Context Navigation

source: java/net/deterlab/abac/GENICredential.java @ 2e87ebb

abac0-leakabac0-mei

Last change on this file since 2e87ebb was a1a9a47, checked in by Ted Faber <faber@…>, 11 years ago
Bump version
Property mode set to `100644`
File size: 18.4 KB

Rev	Line
[3797bbe]	1	package net.deterlab.abac;
	2
	3	import java.io.*;
	4	import java.math.*;
	5	import java.text.*;
	6
	7	import java.util.*;
[fd40109]	8
[3797bbe]	9	import java.security.*;
	10	import java.security.cert.*;
	11
	12	import javax.xml.parsers.*;
	13	import javax.xml.transform.*;
	14	import javax.xml.transform.dom.*;
	15	import javax.xml.transform.stream.*;
	16
	17	import javax.xml.crypto.*;
	18	import javax.xml.crypto.dsig.*;
	19	import javax.xml.crypto.dsig.dom.*;
	20	import javax.xml.crypto.dsig.keyinfo.*;
	21	import javax.xml.crypto.dsig.spec.*;
	22
	23	import org.xml.sax.*;
	24	import org.w3c.dom.*;
	25
	26	/**
[c1736fe]	27	* Abstract Base class from which GENI credentials are derived.
[3797bbe]	28	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
[a1a9a47]	29	* @version 1.5
[3797bbe]	30	*/
[c1736fe]	31	public abstract class GENICredential extends Credential implements Comparable {
[3797bbe]	32	/** The signed XML representing this credential */
	33	protected Document doc;
[d31242c]	34	/** The GENI credential suffix */
	35	private static final String fileSuffix = ".xml";
[797bebe]	36
	37	/**
[61f21c5]	38	* X509KeySelector implementation from
	39	* http://www.outsourcingi.com/art-271-Programming-With-the-Java-XML-Digital-Signature-API.html
	40	* .
	41	*
	42	* Straight ahead extraction of a key from an X509 cert, but it is their
	43	* code and hard to improve on.
[797bebe]	44	*/
[e5ac25b]	45	static protected class X509KeySelector extends KeySelector {
[797bebe]	46	public KeySelectorResult select(KeyInfo keyInfo,
	47	KeySelector.Purpose purpose,
	48	AlgorithmMethod method,
	49	XMLCryptoContext context)
	50	throws KeySelectorException {
	51	Iterator ki = keyInfo.getContent().iterator();
	52	while (ki.hasNext()) {
	53	XMLStructure info = (XMLStructure) ki.next();
	54	if (!(info instanceof X509Data))
	55	continue;
	56	X509Data x509Data = (X509Data) info;
	57	Iterator xi = x509Data.getContent().iterator();
	58	while (xi.hasNext()) {
	59	Object o = xi.next();
	60	if (!(o instanceof X509Certificate))
	61	continue;
	62	final PublicKey key = ((X509Certificate)o).getPublicKey();
	63	// Make sure the algorithm is compatible
	64	// with the method.
	65	if (algEquals(method.getAlgorithm(), key.getAlgorithm())) {
	66	return new KeySelectorResult() {
	67	public Key getKey() { return key; }
	68	};
	69	}
	70	}
	71	}
	72	throw new KeySelectorException("No key found!");
	73	}
	74
	75	boolean algEquals(String algURI, String algName) {
	76	if ((algName.equalsIgnoreCase("DSA") &&
	77	algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) \|\|
	78	(algName.equalsIgnoreCase("RSA") &&
	79
	80	algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1))) {
	81	return true;
	82	} else {
	83	return false;
	84	}
	85	}
	86	}
	87
[3797bbe]	88	/**
	89	* Create an empty Credential.
	90	*/
	91	public GENICredential() {
[7f614c1]	92	super();
[3797bbe]	93	doc = null;
[d31242c]	94	setSuffix(fileSuffix);
[3797bbe]	95	}
	96	/**
	97	* Create a credential from a head and tail role. This credential has no
	98	* underlying certificate, and cannot be exported or used in real proofs.
	99	* make_cert can create a certificate for a credential initialized this
	100	* way.
	101	* @param head the Role at the head of the credential
	102	* @param tail the Role at the tail of the credential
	103	*/
	104	public GENICredential(Role head, Role tail) {
[7f614c1]	105	super(head, tail);
[3797bbe]	106	doc = null;
[d31242c]	107	setSuffix(fileSuffix);
[3797bbe]	108	}
	109
	110	/**
	111	* Do the credential extraction from an input stream. This parses the
	112	* certificate from the input stream and saves it. The contents must be
	113	* validated and parsed later.
	114	* @param stream the InputStream to read the certificate from.
[e5ac25b]	115	* @return the parsed XML document
[3797bbe]	116	* @throws IOException if the stream is unparsable
	117	*/
[e5ac25b]	118	static protected Document read_certificate(InputStream stream)
[3797bbe]	119	throws IOException {
	120	DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
	121	DocumentBuilder db = null;
[e5ac25b]	122	Document ldoc = null;
[3797bbe]	123
	124	if ( dbf == null )
	125	throw new IOException("Cannot get DocumentBuilderFactory!?");
	126	try {
[61f21c5]	127	/* Note this setting is required to find the properly
	128	* namespace-scoped signature block in the credential.
	129	*/
[797bebe]	130	dbf.setNamespaceAware(true);
[3797bbe]	131	if ( (db = dbf.newDocumentBuilder()) == null )
	132	throw new IOException("Cannot get DocumentBuilder!?");
[e5ac25b]	133	ldoc = db.parse(stream);
	134	ldoc.normalizeDocument();
	135	return ldoc;
[3797bbe]	136	}
	137	catch (IllegalArgumentException ie) {
[44896b5]	138	throw new IOException("null stream", ie);
[3797bbe]	139	}
	140	catch (SAXException se) {
[44896b5]	141	throw new IOException(se.getMessage(), se);
[3797bbe]	142	}
	143	catch (Exception e) {
[44896b5]	144	throw new IOException(e.getMessage(), e);
[3797bbe]	145	}
	146
	147	}
	148
[797bebe]	149	/**
	150	* Walk the document and set all instances of an xml:id attribute to be ID
	151	* attributes in terms of the java libraries. This is needed for the
	152	* signature code to find signed subsections. The "xml:id" is treated as
	153	* both a namespace free ID with a colon and as an "id" identifier in the
	154	* "xml" namespace so we don't miss it.
	155	* @param n the root of the document to mark
	156	*/
	157	static protected void setIDAttrs(Node n) {
	158	if ( n.getNodeType() == Node.ELEMENT_NODE) {
	159	Element e = (Element) n;
	160	String id = e.getAttribute("xml:id");
	161
	162	if ( id != null && id.length() > 0 )
	163	e.setIdAttribute("xml:id", true);
	164
	165	id = e.getAttributeNS("xml", "id");
	166	if ( id != null && id.length() > 0 )
	167	e.setIdAttributeNS("xml", "id", true);
	168	}
	169
	170	for (Node nn = n.getFirstChild(); nn != null; nn = nn.getNextSibling())
	171	setIDAttrs(nn);
	172	}
	173
	174	/**
	175	* Return the child of Node n that has the given name, if there is one.
	176	* @param n a Node to search
	177	* @param name the name to search for
	178	* @return a Node with the name, may be null
	179	*/
	180	static protected Node getChildByName(Node n, String name) {
	181	if (name == null ) return null;
	182
	183	for (Node nn = n.getFirstChild(); nn != null; nn = nn.getNextSibling())
	184	if ( nn.getNodeType() == Node.ELEMENT_NODE &&
	185	name.equals(nn.getNodeName())) return nn;
	186	return null;
	187	}
	188
	189	/**
	190	* Find the X509Certificate in the Signature element and convert it to an
	191	* ABAC identity. This assumes a KeyInfo in that section holding an
	192	* X509Data section containing the certificate in an X509Certificate
	193	* section. Any of that not being found will cause a failure. If the
	194	* Identity cannot be created a Gignature exception is thrown.
	195	* @param n a Node pointing to a Signature section
	196	* @return an Identity constructed frm the X509 Certificate
[44896b5]	197	* @throws MissingIssuerException if the Identity cannot be created from the
[797bebe]	198	* certificate.
	199	*/
[44896b5]	200	static protected Identity getIdentity(Node n)
	201	throws MissingIssuerException {
[797bebe]	202	Identity rv = null;
	203	Node nn = getChildByName(n, "KeyInfo");
	204	String certStr = null;
	205
	206	if ( nn == null ) return null;
	207	if ( ( nn = getChildByName(nn, "X509Data")) == null ) return null;
	208	if ( ( nn = getChildByName(nn, "X509Certificate")) == null ) return null;
	209	if ( ( certStr = nn.getTextContent()) == null ) return null;
	210	try {
	211	certStr = "-----BEGIN CERTIFICATE-----\n" +
	212	certStr +
	213	"\n-----END CERTIFICATE-----";
	214	return new Identity(new StringReader(certStr));
	215	}
	216	catch (Exception e) {
[44896b5]	217	throw new MissingIssuerException(e.getMessage(), e);
[797bebe]	218	}
	219	}
	220
[2405adf]	221	static protected Date getTime(Document d, String field)
[fd40109]	222	throws ABACException {
	223	Node root = null;
	224	Node n = null;
	225	SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssz");
	226	Date date = null;
	227	String dstr = null;
	228
	229	if ( (root = getChildByName(d, "signed-credential")) == null)
	230	throw new CertInvalidException("No signed-credential element");
	231	if ( (n = getChildByName(root, "credential")) == null )
	232	throw new CertInvalidException("No credential element");
	233	if ( (n = getChildByName(n, field)) == null )
	234	throw new CertInvalidException("No " + field + " element");
	235
	236	if ( ( dstr = n.getTextContent()) == null )
	237	throw new CertInvalidException("No expires content");
	238
	239	dstr = dstr.replace("Z", "GMT");
	240	if ((date = df.parse(dstr, new ParsePosition(0))) == null)
	241	throw new CertInvalidException("Cannot parse date: "+
	242	n.getTextContent());
	243
[2405adf]	244	return date;
[fd40109]	245	}
	246
[3797bbe]	247	/**
	248	* Initialize a credential from parsed certificate. Validiate it against
	249	* the given identities and parse out the roles. Note that catching
	250	* java.security.GeneralSecurityException catches most of the exceptions
	251	* this throws.
	252	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	253	* @throws CertInvalidException if the stream is unparsable
	254	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	255	* certificate
[44896b5]	256	* @throws BadSignatureException if the signature check fails
[3797bbe]	257	*/
	258	protected void init(Collection<Identity> ids)
[44896b5]	259	throws ABACException {
[3797bbe]	260
	261	XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
	262	NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS,
[797bebe]	263	"Signature");
[3797bbe]	264	DOMValidateContext valContext = null;
	265	XMLSignature signature = null;
	266
	267	try {
	268
	269	if (nl.getLength() == 0)
[44896b5]	270	throw new CertInvalidException("Cannot find Signature element");
[3797bbe]	271
[797bebe]	272	setIDAttrs(doc);
	273	valContext = new DOMValidateContext(new X509KeySelector(),
	274	nl.item(0));
[3797bbe]	275	if ( valContext == null )
[44896b5]	276	throw new ABACException("No validation context!?");
[3797bbe]	277
	278	signature = fac.unmarshalXMLSignature(valContext);
	279	if (signature == null)
[44896b5]	280	throw new BadSignatureException("Cannot unmarshal signature");
[3797bbe]	281
	282	if (!signature.validate(valContext))
[44896b5]	283	throw new BadSignatureException("bad signature");
[3797bbe]	284
[7f614c1]	285	m_expiration = getTime(doc, "expires");
[2405adf]	286
[7f614c1]	287	if ( m_expiration.before(new Date()))
	288	throw new CertInvalidException("Certificate Expired " +
	289	m_expiration);
[fd40109]	290
[3797bbe]	291	load_roles();
	292
[797bebe]	293	id = getIdentity(nl.item(0));
	294
	295	if ( !ids.contains(id) ) ids.add(id);
	296
[3797bbe]	297	if (!id.getKeyID().equals(m_head.principal()))
[44896b5]	298	throw new MissingIssuerException("Issuer ID and left hand " +
	299	"side principal disagree");
	300	}
	301	catch (ABACException ae) {
	302	throw ae;
[3797bbe]	303	}
	304	catch (Exception e) {
[44896b5]	305	throw new BadSignatureException(e.getMessage(), e);
[3797bbe]	306	}
	307	}
	308
	309	/**
	310	* Parse a credential from an InputStream and initialize the role from it.
	311	* Combine read_credential(stream) and init(ids). Note that catching
	312	* java.security.GeneralSecurityException catches most of the exceptions
	313	* this throws.
	314	* @param stream the InputStream to read the certificate from.
	315	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	316	* @throws CertInvalidException if the stream is unparsable
	317	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	318	* certificate
[44896b5]	319	* @throws BadSignatureException if the signature check fails
[3797bbe]	320	*/
	321	protected void init(InputStream stream, Collection<Identity> ids)
[44896b5]	322	throws ABACException {
	323	try {
[e5ac25b]	324	doc = read_certificate(stream);
[44896b5]	325	}
	326	catch (IOException e) {
	327	throw new CertInvalidException("Cannot parse cert", e);
	328	}
	329	if (doc == null) throw new CertInvalidException("Unknown Format");
[3797bbe]	330	init(ids);
	331	}
	332
	333	/**
	334	* Create a credential from an attribute cert in a file. Throws an
	335	* exception if the cert file can't be opened or if there's a format
	336	* problem with the cert. Note that catching
	337	* java.security.GeneralSecurityException catches most of the exceptions
	338	* this throws.
	339	* @param filename a String containing the filename to read
	340	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	341	* @throws CertInvalidException if the stream is unparsable
	342	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	343	* certificate
[44896b5]	344	* @throws BadSignatureException if the signature check fails
[3797bbe]	345	*/
[4d5f56d]	346	GENICredential(String filename, Collection<Identity> ids)
[44896b5]	347	throws ABACException {
[d31242c]	348	super();
	349	setSuffix(fileSuffix);
[44896b5]	350	try {
	351	init(new FileInputStream(filename), ids);
	352	}
	353	catch (FileNotFoundException e) {
	354	throw new CertInvalidException("Bad filename", e);
	355	}
	356	}
[3797bbe]	357
	358	/**
	359	* Create a credential from an attribute cert in a file. Throws an
	360	* exception if the cert file can't be opened or if there's a format
	361	* problem with the cert. Note that catching
	362	* java.security.GeneralSecurityException catches most of the exceptions
	363	* this throws.
	364	* @param file the File to read
	365	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	366	* @throws CertInvalidException if the stream is unparsable
	367	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	368	* certificate
[44896b5]	369	* @throws BadSignatureException if the signature check fails
[3797bbe]	370	*/
[4d5f56d]	371	GENICredential(File file, Collection<Identity> ids)
[44896b5]	372	throws ABACException {
[d31242c]	373	super();
	374	setSuffix(fileSuffix);
[44896b5]	375	try {
	376	init(new FileInputStream(file), ids);
	377	}
	378	catch (FileNotFoundException e) {
	379	throw new CertInvalidException("Bad filename", e);
	380	}
[3797bbe]	381	}
	382
	383	/**
	384	* Create a credential from an InputStream. Throws an exception if the
	385	* stream can't be parsed or if there's a format problem with the cert.
	386	* Note that catching java.security.GeneralSecurityException catches most
	387	* of the exceptions this throws.
	388	* @param s the InputStream to read
	389	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	390	* @throws CertInvalidException if the stream is unparsable
	391	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	392	* certificate
[44896b5]	393	* @throws BadSignatureException if the signature check fails
[3797bbe]	394	*/
[4d5f56d]	395	GENICredential(InputStream s, Collection<Identity> ids)
[d31242c]	396	throws ABACException {
	397	super();
	398	setSuffix(fileSuffix);
	399	init(s, ids);
	400	}
[3797bbe]	401
[61f21c5]	402	/**
[c1736fe]	403	* Encode the abac credential's XML and set the validity. Overload this to
	404	* build a real credential.
[675770e]	405	* @param validity a long holding the number of seconds that the credential
	406	* is valid for.
[61f21c5]	407	* @return a Node, the place to attach signatures
[44896b5]	408	* @throws ABACException if any of the XML construction fails
[61f21c5]	409	*/
[c1736fe]	410	abstract protected Node make_rt0_content(long validity)
	411	throws ABACException;
[61f21c5]	412
[3797bbe]	413	/**
[675770e]	414	* Create a certificate from this credential issued by the given identity
	415	* valid for the given time (in seconds). This is the signed XML ABAC
	416	* credential.
[3797bbe]	417	* @param i the Identity that will issue the certificate
[675770e]	418	* @param validity a long holding the number of seconds that the credential
	419	* is valid for.
[44896b5]	420	* @throws ABACException if xml creation fails
	421	* @throws MissingIssuerException if the issuer is bad
	422	* @throws BadSignatureException if the signature creation fails
[3797bbe]	423	*/
[675770e]	424	public void make_cert(Identity i, long validity)
[44896b5]	425	throws ABACException {
[61f21c5]	426	X509Certificate cert = i.getCertificate();
	427	KeyPair kp = i.getKeyPair();
	428	PublicKey pubKey = null;
	429	PrivateKey privKey = null;
	430	if ( cert == null )
[44896b5]	431	throw new MissingIssuerException("No credential in identity?");
[61f21c5]	432	if ( kp == null )
[44896b5]	433	throw new MissingIssuerException("No keypair in identity?");
[61f21c5]	434
	435	pubKey = kp.getPublic();
	436	if ((privKey = kp.getPrivate()) == null )
[44896b5]	437	throw new MissingIssuerException("No private ket in identity");
[61f21c5]	438
	439	XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
	440	Reference ref = null;
	441	SignedInfo si = null;
	442	KeyInfoFactory kif = fac.getKeyInfoFactory();
[152673d]	443
	444	/* The <Object> doesn't say much, but shuts the compiler up about
	445	* unchecked references. The lists are polymorphyc and the signature
	446	* libs expect that, so <Object> is the best we can do.
	447	*/
	448	List<Object> x509Content = new ArrayList<Object>();
	449	List<Object> keyInfo = new ArrayList<Object>();
[61f21c5]	450	x509Content.add(cert.getSubjectX500Principal().getName());
	451	x509Content.add(cert);
	452	X509Data xd = kif.newX509Data(x509Content);
	453	KeyValue kv = null;
	454
[3797bbe]	455	try {
[61f21c5]	456	kv = kif.newKeyValue(pubKey);
	457	}
	458	catch (KeyException ke) {
[44896b5]	459	throw new ABACException("Unsupported key format " +
	460	ke.getMessage(), ke);
[61f21c5]	461	}
	462
	463	Collections.addAll(keyInfo, kv, xd);
	464
	465	KeyInfo ki = kif.newKeyInfo(keyInfo);
[675770e]	466	Node sig = make_rt0_content(validity);
[61f21c5]	467
	468	try {
	469	ref = fac.newReference("#ref0",
[3797bbe]	470	fac.newDigestMethod(DigestMethod.SHA1, null),
	471	Collections.singletonList(
	472	fac.newTransform(Transform.ENVELOPED,
	473	(TransformParameterSpec) null)),
	474	null, null);
	475
[61f21c5]	476	si = fac.newSignedInfo(
[797bebe]	477	fac.newCanonicalizationMethod(
	478	CanonicalizationMethod.INCLUSIVE,
[3797bbe]	479	(C14NMethodParameterSpec) null),
	480	fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
	481	Collections.singletonList(ref));
	482
[61f21c5]	483	DOMSignContext dsc = new DOMSignContext(privKey, sig);
[3797bbe]	484	XMLSignature signature = fac.newXMLSignature(si, ki);
	485	signature.sign(dsc);
	486	}
[61f21c5]	487	catch (Exception me) {
[44896b5]	488	throw new BadSignatureException(me.getMessage(), me);
[3797bbe]	489	}
	490
	491	}
	492
[675770e]	493	/**
	494	* Create a certificate from this credential issued by the given identity
	495	* valid for the default validity period. This is the signed XML ABAC
	496	* credential.
	497	* @param i the Identity that will issue the certificate
	498	* @throws ABACException if xml creation fails
	499	* @throws MissingIssuerException if the issuer is bad
	500	* @throws BadSignatureException if the signature creation fails
	501	*/
	502	public void make_cert(Identity i)
	503	throws ABACException {
	504	make_cert(i, defaultValidity);
	505	}
	506
[3797bbe]	507	/**
[c1736fe]	508	* Load the roles off the attribute cert. Overload it to make a real
	509	* credential.
[44896b5]	510	* @throws CertInvalidException if the certificate is badly formatted
[3797bbe]	511	*/
[c1736fe]	512	abstract protected void load_roles() throws CertInvalidException;
[3797bbe]	513	/**
	514	* Output the signed GENI ABAC certificate associated with this
	515	* Credential to the OutputStream.
	516	* @param s the OutputStream on which to write
	517	* @throws IOException if there is an error writing.
	518	*/
	519	public void write(OutputStream s) throws IOException {
	520	if ( doc == null )
	521	return;
	522	try {
	523	TransformerFactory tf = TransformerFactory.newInstance();
	524	Transformer t = tf.newTransformer();
	525	DOMSource source = new DOMSource(doc);
	526	StreamResult result = new StreamResult(s);
	527
	528	t.transform(source, result);
	529	s.flush();
	530	}
	531	catch (Exception e) {
[44896b5]	532	throw new IOException(e.getMessage(), e);
[3797bbe]	533	}
	534	}
	535	/**
	536	* Output the signed GENI ABAC certificate associated with this
[7b33c9b]	537	* Credential to the OutputStream.
	538	* @param fn a String, the file name on which to write
[3797bbe]	539	* @throws IOException if there is an error writing.
[44896b5]	540	* @throws FileNotFoundExeption if the file path is bogus
[3797bbe]	541	*/
	542	public void write(String fn) throws IOException, FileNotFoundException {
	543	write(new FileOutputStream(fn));
	544	}
	545
	546	/**
	547	* Return true if this Credential has a certificate associated. A jabac
	548	* extension.
	549	* @return true if this Credential has a certificate associated.
	550	*/
	551	public boolean hasCertificate() { return doc != null; }
	552
	553	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: