bundles/org.eclipse.osgi/osgi/src/org/osgi/service/condpermadmin/BundleSignerCondition.java - equinox/rt.equinox.framework - Git at Google

 /*
  * Copyright (c) OSGi Alliance (2005, 2013). All Rights Reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.osgi.service.condpermadmin;

 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import org.osgi.framework.Bundle;
 import org.osgi.framework.FrameworkUtil;

 /**
  * Condition to test if the signer of a bundle matches or does not match a
  * pattern. Since the bundle's signer can only change when the bundle is
  * updated, this condition is immutable.
  * <p>
  * The condition expressed using a single String that specifies a Distinguished
  * Name (DN) chain to match bundle signers against. DN's are encoded using IETF
  * RFC 2253. Usually signers use certificates that are issued by certificate
  * authorities, which also have a corresponding DN and certificate. The
  * certificate authorities can form a chain of trust where the last DN and
  * certificate is known by the framework. The signer of a bundle is expressed as
  * signers DN followed by the DN of its issuer followed by the DN of the next
  * issuer until the DN of the root certificate authority. Each DN is separated
  * by a semicolon.
  * <p>
  * A bundle can satisfy this condition if one of its signers has a DN chain that
  * matches the DN chain used to construct this condition. Wildcards (`*') can be
  * used to allow greater flexibility in specifying the DN chains. Wildcards can
  * be used in place of DNs, RDNs, or the value in an RDN. If a wildcard is used
  * for a value of an RDN, the value must be exactly "*" and will match any value
  * for the corresponding type in that RDN. If a wildcard is used for a RDN, it
  * must be the first RDN and will match any number of RDNs (including zero
  * RDNs).
  *
  * @ThreadSafe
  * @author $Id$
  */
 public class BundleSignerCondition {
 	private static final String	CONDITION_TYPE	= "org.osgi.service.condpermadmin.BundleSignerCondition";

 	/**
 	 * Constructs a Condition that tries to match the passed Bundle's location
 	 * to the location pattern.
 	 *
 	 * @param bundle The Bundle being evaluated.
 	 * @param info The ConditionInfo from which to construct the condition. The
 	 *        ConditionInfo must specify one or two arguments. The first
 	 *        argument of the ConditionInfo specifies the chain of distinguished
 	 *        names pattern to match against the signer of the bundle. The
 	 *        Condition is satisfied if the signer of the bundle matches the
 	 *        pattern. The second argument of the ConditionInfo is optional. If
 	 *        a second argument is present and equal to "!", then the
 	 *        satisfaction of the Condition is negated. That is, the Condition
 	 *        is satisfied if the signer of the bundle does NOT match the
 	 *        pattern. If the second argument is present but does not equal "!",
 	 *        then the second argument is ignored.
 	 * @return A Condition which checks the signers of the specified bundle.
 	 */
 	public static Condition getCondition(final Bundle bundle, final ConditionInfo info) {
 		if (!CONDITION_TYPE.equals(info.getType()))
 			throw new IllegalArgumentException("ConditionInfo must be of type \"" + CONDITION_TYPE + "\"");
 		String[] args = info.getArgs();
 		if (args.length != 1 && args.length != 2)
 			throw new IllegalArgumentException("Illegal number of args: " + args.length);

 		Map<X509Certificate, List<X509Certificate>> signers = bundle.getSignerCertificates(Bundle.SIGNERS_TRUSTED);
 		boolean match = false;
 		for (List<X509Certificate> signerCerts : signers.values()) {
 			List<String> dnChain = new ArrayList<String>(signerCerts.size());
 			for (X509Certificate signer : signerCerts) {
 				dnChain.add(signer.getSubjectDN().getName());
 			}
 			if (FrameworkUtil.matchDistinguishedNameChain(args[0], dnChain)) {
 				match = true;
 				break;
 			}
 		}

 		boolean negate = (args.length == 2) ? "!".equals(args[1]) : false;
 		return negate ^ match ? Condition.TRUE : Condition.FALSE;
 	}

 	private BundleSignerCondition() {
 		// private constructor to prevent objects of this type
 	}
 }
	/*
	* Copyright (c) OSGi Alliance (2005, 2013). All Rights Reserved.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.osgi.service.condpermadmin;

	import java.security.cert.X509Certificate;
	import java.util.ArrayList;
	import java.util.List;
	import java.util.Map;
	import org.osgi.framework.Bundle;
	import org.osgi.framework.FrameworkUtil;

	/**
	* Condition to test if the signer of a bundle matches or does not match a
	* pattern. Since the bundle's signer can only change when the bundle is
	* updated, this condition is immutable.
	* <p>
	* The condition expressed using a single String that specifies a Distinguished
	* Name (DN) chain to match bundle signers against. DN's are encoded using IETF
	* RFC 2253. Usually signers use certificates that are issued by certificate
	* authorities, which also have a corresponding DN and certificate. The
	* certificate authorities can form a chain of trust where the last DN and
	* certificate is known by the framework. The signer of a bundle is expressed as
	* signers DN followed by the DN of its issuer followed by the DN of the next
	* issuer until the DN of the root certificate authority. Each DN is separated
	* by a semicolon.
	* <p>
	* A bundle can satisfy this condition if one of its signers has a DN chain that
	* matches the DN chain used to construct this condition. Wildcards (`*') can be
	* used to allow greater flexibility in specifying the DN chains. Wildcards can
	* be used in place of DNs, RDNs, or the value in an RDN. If a wildcard is used
	* for a value of an RDN, the value must be exactly "*" and will match any value
	* for the corresponding type in that RDN. If a wildcard is used for a RDN, it
	* must be the first RDN and will match any number of RDNs (including zero
	* RDNs).
	*
	* @ThreadSafe
	* @author $Id$
	*/
	public class BundleSignerCondition {
	private static final String CONDITION_TYPE = "org.osgi.service.condpermadmin.BundleSignerCondition";

	/**
	* Constructs a Condition that tries to match the passed Bundle's location
	* to the location pattern.
	*
	* @param bundle The Bundle being evaluated.
	* @param info The ConditionInfo from which to construct the condition. The
	* ConditionInfo must specify one or two arguments. The first
	* argument of the ConditionInfo specifies the chain of distinguished
	* names pattern to match against the signer of the bundle. The
	* Condition is satisfied if the signer of the bundle matches the
	* pattern. The second argument of the ConditionInfo is optional. If
	* a second argument is present and equal to "!", then the
	* satisfaction of the Condition is negated. That is, the Condition
	* is satisfied if the signer of the bundle does NOT match the
	* pattern. If the second argument is present but does not equal "!",
	* then the second argument is ignored.
	* @return A Condition which checks the signers of the specified bundle.
	*/
	public static Condition getCondition(final Bundle bundle, final ConditionInfo info) {
	if (!CONDITION_TYPE.equals(info.getType()))
	throw new IllegalArgumentException("ConditionInfo must be of type \"" + CONDITION_TYPE + "\"");
	String[] args = info.getArgs();
	if (args.length != 1 && args.length != 2)
	throw new IllegalArgumentException("Illegal number of args: " + args.length);

	Map<X509Certificate, List<X509Certificate>> signers = bundle.getSignerCertificates(Bundle.SIGNERS_TRUSTED);
	boolean match = false;
	for (List<X509Certificate> signerCerts : signers.values()) {
	List<String> dnChain = new ArrayList<String>(signerCerts.size());
	for (X509Certificate signer : signerCerts) {
	dnChain.add(signer.getSubjectDN().getName());
	}
	if (FrameworkUtil.matchDistinguishedNameChain(args[0], dnChain)) {
	match = true;
	break;
	}
	}

	boolean negate = (args.length == 2) ? "!".equals(args[1]) : false;
	return negate ^ match ? Condition.TRUE : Condition.FALSE;
	}

	private BundleSignerCondition() {
	// private constructor to prevent objects of this type
	}
	}