[31b67d5] | 1 | package net.deterlab.abac; |
---|
| 2 | |
---|
[7ef13e3] | 3 | import java.io.*; |
---|
| 4 | |
---|
| 5 | import java.util.*; |
---|
| 6 | import java.security.*; |
---|
| 7 | import java.security.cert.*; |
---|
| 8 | |
---|
[9725efb] | 9 | import net.deterlab.abac.Identity; |
---|
[90f939f] | 10 | |
---|
| 11 | import org.bouncycastle.asn1.*; |
---|
| 12 | import org.bouncycastle.x509.*; |
---|
| 13 | import org.bouncycastle.jce.provider.X509AttrCertParser; |
---|
[7ef13e3] | 14 | import org.bouncycastle.jce.provider.X509CertificateObject; |
---|
| 15 | import org.bouncycastle.openssl.PEMReader; |
---|
[90f939f] | 16 | |
---|
[31b67d5] | 17 | public class Credential { |
---|
[9725efb] | 18 | protected static Vector<Identity> s_ids = new Vector<Identity>(); |
---|
[31b67d5] | 19 | /** |
---|
| 20 | * Create a credential from a head and tail role. This is only for testing. |
---|
| 21 | * In a real implementation the Credential must be loaded from an X.509 |
---|
| 22 | * attribute cert. |
---|
| 23 | */ |
---|
| 24 | public Credential(Role head, Role tail) { |
---|
| 25 | m_head = head; |
---|
| 26 | m_tail = tail; |
---|
| 27 | } |
---|
| 28 | |
---|
[90f939f] | 29 | /** |
---|
[7ef13e3] | 30 | * Do the credential initialization from a filename. |
---|
[90f939f] | 31 | */ |
---|
[1a7e6d3] | 32 | protected void init(InputStream stream) throws Exception { |
---|
[90f939f] | 33 | X509AttrCertParser parser = new X509AttrCertParser(); |
---|
[1a7e6d3] | 34 | parser.engineInit(stream); |
---|
[90f939f] | 35 | m_ac = (X509V2AttributeCertificate)parser.engineRead(); |
---|
[7ef13e3] | 36 | m_id = null; |
---|
| 37 | |
---|
[9725efb] | 38 | for (Identity id: s_ids) { |
---|
[7ef13e3] | 39 | try { |
---|
[9725efb] | 40 | m_ac.verify(id.getCertificate().getPublicKey(), "BC"); |
---|
[7ef13e3] | 41 | m_id = id; |
---|
| 42 | break; |
---|
| 43 | } |
---|
[9725efb] | 44 | catch (InvalidKeyException e) { } |
---|
[7ef13e3] | 45 | } |
---|
| 46 | if (m_id == null) throw new InvalidKeyException("Unknown identity"); |
---|
[90f939f] | 47 | |
---|
| 48 | load_roles(); |
---|
| 49 | } |
---|
| 50 | |
---|
[7ef13e3] | 51 | /** |
---|
| 52 | * Create a credential from an attribute cert. Throws an exception if the |
---|
| 53 | * cert file can't be opened or if there's a format problem with the cert. |
---|
| 54 | */ |
---|
| 55 | public Credential(String filename) throws Exception { |
---|
[1a7e6d3] | 56 | init(new FileInputStream(filename)); |
---|
[7ef13e3] | 57 | } |
---|
| 58 | |
---|
| 59 | /** |
---|
| 60 | * Create a credential from an attribute cert. Throws an exception if the |
---|
| 61 | * cert file can't be opened or if there's a format problem with the cert. |
---|
| 62 | */ |
---|
| 63 | public Credential(File file) throws Exception { |
---|
[1a7e6d3] | 64 | init(new FileInputStream(file)); |
---|
| 65 | } |
---|
| 66 | |
---|
| 67 | /** |
---|
| 68 | * Create a credential from an InputStream. |
---|
| 69 | */ |
---|
| 70 | public Credential(InputStream s) throws Exception { |
---|
| 71 | init(s); |
---|
[7ef13e3] | 72 | } |
---|
| 73 | |
---|
| 74 | |
---|
[90f939f] | 75 | /** |
---|
| 76 | * Load the roles off the attribute cert. Throws a RuntimeException if |
---|
| 77 | * there's something wrong with the cert. |
---|
| 78 | */ |
---|
| 79 | private void load_roles() throws RuntimeException { |
---|
| 80 | String roles = null; |
---|
| 81 | try { |
---|
| 82 | X509Attribute attr = m_ac.getAttributes()[0]; |
---|
| 83 | |
---|
| 84 | DERSequence java = (DERSequence)attr.getValues()[0]; |
---|
| 85 | DERSequence fucking = (DERSequence)java.getObjectAt(0); |
---|
| 86 | DERUTF8String sucks = (DERUTF8String)fucking.getObjectAt(0); |
---|
| 87 | |
---|
| 88 | roles = sucks.getString(); |
---|
| 89 | } |
---|
| 90 | catch (Exception e) { |
---|
| 91 | throw new RuntimeException("Your attribute certificate is funky and I'm not gonna debug it", e); |
---|
| 92 | } |
---|
| 93 | |
---|
| 94 | String[] parts = roles.split("\\s*<--?\\s*"); |
---|
| 95 | if (parts.length != 2) |
---|
| 96 | throw new RuntimeException("Invalid attribute: " + roles); |
---|
| 97 | |
---|
| 98 | m_head = new Role(parts[0]); |
---|
| 99 | m_tail = new Role(parts[1]); |
---|
| 100 | } |
---|
| 101 | |
---|
[31b67d5] | 102 | /** |
---|
| 103 | * Get the head role from the credential. |
---|
| 104 | */ |
---|
| 105 | public Role head() { |
---|
| 106 | return m_head; |
---|
| 107 | } |
---|
| 108 | |
---|
| 109 | /** |
---|
| 110 | * Get the tail role from the credential |
---|
| 111 | */ |
---|
| 112 | public Role tail() { |
---|
| 113 | return m_tail; |
---|
| 114 | } |
---|
| 115 | |
---|
[90f939f] | 116 | /** |
---|
| 117 | * Gets the cert associated with this credential (if any). |
---|
| 118 | */ |
---|
| 119 | public X509V2AttributeCertificate cert() { |
---|
| 120 | return m_ac; |
---|
| 121 | } |
---|
| 122 | |
---|
[31b67d5] | 123 | /** |
---|
| 124 | * Turn the credential into string form. The format is head <- tail. For |
---|
| 125 | * example: A.r1 <- B.r2.r3. |
---|
| 126 | */ |
---|
| 127 | public String toString() { |
---|
| 128 | return m_head + " <- " + m_tail; |
---|
| 129 | } |
---|
| 130 | |
---|
[1a7e6d3] | 131 | public void write(OutputStream s) throws IOException { |
---|
| 132 | s.write(m_ac.getEncoded()); |
---|
| 133 | } |
---|
| 134 | |
---|
| 135 | public void write(String fn) throws IOException, FileNotFoundException { |
---|
| 136 | write(new FileOutputStream(fn)); |
---|
| 137 | } |
---|
| 138 | |
---|
| 139 | |
---|
[31b67d5] | 140 | private Role m_head, m_tail; |
---|
[90f939f] | 141 | |
---|
| 142 | private X509V2AttributeCertificate m_ac; |
---|
[9725efb] | 143 | private Identity m_id; |
---|
[7ef13e3] | 144 | |
---|
[9725efb] | 145 | public static void addIdentity(Identity id) { s_ids.add(id); } |
---|
| 146 | public static Collection<Identity> identities() { return s_ids; } |
---|
[31b67d5] | 147 | } |
---|