source: java/net/deterlab/abac/Credential.java @ ea38d81

abac0-leak
Last change on this file since ea38d81 was a1a9a47, checked in by Ted Faber <faber@…>, 11 years ago

Bump version

  • Property mode set to 100644
File size: 9.2 KB
Line 
1package net.deterlab.abac;
2
3import java.io.*;
4import java.math.*;
5
6import java.util.*;
7import java.security.*;
8import java.security.cert.*;
9
10import javax.security.auth.x500.*;
11
12import org.bouncycastle.asn1.*;
13import org.bouncycastle.asn1.x509.*;
14import org.bouncycastle.x509.*;
15import org.bouncycastle.x509.util.*;
16import org.bouncycastle.openssl.*;
17
18/**
19 * An ABAC credential, with or without an underlying certificate that
20 * represents it.  These are edges in proof graphs and can be constructed from
21 * their constituent Roles.
22 * @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
23 * @version 1.5
24 */
25public abstract class Credential implements Comparable {
26    /** Default validity period (in seconds) */
27    static public long defaultValidity = 3600L * 24L * 365L;
28    /** The role at the head */
29    protected Role m_head
30    /** The role at the tail */;
31    protected Role m_tail;
32    /** The identity that issued the certificate */
33    protected Identity id;
34    /** The expiration time of the credential */
35    protected Date m_expiration;
36    /**
37     * Suggested file suffix to save this format credential under.  Subclasses
38      should override it.
39     */
40    protected String suffix;
41    /** Default file suffix. */
42    private static final String defSuffix = ".cred";
43
44    /**
45     * Create an empty Credential.
46     */
47    Credential() {
48        m_head = m_tail = null;
49        id = null;
50        m_expiration = null;
51        suffix = defSuffix;
52    }
53    /**
54     * Create a credential from a head and tail role.  This credential has no
55     * underlying certificate, and cannot be exported or used in real proofs.
56     * make_cert can create a certificate for a credential initialized this
57     * way.
58     * @param head the Role at the head of the credential
59     * @param tail the Role at the tail of the credential
60     */
61    Credential(Role head, Role tail) {
62        m_head = head;
63        m_tail = tail;
64        id = null;
65        m_expiration = null;
66        suffix = defSuffix;
67    }
68
69    /**
70     * Create a credential from an attribute cert in a file. Throws an
71     * exception if the cert file can't be opened or if there's a format
72     * problem with the cert.  Note that catching
73     * java.security.GeneralSecurityException catches most of the exceptions
74     * this throws.
75     * @param filename a String containing the filename to read
76     * @param ids a Collection of Identities to use in validating the cert
77     * @throws CertInvalidException if the stream is unparsable
78     * @throws MissingIssuerException if none of the Identities can validate the
79     *                              certificate
80     * @throws BadSignatureException if the signature check fails
81     */
82    Credential(String filename, Collection<Identity> ids) 
83        throws ABACException { this(); }
84
85    /**
86     * Create a credential from an attribute cert in a file. Throws an
87     * exception if the cert file can't be opened or if there's a format
88     * problem with the cert.  Note that catching
89     * java.security.GeneralSecurityException catches most of the exceptions
90     * this throws.
91     * @param file the File to read
92     * @param ids a Collection of Identities to use in validating the cert
93     * @throws CertInvalidException if the stream is unparsable
94     * @throws MissingIssuerException if none of the Identities can validate the
95     *                              certificate
96     * @throws BadSignatureException if the signature check fails
97     */
98    Credential(File file, Collection<Identity> ids) 
99            throws ABACException { this(); }
100
101    /**
102     * Create a credential from an InputStream.  Throws an exception if the
103     * stream can't be parsed or if there's a format problem with the cert.
104     * Note that catching java.security.GeneralSecurityException catches most
105     * of the exceptions this throws.
106     * @param s the InputStream to read
107     * @param ids a Collection of Identities to use in validating the cert
108     * @throws CertInvalidException if the stream is unparsable
109     * @throws MissingIssuerException if none of the Identities can validate the
110     *                              certificate
111     * @throws BadSignatureException if the signature check fails
112     */
113    Credential(InputStream s, Collection<Identity> ids) 
114            throws ABACException { this(); }
115
116    /**
117     * Create a certificate from this credential issued by the given identity,
118     * valid for the given time.
119     * @param i the Identity that will issue the certificate
120     * @param validity a long holding the number of seconds that the credential
121     * is valid for.
122     * @throws ABACException for Credential-specific errors
123     * @throws MissingIssuerException the identity is invalid
124     * @throws BadSignatureException if the signature creation fails
125     */
126    public abstract void make_cert(Identity i, long validity) 
127            throws ABACException;
128    /**
129     * Create a certificate from this credential issued by the given identity,
130     * valid for the default interval.
131     * @param i the Identity that will issue the certificate
132     * @throws ABACException for Credential-specific errors
133     * @throws MissingIssuerException the identity is invalid
134     * @throws BadSignatureException if the signature creation fails
135     */
136    public abstract void make_cert(Identity i) 
137            throws ABACException;
138
139    /**
140     * Return true if 2 credentials represent the same ABAC. Two credentials
141     * are the same if their roles are the same.
142     * @param o an Object to compare
143     * @return true if the Credentials have the Roles
144     */
145    public boolean equals(Object o) {
146        if ( o instanceof Credential ) {
147            Credential c = (Credential) o;
148
149            if (m_head == null || m_tail == null ) return false;
150            else return (m_head.equals(c.head()) && m_tail.equals(c.tail()));
151        }
152        else return false;
153    }
154
155    /**
156     * Return a hash code for the Credential - the hashes of its roles.
157     * @return an int, the hashCode
158     */
159    public int hashCode() {
160        if ( m_head == null || m_tail == null) return super.hashCode();
161
162        return m_head.hashCode() + m_tail.hashCode();
163    }
164
165    /**
166     * Compare 2 credentials for sorting.  They are ordered by their Roles,
167     * head then tail.
168     * @param o an Object to compare
169     * @return -1 if this Credential is before, 0 if they are the same, and 1
170     *              if this Credential is after the given object.
171     */
172    public int compareTo(Object o) {
173        if (o instanceof Credential) {
174            Credential c = (Credential) o;
175
176            if (head().equals(c.head())) return tail().compareTo(c.tail());
177            else return head().compareTo(c.head());
178        }
179        else return 1;
180    }
181
182
183    /**
184     * Get the head role from the credential.
185     * @return the Role in the head
186     */
187    public Role head() { return m_head; }
188
189    /**
190     * Get the tail role from the credential
191     * @return the Role in the tail
192     */
193    public Role tail() { return m_tail; }
194
195    /**
196     * Get the expiration Date of the credential.
197     */
198    public Date expiration() { return m_expiration; }
199
200    /**
201     * Return an untranslated string form of the credential. The format is head
202     * &lt;- tail. For example: A.r1 &lt;- B.r2.r3.  Principal names are key
203     * identifiers.
204     * @return the string form
205     */
206    public String toString() {
207        return m_head + " <- " + m_tail;
208    }
209
210    /**
211     * Return a translated string form of the credential. The format is head
212     * &lt;- tail. For example: A.r1 &lt;- B.r2.r3.  Principal names are
213     * shortened to menmonics if the Context knows the identity.
214     * @param c the Context to translate names in
215     * @return the string form
216     */
217    public String simpleString(Context c) {
218        return m_head.simpleString(c) + " <- " + m_tail.simpleString(c);
219    }
220
221    /**
222     * Output the external representation of the Credential to the OutputStream
223     * given. Subclasses will overload this for their output format.
224     * @param s the OutputStream on which to write
225     * @throws IOException if there is an error writing.
226     */
227    public abstract void write(OutputStream s) throws IOException;
228
229    /**
230     * Output the external representation of the Credential to the filename
231     * given. Subclasses will overload this for their output format.
232     * @param fn a String containing the output filename
233     * @throws IOException if there is an error writing.
234     */
235    public abstract void write(String fn) 
236        throws IOException, FileNotFoundException;
237
238    /**
239     * Return true if this Credential has a certificate associated.  A jabac
240     * extension.
241     * @return true if this Credential has a certificate associated.
242     */
243    public abstract boolean hasCertificate();
244
245    /**
246     * Return the Identity that issued the underlying certificate (if any).  A
247     * jabac extension.
248     * @return the Identity that issued the underlying certificate.
249     */
250    public Identity issuer() { return id; }
251
252    /**
253     * Return an suggested suffix for output files (most start with a ".").
254     * @return a String, an optional suffix for output files.
255     */
256    public String getSuffix() { return suffix; } 
257
258    /**
259     * Set the suggested suffix for output files (most start with a ".").
260     * Available for subclasses to set the value without knowing the member
261     * name.
262     * @param suff a String, an optional suffix for output files.
263     */
264    protected void setSuffix(String suff) { suffix = suff; } 
265
266}
Note: See TracBrowser for help on using the repository browser.