Context Navigation

source: java/net/deterlab/abac/Credential.java @ dc9ae96

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml

Last change on this file since dc9ae96 was dc9ae96, checked in by Ted Faber <faber@…>, 13 years ago
Set identity in make_cert (how did that stop happening)
Property mode set to `100644`
File size: 16.2 KB

Line
1	package net.deterlab.abac;
2
3	import java.io.*;
4	import java.math.*;
5
6	import java.util.*;
7	import java.security.*;
8	import java.security.cert.*;
9
10	import javax.security.auth.x500.*;
11
12	import org.bouncycastle.asn1.*;
13	import org.bouncycastle.asn1.x509.*;
14	import org.bouncycastle.x509.*;
15	import org.bouncycastle.x509.util.*;
16	import org.bouncycastle.openssl.*;
17
18	/**
19	* An ABAC credential, with or without an underlying certificate that
20	* represents it. These are edges in proof garphs and can be constructed from
21	* their constituent Roles.
22	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
23	* @version 1.3
24	*/
25	public class Credential implements Comparable {
26	/** The ASN1 OID for an IETF attribute. */
27	protected static String attrOID = "1.3.6.1.5.5.7.10.4";
28	/** The ASN1 OID for AuthorityKeyIdentifier. */
29	protected static String authKeyOID = "2.5.29.35";
30
31	/** The role at the head */
32	protected Role m_head
33	/** The role at the tail */;
34	protected Role m_tail;
35	/** The certificate representing this credential */
36	protected X509V2AttributeCertificate ac;
37	/** The identity that issued the certificate */
38	protected Identity id;
39
40	/** Make sure BouncyCastle is loaded */
41	static { Context.loadBouncyCastle(); }
42
43	/**
44	* Create an empty Credential.
45	*/
46	public Credential() {
47	m_head = m_tail = null;
48	ac = null;
49	id = null;
50	}
51	/**
52	* Create a credential from a head and tail role. This credential has no
53	* underlying certificate, and cannot be exported or used in real proofs.
54	* make_cert can create a certificate for a credential initialized this
55	* way.
56	* @param head the Role at the head of the credential
57	* @param tail the Role at the tail of the credential
58	*/
59	public Credential(Role head, Role tail) {
60	m_head = head;
61	m_tail = tail;
62	ac = null;
63	id = null;
64	}
65
66	/**
67	* Do the credential extraction from an input stream. This parses the
68	* certificate from the input stream and saves it. The contents must be
69	* validated and parsed later.
70	* @param stream the InputStream to read the certificate from.
71	* @throws IOException if the stream is unparsable
72	*/
73	protected void read_certificate(InputStream stream)
74	throws IOException {
75	ac = new X509V2AttributeCertificate(stream);
76	}
77
78	/**
79	* Initialize a credential from parsed certificate. Validiate it against
80	* the given identities and parse out the roles. Note that catching
81	* java.security.GeneralSecurityException catches most of the exceptions
82	* this throws.
83	* @param ids a Collection of Identities to use in validating the cert
84	* @throws CertificateException if the certificate is badly formatted
85	* @throws InvalidKeyException if none of the Identities can validate the
86	* certificate
87	* @throws NoSuchAlgorithmException if the credential uses an unknown
88	* signature algorithm
89	* @throws NoSuchProviderException if the provider of the signature
90	* algorithm is unavailable
91	* @throws SignatureException if the signature check fails
92	*/
93	protected void init(Collection<Identity> ids)
94	throws CertificateException, InvalidKeyException,
95	NoSuchAlgorithmException, NoSuchProviderException,
96	SignatureException {
97	for (Identity i: ids) {
98	try {
99	ac.verify(i.getCertificate().getPublicKey(), "BC");
100	id = i;
101	break;
102	}
103	catch (InvalidKeyException e) { }
104	}
105	if (id == null) throw new InvalidKeyException("Unknown identity");
106
107	load_roles();
108
109	if (!id.getKeyID().equals(m_head.principal()))
110	throw new InvalidKeyException("Unknown identity");
111	}
112
113	/**
114	* Parse a credential from an InputStream and initialize the role from it.
115	* Combine read_credential(stream) and init(ids). Note that catching
116	* java.security.GeneralSecurityException catches most of the exceptions
117	* this throws.
118	* @param stream the InputStream to read the certificate from.
119	* @param ids a Collection of Identities to use in validating the cert
120	* @throws CertificateException if the certificate is badly formatted
121	* @throws InvalidKeyException if none of the Identities can validate the
122	* certificate
123	* @throws NoSuchAlgorithmException if the credential uses an unknown
124	* signature algorithm
125	* @throws NoSuchProviderException if the provider of the signature
126	* algorithm is unavailable
127	* @throws SignatureException if the signature check fails
128	* @throws IOException if the certificate is unparsable.
129	*/
130	protected void init(InputStream stream, Collection<Identity> ids)
131	throws CertificateException, InvalidKeyException,
132	NoSuchAlgorithmException, NoSuchProviderException,
133	SignatureException, IOException {
134	read_certificate(stream);
135	if (ac == null) throw new IOException("Unknown Format");
136	init(ids);
137	}
138
139	/**
140	* Create a credential from an attribute cert in a file. Throws an
141	* exception if the cert file can't be opened or if there's a format
142	* problem with the cert. Note that catching
143	* java.security.GeneralSecurityException catches most of the exceptions
144	* this throws.
145	* @param filename a String containing the filename to read
146	* @param ids a Collection of Identities to use in validating the cert
147	* @throws StreamParsingException if the stream is unparsable
148	* @throws CertificateException if the certificate is badly formatted
149	* @throws InvalidKeyException if none of the Identities can validate the
150	* certificate
151	* @throws NoSuchAlgorithmException if the credential uses an unknown
152	* signature algorithm
153	* @throws NoSuchProviderException if the provider of the signature
154	* algorithm is unavailable
155	* @throws SignatureException if the signature check fails
156	* @throws IOException if the certificate is unparsable.
157	*/
158	public Credential(String filename, Collection<Identity> ids)
159	throws Exception { init(new FileInputStream(filename), ids); }
160
161	/**
162	* Create a credential from an attribute cert in a file. Throws an
163	* exception if the cert file can't be opened or if there's a format
164	* problem with the cert. Note that catching
165	* java.security.GeneralSecurityException catches most of the exceptions
166	* this throws.
167	* @param file the File to read
168	* @param ids a Collection of Identities to use in validating the cert
169	* @throws StreamParsingException if the stream is unparsable
170	* @throws CertificateException if the certificate is badly formatted
171	* @throws InvalidKeyException if none of the Identities can validate the
172	* certificate
173	* @throws NoSuchAlgorithmException if the credential uses an unknown
174	* signature algorithm
175	* @throws NoSuchProviderException if the provider of the signature
176	* algorithm is unavailable
177	* @throws SignatureException if the signature check fails
178	* @throws IOException if the certificate is unparsable.
179	*/
180	public Credential(File file, Collection<Identity> ids)
181	throws CertificateException, InvalidKeyException,
182	NoSuchAlgorithmException, NoSuchProviderException,
183	SignatureException, StreamParsingException, IOException {
184	init(new FileInputStream(file), ids);
185	}
186
187	/**
188	* Create a credential from an InputStream. Throws an exception if the
189	* stream can't be parsed or if there's a format problem with the cert.
190	* Note that catching java.security.GeneralSecurityException catches most
191	* of the exceptions this throws.
192	* @param s the InputStream to read
193	* @param ids a Collection of Identities to use in validating the cert
194	* @throws StreamParsingException if the stream is unparsable
195	* @throws CertificateException if the certificate is badly formatted
196	* @throws InvalidKeyException if none of the Identities can validate the
197	* certificate
198	* @throws NoSuchAlgorithmException if the credential uses an unknown
199	* signature algorithm
200	* @throws NoSuchProviderException if the provider of the signature
201	* algorithm is unavailable
202	* @throws SignatureException if the signature check fails
203	* @throws IOException if the certificate is unparsable.
204	*/
205	public Credential(InputStream s, Collection<Identity> ids)
206	throws CertificateException, InvalidKeyException,
207	NoSuchAlgorithmException, NoSuchProviderException,
208	SignatureException, StreamParsingException, IOException {
209	init(s, ids);
210	}
211
212	/**
213	* Create a credential from an X509V2AttributeCertificate object. Throws
214	* an exception if the certificate doesn't parse into an ABAC credential,
215	* or cannot be validated. Note that catching
216	* java.security.GeneralSecurityException catches most of the exceptions
217	* this throws.
218	* @param c the X509V2AttributeCertificate to create from
219	* @param ids a Collection of Identities to use in validating the cert
220	* @throws CertificateException if the certificate is badly formatted
221	* @throws InvalidKeyException if none of the Identities can validate the
222	* certificate
223	* @throws NoSuchAlgorithmException if the credential uses an unknown
224	* signature algorithm
225	* @throws NoSuchProviderException if the provider of the signature
226	* algorithm is unavailable
227	* @throws SignatureException if the signature check fails
228	* @throws IOException if the certificate is unparsable.
229	*/
230	public Credential(X509V2AttributeCertificate c, Collection<Identity> ids)
231	throws CertificateException, InvalidKeyException,
232	NoSuchAlgorithmException, NoSuchProviderException,
233	SignatureException, IOException {
234	ac = c;
235	init(ids);
236	}
237
238
239	/**
240	* Create a certificate from this credential issued by the given identity.
241	* Note that catching java.security.GeneralSecurityException catches most
242	* of the exceptions this throws.
243	* @param i the Identity that will issue the certificate
244	* @throws IOException reading or writing problems
245	* @throws CertificateEncodingException Problem creating certificate
246	* @throws InvalidKeyException if none of the Identities can sign the
247	* certificate
248	* @throws NoSuchAlgorithmException if the credential uses an unknown
249	* signature algorithm
250	* @throws NoSuchProviderException if the provider of the signature
251	* algorithm is unavailable
252	* @throws SignatureException if the signature creation fails
253	*/
254	public void make_cert(Identity i)
255	throws IOException, CertificateEncodingException,
256	NoSuchProviderException, NoSuchAlgorithmException,
257	SignatureException, InvalidKeyException {
258	PrivateKey key = i.getKeyPair().getPrivate();
259	SubjectPublicKeyInfo pki = Context.extractSubjectPublicKeyInfo(
260	i.getKeyPair().getPublic());
261	X509V2AttributeCertificateGenerator gen =
262	new X509V2AttributeCertificateGenerator();
263
264	gen.setIssuer(new AttributeCertificateIssuer(
265	new X500Principal("CN="+m_head.principal())));
266	gen.setHolder(new AttributeCertificateHolder(
267	new X500Principal("CN="+m_head.principal())));
268	gen.setNotAfter(new Date(System.currentTimeMillis()
269	+ 3600 * 1000 * 24 * 365));
270	gen.setNotBefore(new Date(System.currentTimeMillis()));
271	gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
272	gen.addAttribute(new X509Attribute(attrOID,
273	new DERSequence(
274	new DERSequence(
275	new DERUTF8String(toString())))));
276	gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
277
278	// Creddy expects an authority key identifier.
279	gen.addExtension(authKeyOID, false,
280	new AuthorityKeyIdentifier(pki));
281	// Create the cert.
282	ac = (X509V2AttributeCertificate) gen.generate(key, "BC");
283	id = i;
284	}
285
286	/**
287	* Load the roles off the attribute cert. Throws a RuntimeException if
288	* there's something wrong with the cert.
289	*/
290	private void load_roles() {
291	String roles = null;
292	try {
293	X509Attribute attr = ac.getAttributes()[0];
294
295	DERSequence java = (DERSequence)attr.getValues()[0];
296	DERSequence fucking = (DERSequence)java.getObjectAt(0);
297	DERUTF8String sucks = (DERUTF8String)fucking.getObjectAt(0);
298
299	roles = sucks.getString();
300	}
301	catch (Exception e) {
302	throw new RuntimeException("Badly formatted certificate");
303	}
304
305	String[] parts = roles.split("\\s<--?\\s");
306	if (parts.length != 2)
307	throw new RuntimeException("Invalid attribute: " + roles);
308
309	m_head = new Role(parts[0]);
310	m_tail = new Role(parts[1]);
311	}
312
313	/**
314	* Two credentials are the same if their roles are the same.
315	* @param o an Object to compare
316	* @return true if the Credentials have the Roles
317	*/
318	public boolean equals(Object o) {
319	if ( o instanceof Credential ) {
320	Credential c = (Credential) o;
321
322	if (m_head == null \|\| m_tail == null ) return false;
323	else return (m_head.equals(c.head()) && m_tail.equals(c.tail()));
324	}
325	else return false;
326	}
327
328	/**
329	* Allow credentials to be compared. They are ordered by their Roles, head
330	* then tail.
331	* @param o an Object to compare
332	* @return -1 if this Credential is before, 0 if they are the same, and 1
333	* if this Credential is after the given object.
334	*/
335	public int compareTo(Object o) {
336	if (o instanceof Credential) {
337	Credential c = (Credential) o;
338
339	if (head().equals(c.head())) return tail().compareTo(c.tail());
340	else return head().compareTo(c.head());
341	}
342	else return 1;
343	}
344
345
346	/**
347	* Get the head role from the credential.
348	* @return the Role in the head
349	*/
350	public Role head() { return m_head; }
351
352	/**
353	* Get the tail role from the credential
354	* @return the Role in the tail
355	*/
356	public Role tail() { return m_tail; }
357
358	/**
359	* Gets the cert associated with this credential (if any).
360	* @return the attribute cert associated with this credential (if any).
361	*/
362	public X509V2AttributeCertificate cert() { return ac; }
363
364	/**
365	* Turn the credential into string form. The format is head <- tail. For
366	* example: A.r1 <- B.r2.r3. Principal names are key identifiers.
367	* @return the string form
368	*/
369	public String toString() {
370	return m_head + " <- " + m_tail;
371	}
372
373	/**
374	* Turn the credential into string form. The format is head <- tail. For
375	* example: A.r1 <- B.r2.r3. Principal names are shortened to menmonics
376	* if the Context knows the identity.
377	* @param c the Context to translate names in
378	* @return the string form
379	*/
380	public String simpleString(Context c) {
381	return m_head.simpleString(c) + " <- " + m_tail.simpleString(c);
382	}
383
384	/**
385	* Output the DER formatted attribute certificate associated with this
386	* Credential to the OutputStream.
387	* @param s the OutputStream on which to write
388	* @throws IOException if there is an error writing.
389	*/
390	public void write(OutputStream s) throws IOException {
391	if (ac != null )
392	s.write(ac.getEncoded());
393	s.flush();
394	}
395
396	/**
397	* Output the DER formatted attribute certificate associated with this
398	* Credential to the filename given.
399	* @param fn a String containing the output filename
400	* @throws IOException if there is an error writing.
401	*/
402	public void write(String fn) throws IOException, FileNotFoundException {
403	write(new FileOutputStream(fn));
404	}
405
406	/**
407	* Return true if this Credential has a certificate associated. A jabac
408	* extension.
409	* @return true if this Credential has a certificate associated.
410	*/
411	public boolean hasCertificate() { return ac != null; }
412
413	/**
414	* Return the Identity that issued the underlying certificate. A jabac
415	* extension.
416	* @return the Identity that issued the underlying certificate.
417	*/
418	public Identity issuer() { return id; }
419	/**
420	* Return the X509Certificate that issued the underlying certificate.
421	* @return the X509Certificate that issued the underlying certificate.
422	*/
423	public X509Certificate issuerCert() { return id.getCertificate(); }
424	/**
425	* Return the X509V2AttributeCertificate that underlys the Credential
426	* @return the X509V2AttributeCertificate that underlys the Credential.
427	*/
428	public X509V2AttributeCertificate attributeCert() { return ac; }
429
430
431	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: