Context Navigation

source: java/net/deterlab/abac/Context.java @ 0100d7b

abac0-leakabac0-meimei-idmei-rt0-nmei_rt0tvf-new-xml

Last change on this file since 0100d7b was 8fdbdac, checked in by Ted Faber <faber@…>, 12 years ago
Missed a couple cases (ant didn't rebuild)
Property mode set to `100644`
File size: 34.7 KB

Rev	Line
[418b586]	1	package net.deterlab.abac;
	2
	3	import edu.uci.ics.jung.graph.*;
	4	import edu.uci.ics.jung.graph.util.*;
	5
	6	import java.io.*;
	7	import java.util.*;
[ad24705]	8	import java.util.regex.*;
[418b586]	9	import java.util.zip.*;
	10	import java.security.*;
	11	import java.security.cert.*;
	12
[0595372]	13	import org.bouncycastle.asn1.*;
	14	import org.bouncycastle.asn1.x509.*;
[418b586]	15	import org.bouncycastle.x509.*;
	16	import org.bouncycastle.openssl.*;
[238717d]	17	import org.bouncycastle.jce.provider.BouncyCastleProvider;
[418b586]	18
	19	/**
	20	* Represents a global graph of credentials in the form of principals and
[e36ea1d]	21	* attributes. Contains the identities and credentials that can be used in a
	22	* proof.
	23	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
[4560b65]	24	* @version 1.4
[418b586]	25	*/
	26	public class Context {
[e36ea1d]	27	/** Certificate imported successfully */
	28	public static final int ABAC_CERT_SUCCESS = 0;
	29	/** Certificate import failed, invalid certificate */
	30	public static final int ABAC_CERT_INVALID = -1;
	31	/** Certificate import failed, signature filed */
	32	public static final int ABAC_CERT_BAD_SIG = -2;
	33	/** Certificate import failed, unknown issuer */
	34	public static final int ABAC_CERT_MISSING_ISSUER = -3;
	35
	36	/** Internal graph representation */
[418b586]	37	protected Graph<Role,Credential> g;
[e36ea1d]	38	/** Set of edges in the graph that were added by the logic. */
[418b586]	39	protected Set<Credential> derived_edges;
[e36ea1d]	40	/** Internal persistent query object */
[418b586]	41	protected Query pq;
[e36ea1d]	42	/** True when the graph has been changed since the last set of implied
	43	* edges were calculated. */
[418b586]	44	protected boolean dirty;
[e36ea1d]	45	/** Set of identities known to this Context. */
[388a3d7]	46	protected Set<Identity> m_identities;
[d06c453]	47	/** The CredentialFactory for this Context */
	48	protected CredentialFactory credentialFactory;
[418b586]	49
[e36ea1d]	50	/** Translation from issuer CN to issuer pubkey identifier */
[418b586]	51	protected Map<String, String> nicknames;
[e36ea1d]	52	/** Translation from issuer pubkey identifier to issuer CN */
[418b586]	53	protected Map<String, String> keys;
	54
[238717d]	55	/** True once BouncyCastle has been loaded. */
	56	static boolean providerLoaded = false;
	57
	58	/**
	59	* Load the BouncyCastle provider, necessary for ABAC crypto (shouldn't
	60	* need to be called directly). This is called from the Context static
	61	* constructor and static constructors in other ABAC classes that use
	62	* BouncyCastle crypto (which loads a Context, which calls it as well) to
	63	* make sure crypto is available.
	64	*/
	65	static void loadBouncyCastle() {
	66	if ( !providerLoaded ) {
	67	AccessController.doPrivileged(new PrivilegedAction<Object>() {
	68	public Object run() {
	69	Security.addProvider(new BouncyCastleProvider());
	70	return null;
	71	}
	72	});
	73	providerLoaded = true;
	74	}
	75	}
	76
	77	/** Load the BouncyCastle provider. */
	78	static { loadBouncyCastle(); };
	79
[e36ea1d]	80	/**
	81	* The result of a query on this context. The credentials form a partial
	82	* or total proof, and success indicates whether the proof succeeded.
	83	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
[4560b65]	84	* @version 1.4
[e36ea1d]	85	*/
[1a80501]	86	public class QueryResult {
[e36ea1d]	87	/** Credentials returned */
[1a80501]	88	protected Collection<Credential> creds;
[e36ea1d]	89	/** True if the proof succeeded. */
[1a80501]	90	protected boolean success;
	91
[e36ea1d]	92	/**
	93	* Construct a result from components.
	94	* @param c the collection of credentials in the proof
	95	* @param s a boolean, true if the query succeeded.
	96	*/
	97	QueryResult(Collection<Credential> c, boolean s) {
[1a80501]	98	creds = c;
	99	success = s;
	100	}
	101
[e36ea1d]	102	/**
	103	* Empty constructor
	104	*/
[1a80501]	105	public QueryResult() {
	106	creds = new TreeSet<Credential>();
	107	success = false;
	108	}
	109
[e36ea1d]	110	/**
	111	* Return the credentials in the proof.
	112	* @return the collection of credentials
	113	*/
[1a80501]	114	public Collection<Credential> getCredentials() { return creds; }
[e36ea1d]	115	/**
	116	* Return the success in the proof.
	117	* @return the boolean, true on success
	118	*/
[1a80501]	119	public boolean getSuccess() { return success; }
	120	}
	121
	122
[e36ea1d]	123	/**
	124	* Create an empty Context.
	125	*/
[418b586]	126	public Context() {
	127	/* create the graph */
	128	g = Graphs.<Role,Credential>synchronizedDirectedGraph(
	129	new DirectedSparseGraph<Role,Credential>());
	130	derived_edges = new HashSet<Credential>();
	131	pq = new Query(g);
	132	dirty = false;
[388a3d7]	133	m_identities = new TreeSet<Identity>();
[418b586]	134	nicknames = new TreeMap<String, String>();
	135	keys = new TreeMap<String, String>();
[d06c453]	136	try {
	137	credentialFactory = new CredentialFactory();
	138	}
	139	catch (ABACException ignored) { }
[418b586]	140	}
	141
[e36ea1d]	142	/**
	143	* Create a context from another context.
	144	* @param c the Context to copy
	145	*/
[418b586]	146	public Context(Context c) {
	147	this();
[388a3d7]	148	for (Identity i: c.m_identities)
[6432e35]	149	load_id_chunk(i);
[418b586]	150	for (Credential cr: c.credentials())
[6432e35]	151	load_attribute_chunk(cr);
[418b586]	152	derive_implied_edges();
[d06c453]	153	try {
	154	credentialFactory = (CredentialFactory) c.credentialFactory.clone();
	155	}
	156	catch (CloneNotSupportedException ignored) { }
[418b586]	157	}
	158
[83cdf0f]	159	/**
	160	* Create a Context from a collection of Credentials. A jabac extension.
	161	* @param creds the collection of credentials
	162	*/
	163	public Context(Collection<Credential> creds) {
	164	this();
	165	for (Credential c: creds) {
	166	Identity i = c.issuer();
	167
	168	if (i != null ) load_id_chunk(i);
	169	load_attribute_chunk(c);
	170	}
	171	}
	172
[e36ea1d]	173	/**
	174	* Load an Identity from a file.
	175	* @param fn a String containing the file name.
	176	* @return one of the static int return codes.
	177	*/
[6432e35]	178	public int load_id_file(String fn) { return load_id_chunk(new File(fn)); }
[e36ea1d]	179	/**
	180	* Load an Identity from a file.
	181	* @param fn a File containing the file name.
	182	* @return one of the static int return codes.
	183	*/
[6432e35]	184	public int load_id_file(File fn) { return load_id_chunk(fn); }
[e36ea1d]	185	/**
	186	* Load an Identity from an object. Supported objects are an Identity, a
	187	* String, a File, or a java.security.cert.X509Certificate. A string
	188	* creates an new identity, and the others are derived from the contents of
	189	* the data or file.
	190	* @param c an object convertable to an identity as above.
	191	* @return one of the static int return codes.
	192	*/
[6432e35]	193	public int load_id_chunk(Object c) {
[418b586]	194	try {
	195	if (c instanceof Identity)
	196	addIdentity((Identity) c);
	197	else if (c instanceof String)
	198	addIdentity(new Identity((String) c));
	199	else if (c instanceof File)
	200	addIdentity(new Identity((File) c));
	201	else if (c instanceof X509Certificate)
	202	addIdentity(new Identity((X509Certificate) c));
	203	else
	204	return ABAC_CERT_INVALID;
	205	}
[8fdbdac]	206	catch (BadSignatureException sig) {
[418b586]	207	return ABAC_CERT_BAD_SIG;
	208	}
	209	catch (Exception e) {
	210	return ABAC_CERT_INVALID;
	211	}
	212	return ABAC_CERT_SUCCESS;
	213	}
	214
[e36ea1d]	215	/**
	216	* Load an attribute certificate from a file.
	217	* @param fn a String containing the file name.
	218	* @return one of the static int return codes.
	219	*/
[6432e35]	220	public int load_attribute_file(String fn) {
	221	return load_attribute_chunk(new File(fn));
[418b586]	222	}
	223
[e36ea1d]	224	/**
	225	* Load an attribute certificate from a file.
	226	* @param fn a File containing the file name.
	227	* @return one of the static int return codes.
	228	*/
[6432e35]	229	public int load_attribute_file(File fn) { return load_attribute_chunk(fn); }
[418b586]	230
[e36ea1d]	231	/**
[7f16578]	232	* Load an Credential from an object. Supported objects are a Credential, a
[e36ea1d]	233	* String, a File, or an org.bouncycastle.x509.X509V2AttributeCertificate.
	234	* A string creates an new Credential, and the others are derived from the
	235	* contents of the data or file.
	236	* @param c an object convertable to a Credential as above.
	237	* @return one of the static int return codes.
	238	*/
[6432e35]	239	public int load_attribute_chunk(Object c) {
[418b586]	240	try {
[7f16578]	241	Credential[] creds = null;
	242
	243	if (c instanceof Credential) {
[418b586]	244	add_credential((Credential) c);
[7f16578]	245	return ABAC_CERT_SUCCESS;
	246	} else if (c instanceof String) {
[d06c453]	247	creds = credentialFactory.parseCredential(
[f84d71e]	248	(String) c, m_identities);
[7f16578]	249	} else if (c instanceof File) {
[d06c453]	250	creds = credentialFactory.parseCredential(
[f84d71e]	251	(File) c, m_identities);
[7f16578]	252	} else if ( c instanceof X509V2AttributeCertificate) {
[3612811]	253	add_credential(new X509Credential((X509V2AttributeCertificate)c,
[388a3d7]	254	m_identities));
[7f16578]	255	return ABAC_CERT_SUCCESS;
	256	} else return ABAC_CERT_INVALID;
	257
	258	if ( creds == null )
[418b586]	259	return ABAC_CERT_INVALID;
[7f16578]	260
	261	for (Credential cc: creds )
	262	add_credential(cc);
[418b586]	263	}
[3612811]	264	catch (MissingIssuerException sig) {
[388a3d7]	265	return ABAC_CERT_MISSING_ISSUER ;
	266	}
[3612811]	267	catch (BadSignatureException sig) {
[418b586]	268	return ABAC_CERT_BAD_SIG;
	269	}
[3612811]	270	catch (CertInvalidException e) {
	271	return ABAC_CERT_INVALID;
	272	}
	273	catch (ABACException ae) {
[418b586]	274	return ABAC_CERT_INVALID;
	275	}
	276	return ABAC_CERT_SUCCESS;
	277	}
	278
[e36ea1d]	279	/**
	280	* Determine if prinicpal possesses role in the current context. If so,
	281	* return a proof of that, otherwise return a partial proof of it.
	282	* @param role a String encoding the role to check for.
	283	* @param principal a String with the principal ID in it.
	284	* @return a Context.QueryResult containing the result.
	285	*/
[1a80501]	286	public QueryResult query(String role, String principal) {
[418b586]	287	derive_implied_edges();
	288
	289	Query q = new Query(g);
	290	Graph<Role, Credential> rg = q.run(role, principal);
[1a80501]	291
	292	return new QueryResult(rg.getEdges(), q.successful());
[418b586]	293	}
	294
	295	/**
[e36ea1d]	296	* Return a collection of the credentials in the graph.s
	297	* @return a collection of the credentials in the graph.
[418b586]	298	*/
	299	public Collection<Credential> credentials() {
	300	Collection<Credential> creds = new HashSet<Credential>();
	301
[ad24705]	302	// only non-derived edges
[418b586]	303	for (Credential cred : g.getEdges())
[ad24705]	304	if (!derived_edges.contains(cred))
[418b586]	305	creds.add(cred);
	306
	307	return creds;
	308	}
	309
[388a3d7]	310	/**
	311	* Return all the Identities known in this context. A jabac extension.
	312	* @return all the Identities known in this context.
	313	*/
	314	public Collection<Identity> identities() {
	315	return m_identities;
	316	}
	317
[e36ea1d]	318	/**
	319	* Returns true if the given Identity is known in this Context. A jabac
	320	* extension.
	321	* @param i the Identity to look for
	322	* @return a boolean, true if the Identity is known.
	323	*/
[238717d]	324	public boolean knowsIdentity(Identity i) { return m_identities.contains(i);}
[e36ea1d]	325	/**
	326	* Returns true if an Identity with the given string representation is
	327	* known in this Context. A jabac extension.
	328	* @param k the string representing the Identity to look for
	329	* @return a boolean, true if the Identity is known.
	330	*/
[53f5c27]	331	public boolean knowsKeyID(String k) {
	332	boolean known = false;
[388a3d7]	333	for (Identity i: m_identities)
[53f5c27]	334	if (k.equals(i.getKeyID())) return true;
	335	return false;
[418b586]	336	}
	337
[53f5c27]	338
[418b586]	339	/**
	340	* Add a credential to the graph.
[e36ea1d]	341	* @param cred the Credential to add
[418b586]	342	*/
[56ec930]	343	protected void add_credential(Credential cred) {
[418b586]	344	Role tail = cred.tail();
	345	Role head = cred.head();
	346
[f25a7ff]	347	// explicitly add the vertices, to avoid a null pointer exception
[418b586]	348	if ( !g.containsVertex(head))
	349	g.addVertex(head);
	350	if ( !g.containsVertex(tail))
	351	g.addVertex(tail);
	352
	353	if (!g.containsEdge(cred))
	354	g.addEdge(cred, tail, head);
	355
	356	// add the prereqs of an intersection to the graph
[8fdbdac]	357	if (tail.is_intersection()) {
	358	try {
	359	for (Role prereq : tail.prereqs())
	360	g.addVertex(prereq);
	361	} catch (ABACException ignored) { }
	362	}
[418b586]	363
	364	dirty = true;
	365	}
	366
	367	/**
	368	* Remove a credential from the graph.
[e36ea1d]	369	* @param cred the Credential to remove
[418b586]	370	*/
[56ec930]	371	protected void remove_credential(Credential cred) {
[418b586]	372	if (g.containsEdge(cred))
	373	g.removeEdge(cred);
	374	dirty = true;
	375	}
	376
	377	/**
	378	* Add a role w/o an edge
[e36ea1d]	379	* @param v the Role to add
[418b586]	380	*/
[56ec930]	381	protected void add_vertex(Role v) {
[418b586]	382	if (!g.containsVertex(v)) {
	383	g.addVertex(v);
	384	dirty = true;
	385	}
	386	}
	387
[e36ea1d]	388	/**
	389	* Remove a role and connected edges.
	390	* @param v the Role to remove
	391	*/
[56ec930]	392	protected void remove_vertex(Role v) {
[418b586]	393	if (g.containsVertex(v)) {
	394	g.removeVertex(v);
	395	dirty = true;
	396	}
	397	}
	398
	399	/**
	400	* Derive the implied edges in the graph, according to RT0 derivation rules.
	401	* They are added to this graph. See "Distributed Credential Chain Discovery
	402	* in Trust Management" by Ninghui Li et al. for details. Note that a
	403	* derived linking edge can imply a new intersection edge and vice versa.
	404	* Therefore we iteratively derive edges, giving up when an iteration
	405	* produces 0 new edges.
	406	*/
	407	protected synchronized void derive_implied_edges() {
	408	// nothing to do on a clean graph
	409	if (!dirty)
	410	return;
	411
	412	clear_old_edges();
	413
	414	// iteratively derive links. continue as long as new links are added
	415	while (derive_links_iter() > 0)
	416	;
	417	dirty = false;
	418	}
	419
	420	/**
	421	* Single iteration of deriving implied edges. Returns the number of new
	422	* links added.
[e36ea1d]	423	* @return the number of new links added.
[418b586]	424	*/
	425	protected int derive_links_iter() {
	426	int count = 0;
	427
	428	/* for every node in the graph.. */
	429	for (Role vertex : g.getVertices()) {
	430	if (vertex.is_intersection()) {
	431	// for each prereq edge:
	432	// find set of principals that have the prereq
[f25a7ff]	433	// find the intersection of all sets (i.e., principals
	434	// that satisfy all prereqs)
[418b586]	435	// for each principal in intersection:
	436	// add derived edge
	437
	438	Set<Role> principals = null;
[8fdbdac]	439	try {
	440	for (Role prereq : vertex.prereqs()) {
	441	Set<Role> cur_principals = pq.find_principals(prereq);
	442
	443	if (principals == null)
	444	principals = cur_principals;
	445	else
	446	// no, they couldn't just call it "intersection"
	447	principals.retainAll(cur_principals);
	448
	449	if (principals.size() == 0)
	450	break;
	451	}
	452	}
	453	catch (ABACException ignored) { }
[418b586]	454
	455	// add em
	456	for (Role principal : principals)
	457	if (add_derived_edge(vertex, principal))
	458	++count;
	459	}
	460
	461	else if (vertex.is_linking()) {
	462	// make the rest of the code a bit clearer
	463	Role A_r1_r2 = vertex;
	464
	465	Role A_r1 = new Role(A_r1_r2.A_r1());
	466	String r2 = A_r1_r2.r2();
	467
	468	/* locate the node A.r1 */
[f25a7ff]	469	if (!g.containsVertex(A_r1)) continue;
[418b586]	470
	471	/* for each B that satisfies A_r1 */
	472	for (Role principal : pq.find_principals(A_r1)) {
	473	Role B_r2 = new Role(principal + "." + r2);
	474	if (!g.containsVertex(B_r2)) continue;
	475
	476	if (add_derived_edge(A_r1_r2, B_r2))
	477	++count;
	478	}
	479	}
	480	}
	481
	482	return count;
	483	}
	484
	485	/**
	486	* Add a derived edge in the graph. Returns true only if the edge does not
	487	* exist.
[e36ea1d]	488	* @return a boolean, true if an edge has been added
[418b586]	489	*/
	490	protected boolean add_derived_edge(Role head, Role tail) {
	491	// edge exists: return false
	492	if (g.findEdge(tail, head) != null)
	493	return false;
	494
	495	// add the new edge
[3612811]	496	Credential derived_edge = new InternalCredential(head, tail);
[418b586]	497	derived_edges.add(derived_edge);
	498	g.addEdge(derived_edge, tail, head);
	499
	500	return true;
	501	}
	502
	503	/**
	504	* Clear the derived edges that currently exist in the graph. This is done
	505	* before the edges are rederived. The derived edges in filtered graphs are
	506	* also cleared.
	507	*/
	508	protected void clear_old_edges() {
	509	for (Credential i: derived_edges)
	510	g.removeEdge(i);
	511	derived_edges = new HashSet<Credential>();
	512	}
[3f928b0]	513
[418b586]	514	/**
	515	* Put the Identity into the set of ids used to validate certificates.
	516	* Also put the keyID and name into the translation mappings used by Roles
	517	* to pretty print. In the role mapping, if multiple ids use the same
	518	* common name they are disambiguated. Only one entry for keyid is
	519	* allowed.
[6432e35]	520	* @param id the Identity to add
[418b586]	521	*/
	522	protected void addIdentity(Identity id) {
[3f928b0]	523	if (m_identities.contains(id))
[7f614c1]	524	return;
[388a3d7]	525	m_identities.add(id);
[418b586]	526	if (id.getName() != null && id.getKeyID() != null) {
	527	if ( !keys.containsKey(id.getKeyID()) ) {
	528	String name = id.getName();
	529	int n= 1;
	530
	531	while (nicknames.containsKey(name)) {
	532	name = id.getName() + n++;
	533	}
	534	nicknames.put(name, id.getKeyID());
	535	keys.put(id.getKeyID(), name);
	536	}
	537	}
	538	}
	539	/**
	540	* Translate either keys to nicknames or vice versa. Break the string into
	541	* space separated tokens and then each of them into period separated
	542	* strings. If any of the smallest strings is in the map, replace it with
	543	* the value.
[e36ea1d]	544	* @param is the string to manipulate
	545	* @param m the Map containing translations
	546	* @return the string after modification
[418b586]	547	*/
	548	protected String replace(String is, Map<String, String> m) {
	549	String rv = "";
	550	for (String tok: is.split(" ")) {
	551	String term = "";
	552	for (String s: tok.split("\\.")) {
	553	String next = m.containsKey(s) ? m.get(s) : s;
	554
	555	if (term.isEmpty()) term = next;
	556	else term += "." + next;
	557	}
	558	if (rv.isEmpty()) rv = term;
	559	else rv += " " + term;
	560	}
	561	return rv;
	562	}
	563
[e36ea1d]	564	/**
	565	* Expand menmonic names in a Role string, e.g. the CN of the issuer
	566	* certificate, into the full key ID. Used internally by Roles to provide
	567	* transparent use of mnemonics
	568	* @param s the string to expand
	569	* @return the String after expansion.
	570	*/
	571	String expandKeyID(String s) { return replace(s, nicknames); }
	572	/**
	573	* Convert key IDs to menmonic names in a Role string. The inverse of
	574	* expandKeyID.
	575	* @param s the string to expand
	576	* @return the String after expansion.
	577	*/
	578	String expandNickname(String s) { return replace(s, keys); }
[418b586]	579
[39526ce]	580	/**
	581	* Read the current ZipEntry's bytes from z. Tedious because there's no
	582	* way to reliably tell how big the entry is, so we have to rely on a
	583	* simple expanding array read of the bytes.
	584	*/
	585	protected byte[] readCurrentZipEntry(ZipInputStream z) throws IOException {
	586	final int bsize = 4096;
	587	byte[] buf = new byte[bsize];
	588	byte[] rv = new byte[0];
	589	int r = 0;
	590
	591	// z.read returns -1 at the end of entry
	592	while ((r = z.read(buf, 0, bsize)) != -1 ) {
	593	byte[] b = new byte[rv.length + r];
	594
	595	System.arraycopy(rv, 0, b, 0, rv.length);
	596	System.arraycopy(buf, 0, b, rv.length, r);
	597	rv = b;
	598	}
	599	return rv;
	600	}
	601
[418b586]	602	/**
	603	* Import a zip file. First import all the identities
	604	* (pem), then the credentials (der) into the credential graph then any
	605	* alias files into the two maps. If keys is not null, any key pairs in
	606	* PEM files are put in there. If errors is not null, errors reading files
[6432e35]	607	* are added indexed by filename. This is a jabac extension.
[39526ce]	608	* @param s the InputStream to read
[e36ea1d]	609	* @param keys a Collection into which to insert unmatched keys
	610	* @param errors a Map from entry name to generated exception
	611	* @throws IOException if the file is unreadable. Per entry exceptions are
	612	* returned in the errors parameter.
[418b586]	613	*/
[39526ce]	614	public void load_zip(InputStream s, Collection<KeyPair> keys,
[418b586]	615	Map<String, Exception> errors) throws IOException {
[39526ce]	616	Map<String, byte[]> derEntries = new HashMap<String, byte[]>();
[418b586]	617	Map<String, Identity> ids = new TreeMap<String, Identity>();
	618	Map<String, KeyPair> kps = new TreeMap<String, KeyPair>();
[39526ce]	619	int entries = 0;
[418b586]	620
[39526ce]	621	ZipInputStream z = new ZipInputStream(s);
[418b586]	622
[39526ce]	623	for (ZipEntry ze = z.getNextEntry(); ze != null; ze = z.getNextEntry()){
[418b586]	624	try {
[39526ce]	625	entries++;
	626	byte[] buf = readCurrentZipEntry(z);
[418b586]	627	PEMReader r = new PEMReader(
[39526ce]	628	new InputStreamReader(new ByteArrayInputStream(buf)));
[418b586]	629	Object o = readPEM(r);
	630
	631	if ( o != null ) {
	632	if (o instanceof Identity) {
	633	Identity i = (Identity) o;
	634	String kid = i.getKeyID();
	635
	636	if (kps.containsKey(kid) ) {
	637	i.setKeyPair(kps.get(kid));
	638	kps.remove(kid);
	639	}
	640	else if (i.getKeyPair() == null )
	641	ids.put(i.getKeyID(), i);
	642
[6432e35]	643	load_id_chunk(i);
[418b586]	644	}
	645	else if (o instanceof KeyPair ) {
	646	KeyPair kp = (KeyPair) o;
[0595372]	647	String kid = extractKeyID(kp.getPublic());
[418b586]	648
	649	if (ids.containsKey(kid)) {
	650	Identity i = ids.get(kid);
	651
	652	i.setKeyPair(kp);
	653	ids.remove(kid);
	654	}
	655	else {
	656	kps.put(kid, kp);
	657	}
	658	}
	659	}
	660	else {
	661	// Not a PEM file
[39526ce]	662	derEntries.put(ze.getName(),buf);
[418b586]	663	continue;
	664	}
	665	}
	666	catch (Exception e ) {
[39526ce]	667	if (errors != null ) errors.put(ze.getName(), e);
[418b586]	668	}
	669	}
	670
[39526ce]	671	for ( String k: derEntries.keySet() ) {
[418b586]	672	try {
[d06c453]	673	Credential[] creds = credentialFactory.parseCredential(
[39526ce]	674	new ByteArrayInputStream(derEntries.get(k)),
[3612811]	675	m_identities);
	676	for (Credential c: creds)
	677	add_credential(c);
[418b586]	678	}
	679	catch (Exception e ) {
[39526ce]	680	if (errors != null ) errors.put(k, e);
[418b586]	681	}
	682	}
[39526ce]	683
	684	if (entries == 0)
	685	throw new IOException("Not a ZIP file (or empty ZIP file)");
	686	}
	687	/**
	688	* Equivalent to load_zip(s, null, null).
	689	* @param s the InputStream to read
	690	* @throws IOException if the file is unreadable. To see per-entry
	691	* exceptions use a signature with the errors parameter
	692	*/
	693	public void load_zip(InputStream s)
	694	throws IOException {
	695	load_zip(s, null, null);
	696	}
	697	/**
	698	* Equivalent to load_zip(s, null, errors).
	699	* @param s the InputStream to read
	700	* @param errors a Map from entry name to generated exception
	701	* @throws IOException if the file is unreadable. Per entry exceptions are
	702	* returned in the errors parameter.
	703	*/
	704	public void load_zip(InputStream s,
	705	Map<String, Exception> errors) throws IOException {
	706	load_zip(s, null, errors);
[418b586]	707	}
[e36ea1d]	708	/**
[39526ce]	709	* Equivalent to load_zip(s, keys, null).
	710	* @param s the InputStream to read
	711	* @param keys a Collection into which to insert unmatched keys
	712	* @throws IOException if the file is unreadable. To see per-entry
	713	* exceptions use a signature with the errors parameter
	714	*/
	715	public void load_zip(InputStream s,
	716	Collection<KeyPair> keys) throws IOException {
	717	load_zip(s, keys, null);
	718	}
	719
	720	/**
	721	* Loads a zip file. Equivalent to
	722	* load_zip(new FileInputStream(zf), keys, errors).
	723	* @param zf the File to read
	724	* @param keys a Collection into which to insert unmatched keys
	725	* @param errors a Map from entry name to generated exception
	726	* @throws IOException if the file is unreadable. Per entry exceptions are
	727	* returned in the errors parameter.
	728	*/
	729	public void load_zip(File zf, Collection<KeyPair> keys,
	730	Map<String, Exception> errors) throws IOException {
	731	load_zip(new FileInputStream(zf), keys, errors);
	732	}
	733	/**
	734	* Equivalent to load_zip(d, null, null).
[e36ea1d]	735	* @param d the File to read
	736	* @throws IOException if the file is unreadable. To see per-entry
	737	* exceptions use a signature with the errors parameter
	738	*/
[39526ce]	739	public void load_zip(File d)
[418b586]	740	throws IOException {
[39526ce]	741	load_zip(d, null, null);
[418b586]	742	}
[e36ea1d]	743	/**
[39526ce]	744	* Equivalent to load_zip(d, null, errors).
[e36ea1d]	745	* @param d the File to read
	746	* @param errors a Map from entry name to generated exception
	747	* @throws IOException if the file is unreadable. Per entry exceptions are
	748	* returned in the errors parameter.
	749	*/
[39526ce]	750	public void load_zip(File d,
[418b586]	751	Map<String, Exception> errors) throws IOException {
[39526ce]	752	load_zip(d, null, errors);
[418b586]	753	}
[e36ea1d]	754	/**
[39526ce]	755	* Equivalent to load_zip(d, keys, null).
[e36ea1d]	756	* @param d the File to read
	757	* @param keys a Collection into which to insert unmatched keys
	758	* @throws IOException if the file is unreadable. To see per-entry
	759	* exceptions use a signature with the errors parameter
	760	*/
[39526ce]	761	public void load_zip(File d,
[418b586]	762	Collection<KeyPair> keys) throws IOException {
[39526ce]	763	load_zip(d, keys, null);
[418b586]	764	}
	765
[e36ea1d]	766	/**
	767	* Read a PEM file that contains an X509 Certificate, a key pair, or both.
	768	* If a cert is present it is converted into an Identity. A key pair is
	769	* returned as a java.security.KeyPair and both are returned as an Identity
	770	* with an associated key pair.
	771	* @param r a PEMReader from which to read
	772	* @return an object encoding the contents (as above)
	773	* @throws IOException for an unreadable or badly formated input
	774	*/
[418b586]	775	protected Object readPEM(PEMReader r) throws IOException {
	776	Identity i = null;
	777	KeyPair keys = null;
	778	Object o = null;
	779
	780	while ( (o = r.readObject()) != null ) {
	781	if (o instanceof X509Certificate) {
	782	if ( i == null ) {
	783	try {
	784	i = new Identity((X509Certificate)o);
	785	}
	786	catch (Exception e) {
	787	// Translate Idenitiy exceptions to IOException
	788	throw new IOException(e);
	789	}
	790	if (keys != null ) {
	791	i.setKeyPair(keys);
	792	keys = null;
	793	}
	794	}
	795	else throw new IOException("Two certificates");
	796	}
	797	else if (o instanceof KeyPair ) {
	798	if ( i != null ) i.setKeyPair((KeyPair) o);
	799	else keys = (KeyPair) o;
	800	}
	801	else {
	802	throw new IOException("Unexpected PEM object: " +
	803	o.getClass().getName());
	804	}
	805	}
	806
	807	if ( i != null ) return i;
	808	else if ( keys != null) return keys;
	809	else return null;
	810	}
	811
	812	/**
	813	* Import a directory full of files. First import all the identities
	814	* (pem), then the credentials (der) into the credential graph then any
	815	* alias files into the two maps. If keys is not null, any key pairs in
	816	* PEM files are put in there. If errors is not null, errors reading files
[6432e35]	817	* are added indexed by filename. This behaves slightly differently from
	818	* the load_directory description in the general libabac documentation.
[e36ea1d]	819	* @param d the File to read. If it is a directory its contents are read
	820	* @param keys a Collection into which to insert unmatched keys
	821	* @param errors a Map from entry name to generated exception
	822	* @throws IOException if the file is unreadable. Per file exceptions are
	823	* returned in the errors parameter.
[418b586]	824	*/
[6432e35]	825	public void load_directory(File d, Collection<KeyPair> keys,
[418b586]	826	Map<String, Exception> errors) {
	827	Vector<File> derFiles = new Vector<File>();
	828	Collection<File> files = new Vector<File>();
	829	Map<String, Identity> ids = new TreeMap<String, Identity>();
	830	Map<String, KeyPair> kps = new TreeMap<String, KeyPair>();
	831
	832	if (d.isDirectory() )
	833	for (File f : d.listFiles())
	834	files.add(f);
	835	else files.add(d);
	836
	837	for (File f: files ) {
	838	try {
	839	PEMReader r = new PEMReader(new FileReader(f));
	840	Object o = readPEM(r);
	841
	842	if ( o != null ) {
	843	if (o instanceof Identity) {
	844	Identity i = (Identity) o;
	845	String kid = i.getKeyID();
	846
	847	if (kps.containsKey(kid) ) {
	848	i.setKeyPair(kps.get(kid));
	849	kps.remove(kid);
	850	}
	851	else if (i.getKeyPair() == null )
	852	ids.put(i.getKeyID(), i);
	853
[6432e35]	854	load_id_chunk(i);
[418b586]	855	}
	856	else if (o instanceof KeyPair ) {
	857	KeyPair kp = (KeyPair) o;
[0595372]	858	String kid = extractKeyID(kp.getPublic());
[418b586]	859
	860	if (ids.containsKey(kid)) {
	861	Identity i = ids.get(kid);
	862
	863	i.setKeyPair(kp);
	864	ids.remove(kid);
	865	}
	866	else {
	867	kps.put(kid, kp);
	868	}
	869	}
	870	}
	871	else {
	872	// Not a PEM file
	873	derFiles.add(f);
	874	continue;
	875	}
	876	}
	877	catch (Exception e ) {
	878	if (errors != null ) errors.put(f.getName(), e);
	879	}
	880	}
	881
	882	for ( File f : derFiles ) {
	883	try {
[d06c453]	884	Credential[] creds = credentialFactory.parseCredential(f,
[3612811]	885	m_identities);
	886	for (Credential c: creds)
	887	add_credential(c);
[418b586]	888	}
	889	catch (Exception e ) {
	890	if (errors != null ) errors.put(f.getName(), e);
	891	}
	892	}
	893	}
[e36ea1d]	894	/**
[6432e35]	895	* Equivalent to load_directory(d, null, null).
[e36ea1d]	896	* @param d the File to read. If it is a directory its contents are read
	897	* @throws IOException if the file is unreadable. To see per-file
	898	* exceptions use a signature with the errors parameter.
	899	*/
[6432e35]	900	public void load_directory(File d) {
	901	load_directory(d, null, null);
[418b586]	902	}
[e36ea1d]	903	/**
[6432e35]	904	* Equivalent to load_directory(d, null, null).
[e36ea1d]	905	* @param d the File to read. If it is a directory its contents are read
	906	* @param errors a Map from entry name to generated exception
	907	* @throws IOException if the file is unreadable. Per file exceptions are
	908	* returned in the errors parameter.
	909	*/
[6432e35]	910	public void load_directory(File d, Map<String, Exception> errors) {
	911	load_directory(d, null, errors);
[418b586]	912	}
[e36ea1d]	913	/**
[6432e35]	914	* Equivalent to load_directory(d, null, null).
[e36ea1d]	915	* @param d the File to read. If it is a directory its contents are read
	916	* @param keys a Collection into which to insert unmatched keys
	917	* @throws IOException if the file is unreadable. To see per-file
	918	* exceptions use a signature with the errors parameter.
	919	*/
[6432e35]	920	public void load_directory(File d, Collection<KeyPair> keys) {
	921	load_directory(d, keys, null);
[418b586]	922	}
	923
[ad24705]	924	/**
	925	* Load from a simple rt0 text format. A jabac extension. The format is
	926	* <br/>
	927	* # comments<br/>
	928	* role <- role<br/>
	929	* <br/>
	930	*
	931	* Spaces are not significant around the arrow and the tail can be as long
	932	* as needed.
[39526ce]	933	* @param s the InputStream to load
	934	* @throws IOException if there is an error getting the file open or in
	935	* format
[ad24705]	936	*/
[39526ce]	937	public void load_rt0(InputStream s)
[ad24705]	938	throws IOException {
	939	Pattern comment = Pattern.compile("(^\\s#\|^\\s$)");
[39526ce]	940	Pattern rule = Pattern.compile("([\\w\\.]+)\\s<-+\\s(.+)");
	941	LineNumberReader r = new LineNumberReader(new InputStreamReader(s));
[ad24705]	942	String line = null;
	943
	944	while ((line = r.readLine()) != null) {
	945	Matcher cm = comment.matcher(line);
	946	Matcher rm = rule.matcher(line);
	947
	948	if (cm.find()) continue;
	949	if (rm.find())
[3612811]	950	add_credential(new InternalCredential(new Role(rm.group(1)),
[ad24705]	951	new Role(rm.group(2))));
[39526ce]	952	else
	953	throw new RuntimeException("Unexpected format: line " +
	954	r.getLineNumber());
[ad24705]	955	}
	956	}
	957	/**
[39526ce]	958	* Equivalent to load_rt0(new FileInputStream(f)
[ad24705]	959	* @param f the File to load
	960	* @throws IOException if there is an error getting the file open
	961	*/
[39526ce]	962	public void load_rt0(File f) throws IOException {
	963	load_rt0(new FileInputStream(f));
[ad24705]	964	}
	965
	966
[e36ea1d]	967	/**
	968	* Write the certificates that make up the context as a zip file, with an
[3d13073]	969	* entry for each credential or identity. The files are all zipped in a
	970	* directory derived from the filename.
[39526ce]	971	* @param s the OutputStream to write
[e36ea1d]	972	* @param allIDs a boolean, if true write certificates for all Identities,
	973	* whether used in signing a credential or not.
	974	* @param withPrivateKeys a boolean, if true write the Identities as PEM
	975	* file containing both the certificate and the private keys.
[3d13073]	976	* @throws IOException if there is a problem writing the file.
[e36ea1d]	977	*/
[39526ce]	978	public void write_zip(OutputStream s, boolean allIDs,
	979	boolean withPrivateKeys) throws IOException {
	980	ZipOutputStream z = new ZipOutputStream(s);
[388a3d7]	981	Set<Identity> ids = allIDs ? m_identities : new TreeSet<Identity>();
[39526ce]	982	String baseDir = "creds";
[b6e7c18]	983	int idx = baseDir.indexOf('.');
	984
	985
	986	if (idx != -1)
	987	baseDir = baseDir.substring(0, idx);
[418b586]	988
	989	int n = 0;
	990	for (Credential c: credentials()) {
[b6e7c18]	991	z.putNextEntry(new ZipEntry(baseDir + File.separator +
	992	"attr" + n++ + ".der"));
[418b586]	993	c.write(z);
	994	z.closeEntry();
[d69593c]	995	if ( c.issuer() != null && !allIDs) ids.add(c.issuer());
[418b586]	996	}
	997	for (Identity i: ids) {
[b6e7c18]	998	z.putNextEntry(new ZipEntry(baseDir + File.separator +
	999	i.getName() + ".pem"));
[418b586]	1000	i.write(z);
	1001	if (withPrivateKeys)
	1002	i.writePrivateKey(z);
	1003	z.closeEntry();
	1004	}
	1005	z.close();
	1006	}
[39526ce]	1007	/**
	1008	* Equivalent to
	1009	* write_zip(new FileOutputStream(f), allIDs, withPrivateKeys).
	1010	* @param f the File to write
	1011	* @param allIDs a boolean, if true write certificates for all Identities,
	1012	* whether used in signing a credential or not.
	1013	* @param withPrivateKeys a boolean, if true write the Identities as PEM
	1014	* file containing both the certificate and the private keys.
	1015	* @throws IOException if there is a problem writing the file.
	1016	*/
	1017	public void write_zip(File f, boolean allIDs, boolean withPrivateKeys)
	1018	throws IOException {
	1019	write_zip(new FileOutputStream(f), allIDs, withPrivateKeys);
	1020	}
[418b586]	1021
[ad24705]	1022	/**
	1023	* Write to a simple rt0 text format. A jabac extension.
	1024	* The format is
	1025	* <br/>
	1026	* role <- role<br/>
	1027	* <br/>
	1028	*
	1029	* @param w a Writer to print on
	1030	* @param useKeyIDs a boolean, true to print key IDs not mnemonics
	1031	*/
	1032	public void write_rt0(Writer w, boolean useKeyIDs) {
	1033	PrintWriter pw = w instanceof PrintWriter ?
	1034	(PrintWriter) w : new PrintWriter(w);
	1035
	1036	for (Credential c: credentials())
	1037	pw.println(useKeyIDs ? c.toString() : c.simpleString(this));
	1038	pw.flush();
	1039	}
	1040
	1041	/**
	1042	* Call write_rt0 on a FileWriter derived from f.
	1043	* @param f the File to write to
	1044	* @param useKeyIDs a boolean, true to print key IDs not mnemonics
	1045	* @throws IOException if there is a problem writing the file.
	1046	*/
	1047	public void write_rt0(File f, boolean useKeyIDs) throws IOException {
	1048	write_rt0(new FileWriter(f), useKeyIDs);
	1049	}
	1050
	1051	/**
	1052	* Equivalent to write_rt0(w, false);
	1053	* @param w a Writer to print on
	1054	*/
	1055	public void write_rt0(Writer w) { write_rt0(w, false); }
	1056
	1057	/**
	1058	* Equivalent to write_rt0(f, false);
	1059	* @param f the File to write to
	1060	* @throws IOException if there is a problem writing the file.
	1061	*/
	1062	public void write_rt0(File f) throws IOException {
	1063	write_rt0(new FileWriter(f), false);
	1064	}
	1065
[d06c453]	1066	/**
	1067	* Return this Context's CredentialFactory.
	1068	* @return this Context's CredentialFactory.
	1069	*/
	1070	public CredentialFactory getCredentialFactory() {
	1071	return credentialFactory;
	1072	}
	1073
	1074	/**
	1075	* Set this Context's CredentialFactory.
	1076	* @param cf the new CredentialFactoty
	1077	*/
	1078	public void setCredentialFactory(CredentialFactory cf) {
	1079	credentialFactory = cf;
	1080	}
	1081
[aaadefd]	1082	/**
	1083	* Return a new credential supported by this Context. It is not inserted
	1084	* in the Context.
	1085	* @param head a Role, the head of the encoded ABAC statement
	1086	* @param tail a Role, the tail of the decoded ABAC statement
	1087	* @return a Credential encoding that ABAC statement
	1088	*/
	1089	public Credential newCredential(Role head, Role tail) {
	1090	return credentialFactory.generateCredential(head, tail);
	1091	}
	1092
[0595372]	1093	/**
[e36ea1d]	1094	* Get to the SHA1 hash of the key. Used by Roles and Identities to get a
	1095	* key ID.
	1096	* @param k the PublicKey to get the ID from.
	1097	* @return a String with the key identifier
[0595372]	1098	*/
[e36ea1d]	1099	static String extractKeyID(PublicKey k) {
[0595372]	1100	SubjectPublicKeyInfo ki = extractSubjectPublicKeyInfo(k);
	1101	SubjectKeyIdentifier id =
	1102	SubjectKeyIdentifier.createSHA1KeyIdentifier(ki);
	1103
	1104	// Now format it into a string for keeps
	1105	Formatter fmt = new Formatter(new StringWriter());
	1106	for (byte b: id.getKeyIdentifier())
	1107	fmt.format("%02x", b);
	1108	return fmt.out().toString();
	1109	}
	1110
	1111	/**
	1112	* Extratct the SubjectPublicKeyInfo. Useful for some other encryptions,
	1113	* notably Certificate.make_cert().
[e36ea1d]	1114	* @param k the PublicKey to get the ID from.
	1115	* @return a String with the key identifier
[0595372]	1116	*/
[e36ea1d]	1117	static SubjectPublicKeyInfo extractSubjectPublicKeyInfo(
[0595372]	1118	PublicKey k) {
	1119	ASN1Sequence seq = null;
	1120	try {
	1121	seq = (ASN1Sequence) new ASN1InputStream(
	1122	k.getEncoded()).readObject();
	1123	}
	1124	catch (IOException ie) {
	1125	// Badly formatted key??
	1126	return null;
	1127	}
	1128	return new SubjectPublicKeyInfo(seq);
	1129	}
	1130
[418b586]	1131	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: