Context Navigation

source: java/net/deterlab/abac/GENICredential.java @ 3797bbe

abac0-leakabac0-meimei-idmei-rt0-nmei_rt0tvf-new-xml

Last change on this file since 3797bbe was 3797bbe, checked in by Ted Faber <faber@…>, 11 years ago
checkpoint
Property mode set to `100644`
File size: 19.3 KB

Line
1	package net.deterlab.abac;
2
3	import java.io.*;
4	import java.math.*;
5	import java.text.*;
6
7	import java.util.*;
8	import java.security.*;
9	import java.security.cert.*;
10
11	import javax.security.auth.x500.*;
12
13	import javax.xml.parsers.*;
14	import javax.xml.transform.*;
15	import javax.xml.transform.dom.*;
16	import javax.xml.transform.stream.*;
17
18	import javax.xml.crypto.*;
19	import javax.xml.crypto.dsig.*;
20	import javax.xml.crypto.dsig.dom.*;
21	import javax.xml.crypto.dsig.keyinfo.*;
22	import javax.xml.crypto.dsig.spec.*;
23
24	import org.xml.sax.*;
25	import org.w3c.dom.*;
26
27	import org.bouncycastle.asn1.*;
28	import org.bouncycastle.asn1.x509.*;
29	import org.bouncycastle.x509.*;
30	import org.bouncycastle.x509.util.*;
31	import org.bouncycastle.openssl.*;
32
33	/**
34	* An ABAC credential, with or without an underlying certificate that
35	* represents it. These are edges in proof garphs and can be constructed from
36	* their constituent Roles.
37	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
38	* @version 1.3
39	*/
40	public class GENICredential extends Credential implements Comparable {
41	/** The role at the head */
42	protected Role m_head
43	/** The role at the tail */;
44	protected Role m_tail;
45	/** The signed XML representing this credential */
46	protected Document doc;
47	/** The identity that issued the certificate */
48	protected Identity id;
49
50	/**
51	* Create an empty Credential.
52	*/
53	public GENICredential() {
54	m_head = m_tail = null;
55	doc = null;
56	id = null;
57	}
58	/**
59	* Create a credential from a head and tail role. This credential has no
60	* underlying certificate, and cannot be exported or used in real proofs.
61	* make_cert can create a certificate for a credential initialized this
62	* way.
63	* @param head the Role at the head of the credential
64	* @param tail the Role at the tail of the credential
65	*/
66	public GENICredential(Role head, Role tail) {
67	m_head = head;
68	m_tail = tail;
69	doc = null;
70	id = null;
71	}
72
73	/**
74	* Do the credential extraction from an input stream. This parses the
75	* certificate from the input stream and saves it. The contents must be
76	* validated and parsed later.
77	* @param stream the InputStream to read the certificate from.
78	* @throws IOException if the stream is unparsable
79	*/
80	protected void read_certificate(InputStream stream)
81	throws IOException {
82	DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
83	DocumentBuilder db = null;
84
85	if ( dbf == null )
86	throw new IOException("Cannot get DocumentBuilderFactory!?");
87	try {
88	if ( (db = dbf.newDocumentBuilder()) == null )
89	throw new IOException("Cannot get DocumentBuilder!?");
90	doc = db.parse(stream);
91	}
92	catch (IllegalArgumentException ie) {
93	throw new IOException("null stream");
94	}
95	catch (SAXException se) {
96	throw new IOException(se.getMessage());
97	}
98	catch (Exception e) {
99	throw new IOException(e.getMessage());
100	}
101
102	}
103
104	/**
105	* Initialize a credential from parsed certificate. Validiate it against
106	* the given identities and parse out the roles. Note that catching
107	* java.security.GeneralSecurityException catches most of the exceptions
108	* this throws.
109	* @param ids a Collection of Identities to use in validating the cert
110	* @throws CertificateException if the certificate is badly formatted
111	* @throws InvalidKeyException if none of the Identities can validate the
112	* certificate
113	* @throws NoSuchAlgorithmException if the credential uses an unknown
114	* signature algorithm
115	* @throws NoSuchProviderException if the provider of the signature
116	* algorithm is unavailable
117	* @throws SignatureException if the signature check fails
118	*/
119	protected void init(Collection<Identity> ids)
120	throws CertificateException, InvalidKeyException,
121	NoSuchAlgorithmException, NoSuchProviderException,
122	SignatureException {
123
124	XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
125	NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS,
126	"Signature");
127	DOMValidateContext valContext = null;
128	XMLSignature signature = null;
129	boolean isValid = false;
130
131	try {
132
133	if (nl.getLength() == 0)
134	throw new SignatureException("Cannot find Signature element");
135
136	// XXX: need a javax.xml.crypto.KeySelector we'll probably have to
137	// parse the certificate in teh sig and use singletonKeySelector
138	valContext = new DOMValidateContext((KeySelector) null, nl.item(0));
139	if ( valContext == null )
140	throw new SignatureException("No context");
141
142	signature = fac.unmarshalXMLSignature(valContext);
143	if (signature == null)
144	throw new SignatureException("No sig");
145
146	if (!signature.validate(valContext))
147	throw new SignatureException("bag signature");
148
149	load_roles();
150
151	if (!id.getKeyID().equals(m_head.principal()))
152	throw new InvalidKeyException("Unknown identity");
153	}
154	catch (Exception e) {
155	throw new SignatureException(e.getMessage());
156	}
157	}
158
159	/**
160	* Parse a credential from an InputStream and initialize the role from it.
161	* Combine read_credential(stream) and init(ids). Note that catching
162	* java.security.GeneralSecurityException catches most of the exceptions
163	* this throws.
164	* @param stream the InputStream to read the certificate from.
165	* @param ids a Collection of Identities to use in validating the cert
166	* @throws CertificateException if the certificate is badly formatted
167	* @throws InvalidKeyException if none of the Identities can validate the
168	* certificate
169	* @throws NoSuchAlgorithmException if the credential uses an unknown
170	* signature algorithm
171	* @throws NoSuchProviderException if the provider of the signature
172	* algorithm is unavailable
173	* @throws SignatureException if the signature check fails
174	* @throws IOException if the certificate is unparsable.
175	*/
176	protected void init(InputStream stream, Collection<Identity> ids)
177	throws CertificateException, InvalidKeyException,
178	NoSuchAlgorithmException, NoSuchProviderException,
179	SignatureException, IOException {
180	read_certificate(stream);
181	if (doc == null) throw new IOException("Unknown Format");
182	init(ids);
183	}
184
185	/**
186	* Create a credential from an attribute cert in a file. Throws an
187	* exception if the cert file can't be opened or if there's a format
188	* problem with the cert. Note that catching
189	* java.security.GeneralSecurityException catches most of the exceptions
190	* this throws.
191	* @param filename a String containing the filename to read
192	* @param ids a Collection of Identities to use in validating the cert
193	* @throws StreamParsingException if the stream is unparsable
194	* @throws CertificateException if the certificate is badly formatted
195	* @throws InvalidKeyException if none of the Identities can validate the
196	* certificate
197	* @throws NoSuchAlgorithmException if the credential uses an unknown
198	* signature algorithm
199	* @throws NoSuchProviderException if the provider of the signature
200	* algorithm is unavailable
201	* @throws SignatureException if the signature check fails
202	* @throws IOException if the certificate is unparsable.
203	*/
204	public GENICredential(String filename, Collection<Identity> ids)
205	throws Exception { init(new FileInputStream(filename), ids); }
206
207	/**
208	* Create a credential from an attribute cert in a file. Throws an
209	* exception if the cert file can't be opened or if there's a format
210	* problem with the cert. Note that catching
211	* java.security.GeneralSecurityException catches most of the exceptions
212	* this throws.
213	* @param file the File to read
214	* @param ids a Collection of Identities to use in validating the cert
215	* @throws StreamParsingException if the stream is unparsable
216	* @throws CertificateException if the certificate is badly formatted
217	* @throws InvalidKeyException if none of the Identities can validate the
218	* certificate
219	* @throws NoSuchAlgorithmException if the credential uses an unknown
220	* signature algorithm
221	* @throws NoSuchProviderException if the provider of the signature
222	* algorithm is unavailable
223	* @throws SignatureException if the signature check fails
224	* @throws IOException if the certificate is unparsable.
225	*/
226	public GENICredential(File file, Collection<Identity> ids)
227	throws CertificateException, InvalidKeyException,
228	NoSuchAlgorithmException, NoSuchProviderException,
229	SignatureException, StreamParsingException, IOException {
230	init(new FileInputStream(file), ids);
231	}
232
233	/**
234	* Create a credential from an InputStream. Throws an exception if the
235	* stream can't be parsed or if there's a format problem with the cert.
236	* Note that catching java.security.GeneralSecurityException catches most
237	* of the exceptions this throws.
238	* @param s the InputStream to read
239	* @param ids a Collection of Identities to use in validating the cert
240	* @throws StreamParsingException if the stream is unparsable
241	* @throws CertificateException if the certificate is badly formatted
242	* @throws InvalidKeyException if none of the Identities can validate the
243	* certificate
244	* @throws NoSuchAlgorithmException if the credential uses an unknown
245	* signature algorithm
246	* @throws NoSuchProviderException if the provider of the signature
247	* algorithm is unavailable
248	* @throws SignatureException if the signature check fails
249	* @throws IOException if the certificate is unparsable.
250	*/
251	public GENICredential(InputStream s, Collection<Identity> ids)
252	throws CertificateException, InvalidKeyException,
253	NoSuchAlgorithmException, NoSuchProviderException,
254	SignatureException, StreamParsingException, IOException {
255	init(s, ids);
256	}
257
258	/**
259	* Create a certificate from this credential issued by the given identity.
260	* Note that catching java.security.GeneralSecurityException catches most
261	* of the exceptions this throws.
262	* @param i the Identity that will issue the certificate
263	* @throws IOException reading or writing problems
264	* @throws CertificateEncodingException Problem creating certificate
265	* @throws InvalidKeyException if none of the Identities can sign the
266	* certificate
267	* @throws NoSuchAlgorithmException if the credential uses an unknown
268	* signature algorithm
269	* @throws NoSuchProviderException if the provider of the signature
270	* algorithm is unavailable
271	* @throws SignatureException if the signature creation fails
272	*/
273	public void make_cert(Identity i)
274	throws IOException, CertificateEncodingException,
275	NoSuchProviderException, NoSuchAlgorithmException,
276	SignatureException, InvalidKeyException {
277	try {
278	SimpleDateFormat df = new SimpleDateFormat("yyy-MM-dd'T'HH:mm:ss'Z'");
279	StringBuffer expBuf = new StringBuffer();
280	X509Certificate cert = i.getCertificate();
281	KeyPair kp = i.getKeyPair();
282	if ( cert == null )
283	throw new IOException("No credential in identity?");
284	if ( kp == null )
285	throw new IOException("No keypair in identity?");
286
287	XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
288	Reference ref = fac.newReference("#ref0",
289	fac.newDigestMethod(DigestMethod.SHA1, null),
290	Collections.singletonList(
291	fac.newTransform(Transform.ENVELOPED,
292	(TransformParameterSpec) null)),
293	null, null);
294
295	SignedInfo si = fac.newSignedInfo(
296	fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
297	(C14NMethodParameterSpec) null),
298	fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
299	Collections.singletonList(ref));
300	KeyInfoFactory kif = fac.getKeyInfoFactory();
301	List x509Content = new ArrayList();
302	x509Content.add(cert.getSubjectX500Principal().getName());
303	x509Content.add(cert);
304	X509Data xd = kif.newX509Data(x509Content);
305	KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
306
307
308	DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
309	DocumentBuilder db = null;
310
311	if ( dbf == null )
312	throw new IOException("Cannot get DocumentBuilderFactory!?");
313	if ( (db = dbf.newDocumentBuilder()) == null )
314	throw new IOException("Cannot get DocumentBuilder!?");
315	doc = db.newDocument();
316	if ( doc == null )
317	throw new IOException("No Document");
318	Element root = doc.createElement("signed-credential");
319	doc.appendChild(root);
320	Element cred = doc.createElement("credential");
321	Element sig = doc.createElement("credential");
322	cred.setAttributeNS("xml", "id", "ref0");
323	root.appendChild(cred);
324	cred.appendChild(doc.createElement("type").appendChild(
325	doc.createTextNode("abac")));
326	df.format(new Date(System.currentTimeMillis()
327	+ (3600L * 1000L * 24L * 365L)), expBuf,
328	new FieldPosition(0));
329	cred.appendChild(doc.createElement("expires").appendChild(
330	doc.createTextNode(expBuf.toString())));
331	cred.appendChild(doc.createElement("version").appendChild(
332	doc.createTextNode("1.0")));
333	cred.appendChild(doc.createElement("rt0").appendChild(
334	doc.createTextNode(m_head + "<-" + m_tail)));
335	root.appendChild(sig);
336
337	DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), sig);
338	XMLSignature signature = fac.newXMLSignature(si, ki);
339	signature.sign(dsc);
340	}
341	catch (Exception e) {
342	throw new SignatureException(e.getMessage());
343	}
344
345	/*
346	PrivateKey key = i.getKeyPair().getPrivate();
347	SubjectPublicKeyInfo pki = Context.extractSubjectPublicKeyInfo(
348	i.getKeyPair().getPublic());
349	X509V2AttributeCertificateGenerator gen =
350	new X509V2AttributeCertificateGenerator();
351
352	gen.setIssuer(new AttributeCertificateIssuer(
353	new X500Principal("CN="+m_head.principal())));
354	gen.setHolder(new AttributeCertificateHolder(
355	new X500Principal("CN="+m_head.principal())));
356	gen.setNotAfter(new Date(System.currentTimeMillis()
357	+ (3600L * 1000L * 24L * 365L)));
358	gen.setNotBefore(new Date(System.currentTimeMillis()));
359	gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
360	gen.addAttribute(new X509Attribute(attrOID,
361	new DERSequence(
362	new DERSequence(
363	new DERUTF8String(toString())))));
364	gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
365
366	// Creddy expects an authority key identifier.
367	gen.addExtension(authKeyOID, false,
368	new AuthorityKeyIdentifier(pki));
369	// Create the cert.
370	ac = (X509V2AttributeCertificate) gen.generate(key, "BC");
371	id = i;
372	*/
373	}
374
375	/**
376	* Load the roles off the attribute cert. Throws a RuntimeException if
377	* there's something wrong with the cert.
378	*/
379	private void load_roles() {
380	if ( doc == null )
381	throw new RuntimeException("No credential");
382
383	String roles = null;
384	NodeList nodes = doc.getElementsByTagName("rt0");
385
386	if (nodes == null \|\| nodes.getLength() != 1)
387	throw new RuntimeException("More than one rt0 element?");
388
389	Node node = nodes.item(0);
390
391	if ( node == null )
392	throw new RuntimeException("bad rt0 element?");
393
394	if ( (roles = node.getTextContent()) == null )
395	throw new RuntimeException("bad rt0 element (no text)?");
396
397	String[] parts = roles.split("\\s<--?\\s");
398	if (parts.length != 2)
399	throw new RuntimeException("Invalid attribute: " + roles);
400
401	m_head = new Role(parts[0]);
402	m_tail = new Role(parts[1]);
403	}
404
405	/**
406	* Two credentials are the same if their roles are the same.
407	* @param o an Object to compare
408	* @return true if the Credentials have the Roles
409	*/
410	public boolean equals(Object o) {
411	if ( o instanceof Credential ) {
412	Credential c = (Credential) o;
413
414	if (m_head == null \|\| m_tail == null ) return false;
415	else return (m_head.equals(c.head()) && m_tail.equals(c.tail()));
416	}
417	else return false;
418	}
419
420	/**
421	* Allow credentials to be compared. They are ordered by their Roles, head
422	* then tail.
423	* @param o an Object to compare
424	* @return -1 if this Credential is before, 0 if they are the same, and 1
425	* if this Credential is after the given object.
426	*/
427	public int compareTo(Object o) {
428	if (o instanceof Credential) {
429	Credential c = (Credential) o;
430
431	if (head().equals(c.head())) return tail().compareTo(c.tail());
432	else return head().compareTo(c.head());
433	}
434	else return 1;
435	}
436
437
438	/**
439	* Get the head role from the credential.
440	* @return the Role in the head
441	*/
442	public Role head() { return m_head; }
443
444	/**
445	* Get the tail role from the credential
446	* @return the Role in the tail
447	*/
448	public Role tail() { return m_tail; }
449
450	/**
451	* Gets the cert associated with this credential (if any).
452	* @return the attribute cert associated with this credential (if any).
453	*/
454	public Document GENIcert() { return doc; }
455
456	/**
457	* Turn the credential into string form. The format is head <- tail. For
458	* example: A.r1 <- B.r2.r3. Principal names are key identifiers.
459	* @return the string form
460	*/
461	public String toString() {
462	return m_head + " <- " + m_tail;
463	}
464
465	/**
466	* Turn the credential into string form. The format is head <- tail. For
467	* example: A.r1 <- B.r2.r3. Principal names are shortened to menmonics
468	* if the Context knows the identity.
469	* @param c the Context to translate names in
470	* @return the string form
471	*/
472	public String simpleString(Context c) {
473	return m_head.simpleString(c) + " <- " + m_tail.simpleString(c);
474	}
475
476	/**
477	* Output the signed GENI ABAC certificate associated with this
478	* Credential to the OutputStream.
479	* @param s the OutputStream on which to write
480	* @throws IOException if there is an error writing.
481	*/
482	public void write(OutputStream s) throws IOException {
483	if ( doc == null )
484	return;
485	try {
486	TransformerFactory tf = TransformerFactory.newInstance();
487	Transformer t = tf.newTransformer();
488	DOMSource source = new DOMSource(doc);
489	StreamResult result = new StreamResult(s);
490
491	t.transform(source, result);
492	s.flush();
493	}
494	catch (Exception e) {
495	throw new IOException(e.getMessage());
496	}
497	}
498
499	/**
500	* Output the signed GENI ABAC certificate associated with this
501	* Credential to the filename given.
502	* @param fn a String containing the output filename
503	* @throws IOException if there is an error writing.
504	*/
505	public void write(String fn) throws IOException, FileNotFoundException {
506	write(new FileOutputStream(fn));
507	}
508
509	/**
510	* Return true if this Credential has a certificate associated. A jabac
511	* extension.
512	* @return true if this Credential has a certificate associated.
513	*/
514	public boolean hasCertificate() { return doc != null; }
515
516	/**
517	* Return the Identity that issued the underlying certificate. A jabac
518	* extension.
519	* @return the Identity that issued the underlying certificate.
520	*/
521	public Identity issuer() { return id; }
522	/**
523	* Return the X509Certificate that issued the underlying certificate.
524	* @return the X509Certificate that issued the underlying certificate.
525	*/
526	public X509Certificate issuerCert() { return id.getCertificate(); }
527	/**
528	* Return the X509V2AttributeCertificate that underlys the Credential
529	* @return the X509V2AttributeCertificate that underlys the Credential.
530	public X509V2AttributeCertificate attributeCert() { return ac; }
531	*/
532
533
534	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: