Context Navigation

source: java/net/deterlab/abac/GENICredential.java @ 461edba

Last change on this file since 461edba was 461edba, checked in by Ted Faber <faber@…>, 10 years ago
Clean up javadoc for v8.
Property mode set to `100644`
File size: 18.5 KB

Rev	Line
[3797bbe]	1	package net.deterlab.abac;
	2
	3	import java.io.*;
	4	import java.math.*;
	5	import java.text.*;
	6
	7	import java.util.*;
[fd40109]	8
[3797bbe]	9	import java.security.*;
	10	import java.security.cert.*;
	11
	12	import javax.xml.parsers.*;
	13	import javax.xml.transform.*;
	14	import javax.xml.transform.dom.*;
	15	import javax.xml.transform.stream.*;
	16
	17	import javax.xml.crypto.*;
	18	import javax.xml.crypto.dsig.*;
	19	import javax.xml.crypto.dsig.dom.*;
	20	import javax.xml.crypto.dsig.keyinfo.*;
	21	import javax.xml.crypto.dsig.spec.*;
	22
	23	import org.xml.sax.*;
	24	import org.w3c.dom.*;
	25
	26	/**
[c1736fe]	27	* Abstract Base class from which GENI credentials are derived.
[3797bbe]	28	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
[a1a9a47]	29	* @version 1.5
[3797bbe]	30	*/
[c1736fe]	31	public abstract class GENICredential extends Credential implements Comparable {
[3797bbe]	32	/** The signed XML representing this credential */
	33	protected Document doc;
[d31242c]	34	/** The GENI credential suffix */
	35	private static final String fileSuffix = ".xml";
[797bebe]	36
	37	/**
[61f21c5]	38	* X509KeySelector implementation from
	39	* http://www.outsourcingi.com/art-271-Programming-With-the-Java-XML-Digital-Signature-API.html
	40	* .
	41	*
	42	* Straight ahead extraction of a key from an X509 cert, but it is their
	43	* code and hard to improve on.
[797bebe]	44	*/
[e5ac25b]	45	static protected class X509KeySelector extends KeySelector {
[797bebe]	46	public KeySelectorResult select(KeyInfo keyInfo,
	47	KeySelector.Purpose purpose,
	48	AlgorithmMethod method,
	49	XMLCryptoContext context)
	50	throws KeySelectorException {
	51	Iterator ki = keyInfo.getContent().iterator();
	52	while (ki.hasNext()) {
	53	XMLStructure info = (XMLStructure) ki.next();
	54	if (!(info instanceof X509Data))
	55	continue;
	56	X509Data x509Data = (X509Data) info;
	57	Iterator xi = x509Data.getContent().iterator();
	58	while (xi.hasNext()) {
	59	Object o = xi.next();
	60	if (!(o instanceof X509Certificate))
	61	continue;
	62	final PublicKey key = ((X509Certificate)o).getPublicKey();
	63	// Make sure the algorithm is compatible
	64	// with the method.
	65	if (algEquals(method.getAlgorithm(), key.getAlgorithm())) {
	66	return new KeySelectorResult() {
	67	public Key getKey() { return key; }
	68	};
	69	}
	70	}
	71	}
	72	throw new KeySelectorException("No key found!");
	73	}
	74
	75	boolean algEquals(String algURI, String algName) {
	76	if ((algName.equalsIgnoreCase("DSA") &&
	77	algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) \|\|
	78	(algName.equalsIgnoreCase("RSA") &&
	79
	80	algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1))) {
	81	return true;
	82	} else {
	83	return false;
	84	}
	85	}
	86	}
	87
[3797bbe]	88	/**
	89	* Create an empty Credential.
	90	*/
	91	public GENICredential() {
[7f614c1]	92	super();
[3797bbe]	93	doc = null;
[d31242c]	94	setSuffix(fileSuffix);
[3797bbe]	95	}
	96	/**
	97	* Create a credential from a head and tail role. This credential has no
	98	* underlying certificate, and cannot be exported or used in real proofs.
	99	* make_cert can create a certificate for a credential initialized this
	100	* way.
	101	* @param head the Role at the head of the credential
	102	* @param tail the Role at the tail of the credential
	103	*/
	104	public GENICredential(Role head, Role tail) {
[7f614c1]	105	super(head, tail);
[3797bbe]	106	doc = null;
[d31242c]	107	setSuffix(fileSuffix);
[3797bbe]	108	}
	109
	110	/**
	111	* Do the credential extraction from an input stream. This parses the
	112	* certificate from the input stream and saves it. The contents must be
	113	* validated and parsed later.
	114	* @param stream the InputStream to read the certificate from.
[e5ac25b]	115	* @return the parsed XML document
[3797bbe]	116	* @throws IOException if the stream is unparsable
	117	*/
[e5ac25b]	118	static protected Document read_certificate(InputStream stream)
[3797bbe]	119	throws IOException {
	120	DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
	121	DocumentBuilder db = null;
[e5ac25b]	122	Document ldoc = null;
[3797bbe]	123
	124	if ( dbf == null )
	125	throw new IOException("Cannot get DocumentBuilderFactory!?");
	126	try {
[61f21c5]	127	/* Note this setting is required to find the properly
	128	* namespace-scoped signature block in the credential.
	129	*/
[797bebe]	130	dbf.setNamespaceAware(true);
[3797bbe]	131	if ( (db = dbf.newDocumentBuilder()) == null )
	132	throw new IOException("Cannot get DocumentBuilder!?");
[e5ac25b]	133	ldoc = db.parse(stream);
	134	ldoc.normalizeDocument();
	135	return ldoc;
[3797bbe]	136	}
	137	catch (IllegalArgumentException ie) {
[44896b5]	138	throw new IOException("null stream", ie);
[3797bbe]	139	}
	140	catch (SAXException se) {
[44896b5]	141	throw new IOException(se.getMessage(), se);
[3797bbe]	142	}
	143	catch (Exception e) {
[44896b5]	144	throw new IOException(e.getMessage(), e);
[3797bbe]	145	}
	146
	147	}
	148
[797bebe]	149	/**
	150	* Walk the document and set all instances of an xml:id attribute to be ID
	151	* attributes in terms of the java libraries. This is needed for the
	152	* signature code to find signed subsections. The "xml:id" is treated as
	153	* both a namespace free ID with a colon and as an "id" identifier in the
	154	* "xml" namespace so we don't miss it.
	155	* @param n the root of the document to mark
	156	*/
	157	static protected void setIDAttrs(Node n) {
	158	if ( n.getNodeType() == Node.ELEMENT_NODE) {
	159	Element e = (Element) n;
	160	String id = e.getAttribute("xml:id");
	161
	162	if ( id != null && id.length() > 0 )
	163	e.setIdAttribute("xml:id", true);
	164
	165	id = e.getAttributeNS("xml", "id");
	166	if ( id != null && id.length() > 0 )
	167	e.setIdAttributeNS("xml", "id", true);
	168	}
	169
	170	for (Node nn = n.getFirstChild(); nn != null; nn = nn.getNextSibling())
	171	setIDAttrs(nn);
	172	}
	173
	174	/**
	175	* Return the child of Node n that has the given name, if there is one.
	176	* @param n a Node to search
	177	* @param name the name to search for
	178	* @return a Node with the name, may be null
	179	*/
	180	static protected Node getChildByName(Node n, String name) {
	181	if (name == null ) return null;
	182
	183	for (Node nn = n.getFirstChild(); nn != null; nn = nn.getNextSibling())
	184	if ( nn.getNodeType() == Node.ELEMENT_NODE &&
	185	name.equals(nn.getNodeName())) return nn;
	186	return null;
	187	}
	188
	189	/**
	190	* Find the X509Certificate in the Signature element and convert it to an
	191	* ABAC identity. This assumes a KeyInfo in that section holding an
	192	* X509Data section containing the certificate in an X509Certificate
	193	* section. Any of that not being found will cause a failure. If the
	194	* Identity cannot be created a Gignature exception is thrown.
	195	* @param n a Node pointing to a Signature section
	196	* @return an Identity constructed frm the X509 Certificate
[44896b5]	197	* @throws MissingIssuerException if the Identity cannot be created from the
[797bebe]	198	* certificate.
	199	*/
[44896b5]	200	static protected Identity getIdentity(Node n)
	201	throws MissingIssuerException {
[797bebe]	202	Identity rv = null;
	203	Node nn = getChildByName(n, "KeyInfo");
	204	String certStr = null;
	205
	206	if ( nn == null ) return null;
	207	if ( ( nn = getChildByName(nn, "X509Data")) == null ) return null;
	208	if ( ( nn = getChildByName(nn, "X509Certificate")) == null ) return null;
	209	if ( ( certStr = nn.getTextContent()) == null ) return null;
	210	try {
	211	certStr = "-----BEGIN CERTIFICATE-----\n" +
	212	certStr +
	213	"\n-----END CERTIFICATE-----";
	214	return new Identity(new StringReader(certStr));
	215	}
	216	catch (Exception e) {
[44896b5]	217	throw new MissingIssuerException(e.getMessage(), e);
[797bebe]	218	}
	219	}
	220
[2405adf]	221	static protected Date getTime(Document d, String field)
[fd40109]	222	throws ABACException {
	223	Node root = null;
	224	Node n = null;
	225	SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssz");
	226	Date date = null;
	227	String dstr = null;
	228
	229	if ( (root = getChildByName(d, "signed-credential")) == null)
	230	throw new CertInvalidException("No signed-credential element");
	231	if ( (n = getChildByName(root, "credential")) == null )
	232	throw new CertInvalidException("No credential element");
	233	if ( (n = getChildByName(n, field)) == null )
	234	throw new CertInvalidException("No " + field + " element");
	235
	236	if ( ( dstr = n.getTextContent()) == null )
	237	throw new CertInvalidException("No expires content");
	238
	239	dstr = dstr.replace("Z", "GMT");
	240	if ((date = df.parse(dstr, new ParsePosition(0))) == null)
	241	throw new CertInvalidException("Cannot parse date: "+
	242	n.getTextContent());
	243
[2405adf]	244	return date;
[fd40109]	245	}
	246
[3797bbe]	247	/**
	248	* Initialize a credential from parsed certificate. Validiate it against
	249	* the given identities and parse out the roles. Note that catching
	250	* java.security.GeneralSecurityException catches most of the exceptions
	251	* this throws.
	252	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	253	* @throws CertInvalidException if the stream is unparsable
	254	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	255	* certificate
[44896b5]	256	* @throws BadSignatureException if the signature check fails
[3797bbe]	257	*/
	258	protected void init(Collection<Identity> ids)
[44896b5]	259	throws ABACException {
[3797bbe]	260
	261	XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
	262	NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS,
[797bebe]	263	"Signature");
[3797bbe]	264	DOMValidateContext valContext = null;
	265	XMLSignature signature = null;
	266
	267	try {
	268
	269	if (nl.getLength() == 0)
[44896b5]	270	throw new CertInvalidException("Cannot find Signature element");
[3797bbe]	271
[797bebe]	272	setIDAttrs(doc);
	273	valContext = new DOMValidateContext(new X509KeySelector(),
	274	nl.item(0));
[3797bbe]	275	if ( valContext == null )
[44896b5]	276	throw new ABACException("No validation context!?");
[3797bbe]	277
	278	signature = fac.unmarshalXMLSignature(valContext);
	279	if (signature == null)
[44896b5]	280	throw new BadSignatureException("Cannot unmarshal signature");
[3797bbe]	281
	282	if (!signature.validate(valContext))
[44896b5]	283	throw new BadSignatureException("bad signature");
[3797bbe]	284
[7f614c1]	285	m_expiration = getTime(doc, "expires");
[2405adf]	286
[7f614c1]	287	if ( m_expiration.before(new Date()))
	288	throw new CertInvalidException("Certificate Expired " +
	289	m_expiration);
[fd40109]	290
[3797bbe]	291	load_roles();
	292
[081eabc]	293	// Load the issuer identity from the credential. If the identity in
	294	// the credential is invalid throw out the credential (the
	295	// getIdentity call will throw an exception)
[797bebe]	296	id = getIdentity(nl.item(0));
	297
	298	if ( !ids.contains(id) ) ids.add(id);
	299
[3797bbe]	300	if (!id.getKeyID().equals(m_head.principal()))
[44896b5]	301	throw new MissingIssuerException("Issuer ID and left hand " +
	302	"side principal disagree");
	303	}
	304	catch (ABACException ae) {
	305	throw ae;
[3797bbe]	306	}
	307	catch (Exception e) {
[44896b5]	308	throw new BadSignatureException(e.getMessage(), e);
[3797bbe]	309	}
	310	}
	311
	312	/**
	313	* Parse a credential from an InputStream and initialize the role from it.
	314	* Combine read_credential(stream) and init(ids). Note that catching
	315	* java.security.GeneralSecurityException catches most of the exceptions
	316	* this throws.
	317	* @param stream the InputStream to read the certificate from.
	318	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	319	* @throws CertInvalidException if the stream is unparsable
	320	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	321	* certificate
[44896b5]	322	* @throws BadSignatureException if the signature check fails
[3797bbe]	323	*/
	324	protected void init(InputStream stream, Collection<Identity> ids)
[44896b5]	325	throws ABACException {
	326	try {
[e5ac25b]	327	doc = read_certificate(stream);
[44896b5]	328	}
	329	catch (IOException e) {
	330	throw new CertInvalidException("Cannot parse cert", e);
	331	}
	332	if (doc == null) throw new CertInvalidException("Unknown Format");
[3797bbe]	333	init(ids);
	334	}
	335
	336	/**
	337	* Create a credential from an attribute cert in a file. Throws an
	338	* exception if the cert file can't be opened or if there's a format
	339	* problem with the cert. Note that catching
	340	* java.security.GeneralSecurityException catches most of the exceptions
	341	* this throws.
	342	* @param filename a String containing the filename to read
	343	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	344	* @throws CertInvalidException if the stream is unparsable
	345	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	346	* certificate
[44896b5]	347	* @throws BadSignatureException if the signature check fails
[3797bbe]	348	*/
[4d5f56d]	349	GENICredential(String filename, Collection<Identity> ids)
[44896b5]	350	throws ABACException {
[d31242c]	351	super();
	352	setSuffix(fileSuffix);
[44896b5]	353	try {
	354	init(new FileInputStream(filename), ids);
	355	}
	356	catch (FileNotFoundException e) {
	357	throw new CertInvalidException("Bad filename", e);
	358	}
	359	}
[3797bbe]	360
	361	/**
	362	* Create a credential from an attribute cert in a file. Throws an
	363	* exception if the cert file can't be opened or if there's a format
	364	* problem with the cert. Note that catching
	365	* java.security.GeneralSecurityException catches most of the exceptions
	366	* this throws.
	367	* @param file the File to read
	368	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	369	* @throws CertInvalidException if the stream is unparsable
	370	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	371	* certificate
[44896b5]	372	* @throws BadSignatureException if the signature check fails
[3797bbe]	373	*/
[4d5f56d]	374	GENICredential(File file, Collection<Identity> ids)
[44896b5]	375	throws ABACException {
[d31242c]	376	super();
	377	setSuffix(fileSuffix);
[44896b5]	378	try {
	379	init(new FileInputStream(file), ids);
	380	}
	381	catch (FileNotFoundException e) {
	382	throw new CertInvalidException("Bad filename", e);
	383	}
[3797bbe]	384	}
	385
	386	/**
	387	* Create a credential from an InputStream. Throws an exception if the
	388	* stream can't be parsed or if there's a format problem with the cert.
	389	* Note that catching java.security.GeneralSecurityException catches most
	390	* of the exceptions this throws.
	391	* @param s the InputStream to read
	392	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	393	* @throws CertInvalidException if the stream is unparsable
	394	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	395	* certificate
[44896b5]	396	* @throws BadSignatureException if the signature check fails
[3797bbe]	397	*/
[4d5f56d]	398	GENICredential(InputStream s, Collection<Identity> ids)
[d31242c]	399	throws ABACException {
	400	super();
	401	setSuffix(fileSuffix);
	402	init(s, ids);
	403	}
[3797bbe]	404
[61f21c5]	405	/**
[c1736fe]	406	* Encode the abac credential's XML and set the validity. Overload this to
	407	* build a real credential.
[675770e]	408	* @param validity a long holding the number of seconds that the credential
	409	* is valid for.
[61f21c5]	410	* @return a Node, the place to attach signatures
[44896b5]	411	* @throws ABACException if any of the XML construction fails
[61f21c5]	412	*/
[c1736fe]	413	abstract protected Node make_rt0_content(long validity)
	414	throws ABACException;
[61f21c5]	415
[3797bbe]	416	/**
[675770e]	417	* Create a certificate from this credential issued by the given identity
	418	* valid for the given time (in seconds). This is the signed XML ABAC
	419	* credential.
[3797bbe]	420	* @param i the Identity that will issue the certificate
[675770e]	421	* @param validity a long holding the number of seconds that the credential
	422	* is valid for.
[44896b5]	423	* @throws ABACException if xml creation fails
	424	* @throws MissingIssuerException if the issuer is bad
	425	* @throws BadSignatureException if the signature creation fails
[3797bbe]	426	*/
[675770e]	427	public void make_cert(Identity i, long validity)
[44896b5]	428	throws ABACException {
[61f21c5]	429	X509Certificate cert = i.getCertificate();
	430	KeyPair kp = i.getKeyPair();
	431	PublicKey pubKey = null;
	432	PrivateKey privKey = null;
	433	if ( cert == null )
[44896b5]	434	throw new MissingIssuerException("No credential in identity?");
[61f21c5]	435	if ( kp == null )
[44896b5]	436	throw new MissingIssuerException("No keypair in identity?");
[61f21c5]	437
	438	pubKey = kp.getPublic();
	439	if ((privKey = kp.getPrivate()) == null )
[44896b5]	440	throw new MissingIssuerException("No private ket in identity");
[61f21c5]	441
	442	XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
	443	Reference ref = null;
	444	SignedInfo si = null;
	445	KeyInfoFactory kif = fac.getKeyInfoFactory();
[152673d]	446
	447	/* The <Object> doesn't say much, but shuts the compiler up about
	448	* unchecked references. The lists are polymorphyc and the signature
	449	* libs expect that, so <Object> is the best we can do.
	450	*/
	451	List<Object> x509Content = new ArrayList<Object>();
	452	List<Object> keyInfo = new ArrayList<Object>();
[61f21c5]	453	x509Content.add(cert.getSubjectX500Principal().getName());
	454	x509Content.add(cert);
	455	X509Data xd = kif.newX509Data(x509Content);
	456	KeyValue kv = null;
	457
[3797bbe]	458	try {
[61f21c5]	459	kv = kif.newKeyValue(pubKey);
	460	}
	461	catch (KeyException ke) {
[44896b5]	462	throw new ABACException("Unsupported key format " +
	463	ke.getMessage(), ke);
[61f21c5]	464	}
	465
	466	Collections.addAll(keyInfo, kv, xd);
	467
	468	KeyInfo ki = kif.newKeyInfo(keyInfo);
[675770e]	469	Node sig = make_rt0_content(validity);
[61f21c5]	470
	471	try {
	472	ref = fac.newReference("#ref0",
[3797bbe]	473	fac.newDigestMethod(DigestMethod.SHA1, null),
	474	Collections.singletonList(
	475	fac.newTransform(Transform.ENVELOPED,
	476	(TransformParameterSpec) null)),
	477	null, null);
	478
[61f21c5]	479	si = fac.newSignedInfo(
[797bebe]	480	fac.newCanonicalizationMethod(
	481	CanonicalizationMethod.INCLUSIVE,
[3797bbe]	482	(C14NMethodParameterSpec) null),
	483	fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
	484	Collections.singletonList(ref));
	485
[61f21c5]	486	DOMSignContext dsc = new DOMSignContext(privKey, sig);
[3797bbe]	487	XMLSignature signature = fac.newXMLSignature(si, ki);
	488	signature.sign(dsc);
	489	}
[61f21c5]	490	catch (Exception me) {
[44896b5]	491	throw new BadSignatureException(me.getMessage(), me);
[3797bbe]	492	}
	493
	494	}
	495
[675770e]	496	/**
	497	* Create a certificate from this credential issued by the given identity
	498	* valid for the default validity period. This is the signed XML ABAC
	499	* credential.
	500	* @param i the Identity that will issue the certificate
	501	* @throws ABACException if xml creation fails
	502	* @throws MissingIssuerException if the issuer is bad
	503	* @throws BadSignatureException if the signature creation fails
	504	*/
	505	public void make_cert(Identity i)
	506	throws ABACException {
	507	make_cert(i, defaultValidity);
	508	}
	509
[3797bbe]	510	/**
[c1736fe]	511	* Load the roles off the attribute cert. Overload it to make a real
	512	* credential.
[44896b5]	513	* @throws CertInvalidException if the certificate is badly formatted
[3797bbe]	514	*/
[c1736fe]	515	abstract protected void load_roles() throws CertInvalidException;
[3797bbe]	516	/**
	517	* Output the signed GENI ABAC certificate associated with this
	518	* Credential to the OutputStream.
	519	* @param s the OutputStream on which to write
	520	* @throws IOException if there is an error writing.
	521	*/
	522	public void write(OutputStream s) throws IOException {
	523	if ( doc == null )
	524	return;
	525	try {
	526	TransformerFactory tf = TransformerFactory.newInstance();
	527	Transformer t = tf.newTransformer();
	528	DOMSource source = new DOMSource(doc);
	529	StreamResult result = new StreamResult(s);
	530
	531	t.transform(source, result);
	532	s.flush();
	533	}
	534	catch (Exception e) {
[44896b5]	535	throw new IOException(e.getMessage(), e);
[3797bbe]	536	}
	537	}
	538	/**
	539	* Output the signed GENI ABAC certificate associated with this
[7b33c9b]	540	* Credential to the OutputStream.
	541	* @param fn a String, the file name on which to write
[3797bbe]	542	* @throws IOException if there is an error writing.
	543	*/
[461edba]	544	public void write(String fn) throws IOException {
[3797bbe]	545	write(new FileOutputStream(fn));
	546	}
	547
	548	/**
	549	* Return true if this Credential has a certificate associated. A jabac
	550	* extension.
	551	* @return true if this Credential has a certificate associated.
	552	*/
	553	public boolean hasCertificate() { return doc != null; }
	554
	555	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: