org.eclipse.osgi.internal.signedcontent.TrustEngineListener Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of aspectjtools Show documentation
Show all versions of aspectjtools Show documentation
AspectJ tools most notably contains the AspectJ compiler (AJC). AJC applies aspects to Java classes during
compilation, fully replacing Javac for plain Java classes and also compiling native AspectJ or annotation-based
@AspectJ syntax. Furthermore, AJC can weave aspects into existing class files in a post-compile binary weaving step.
This library is a superset of AspectJ weaver and hence also of AspectJ runtime.
/*******************************************************************************
* Copyright (c) 2007, 2016 IBM Corporation and others.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License 2.0 which accompanies this distribution,
* and is available at
* https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*
* Contributors: IBM Corporation - initial API and implementation
******************************************************************************/
package org.eclipse.osgi.internal.signedcontent;
import java.security.cert.Certificate;
import java.util.HashSet;
import java.util.Set;
import org.eclipse.osgi.internal.framework.EquinoxConfiguration;
import org.eclipse.osgi.internal.signedcontent.SignedContentFromBundleFile.BaseSignerInfo;
import org.eclipse.osgi.signedcontent.SignedContent;
import org.eclipse.osgi.signedcontent.SignerInfo;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
public class TrustEngineListener {
private final BundleContext context;
private final SignedBundleHook signedBundleHook;
TrustEngineListener(BundleContext context, SignedBundleHook signedBundleHook) {
this.context = context;
this.signedBundleHook = signedBundleHook;
}
public void addedTrustAnchor(Certificate anchor) {
// find any SignedContent with SignerInfos that do not have an anchor;
// re-evaluate trust and check authorization for these SignedContents
Bundle[] bundles = context.getBundles();
for (Bundle bundle : bundles) {
SignedContentFromBundleFile signedContent = getSignedContent(bundle);
if (signedContent != null && signedContent.isSigned()) {
// check the SignerInfos for this content
SignerInfo[] infos = signedContent.getSignerInfos();
for (SignerInfo info : infos) {
if (info.getTrustAnchor() == null) {
// one of the signers is not trusted
signedBundleHook.determineTrust(signedContent,
EquinoxConfiguration.SIGNED_CONTENT_VERIFY_TRUST);
} else {
SignerInfo tsa = signedContent.getTSASignerInfo(info);
if (tsa != null && tsa.getTrustAnchor() == null)
// one of the tsa signers is not trusted
signedBundleHook.determineTrust(signedContent,
EquinoxConfiguration.SIGNED_CONTENT_VERIFY_TRUST);
}
}
}
}
}
public void removedTrustAnchor(Certificate anchor) {
// find any signed content that has signerinfos with the supplied anchor
// re-evaluate trust and check authorization again.
Bundle[] bundles = context.getBundles();
Set usingAnchor = new HashSet<>();
Set untrustedSigners = new HashSet<>();
for (Bundle bundle : bundles) {
SignedContentFromBundleFile signedContent = getSignedContent(bundle);
if (signedContent != null && signedContent.isSigned()) {
// check signer infos for this content
SignerInfo[] infos = signedContent.getSignerInfos();
for (SignerInfo info : infos) {
if (anchor.equals(info.getTrustAnchor())) {
// one of the signers uses this anchor
untrustedSigners.add(info);
usingAnchor.add(bundle);
}
SignerInfo tsa = signedContent.getTSASignerInfo(info);
if (tsa != null && anchor.equals(tsa.getTrustAnchor())) {
// one of the tsa signers uses this anchor
usingAnchor.add(bundle);
untrustedSigners.add(tsa);
}
}
}
}
// remove trust anchors from untrusted signers
for (SignerInfo untrustedSigner : untrustedSigners)
((BaseSignerInfo) untrustedSigner).setTrustAnchor(null);
// re-establish trust
for (Bundle bundle : usingAnchor) {
SignedContentFromBundleFile signedContent = getSignedContent(bundle);
// found an signer using the anchor for this bundle re-evaluate trust
signedBundleHook.determineTrust(signedContent, EquinoxConfiguration.SIGNED_CONTENT_VERIFY_TRUST);
}
}
private SignedContentFromBundleFile getSignedContent(Bundle bundle) {
return (SignedContentFromBundleFile) bundle.adapt(SignedContent.class);
}
}