Skip to main content
summaryrefslogtreecommitdiffstats
path: root/bundles/org.eclipse.osgi/osgi/src/org/osgi/service/condpermadmin/BundleSignerCondition.java
blob: 6e10febd6a8cfc31973ece0af29c352ed972b105 (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106

/*
 * Copyright (c) OSGi Alliance (2005, 2010). All Rights Reserved.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.osgi.service.condpermadmin;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.osgi.framework.Bundle;
import org.osgi.framework.FrameworkUtil;

/**
 * Condition to test if the signer of a bundle matches or does not match a
 * pattern. Since the bundle's signer can only change when the bundle is
 * updated, this condition is immutable.
 * <p>
 * The condition expressed using a single String that specifies a Distinguished
 * Name (DN) chain to match bundle signers against. DN's are encoded using IETF
 * RFC 2253. Usually signers use certificates that are issued by certificate
 * authorities, which also have a corresponding DN and certificate. The
 * certificate authorities can form a chain of trust where the last DN and
 * certificate is known by the framework. The signer of a bundle is expressed as
 * signers DN followed by the DN of its issuer followed by the DN of the next
 * issuer until the DN of the root certificate authority. Each DN is separated
 * by a semicolon.
 * <p>
 * A bundle can satisfy this condition if one of its signers has a DN chain that
 * matches the DN chain used to construct this condition. Wildcards (`*') can be
 * used to allow greater flexibility in specifying the DN chains. Wildcards can
 * be used in place of DNs, RDNs, or the value in an RDN. If a wildcard is used
 * for a value of an RDN, the value must be exactly "*" and will match any value
 * for the corresponding type in that RDN. If a wildcard is used for a RDN, it
 * must be the first RDN and will match any number of RDNs (including zero
 * RDNs).
 * 
 * @ThreadSafe
 * @version $Id$
 */
public class BundleSignerCondition {
	private static final String	CONDITION_TYPE	= "org.osgi.service.condpermadmin.BundleSignerCondition";

	/**
	 * Constructs a Condition that tries to match the passed Bundle's location
	 * to the location pattern.
	 * 
	 * @param bundle The Bundle being evaluated.
	 * @param info The ConditionInfo from which to construct the condition. The
	 *        ConditionInfo must specify one or two arguments. The first
	 *        argument of the ConditionInfo specifies the chain of distinguished
	 *        names pattern to match against the signer of the bundle. The
	 *        Condition is satisfied if the signer of the bundle matches the
	 *        pattern. The second argument of the ConditionInfo is optional. If
	 *        a second argument is present and equal to "!", then the
	 *        satisfaction of the Condition is negated. That is, the Condition
	 *        is satisfied if the signer of the bundle does NOT match the
	 *        pattern. If the second argument is present but does not equal "!",
	 *        then the second argument is ignored.
	 * @return A Condition which checks the signers of the specified bundle.
	 */
	public static Condition getCondition(final Bundle bundle,
			final ConditionInfo info) {
		if (!CONDITION_TYPE.equals(info.getType()))
			throw new IllegalArgumentException(
					"ConditionInfo must be of type \"" + CONDITION_TYPE + "\"");
		String[] args = info.getArgs();
		if (args.length != 1 && args.length != 2)
			throw new IllegalArgumentException("Illegal number of args: "
					+ args.length);

		Map<X509Certificate, List<X509Certificate>> signers = bundle
				.getSignerCertificates(Bundle.SIGNERS_TRUSTED);
		boolean match = false;
		for (List<X509Certificate> signerCerts : signers.values()) {
			List<String> dnChain = new ArrayList<String>(signerCerts.size());
			for (X509Certificate signer : signerCerts) {
				dnChain.add(signer.getSubjectDN().getName());
			}
			if (FrameworkUtil.matchDistinguishedNameChain(args[0], dnChain)) {
				match = true;
				break;
			}
		}

		boolean negate = (args.length == 2) ? "!".equals(args[1]) : false;
		return negate ^ match ? Condition.TRUE : Condition.FALSE;
	}

	private BundleSignerCondition() {
		// private constructor to prevent objects of this type
	}
}

Back to the top