Context Navigation

source: java/net/deterlab/abac/GENICredential.java

Last change on this file was 461edba, checked in by Ted Faber <faber@…>, 10 years ago
Clean up javadoc for v8.
Property mode set to `100644`
File size: 18.5 KB

Line
1	package net.deterlab.abac;
2
3	import java.io.*;
4	import java.math.*;
5	import java.text.*;
6
7	import java.util.*;
8
9	import java.security.*;
10	import java.security.cert.*;
11
12	import javax.xml.parsers.*;
13	import javax.xml.transform.*;
14	import javax.xml.transform.dom.*;
15	import javax.xml.transform.stream.*;
16
17	import javax.xml.crypto.*;
18	import javax.xml.crypto.dsig.*;
19	import javax.xml.crypto.dsig.dom.*;
20	import javax.xml.crypto.dsig.keyinfo.*;
21	import javax.xml.crypto.dsig.spec.*;
22
23	import org.xml.sax.*;
24	import org.w3c.dom.*;
25
26	/**
27	* Abstract Base class from which GENI credentials are derived.
28	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
29	* @version 1.5
30	*/
31	public abstract class GENICredential extends Credential implements Comparable {
32	/** The signed XML representing this credential */
33	protected Document doc;
34	/** The GENI credential suffix */
35	private static final String fileSuffix = ".xml";
36
37	/**
38	* X509KeySelector implementation from
39	* http://www.outsourcingi.com/art-271-Programming-With-the-Java-XML-Digital-Signature-API.html
40	* .
41	*
42	* Straight ahead extraction of a key from an X509 cert, but it is their
43	* code and hard to improve on.
44	*/
45	static protected class X509KeySelector extends KeySelector {
46	public KeySelectorResult select(KeyInfo keyInfo,
47	KeySelector.Purpose purpose,
48	AlgorithmMethod method,
49	XMLCryptoContext context)
50	throws KeySelectorException {
51	Iterator ki = keyInfo.getContent().iterator();
52	while (ki.hasNext()) {
53	XMLStructure info = (XMLStructure) ki.next();
54	if (!(info instanceof X509Data))
55	continue;
56	X509Data x509Data = (X509Data) info;
57	Iterator xi = x509Data.getContent().iterator();
58	while (xi.hasNext()) {
59	Object o = xi.next();
60	if (!(o instanceof X509Certificate))
61	continue;
62	final PublicKey key = ((X509Certificate)o).getPublicKey();
63	// Make sure the algorithm is compatible
64	// with the method.
65	if (algEquals(method.getAlgorithm(), key.getAlgorithm())) {
66	return new KeySelectorResult() {
67	public Key getKey() { return key; }
68	};
69	}
70	}
71	}
72	throw new KeySelectorException("No key found!");
73	}
74
75	boolean algEquals(String algURI, String algName) {
76	if ((algName.equalsIgnoreCase("DSA") &&
77	algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) \|\|
78	(algName.equalsIgnoreCase("RSA") &&
79
80	algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1))) {
81	return true;
82	} else {
83	return false;
84	}
85	}
86	}
87
88	/**
89	* Create an empty Credential.
90	*/
91	public GENICredential() {
92	super();
93	doc = null;
94	setSuffix(fileSuffix);
95	}
96	/**
97	* Create a credential from a head and tail role. This credential has no
98	* underlying certificate, and cannot be exported or used in real proofs.
99	* make_cert can create a certificate for a credential initialized this
100	* way.
101	* @param head the Role at the head of the credential
102	* @param tail the Role at the tail of the credential
103	*/
104	public GENICredential(Role head, Role tail) {
105	super(head, tail);
106	doc = null;
107	setSuffix(fileSuffix);
108	}
109
110	/**
111	* Do the credential extraction from an input stream. This parses the
112	* certificate from the input stream and saves it. The contents must be
113	* validated and parsed later.
114	* @param stream the InputStream to read the certificate from.
115	* @return the parsed XML document
116	* @throws IOException if the stream is unparsable
117	*/
118	static protected Document read_certificate(InputStream stream)
119	throws IOException {
120	DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
121	DocumentBuilder db = null;
122	Document ldoc = null;
123
124	if ( dbf == null )
125	throw new IOException("Cannot get DocumentBuilderFactory!?");
126	try {
127	/* Note this setting is required to find the properly
128	* namespace-scoped signature block in the credential.
129	*/
130	dbf.setNamespaceAware(true);
131	if ( (db = dbf.newDocumentBuilder()) == null )
132	throw new IOException("Cannot get DocumentBuilder!?");
133	ldoc = db.parse(stream);
134	ldoc.normalizeDocument();
135	return ldoc;
136	}
137	catch (IllegalArgumentException ie) {
138	throw new IOException("null stream", ie);
139	}
140	catch (SAXException se) {
141	throw new IOException(se.getMessage(), se);
142	}
143	catch (Exception e) {
144	throw new IOException(e.getMessage(), e);
145	}
146
147	}
148
149	/**
150	* Walk the document and set all instances of an xml:id attribute to be ID
151	* attributes in terms of the java libraries. This is needed for the
152	* signature code to find signed subsections. The "xml:id" is treated as
153	* both a namespace free ID with a colon and as an "id" identifier in the
154	* "xml" namespace so we don't miss it.
155	* @param n the root of the document to mark
156	*/
157	static protected void setIDAttrs(Node n) {
158	if ( n.getNodeType() == Node.ELEMENT_NODE) {
159	Element e = (Element) n;
160	String id = e.getAttribute("xml:id");
161
162	if ( id != null && id.length() > 0 )
163	e.setIdAttribute("xml:id", true);
164
165	id = e.getAttributeNS("xml", "id");
166	if ( id != null && id.length() > 0 )
167	e.setIdAttributeNS("xml", "id", true);
168	}
169
170	for (Node nn = n.getFirstChild(); nn != null; nn = nn.getNextSibling())
171	setIDAttrs(nn);
172	}
173
174	/**
175	* Return the child of Node n that has the given name, if there is one.
176	* @param n a Node to search
177	* @param name the name to search for
178	* @return a Node with the name, may be null
179	*/
180	static protected Node getChildByName(Node n, String name) {
181	if (name == null ) return null;
182
183	for (Node nn = n.getFirstChild(); nn != null; nn = nn.getNextSibling())
184	if ( nn.getNodeType() == Node.ELEMENT_NODE &&
185	name.equals(nn.getNodeName())) return nn;
186	return null;
187	}
188
189	/**
190	* Find the X509Certificate in the Signature element and convert it to an
191	* ABAC identity. This assumes a KeyInfo in that section holding an
192	* X509Data section containing the certificate in an X509Certificate
193	* section. Any of that not being found will cause a failure. If the
194	* Identity cannot be created a Gignature exception is thrown.
195	* @param n a Node pointing to a Signature section
196	* @return an Identity constructed frm the X509 Certificate
197	* @throws MissingIssuerException if the Identity cannot be created from the
198	* certificate.
199	*/
200	static protected Identity getIdentity(Node n)
201	throws MissingIssuerException {
202	Identity rv = null;
203	Node nn = getChildByName(n, "KeyInfo");
204	String certStr = null;
205
206	if ( nn == null ) return null;
207	if ( ( nn = getChildByName(nn, "X509Data")) == null ) return null;
208	if ( ( nn = getChildByName(nn, "X509Certificate")) == null ) return null;
209	if ( ( certStr = nn.getTextContent()) == null ) return null;
210	try {
211	certStr = "-----BEGIN CERTIFICATE-----\n" +
212	certStr +
213	"\n-----END CERTIFICATE-----";
214	return new Identity(new StringReader(certStr));
215	}
216	catch (Exception e) {
217	throw new MissingIssuerException(e.getMessage(), e);
218	}
219	}
220
221	static protected Date getTime(Document d, String field)
222	throws ABACException {
223	Node root = null;
224	Node n = null;
225	SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssz");
226	Date date = null;
227	String dstr = null;
228
229	if ( (root = getChildByName(d, "signed-credential")) == null)
230	throw new CertInvalidException("No signed-credential element");
231	if ( (n = getChildByName(root, "credential")) == null )
232	throw new CertInvalidException("No credential element");
233	if ( (n = getChildByName(n, field)) == null )
234	throw new CertInvalidException("No " + field + " element");
235
236	if ( ( dstr = n.getTextContent()) == null )
237	throw new CertInvalidException("No expires content");
238
239	dstr = dstr.replace("Z", "GMT");
240	if ((date = df.parse(dstr, new ParsePosition(0))) == null)
241	throw new CertInvalidException("Cannot parse date: "+
242	n.getTextContent());
243
244	return date;
245	}
246
247	/**
248	* Initialize a credential from parsed certificate. Validiate it against
249	* the given identities and parse out the roles. Note that catching
250	* java.security.GeneralSecurityException catches most of the exceptions
251	* this throws.
252	* @param ids a Collection of Identities to use in validating the cert
253	* @throws CertInvalidException if the stream is unparsable
254	* @throws MissingIssuerException if none of the Identities can validate the
255	* certificate
256	* @throws BadSignatureException if the signature check fails
257	*/
258	protected void init(Collection<Identity> ids)
259	throws ABACException {
260
261	XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
262	NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS,
263	"Signature");
264	DOMValidateContext valContext = null;
265	XMLSignature signature = null;
266
267	try {
268
269	if (nl.getLength() == 0)
270	throw new CertInvalidException("Cannot find Signature element");
271
272	setIDAttrs(doc);
273	valContext = new DOMValidateContext(new X509KeySelector(),
274	nl.item(0));
275	if ( valContext == null )
276	throw new ABACException("No validation context!?");
277
278	signature = fac.unmarshalXMLSignature(valContext);
279	if (signature == null)
280	throw new BadSignatureException("Cannot unmarshal signature");
281
282	if (!signature.validate(valContext))
283	throw new BadSignatureException("bad signature");
284
285	m_expiration = getTime(doc, "expires");
286
287	if ( m_expiration.before(new Date()))
288	throw new CertInvalidException("Certificate Expired " +
289	m_expiration);
290
291	load_roles();
292
293	// Load the issuer identity from the credential. If the identity in
294	// the credential is invalid throw out the credential (the
295	// getIdentity call will throw an exception)
296	id = getIdentity(nl.item(0));
297
298	if ( !ids.contains(id) ) ids.add(id);
299
300	if (!id.getKeyID().equals(m_head.principal()))
301	throw new MissingIssuerException("Issuer ID and left hand " +
302	"side principal disagree");
303	}
304	catch (ABACException ae) {
305	throw ae;
306	}
307	catch (Exception e) {
308	throw new BadSignatureException(e.getMessage(), e);
309	}
310	}
311
312	/**
313	* Parse a credential from an InputStream and initialize the role from it.
314	* Combine read_credential(stream) and init(ids). Note that catching
315	* java.security.GeneralSecurityException catches most of the exceptions
316	* this throws.
317	* @param stream the InputStream to read the certificate from.
318	* @param ids a Collection of Identities to use in validating the cert
319	* @throws CertInvalidException if the stream is unparsable
320	* @throws MissingIssuerException if none of the Identities can validate the
321	* certificate
322	* @throws BadSignatureException if the signature check fails
323	*/
324	protected void init(InputStream stream, Collection<Identity> ids)
325	throws ABACException {
326	try {
327	doc = read_certificate(stream);
328	}
329	catch (IOException e) {
330	throw new CertInvalidException("Cannot parse cert", e);
331	}
332	if (doc == null) throw new CertInvalidException("Unknown Format");
333	init(ids);
334	}
335
336	/**
337	* Create a credential from an attribute cert in a file. Throws an
338	* exception if the cert file can't be opened or if there's a format
339	* problem with the cert. Note that catching
340	* java.security.GeneralSecurityException catches most of the exceptions
341	* this throws.
342	* @param filename a String containing the filename to read
343	* @param ids a Collection of Identities to use in validating the cert
344	* @throws CertInvalidException if the stream is unparsable
345	* @throws MissingIssuerException if none of the Identities can validate the
346	* certificate
347	* @throws BadSignatureException if the signature check fails
348	*/
349	GENICredential(String filename, Collection<Identity> ids)
350	throws ABACException {
351	super();
352	setSuffix(fileSuffix);
353	try {
354	init(new FileInputStream(filename), ids);
355	}
356	catch (FileNotFoundException e) {
357	throw new CertInvalidException("Bad filename", e);
358	}
359	}
360
361	/**
362	* Create a credential from an attribute cert in a file. Throws an
363	* exception if the cert file can't be opened or if there's a format
364	* problem with the cert. Note that catching
365	* java.security.GeneralSecurityException catches most of the exceptions
366	* this throws.
367	* @param file the File to read
368	* @param ids a Collection of Identities to use in validating the cert
369	* @throws CertInvalidException if the stream is unparsable
370	* @throws MissingIssuerException if none of the Identities can validate the
371	* certificate
372	* @throws BadSignatureException if the signature check fails
373	*/
374	GENICredential(File file, Collection<Identity> ids)
375	throws ABACException {
376	super();
377	setSuffix(fileSuffix);
378	try {
379	init(new FileInputStream(file), ids);
380	}
381	catch (FileNotFoundException e) {
382	throw new CertInvalidException("Bad filename", e);
383	}
384	}
385
386	/**
387	* Create a credential from an InputStream. Throws an exception if the
388	* stream can't be parsed or if there's a format problem with the cert.
389	* Note that catching java.security.GeneralSecurityException catches most
390	* of the exceptions this throws.
391	* @param s the InputStream to read
392	* @param ids a Collection of Identities to use in validating the cert
393	* @throws CertInvalidException if the stream is unparsable
394	* @throws MissingIssuerException if none of the Identities can validate the
395	* certificate
396	* @throws BadSignatureException if the signature check fails
397	*/
398	GENICredential(InputStream s, Collection<Identity> ids)
399	throws ABACException {
400	super();
401	setSuffix(fileSuffix);
402	init(s, ids);
403	}
404
405	/**
406	* Encode the abac credential's XML and set the validity. Overload this to
407	* build a real credential.
408	* @param validity a long holding the number of seconds that the credential
409	* is valid for.
410	* @return a Node, the place to attach signatures
411	* @throws ABACException if any of the XML construction fails
412	*/
413	abstract protected Node make_rt0_content(long validity)
414	throws ABACException;
415
416	/**
417	* Create a certificate from this credential issued by the given identity
418	* valid for the given time (in seconds). This is the signed XML ABAC
419	* credential.
420	* @param i the Identity that will issue the certificate
421	* @param validity a long holding the number of seconds that the credential
422	* is valid for.
423	* @throws ABACException if xml creation fails
424	* @throws MissingIssuerException if the issuer is bad
425	* @throws BadSignatureException if the signature creation fails
426	*/
427	public void make_cert(Identity i, long validity)
428	throws ABACException {
429	X509Certificate cert = i.getCertificate();
430	KeyPair kp = i.getKeyPair();
431	PublicKey pubKey = null;
432	PrivateKey privKey = null;
433	if ( cert == null )
434	throw new MissingIssuerException("No credential in identity?");
435	if ( kp == null )
436	throw new MissingIssuerException("No keypair in identity?");
437
438	pubKey = kp.getPublic();
439	if ((privKey = kp.getPrivate()) == null )
440	throw new MissingIssuerException("No private ket in identity");
441
442	XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
443	Reference ref = null;
444	SignedInfo si = null;
445	KeyInfoFactory kif = fac.getKeyInfoFactory();
446
447	/* The <Object> doesn't say much, but shuts the compiler up about
448	* unchecked references. The lists are polymorphyc and the signature
449	* libs expect that, so <Object> is the best we can do.
450	*/
451	List<Object> x509Content = new ArrayList<Object>();
452	List<Object> keyInfo = new ArrayList<Object>();
453	x509Content.add(cert.getSubjectX500Principal().getName());
454	x509Content.add(cert);
455	X509Data xd = kif.newX509Data(x509Content);
456	KeyValue kv = null;
457
458	try {
459	kv = kif.newKeyValue(pubKey);
460	}
461	catch (KeyException ke) {
462	throw new ABACException("Unsupported key format " +
463	ke.getMessage(), ke);
464	}
465
466	Collections.addAll(keyInfo, kv, xd);
467
468	KeyInfo ki = kif.newKeyInfo(keyInfo);
469	Node sig = make_rt0_content(validity);
470
471	try {
472	ref = fac.newReference("#ref0",
473	fac.newDigestMethod(DigestMethod.SHA1, null),
474	Collections.singletonList(
475	fac.newTransform(Transform.ENVELOPED,
476	(TransformParameterSpec) null)),
477	null, null);
478
479	si = fac.newSignedInfo(
480	fac.newCanonicalizationMethod(
481	CanonicalizationMethod.INCLUSIVE,
482	(C14NMethodParameterSpec) null),
483	fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
484	Collections.singletonList(ref));
485
486	DOMSignContext dsc = new DOMSignContext(privKey, sig);
487	XMLSignature signature = fac.newXMLSignature(si, ki);
488	signature.sign(dsc);
489	}
490	catch (Exception me) {
491	throw new BadSignatureException(me.getMessage(), me);
492	}
493
494	}
495
496	/**
497	* Create a certificate from this credential issued by the given identity
498	* valid for the default validity period. This is the signed XML ABAC
499	* credential.
500	* @param i the Identity that will issue the certificate
501	* @throws ABACException if xml creation fails
502	* @throws MissingIssuerException if the issuer is bad
503	* @throws BadSignatureException if the signature creation fails
504	*/
505	public void make_cert(Identity i)
506	throws ABACException {
507	make_cert(i, defaultValidity);
508	}
509
510	/**
511	* Load the roles off the attribute cert. Overload it to make a real
512	* credential.
513	* @throws CertInvalidException if the certificate is badly formatted
514	*/
515	abstract protected void load_roles() throws CertInvalidException;
516	/**
517	* Output the signed GENI ABAC certificate associated with this
518	* Credential to the OutputStream.
519	* @param s the OutputStream on which to write
520	* @throws IOException if there is an error writing.
521	*/
522	public void write(OutputStream s) throws IOException {
523	if ( doc == null )
524	return;
525	try {
526	TransformerFactory tf = TransformerFactory.newInstance();
527	Transformer t = tf.newTransformer();
528	DOMSource source = new DOMSource(doc);
529	StreamResult result = new StreamResult(s);
530
531	t.transform(source, result);
532	s.flush();
533	}
534	catch (Exception e) {
535	throw new IOException(e.getMessage(), e);
536	}
537	}
538	/**
539	* Output the signed GENI ABAC certificate associated with this
540	* Credential to the OutputStream.
541	* @param fn a String, the file name on which to write
542	* @throws IOException if there is an error writing.
543	*/
544	public void write(String fn) throws IOException {
545	write(new FileOutputStream(fn));
546	}
547
548	/**
549	* Return true if this Credential has a certificate associated. A jabac
550	* extension.
551	* @return true if this Credential has a certificate associated.
552	*/
553	public boolean hasCertificate() { return doc != null; }
554
555	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: