All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.osgi.service.condpermadmin.BundleSignerCondition Maven / Gradle / Ivy

The newest version!
/*
 * Copyright (c) OSGi Alliance (2005, 2013). All Rights Reserved.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.osgi.service.condpermadmin;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.osgi.framework.Bundle;
import org.osgi.framework.FrameworkUtil;

/**
 * Condition to test if the signer of a bundle matches or does not match a
 * pattern. Since the bundle's signer can only change when the bundle is
 * updated, this condition is immutable.
 * 

* The condition expressed using a single String that specifies a Distinguished * Name (DN) chain to match bundle signers against. DN's are encoded using IETF * RFC 2253. Usually signers use certificates that are issued by certificate * authorities, which also have a corresponding DN and certificate. The * certificate authorities can form a chain of trust where the last DN and * certificate is known by the framework. The signer of a bundle is expressed as * signers DN followed by the DN of its issuer followed by the DN of the next * issuer until the DN of the root certificate authority. Each DN is separated * by a semicolon. *

* A bundle can satisfy this condition if one of its signers has a DN chain that * matches the DN chain used to construct this condition. Wildcards (`*') can be * used to allow greater flexibility in specifying the DN chains. Wildcards can * be used in place of DNs, RDNs, or the value in an RDN. If a wildcard is used * for a value of an RDN, the value must be exactly "*" and will match any value * for the corresponding type in that RDN. If a wildcard is used for a RDN, it * must be the first RDN and will match any number of RDNs (including zero * RDNs). * * @ThreadSafe * @author $Id: 9bb17ecb4b23c66940ab8d9f3b97b0a1040db929 $ */ public class BundleSignerCondition { private static final String CONDITION_TYPE = "org.osgi.service.condpermadmin.BundleSignerCondition"; /** * Constructs a Condition that tries to match the passed Bundle's location * to the location pattern. * * @param bundle The Bundle being evaluated. * @param info The ConditionInfo from which to construct the condition. The * ConditionInfo must specify one or two arguments. The first * argument of the ConditionInfo specifies the chain of distinguished * names pattern to match against the signer of the bundle. The * Condition is satisfied if the signer of the bundle matches the * pattern. The second argument of the ConditionInfo is optional. If * a second argument is present and equal to "!", then the * satisfaction of the Condition is negated. That is, the Condition * is satisfied if the signer of the bundle does NOT match the * pattern. If the second argument is present but does not equal "!", * then the second argument is ignored. * @return A Condition which checks the signers of the specified bundle. */ public static Condition getCondition(final Bundle bundle, final ConditionInfo info) { if (!CONDITION_TYPE.equals(info.getType())) throw new IllegalArgumentException("ConditionInfo must be of type \"" + CONDITION_TYPE + "\""); String[] args = info.getArgs(); if (args.length != 1 && args.length != 2) throw new IllegalArgumentException("Illegal number of args: " + args.length); Map> signers = bundle.getSignerCertificates(Bundle.SIGNERS_TRUSTED); boolean match = false; for (List signerCerts : signers.values()) { List dnChain = new ArrayList(signerCerts.size()); for (X509Certificate signer : signerCerts) { dnChain.add(signer.getSubjectDN().getName()); } if (FrameworkUtil.matchDistinguishedNameChain(args[0], dnChain)) { match = true; break; } } boolean negate = (args.length == 2) ? "!".equals(args[1]) : false; return negate ^ match ? Condition.TRUE : Condition.FALSE; } private BundleSignerCondition() { // private constructor to prevent objects of this type } }





© 2015 - 2024 Weber Informatics LLC | Privacy Policy