package javasec.samples.appe;
import java.net.*;
import java.io.*;
import java.util.jar.*;
import java.util.*;
import java.security.cert.*;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Provider;
public class XYZProvider extends Provider {
public XYZProvider() {
super("XYZ", 1.0, "XYZ Security Provider v1.0");
// These are examples we'll demonstrate throughout the next
// chapters.
put("KeyGenerator.XOR", "javasec.samples.ch09.XORKeyGenerator");
put("KeyPairGenerator.XYZ", "javasec.samples.ch09.XYZKeyPairGenerator");
put("KeyFactory.XYZ", "javasec.samples.ch09.XYZKeyFactory");
put("MessageDigest.XYZ", "javasec.samples.ch11.XYZMessageDigest");
put("Signature.XYZwithSHA", "javasec.samples.ch12.XYZSignature");
put("Cipher.XOR", "javasec.samples.ch13.XORCipher");
put("KeyManagerFactory.XYZ", "javasec.samples.ch14.SSLKeyManagerFactory");
// Now include any aliases
put("Alg.Alias.MessageDigest.SHA-1", "SHA");
}
private static boolean verifiedJCE = false;
private static X509Certificate[] trustedCerts;
static byte[][] embeddedCerts = {
/*
{ // Embed first certificate here
},
{ // Embed second certificate here... and so on
}
*/
};
static {
// Note: This code is incomplete until you obtain the trusted
// root certificate from Sun (and, optionally, IBM). When you
// apply for your JCE signing certificate, they will send you
// the root certificate. Then follow these steps:
// 1) Import it into a keystore
// 2) Write a program to read the certificate out of the keystore
// 3) Get the encoded byte array from the certificate
// 4) Dump out the byte array to a print writer file like this:
// for (int i = 0; i < bytearray.length; i++)
// pw.print(bytearray[i] + ", ");
// 5) Convert that file into a byte array definition, and put
// it into the embeddedCerts array above
try {
trustedCerts = new X509Certificate[embeddedCerts.length];
CertificateFactory cf = CertificateFactory.getInstance("X509");
for (int i = 0; i < trustedCerts.length; i++) {
ByteArrayInputStream bais =
new ByteArrayInputStream(embeddedCerts[i]);
trustedCerts[i] = (X509Certificate) cf.generateCertificate(bais);
}
} catch (Exception e) {
throw new SecurityException("Can't initialize certs " + e);
}
}
public static final synchronized void verifyForJCE() {
// If the JCE has already been verified, just return.
if (verifiedJCE)
return;
verify(javax.crypto.Cipher.class);
verify(XYZProvider.class);
verifiedJCE = true;
}
private static void verify(Class c) {
// Verify that the class C comes from a jar file signed by a
// trusted entity.
// Find out the URL for the class
final URL u = getURL(c);
if (u == null)
throw new SecurityException("Can't find valid signed class " + c);
// Read the JAR file
JarFile jf;
try {
jf = (JarFile)AccessController.doPrivileged(
new PrivilegedExceptionAction() {
public Object run() throws Exception {
return ((JarURLConnection)
u.openConnection()).getJarFile();
}
}
);
} catch (PrivilegedActionException pae) {
throw new SecurityException("Cannot authenticate JCE " + pae);
}
try {
verifySingleJarFile(jf);
} catch (Exception e) {
throw new SecurityException("Cannot authenticate JCE " + e);
}
}
private static void verifySingleJarFile(JarFile jf)
throws IOException, CertificateException {
Vector entriesVec = new Vector();
// Ensure there is a manifest file
Manifest man = jf.getManifest();
if (man == null)
throw new SecurityException("The JCE framework is not signed");
// Ensure all the entries' signatures verify correctly
byte[] buffer = new byte[8192];
Enumeration entries = jf.entries();
while (entries.hasMoreElements()) {
JarEntry je = (JarEntry)entries.nextElement();
entriesVec.addElement(je);
InputStream is = jf.getInputStream(je);
int n;
while ((n = is.read(buffer, 0, buffer.length)) != -1) {
// we just read. This will throw a SecurityException
// if a signature/digest check fails.
}
is.close();
}
jf.close();
// Get the list of signer certificates
Enumeration e = entriesVec.elements();
while (e.hasMoreElements()) {
JarEntry je = (JarEntry) e.nextElement();
if (je.isDirectory())
continue;
// Every file must be signed - except files in META-INF
Certificate[] certs = je.getCertificates();
if ((certs == null) || (certs.length == 0)) {
if (!je.getName().startsWith("META-INF"))
throw new SecurityException("Unsigned JCE classes!");
else ;
} else {
// Check whether the file is signed as expected.
// The framework may be signed by multiple signers.
// At least one of the signers must be a trusted signer.
// First, determine the roots of the certificate chains
Certificate[] chainRoots = getChainRoots(certs);
boolean signedAsExpected = false;
for (int i = 0; i < chainRoots.length; i++) {
if (isTrusted((X509Certificate)chainRoots[i])) {
signedAsExpected = true;
break;
}
}
if (!signedAsExpected)
throw new SecurityException("The JCE framework " +
"is not signed by a trusted signer");
}
}
}
private static boolean isTrusted(X509Certificate cert) {
// Return true only if either of the following is true:
// 1) the cert is in the trustedCerts.
// 2) the cert is issued by a trusted CA.
// Check whether the cert is in the trustedCerts
for (int i = 0; i < trustedCerts.length; i++) {
// If the cert has the same SubjectDN as a trusted CA,
// check whether the two certs are the same.
if (cert.getSubjectDN().equals(
trustedCerts[i].getSubjectDN())) {
if (cert.equals(trustedCerts[i]))
return true;
}
}
// Check whether the cert is issued by a trusted CA.
// Signature verification is expensive. So we check
// whether the cert is issued by one of the trusted CAs
// only if the above loop failed.
for (int i = 0; i < trustedCerts.length; i++) {
// If the issuer of the cert has the same name as
// a trusted CA, check whether that trusted CA
// actually issued the cert.
if (cert.getIssuerDN().equals(trustedCerts[i].getSubjectDN())) {
S1试 题
"S1试题"所指的可能是一份与信息技术相关的测试或学习材料,尤其在编程或软件开发领域。由于没有提供具体的题目内容,我们只能根据常见的IT知识领域进行推测。通常,这样的试题可能包括Java编程语言的安全性问题,也就是"javasec"这个文件名所暗示的。 在Java安全方面,有许多关键知识点需要理解: 1. **Java沙箱模型**:Java的运行环境使用沙箱模型来限制代码的权限,防止恶意代码对系统造成破坏。这是Java平台安全性的重要基础。 2. **类加载器**:Java程序的执行依赖于类加载器,它们负责加载类文件并确保不同类之间的隔离,这在多线程和安全环境中非常重要。 3. **访问控制修饰符**:private、protected、public和默认(包级私有)这些访问控制修饰符决定了类、方法和字段的可见性和可访问性,是实现代码安全的基础。 4. **异常处理**:Java通过try-catch-finally语句块处理异常,确保程序在遇到错误时能够优雅地处理,而不是崩溃。 5. **安全的输入验证**:防止SQL注入、跨站脚本攻击(XSS)等,对用户输入进行严格的验证和过滤。 6. **加密技术**:Java提供了丰富的加密库,如Java Cryptography Architecture (JCA)和Java Cryptography Extension (JCE),用于数据加密和安全通信。 7. **权限和策略**:Java安全经理(Security Manager)允许设置特定的权限策略,控制哪些操作可以执行,哪些被禁止。 8. **数字签名和证书**:用于验证代码的来源和完整性,防止代码被篡改。 9. **网络编程安全**:处理Socket连接、HTTP/HTTPS协议时,应考虑安全套接层(SSL/TLS)以及证书管理。 10. **JVM安全**:理解JVM如何加载和执行字节码,以及如何防止恶意代码的执行。 "A B C D"可能是试题选项或者分类标识,但没有具体信息无法进一步分析。 至于"META-INF",这是一个标准的Java存档(JAR)文件目录,其中包含关于JAR文件的元数据,如MANIFEST.MF文件,它记录了JAR的主类、版本信息和其他配置。在构建可执行的JAR文件或处理依赖时,这个目录及其内容至关重要。 总结来说,"S1试题"可能涵盖了Java安全的多个重要方面,包括但不限于类加载、异常处理、输入验证、加密、权限控制、网络安全以及JVM行为。对于准备这样的试题,深入理解Java的底层机制和安全特性是至关重要的。
- 1
- 2
- 粉丝: 0
- 资源: 1
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
最新资源
- 图书管理系统(C语言版)
- 资源搬运:latent-gt-code512.pth Apr 17, 2023
- DeepSeek-R1技术报告
- epic pen屏幕笔非常好用!
- 电机控制单电阻采样方法及电流重构解析,PWM移项技术与双、三电阻应用研究,电机控制单电阻采样方法详细资料,电流重构,pwm移项方法等等 还有双电阻和三电阻都噢 ,电机控制;单电阻采样方法;电流重构
- 大模型与LangChain4j:Java环境下构建和优化AI应用的全方位指南
- 遗传算法在微电网经济运行优化中的应用(含蓄电池、风电等能源)-matlab程序解析,遗传算法的微电网经济运行优化(matlab程序) 采用遗传算法的优化运行 在微电网中 系统中包括蓄电池、风电、柴油机
- 双碳目标下综合能源系统优化调度策略:分时机制、碳交易与双层响应优化的模型分析(Matlab+Yalmip+Cplex求解),分时优化机制+碳交易+双层需求响应优化+综合能源系统IES联合低碳优化调度:
- Node.js接收文件分片数据并进行合并处理
- 基于 DeepSeek 的情感分析的 Python 源码
- 软考报考流程指南-2024.pdf
- 基于Matlab的含碳捕集与电转气协同虚拟电厂优化调度策略求解程序,《计及电转气协同的含碳捕集与垃圾焚烧电厂优化调度》matlab程序 #电转气协同、碳捕集、电厂优化调度# matlab程序,采用y
- 基于Tent映射的混合灰狼优化算法:结合混沌初始种群与非线性控制参数的改进策略,一种基于Tent映射的混合灰狼优化的改进算法-滕志军 MATLAB代码,可提供代码与lunwen 首先,其通过 Te
- UMP Pro Win Mac Linux WebGL(2.0.3修改版)
- Springboot+vue3在线预约系统
- 博图程序块与西门子PLC在水处理中的智能电机控制:一键启动,轮询运行与最短运行时间筛选,博图程序块,西门子plc程序 做水处理时,会用到多个电机,但是运行时只启动其中几台电机,其他的备用,现在程序块
评论0