1 /*
   2  * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.net;
  27 
  28 import java.io.IOException;
  29 import java.io.ObjectInputStream;
  30 import java.io.ObjectOutputStream;
  31 import java.io.ObjectStreamField;
  32 import java.io.Serializable;
  33 import java.net.InetAddress;
  34 import java.security.AccessController;
  35 import java.security.Permission;
  36 import java.security.PermissionCollection;
  37 import java.security.PrivilegedAction;
  38 import java.security.Security;
  39 import java.util.Collections;
  40 import java.util.Comparator;
  41 import java.util.Enumeration;
  42 import java.util.Vector;
  43 import java.util.StringJoiner;
  44 import java.util.StringTokenizer;
  45 import java.util.concurrent.ConcurrentSkipListMap;
  46 import sun.net.util.IPAddressUtil;
  47 import sun.net.PortConfig;
  48 import sun.security.util.RegisteredDomain;
  49 import sun.security.util.SecurityConstants;
  50 import sun.security.util.Debug;
  51 
  52 
  53 /**
  54  * This class represents access to a network via sockets.
  55  * A SocketPermission consists of a
  56  * host specification and a set of "actions" specifying ways to
  57  * connect to that host. The host is specified as
  58  * <pre>
  59  *    host = (hostname | IPv4address | iPv6reference) [:portrange]
  60  *    portrange = portnumber | -portnumber | portnumber-[portnumber]
  61  * </pre>
  62  * The host is expressed as a DNS name, as a numerical IP address,
  63  * or as "localhost" (for the local machine).
  64  * The wildcard "*" may be included once in a DNS name host
  65  * specification. If it is included, it must be in the leftmost
  66  * position, as in "*.example.com".
  67  * <p>
  68  * The format of the IPv6reference should follow that specified in <a
  69  * href="http://www.ietf.org/rfc/rfc2732.txt"><i>RFC&nbsp;2732: Format
  70  * for Literal IPv6 Addresses in URLs</i></a>:
  71  * <pre>
  72  *    ipv6reference = "[" IPv6address "]"
  73  *</pre>
  74  * For example, you can construct a SocketPermission instance
  75  * as the following:
  76  * <pre>
  77  *    String hostAddress = inetaddress.getHostAddress();
  78  *    if (inetaddress instanceof Inet6Address) {
  79  *        sp = new SocketPermission("[" + hostAddress + "]:" + port, action);
  80  *    } else {
  81  *        sp = new SocketPermission(hostAddress + ":" + port, action);
  82  *    }
  83  * </pre>
  84  * or
  85  * <pre>
  86  *    String host = url.getHost();
  87  *    sp = new SocketPermission(host + ":" + port, action);
  88  * </pre>
  89  * <p>
  90  * The <A HREF="Inet6Address.html#lform">full uncompressed form</A> of
  91  * an IPv6 literal address is also valid.
  92  * <p>
  93  * The port or portrange is optional. A port specification of the
  94  * form "N-", where <i>N</i> is a port number, signifies all ports
  95  * numbered <i>N</i> and above, while a specification of the
  96  * form "-N" indicates all ports numbered <i>N</i> and below.
  97  * The special port value {@code 0} refers to the entire <i>ephemeral</i>
  98  * port range. This is a fixed range of ports a system may use to
  99  * allocate dynamic ports from. The actual range may be system dependent.
 100  * <p>
 101  * The possible ways to connect to the host are
 102  * <pre>
 103  * accept
 104  * connect
 105  * listen
 106  * resolve
 107  * </pre>
 108  * The "listen" action is only meaningful when used with "localhost" and
 109  * means the ability to bind to a specified port.
 110  * The "resolve" action is implied when any of the other actions are present.
 111  * The action "resolve" refers to host/ip name service lookups.
 112  * <P>
 113  * The actions string is converted to lowercase before processing.
 114  * <p>As an example of the creation and meaning of SocketPermissions,
 115  * note that if the following permission:
 116  *
 117  * <pre>
 118  *   p1 = new SocketPermission("foo.example.com:7777", "connect,accept");
 119  * </pre>
 120  *
 121  * is granted to some code, it allows that code to connect to port 7777 on
 122  * {@code foo.example.com}, and to accept connections on that port.
 123  *
 124  * <p>Similarly, if the following permission:
 125  *
 126  * <pre>
 127  *   p2 = new SocketPermission("localhost:1024-", "accept,connect,listen");
 128  * </pre>
 129  *
 130  * is granted to some code, it allows that code to
 131  * accept connections on, connect to, or listen on any port between
 132  * 1024 and 65535 on the local host.
 133  *
 134  * <p>Note: Granting code permission to accept or make connections to remote
 135  * hosts may be dangerous because malevolent code can then more easily
 136  * transfer and share confidential data among parties who may not
 137  * otherwise have access to the data.
 138  *
 139  * @see java.security.Permissions
 140  * @see SocketPermission
 141  *
 142  *
 143  * @author Marianne Mueller
 144  * @author Roland Schemers
 145  * @since 1.2
 146  *
 147  * @serial exclude
 148  */
 149 
 150 public final class SocketPermission extends Permission
 151     implements java.io.Serializable
 152 {
 153     @java.io.Serial
 154     private static final long serialVersionUID = -7204263841984476862L;
 155 
 156     /**
 157      * Connect to host:port
 158      */
 159     private static final int CONNECT    = 0x1;
 160 
 161     /**
 162      * Listen on host:port
 163      */
 164     private static final int LISTEN     = 0x2;
 165 
 166     /**
 167      * Accept a connection from host:port
 168      */
 169     private static final int ACCEPT     = 0x4;
 170 
 171     /**
 172      * Resolve DNS queries
 173      */
 174     private static final int RESOLVE    = 0x8;
 175 
 176     /**
 177      * No actions
 178      */
 179     private static final int NONE               = 0x0;
 180 
 181     /**
 182      * All actions
 183      */
 184     private static final int ALL        = CONNECT|LISTEN|ACCEPT|RESOLVE;
 185 
 186     // various port constants
 187     private static final int PORT_MIN = 0;
 188     private static final int PORT_MAX = 65535;
 189     private static final int PRIV_PORT_MAX = 1023;
 190     private static final int DEF_EPH_LOW = 49152;
 191 
 192     // the actions mask
 193     private transient int mask;
 194 
 195     /**
 196      * the actions string.
 197      *
 198      * @serial
 199      */
 200 
 201     private String actions; // Left null as long as possible, then
 202                             // created and re-used in the getAction function.
 203 
 204     // hostname part as it is passed
 205     private transient String hostname;
 206 
 207     // the canonical name of the host
 208     // in the case of "*.foo.com", cname is ".foo.com".
 209 
 210     private transient String cname;
 211 
 212     // all the IP addresses of the host
 213     private transient InetAddress[] addresses;
 214 
 215     // true if the hostname is a wildcard (e.g. "*.example.com")
 216     private transient boolean wildcard;
 217 
 218     // true if we were initialized with a single numeric IP address
 219     private transient boolean init_with_ip;
 220 
 221     // true if this SocketPermission represents an invalid/unknown host
 222     // used for implies when the delayed lookup has already failed
 223     private transient boolean invalid;
 224 
 225     // port range on host
 226     private transient int[] portrange;
 227 
 228     private transient boolean defaultDeny = false;
 229 
 230     // true if this SocketPermission represents a hostname
 231     // that failed our reverse mapping heuristic test
 232     private transient boolean untrusted;
 233     private transient boolean trusted;
 234 
 235     // true if the sun.net.trustNameService system property is set
 236     private static boolean trustNameService;
 237 
 238     private static Debug debug = null;
 239     private static boolean debugInit = false;
 240 
 241     // lazy initializer
 242     private static class EphemeralRange {
 243         static final int low = initEphemeralPorts("low", DEF_EPH_LOW);
 244             static final int high = initEphemeralPorts("high", PORT_MAX);
 245     };
 246 
 247     static {
 248         Boolean tmp = java.security.AccessController.doPrivileged(
 249                 new sun.security.action.GetBooleanAction("sun.net.trustNameService"));
 250         trustNameService = tmp.booleanValue();
 251     }
 252 
 253     private static synchronized Debug getDebug() {
 254         if (!debugInit) {
 255             debug = Debug.getInstance("access");
 256             debugInit = true;
 257         }
 258         return debug;
 259     }
 260 
 261     /**
 262      * Creates a new SocketPermission object with the specified actions.
 263      * The host is expressed as a DNS name, or as a numerical IP address.
 264      * Optionally, a port or a portrange may be supplied (separated
 265      * from the DNS name or IP address by a colon).
 266      * <p>
 267      * To specify the local machine, use "localhost" as the <i>host</i>.
 268      * Also note: An empty <i>host</i> String ("") is equivalent to "localhost".
 269      * <p>
 270      * The <i>actions</i> parameter contains a comma-separated list of the
 271      * actions granted for the specified host (and port(s)). Possible actions are
 272      * "connect", "listen", "accept", "resolve", or
 273      * any combination of those. "resolve" is automatically added
 274      * when any of the other three are specified.
 275      * <p>
 276      * Examples of SocketPermission instantiation are the following:
 277      * <pre>
 278      *    nr = new SocketPermission("www.example.com", "connect");
 279      *    nr = new SocketPermission("www.example.com:80", "connect");
 280      *    nr = new SocketPermission("*.example.com", "connect");
 281      *    nr = new SocketPermission("*.edu", "resolve");
 282      *    nr = new SocketPermission("204.160.241.0", "connect");
 283      *    nr = new SocketPermission("localhost:1024-65535", "listen");
 284      *    nr = new SocketPermission("204.160.241.0:1024-65535", "connect");
 285      * </pre>
 286      *
 287      * @param host the hostname or IP address of the computer, optionally
 288      * including a colon followed by a port or port range.
 289      * @param action the action string.
 290      */
 291     public SocketPermission(String host, String action) {
 292         super(getHost(host));
 293         // name initialized to getHost(host); NPE detected in getHost()
 294         init(getName(), getMask(action));
 295     }
 296 
 297 
 298     SocketPermission(String host, int mask) {
 299         super(getHost(host));
 300         // name initialized to getHost(host); NPE detected in getHost()
 301         init(getName(), mask);
 302     }
 303 
 304     private void setDeny() {
 305         defaultDeny = true;
 306     }
 307 
 308     private static String getHost(String host) {
 309         if (host.isEmpty()) {
 310             return "localhost";
 311         } else {
 312             /* IPv6 literal address used in this context should follow
 313              * the format specified in RFC 2732;
 314              * if not, we try to solve the unambiguous case
 315              */
 316             int ind;
 317             if (host.charAt(0) != '[') {
 318                 if ((ind = host.indexOf(':')) != host.lastIndexOf(':')) {
 319                     /* More than one ":", meaning IPv6 address is not
 320                      * in RFC 2732 format;
 321                      * We will rectify user errors for all unambiguous cases
 322                      */
 323                     StringTokenizer st = new StringTokenizer(host, ":");
 324                     int tokens = st.countTokens();
 325                     if (tokens == 9) {
 326                         // IPv6 address followed by port
 327                         ind = host.lastIndexOf(':');
 328                         host = "[" + host.substring(0, ind) + "]" +
 329                             host.substring(ind);
 330                     } else if (tokens == 8 && host.indexOf("::") == -1) {
 331                         // IPv6 address only, not followed by port
 332                         host = "[" + host + "]";
 333                     } else {
 334                         // could be ambiguous
 335                         throw new IllegalArgumentException("Ambiguous"+
 336                                                            " hostport part");
 337                     }
 338                 }
 339             }
 340             return host;
 341         }
 342     }
 343 
 344     private int[] parsePort(String port)
 345         throws Exception
 346     {
 347 
 348         if (port == null || port.isEmpty() || port.equals("*")) {
 349             return new int[] {PORT_MIN, PORT_MAX};
 350         }
 351 
 352         int dash = port.indexOf('-');
 353 
 354         if (dash == -1) {
 355             int p = Integer.parseInt(port);
 356             return new int[] {p, p};
 357         } else {
 358             String low = port.substring(0, dash);
 359             String high = port.substring(dash+1);
 360             int l,h;
 361 
 362             if (low.isEmpty()) {
 363                 l = PORT_MIN;
 364             } else {
 365                 l = Integer.parseInt(low);
 366             }
 367 
 368             if (high.isEmpty()) {
 369                 h = PORT_MAX;
 370             } else {
 371                 h = Integer.parseInt(high);
 372             }
 373             if (l < 0 || h < 0 || h<l)
 374                 throw new IllegalArgumentException("invalid port range");
 375 
 376             return new int[] {l, h};
 377         }
 378     }
 379 
 380     /**
 381      * Returns true if the permission has specified zero
 382      * as its value (or lower bound) signifying the ephemeral range
 383      */
 384     private boolean includesEphemerals() {
 385         return portrange[0] == 0;
 386     }
 387 
 388     /**
 389      * Initialize the SocketPermission object. We don't do any DNS lookups
 390      * as this point, instead we hold off until the implies method is
 391      * called.
 392      */
 393     private void init(String host, int mask) {
 394         // Set the integer mask that represents the actions
 395 
 396         if ((mask & ALL) != mask)
 397             throw new IllegalArgumentException("invalid actions mask");
 398 
 399         // always OR in RESOLVE if we allow any of the others
 400         this.mask = mask | RESOLVE;
 401 
 402         // Parse the host name.  A name has up to three components, the
 403         // hostname, a port number, or two numbers representing a port
 404         // range.   "www.example.com:8080-9090" is a valid host name.
 405 
 406         // With IPv6 an address can be 2010:836B:4179::836B:4179
 407         // An IPv6 address needs to be enclose in []
 408         // For ex: [2010:836B:4179::836B:4179]:8080-9090
 409         // Refer to RFC 2732 for more information.
 410 
 411         int rb = 0 ;
 412         int start = 0, end = 0;
 413         int sep = -1;
 414         String hostport = host;
 415         if (host.charAt(0) == '[') {
 416             start = 1;
 417             rb = host.indexOf(']');
 418             if (rb != -1) {
 419                 host = host.substring(start, rb);
 420             } else {
 421                 throw new
 422                     IllegalArgumentException("invalid host/port: "+host);
 423             }
 424             sep = hostport.indexOf(':', rb+1);
 425         } else {
 426             start = 0;
 427             sep = host.indexOf(':', rb);
 428             end = sep;
 429             if (sep != -1) {
 430                 host = host.substring(start, end);
 431             }
 432         }
 433 
 434         if (sep != -1) {
 435             String port = hostport.substring(sep+1);
 436             try {
 437                 portrange = parsePort(port);
 438             } catch (Exception e) {
 439                 throw new
 440                     IllegalArgumentException("invalid port range: "+port);
 441             }
 442         } else {
 443             portrange = new int[] { PORT_MIN, PORT_MAX };
 444         }
 445 
 446         hostname = host;
 447 
 448         // is this a domain wildcard specification
 449         if (host.lastIndexOf('*') > 0) {
 450             throw new
 451                IllegalArgumentException("invalid host wildcard specification");
 452         } else if (host.startsWith("*")) {
 453             wildcard = true;
 454             if (host.equals("*")) {
 455                 cname = "";
 456             } else if (host.startsWith("*.")) {
 457                 cname = host.substring(1).toLowerCase();
 458             } else {
 459               throw new
 460                IllegalArgumentException("invalid host wildcard specification");
 461             }
 462             return;
 463         } else {
 464             if (!host.isEmpty()) {
 465                 // see if we are being initialized with an IP address.
 466                 char ch = host.charAt(0);
 467                 if (ch == ':' || Character.digit(ch, 16) != -1) {
 468                     byte ip[] = IPAddressUtil.textToNumericFormatV4(host);
 469                     if (ip == null) {
 470                         ip = IPAddressUtil.textToNumericFormatV6(host);
 471                     }
 472                     if (ip != null) {
 473                         try {
 474                             addresses =
 475                                 new InetAddress[]
 476                                 {InetAddress.getByAddress(ip) };
 477                             init_with_ip = true;
 478                         } catch (UnknownHostException uhe) {
 479                             // this shouldn't happen
 480                             invalid = true;
 481                         }
 482                     }
 483                 }
 484             }
 485         }
 486     }
 487 
 488     /**
 489      * Convert an action string to an integer actions mask.
 490      *
 491      * @param action the action string
 492      * @return the action mask
 493      */
 494     private static int getMask(String action) {
 495 
 496         if (action == null) {
 497             throw new NullPointerException("action can't be null");
 498         }
 499 
 500         if (action.isEmpty()) {
 501             throw new IllegalArgumentException("action can't be empty");
 502         }
 503 
 504         int mask = NONE;
 505 
 506         // Use object identity comparison against known-interned strings for
 507         // performance benefit (these values are used heavily within the JDK).
 508         if (action == SecurityConstants.SOCKET_RESOLVE_ACTION) {
 509             return RESOLVE;
 510         } else if (action == SecurityConstants.SOCKET_CONNECT_ACTION) {
 511             return CONNECT;
 512         } else if (action == SecurityConstants.SOCKET_LISTEN_ACTION) {
 513             return LISTEN;
 514         } else if (action == SecurityConstants.SOCKET_ACCEPT_ACTION) {
 515             return ACCEPT;
 516         } else if (action == SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION) {
 517             return CONNECT|ACCEPT;
 518         }
 519 
 520         char[] a = action.toCharArray();
 521 
 522         int i = a.length - 1;
 523         if (i < 0)
 524             return mask;
 525 
 526         while (i != -1) {
 527             char c;
 528 
 529             // skip whitespace
 530             while ((i!=-1) && ((c = a[i]) == ' ' ||
 531                                c == '\r' ||
 532                                c == '\n' ||
 533                                c == '\f' ||
 534                                c == '\t'))
 535                 i--;
 536 
 537             // check for the known strings
 538             int matchlen;
 539 
 540             if (i >= 6 && (a[i-6] == 'c' || a[i-6] == 'C') &&
 541                           (a[i-5] == 'o' || a[i-5] == 'O') &&
 542                           (a[i-4] == 'n' || a[i-4] == 'N') &&
 543                           (a[i-3] == 'n' || a[i-3] == 'N') &&
 544                           (a[i-2] == 'e' || a[i-2] == 'E') &&
 545                           (a[i-1] == 'c' || a[i-1] == 'C') &&
 546                           (a[i] == 't' || a[i] == 'T'))
 547             {
 548                 matchlen = 7;
 549                 mask |= CONNECT;
 550 
 551             } else if (i >= 6 && (a[i-6] == 'r' || a[i-6] == 'R') &&
 552                                  (a[i-5] == 'e' || a[i-5] == 'E') &&
 553                                  (a[i-4] == 's' || a[i-4] == 'S') &&
 554                                  (a[i-3] == 'o' || a[i-3] == 'O') &&
 555                                  (a[i-2] == 'l' || a[i-2] == 'L') &&
 556                                  (a[i-1] == 'v' || a[i-1] == 'V') &&
 557                                  (a[i] == 'e' || a[i] == 'E'))
 558             {
 559                 matchlen = 7;
 560                 mask |= RESOLVE;
 561 
 562             } else if (i >= 5 && (a[i-5] == 'l' || a[i-5] == 'L') &&
 563                                  (a[i-4] == 'i' || a[i-4] == 'I') &&
 564                                  (a[i-3] == 's' || a[i-3] == 'S') &&
 565                                  (a[i-2] == 't' || a[i-2] == 'T') &&
 566                                  (a[i-1] == 'e' || a[i-1] == 'E') &&
 567                                  (a[i] == 'n' || a[i] == 'N'))
 568             {
 569                 matchlen = 6;
 570                 mask |= LISTEN;
 571 
 572             } else if (i >= 5 && (a[i-5] == 'a' || a[i-5] == 'A') &&
 573                                  (a[i-4] == 'c' || a[i-4] == 'C') &&
 574                                  (a[i-3] == 'c' || a[i-3] == 'C') &&
 575                                  (a[i-2] == 'e' || a[i-2] == 'E') &&
 576                                  (a[i-1] == 'p' || a[i-1] == 'P') &&
 577                                  (a[i] == 't' || a[i] == 'T'))
 578             {
 579                 matchlen = 6;
 580                 mask |= ACCEPT;
 581 
 582             } else {
 583                 // parse error
 584                 throw new IllegalArgumentException(
 585                         "invalid permission: " + action);
 586             }
 587 
 588             // make sure we didn't just match the tail of a word
 589             // like "ackbarfaccept".  Also, skip to the comma.
 590             boolean seencomma = false;
 591             while (i >= matchlen && !seencomma) {
 592                 switch(a[i-matchlen]) {
 593                 case ',':
 594                     seencomma = true;
 595                     break;
 596                 case ' ': case '\r': case '\n':
 597                 case '\f': case '\t':
 598                     break;
 599                 default:
 600                     throw new IllegalArgumentException(
 601                             "invalid permission: " + action);
 602                 }
 603                 i--;
 604             }
 605 
 606             // point i at the location of the comma minus one (or -1).
 607             i -= matchlen;
 608         }
 609 
 610         return mask;
 611     }
 612 
 613     private boolean isUntrusted()
 614         throws UnknownHostException
 615     {
 616         if (trusted) return false;
 617         if (invalid || untrusted) return true;
 618         try {
 619             if (!trustNameService && (defaultDeny ||
 620                 sun.net.www.URLConnection.isProxiedHost(hostname))) {
 621                 if (this.cname == null) {
 622                     this.getCanonName();
 623                 }
 624                 if (!match(cname, hostname)) {
 625                     // Last chance
 626                     if (!authorized(hostname, addresses[0].getAddress())) {
 627                         untrusted = true;
 628                         Debug debug = getDebug();
 629                         if (debug != null && Debug.isOn("failure")) {
 630                             debug.println("socket access restriction: proxied host " + "(" + addresses[0] + ")" + " does not match " + cname + " from reverse lookup");
 631                         }
 632                         return true;
 633                     }
 634                 }
 635                 trusted = true;
 636             }
 637         } catch (UnknownHostException uhe) {
 638             invalid = true;
 639             throw uhe;
 640         }
 641         return false;
 642     }
 643 
 644     /**
 645      * attempt to get the fully qualified domain name
 646      *
 647      */
 648     void getCanonName()
 649         throws UnknownHostException
 650     {
 651         if (cname != null || invalid || untrusted) return;
 652 
 653         // attempt to get the canonical name
 654 
 655         try {
 656             // first get the IP addresses if we don't have them yet
 657             // this is because we need the IP address to then get
 658             // FQDN.
 659             if (addresses == null) {
 660                 getIP();
 661             }
 662 
 663             // we have to do this check, otherwise we might not
 664             // get the fully qualified domain name
 665             if (init_with_ip) {
 666                 cname = addresses[0].getHostName(false).toLowerCase();
 667             } else {
 668              cname = InetAddress.getByName(addresses[0].getHostAddress()).
 669                                               getHostName(false).toLowerCase();
 670             }
 671         } catch (UnknownHostException uhe) {
 672             invalid = true;
 673             throw uhe;
 674         }
 675     }
 676 
 677     private transient String cdomain, hdomain;
 678 
 679     /**
 680      * previously we allowed domain names to be specified in IDN ACE form
 681      * Need to check for that and convert to Unicode
 682      */
 683     private static String checkForIDN(String name) {
 684         if (name.startsWith("xn--") || name.contains(".xn--")) {
 685             return IDN.toUnicode(name);
 686         } else {
 687             return name;
 688         }
 689     }
 690 
 691     private boolean match(String cname, String hname) {
 692         String a = checkForIDN(cname.toLowerCase());
 693         String b = checkForIDN(hname.toLowerCase());
 694         if (a.startsWith(b)  &&
 695             ((a.length() == b.length()) || (a.charAt(b.length()) == '.'))) {
 696             return true;
 697         }
 698         if (cdomain == null) {
 699             cdomain = RegisteredDomain.from(a)
 700                                       .map(RegisteredDomain::name)
 701                                       .orElse(a);
 702         }
 703         if (hdomain == null) {
 704             hdomain = RegisteredDomain.from(b)
 705                                       .map(RegisteredDomain::name)
 706                                       .orElse(b);
 707         }
 708 
 709         return !cdomain.isEmpty() && !hdomain.isEmpty() && cdomain.equals(hdomain);
 710     }
 711 
 712     private boolean authorized(String cname, byte[] addr) {
 713         if (addr.length == 4)
 714             return authorizedIPv4(cname, addr);
 715         else if (addr.length == 16)
 716             return authorizedIPv6(cname, addr);
 717         else
 718             return false;
 719     }
 720 
 721     private boolean authorizedIPv4(String cname, byte[] addr) {
 722         String authHost = "";
 723         InetAddress auth;
 724 
 725         try {
 726             authHost = "auth." +
 727                         (addr[3] & 0xff) + "." + (addr[2] & 0xff) + "." +
 728                         (addr[1] & 0xff) + "." + (addr[0] & 0xff) +
 729                         ".in-addr.arpa";
 730             // Following check seems unnecessary
 731             // auth = InetAddress.getAllByName0(authHost, false)[0];
 732             authHost = hostname + '.' + authHost;
 733             auth = InetAddress.getAllByName0(authHost, false)[0];
 734             if (auth.equals(InetAddress.getByAddress(addr))) {
 735                 return true;
 736             }
 737             Debug debug = getDebug();
 738             if (debug != null && Debug.isOn("failure")) {
 739                 debug.println("socket access restriction: IP address of " + auth + " != " + InetAddress.getByAddress(addr));
 740             }
 741         } catch (UnknownHostException uhe) {
 742             Debug debug = getDebug();
 743             if (debug != null && Debug.isOn("failure")) {
 744                 debug.println("socket access restriction: forward lookup failed for " + authHost);
 745             }
 746         }
 747         return false;
 748     }
 749 
 750     private boolean authorizedIPv6(String cname, byte[] addr) {
 751         String authHost = "";
 752         InetAddress auth;
 753 
 754         try {
 755             StringBuilder sb = new StringBuilder(39);
 756 
 757             for (int i = 15; i >= 0; i--) {
 758                 sb.append(Integer.toHexString(((addr[i]) & 0x0f)));
 759                 sb.append('.');
 760                 sb.append(Integer.toHexString(((addr[i] >> 4) & 0x0f)));
 761                 sb.append('.');
 762             }
 763             authHost = "auth." + sb.toString() + "IP6.ARPA";
 764             //auth = InetAddress.getAllByName0(authHost, false)[0];
 765             authHost = hostname + '.' + authHost;
 766             auth = InetAddress.getAllByName0(authHost, false)[0];
 767             if (auth.equals(InetAddress.getByAddress(addr)))
 768                 return true;
 769             Debug debug = getDebug();
 770             if (debug != null && Debug.isOn("failure")) {
 771                 debug.println("socket access restriction: IP address of " + auth + " != " + InetAddress.getByAddress(addr));
 772             }
 773         } catch (UnknownHostException uhe) {
 774             Debug debug = getDebug();
 775             if (debug != null && Debug.isOn("failure")) {
 776                 debug.println("socket access restriction: forward lookup failed for " + authHost);
 777             }
 778         }
 779         return false;
 780     }
 781 
 782 
 783     /**
 784      * get IP addresses. Sets invalid to true if we can't get them.
 785      *
 786      */
 787     void getIP()
 788         throws UnknownHostException
 789     {
 790         if (addresses != null || wildcard || invalid) return;
 791 
 792         try {
 793             // now get all the IP addresses
 794             String host;
 795             if (getName().charAt(0) == '[') {
 796                 // Literal IPv6 address
 797                 host = getName().substring(1, getName().indexOf(']'));
 798             } else {
 799                 int i = getName().indexOf(':');
 800                 if (i == -1)
 801                     host = getName();
 802                 else {
 803                     host = getName().substring(0,i);
 804                 }
 805             }
 806 
 807             addresses =
 808                 new InetAddress[] {InetAddress.getAllByName0(host, false)[0]};
 809 
 810         } catch (UnknownHostException uhe) {
 811             invalid = true;
 812             throw uhe;
 813         }  catch (IndexOutOfBoundsException iobe) {
 814             invalid = true;
 815             throw new UnknownHostException(getName());
 816         }
 817     }
 818 
 819     /**
 820      * Checks if this socket permission object "implies" the
 821      * specified permission.
 822      * <P>
 823      * More specifically, this method first ensures that all of the following
 824      * are true (and returns false if any of them are not):
 825      * <ul>
 826      * <li> <i>p</i> is an instanceof SocketPermission,
 827      * <li> <i>p</i>'s actions are a proper subset of this
 828      * object's actions, and
 829      * <li> <i>p</i>'s port range is included in this port range. Note:
 830      * port range is ignored when p only contains the action, 'resolve'.
 831      * </ul>
 832      *
 833      * Then {@code implies} checks each of the following, in order,
 834      * and for each returns true if the stated condition is true:
 835      * <ul>
 836      * <li> If this object was initialized with a single IP address and one of <i>p</i>'s
 837      * IP addresses is equal to this object's IP address.
 838      * <li>If this object is a wildcard domain (such as *.example.com), and
 839      * <i>p</i>'s canonical name (the name without any preceding *)
 840      * ends with this object's canonical host name. For example, *.example.com
 841      * implies *.foo.example.com.
 842      * <li>If this object was not initialized with a single IP address, and one of this
 843      * object's IP addresses equals one of <i>p</i>'s IP addresses.
 844      * <li>If this canonical name equals <i>p</i>'s canonical name.
 845      * </ul>
 846      *
 847      * If none of the above are true, {@code implies} returns false.
 848      * @param p the permission to check against.
 849      *
 850      * @return true if the specified permission is implied by this object,
 851      * false if not.
 852      */
 853     @Override
 854     public boolean implies(Permission p) {
 855         int i,j;
 856 
 857         if (!(p instanceof SocketPermission))
 858             return false;
 859 
 860         if (p == this)
 861             return true;
 862 
 863         SocketPermission that = (SocketPermission) p;
 864 
 865         return ((this.mask & that.mask) == that.mask) &&
 866                                         impliesIgnoreMask(that);
 867     }
 868 
 869     /**
 870      * Checks if the incoming Permission's action are a proper subset of
 871      * the this object's actions.
 872      * <P>
 873      * Check, in the following order:
 874      * <ul>
 875      * <li> Checks that "p" is an instanceof a SocketPermission
 876      * <li> Checks that "p"'s actions are a proper subset of the
 877      * current object's actions.
 878      * <li> Checks that "p"'s port range is included in this port range
 879      * <li> If this object was initialized with an IP address, checks that
 880      *      one of "p"'s IP addresses is equal to this object's IP address.
 881      * <li> If either object is a wildcard domain (i.e., "*.example.com"),
 882      *      attempt to match based on the wildcard.
 883      * <li> If this object was not initialized with an IP address, attempt
 884      *      to find a match based on the IP addresses in both objects.
 885      * <li> Attempt to match on the canonical hostnames of both objects.
 886      * </ul>
 887      * @param that the incoming permission request
 888      *
 889      * @return true if "permission" is a proper subset of the current object,
 890      * false if not.
 891      */
 892     boolean impliesIgnoreMask(SocketPermission that) {
 893         int i,j;
 894 
 895         if ((that.mask & RESOLVE) != that.mask) {
 896 
 897             // check simple port range
 898             if ((that.portrange[0] < this.portrange[0]) ||
 899                     (that.portrange[1] > this.portrange[1])) {
 900 
 901                 // if either includes the ephemeral range, do full check
 902                 if (this.includesEphemerals() || that.includesEphemerals()) {
 903                     if (!inRange(this.portrange[0], this.portrange[1],
 904                                      that.portrange[0], that.portrange[1]))
 905                     {
 906                                 return false;
 907                     }
 908                 } else {
 909                     return false;
 910                 }
 911             }
 912         }
 913 
 914         // allow a "*" wildcard to always match anything
 915         if (this.wildcard && "".equals(this.cname))
 916             return true;
 917 
 918         // return if either one of these NetPerm objects are invalid...
 919         if (this.invalid || that.invalid) {
 920             return compareHostnames(that);
 921         }
 922 
 923         try {
 924             if (this.init_with_ip) { // we only check IP addresses
 925                 if (that.wildcard)
 926                     return false;
 927 
 928                 if (that.init_with_ip) {
 929                     return (this.addresses[0].equals(that.addresses[0]));
 930                 } else {
 931                     if (that.addresses == null) {
 932                         that.getIP();
 933                     }
 934                     for (i=0; i < that.addresses.length; i++) {
 935                         if (this.addresses[0].equals(that.addresses[i]))
 936                             return true;
 937                     }
 938                 }
 939                 // since "this" was initialized with an IP address, we
 940                 // don't check any other cases
 941                 return false;
 942             }
 943 
 944             // check and see if we have any wildcards...
 945             if (this.wildcard || that.wildcard) {
 946                 // if they are both wildcards, return true iff
 947                 // that's cname ends with this cname (i.e., *.example.com
 948                 // implies *.foo.example.com)
 949                 if (this.wildcard && that.wildcard)
 950                     return (that.cname.endsWith(this.cname));
 951 
 952                 // a non-wildcard can't imply a wildcard
 953                 if (that.wildcard)
 954                     return false;
 955 
 956                 // this is a wildcard, lets see if that's cname ends with
 957                 // it...
 958                 if (that.cname == null) {
 959                     that.getCanonName();
 960                 }
 961                 return (that.cname.endsWith(this.cname));
 962             }
 963 
 964             // compare IP addresses
 965             if (this.addresses == null) {
 966                 this.getIP();
 967             }
 968 
 969             if (that.addresses == null) {
 970                 that.getIP();
 971             }
 972 
 973             if (!(that.init_with_ip && this.isUntrusted())) {
 974                 for (j = 0; j < this.addresses.length; j++) {
 975                     for (i=0; i < that.addresses.length; i++) {
 976                         if (this.addresses[j].equals(that.addresses[i]))
 977                             return true;
 978                     }
 979                 }
 980 
 981                 // XXX: if all else fails, compare hostnames?
 982                 // Do we really want this?
 983                 if (this.cname == null) {
 984                     this.getCanonName();
 985                 }
 986 
 987                 if (that.cname == null) {
 988                     that.getCanonName();
 989                 }
 990 
 991                 return (this.cname.equalsIgnoreCase(that.cname));
 992             }
 993 
 994         } catch (UnknownHostException uhe) {
 995             return compareHostnames(that);
 996         }
 997 
 998         // make sure the first thing that is done here is to return
 999         // false. If not, uncomment the return false in the above catch.
1000 
1001         return false;
1002     }
1003 
1004     private boolean compareHostnames(SocketPermission that) {
1005         // we see if the original names/IPs passed in were equal.
1006 
1007         String thisHost = hostname;
1008         String thatHost = that.hostname;
1009 
1010         if (thisHost == null) {
1011             return false;
1012         } else if (this.wildcard) {
1013             final int cnameLength = this.cname.length();
1014             return thatHost.regionMatches(true,
1015                                           (thatHost.length() - cnameLength),
1016                                           this.cname, 0, cnameLength);
1017         } else {
1018             return thisHost.equalsIgnoreCase(thatHost);
1019         }
1020     }
1021 
1022     /**
1023      * Checks two SocketPermission objects for equality.
1024      *
1025      * @param obj the object to test for equality with this object.
1026      *
1027      * @return true if <i>obj</i> is a SocketPermission, and has the
1028      *  same hostname, port range, and actions as this
1029      *  SocketPermission object. However, port range will be ignored
1030      *  in the comparison if <i>obj</i> only contains the action, 'resolve'.
1031      */
1032     @Override
1033     public boolean equals(Object obj) {
1034         if (obj == this)
1035             return true;
1036 
1037         if (! (obj instanceof SocketPermission))
1038             return false;
1039 
1040         SocketPermission that = (SocketPermission) obj;
1041 
1042         //this is (overly?) complex!!!
1043 
1044         // check the mask first
1045         if (this.mask != that.mask) return false;
1046 
1047         if ((that.mask & RESOLVE) != that.mask) {
1048             // now check the port range...
1049             if ((this.portrange[0] != that.portrange[0]) ||
1050                 (this.portrange[1] != that.portrange[1])) {
1051                 return false;
1052             }
1053         }
1054 
1055         // short cut. This catches:
1056         //  "crypto" equal to "crypto", or
1057         // "1.2.3.4" equal to "1.2.3.4.", or
1058         //  "*.edu" equal to "*.edu", but it
1059         //  does not catch "crypto" equal to
1060         // "crypto.foo.example.com".
1061 
1062         if (this.getName().equalsIgnoreCase(that.getName())) {
1063             return true;
1064         }
1065 
1066         // we now attempt to get the Canonical (FQDN) name and
1067         // compare that. If this fails, about all we can do is return
1068         // false.
1069 
1070         try {
1071             this.getCanonName();
1072             that.getCanonName();
1073         } catch (UnknownHostException uhe) {
1074             return false;
1075         }
1076 
1077         if (this.invalid || that.invalid)
1078             return false;
1079 
1080         if (this.cname != null) {
1081             return this.cname.equalsIgnoreCase(that.cname);
1082         }
1083 
1084         return false;
1085     }
1086 
1087     /**
1088      * Returns the hash code value for this object.
1089      *
1090      * @return a hash code value for this object.
1091      */
1092     @Override
1093     public int hashCode() {
1094         /*
1095          * If this SocketPermission was initialized with an IP address
1096          * or a wildcard, use getName().hashCode(), otherwise use
1097          * the hashCode() of the host name returned from
1098          * java.net.InetAddress.getHostName method.
1099          */
1100 
1101         if (init_with_ip || wildcard) {
1102             return this.getName().hashCode();
1103         }
1104 
1105         try {
1106             getCanonName();
1107         } catch (UnknownHostException uhe) {
1108 
1109         }
1110 
1111         if (invalid || cname == null)
1112             return this.getName().hashCode();
1113         else
1114             return this.cname.hashCode();
1115     }
1116 
1117     /**
1118      * Return the current action mask.
1119      *
1120      * @return the actions mask.
1121      */
1122 
1123     int getMask() {
1124         return mask;
1125     }
1126 
1127     /**
1128      * Returns the "canonical string representation" of the actions in the
1129      * specified mask.
1130      * Always returns present actions in the following order:
1131      * connect, listen, accept, resolve.
1132      *
1133      * @param mask a specific integer action mask to translate into a string
1134      * @return the canonical string representation of the actions
1135      */
1136     private static String getActions(int mask) {
1137         StringJoiner sj = new StringJoiner(",");
1138         if ((mask & CONNECT) == CONNECT) {
1139             sj.add("connect");
1140         }
1141         if ((mask & LISTEN) == LISTEN) {
1142             sj.add("listen");
1143         }
1144         if ((mask & ACCEPT) == ACCEPT) {
1145             sj.add("accept");
1146         }
1147         if ((mask & RESOLVE) == RESOLVE) {
1148             sj.add("resolve");
1149         }
1150         return sj.toString();
1151     }
1152 
1153     /**
1154      * Returns the canonical string representation of the actions.
1155      * Always returns present actions in the following order:
1156      * connect, listen, accept, resolve.
1157      *
1158      * @return the canonical string representation of the actions.
1159      */
1160     @Override
1161     public String getActions()
1162     {
1163         if (actions == null)
1164             actions = getActions(this.mask);
1165 
1166         return actions;
1167     }
1168 
1169     /**
1170      * Returns a new PermissionCollection object for storing SocketPermission
1171      * objects.
1172      * <p>
1173      * SocketPermission objects must be stored in a manner that allows them
1174      * to be inserted into the collection in any order, but that also enables the
1175      * PermissionCollection {@code implies}
1176      * method to be implemented in an efficient (and consistent) manner.
1177      *
1178      * @return a new PermissionCollection object suitable for storing SocketPermissions.
1179      */
1180     @Override
1181     public PermissionCollection newPermissionCollection() {
1182         return new SocketPermissionCollection();
1183     }
1184 
1185     /**
1186      * WriteObject is called to save the state of the SocketPermission
1187      * to a stream. The actions are serialized, and the superclass
1188      * takes care of the name.
1189      */
1190     @java.io.Serial
1191     private synchronized void writeObject(java.io.ObjectOutputStream s)
1192         throws IOException
1193     {
1194         // Write out the actions. The superclass takes care of the name
1195         // call getActions to make sure actions field is initialized
1196         if (actions == null)
1197             getActions();
1198         s.defaultWriteObject();
1199     }
1200 
1201     /**
1202      * readObject is called to restore the state of the SocketPermission from
1203      * a stream.
1204      */
1205     @java.io.Serial
1206     private synchronized void readObject(java.io.ObjectInputStream s)
1207          throws IOException, ClassNotFoundException
1208     {
1209         // Read in the action, then initialize the rest
1210         s.defaultReadObject();
1211         init(getName(),getMask(actions));
1212     }
1213 
1214     /**
1215      * Check the system/security property for the ephemeral port range
1216      * for this system. The suffix is either "high" or "low"
1217      */
1218     private static int initEphemeralPorts(String suffix, int defval) {
1219         return AccessController.doPrivileged(
1220             new PrivilegedAction<>(){
1221                 public Integer run() {
1222                     int val = Integer.getInteger(
1223                             "jdk.net.ephemeralPortRange."+suffix, -1
1224                     );
1225                     if (val != -1) {
1226                         return val;
1227                     } else {
1228                         return suffix.equals("low") ?
1229                             PortConfig.getLower() : PortConfig.getUpper();
1230                     }
1231                 }
1232             }
1233         );
1234     }
1235 
1236     /**
1237      * Check if the target range is within the policy range
1238      * together with the ephemeral range for this platform
1239      * (if policy includes ephemeral range)
1240      */
1241     private static boolean inRange(
1242         int policyLow, int policyHigh, int targetLow, int targetHigh
1243     )
1244     {
1245         final int ephemeralLow = EphemeralRange.low;
1246         final int ephemeralHigh = EphemeralRange.high;
1247 
1248         if (targetLow == 0) {
1249             // check policy includes ephemeral range
1250             if (!inRange(policyLow, policyHigh, ephemeralLow, ephemeralHigh)) {
1251                 return false;
1252             }
1253             if (targetHigh == 0) {
1254                 // nothing left to do
1255                 return true;
1256             }
1257             // continue check with first real port number
1258             targetLow = 1;
1259         }
1260 
1261         if (policyLow == 0 && policyHigh == 0) {
1262             // ephemeral range only
1263             return targetLow >= ephemeralLow && targetHigh <= ephemeralHigh;
1264         }
1265 
1266         if (policyLow != 0) {
1267             // simple check of policy only
1268             return targetLow >= policyLow && targetHigh <= policyHigh;
1269         }
1270 
1271         // policyLow == 0 which means possibly two ranges to check
1272 
1273         // first check if policy and ephem range overlap/contiguous
1274 
1275         if (policyHigh >= ephemeralLow - 1) {
1276             return targetHigh <= ephemeralHigh;
1277         }
1278 
1279         // policy and ephem range do not overlap
1280 
1281         // target range must lie entirely inside policy range or eph range
1282 
1283         return  (targetLow <= policyHigh && targetHigh <= policyHigh) ||
1284                 (targetLow >= ephemeralLow && targetHigh <= ephemeralHigh);
1285     }
1286     /*
1287     public String toString()
1288     {
1289         StringBuffer s = new StringBuffer(super.toString() + "\n" +
1290             "cname = " + cname + "\n" +
1291             "wildcard = " + wildcard + "\n" +
1292             "invalid = " + invalid + "\n" +
1293             "portrange = " + portrange[0] + "," + portrange[1] + "\n");
1294         if (addresses != null) for (int i=0; i<addresses.length; i++) {
1295             s.append( addresses[i].getHostAddress());
1296             s.append("\n");
1297         } else {
1298             s.append("(no addresses)\n");
1299         }
1300 
1301         return s.toString();
1302     }
1303 
1304     public static void main(String args[]) throws Exception {
1305         SocketPermission this_ = new SocketPermission(args[0], "connect");
1306         SocketPermission that_ = new SocketPermission(args[1], "connect");
1307         System.out.println("-----\n");
1308         System.out.println("this.implies(that) = " + this_.implies(that_));
1309         System.out.println("-----\n");
1310         System.out.println("this = "+this_);
1311         System.out.println("-----\n");
1312         System.out.println("that = "+that_);
1313         System.out.println("-----\n");
1314 
1315         SocketPermissionCollection nps = new SocketPermissionCollection();
1316         nps.add(this_);
1317         nps.add(new SocketPermission("www-leland.stanford.edu","connect"));
1318         nps.add(new SocketPermission("www-example.com","connect"));
1319         System.out.println("nps.implies(that) = " + nps.implies(that_));
1320         System.out.println("-----\n");
1321     }
1322     */
1323 }
1324 
1325 /**
1326 
1327 if (init'd with IP, key is IP as string)
1328 if wildcard, its the wild card
1329 else its the cname?
1330 
1331  *
1332  * @see java.security.Permission
1333  * @see java.security.Permissions
1334  * @see java.security.PermissionCollection
1335  *
1336  *
1337  * @author Roland Schemers
1338  *
1339  * @serial include
1340  */
1341 
1342 final class SocketPermissionCollection extends PermissionCollection
1343     implements Serializable
1344 {
1345     // Not serialized; see serialization section at end of class
1346     // A ConcurrentSkipListMap is used to preserve order, so that most
1347     // recently added permissions are checked first (see JDK-4301064).
1348     private transient ConcurrentSkipListMap<String, SocketPermission> perms;
1349 
1350     /**
1351      * Create an empty SocketPermissions object.
1352      *
1353      */
1354     public SocketPermissionCollection() {
1355         perms = new ConcurrentSkipListMap<>(new SPCComparator());
1356     }
1357 
1358     /**
1359      * Adds a permission to the SocketPermissions. The key for the hash is
1360      * the name in the case of wildcards, or all the IP addresses.
1361      *
1362      * @param permission the Permission object to add.
1363      *
1364      * @exception IllegalArgumentException - if the permission is not a
1365      *                                       SocketPermission
1366      *
1367      * @exception SecurityException - if this SocketPermissionCollection object
1368      *                                has been marked readonly
1369      */
1370     @Override
1371     public void add(Permission permission) {
1372         if (! (permission instanceof SocketPermission))
1373             throw new IllegalArgumentException("invalid permission: "+
1374                                                permission);
1375         if (isReadOnly())
1376             throw new SecurityException(
1377                 "attempt to add a Permission to a readonly PermissionCollection");
1378 
1379         SocketPermission sp = (SocketPermission)permission;
1380 
1381         // Add permission to map if it is absent, or replace with new
1382         // permission if applicable. NOTE: cannot use lambda for
1383         // remappingFunction parameter until JDK-8076596 is fixed.
1384         perms.merge(sp.getName(), sp,
1385             new java.util.function.BiFunction<>() {
1386                 @Override
1387                 public SocketPermission apply(SocketPermission existingVal,
1388                                               SocketPermission newVal) {
1389                     int oldMask = existingVal.getMask();
1390                     int newMask = newVal.getMask();
1391                     if (oldMask != newMask) {
1392                         int effective = oldMask | newMask;
1393                         if (effective == newMask) {
1394                             return newVal;
1395                         }
1396                         if (effective != oldMask) {
1397                             return new SocketPermission(sp.getName(),
1398                                                         effective);
1399                         }
1400                     }
1401                     return existingVal;
1402                 }
1403             }
1404         );
1405     }
1406 
1407     /**
1408      * Check and see if this collection of permissions implies the permissions
1409      * expressed in "permission".
1410      *
1411      * @param permission the Permission object to compare
1412      *
1413      * @return true if "permission" is a proper subset of a permission in
1414      * the collection, false if not.
1415      */
1416     @Override
1417     public boolean implies(Permission permission)
1418     {
1419         if (! (permission instanceof SocketPermission))
1420                 return false;
1421 
1422         SocketPermission np = (SocketPermission) permission;
1423 
1424         int desired = np.getMask();
1425         int effective = 0;
1426         int needed = desired;
1427 
1428         //System.out.println("implies "+np);
1429         for (SocketPermission x : perms.values()) {
1430             //System.out.println("  trying "+x);
1431             if (((needed & x.getMask()) != 0) && x.impliesIgnoreMask(np)) {
1432                 effective |=  x.getMask();
1433                 if ((effective & desired) == desired) {
1434                     return true;
1435                 }
1436                 needed = (desired ^ effective);
1437             }
1438         }
1439         return false;
1440     }
1441 
1442     /**
1443      * Returns an enumeration of all the SocketPermission objects in the
1444      * container.
1445      *
1446      * @return an enumeration of all the SocketPermission objects.
1447      */
1448     @Override
1449     @SuppressWarnings("unchecked")
1450     public Enumeration<Permission> elements() {
1451         return (Enumeration)Collections.enumeration(perms.values());
1452     }
1453 
1454     @java.io.Serial
1455     private static final long serialVersionUID = 2787186408602843674L;
1456 
1457     // Need to maintain serialization interoperability with earlier releases,
1458     // which had the serializable field:
1459 
1460     //
1461     // The SocketPermissions for this set.
1462     // @serial
1463     //
1464     // private Vector permissions;
1465 
1466     /**
1467      * @serialField permissions java.util.Vector
1468      *     A list of the SocketPermissions for this set.
1469      */
1470     @java.io.Serial
1471     private static final ObjectStreamField[] serialPersistentFields = {
1472         new ObjectStreamField("permissions", Vector.class),
1473     };
1474 
1475     /**
1476      * @serialData "permissions" field (a Vector containing the SocketPermissions).
1477      */
1478     /*
1479      * Writes the contents of the perms field out as a Vector for
1480      * serialization compatibility with earlier releases.
1481      */
1482     @java.io.Serial
1483     private void writeObject(ObjectOutputStream out) throws IOException {
1484         // Don't call out.defaultWriteObject()
1485 
1486         // Write out Vector
1487         Vector<SocketPermission> permissions = new Vector<>(perms.values());
1488 
1489         ObjectOutputStream.PutField pfields = out.putFields();
1490         pfields.put("permissions", permissions);
1491         out.writeFields();
1492     }
1493 
1494     /*
1495      * Reads in a Vector of SocketPermissions and saves them in the perms field.
1496      */
1497     @java.io.Serial
1498     private void readObject(ObjectInputStream in)
1499         throws IOException, ClassNotFoundException
1500     {
1501         // Don't call in.defaultReadObject()
1502 
1503         // Read in serialized fields
1504         ObjectInputStream.GetField gfields = in.readFields();
1505 
1506         // Get the one we want
1507         @SuppressWarnings("unchecked")
1508         Vector<SocketPermission> permissions = (Vector<SocketPermission>)gfields.get("permissions", null);
1509         perms = new ConcurrentSkipListMap<>(new SPCComparator());
1510         for (SocketPermission sp : permissions) {
1511             perms.put(sp.getName(), sp);
1512         }
1513     }
1514 
1515     /**
1516      * A simple comparator that orders new non-equal entries at the beginning.
1517      */
1518     private static class SPCComparator implements Comparator<String> {
1519         @Override
1520         public int compare(String s1, String s2) {
1521             if (s1.equals(s2)) {
1522                 return 0;
1523             }
1524             return -1;
1525         }
1526     }
1527 }