Context Navigation

source: java/net/deterlab/abac/Credential.java @ 88e139a

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml

Last change on this file since 88e139a was 88e139a, checked in by Ted Faber <faber@…>, 13 years ago
Add some basic features, comparability.
Property mode set to `100644`
File size: 11.6 KB

Line
1	package net.deterlab.abac;
2
3	import java.io.*;
4	import java.math.*;
5
6	import java.util.*;
7	import java.util.zip.*;
8	import java.security.*;
9	import java.security.cert.*;
10
11	import net.deterlab.abac.Identity;
12
13	import org.bouncycastle.asn1.*;
14	import org.bouncycastle.x509.*;
15	import org.bouncycastle.jce.X509Principal;
16	import org.bouncycastle.jce.provider.X509AttrCertParser;
17	import org.bouncycastle.jce.provider.X509CertificateObject;
18	import org.bouncycastle.openssl.PEMReader;
19
20	import org.bouncycastle.asn1.util.ASN1Dump;
21
22	import java.security.PrivateKey;
23
24	public class Credential implements Comparable {
25	protected static Vector<Identity> s_ids = new Vector<Identity>();
26	protected static String attrOID = "1.3.6.1.5.5.7.10.4";
27
28	/**
29	* A dummy credential.
30	*/
31	public Credential() {
32	m_head = m_tail = null;
33	m_ac = null;
34	m_id = null;
35	}
36	/**
37	* Create a credential from a head and tail role. This is only for testing.
38	* In a real implementation the Credential must be loaded from an X.509
39	* attribute cert.
40	*/
41	public Credential(Role head, Role tail) {
42	m_head = head;
43	m_tail = tail;
44	m_ac = null;
45	m_id = null;
46	}
47
48	/**
49	* Do the credential initialization from a filename.
50	*/
51	protected void init(InputStream stream) throws Exception {
52	X509AttrCertParser parser = new X509AttrCertParser();
53	parser.engineInit(stream);
54	m_ac = (X509V2AttributeCertificate)parser.engineRead();
55	m_id = null;
56
57	if ( m_ac == null ) throw new IOException("Invalid Credential Format");
58
59	for (Identity id: s_ids) {
60	try {
61	m_ac.verify(id.getCertificate().getPublicKey(), "BC");
62	m_id = id;
63	break;
64	}
65	catch (InvalidKeyException e) { }
66	}
67	if (m_id == null) throw new InvalidKeyException("Unknown identity");
68
69	load_roles();
70
71	if (!m_id.getKeyID().equals(m_head.issuer_part()))
72	throw new InvalidKeyException("Unknown identity");
73	}
74
75	/**
76	* Create a credential from an attribute cert. Throws an exception if the
77	* cert file can't be opened or if there's a format problem with the cert.
78	*/
79	public Credential(String filename) throws Exception {
80	init(new FileInputStream(filename));
81	}
82
83	/**
84	* Create a credential from an attribute cert. Throws an exception if the
85	* cert file can't be opened or if there's a format problem with the cert.
86	*/
87	public Credential(File file) throws Exception {
88	init(new FileInputStream(file));
89	}
90
91	/**
92	* Create a credential from an InputStream.
93	*/
94	public Credential(InputStream s) throws Exception {
95	init(s);
96	}
97
98	public void make_cert(PrivateKey key) {
99	X509V2AttributeCertificateGenerator gen =
100	new X509V2AttributeCertificateGenerator();
101
102	gen.setIssuer(new AttributeCertificateIssuer(
103	new X509Principal("CN="+m_head.issuer_part())));
104	gen.setHolder(new AttributeCertificateHolder(
105	new X509Principal("CN="+m_head.issuer_part())));
106	gen.setNotAfter(new Date(System.currentTimeMillis()
107	+ 3600 * 1000 * 24 * 365));
108	gen.setNotBefore(new Date(System.currentTimeMillis()));
109	gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
110	gen.addAttribute(new X509Attribute(attrOID,
111	new DERSequence(
112	new DERSequence(
113	new DERUTF8String(toString())))));
114	gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
115
116	try {
117	m_ac = (X509V2AttributeCertificate) gen.generate(key, "BC");
118	}
119	catch (Exception e) {
120	System.err.println(e);
121	}
122	}
123
124	/**
125	* Load the roles off the attribute cert. Throws a RuntimeException if
126	* there's something wrong with the cert.
127	*/
128	private void load_roles() throws RuntimeException {
129	String roles = null;
130	try {
131	X509Attribute attr = m_ac.getAttributes()[0];
132
133	DERSequence java = (DERSequence)attr.getValues()[0];
134	DERSequence fucking = (DERSequence)java.getObjectAt(0);
135	DERUTF8String sucks = (DERUTF8String)fucking.getObjectAt(0);
136
137	roles = sucks.getString();
138	}
139	catch (Exception e) {
140	throw new RuntimeException("Your attribute certificate is funky and I'm not gonna debug it", e);
141	}
142
143	String[] parts = roles.split("\\s<--?\\s");
144	if (parts.length != 2)
145	throw new RuntimeException("Invalid attribute: " + roles);
146
147	m_head = new Role(parts[0]);
148	m_tail = new Role(parts[1]);
149	}
150
151	/**
152	* Two credentials are the same if their roles are the same.
153	*/
154	public boolean equals(Object o) {
155	if ( o instanceof Credential ) {
156	Credential c = (Credential) o;
157
158	if (m_head == null \|\| m_tail == null ) return false;
159	else return (m_head.equals(c.head()) && m_tail.equals(c.tail()));
160	}
161	else return false;
162	}
163
164	public int compareTo(Object o) {
165	if (o instanceof Credential) {
166	Credential c = (Credential) o;
167
168	if (head().equals(c.head())) return tail().compareTo(c.tail());
169	else return head().compareTo(c.head());
170	}
171	else return 1;
172	}
173
174
175	/**
176	* Get the head role from the credential.
177	*/
178	public Role head() {
179	return m_head;
180	}
181
182	/**
183	* Get the tail role from the credential
184	*/
185	public Role tail() {
186	return m_tail;
187	}
188
189	/**
190	* Gets the cert associated with this credential (if any).
191	*/
192	public X509V2AttributeCertificate cert() {
193	return m_ac;
194	}
195
196	/**
197	* Turn the credential into string form. The format is head <- tail. For
198	* example: A.r1 <- B.r2.r3.
199	*/
200	public String toString() {
201	return m_head + " <- " + m_tail;
202	}
203
204	public String simpleString() {
205	return m_head.simpleString() + " <- " + m_tail.simpleString();
206	}
207
208	public void write(OutputStream s) throws IOException {
209	s.write(m_ac.getEncoded());
210	}
211
212	public void write(String fn) throws IOException, FileNotFoundException {
213	write(new FileOutputStream(fn));
214	}
215
216	public boolean hasCertificate() { return m_ac != null; }
217
218	public Identity getID() { return m_id; }
219
220	/**
221	* Import a zip file. First import all the identities
222	* (pem), then the credentials (der) into the credential graph then any
223	* alias files into the two maps. If keys is not null, any key pairs in
224	* PEM files are put in there. If errors is not null, errors reading files
225	* are added indexed by filename.
226	*/
227	static public Collection<Credential> readZipFile(File zf,
228	Collection<KeyPair> keys, Map<String, Exception> errors)
229	throws IOException {
230	Vector<Credential> creds = new Vector<Credential>();
231	Vector<ZipEntry> derFiles = new Vector<ZipEntry>();
232
233	ZipFile z = new ZipFile(zf);
234
235	for (Enumeration<? extends ZipEntry> ze = z.entries();
236	ze.hasMoreElements();) {
237	ZipEntry f = ze.nextElement();
238	Object o = null;
239	try {
240	o = new PEMReader(new InputStreamReader(
241	z.getInputStream(f))).readObject();
242	}
243	catch (IOException e) {
244	// PEMReader couldn't deal, so we assume it's a DER
245	derFiles.add(f);
246	continue;
247	}
248	try {
249	if ( o == null ) {
250	// This shouldn't be, but assume it's a DER
251	derFiles.add(f);
252	}
253	else if (o instanceof X509CertificateObject) {
254	Credential.addIdentity(
255	new Identity((X509CertificateObject)o));
256	}
257	else if (o instanceof KeyPair ) {
258	if ( keys != null ) keys.add((KeyPair) o);
259	}
260	else {
261	throw new IOException("Unexpected PEM object: " +
262	o.getClass().getName());
263	}
264	}
265	catch (Exception e ) {
266	if (errors != null ) errors.put(f.getName(), e);
267	}
268	}
269
270	for ( ZipEntry f : derFiles ) {
271	try {
272	creds.add(new Credential(z.getInputStream(f)));
273	}
274	catch (Exception e ) {
275	if (errors != null ) errors.put(f.getName(), e);
276	}
277	}
278	return creds;
279	}
280
281	static public Collection<Credential> readZipFile(File d)
282	throws IOException {
283	return readZipFile(d, null, null);
284	}
285	static public Collection<Credential> readZipFile(File d,
286	Map<String, Exception> errors) throws IOException {
287	return readZipFile(d, null, errors);
288	}
289	static public Collection<Credential> readZipFile(File d,
290	Collection<KeyPair> keys) throws IOException {
291	return readZipFile(d, keys, null);
292	}
293
294
295	/**
296	* Import a directory full of files. First import all the identities
297	* (pem), then the credentials (der) into the credential graph then any
298	* alias files into the two maps. If keys is not null, any key pairs in
299	* PEM files are put in there. If errors is not null, errors reading files
300	* are added indexed by filename.
301	*/
302	static public Collection<Credential> readDirectory(File d,
303	Collection<KeyPair> keys, Map<String, Exception> errors) {
304	Vector<Credential> creds = new Vector<Credential>();
305	Vector<File> derFiles = new Vector<File>();
306	Collection<File> files = new Vector<File>();
307
308	if (d.isDirectory() )
309	for (File f : d.listFiles())
310	files.add(f);
311	else files.add(d);
312
313	for (File f: files ) {
314	Object o = null;
315	try {
316	o = new PEMReader(new FileReader(f)).readObject();
317	}
318	catch (IOException e) {
319	// PEMReader couldn't deal, so we assume it's a DER
320	derFiles.add(f);
321	continue;
322	}
323	try {
324	if ( o == null ) {
325	// This shouldn't be, but assume it's a DER
326	derFiles.add(f);
327	}
328	else if (o instanceof X509CertificateObject) {
329	Credential.addIdentity(
330	new Identity((X509CertificateObject)o));
331	}
332	else if (o instanceof KeyPair ) {
333	if ( keys != null ) keys.add((KeyPair) o);
334	}
335	else {
336	throw new IOException("Unexpected PEM object: " +
337	o.getClass().getName());
338	}
339	}
340	catch (Exception e ) {
341	if (errors != null ) errors.put(f.getName(), e);
342	}
343	}
344
345	for ( File f : derFiles ) {
346	try {
347	creds.add(new Credential(f));
348	}
349	catch (Exception e ) {
350	if (errors != null ) errors.put(f.getName(), e);
351	}
352	}
353	return creds;
354	}
355
356	static public Collection<Credential> readDirectory(File d) {
357	return readDirectory(d, null, null);
358	}
359	static public Collection<Credential> readDirectory(File d,
360	Map<String, Exception> errors) {
361	return readDirectory(d, null, errors);
362	}
363	static public Collection<Credential> readDirectory(File d,
364	Collection<KeyPair> keys) {
365	return readDirectory(d, keys, null);
366	}
367
368	static public void writeZipFile(Collection<Credential> creds, File f,
369	boolean allIDs)
370	throws IOException {
371	ZipOutputStream z = new ZipOutputStream(new FileOutputStream(f));
372	Set<Identity> ids = allIDs ?
373	new TreeSet(s_ids) : new TreeSet<Identity>();
374
375	int n = 0;
376	for (Credential c: creds) {
377	z.putNextEntry(new ZipEntry("attr" + n++ + ".der"));
378	c.write(z);
379	z.closeEntry();
380	if ( c.getID() != null && !allIDs) ids.add(c.getID());
381	}
382	for (Identity i: ids) {
383	z.putNextEntry(new ZipEntry(i.getName() + ".pem"));
384	i.write(z);
385	z.closeEntry();
386	}
387	z.close();
388	}
389
390
391	private Role m_head, m_tail;
392
393	private X509V2AttributeCertificate m_ac;
394	private Identity m_id;
395
396	/**
397	* Put the Identity into the set of ids used to validate certificates.
398	* Also put the keyID and name into the translation mappings used by Roles
399	* to pretty print. In the role mapping, if multiple ids use the same
400	* common name they are disambiguated. Only one entry for keyid is
401	* allowed.
402	*/
403	public static void addIdentity(Identity id) {
404	s_ids.add(id);
405	if (id.getName() != null && id.getKeyID() != null) {
406	if ( !Role.key_in_mapping(id.getKeyID()) ) {
407	String name = id.getName();
408	int n= 1;
409
410	while (Role.name_in_mapping(name)) {
411	name = id.getName() + n++;
412	}
413	Role.add_mapping(name, id.getKeyID());
414	}
415	}
416	}
417	public static Collection<Identity> identities() { return s_ids; }
418	public static void clearIdentities() {
419	s_ids.clear(); Role.clear_mapping();
420	}
421	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: