Context Navigation

source: java/net/deterlab/abac/Credential.java @ b67a7ac

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml

Last change on this file since b67a7ac was e36ea1d, checked in by Ted Faber <faber@…>, 14 years ago
Initial javadocs
Property mode set to `100644`
File size: 16.2 KB

Rev	Line
[31b67d5]	1	package net.deterlab.abac;
	2
[7ef13e3]	3	import java.io.*;
[281158a]	4	import java.math.*;
[7ef13e3]	5
	6	import java.util.*;
	7	import java.security.*;
	8	import java.security.cert.*;
	9
[e36ea1d]	10	import javax.security.auth.x500.*;
[90f939f]	11
	12	import org.bouncycastle.asn1.*;
[e9360e2]	13	import org.bouncycastle.asn1.x509.*;
[90f939f]	14	import org.bouncycastle.x509.*;
[e36ea1d]	15	import org.bouncycastle.x509.util.*;
	16	import org.bouncycastle.openssl.*;
	17
	18	/**
	19	* An ABAC credential, with or without an underlying certificate that
	20	* represents it. These are edges in proof garphs and can be constructed from
	21	* their constituent Roles.
	22	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
	23	* @version 1.3
	24	*/
[88e139a]	25	public class Credential implements Comparable {
[e36ea1d]	26	/** The ASN1 OID for an IETF attribute. */
[281158a]	27	protected static String attrOID = "1.3.6.1.5.5.7.10.4";
[e36ea1d]	28	/** The ASN1 OID for AuthorityKeyIdentifier. */
[e9360e2]	29	protected static String authKeyOID = "2.5.29.35";
[9394f1f]	30
[e36ea1d]	31	/** The role at the head */
	32	protected Role m_head
	33	/** The role at the tail */;
[d69593c]	34	protected Role m_tail;
[e36ea1d]	35	/** The certificate representing this credential */
[d69593c]	36	protected X509V2AttributeCertificate ac;
[e36ea1d]	37	/** The identity that issued the certificate */
[d69593c]	38	protected Identity id;
[0595372]	39
[9394f1f]	40	/**
[e36ea1d]	41	* Create an empty Credential.
[9394f1f]	42	*/
	43	public Credential() {
	44	m_head = m_tail = null;
[0595372]	45	ac = null;
	46	id = null;
[9394f1f]	47	}
[31b67d5]	48	/**
[e36ea1d]	49	* Create a credential from a head and tail role. This credential has no
	50	* underlying certificate, and cannot be exported or used in real proofs.
	51	* make_cert can create a certificate for a credential initialized this
	52	* way.
	53	* @param head the Role at the head of the credential
	54	* @param tail the Role at the tail of the credential
[31b67d5]	55	*/
	56	public Credential(Role head, Role tail) {
	57	m_head = head;
	58	m_tail = tail;
[0595372]	59	ac = null;
	60	id = null;
[31b67d5]	61	}
	62
[90f939f]	63	/**
[e36ea1d]	64	* Do the credential extraction from an input stream. This parses the
	65	* certificate from the input stream and saves it. The contents must be
	66	* validated and parsed later.
	67	* @param stream the InputStream to read the certificate from.
	68	* @throws IOException if the stream is unparsable
[90f939f]	69	*/
[84f0e7a]	70	protected void read_certificate(InputStream stream)
[e36ea1d]	71	throws IOException {
	72	ac = new X509V2AttributeCertificate(stream);
[84f0e7a]	73	}
	74
[e36ea1d]	75	/**
	76	* Initialize a credential from parsed certificate. Validiate it against
	77	* the given identities and parse out the roles. Note that catching
	78	* java.security.GeneralSecurityException catches most of the exceptions
	79	* this throws.
	80	* @param ids a Collection of Identities to use in validating the cert
	81	* @throws CertificateException if the certificate is badly formatted
	82	* @throws InvalidKeyException if none of the Identities can validate the
	83	* certificate
	84	* @throws NoSuchAlgorithmException if the credential uses an unknown
	85	* signature algorithm
	86	* @throws NoSuchProviderException if the provider of the signature
	87	* algorithm is unavailable
	88	* @throws SignatureException if the signature check fails
	89	*/
[84f0e7a]	90	protected void init(Collection<Identity> ids)
[0595372]	91	throws CertificateException, InvalidKeyException,
	92	NoSuchAlgorithmException, NoSuchProviderException,
	93	SignatureException {
	94	for (Identity i: ids) {
[7ef13e3]	95	try {
[0595372]	96	ac.verify(i.getCertificate().getPublicKey(), "BC");
	97	id = i;
[7ef13e3]	98	break;
	99	}
[9725efb]	100	catch (InvalidKeyException e) { }
[7ef13e3]	101	}
[0595372]	102	if (id == null) throw new InvalidKeyException("Unknown identity");
[90f939f]	103
	104	load_roles();
[281158a]	105
[d69593c]	106	if (!id.getKeyID().equals(m_head.principal()))
[281158a]	107	throw new InvalidKeyException("Unknown identity");
[90f939f]	108	}
[e36ea1d]	109
	110	/**
	111	* Parse a credential from an InputStream and initialize the role from it.
	112	* Combine read_credential(stream) and init(ids). Note that catching
	113	* java.security.GeneralSecurityException catches most of the exceptions
	114	* this throws.
	115	* @param stream the InputStream to read the certificate from.
	116	* @param ids a Collection of Identities to use in validating the cert
	117	* @throws CertificateException if the certificate is badly formatted
	118	* @throws InvalidKeyException if none of the Identities can validate the
	119	* certificate
	120	* @throws NoSuchAlgorithmException if the credential uses an unknown
	121	* signature algorithm
	122	* @throws NoSuchProviderException if the provider of the signature
	123	* algorithm is unavailable
	124	* @throws SignatureException if the signature check fails
	125	* @throws IOException if the certificate is unparsable.
	126	*/
	127	protected void init(InputStream stream, Collection<Identity> ids)
	128	throws CertificateException, InvalidKeyException,
	129	NoSuchAlgorithmException, NoSuchProviderException,
	130	SignatureException, IOException {
	131	read_certificate(stream);
	132	if (ac == null) throw new IOException("Unknown Format");
	133	init(ids);
	134	}
	135
[7ef13e3]	136	/**
[e36ea1d]	137	* Create a credential from an attribute cert in a file. Throws an
	138	* exception if the cert file can't be opened or if there's a format
	139	* problem with the cert. Note that catching
	140	* java.security.GeneralSecurityException catches most of the exceptions
	141	* this throws.
	142	* @param filename a String containing the filename to read
	143	* @param ids a Collection of Identities to use in validating the cert
	144	* @throws StreamParsingException if the stream is unparsable
	145	* @throws CertificateException if the certificate is badly formatted
	146	* @throws InvalidKeyException if none of the Identities can validate the
	147	* certificate
	148	* @throws NoSuchAlgorithmException if the credential uses an unknown
	149	* signature algorithm
	150	* @throws NoSuchProviderException if the provider of the signature
	151	* algorithm is unavailable
	152	* @throws SignatureException if the signature check fails
	153	* @throws IOException if the certificate is unparsable.
[7ef13e3]	154	*/
[84f0e7a]	155	public Credential(String filename, Collection<Identity> ids)
	156	throws Exception { init(new FileInputStream(filename), ids); }
[7ef13e3]	157
	158	/**
[e36ea1d]	159	* Create a credential from an attribute cert in a file. Throws an
	160	* exception if the cert file can't be opened or if there's a format
	161	* problem with the cert. Note that catching
	162	* java.security.GeneralSecurityException catches most of the exceptions
	163	* this throws.
	164	* @param file the File to read
	165	* @param ids a Collection of Identities to use in validating the cert
	166	* @throws StreamParsingException if the stream is unparsable
	167	* @throws CertificateException if the certificate is badly formatted
	168	* @throws InvalidKeyException if none of the Identities can validate the
	169	* certificate
	170	* @throws NoSuchAlgorithmException if the credential uses an unknown
	171	* signature algorithm
	172	* @throws NoSuchProviderException if the provider of the signature
	173	* algorithm is unavailable
	174	* @throws SignatureException if the signature check fails
	175	* @throws IOException if the certificate is unparsable.
[7ef13e3]	176	*/
[84f0e7a]	177	public Credential(File file, Collection<Identity> ids)
[e36ea1d]	178	throws CertificateException, InvalidKeyException,
	179	NoSuchAlgorithmException, NoSuchProviderException,
	180	SignatureException, StreamParsingException, IOException {
	181	init(new FileInputStream(file), ids);
	182	}
[1a7e6d3]	183
	184	/**
[e36ea1d]	185	* Create a credential from an InputStream. Throws an exception if the
	186	* stream can't be parsed or if there's a format problem with the cert.
	187	* Note that catching java.security.GeneralSecurityException catches most
	188	* of the exceptions this throws.
	189	* @param s the InputStream to read
	190	* @param ids a Collection of Identities to use in validating the cert
	191	* @throws StreamParsingException if the stream is unparsable
	192	* @throws CertificateException if the certificate is badly formatted
	193	* @throws InvalidKeyException if none of the Identities can validate the
	194	* certificate
	195	* @throws NoSuchAlgorithmException if the credential uses an unknown
	196	* signature algorithm
	197	* @throws NoSuchProviderException if the provider of the signature
	198	* algorithm is unavailable
	199	* @throws SignatureException if the signature check fails
	200	* @throws IOException if the certificate is unparsable.
[1a7e6d3]	201	*/
[84f0e7a]	202	public Credential(InputStream s, Collection<Identity> ids)
[e36ea1d]	203	throws CertificateException, InvalidKeyException,
	204	NoSuchAlgorithmException, NoSuchProviderException,
	205	SignatureException, StreamParsingException, IOException {
	206	init(s, ids);
	207	}
[84f0e7a]	208
[e36ea1d]	209	/**
	210	* Create a credential from an X509V2AttributeCertificate object. Throws
	211	* an exception if the certificate doesn't parse into an ABAC credential,
	212	* or cannot be validated. Note that catching
	213	* java.security.GeneralSecurityException catches most of the exceptions
	214	* this throws.
	215	* @param c the X509V2AttributeCertificate to create from
	216	* @param ids a Collection of Identities to use in validating the cert
	217	* @throws CertificateException if the certificate is badly formatted
	218	* @throws InvalidKeyException if none of the Identities can validate the
	219	* certificate
	220	* @throws NoSuchAlgorithmException if the credential uses an unknown
	221	* signature algorithm
	222	* @throws NoSuchProviderException if the provider of the signature
	223	* algorithm is unavailable
	224	* @throws SignatureException if the signature check fails
	225	* @throws IOException if the certificate is unparsable.
	226	*/
[84f0e7a]	227	public Credential(X509V2AttributeCertificate c, Collection<Identity> ids)
[e36ea1d]	228	throws CertificateException, InvalidKeyException,
	229	NoSuchAlgorithmException, NoSuchProviderException,
	230	SignatureException, IOException {
[0595372]	231	ac = c;
[84f0e7a]	232	init(ids);
[7ef13e3]	233	}
	234
[84f0e7a]	235
[e9360e2]	236	/**
	237	* Create a certificate from this credential issued by the given identity.
[e36ea1d]	238	* Note that catching java.security.GeneralSecurityException catches most
	239	* of the exceptions this throws.
	240	* @param i the Identity that will issue the certificate
	241	* @throws IOException reading or writing problems
	242	* @throws CertificateEncodingException Problem creating certificate
	243	* @throws InvalidKeyException if none of the Identities can sign the
	244	* certificate
	245	* @throws NoSuchAlgorithmException if the credential uses an unknown
	246	* signature algorithm
	247	* @throws NoSuchProviderException if the provider of the signature
	248	* algorithm is unavailable
	249	* @throws SignatureException if the signature creation fails
[e9360e2]	250	*/
[e36ea1d]	251	public void make_cert(Identity i)
	252	throws IOException, CertificateEncodingException,
	253	NoSuchProviderException, NoSuchAlgorithmException,
	254	SignatureException, InvalidKeyException {
[e9360e2]	255	PrivateKey key = i.getKeyPair().getPrivate();
[0595372]	256	SubjectPublicKeyInfo pki = Context.extractSubjectPublicKeyInfo(
[e9360e2]	257	i.getKeyPair().getPublic());
[281158a]	258	X509V2AttributeCertificateGenerator gen =
	259	new X509V2AttributeCertificateGenerator();
	260
	261	gen.setIssuer(new AttributeCertificateIssuer(
[e36ea1d]	262	new X500Principal("CN="+m_head.principal())));
[281158a]	263	gen.setHolder(new AttributeCertificateHolder(
[e36ea1d]	264	new X500Principal("CN="+m_head.principal())));
[281158a]	265	gen.setNotAfter(new Date(System.currentTimeMillis()
	266	+ 3600 * 1000 * 24 * 365));
	267	gen.setNotBefore(new Date(System.currentTimeMillis()));
	268	gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
	269	gen.addAttribute(new X509Attribute(attrOID,
	270	new DERSequence(
	271	new DERSequence(
	272	new DERUTF8String(toString())))));
	273	gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
	274
[e36ea1d]	275	// Creddy expects an authority key identifier.
	276	gen.addExtension(authKeyOID, false,
	277	new AuthorityKeyIdentifier(pki));
	278	// Create the cert.
	279	ac = (X509V2AttributeCertificate) gen.generate(key, "BC");
[281158a]	280	}
[7ef13e3]	281
[90f939f]	282	/**
	283	* Load the roles off the attribute cert. Throws a RuntimeException if
	284	* there's something wrong with the cert.
	285	*/
[e36ea1d]	286	private void load_roles() {
[90f939f]	287	String roles = null;
	288	try {
[0595372]	289	X509Attribute attr = ac.getAttributes()[0];
[90f939f]	290
	291	DERSequence java = (DERSequence)attr.getValues()[0];
	292	DERSequence fucking = (DERSequence)java.getObjectAt(0);
	293	DERUTF8String sucks = (DERUTF8String)fucking.getObjectAt(0);
	294
	295	roles = sucks.getString();
	296	}
	297	catch (Exception e) {
[0595372]	298	throw new RuntimeException("Badly formatted certificate");
[90f939f]	299	}
	300
	301	String[] parts = roles.split("\\s<--?\\s");
	302	if (parts.length != 2)
	303	throw new RuntimeException("Invalid attribute: " + roles);
	304
	305	m_head = new Role(parts[0]);
	306	m_tail = new Role(parts[1]);
	307	}
	308
[cfcdcb4b]	309	/**
	310	* Two credentials are the same if their roles are the same.
[e36ea1d]	311	* @param o an Object to compare
	312	* @return true if the Credentials have the Roles
[cfcdcb4b]	313	*/
	314	public boolean equals(Object o) {
	315	if ( o instanceof Credential ) {
	316	Credential c = (Credential) o;
	317
	318	if (m_head == null \|\| m_tail == null ) return false;
	319	else return (m_head.equals(c.head()) && m_tail.equals(c.tail()));
	320	}
	321	else return false;
	322	}
	323
[e36ea1d]	324	/**
	325	* Allow credentials to be compared. They are ordered by their Roles, head
	326	* then tail.
	327	* @param o an Object to compare
	328	* @return -1 if this Credential is before, 0 if they are the same, and 1
	329	* if this Credential is after the given object.
	330	*/
[88e139a]	331	public int compareTo(Object o) {
	332	if (o instanceof Credential) {
	333	Credential c = (Credential) o;
	334
	335	if (head().equals(c.head())) return tail().compareTo(c.tail());
	336	else return head().compareTo(c.head());
	337	}
	338	else return 1;
	339	}
	340
	341
[31b67d5]	342	/**
	343	* Get the head role from the credential.
[e36ea1d]	344	* @return the Role in the head
[31b67d5]	345	*/
[0595372]	346	public Role head() { return m_head; }
[31b67d5]	347
	348	/**
	349	* Get the tail role from the credential
[e36ea1d]	350	* @return the Role in the tail
[31b67d5]	351	*/
[0595372]	352	public Role tail() { return m_tail; }
[31b67d5]	353
[90f939f]	354	/**
	355	* Gets the cert associated with this credential (if any).
[e36ea1d]	356	* @return the attribute cert associated with this credential (if any).
[90f939f]	357	*/
[0595372]	358	public X509V2AttributeCertificate cert() { return ac; }
[90f939f]	359
[31b67d5]	360	/**
	361	* Turn the credential into string form. The format is head <- tail. For
[e36ea1d]	362	* example: A.r1 <- B.r2.r3. Principal names are key identifiers.
	363	* @return the string form
[31b67d5]	364	*/
	365	public String toString() {
	366	return m_head + " <- " + m_tail;
	367	}
	368
[e36ea1d]	369	/**
	370	* Turn the credential into string form. The format is head <- tail. For
	371	* example: A.r1 <- B.r2.r3. Principal names are shortened to menmonics
	372	* if the Context knows the identity.
	373	* @param c the Context to translate names in
	374	* @return the string form
	375	*/
[84f0e7a]	376	public String simpleString(Context c) {
	377	return m_head.simpleString(c) + " <- " + m_tail.simpleString(c);
[de63a31]	378	}
	379
[e36ea1d]	380	/**
	381	* Output the DER formatted attribute certificate associated with this
	382	* Credential to the OutputStream.
	383	* @param s the OutputStream on which to write
	384	* @throws IOException if there is an error writing.
	385	*/
[1a7e6d3]	386	public void write(OutputStream s) throws IOException {
[e36ea1d]	387	if (ac != null )
	388	s.write(ac.getEncoded());
[e9360e2]	389	s.flush();
[1a7e6d3]	390	}
	391
[e36ea1d]	392	/**
	393	* Output the DER formatted attribute certificate associated with this
	394	* Credential to the filename given.
	395	* @param fn a String containing the output filename
	396	* @throws IOException if there is an error writing.
	397	*/
[1a7e6d3]	398	public void write(String fn) throws IOException, FileNotFoundException {
	399	write(new FileOutputStream(fn));
	400	}
	401
[e36ea1d]	402	/**
	403	* Return true if this Credential has a certificate associated. A jabac
	404	* extension.
	405	* @return true if this Credential has a certificate associated.
	406	*/
[0595372]	407	public boolean hasCertificate() { return ac != null; }
[5cf72cc]	408
[e36ea1d]	409	/**
	410	* Return the Identity that issued the underlying certificate. A jabac
	411	* extension.
	412	* @return the Identity that issued the underlying certificate.
	413	*/
[d69593c]	414	public Identity issuer() { return id; }
[e36ea1d]	415	/**
	416	* Return the X509Certificate that issued the underlying certificate.
	417	* @return the X509Certificate that issued the underlying certificate.
	418	*/
[d69593c]	419	public X509Certificate issuerCert() { return id.getCertificate(); }
[e36ea1d]	420	/**
	421	* Return the X509V2AttributeCertificate that underlys the Credential
	422	* @return the X509V2AttributeCertificate that underlys the Credential.
	423	*/
[d69593c]	424	public X509V2AttributeCertificate attributeCert() { return ac; }
[90f939f]	425
[7ef13e3]	426
[31b67d5]	427	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: