/security/CodeSource.java @@ -339,7 +339,7 @@ public class CodeSource implements java.io.Serializable { * @param strict If true then a strict equality match is performed. * Otherwise a subset match is performed. */ - private boolean matchCerts(CodeSource that, boolean strict) + boolean matchCerts(CodeSource that, boolean strict) { boolean match; diff --git a/jdk/src/java.base/share/classes/java/security/SecureClassLoader.java b/jdk/src/java.base/share/classes/java/security/SecureClassLoader.java index 56d98363dd9..eee1e0bb7fe 100644 --- a/jdk/src/java.base/share/classes/java/security/SecureClassLoader.java +++ b/jdk/src/java.base/share/classes/java/security/SecureClassLoader.java @@ -25,9 +25,10 @@ package java.security; -import java.util.Map; -import java.util.ArrayList; import java.net.URL; +import java.util.ArrayList; +import java.util.Map; +import java.util.Objects; import java.util.concurrent.ConcurrentHashMap; import java.util.function.Function; @@ -50,15 +51,15 @@ public class SecureClassLoader extends ClassLoader { private final boolean initialized; /* - * Map that maps the CodeSource URL (as a String) to ProtectionDomain. - * We use a String instead of a CodeSource/URL as the key to avoid + * Map that maps the CodeSource to a ProtectionDomain. The key is a + * CodeSourceKey class that uses a String instead of a URL to avoid * potential expensive name service lookups. This does mean that URLs that * are equivalent after nameservice lookup will be placed in separate * ProtectionDomains; however during policy enforcement these URLs will be * canonicalized and resolved resulting in a consistent set of granted * permissions. */ - private final Map pdcache + private final Map pdcache = new ConcurrentHashMap<>(11); private static final Debug debug = Debug.getInstance("scl"); @@ -209,17 +210,14 @@ public class SecureClassLoader extends ClassLoader { return null; } - // Use a String form of the URL as the key. It should behave in the - // same manner as the URL when compared for equality except that no - // nameservice lookup is done on the hostname (String comparison + // Use a CodeSourceKey object key. It should behave in the + // same manner as the CodeSource when compared for equality except + // that no nameservice lookup is done on the hostname (String comparison // only), and the fragment is not considered. - String key = cs.getLocationNoFragString(); - if (key == null) { - key = ""; - } + CodeSourceKey key = new CodeSourceKey(cs); return pdcache.computeIfAbsent(key, new Function<>() { @Override - public ProtectionDomain apply(String key /* not used */) { + public ProtectionDomain apply(CodeSourceKey key /* not used */) { PermissionCollection perms = SecureClassLoader.this.getPermissions(cs); ProtectionDomain pd = new ProtectionDomain( @@ -242,4 +240,37 @@ public class SecureClassLoader extends ClassLoader { } } + private static class CodeSourceKey { + private final CodeSource cs; + + CodeSourceKey(CodeSource cs) { + this.cs = cs; + } + + @Override + public int hashCode() { + String locationNoFrag = cs.getLocationNoFragString(); + return locationNoFrag != null ? locationNoFrag.hashCode() : 0; + } + + @Override + public boolean equals(Object obj) { + if (obj == this) { + return true; + } + + if (!(obj instanceof CodeSourceKey)) { + return false; + } + + CodeSourceKey csk = (CodeSourceKey) obj; + + if (!Objects.equals(cs.getLocationNoFragString(), + csk.cs.getLocationNoFragString())) { + return false; + } + + return cs.matchCerts(csk.cs, true); + } + } } diff --git a/jdk/test/java/security/SecureClassLoader/DefineClass.java b/jdk/test/java/security/SecureClassLoader/DefineClass.java index c54ef2215cd..33efdb0e648 100644 --- a/jdk/test/java/security/SecureClassLoader/DefineClass.java +++ b/jdk/test/java/security/SecureClassLoader/DefineClass.java @@ -21,28 +21,44 @@ * questions. */ +import java.io.ByteArrayInputStream; +import java.io.File; +import java.io.InputStream; import java.io.IOException; +import java.io.OutputStream; import java.net.URL; import java.security.CodeSource; +import java.security.Key; +import java.security.KeyStoreException; +import java.security.KeyStoreSpi; +import java.security.NoSuchAlgorithmException; import java.security.Permission; import java.security.Policy; import java.security.ProtectionDomain; +import java.security.Provider; import java.security.SecureClassLoader; +import java.security.Security; +import java.security.UnrecoverableKeyException; +import java.security.URIParameter; import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; import java.util.ArrayList; import java.util.Arrays; import java.util.Base64; import java.util.Collections; +import java.util.Date; +import java.util.Enumeration; import java.util.List; import java.util.PropertyPermission; /* * @test - * @bug 6826789 + * @bug 6826789 8131486 * @summary Make sure equivalent ProtectionDomains are granted the same * permissions when the CodeSource URLs are different but resolve * to the same ip address after name service resolution. - * @run main/othervm/java.security.policy=DefineClass.policy DefineClass + * @run main/othervm DefineClass */ public class DefineClass { @@ -53,42 +69,100 @@ public class DefineClass { new PropertyPermission("user.name", "read") }; - // Base64 encoded bytes of a simple class: "public class Foo {}" + // Base64 encoded bytes of simple class: "package foo; public class Foo {}" private final static String FOO_CLASS = - "yv66vgAAADQADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" + + "yv66vgAAADMADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" + "D0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhGb28uamF2YQwABAAF" + - "AQADRm9vAQAQamF2YS9sYW5nL09iamVjdAAhAAIAAwAAAAAAAQABAAQABQAB" + - "AAYAAAAdAAEAAQAAAAUqtwABsQAAAAEABwAAAAYAAQAAAAEAAQAIAAAAAgAJ"; + "AQAHZm9vL0ZvbwEAEGphdmEvbGFuZy9PYmplY3QAIQACAAMAAAAAAAEAAQAE" + + "AAUAAQAGAAAAHQABAAEAAAAFKrcAAbEAAAABAAcAAAAGAAEAAAABAAEACAAA" + + "AAIACQ=="; - // Base64 encoded bytes of a simple class: "public class Bar {}" + // Base64 encoded bytes of simple class: "package bar; public class Bar {}" private final static String BAR_CLASS = - "yv66vgAAADQADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" + + "yv66vgAAADMADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" + "D0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhCYXIuamF2YQwABAAF" + - "AQADQmFyAQAQamF2YS9sYW5nL09iamVjdAAhAAIAAwAAAAAAAQABAAQABQAB" + - "AAYAAAAdAAEAAQAAAAUqtwABsQAAAAEABwAAAAYAAQAAAAEAAQAIAAAAAgAJ"; + "AQAHYmFyL0JhcgEAEGphdmEvbGFuZy9PYmplY3QAIQACAAMAAAAAAAEAAQAE" + + "AAUAAQAGAAAAHQABAAEAAAAFKrcAAbEAAAABAAcAAAAGAAEAAAABAAEACAAA" + + "AAIACQ=="; + + // Base64 encoded bytes of simple class: "package baz; public class Baz {}" + private final static String BAZ_CLASS = + "yv66vgAAADQADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEA" + + "D0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhCYXouamF2YQwABAAF" + + "AQAHYmF6L0JhegEAEGphdmEvbGFuZy9PYmplY3QAIQACAAMAAAAAAAEAAQAE" + + "AAUAAQAGAAAAHQABAAEAAAAFKrcAAbEAAAABAAcAAAAGAAEAAAABAAEACAAA" + + "AAIACQ=="; + + private final static String BAZ_CERT = + "-----BEGIN CERTIFICATE-----\n" + + "MIIEFzCCA8OgAwIBAgIESpPf8TANBglghkgBZQMEAwIFADAOMQwwCgYDVQQDEwNG\n" + + "b28wHhcNMTUwNzE1MTY1ODM5WhcNMTUxMDEzMTY1ODM5WjAOMQwwCgYDVQQDEwNG\n" + + "b28wggNCMIICNQYHKoZIzjgEATCCAigCggEBAI95Ndm5qum/q+2Ies9JUbbzLsWe\n" + + "O683GOjqxJYfPv02BudDUanEGDM5uAnnwq4cU5unR1uF0BGtuLR5h3VJhGlcrA6P\n" + + "FLM2CCiiL/onEQo9YqmTRTQJoP5pbEZY+EvdIIGcNwmgEFexla3NACM9ulSEtikf\n" + + "nWSO+INEhneXnOwEtDSmrC516Zhd4j2wKS/BEYyf+p2BgeczjbeStzDXueNJWS9o\n" + + "CZhyFTkV6j1ri0ZTxjNFj4A7MqTC4PJykCVuTj+KOwg4ocRQ5OGMGimjfd9eoUPe\n" + + "S2b/BJA+1c8WI+FY1IfGCOl/IRzYHcojy244B2X4IuNCvkhMBXY5OWAc1mcCHQC6\n" + + "9pamhXj3397n+mfJd8eF7zKyM7rlgMC81WldAoIBABamXFggSFBwTnUCo5dXBA00\n" + + "2jo0eMFU1OSlwC0kLuBPluYeS9CQSr2sjzfuseCfMYLSPJBDy2QviABBYO35ygmz\n" + + "IHannDKmJ/JHPpGHm6LE50S9IIFUTLVbgCw2jR+oPtSJ6U4PoGiOMkKKXHjEeMaN\n" + + "BSe3HJo6uwsL4SxEaJY559POdNsQGmWqK4f2TGgm2z7HL0tVmYNLtO2wL3yQ6aSW\n" + + "06VdU1vr/EXU9hn2Pz3tu4c5JcLyJOB3MSltqIfsHkdI+H77X963VIQxayIy3uVT\n" + + "3a8CESsNHwLaMJcyJP4nrtqLnUspItm6i+Oe2eEDpjxSgQvGiLfi7UMW4e8X294D\n" + + "ggEFAAKCAQBsGeU8/STExzQsJ8kFM9xarA/2VAFMzyUpd3IQ2UGHQC5rEnGh/RiU\n" + + "T20y7a2hCpQ1f/qgLnY8hku9GRVY3z8WamBzWLzCAEAx67EsS58mf4o8R3sUbkH5\n" + + "/mRaZoNVSPUy+tXoLmTzIetU4W+JT8Rq4OcXXU9uo9TreeBehhVexS3vpVgQeUIn\n" + + "MmMma8WHpovIJQQlp4cyjalX7Beda/tqX/HPLkAS4TRqQAz7hFr3FqFrVMKFSGo4\n" + + "fTS06GGdQ4tw9c6NQLuQ9WF9BxYSwSk9yENQvKDZaBNarqPMnsh1Gi/QcKMRBVhM\n" + + "RT/9vb4QUi/pOowhhKCDBLgjY60QgX3HoyEwHzAdBgNVHQ4EFgQUa787CE+3ZNAb\n" + + "g1ql9yJVVrRCdx0wDQYJYIZIAWUDBAMCBQADPwAwPAIcCUkZIRrBlKdTzhKYBEOm\n" + + "E1i45MMum1RuHc28agIcfHQkkjBA4FfH5UMRgKpIyRR8V/dVboxDj4hKOA==\n" + + "-----END CERTIFICATE-----"; public static void main(String[] args) throws Exception { + Security.addProvider(new TestProvider()); + MySecureClassLoader scl = new MySecureClassLoader(); - Policy p = Policy.getPolicy(); + + File policyFile = new File(System.getProperty("test.src", "."), + "DefineClass.policy"); + Policy p = Policy.getInstance("JavaPolicy", + new URIParameter(policyFile.toURI())); + Policy.setPolicy(p); + + System.setSecurityManager(new SecurityManager()); ArrayList perms1 = getPermissions(scl, p, "http://localhost/", - "Foo", FOO_CLASS); + "foo.Foo", FOO_CLASS, + null); checkPerms(perms1, GRANTED_PERMS); ArrayList perms2 = getPermissions(scl, p, "http://127.0.0.1/", - "Bar", BAR_CLASS); + "bar.Bar", BAR_CLASS, + null); checkPerms(perms2, GRANTED_PERMS); assert(perms1.equals(perms2)); + + // check that class signed by baz is granted an additional permission + Certificate[] chain = new Certificate[] {getCert(BAZ_CERT)}; + ArrayList perms3 = getPermissions(scl, p, + "http://localhost/", + "baz.Baz", BAZ_CLASS, + chain); + List perms = new ArrayList<>(Arrays.asList(GRANTED_PERMS)); + perms.add(new PropertyPermission("user.dir", "read")); + checkPerms(perms3, perms.toArray(new Permission[0])); } // returns the permissions granted to the codebase URL private static ArrayList getPermissions(MySecureClassLoader scl, Policy p, String url, String className, - String classBytes) + String classBytes, + Certificate[] chain) throws IOException { - CodeSource cs = new CodeSource(new URL(url), (Certificate[])null); + CodeSource cs = new CodeSource(new URL(url), chain); Base64.Decoder bd = Base64.getDecoder(); byte[] bytes = bd.decode(classBytes); Class c = scl.defineMyClass(className, bytes, cs); @@ -105,10 +179,125 @@ public class DefineClass { } } + private static Certificate getCert(String base64Cert) throws Exception { + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + InputStream is = new ByteArrayInputStream(base64Cert.getBytes("UTF-8")); + return cf.generateCertificate(is); + } + // A SecureClassLoader that allows the test to define its own classes private static class MySecureClassLoader extends SecureClassLoader { Class defineMyClass(String name, byte[] b, CodeSource cs) { return super.defineClass(name, b, 0, b.length, cs); } } + + private static class TestProvider extends Provider { + TestProvider() { + super("Test8131486", 0.0, "For testing only"); + putService(new Provider.Service(this, "KeyStore", "Test8131486", + "DefineClass$TestKeyStore", null, null)); + } + } + + /** + * A KeyStore containing a single certificate entry named "baz". + */ + public static class TestKeyStore extends KeyStoreSpi { + private final String baz = "baz"; + private final List aliases = Collections.singletonList(baz); + private final Certificate bazCert; + + public TestKeyStore() { + try { + this.bazCert = getCert(BAZ_CERT); + } catch (Exception e) { + throw new Error(); + } + } + + @Override + public Enumeration engineAliases() { + return Collections.enumeration(aliases); + } + + @Override + public boolean engineContainsAlias(String alias) { + return alias.equals(baz); + } + + @Override + public void engineDeleteEntry(String alias) throws KeyStoreException { + throw new KeyStoreException(); + } + + @Override + public Certificate engineGetCertificate(String alias) { + return alias.equals(baz) ? bazCert : null; + } + + @Override + public String engineGetCertificateAlias(Certificate cert) { + return cert.equals(bazCert) ? baz : null; + } + + @Override + public Certificate[] engineGetCertificateChain(String alias) { + return alias.equals(baz) ? new Certificate[] {bazCert} : null; + } + + @Override + public Date engineGetCreationDate(String alias) { + return alias.equals(baz) ? new Date() : null; + } + + @Override + public Key engineGetKey(String alias, char[] password) + throws NoSuchAlgorithmException, UnrecoverableKeyException { + return null; + } + + @Override + public boolean engineIsCertificateEntry(String alias) { + return alias.equals(baz); + } + + @Override + public boolean engineIsKeyEntry(String alias) { + return false; + } + + @Override + public void engineLoad(InputStream stream, char[] password) + throws IOException, NoSuchAlgorithmException, CertificateException { + } + + @Override + public void engineSetCertificateEntry(String alias, Certificate cert) + throws KeyStoreException { + throw new KeyStoreException(); + } + + @Override + public void engineSetKeyEntry(String alias, byte[] key, + Certificate[] chain) + throws KeyStoreException { + throw new KeyStoreException(); + } + + @Override + public void engineSetKeyEntry(String alias, Key key, char[] password, + Certificate[] chain) + throws KeyStoreException { + throw new KeyStoreException(); + } + + @Override + public int engineSize() { return 1; } + + @Override + public void engineStore(OutputStream stream, char[] password) + throws IOException, NoSuchAlgorithmException, CertificateException { + } + } } diff --git a/jdk/test/java/security/SecureClassLoader/DefineClass.policy b/jdk/test/java/security/SecureClassLoader/DefineClass.policy index ea7eae7c003..dd9dbaa1efd 100644 --- a/jdk/test/java/security/SecureClassLoader/DefineClass.policy +++ b/jdk/test/java/security/SecureClassLoader/DefineClass.policy @@ -1,7 +1,7 @@ +keystore "NONE", "Test8131486", "Test8131486"; + grant { - permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getProtectionDomain"; - permission java.security.SecurityPermission "getPolicy"; }; grant codebase "http://localhost/" { permission java.util.PropertyPermission "user.home", "read"; @@ -9,3 +9,6 @@ grant codebase "http://localhost/" { grant codebase "http://127.0.0.1/" { permission java.util.PropertyPermission "user.name", "read"; }; +grant codebase "http://localhost/", signedby "baz" { + permission java.util.PropertyPermission "user.dir", "read"; +};