From 6829d88617ce11e38c46546efd14d49a0c38abd8 Mon Sep 17 00:00:00 2001
From: alanb
Date: Fri, 9 Oct 2009 09:59:54 +0100
Subject: [PATCH] 6889552: Sun provider should not require LDAP CertStore to be present

Reviewed-by: vinnie, mullan
---
 .../sun/security/provider/SunEntries.java | 2 +-
 .../provider/certpath/CertStoreHelper.java | 68 +++++++++++++++++
 .../provider/certpath/URICertStore.java | 38 ++++++++--
 .../certpath/{ => ldap}/LDAPCertStore.java | 3 +-
 .../certpath/ldap/LDAPCertStoreHelper.java | 73 +++++++++++++++++++
 5 files changed, 177 insertions(+), 7 deletions(-)
 create mode 100644 src/share/classes/sun/security/provider/certpath/CertStoreHelper.java
 rename src/share/classes/sun/security/provider/certpath/{ => ldap}/LDAPCertStore.java (99%)
 create mode 100644 src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreHelper.java

diff --git a/src/share/classes/sun/security/provider/SunEntries.java b/src/share/classes/sun/security/provider/SunEntries.java
index 829ded160..817afb832 100644
--- a/src/share/classes/sun/security/provider/SunEntries.java
+++ b/src/share/classes/sun/security/provider/SunEntries.java
@@ -210,7 +210,7 @@ final class SunEntries {
 * CertStores
 */
 map.put("CertStore.LDAP",
- "sun.security.provider.certpath.LDAPCertStore");
+ "sun.security.provider.certpath.ldap.LDAPCertStore");
 map.put("CertStore.LDAP LDAPSchema", "RFC2587");
 map.put("CertStore.Collection",
 "sun.security.provider.certpath.CollectionCertStore");
diff --git a/src/share/classes/sun/security/provider/certpath/CertStoreHelper.java b/src/share/classes/sun/security/provider/certpath/CertStoreHelper.java
new file mode 100644
index 000000000..a8f234226
--- /dev/null
+++ b/src/share/classes/sun/security/provider/certpath/CertStoreHelper.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package sun.security.provider.certpath;
+
+import java.net.URI;
+import java.util.Collection;
+import java.security.NoSuchAlgorithmException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.cert.CertStore;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509CRLSelector;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+
+/**
+ * Helper used by URICertStore when delegating to another CertStore to
+ * fetch certs and CRLs.
+ */
+
+public interface CertStoreHelper {
+
+ /**
+ * Returns a CertStore using the given URI as parameters.
+ */
+ CertStore getCertStore(URI uri)
+ throws NoSuchAlgorithmException, InvalidAlgorithmParameterException;
+
+ /**
+ * Wraps an existing X509CertSelector when needing to avoid DN matching
+ * issues.
+ */
+ X509CertSelector wrap(X509CertSelector selector,
+ X500Principal certSubject,
+ String dn)
+ throws IOException;
+
+ /**
+ * Wraps an existing X509CRLSelector when needing to avoid DN matching
+ * issues.
+ */
+ X509CRLSelector wrap(X509CRLSelector selector,
+ Collection certIssuers,
+ String dn)
+ throws IOException;
+}
diff --git a/src/share/classes/sun/security/provider/certpath/URICertStore.java b/src/share/classes/sun/security/provider/certpath/URICertStore.java
index 3c0220bbc..b042dd78a 100644
--- a/src/share/classes/sun/security/provider/certpath/URICertStore.java
+++ b/src/share/classes/sun/security/provider/certpath/URICertStore.java
@@ -30,6 +30,8 @@ import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URI;
 import java.net.URLConnection;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
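Review bot: The CRL variant of `wrap` in the new CertStoreHelper interface declares `Collection certIssuers` as a raw type, so any object can be handed to it; since `X509CRLSelector.setIssuers` takes `Collection<X500Principal>`, the parameter should be `Collection<X500Principal> certIssuers` (this assumes `LDAPCertStore.LDAPCRLSelector`, which is not in this hunk, accepts that type). The Javadoc on all three methods also omits `@param`, `@return` and `@throws`, which matters for an interface that other CertStore back ends may implement. At minimum state that `dn` is the path component of the LDAP URI as URICertStore passes it (it appears to strip the leading '/' before calling `wrap`), and that `getCertStore` is expected to throw `NoSuchAlgorithmException` or `InvalidAlgorithmParameterException` rather than return null, since URICertStore uses the returned store unchecked.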
@@ -120,6 +122,32 @@ class URICertStore extends CertStoreSpi {
 private CertStore ldapCertStore;
 private String ldapPath;
 
+ /**
+ * Holder class to lazily load LDAPCertStoreHelper if present.
+ */
+ private static class LDAP {
+ private static final String CERT_STORE_HELPER =
+ "sun.security.provider.certpath.ldap.LDAPCertStoreHelper";
+ private static final CertStoreHelper helper =
+ AccessController.doPrivileged(
+ new PrivilegedAction() {
+ public CertStoreHelper run() {
+ try {
+ Class c = Class.forName(CERT_STORE_HELPER, true, null);
+ return (CertStoreHelper)c.newInstance();
+ } catch (ClassNotFoundException cnf) {
+ return null;
+ } catch (InstantiationException e) {
+ throw new AssertionError(e);
+ } catch (IllegalAccessException e) {
+ throw new AssertionError(e);
+ }
+ }});
+ static CertStoreHelper helper() {
+ return helper;
+ }
+ }
+
 /**
 * Creates a URICertStore.
 *
@@ -135,9 +163,10 @@ class URICertStore extends CertStoreSpi {
 this.uri = ((URICertStoreParameters) params).uri;
 // if ldap URI, use an LDAPCertStore to fetch certs and CRLs
 if (uri.getScheme().toLowerCase().equals("ldap")) {
+ if (LDAP.helper() == null)
+ throw new NoSuchAlgorithmException("LDAP not present");
 ldap = true;
- ldapCertStore =
- LDAPCertStore.getInstance(LDAPCertStore.getParameters(uri));
+ ldapCertStore = LDAP.helper().getCertStore(uri);
 ldapPath = uri.getPath();
 // strip off leading '/'
 if (ldapPath.charAt(0) == '/') {
@@ -219,8 +248,7 @@ class URICertStore extends CertStoreSpi {
 if (ldap) {
 X509CertSelector xsel = (X509CertSelector) selector;
 try {
- xsel = new LDAPCertStore.LDAPCertSelector
- (xsel, xsel.getSubject(), ldapPath);
+ xsel = LDAP.helper().wrap(xsel, xsel.getSubject(), ldapPath);
 } catch (IOException ioe) {
 throw new CertStoreException(ioe);
 }
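Review bot: In the LDAP holder class, `new PrivilegedAction()` and `Class c` are raw types in a file that already uses generics elsewhere in this change (`@Override` and typed collections in the sibling files), so write `new PrivilegedAction<CertStoreHelper>() {` and `Class<?> c = Class.forName(CERT_STORE_HELPER, true, null);` to drop the unchecked warning. The `null` class loader argument is the security-relevant choice here and deserves a why-comment, e.g. `// null loader: resolve the helper from the boot class path only, never from the application class path`, because without it a reader may "fix" it to the context loader. Note also that the `AssertionError` thrown from the static initializer will surface as an `ExceptionInInitializerError` on the first LDAP URI and as `NoClassDefFoundError` on later ones; that is acceptable for a JDK-internal invariant but worth a one-line comment so the failure mode is recognizable.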
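Review bot: The new guard `if (LDAP.helper() == null)` in the constructor hunk is an unbraced single-statement `if` in a method whose other conditionals are braced (`if (ldapPath.charAt(0) == '/') {`); brace it as `if (LDAP.helper() == null) {` / `throw new NoSuchAlgorithmException("LDAP not present");` / `}`. The message could also name the scheme that was requested, e.g. `"LDAP CertStore not present"`, so a certificate-path failure log is self-explanatory. The constructor starts and ends outside this hunk.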
@@ -340,7 +368,7 @@ class URICertStore extends CertStoreSpi {
 if (ldap) {
 X509CRLSelector xsel = (X509CRLSelector) selector;
 try {
- xsel = new LDAPCertStore.LDAPCRLSelector(xsel, null, ldapPath);
+ xsel = LDAP.helper().wrap(xsel, null, ldapPath);
 } catch (IOException ioe) {
 throw new CertStoreException(ioe);
 }
diff --git a/src/share/classes/sun/security/provider/certpath/LDAPCertStore.java b/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java
similarity index 99%
rename from src/share/classes/sun/security/provider/certpath/LDAPCertStore.java
rename to src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java
index f7b567bef..3517245e5 100644
--- a/src/share/classes/sun/security/provider/certpath/LDAPCertStore.java
+++ b/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java
@@ -23,7 +23,7 @@
 * have any questions.
 */
 
-package sun.security.provider.certpath;
+package sun.security.provider.certpath.ldap;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -46,6 +46,7 @@ import java.security.cert.*;
 import javax.security.auth.x500.X500Principal;
 
 import sun.misc.HexDumpEncoder;
+import sun.security.provider.certpath.X509CertificatePair;
 import sun.security.util.Cache;
 import sun.security.util.Debug;
 import sun.security.x509.X500Name;
diff --git a/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreHelper.java b/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreHelper.java
new file mode 100644
index 000000000..3667022d0
--- /dev/null
+++ b/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreHelper.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package sun.security.provider.certpath.ldap;
+
+import java.net.URI;
+import java.util.Collection;
+import java.security.NoSuchAlgorithmException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.cert.CertStore;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509CRLSelector;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+
+import sun.security.provider.certpath.CertStoreHelper;
+
+/**
+ * LDAP implementation of CertStoreHelper.
+ */
+
+public class LDAPCertStoreHelper
+ implements CertStoreHelper
+{
+ public LDAPCertStoreHelper() { }
+
+ @Override
+ public CertStore getCertStore(URI uri)
+ throws NoSuchAlgorithmException, InvalidAlgorithmParameterException
+ {
+ return LDAPCertStore.getInstance(LDAPCertStore.getParameters(uri));
+ }
+
+ @Override
+ public X509CertSelector wrap(X509CertSelector selector,
+ X500Principal certSubject,
+ String ldapDN)
+ throws IOException
+ {
+ return new LDAPCertStore.LDAPCertSelector(selector, certSubject, ldapDN);
+ }
+
+ @Override
+ public X509CRLSelector wrap(X509CRLSelector selector,
+ Collection certIssuers,
+ String ldapDN)
+ throws IOException
+ {
+ return new LDAPCertStore.LDAPCRLSelector(selector, certIssuers, ldapDN);
+ }
+}
-- 
GitLab
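Review bot: `LDAPCertStoreHelper` is instantiated reflectively by URICertStore's holder (`Class.forName(...)` followed by `newInstance()`), so the public class and its explicit public no-arg constructor are load-bearing, yet nothing in the file says so and a later cleanup could make either package-private and silently turn every ldap: URI into "LDAP not present". Add above the constructor `// Instantiated reflectively by URICertStore (Class.forName + newInstance); must stay public with a public no-arg constructor.` The class Javadoc is a single line; it should also state that `getCertStore` derives its parameters from the URI via `LDAPCertStore.getParameters(uri)` and that the two `wrap` methods return LDAP-specific selectors that substitute `ldapDN` for DN matching. As in the interface, `Collection certIssuers` on the CRL `wrap` is a raw type and should be `Collection<X500Principal>` if `LDAPCRLSelector` (not shown here) accepts it.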