source: java/net/deterlab/abac/GENICredential.java @ 3a83fda

abac0-leakabac0-meimei-idmei-rt0-ntvf-new-xml
Last change on this file since 3a83fda was d31242c, checked in by Ted Faber <faber@…>, 12 years ago

Add suffix

  • Property mode set to 100644
File size: 22.1 KB
Line 
1package net.deterlab.abac;
2
3import java.io.*;
4import java.math.*;
5import java.text.*;
6
7import java.util.*;
8
9import java.security.*;
10import java.security.cert.*;
11
12import javax.xml.parsers.*;
13import javax.xml.transform.*;
14import javax.xml.transform.dom.*;
15import javax.xml.transform.stream.*;
16
17import javax.xml.crypto.*;
18import javax.xml.crypto.dsig.*;
19import javax.xml.crypto.dsig.dom.*;
20import javax.xml.crypto.dsig.keyinfo.*;
21import javax.xml.crypto.dsig.spec.*;
22
23import org.xml.sax.*;
24import org.w3c.dom.*;
25
26/**
27 * An ABAC credential formatted as an abac-type GENI credential.
28 * @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
29 * @version 1.4
30 */
31public class GENICredential extends Credential implements Comparable {
32    /** The signed XML representing this credential */
33    protected Document doc;
34    /** The GENI credential suffix */
35    private static final String fileSuffix = ".xml";
36
37    /**
38     * X509KeySelector implementation from
39     * http://www.outsourcingi.com/art-271-Programming-With-the-Java-XML-Digital-Signature-API.html
40     * .
41     *
42     * Straight ahead extraction of a key from an X509 cert, but it is their
43     * code and hard to improve on.
44     */
45    static protected class X509KeySelector extends KeySelector {
46        public KeySelectorResult select(KeyInfo keyInfo,
47                                        KeySelector.Purpose purpose,
48                                        AlgorithmMethod method,
49                                        XMLCryptoContext context)
50            throws KeySelectorException {
51            Iterator ki = keyInfo.getContent().iterator();
52            while (ki.hasNext()) {
53                XMLStructure info = (XMLStructure) ki.next();
54                if (!(info instanceof X509Data))
55                    continue;
56                X509Data x509Data = (X509Data) info;
57                Iterator xi = x509Data.getContent().iterator();
58                while (xi.hasNext()) {
59                    Object o = xi.next();
60                    if (!(o instanceof X509Certificate))
61                        continue;
62                    final PublicKey key = ((X509Certificate)o).getPublicKey();
63                    // Make sure the algorithm is compatible
64                    // with the method.
65                    if (algEquals(method.getAlgorithm(), key.getAlgorithm())) {
66                        return new KeySelectorResult() {
67                            public Key getKey() { return key; }
68                        };
69                    }
70                }
71            }
72            throw new KeySelectorException("No key found!");
73        }
74
75        boolean algEquals(String algURI, String algName) {
76            if ((algName.equalsIgnoreCase("DSA") &&
77                algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) ||
78                (algName.equalsIgnoreCase("RSA") &&
79
80                algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1))) {
81                return true;
82            } else {
83                return false;
84            }
85        }
86    }
87
88    /**
89     * Create an empty Credential.
90     */
91    public GENICredential() {
92        super();
93        doc = null;
94        setSuffix(fileSuffix);
95    }
96    /**
97     * Create a credential from a head and tail role.  This credential has no
98     * underlying certificate, and cannot be exported or used in real proofs.
99     * make_cert can create a certificate for a credential initialized this
100     * way.
101     * @param head the Role at the head of the credential
102     * @param tail the Role at the tail of the credential
103     */
104    public GENICredential(Role head, Role tail) {
105        super(head, tail);
106        doc = null; 
107        setSuffix(fileSuffix);
108    }
109
110    /**
111     * Do the credential extraction from an input stream.  This parses the
112     * certificate from the input stream and saves it. The contents must be
113     * validated and parsed later.
114     * @param stream the InputStream to read the certificate from.
115     * @return the parsed XML document
116     * @throws IOException if the stream is unparsable
117     */
118    static protected Document read_certificate(InputStream stream) 
119            throws IOException {
120        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
121        DocumentBuilder db = null;
122        Document ldoc = null;
123
124        if ( dbf == null ) 
125            throw new IOException("Cannot get DocumentBuilderFactory!?");
126        try {
127            /* Note this setting is required to find the properly
128             * namespace-scoped signature block in the credential.
129             */
130            dbf.setNamespaceAware(true);
131            if ( (db = dbf.newDocumentBuilder()) == null ) 
132                throw new IOException("Cannot get DocumentBuilder!?");
133            ldoc = db.parse(stream);
134            ldoc.normalizeDocument();
135            return ldoc;
136        }
137        catch (IllegalArgumentException ie) {
138            throw new IOException("null stream", ie);
139        }
140        catch (SAXException se) {
141            throw new IOException(se.getMessage(), se);
142        }
143        catch (Exception e) {
144            throw new IOException(e.getMessage(), e);
145        }
146
147    }
148
149    /**
150     * Walk the document and set all instances of an xml:id attribute to be ID
151     * attributes in terms of the java libraries.  This is needed for the
152     * signature code to find signed subsections.  The "xml:id" is treated as
153     * both a namespace free ID with a colon and as an "id" identifier in the
154     * "xml" namespace so we don't miss it.
155     * @param n the root of the document to mark
156     */
157    static protected void setIDAttrs(Node n) {
158        if ( n.getNodeType() == Node.ELEMENT_NODE) {
159            Element e = (Element) n;
160            String id = e.getAttribute("xml:id");
161
162            if ( id != null && id.length() > 0 )
163                e.setIdAttribute("xml:id", true);
164
165            id = e.getAttributeNS("xml", "id");
166            if ( id != null && id.length() > 0 )
167                e.setIdAttributeNS("xml", "id", true);
168        }
169
170        for (Node nn = n.getFirstChild(); nn != null; nn = nn.getNextSibling())
171            setIDAttrs(nn);
172    }
173
174    /**
175     * Return the child of Node n  that has the given name, if there is one.
176     * @param n a Node to search
177     * @param name the name to search for
178     * @return a Node with the name, may be null
179     */
180    static protected Node getChildByName(Node n, String name) {
181        if (name == null ) return null;
182
183        for (Node nn = n.getFirstChild(); nn != null; nn = nn.getNextSibling())
184            if ( nn.getNodeType() == Node.ELEMENT_NODE && 
185                    name.equals(nn.getNodeName())) return nn;
186        return null;
187    }
188
189    /**
190     * Find the X509Certificate in the Signature element and convert it to an
191     * ABAC identity.  This assumes a KeyInfo in that section holding an
192     * X509Data section containing the certificate in an X509Certificate
193     * section.  Any of that not being found will cause a failure.  If the
194     * Identity cannot be created a Gignature exception is thrown.
195     * @param n a Node pointing to a Signature section
196     * @return an Identity constructed frm the X509 Certificate
197     * @throws MissingIssuerException if the Identity cannot be created from the
198     * certificate.
199     */
200    static protected Identity getIdentity(Node n) 
201        throws MissingIssuerException {
202        Identity rv = null;
203        Node nn = getChildByName(n, "KeyInfo");
204        String certStr = null;
205
206        if ( nn == null ) return null;
207        if ( ( nn = getChildByName(nn, "X509Data")) == null ) return null;
208        if ( ( nn = getChildByName(nn, "X509Certificate")) == null ) return null;
209        if ( ( certStr = nn.getTextContent()) == null ) return null;
210        try {
211            certStr = "-----BEGIN CERTIFICATE-----\n" + 
212                certStr + 
213                "\n-----END CERTIFICATE-----";
214            return new Identity(new StringReader(certStr));
215        } 
216        catch (Exception e) {
217            throw new MissingIssuerException(e.getMessage(), e);
218        }
219    }
220
221    static protected Date getTime(Document d, String field) 
222            throws ABACException {
223        Node root = null;
224        Node n = null;
225        SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssz");
226        Date date = null;
227        String dstr = null;
228
229        if ( (root = getChildByName(d, "signed-credential")) == null)
230            throw new CertInvalidException("No signed-credential element");
231        if ( (n = getChildByName(root, "credential")) == null )
232            throw new CertInvalidException("No credential element");
233        if ( (n = getChildByName(n, field)) == null )
234            throw new CertInvalidException("No " + field + " element");
235
236        if ( ( dstr = n.getTextContent()) == null ) 
237            throw new CertInvalidException("No expires content");
238
239        dstr = dstr.replace("Z", "GMT");
240        if ((date = df.parse(dstr, new ParsePosition(0))) == null)
241            throw new CertInvalidException("Cannot parse date: "+
242                    n.getTextContent());
243
244        return date;
245    }
246
247    /**
248     * Initialize a credential from parsed certificate.  Validiate it against
249     * the given identities and parse out the roles.  Note that catching
250     * java.security.GeneralSecurityException catches most of the exceptions
251     * this throws.
252     * @param ids a Collection of Identities to use in validating the cert
253     * @throws CertInvalidException if the stream is unparsable
254     * @throws MissingIssuerException if none of the Identities can validate the
255     *                              certificate
256     * @throws BadSignatureException if the signature check fails
257     */
258    protected void init(Collection<Identity> ids) 
259            throws ABACException {
260
261        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
262        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, 
263                "Signature");
264        DOMValidateContext valContext = null;
265        XMLSignature signature = null;
266
267        try {
268
269            if (nl.getLength() == 0) 
270                throw new CertInvalidException("Cannot find Signature element");
271
272            setIDAttrs(doc);
273            valContext = new DOMValidateContext(new X509KeySelector(),
274                    nl.item(0));
275            if ( valContext == null )
276                throw new ABACException("No validation context!?");
277
278            signature = fac.unmarshalXMLSignature(valContext);
279            if (signature == null) 
280                throw new BadSignatureException("Cannot unmarshal signature");
281
282            if (!signature.validate(valContext))
283                throw new BadSignatureException("bad signature");
284
285            m_expiration = getTime(doc, "expires");
286
287            if ( m_expiration.before(new Date()))
288                throw new CertInvalidException("Certificate Expired " + 
289                        m_expiration);
290
291            load_roles();
292
293            id = getIdentity(nl.item(0));
294
295            if ( !ids.contains(id) ) ids.add(id);
296
297            if (!id.getKeyID().equals(m_head.principal()))
298                throw new MissingIssuerException("Issuer ID and left hand " +
299                        "side principal disagree");
300        }
301        catch (ABACException ae) {
302            throw ae;
303        }
304        catch (Exception e) {
305            throw new BadSignatureException(e.getMessage(), e);
306        }
307    }
308
309    /**
310     * Parse a credential from an InputStream and initialize the role from it.
311     * Combine read_credential(stream) and init(ids).  Note that catching
312     * java.security.GeneralSecurityException catches most of the exceptions
313     * this throws.
314     * @param stream the InputStream to read the certificate from.
315     * @param ids a Collection of Identities to use in validating the cert
316     * @throws CertInvalidException if the stream is unparsable
317     * @throws MissingIssuerException if none of the Identities can validate the
318     *                              certificate
319     * @throws BadSignatureException if the signature check fails
320     */
321    protected void init(InputStream stream, Collection<Identity> ids) 
322            throws ABACException {
323         try {
324            doc = read_certificate(stream);
325         }
326         catch (IOException e) {
327             throw new CertInvalidException("Cannot parse cert", e);
328         }
329        if (doc == null) throw new CertInvalidException("Unknown Format");
330        init(ids);
331    }
332
333    /**
334     * Create a credential from an attribute cert in a file. Throws an
335     * exception if the cert file can't be opened or if there's a format
336     * problem with the cert.  Note that catching
337     * java.security.GeneralSecurityException catches most of the exceptions
338     * this throws.
339     * @param filename a String containing the filename to read
340     * @param ids a Collection of Identities to use in validating the cert
341     * @throws CertInvalidException if the stream is unparsable
342     * @throws MissingIssuerException if none of the Identities can validate the
343     *                              certificate
344     * @throws BadSignatureException if the signature check fails
345     */
346    GENICredential(String filename, Collection<Identity> ids) 
347        throws ABACException { 
348        super();
349        setSuffix(fileSuffix);
350        try {
351            init(new FileInputStream(filename), ids);
352        }
353        catch (FileNotFoundException e) {
354            throw new CertInvalidException("Bad filename", e);
355        }
356    }
357
358    /**
359     * Create a credential from an attribute cert in a file. Throws an
360     * exception if the cert file can't be opened or if there's a format
361     * problem with the cert.  Note that catching
362     * java.security.GeneralSecurityException catches most of the exceptions
363     * this throws.
364     * @param file the File to read
365     * @param ids a Collection of Identities to use in validating the cert
366     * @throws CertInvalidException if the stream is unparsable
367     * @throws MissingIssuerException if none of the Identities can validate the
368     *                              certificate
369     * @throws BadSignatureException if the signature check fails
370     */
371    GENICredential(File file, Collection<Identity> ids) 
372            throws ABACException {
373        super();
374        setSuffix(fileSuffix);
375        try {
376            init(new FileInputStream(file), ids);
377        }
378        catch (FileNotFoundException e) {
379            throw new CertInvalidException("Bad filename", e);
380        }
381    }
382
383    /**
384     * Create a credential from an InputStream.  Throws an exception if the
385     * stream can't be parsed or if there's a format problem with the cert.
386     * Note that catching java.security.GeneralSecurityException catches most
387     * of the exceptions this throws.
388     * @param s the InputStream to read
389     * @param ids a Collection of Identities to use in validating the cert
390     * @throws CertInvalidException if the stream is unparsable
391     * @throws MissingIssuerException if none of the Identities can validate the
392     *                              certificate
393     * @throws BadSignatureException if the signature check fails
394     */
395    GENICredential(InputStream s, Collection<Identity> ids) 
396            throws ABACException { 
397        super();
398        setSuffix(fileSuffix);
399        init(s, ids);
400    }
401
402    /**
403     * Encode the abac credential's XML and set the validity.  This is straight
404     * line code that directly builds the credential.
405     * @param validity a long holding the number of seconds that the credential
406     * is valid for.
407     * @return a Node, the place to attach signatures
408     * @throws ABACException if any of the XML construction fails
409     */
410    protected Node make_rt0_content(long validity) throws ABACException {
411        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
412        DocumentBuilder db = null;
413        SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
414        StringBuffer expBuf = new StringBuffer();
415
416        /* This is a weirdness to cope with the GENI format.  They have a naked
417         * xml:id specifier without any namespace declarations in the
418         * credential.  Notice that this is the opposite of the setting used in
419         * init to read a credential. */
420        dbf.setNamespaceAware(false);
421
422        if ( dbf == null ) 
423            throw new ABACException("Cannot get DocumentBuilderFactory!?");
424
425        try {
426            db = dbf.newDocumentBuilder();
427        }
428        catch (ParserConfigurationException pe) {
429            throw new ABACException("Cannot get DocumentBuilder!?" + 
430                    pe.getMessage(), pe);
431        }
432
433        doc = db.newDocument();
434        if ( doc == null ) 
435            throw new ABACException("No Document");
436
437        Element root = doc.createElement("signed-credential"); 
438        Element cred = doc.createElement("credential");
439        Element sig = doc.createElement("signatures");
440        Element e = doc.createElement("type");
441        Node text = doc.createTextNode("abac");
442
443        doc.appendChild(root);
444
445        cred.setAttribute("xml:id", "ref0");
446        /* So that the signing code can find the section to sign */
447        cred.setIdAttribute("xml:id", true);
448
449        root.appendChild(cred);
450        e.appendChild(text);
451        cred.appendChild(e);
452
453        m_expiration = new Date(System.currentTimeMillis() + 
454                (1000L * validity ));
455        df.setTimeZone(new SimpleTimeZone(0, "Z"));
456        df.format(m_expiration, expBuf, new FieldPosition(0));
457        e = doc.createElement("expires");
458        text = doc.createTextNode(expBuf.toString());
459        e.appendChild(text);
460        cred.appendChild(e);
461
462        e = doc.createElement("version");
463        text = doc.createTextNode("1.0");
464        e.appendChild(text);
465        cred.appendChild(e);
466
467        e = doc.createElement("rt0");
468        text = doc.createTextNode(m_head + "<-" + m_tail);
469        e.appendChild(text);
470        cred.appendChild(e);
471
472        root.appendChild(sig);
473        return sig;
474    }
475
476    /**
477     * Create a certificate from this credential issued by the given identity
478     * valid for the given time (in seconds).  This is the signed XML ABAC
479     * credential.
480     * @param i the Identity that will issue the certificate
481     * @param validity a long holding the number of seconds that the credential
482     * is valid for.
483     * @throws ABACException if xml creation fails
484     * @throws MissingIssuerException if the issuer is bad
485     * @throws BadSignatureException if the signature creation fails
486     */
487    public void make_cert(Identity i, long validity) 
488            throws ABACException {
489        X509Certificate cert = i.getCertificate();
490        KeyPair kp = i.getKeyPair();
491        PublicKey pubKey = null;
492        PrivateKey privKey = null;
493        if ( cert == null ) 
494            throw new MissingIssuerException("No credential in identity?");
495        if ( kp == null ) 
496            throw new MissingIssuerException("No keypair in identity?");
497
498        pubKey = kp.getPublic();
499        if ((privKey = kp.getPrivate()) == null ) 
500            throw new MissingIssuerException("No private ket in identity");
501
502        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
503        Reference ref = null;
504        SignedInfo si = null;
505        KeyInfoFactory kif = fac.getKeyInfoFactory();
506
507        /* The <Object> doesn't say much, but shuts the compiler up about
508         * unchecked references.  The lists are polymorphyc and the signature
509         * libs expect that, so <Object> is the best we can do.
510         */
511        List<Object> x509Content = new ArrayList<Object>();
512        List<Object> keyInfo = new ArrayList<Object>();
513        x509Content.add(cert.getSubjectX500Principal().getName());
514        x509Content.add(cert);
515        X509Data xd = kif.newX509Data(x509Content);
516        KeyValue kv = null;
517
518        try {
519            kv = kif.newKeyValue(pubKey);
520        } 
521        catch (KeyException ke) {
522            throw new ABACException("Unsupported key format " + 
523                    ke.getMessage(), ke);
524        }
525
526        Collections.addAll(keyInfo, kv, xd);
527
528        KeyInfo ki = kif.newKeyInfo(keyInfo);
529        Node sig = make_rt0_content(validity);
530
531        try {
532            ref = fac.newReference("#ref0", 
533                    fac.newDigestMethod(DigestMethod.SHA1, null),
534                    Collections.singletonList(
535                        fac.newTransform(Transform.ENVELOPED, 
536                            (TransformParameterSpec) null)),
537                    null, null);
538
539            si = fac.newSignedInfo(
540                    fac.newCanonicalizationMethod(
541                        CanonicalizationMethod.INCLUSIVE,
542                        (C14NMethodParameterSpec) null),
543                    fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
544                    Collections.singletonList(ref));
545
546            DOMSignContext dsc = new DOMSignContext(privKey, sig);
547            XMLSignature signature = fac.newXMLSignature(si, ki);
548            signature.sign(dsc);
549        }
550        catch (Exception me) {
551            throw new BadSignatureException(me.getMessage(), me);
552        }
553
554    }
555
556    /**
557     * Create a certificate from this credential issued by the given identity
558     * valid for the default validity period.  This is the signed XML ABAC
559     * credential.
560     * @param i the Identity that will issue the certificate
561     * @throws ABACException if xml creation fails
562     * @throws MissingIssuerException if the issuer is bad
563     * @throws BadSignatureException if the signature creation fails
564     */
565    public void make_cert(Identity i) 
566            throws ABACException {
567        make_cert(i, defaultValidity);
568    }
569
570    /**
571     * Load the roles off the attribute cert.
572     * @throws CertInvalidException if the certificate is badly formatted
573     */
574    private void load_roles() throws CertInvalidException {
575        if ( doc == null ) 
576            throw new CertInvalidException("No credential");
577
578        NodeList nodes = doc.getElementsByTagName("type");
579        Node node = null;
580        String roles = null;
581
582        if (nodes == null || nodes.getLength() != 1) 
583            throw new CertInvalidException("More than one type element?");
584
585        node = nodes.item(0);
586        if ( node == null ) 
587            throw new CertInvalidException("bad rt0 element?");
588
589        if ( !"abac".equals(node.getTextContent()) ) 
590            throw new CertInvalidException("Not an abac type credential");
591
592        nodes = doc.getElementsByTagName("rt0");
593        if (nodes == null || nodes.getLength() != 1) 
594            throw new CertInvalidException("More than one rt0 element?");
595
596        node = nodes.item(0);
597
598        if ( node == null ) 
599            throw new CertInvalidException("bad rt0 element?");
600
601        if ( (roles = node.getTextContent()) == null ) 
602            throw new CertInvalidException("bad rt0 element (no text)?");
603
604        String[] parts = roles.split("\\s*<--?\\s*");
605        if (parts.length != 2)
606            throw new CertInvalidException("Invalid attribute: " + roles);
607
608        m_head = new Role(parts[0]);
609        m_tail = new Role(parts[1]);
610    }
611
612    /**
613     * Output the signed GENI ABAC certificate associated with this
614     * Credential to the OutputStream.
615     * @param s the OutputStream on which to write
616     * @throws IOException if there is an error writing.
617     */
618    public void write(OutputStream s) throws IOException {
619        if ( doc == null ) 
620            return;
621        try {
622            TransformerFactory tf = TransformerFactory.newInstance();
623            Transformer t = tf.newTransformer();
624            DOMSource source = new DOMSource(doc);
625            StreamResult result = new StreamResult(s);
626
627            t.transform(source, result);
628            s.flush();
629        } 
630        catch (Exception e) {
631            throw new IOException(e.getMessage(), e);
632        }
633    }
634    /**
635     * Output the signed GENI ABAC certificate associated with this
636     * Credential to the OutputStream.
637     * @param fn a String, the file name on which to write
638     * @throws IOException if there is an error writing.
639     * @throws FileNotFoundExeption if the file path is bogus
640     */
641    public void write(String fn) throws IOException, FileNotFoundException {
642        write(new FileOutputStream(fn));
643    }
644
645    /**
646     * Return true if this Credential has a certificate associated.  A jabac
647     * extension.
648     * @return true if this Credential has a certificate associated.
649     */
650    public boolean hasCertificate() { return doc != null; }
651
652    /**
653     * Return a CredentialCredentialFactorySpecialization for GENICredentials.
654     * Used by the CredentialFactory to parse and generate these kind of
655     * credentials.  It basically wraps constuctor calls.
656     * @return a CredentialFactorySpecialization for this kind of credential.
657     */
658    static public CredentialFactorySpecialization
659            getCredentialFactorySpecialization() {
660        return new CredentialFactorySpecialization() {
661            public Credential[] parseCredential(InputStream is, 
662                    Collection<Identity> ids) throws ABACException {
663                return new Credential[] { new GENICredential(is, ids) }; 
664            }
665            public Credential generateCredential(Role head, Role tail) {
666                return new GENICredential(head, tail);
667            }
668        };
669    }
670}
Note: See TracBrowser for help on using the repository browser.