open-source/apache-tomcat-8.5.51
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
xieyinlu
2024-11-30 19:03:49 +08:00
commit 1e6763c160
3806 changed files with 737676 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

125
java/org/apache/tomcat/util/security/ConcurrentMessageDigest.java Normal file
View File

@@ -0,0 +1,125 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.tomcat.util.security;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.Queue;
import java.util.concurrent.ConcurrentLinkedQueue;
/**
* A thread safe wrapper around {@link MessageDigest} that does not make use
* of ThreadLocal and - broadly - only creates enough MessageDigest objects
* to satisfy the concurrency requirements.
*/
public class ConcurrentMessageDigest {
private static final String MD5 = "MD5";
private static final String SHA1 = "SHA-1";
private static final Map<String,Queue<MessageDigest>> queues =
new HashMap<>();
private ConcurrentMessageDigest() {
// Hide default constructor for this utility class
}
static {
try {
// Init commonly used algorithms
init(MD5);
init(SHA1);
} catch (NoSuchAlgorithmException e) {
throw new IllegalArgumentException(e);
}
}
public static byte[] digestMD5(byte[]... input) {
return digest(MD5, input);
}
public static byte[] digestSHA1(byte[]... input) {
return digest(SHA1, input);
}
public static byte[] digest(String algorithm, byte[]... input) {
return digest(algorithm, 1, input);
}
public static byte[] digest(String algorithm, int rounds, byte[]... input) {
Queue<MessageDigest> queue = queues.get(algorithm);
if (queue == null) {
throw new IllegalStateException("Must call init() first");
}
MessageDigest md = queue.poll();
if (md == null) {
try {
md = MessageDigest.getInstance(algorithm);
} catch (NoSuchAlgorithmException e) {
// Ignore. Impossible if init() has been successfully called
// first.
throw new IllegalStateException("Must call init() first");
}
}
// Round 1
for (byte[] bytes : input) {
md.update(bytes);
}
byte[] result = md.digest();
// Subsequent rounds
if (rounds > 1) {
for (int i = 1; i < rounds; i++) {
md.update(result);
result = md.digest();
}
}
queue.add(md);
return result;
}
/**
* Ensures that {@link #digest(String, byte[][])} will support the specified
* algorithm. This method <b>must</b> be called and return successfully
* before using {@link #digest(String, byte[][])}.
*
* @param algorithm The message digest algorithm to be supported
*
* @throws NoSuchAlgorithmException If the algorithm is not supported by the
* JVM
*/
public static void init(String algorithm) throws NoSuchAlgorithmException {
synchronized (queues) {
if (!queues.containsKey(algorithm)) {
MessageDigest md = MessageDigest.getInstance(algorithm);
Queue<MessageDigest> queue = new ConcurrentLinkedQueue<>();
queue.add(md);
queues.put(algorithm, queue);
}
}
}
}

160
java/org/apache/tomcat/util/security/Escape.java Normal file
View File

@@ -0,0 +1,160 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.tomcat.util.security;
/**
* Provides utility methods to escape content for different contexts. It is
* critical that the escaping used is correct for the context in which the data
* is to be used.
*/
public class Escape {
/**
* Escape content for use in HTML. This escaping is suitable for the
* following uses:
* <ul>
* <li>Element content when the escaped data will be placed directly inside
* tags such as &lt;p&gt;, &lt;td&gt; etc.</li>
* <li>Attribute values when the attribute value is quoted with &quot; or
* &#x27;.</li>
* </ul>
*
* @param content The content to escape
*
* @return The escaped content or {@code null} if the content was
* {@code null}
*/
public static String htmlElementContent(String content) {
if (content == null) {
return null;
}
StringBuilder sb = new StringBuilder();
for (int i = 0; i < content.length(); i++) {
char c = content.charAt(i);
if (c == '<') {
sb.append("&lt;");
} else if (c == '>') {
sb.append("&gt;");
} else if (c == '\'') {
sb.append("&#39;");
} else if (c == '&') {
sb.append("&amp;");
} else if (c == '"') {
sb.append("&quot;");
} else if (c == '/') {
sb.append("&#47;");
} else {
sb.append(c);
}
}
return (sb.length() > content.length()) ? sb.toString() : content;
}
/**
* Convert the object to a string via {@link Object#toString()} and HTML
* escape the resulting string for use in HTML content.
*
* @param obj The object to convert to String and then escape
*
* @return The escaped content or <code>&quot;?&quot;</code> if obj is
* {@code null}
*/
public static String htmlElementContext(Object obj) {
if (obj == null) {
return "?";
}
try {
return htmlElementContent(obj.toString());
} catch (Exception e) {
return null;
}
}
/**
* Escape content for use in XML.
*
* @param content The content to escape
*
* @return The escaped content or {@code null} if the content was
* {@code null}
*/
public static String xml(String content) {
return xml(null, content);
}
/**
* Escape content for use in XML.
*
* @param ifNull The value to return if content is {@code null}
* @param content The content to escape
*
* @return The escaped content or the value of {@code ifNull} if the
* content was {@code null}
*/
public static String xml(String ifNull, String content) {
return xml(ifNull, false, content);
}
/**
* Escape content for use in XML.
*
* @param ifNull The value to return if content is {@code null}
* @param escapeCRLF Should CR and LF also be escaped?
* @param content The content to escape
*
* @return The escaped content or the value of ifNull if the content was
* {@code null}
*/
public static String xml(String ifNull, boolean escapeCRLF, String content) {
if (content == null) {
return ifNull;
}
StringBuilder sb = new StringBuilder();
for (int i = 0; i < content.length(); i++) {
char c = content.charAt(i);
if (c == '<') {
sb.append("&lt;");
} else if (c == '>') {
sb.append("&gt;");
} else if (c == '\'') {
sb.append("&apos;");
} else if (c == '&') {
sb.append("&amp;");
} else if (c == '"') {
sb.append("&quot;");
} else if (escapeCRLF && c == '\r') {
sb.append("&#13;");
} else if (escapeCRLF && c == '\n') {
sb.append("&#10;");
} else {
sb.append(c);
}
}
return (sb.length() > content.length()) ? sb.toString(): content;
}
}

72
java/org/apache/tomcat/util/security/KeyStoreUtil.java Normal file
View File

@@ -0,0 +1,72 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.tomcat.util.security;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
public class KeyStoreUtil {
private KeyStoreUtil() {
// Utility class
}
/**
* Loads a KeyStore from an InputStream working around the known JDK bug
* https://bugs.openjdk.java.net/browse/JDK-8157404.
*
* This code can be removed once the minimum Java version for Tomcat is 13.
*
*
* @param keystore The KeyStore to load from the InputStream
* @param is The InputStream to use to populate the KeyStore
* @param storePass The password to access the KeyStore
*
* @throws IOException
* If an I/O occurs reading from the given InputStream
* @throws CertificateException
* If one or more certificates can't be loaded into the
* KeyStore
* @throws NoSuchAlgorithmException
* If the algorithm specified to validate the integrity of the
* KeyStore cannot be found
*/
public static void load(KeyStore keystore, InputStream is, char[] storePass)
throws NoSuchAlgorithmException, CertificateException, IOException {
if (keystore.getType().equals("PKCS12")) {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
byte[] buf = new byte[8192];
int numRead;
while ((numRead = is.read(buf)) >= 0) {
baos.write(buf, 0, numRead);
}
baos.close();
// Don't close is. That remains the callers responsibility.
ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
keystore.load(bais, storePass);
} else {
keystore.load(is, storePass);
}
}
}

64
java/org/apache/tomcat/util/security/MD5Encoder.java Normal file
View File

@@ -0,0 +1,64 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.tomcat.util.security;
/**
* Encode an MD5 digest into a String.
* <p>
* The 128 bit MD5 hash is converted into a 32 character long String.
* Each character of the String is the hexadecimal representation of 4 bits
* of the digest.
*
* @author Remy Maucherat
*/
public final class MD5Encoder {
private MD5Encoder() {
// Hide default constructor for utility class
}
private static final char[] hexadecimal = {'0', '1', '2', '3', '4', '5',
'6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
/**
* Encodes the 128 bit (16 bytes) MD5 into a 32 character String.
*
* @param binaryData Array containing the digest
*
* @return Encoded MD5, or null if encoding failed
*/
public static String encode(byte[] binaryData) {
if (binaryData.length != 16)
return null;
char[] buffer = new char[32];
for (int i=0; i<16; i++) {
int low = binaryData[i] & 0x0f;
int high = (binaryData[i] & 0xf0) >> 4;
buffer[i*2] = hexadecimal[high];
buffer[i*2 + 1] = hexadecimal[low];
}
return new String(buffer);
}
}

43
java/org/apache/tomcat/util/security/PermissionCheck.java Normal file
View File

@@ -0,0 +1,43 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.tomcat.util.security;
import java.security.Permission;
/**
* This interface is implemented by components to enable privileged code to
* check whether the component has a given permission.
* This is typically used when a privileged component (e.g. the container) is
* performing an action on behalf of an untrusted component (e.g. a web
* application) without the current thread having passed through a code source
* provided by the untrusted component. Because the current thread has not
* passed through a code source provided by the untrusted component the
* SecurityManager assumes the code is trusted so the standard checking
* mechanisms can't be used.
*/
public interface PermissionCheck {
/**
* Does this component have the given permission?
*
* @param permission The permission to test
*
* @return {@code false} if a SecurityManager is enabled and the component
* does not have the given permission, otherwise {@code true}
*/
boolean check(Permission permission);
}

28
java/org/apache/tomcat/util/security/PrivilegedGetTccl.java Normal file
View File

@@ -0,0 +1,28 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.tomcat.util.security;
import java.security.PrivilegedAction;
public class PrivilegedGetTccl implements PrivilegedAction<ClassLoader> {
@Override
public ClassLoader run() {
return Thread.currentThread().getContextClassLoader();
}
}

41
java/org/apache/tomcat/util/security/PrivilegedSetTccl.java Normal file
View File

@@ -0,0 +1,41 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.tomcat.util.security;
import java.security.PrivilegedAction;
public class PrivilegedSetTccl implements PrivilegedAction<Void> {
private final ClassLoader cl;
private final Thread t;
public PrivilegedSetTccl(ClassLoader cl) {
this(Thread.currentThread(), cl);
}
public PrivilegedSetTccl(Thread t, ClassLoader cl) {
this.t = t;
this.cl = cl;
}
@Override
public Void run() {
t.setContextClassLoader(cl);
return null;
}
}