Context Navigation

source: java/net/deterlab/abac/Credential.java @ 1a80501

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml

Last change on this file since 1a80501 was 0595372, checked in by Ted Faber <faber@…>, 14 years ago
Some cleanup
Property mode set to `100644`
File size: 7.0 KB

Line
1	package net.deterlab.abac;
2
3	import java.io.*;
4	import java.math.*;
5
6	import java.util.*;
7	import java.util.zip.*;
8	import java.security.*;
9	import java.security.cert.*;
10
11	import net.deterlab.abac.Identity;
12
13	import org.bouncycastle.asn1.*;
14	import org.bouncycastle.asn1.x509.*;
15	import org.bouncycastle.x509.*;
16	import org.bouncycastle.jce.X509Principal;
17	import org.bouncycastle.jce.provider.X509AttrCertParser;
18	import org.bouncycastle.jce.provider.X509CertificateObject;
19	import org.bouncycastle.openssl.PEMReader;
20
21	import java.security.PrivateKey;
22
23	public class Credential implements Comparable {
24	protected static Vector<Identity> s_ids = new Vector<Identity>();
25	protected static String attrOID = "1.3.6.1.5.5.7.10.4";
26	protected static String authKeyOID = "2.5.29.35";
27
28	private Role m_head;
29	private Role m_tail;
30	private X509V2AttributeCertificate ac;
31	private Identity id;
32
33	/**
34	* A dummy credential.
35	*/
36	public Credential() {
37	m_head = m_tail = null;
38	ac = null;
39	id = null;
40	}
41	/**
42	* Create a credential from a head and tail role. This is only for testing.
43	* In a real implementation the Credential must be loaded from an X.509
44	* attribute cert.
45	*/
46	public Credential(Role head, Role tail) {
47	m_head = head;
48	m_tail = tail;
49	ac = null;
50	id = null;
51	}
52
53	/**
54	* Do the credential initialization from a filename.
55	*/
56	protected void read_certificate(InputStream stream)
57	throws Exception {
58	X509AttrCertParser parser = new X509AttrCertParser();
59	parser.engineInit(stream);
60	ac = (X509V2AttributeCertificate)parser.engineRead();
61	}
62
63
64	protected void init(InputStream stream, Collection<Identity> ids)
65	throws Exception {
66	read_certificate(stream);
67	if (ac == null) throw new IOException("Unknown Format");
68	init(ids);
69	}
70
71	protected void init(Collection<Identity> ids)
72	throws CertificateException, InvalidKeyException,
73	NoSuchAlgorithmException, NoSuchProviderException,
74	SignatureException {
75	for (Identity i: ids) {
76	try {
77	ac.verify(i.getCertificate().getPublicKey(), "BC");
78	id = i;
79	break;
80	}
81	catch (InvalidKeyException e) { }
82	}
83	if (id == null) throw new InvalidKeyException("Unknown identity");
84
85	load_roles();
86
87	if (!id.getKeyID().equals(m_head.issuer_part()))
88	throw new InvalidKeyException("Unknown identity");
89	}
90	/**
91	* Create a credential from an attribute cert. Throws an exception if the
92	* cert file can't be opened or if there's a format problem with the cert.
93	*/
94	public Credential(String filename, Collection<Identity> ids)
95	throws Exception { init(new FileInputStream(filename), ids); }
96
97	/**
98	* Create a credential from an attribute cert. Throws an exception if the
99	* cert file can't be opened or if there's a format problem with the cert.
100	*/
101	public Credential(File file, Collection<Identity> ids)
102	throws Exception { init(new FileInputStream(file), ids); }
103
104	/**
105	* Create a credential from an InputStream.
106	*/
107	public Credential(InputStream s, Collection<Identity> ids)
108	throws Exception { init(s, ids); }
109
110	public Credential(X509V2AttributeCertificate c, Collection<Identity> ids)
111	throws Exception {
112	ac = c;
113	init(ids);
114	}
115
116
117	/**
118	* Create a certificate from this credential issued by the given identity.
119	* This is just grungy credential generation work.
120	*/
121	public void make_cert(Identity i) {
122	PrivateKey key = i.getKeyPair().getPrivate();
123	SubjectPublicKeyInfo pki = Context.extractSubjectPublicKeyInfo(
124	i.getKeyPair().getPublic());
125	X509V2AttributeCertificateGenerator gen =
126	new X509V2AttributeCertificateGenerator();
127
128	gen.setIssuer(new AttributeCertificateIssuer(
129	new X509Principal("CN="+m_head.issuer_part())));
130	gen.setHolder(new AttributeCertificateHolder(
131	new X509Principal("CN="+m_head.issuer_part())));
132	gen.setNotAfter(new Date(System.currentTimeMillis()
133	+ 3600 * 1000 * 24 * 365));
134	gen.setNotBefore(new Date(System.currentTimeMillis()));
135	gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
136	gen.addAttribute(new X509Attribute(attrOID,
137	new DERSequence(
138	new DERSequence(
139	new DERUTF8String(toString())))));
140	gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
141
142	try {
143	// Creddy expects an authority key identifier.
144	gen.addExtension(authKeyOID, false,
145	new AuthorityKeyIdentifier(pki));
146	// Create the cert.
147	ac = (X509V2AttributeCertificate) gen.generate(key, "BC");
148	}
149	catch (Exception e) {
150	System.err.println(e);
151	}
152	}
153
154	/**
155	* Load the roles off the attribute cert. Throws a RuntimeException if
156	* there's something wrong with the cert.
157	*/
158	private void load_roles() throws RuntimeException {
159	String roles = null;
160	try {
161	X509Attribute attr = ac.getAttributes()[0];
162
163	DERSequence java = (DERSequence)attr.getValues()[0];
164	DERSequence fucking = (DERSequence)java.getObjectAt(0);
165	DERUTF8String sucks = (DERUTF8String)fucking.getObjectAt(0);
166
167	roles = sucks.getString();
168	}
169	catch (Exception e) {
170	throw new RuntimeException("Badly formatted certificate");
171	}
172
173	String[] parts = roles.split("\\s<--?\\s");
174	if (parts.length != 2)
175	throw new RuntimeException("Invalid attribute: " + roles);
176
177	m_head = new Role(parts[0]);
178	m_tail = new Role(parts[1]);
179	}
180
181	/**
182	* Two credentials are the same if their roles are the same.
183	*/
184	public boolean equals(Object o) {
185	if ( o instanceof Credential ) {
186	Credential c = (Credential) o;
187
188	if (m_head == null \|\| m_tail == null ) return false;
189	else return (m_head.equals(c.head()) && m_tail.equals(c.tail()));
190	}
191	else return false;
192	}
193
194	public int compareTo(Object o) {
195	if (o instanceof Credential) {
196	Credential c = (Credential) o;
197
198	if (head().equals(c.head())) return tail().compareTo(c.tail());
199	else return head().compareTo(c.head());
200	}
201	else return 1;
202	}
203
204
205	/**
206	* Get the head role from the credential.
207	*/
208	public Role head() { return m_head; }
209
210	/**
211	* Get the tail role from the credential
212	*/
213	public Role tail() { return m_tail; }
214
215	/**
216	* Gets the cert associated with this credential (if any).
217	*/
218	public X509V2AttributeCertificate cert() { return ac; }
219
220	/**
221	* Turn the credential into string form. The format is head <- tail. For
222	* example: A.r1 <- B.r2.r3.
223	*/
224	public String toString() {
225	return m_head + " <- " + m_tail;
226	}
227
228	public String simpleString(Context c) {
229	return m_head.simpleString(c) + " <- " + m_tail.simpleString(c);
230	}
231
232	public void write(OutputStream s) throws IOException {
233	s.write(ac.getEncoded());
234	s.flush();
235	}
236
237	public void write(String fn) throws IOException, FileNotFoundException {
238	write(new FileOutputStream(fn));
239	}
240
241	public boolean hasCertificate() { return ac != null; }
242
243	public Identity getID() { return id; }
244
245
246	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: