package net.deterlab.abac; import java.io.*; import java.math.*; import java.util.*; import java.security.*; import java.security.cert.*; import javax.security.auth.x500.*; import org.bouncycastle.asn1.*; import org.bouncycastle.asn1.x509.*; import org.bouncycastle.x509.*; import org.bouncycastle.x509.util.*; import org.bouncycastle.openssl.*; /** * An ABAC credential, with or without an underlying certificate that * represents it. These are edges in proof graphs and can be constructed from * their constituent Roles. * @author ISI ABAC team * @version 1.4 */ public abstract class Credential implements Comparable { /** Default validity period (in seconds) */ static public long defaultValidity = 3600L * 24L * 365L; /** The role at the head */ protected Role m_head /** The role at the tail */; protected Role m_tail; /** The identity that issued the certificate */ protected Identity id; /** The expiration time of the credential */ protected Date m_expiration; /** * Create an empty Credential. */ Credential() { m_head = m_tail = null; id = null; m_expiration = null; } /** * Create a credential from a head and tail role. This credential has no * underlying certificate, and cannot be exported or used in real proofs. * make_cert can create a certificate for a credential initialized this * way. * @param head the Role at the head of the credential * @param tail the Role at the tail of the credential */ Credential(Role head, Role tail) { m_head = head; m_tail = tail; id = null; m_expiration = null; } /** * Create a credential from an attribute cert in a file. Throws an * exception if the cert file can't be opened or if there's a format * problem with the cert. Note that catching * java.security.GeneralSecurityException catches most of the exceptions * this throws. * @param filename a String containing the filename to read * @param ids a Collection of Identities to use in validating the cert * @throws CertInvalidException if the stream is unparsable * @throws MissingIssuerException if none of the Identities can validate the * certificate * @throws BadSignatureException if the signature check fails */ Credential(String filename, Collection ids) throws ABACException { this(); } /** * Create a credential from an attribute cert in a file. Throws an * exception if the cert file can't be opened or if there's a format * problem with the cert. Note that catching * java.security.GeneralSecurityException catches most of the exceptions * this throws. * @param file the File to read * @param ids a Collection of Identities to use in validating the cert * @throws CertInvalidException if the stream is unparsable * @throws MissingIssuerException if none of the Identities can validate the * certificate * @throws BadSignatureException if the signature check fails */ Credential(File file, Collection ids) throws ABACException { this(); } /** * Create a credential from an InputStream. Throws an exception if the * stream can't be parsed or if there's a format problem with the cert. * Note that catching java.security.GeneralSecurityException catches most * of the exceptions this throws. * @param s the InputStream to read * @param ids a Collection of Identities to use in validating the cert * @throws CertInvalidException if the stream is unparsable * @throws MissingIssuerException if none of the Identities can validate the * certificate * @throws BadSignatureException if the signature check fails */ Credential(InputStream s, Collection ids) throws ABACException { this(); } /** * Create a certificate from this credential issued by the given identity, * valid for the given time. * @param i the Identity that will issue the certificate * @param validity a long holding the number of seconds that the credential * is valid for. * @throws ABACException for Credential-specific errors * @throws MissingIssuerException the identity is invalid * @throws BadSignatureException if the signature creation fails */ public abstract void make_cert(Identity i, long validity) throws ABACException; /** * Create a certificate from this credential issued by the given identity, * valid for the default interval. * @param i the Identity that will issue the certificate * @throws ABACException for Credential-specific errors * @throws MissingIssuerException the identity is invalid * @throws BadSignatureException if the signature creation fails */ public abstract void make_cert(Identity i) throws ABACException; /** * Return true if 2 credentials represent the same ABAC. Two credentials * are the same if their roles are the same. * @param o an Object to compare * @return true if the Credentials have the Roles */ public boolean equals(Object o) { if ( o instanceof Credential ) { Credential c = (Credential) o; if (m_head == null || m_tail == null ) return false; else return (m_head.equals(c.head()) && m_tail.equals(c.tail())); } else return false; } /** * Return a hash code for the Credential - the hashes of its roles. * @return an int, the hashCode */ public int hashCode() { if ( m_head == null || m_tail == null) return super.hashCode(); return m_head.hashCode() + m_tail.hashCode(); } /** * Compare 2 credentials for sorting. They are ordered by their Roles, * head then tail. * @param o an Object to compare * @return -1 if this Credential is before, 0 if they are the same, and 1 * if this Credential is after the given object. */ public int compareTo(Object o) { if (o instanceof Credential) { Credential c = (Credential) o; if (head().equals(c.head())) return tail().compareTo(c.tail()); else return head().compareTo(c.head()); } else return 1; } /** * Get the head role from the credential. * @return the Role in the head */ public Role head() { return m_head; } /** * Get the tail role from the credential * @return the Role in the tail */ public Role tail() { return m_tail; } /** * Get the expiration Date of the credential. */ public Date expiration() { return m_expiration; } /** * Return an untranslated string form of the credential. The format is head * <- tail. For example: A.r1 <- B.r2.r3. Principal names are key * identifiers. * @return the string form */ public String toString() { return m_head + " <- " + m_tail; } /** * Return a translated string form of the credential. The format is head * <- tail. For example: A.r1 <- B.r2.r3. Principal names are * shortened to menmonics if the Context knows the identity. * @param c the Context to translate names in * @return the string form */ public String simpleString(Context c) { return m_head.simpleString(c) + " <- " + m_tail.simpleString(c); } /** * Output the external representation of the Credential to the OutputStream * given. Subclasses will overload this for their output format. * @param s the OutputStream on which to write * @throws IOException if there is an error writing. */ public abstract void write(OutputStream s) throws IOException; /** * Output the external representation of the Credential to the filename * given. Subclasses will overload this for their output format. * @param fn a String containing the output filename * @throws IOException if there is an error writing. */ public abstract void write(String fn) throws IOException, FileNotFoundException; /** * Return true if this Credential has a certificate associated. A jabac * extension. * @return true if this Credential has a certificate associated. */ public abstract boolean hasCertificate(); /** * Return the Identity that issued the underlying certificate (if any). A * jabac extension. * @return the Identity that issued the underlying certificate. */ public Identity issuer() { return id; } }