source: java/net/deterlab/abac/Credential.java @ 8a9f7af

[31b67d5]1package net.deterlab.abac;
2
[7ef13e3]3import java.io.*;
[281158a]4import java.math.*;
[7ef13e3]5
6import java.util.*;
7import java.security.*;
8import java.security.cert.*;
9
[e36ea1d]10import javax.security.auth.x500.*;
[90f939f]11
12import org.bouncycastle.asn1.*;
[e9360e2]13import org.bouncycastle.asn1.x509.*;
[90f939f]14import org.bouncycastle.x509.*;
[e36ea1d]15import org.bouncycastle.x509.util.*;
16import org.bouncycastle.openssl.*;
17
/**
 * An ABAC credential, with or without an underlying certificate that
 * represents it.  These are edges in proof graphs and can be constructed from
 * their constituent Roles.
 * @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
 * @version 1.5
 */
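public abstract class Credential implements Comparable {
    /**
     * Default validity period (in seconds), one year.  Intended as the
     * interval subclasses use for {@link #make_cert(Identity)}.  This is a
     * process-wide, non-final setting: assigning to it changes the lifetime
     * of every credential issued with the default from then on, so treat a
     * write to it as a global configuration change, not a per-call option.
     */
    static public long defaultValidity = 3600L * 24L * 365L;
    /** The role at the head (null until set) */
    protected Role m_head;
    /** The role at the tail (null until set) */
    protected Role m_tail;
    /** The identity that issued the certificate (null when there is none) */
    protected Identity id;
    /** The expiration time of the credential (null when there is none) */
    protected Date m_expiration;
    /**
     * Suggested file suffix to save this format credential under.  Subclasses
     * should override it.
     */
    protected String suffix;
    /** Default file suffix. */
    private static final String defSuffix = ".cred";

    /**
     * Create an empty Credential: no roles, no issuer, no expiration, and the
     * default file suffix.
     */
    Credential() {
        m_head = m_tail = null;
        id = null;
        m_expiration = null;
        suffix = defSuffix;
    }

    /**
     * Create a credential from a head and tail role.  This credential has no
     * underlying certificate, and cannot be exported or used in real proofs.
     * make_cert can create a certificate for a credential initialized this
     * way.
     * @param head the Role at the head of the credential
     * @param tail the Role at the tail of the credential
     */
    Credential(Role head, Role tail) {
        this();
        m_head = head;
        m_tail = tail;
    }

    /**
     * Create a credential from an attribute cert in a file.  The base class
     * ignores both arguments and only builds an empty credential; subclasses
     * that parse a certificate format override this and are expected to throw
     * if the file can't be opened or parsed, or if none of the given
     * Identities validates it.
     * @param filename a String containing the filename to read
     * @param ids a Collection of Identities to use in validating the cert
     * @throws CertInvalidException if the stream is unparsable
     * @throws MissingIssuerException if none of the Identities can validate the
     *                              certificate
     * @throws BadSignatureException if the signature check fails
     */
    Credential(String filename, Collection<Identity> ids)
            throws ABACException { this(); }

    /**
     * Create a credential from an attribute cert in a file.  The base class
     * ignores both arguments and only builds an empty credential; subclasses
     * that parse a certificate format override this and are expected to throw
     * if the file can't be opened or parsed, or if none of the given
     * Identities validates it.
     * @param file the File to read
     * @param ids a Collection of Identities to use in validating the cert
     * @throws CertInvalidException if the stream is unparsable
     * @throws MissingIssuerException if none of the Identities can validate the
     *                              certificate
     * @throws BadSignatureException if the signature check fails
     */
    Credential(File file, Collection<Identity> ids)
            throws ABACException { this(); }

    /**
     * Create a credential from an InputStream.  The base class ignores both
     * arguments and only builds an empty credential; subclasses that parse a
     * certificate format override this and are expected to throw if the
     * stream can't be parsed or if none of the given Identities validates it.
     * @param s the InputStream to read
     * @param ids a Collection of Identities to use in validating the cert
     * @throws CertInvalidException if the stream is unparsable
     * @throws MissingIssuerException if none of the Identities can validate the
     *                              certificate
     * @throws BadSignatureException if the signature check fails
     */
    Credential(InputStream s, Collection<Identity> ids)
            throws ABACException { this(); }

    /**
     * Create a certificate from this credential issued by the given identity,
     * valid for the given time.
     * @param i the Identity that will issue the certificate
     * @param validity a long holding the number of seconds that the credential
     * is valid for.
     * @throws ABACException for Credential-specific errors
     * @throws MissingIssuerException the identity is invalid
     * @throws BadSignatureException if the signature creation fails
     */
    public abstract void make_cert(Identity i, long validity)
            throws ABACException;

    /**
     * Create a certificate from this credential issued by the given identity,
     * valid for the default interval (see {@link #defaultValidity}).
     * @param i the Identity that will issue the certificate
     * @throws ABACException for Credential-specific errors
     * @throws MissingIssuerException the identity is invalid
     * @throws BadSignatureException if the signature creation fails
     */
    public abstract void make_cert(Identity i) throws ABACException;

    /**
     * Return true if 2 credentials represent the same ABAC statement.  Two
     * distinct credentials are the same if both of their roles are the same;
     * a credential whose roles are not yet set is equal only to itself.
     * @param o an Object to compare
     * @return true if the Credentials have the same Roles
     */
    @Override
    public boolean equals(Object o) {
        if (this == o) return true;   // reflexive even while roles are unset
        if (!(o instanceof Credential)) return false;
        Credential c = (Credential) o;
        // An incompletely built credential never equals a distinct object;
        // this keeps equals() consistent with the identity hash used below.
        if (m_head == null || m_tail == null) return false;
        return m_head.equals(c.head()) && m_tail.equals(c.tail());
    }

    /**
     * Return a hash code for the Credential derived from its roles.  When
     * either role is unset the identity hash is used, matching equals().
     * @return an int, the hashCode
     */
    @Override
    public int hashCode() {
        if (m_head == null || m_tail == null) return super.hashCode();
        // Order-sensitive combination so A <- B and B <- A do not collide.
        return 31 * m_head.hashCode() + m_tail.hashCode();
    }

    /**
     * Compare 2 credentials for sorting.  They are ordered by their Roles,
     * head then tail; an unset (null) role sorts before any set role.  For
     * compatibility with earlier releases, an object that is not a Credential
     * sorts before this one rather than raising ClassCastException.
     * @param o an Object to compare
     * @return a negative value if this Credential is before, 0 if they are
     *              the same, and a positive value if this Credential is after
     *              the given object.
     */
    @Override
    public int compareTo(Object o) {
        if (!(o instanceof Credential)) return 1;
        Credential c = (Credential) o;

        // Heads are tested with equals() (not compareTo() == 0) to preserve the
        // original ordering rule exactly.
        if (Objects.equals(head(), c.head()))
            return compareRoles(tail(), c.tail());
        return compareRoles(head(), c.head());
    }

    /**
     * Null-tolerant role comparison used by compareTo: null orders first.
     * @param a a Role, possibly null
     * @param b a Role, possibly null
     * @return the usual negative/zero/positive comparison result
     */
    private static int compareRoles(Role a, Role b) {
        if (a == b) return 0;
        if (a == null) return -1;
        if (b == null) return 1;
        return a.compareTo(b);
    }

    /**
     * Get the head role from the credential.
     * @return the Role in the head (null if unset)
     */
    public Role head() { return m_head; }

    /**
     * Get the tail role from the credential.
     * @return the Role in the tail (null if unset)
     */
    public Role tail() { return m_tail; }

    /**
     * Get the expiration Date of the credential.
     * @return a copy of the expiration Date, or null if none is set
     */
    public Date expiration() {
        // Defensive copy: Date is mutable, so handing out the stored reference
        // would let any caller alter the expiration this credential reports.
        return m_expiration == null ? null : new Date(m_expiration.getTime());
    }

    /**
     * Return an untranslated string form of the credential. The format is head
     * &lt;- tail. For example: A.r1 &lt;- B.r2.r3.  Principal names are key
     * identifiers.
     * @return the string form
     */
    @Override
    public String toString() {
        return m_head + " <- " + m_tail;
    }

    /**
     * Return a translated string form of the credential. The format is head
     * &lt;- tail. For example: A.r1 &lt;- B.r2.r3.  Principal names are
     * shortened to mnemonics if the Context knows the identity.  An unset role
     * is rendered as "null", as in toString().
     * @param c the Context to translate names in
     * @return the string form
     */
    public String simpleString(Context c) {
        return roleString(m_head, c) + " <- " + roleString(m_tail, c);
    }

    /**
     * Translate one role for simpleString, tolerating an unset role.
     * @param r a Role, possibly null
     * @param c the Context to translate names in
     * @return the translated role, or "null"
     */
    private static String roleString(Role r, Context c) {
        return r == null ? "null" : r.simpleString(c);
    }

    /**
     * Output the external representation of the Credential to the OutputStream
     * given. Subclasses will overload this for their output format.
     * @param s the OutputStream on which to write
     * @throws IOException if there is an error writing.
     */
    public abstract void write(OutputStream s) throws IOException;

    /**
     * Output the external representation of the Credential to the filename
     * given. Subclasses will overload this for their output format.
     * @param fn a String containing the output filename
     * @throws IOException if there is an error writing (including
     *              FileNotFoundException when the file cannot be created).
     */
    public abstract void write(String fn) throws IOException;

    /**
     * Return true if this Credential has a certificate associated.  A jabac
     * extension.
     * @return true if this Credential has a certificate associated.
     */
    public abstract boolean hasCertificate();

    /**
     * Return the Identity that issued the underlying certificate (if any).  A
     * jabac extension.
     * @return the Identity that issued the underlying certificate, or null.
     */
    public Identity issuer() { return id; }

    /**
     * Return a suggested suffix for output files (most start with a ".").
     * @return a String, an optional suffix for output files.
     */
    public String getSuffix() { return suffix; }

    /**
     * Set the suggested suffix for output files (most start with a ".").
     * Available for subclasses to set the value without knowing the member
     * name.
     * @param suff a String, an optional suffix for output files.
     */
    protected void setSuffix(String suff) { suffix = suff; }
}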