Context Navigation

source: java/net/deterlab/abac/GENICredential.java @ d31242c

abac0-leakabac0-meimei-idmei-rt0-nmei_rt0tvf-new-xml

Last change on this file since d31242c was d31242c, checked in by Ted Faber <faber@…>, 11 years ago
Add suffix
Property mode set to `100644`
File size: 22.1 KB

Line
1	package net.deterlab.abac;
2
3	import java.io.*;
4	import java.math.*;
5	import java.text.*;
6
7	import java.util.*;
8
9	import java.security.*;
10	import java.security.cert.*;
11
12	import javax.xml.parsers.*;
13	import javax.xml.transform.*;
14	import javax.xml.transform.dom.*;
15	import javax.xml.transform.stream.*;
16
17	import javax.xml.crypto.*;
18	import javax.xml.crypto.dsig.*;
19	import javax.xml.crypto.dsig.dom.*;
20	import javax.xml.crypto.dsig.keyinfo.*;
21	import javax.xml.crypto.dsig.spec.*;
22
23	import org.xml.sax.*;
24	import org.w3c.dom.*;
25
26	/**
27	* An ABAC credential formatted as an abac-type GENI credential.
28	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
29	* @version 1.4
30	*/
31	public class GENICredential extends Credential implements Comparable {
32	/** The signed XML representing this credential */
33	protected Document doc;
34	/** The GENI credential suffix */
35	private static final String fileSuffix = ".xml";
36
37	/**
38	* X509KeySelector implementation from
39	* http://www.outsourcingi.com/art-271-Programming-With-the-Java-XML-Digital-Signature-API.html
40	* .
41	*
42	* Straight ahead extraction of a key from an X509 cert, but it is their
43	* code and hard to improve on.
44	*/
45	static protected class X509KeySelector extends KeySelector {
46	public KeySelectorResult select(KeyInfo keyInfo,
47	KeySelector.Purpose purpose,
48	AlgorithmMethod method,
49	XMLCryptoContext context)
50	throws KeySelectorException {
51	Iterator ki = keyInfo.getContent().iterator();
52	while (ki.hasNext()) {
53	XMLStructure info = (XMLStructure) ki.next();
54	if (!(info instanceof X509Data))
55	continue;
56	X509Data x509Data = (X509Data) info;
57	Iterator xi = x509Data.getContent().iterator();
58	while (xi.hasNext()) {
59	Object o = xi.next();
60	if (!(o instanceof X509Certificate))
61	continue;
62	final PublicKey key = ((X509Certificate)o).getPublicKey();
63	// Make sure the algorithm is compatible
64	// with the method.
65	if (algEquals(method.getAlgorithm(), key.getAlgorithm())) {
66	return new KeySelectorResult() {
67	public Key getKey() { return key; }
68	};
69	}
70	}
71	}
72	throw new KeySelectorException("No key found!");
73	}
74
75	boolean algEquals(String algURI, String algName) {
76	if ((algName.equalsIgnoreCase("DSA") &&
77	algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) \|\|
78	(algName.equalsIgnoreCase("RSA") &&
79
80	algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1))) {
81	return true;
82	} else {
83	return false;
84	}
85	}
86	}
87
88	/**
89	* Create an empty Credential.
90	*/
91	public GENICredential() {
92	super();
93	doc = null;
94	setSuffix(fileSuffix);
95	}
96	/**
97	* Create a credential from a head and tail role. This credential has no
98	* underlying certificate, and cannot be exported or used in real proofs.
99	* make_cert can create a certificate for a credential initialized this
100	* way.
101	* @param head the Role at the head of the credential
102	* @param tail the Role at the tail of the credential
103	*/
104	public GENICredential(Role head, Role tail) {
105	super(head, tail);
106	doc = null;
107	setSuffix(fileSuffix);
108	}
109
110	/**
111	* Do the credential extraction from an input stream. This parses the
112	* certificate from the input stream and saves it. The contents must be
113	* validated and parsed later.
114	* @param stream the InputStream to read the certificate from.
115	* @return the parsed XML document
116	* @throws IOException if the stream is unparsable
117	*/
118	static protected Document read_certificate(InputStream stream)
119	throws IOException {
120	DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
121	DocumentBuilder db = null;
122	Document ldoc = null;
123
124	if ( dbf == null )
125	throw new IOException("Cannot get DocumentBuilderFactory!?");
126	try {
127	/* Note this setting is required to find the properly
128	* namespace-scoped signature block in the credential.
129	*/
130	dbf.setNamespaceAware(true);
131	if ( (db = dbf.newDocumentBuilder()) == null )
132	throw new IOException("Cannot get DocumentBuilder!?");
133	ldoc = db.parse(stream);
134	ldoc.normalizeDocument();
135	return ldoc;
136	}
137	catch (IllegalArgumentException ie) {
138	throw new IOException("null stream", ie);
139	}
140	catch (SAXException se) {
141	throw new IOException(se.getMessage(), se);
142	}
143	catch (Exception e) {
144	throw new IOException(e.getMessage(), e);
145	}
146
147	}
148
149	/**
150	* Walk the document and set all instances of an xml:id attribute to be ID
151	* attributes in terms of the java libraries. This is needed for the
152	* signature code to find signed subsections. The "xml:id" is treated as
153	* both a namespace free ID with a colon and as an "id" identifier in the
154	* "xml" namespace so we don't miss it.
155	* @param n the root of the document to mark
156	*/
157	static protected void setIDAttrs(Node n) {
158	if ( n.getNodeType() == Node.ELEMENT_NODE) {
159	Element e = (Element) n;
160	String id = e.getAttribute("xml:id");
161
162	if ( id != null && id.length() > 0 )
163	e.setIdAttribute("xml:id", true);
164
165	id = e.getAttributeNS("xml", "id");
166	if ( id != null && id.length() > 0 )
167	e.setIdAttributeNS("xml", "id", true);
168	}
169
170	for (Node nn = n.getFirstChild(); nn != null; nn = nn.getNextSibling())
171	setIDAttrs(nn);
172	}
173
174	/**
175	* Return the child of Node n that has the given name, if there is one.
176	* @param n a Node to search
177	* @param name the name to search for
178	* @return a Node with the name, may be null
179	*/
180	static protected Node getChildByName(Node n, String name) {
181	if (name == null ) return null;
182
183	for (Node nn = n.getFirstChild(); nn != null; nn = nn.getNextSibling())
184	if ( nn.getNodeType() == Node.ELEMENT_NODE &&
185	name.equals(nn.getNodeName())) return nn;
186	return null;
187	}
188
189	/**
190	* Find the X509Certificate in the Signature element and convert it to an
191	* ABAC identity. This assumes a KeyInfo in that section holding an
192	* X509Data section containing the certificate in an X509Certificate
193	* section. Any of that not being found will cause a failure. If the
194	* Identity cannot be created a Gignature exception is thrown.
195	* @param n a Node pointing to a Signature section
196	* @return an Identity constructed frm the X509 Certificate
197	* @throws MissingIssuerException if the Identity cannot be created from the
198	* certificate.
199	*/
200	static protected Identity getIdentity(Node n)
201	throws MissingIssuerException {
202	Identity rv = null;
203	Node nn = getChildByName(n, "KeyInfo");
204	String certStr = null;
205
206	if ( nn == null ) return null;
207	if ( ( nn = getChildByName(nn, "X509Data")) == null ) return null;
208	if ( ( nn = getChildByName(nn, "X509Certificate")) == null ) return null;
209	if ( ( certStr = nn.getTextContent()) == null ) return null;
210	try {
211	certStr = "-----BEGIN CERTIFICATE-----\n" +
212	certStr +
213	"\n-----END CERTIFICATE-----";
214	return new Identity(new StringReader(certStr));
215	}
216	catch (Exception e) {
217	throw new MissingIssuerException(e.getMessage(), e);
218	}
219	}
220
221	static protected Date getTime(Document d, String field)
222	throws ABACException {
223	Node root = null;
224	Node n = null;
225	SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssz");
226	Date date = null;
227	String dstr = null;
228
229	if ( (root = getChildByName(d, "signed-credential")) == null)
230	throw new CertInvalidException("No signed-credential element");
231	if ( (n = getChildByName(root, "credential")) == null )
232	throw new CertInvalidException("No credential element");
233	if ( (n = getChildByName(n, field)) == null )
234	throw new CertInvalidException("No " + field + " element");
235
236	if ( ( dstr = n.getTextContent()) == null )
237	throw new CertInvalidException("No expires content");
238
239	dstr = dstr.replace("Z", "GMT");
240	if ((date = df.parse(dstr, new ParsePosition(0))) == null)
241	throw new CertInvalidException("Cannot parse date: "+
242	n.getTextContent());
243
244	return date;
245	}
246
247	/**
248	* Initialize a credential from parsed certificate. Validiate it against
249	* the given identities and parse out the roles. Note that catching
250	* java.security.GeneralSecurityException catches most of the exceptions
251	* this throws.
252	* @param ids a Collection of Identities to use in validating the cert
253	* @throws CertInvalidException if the stream is unparsable
254	* @throws MissingIssuerException if none of the Identities can validate the
255	* certificate
256	* @throws BadSignatureException if the signature check fails
257	*/
258	protected void init(Collection<Identity> ids)
259	throws ABACException {
260
261	XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
262	NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS,
263	"Signature");
264	DOMValidateContext valContext = null;
265	XMLSignature signature = null;
266
267	try {
268
269	if (nl.getLength() == 0)
270	throw new CertInvalidException("Cannot find Signature element");
271
272	setIDAttrs(doc);
273	valContext = new DOMValidateContext(new X509KeySelector(),
274	nl.item(0));
275	if ( valContext == null )
276	throw new ABACException("No validation context!?");
277
278	signature = fac.unmarshalXMLSignature(valContext);
279	if (signature == null)
280	throw new BadSignatureException("Cannot unmarshal signature");
281
282	if (!signature.validate(valContext))
283	throw new BadSignatureException("bad signature");
284
285	m_expiration = getTime(doc, "expires");
286
287	if ( m_expiration.before(new Date()))
288	throw new CertInvalidException("Certificate Expired " +
289	m_expiration);
290
291	load_roles();
292
293	id = getIdentity(nl.item(0));
294
295	if ( !ids.contains(id) ) ids.add(id);
296
297	if (!id.getKeyID().equals(m_head.principal()))
298	throw new MissingIssuerException("Issuer ID and left hand " +
299	"side principal disagree");
300	}
301	catch (ABACException ae) {
302	throw ae;
303	}
304	catch (Exception e) {
305	throw new BadSignatureException(e.getMessage(), e);
306	}
307	}
308
309	/**
310	* Parse a credential from an InputStream and initialize the role from it.
311	* Combine read_credential(stream) and init(ids). Note that catching
312	* java.security.GeneralSecurityException catches most of the exceptions
313	* this throws.
314	* @param stream the InputStream to read the certificate from.
315	* @param ids a Collection of Identities to use in validating the cert
316	* @throws CertInvalidException if the stream is unparsable
317	* @throws MissingIssuerException if none of the Identities can validate the
318	* certificate
319	* @throws BadSignatureException if the signature check fails
320	*/
321	protected void init(InputStream stream, Collection<Identity> ids)
322	throws ABACException {
323	try {
324	doc = read_certificate(stream);
325	}
326	catch (IOException e) {
327	throw new CertInvalidException("Cannot parse cert", e);
328	}
329	if (doc == null) throw new CertInvalidException("Unknown Format");
330	init(ids);
331	}
332
333	/**
334	* Create a credential from an attribute cert in a file. Throws an
335	* exception if the cert file can't be opened or if there's a format
336	* problem with the cert. Note that catching
337	* java.security.GeneralSecurityException catches most of the exceptions
338	* this throws.
339	* @param filename a String containing the filename to read
340	* @param ids a Collection of Identities to use in validating the cert
341	* @throws CertInvalidException if the stream is unparsable
342	* @throws MissingIssuerException if none of the Identities can validate the
343	* certificate
344	* @throws BadSignatureException if the signature check fails
345	*/
346	GENICredential(String filename, Collection<Identity> ids)
347	throws ABACException {
348	super();
349	setSuffix(fileSuffix);
350	try {
351	init(new FileInputStream(filename), ids);
352	}
353	catch (FileNotFoundException e) {
354	throw new CertInvalidException("Bad filename", e);
355	}
356	}
357
358	/**
359	* Create a credential from an attribute cert in a file. Throws an
360	* exception if the cert file can't be opened or if there's a format
361	* problem with the cert. Note that catching
362	* java.security.GeneralSecurityException catches most of the exceptions
363	* this throws.
364	* @param file the File to read
365	* @param ids a Collection of Identities to use in validating the cert
366	* @throws CertInvalidException if the stream is unparsable
367	* @throws MissingIssuerException if none of the Identities can validate the
368	* certificate
369	* @throws BadSignatureException if the signature check fails
370	*/
371	GENICredential(File file, Collection<Identity> ids)
372	throws ABACException {
373	super();
374	setSuffix(fileSuffix);
375	try {
376	init(new FileInputStream(file), ids);
377	}
378	catch (FileNotFoundException e) {
379	throw new CertInvalidException("Bad filename", e);
380	}
381	}
382
383	/**
384	* Create a credential from an InputStream. Throws an exception if the
385	* stream can't be parsed or if there's a format problem with the cert.
386	* Note that catching java.security.GeneralSecurityException catches most
387	* of the exceptions this throws.
388	* @param s the InputStream to read
389	* @param ids a Collection of Identities to use in validating the cert
390	* @throws CertInvalidException if the stream is unparsable
391	* @throws MissingIssuerException if none of the Identities can validate the
392	* certificate
393	* @throws BadSignatureException if the signature check fails
394	*/
395	GENICredential(InputStream s, Collection<Identity> ids)
396	throws ABACException {
397	super();
398	setSuffix(fileSuffix);
399	init(s, ids);
400	}
401
402	/**
403	* Encode the abac credential's XML and set the validity. This is straight
404	* line code that directly builds the credential.
405	* @param validity a long holding the number of seconds that the credential
406	* is valid for.
407	* @return a Node, the place to attach signatures
408	* @throws ABACException if any of the XML construction fails
409	*/
410	protected Node make_rt0_content(long validity) throws ABACException {
411	DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
412	DocumentBuilder db = null;
413	SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
414	StringBuffer expBuf = new StringBuffer();
415
416	/* This is a weirdness to cope with the GENI format. They have a naked
417	* xml:id specifier without any namespace declarations in the
418	* credential. Notice that this is the opposite of the setting used in
419	* init to read a credential. */
420	dbf.setNamespaceAware(false);
421
422	if ( dbf == null )
423	throw new ABACException("Cannot get DocumentBuilderFactory!?");
424
425	try {
426	db = dbf.newDocumentBuilder();
427	}
428	catch (ParserConfigurationException pe) {
429	throw new ABACException("Cannot get DocumentBuilder!?" +
430	pe.getMessage(), pe);
431	}
432
433	doc = db.newDocument();
434	if ( doc == null )
435	throw new ABACException("No Document");
436
437	Element root = doc.createElement("signed-credential");
438	Element cred = doc.createElement("credential");
439	Element sig = doc.createElement("signatures");
440	Element e = doc.createElement("type");
441	Node text = doc.createTextNode("abac");
442
443	doc.appendChild(root);
444
445	cred.setAttribute("xml:id", "ref0");
446	/* So that the signing code can find the section to sign */
447	cred.setIdAttribute("xml:id", true);
448
449	root.appendChild(cred);
450	e.appendChild(text);
451	cred.appendChild(e);
452
453	m_expiration = new Date(System.currentTimeMillis() +
454	(1000L * validity ));
455	df.setTimeZone(new SimpleTimeZone(0, "Z"));
456	df.format(m_expiration, expBuf, new FieldPosition(0));
457	e = doc.createElement("expires");
458	text = doc.createTextNode(expBuf.toString());
459	e.appendChild(text);
460	cred.appendChild(e);
461
462	e = doc.createElement("version");
463	text = doc.createTextNode("1.0");
464	e.appendChild(text);
465	cred.appendChild(e);
466
467	e = doc.createElement("rt0");
468	text = doc.createTextNode(m_head + "<-" + m_tail);
469	e.appendChild(text);
470	cred.appendChild(e);
471
472	root.appendChild(sig);
473	return sig;
474	}
475
476	/**
477	* Create a certificate from this credential issued by the given identity
478	* valid for the given time (in seconds). This is the signed XML ABAC
479	* credential.
480	* @param i the Identity that will issue the certificate
481	* @param validity a long holding the number of seconds that the credential
482	* is valid for.
483	* @throws ABACException if xml creation fails
484	* @throws MissingIssuerException if the issuer is bad
485	* @throws BadSignatureException if the signature creation fails
486	*/
487	public void make_cert(Identity i, long validity)
488	throws ABACException {
489	X509Certificate cert = i.getCertificate();
490	KeyPair kp = i.getKeyPair();
491	PublicKey pubKey = null;
492	PrivateKey privKey = null;
493	if ( cert == null )
494	throw new MissingIssuerException("No credential in identity?");
495	if ( kp == null )
496	throw new MissingIssuerException("No keypair in identity?");
497
498	pubKey = kp.getPublic();
499	if ((privKey = kp.getPrivate()) == null )
500	throw new MissingIssuerException("No private ket in identity");
501
502	XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
503	Reference ref = null;
504	SignedInfo si = null;
505	KeyInfoFactory kif = fac.getKeyInfoFactory();
506
507	/* The <Object> doesn't say much, but shuts the compiler up about
508	* unchecked references. The lists are polymorphyc and the signature
509	* libs expect that, so <Object> is the best we can do.
510	*/
511	List<Object> x509Content = new ArrayList<Object>();
512	List<Object> keyInfo = new ArrayList<Object>();
513	x509Content.add(cert.getSubjectX500Principal().getName());
514	x509Content.add(cert);
515	X509Data xd = kif.newX509Data(x509Content);
516	KeyValue kv = null;
517
518	try {
519	kv = kif.newKeyValue(pubKey);
520	}
521	catch (KeyException ke) {
522	throw new ABACException("Unsupported key format " +
523	ke.getMessage(), ke);
524	}
525
526	Collections.addAll(keyInfo, kv, xd);
527
528	KeyInfo ki = kif.newKeyInfo(keyInfo);
529	Node sig = make_rt0_content(validity);
530
531	try {
532	ref = fac.newReference("#ref0",
533	fac.newDigestMethod(DigestMethod.SHA1, null),
534	Collections.singletonList(
535	fac.newTransform(Transform.ENVELOPED,
536	(TransformParameterSpec) null)),
537	null, null);
538
539	si = fac.newSignedInfo(
540	fac.newCanonicalizationMethod(
541	CanonicalizationMethod.INCLUSIVE,
542	(C14NMethodParameterSpec) null),
543	fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
544	Collections.singletonList(ref));
545
546	DOMSignContext dsc = new DOMSignContext(privKey, sig);
547	XMLSignature signature = fac.newXMLSignature(si, ki);
548	signature.sign(dsc);
549	}
550	catch (Exception me) {
551	throw new BadSignatureException(me.getMessage(), me);
552	}
553
554	}
555
556	/**
557	* Create a certificate from this credential issued by the given identity
558	* valid for the default validity period. This is the signed XML ABAC
559	* credential.
560	* @param i the Identity that will issue the certificate
561	* @throws ABACException if xml creation fails
562	* @throws MissingIssuerException if the issuer is bad
563	* @throws BadSignatureException if the signature creation fails
564	*/
565	public void make_cert(Identity i)
566	throws ABACException {
567	make_cert(i, defaultValidity);
568	}
569
570	/**
571	* Load the roles off the attribute cert.
572	* @throws CertInvalidException if the certificate is badly formatted
573	*/
574	private void load_roles() throws CertInvalidException {
575	if ( doc == null )
576	throw new CertInvalidException("No credential");
577
578	NodeList nodes = doc.getElementsByTagName("type");
579	Node node = null;
580	String roles = null;
581
582	if (nodes == null \|\| nodes.getLength() != 1)
583	throw new CertInvalidException("More than one type element?");
584
585	node = nodes.item(0);
586	if ( node == null )
587	throw new CertInvalidException("bad rt0 element?");
588
589	if ( !"abac".equals(node.getTextContent()) )
590	throw new CertInvalidException("Not an abac type credential");
591
592	nodes = doc.getElementsByTagName("rt0");
593	if (nodes == null \|\| nodes.getLength() != 1)
594	throw new CertInvalidException("More than one rt0 element?");
595
596	node = nodes.item(0);
597
598	if ( node == null )
599	throw new CertInvalidException("bad rt0 element?");
600
601	if ( (roles = node.getTextContent()) == null )
602	throw new CertInvalidException("bad rt0 element (no text)?");
603
604	String[] parts = roles.split("\\s<--?\\s");
605	if (parts.length != 2)
606	throw new CertInvalidException("Invalid attribute: " + roles);
607
608	m_head = new Role(parts[0]);
609	m_tail = new Role(parts[1]);
610	}
611
612	/**
613	* Output the signed GENI ABAC certificate associated with this
614	* Credential to the OutputStream.
615	* @param s the OutputStream on which to write
616	* @throws IOException if there is an error writing.
617	*/
618	public void write(OutputStream s) throws IOException {
619	if ( doc == null )
620	return;
621	try {
622	TransformerFactory tf = TransformerFactory.newInstance();
623	Transformer t = tf.newTransformer();
624	DOMSource source = new DOMSource(doc);
625	StreamResult result = new StreamResult(s);
626
627	t.transform(source, result);
628	s.flush();
629	}
630	catch (Exception e) {
631	throw new IOException(e.getMessage(), e);
632	}
633	}
634	/**
635	* Output the signed GENI ABAC certificate associated with this
636	* Credential to the OutputStream.
637	* @param fn a String, the file name on which to write
638	* @throws IOException if there is an error writing.
639	* @throws FileNotFoundExeption if the file path is bogus
640	*/
641	public void write(String fn) throws IOException, FileNotFoundException {
642	write(new FileOutputStream(fn));
643	}
644
645	/**
646	* Return true if this Credential has a certificate associated. A jabac
647	* extension.
648	* @return true if this Credential has a certificate associated.
649	*/
650	public boolean hasCertificate() { return doc != null; }
651
652	/**
653	* Return a CredentialCredentialFactorySpecialization for GENICredentials.
654	* Used by the CredentialFactory to parse and generate these kind of
655	* credentials. It basically wraps constuctor calls.
656	* @return a CredentialFactorySpecialization for this kind of credential.
657	*/
658	static public CredentialFactorySpecialization
659	getCredentialFactorySpecialization() {
660	return new CredentialFactorySpecialization() {
661	public Credential[] parseCredential(InputStream is,
662	Collection<Identity> ids) throws ABACException {
663	return new Credential[] { new GENICredential(is, ids) };
664	}
665	public Credential generateCredential(Role head, Role tail) {
666	return new GENICredential(head, tail);
667	}
668	};
669	}
670	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: