[dd5d4d9] | 1 | package net.deterlab.abac; |
---|
| 2 | |
---|
| 3 | import java.io.*; |
---|
| 4 | import java.math.*; |
---|
| 5 | import java.text.*; |
---|
| 6 | |
---|
| 7 | import java.util.*; |
---|
| 8 | import java.security.*; |
---|
| 9 | import java.security.cert.*; |
---|
| 10 | |
---|
| 11 | import javax.security.auth.x500.*; |
---|
| 12 | |
---|
| 13 | import javax.xml.parsers.*; |
---|
| 14 | import javax.xml.transform.*; |
---|
| 15 | import javax.xml.transform.dom.*; |
---|
| 16 | import javax.xml.transform.stream.*; |
---|
| 17 | |
---|
| 18 | import javax.xml.crypto.*; |
---|
| 19 | import javax.xml.crypto.dsig.*; |
---|
| 20 | import javax.xml.crypto.dsig.dom.*; |
---|
| 21 | import javax.xml.crypto.dsig.keyinfo.*; |
---|
| 22 | import javax.xml.crypto.dsig.spec.*; |
---|
| 23 | |
---|
| 24 | import org.xml.sax.*; |
---|
| 25 | import org.w3c.dom.*; |
---|
| 26 | |
---|
| 27 | import org.bouncycastle.asn1.*; |
---|
| 28 | import org.bouncycastle.asn1.x509.*; |
---|
| 29 | import org.bouncycastle.x509.*; |
---|
| 30 | import org.bouncycastle.x509.util.*; |
---|
| 31 | import org.bouncycastle.openssl.*; |
---|
| 32 | |
---|
| 33 | /** |
---|
| 34 | * An ABAC credential formatted as an abac-type GENI credential. |
---|
| 35 | * @author <a href="http://abac.deterlab.net">ISI ABAC team</a> |
---|
| 36 | * @version 1.4 |
---|
| 37 | */ |
---|
| 38 | public class GENIPrivCredential extends GENICredential { |
---|
| 39 | /** |
---|
| 40 | * Create an empty Credential. |
---|
| 41 | */ |
---|
| 42 | public GENIPrivCredential() { |
---|
| 43 | m_head = m_tail = null; |
---|
| 44 | doc = null; |
---|
| 45 | id = null; |
---|
| 46 | } |
---|
| 47 | /** |
---|
| 48 | * Create a credential from a head and tail role. This credential has no |
---|
| 49 | * underlying certificate, and cannot be exported or used in real proofs. |
---|
| 50 | * make_cert can create a certificate for a credential initialized this |
---|
| 51 | * way. |
---|
| 52 | * @param head the Role at the head of the credential |
---|
| 53 | * @param tail the Role at the tail of the credential |
---|
| 54 | */ |
---|
| 55 | public GENIPrivCredential(Role head, Role tail, Document d, Identity i) { |
---|
| 56 | m_head = head; |
---|
| 57 | m_tail = tail; |
---|
| 58 | doc = null; |
---|
| 59 | id = null; |
---|
| 60 | } |
---|
| 61 | |
---|
| 62 | /** |
---|
| 63 | * Create a certificate from this credential issued by the given identity. |
---|
| 64 | * This is the signed XML ABAC credential. |
---|
| 65 | * @param i the Identity that will issue the certificate |
---|
| 66 | * @throws ABACException if xml creation fails |
---|
| 67 | * @throws MissingIssuerException if the issuer is bad |
---|
| 68 | * @throws BadSignatureException if the signature creation fails |
---|
| 69 | */ |
---|
| 70 | public void make_cert(Identity i) |
---|
| 71 | throws ABACException { |
---|
| 72 | throw new ABACException("Cannot generate a GENIPrivCredential"); |
---|
| 73 | } |
---|
| 74 | |
---|
[484bb5a] | 75 | /** |
---|
| 76 | * Class that parses a GENI privilege credential into multiple |
---|
| 77 | * GENIPrivCredential objects. |
---|
| 78 | */ |
---|
[dd5d4d9] | 79 | static public class GENIPrivSpecialization |
---|
| 80 | extends CredentialFactorySpecialization { |
---|
| 81 | |
---|
[484bb5a] | 82 | /** |
---|
| 83 | * Extract an identity from a field holding a PEM-encoded x.509 |
---|
| 84 | * certificate (for example, owner_gid). |
---|
| 85 | * @param n a Node that has the certificate in its Text Content |
---|
| 86 | * @return the Identity |
---|
| 87 | */ |
---|
[dd5d4d9] | 88 | protected Identity nodeToIdentity(Node n) { |
---|
| 89 | String certStr = null; |
---|
| 90 | |
---|
| 91 | if ( ( certStr = n.getTextContent()) == null ) return null; |
---|
| 92 | try { |
---|
| 93 | certStr = "-----BEGIN CERTIFICATE-----\n" + |
---|
| 94 | certStr + |
---|
| 95 | "\n-----END CERTIFICATE-----"; |
---|
| 96 | return new Identity(new StringReader(certStr)); |
---|
| 97 | } |
---|
| 98 | catch (Exception e) { |
---|
| 99 | return null; |
---|
| 100 | } |
---|
| 101 | } |
---|
[484bb5a] | 102 | |
---|
| 103 | /** |
---|
| 104 | * Parses the credential into multiple Objects based on the permissions |
---|
| 105 | * imbued by the credential. |
---|
| 106 | * @param d a Document, the parsed credential |
---|
| 107 | * @param issuer an Identity that signed the credential |
---|
| 108 | * @return an array of GENIPrivCredentials that represent the |
---|
| 109 | * credential |
---|
| 110 | */ |
---|
[dd5d4d9] | 111 | protected Credential[] make_creds(Document d, Identity issuer) |
---|
| 112 | throws ABACException { |
---|
| 113 | Node root = null; |
---|
| 114 | Node credential = null; |
---|
| 115 | Node owner_gid = null; |
---|
| 116 | Node target_gid = null; |
---|
| 117 | Node privileges = null; |
---|
| 118 | Node priv = null; |
---|
| 119 | Identity owner = null; |
---|
| 120 | Identity target = null; |
---|
| 121 | ArrayList<GENIPrivCredential> rv = |
---|
| 122 | new ArrayList<GENIPrivCredential>(); |
---|
| 123 | |
---|
| 124 | |
---|
| 125 | if ( (root = getChildByName(d, "signed-credential")) == null) |
---|
| 126 | throw new CertInvalidException("No signed-credential element"); |
---|
| 127 | if ( (credential = getChildByName(root, "credential")) == null ) |
---|
| 128 | throw new CertInvalidException("No credential element"); |
---|
| 129 | if ( (owner_gid = getChildByName(credential, "owner_gid")) == null ) |
---|
| 130 | throw new CertInvalidException("No owner_gid element"); |
---|
| 131 | if ((target_gid = getChildByName(credential,"target_gid")) == null ) |
---|
| 132 | throw new CertInvalidException("No target_gid element"); |
---|
| 133 | if ((privileges = getChildByName(credential,"privileges")) == null ) |
---|
| 134 | throw new CertInvalidException("No privileges element"); |
---|
| 135 | |
---|
[2405adf] | 136 | Date exp = getTime(d, "expires"); |
---|
| 137 | |
---|
| 138 | if ( exp.before(new Date())) |
---|
| 139 | throw new CertInvalidException("Certificate Expired " + exp); |
---|
| 140 | |
---|
[dd5d4d9] | 141 | if ( (owner = nodeToIdentity(owner_gid)) == null) |
---|
| 142 | throw new CertInvalidException("Bad owner_gid element"); |
---|
| 143 | if ( (target = nodeToIdentity(target_gid)) == null) |
---|
| 144 | throw new CertInvalidException("Bad target_gid element"); |
---|
| 145 | |
---|
| 146 | for (Node n = privileges.getFirstChild(); n != null; |
---|
| 147 | n = n.getNextSibling()) { |
---|
| 148 | if (n.getNodeType() != Node.ELEMENT_NODE || |
---|
| 149 | !"privilege".equals(n.getNodeName())) |
---|
| 150 | throw new CertInvalidException( |
---|
| 151 | "Child of privileges not privilege?"); |
---|
| 152 | Node name = null; |
---|
| 153 | Node can_delegate = null; |
---|
| 154 | boolean cd = false; |
---|
| 155 | String cds = null; |
---|
| 156 | String pname = null; |
---|
| 157 | |
---|
| 158 | if ( (name = getChildByName(n, "name")) == null) |
---|
| 159 | throw new CertInvalidException("No privilege name"); |
---|
| 160 | |
---|
| 161 | if ((can_delegate = getChildByName(n, "can_delegate")) == null) |
---|
| 162 | throw new CertInvalidException("No privilege delegate"); |
---|
| 163 | |
---|
| 164 | if ( (pname = name.getTextContent()) == null) |
---|
| 165 | throw new CertInvalidException("No privilege name text"); |
---|
[6bf703b0] | 166 | if ((cds = can_delegate.getTextContent()) == null) |
---|
[dd5d4d9] | 167 | throw new CertInvalidException("No delegate text"); |
---|
| 168 | cd = cds.equals("1") || cds.equals("true"); |
---|
| 169 | |
---|
[484bb5a] | 170 | /* First privilege includes the basic speaks for defintion |
---|
| 171 | * for this owner */ |
---|
[dd5d4d9] | 172 | if ( rv.isEmpty() ) { |
---|
| 173 | rv.add(new GENIPrivCredential( |
---|
| 174 | new Role(issuer.getKeyID() + ".speaks_for_" + |
---|
| 175 | owner.getKeyID()), |
---|
| 176 | new Role(owner.getKeyID()), d, issuer)); |
---|
| 177 | rv.add(new GENIPrivCredential( |
---|
| 178 | new Role(issuer.getKeyID() + ".speaks_for_" + |
---|
| 179 | owner.getKeyID()), |
---|
| 180 | new Role(owner.getKeyID() + ".speaks_for_" + |
---|
| 181 | owner.getKeyID()), d, issuer)); |
---|
| 182 | } |
---|
[484bb5a] | 183 | |
---|
| 184 | /* The privilege itself */ |
---|
[dd5d4d9] | 185 | rv.add(new GENIPrivCredential( |
---|
| 186 | new Role(issuer.getKeyID() + "." + pname + "_" + |
---|
| 187 | target.getKeyID()), |
---|
| 188 | new Role(issuer.getKeyID() + ".speaks_for_" + |
---|
| 189 | owner.getKeyID()), d, issuer)); |
---|
| 190 | if (cd ) { |
---|
[484bb5a] | 191 | /* The rules for delegation, if necessary */ |
---|
[dd5d4d9] | 192 | rv.add(new GENIPrivCredential( |
---|
| 193 | new Role(issuer.getKeyID() + "." + pname + |
---|
| 194 | "_" + target.getKeyID()), |
---|
| 195 | new Role(issuer.getKeyID() + ".can_delegate_" |
---|
| 196 | + pname + "_" + target.getKeyID() + |
---|
| 197 | "." + pname + "_" + target.getKeyID()), |
---|
| 198 | d, issuer)); |
---|
| 199 | rv.add(new GENIPrivCredential( |
---|
| 200 | new Role(issuer.getKeyID() + |
---|
| 201 | ".can_delegate_" + pname), |
---|
| 202 | new Role(owner.getKeyID()), d, issuer)); |
---|
| 203 | } |
---|
| 204 | } |
---|
| 205 | return rv.toArray(new Credential[rv.size()]); |
---|
| 206 | } |
---|
| 207 | |
---|
[484bb5a] | 208 | /** |
---|
| 209 | * Parse the credential into multiple GENIPrivCredentials that encode |
---|
| 210 | * its semantics. |
---|
| 211 | * @param is an InputStream containing the credentals |
---|
| 212 | * @param ids a Collection of Identities to use in validation |
---|
| 213 | * @return an array of GENIPrivCredentials that represent the |
---|
| 214 | * credential |
---|
| 215 | * @throws CertInvalidException if the stream is unparsable |
---|
| 216 | * @throws MissingIssuerException if none of the Identities can |
---|
| 217 | * validate the certificate |
---|
| 218 | * @throws BadSignatureException if the signature check fails |
---|
| 219 | */ |
---|
[dd5d4d9] | 220 | public Credential[] parseCredential(InputStream is, |
---|
| 221 | Collection<Identity> ids) throws ABACException { |
---|
| 222 | try { |
---|
| 223 | Document d = read_certificate(is); |
---|
| 224 | XMLSignatureFactory fac = |
---|
| 225 | XMLSignatureFactory.getInstance("DOM"); |
---|
| 226 | NodeList nl = d.getElementsByTagNameNS(XMLSignature.XMLNS, |
---|
| 227 | "Signature"); |
---|
| 228 | DOMValidateContext valContext = null; |
---|
| 229 | XMLSignature signature = null; |
---|
| 230 | Identity lid = null; |
---|
| 231 | |
---|
| 232 | |
---|
| 233 | if (nl.getLength() == 0) |
---|
| 234 | throw new CertInvalidException( |
---|
| 235 | "Cannot find Signature element"); |
---|
| 236 | |
---|
| 237 | setIDAttrs(d); |
---|
| 238 | valContext = new DOMValidateContext(new X509KeySelector(), |
---|
| 239 | nl.item(0)); |
---|
| 240 | if ( valContext == null ) |
---|
| 241 | throw new ABACException("No validation context!?"); |
---|
| 242 | |
---|
| 243 | signature = fac.unmarshalXMLSignature(valContext); |
---|
| 244 | if (signature == null) |
---|
| 245 | throw new BadSignatureException( |
---|
| 246 | "Cannot unmarshal signature"); |
---|
| 247 | |
---|
| 248 | if (!signature.validate(valContext)) |
---|
| 249 | throw new BadSignatureException("bad signature"); |
---|
| 250 | |
---|
| 251 | lid = getIdentity(nl.item(0)); |
---|
| 252 | |
---|
| 253 | if ( !ids.contains(lid) ) ids.add(lid); |
---|
| 254 | |
---|
[6bf703b0] | 255 | return make_creds(d, lid); |
---|
[dd5d4d9] | 256 | } |
---|
| 257 | catch (ABACException ae) { |
---|
| 258 | throw ae; |
---|
| 259 | } |
---|
| 260 | catch (Exception e) { |
---|
| 261 | throw new BadSignatureException(e.getMessage(), e); |
---|
| 262 | } |
---|
| 263 | } |
---|
| 264 | |
---|
[484bb5a] | 265 | /** |
---|
| 266 | * One cannot create a GENIPrivCredential to encodes a single arbitrary |
---|
| 267 | * head and tail, so this always fails. |
---|
| 268 | * @param head a Role to encode |
---|
| 269 | * @param tail a Role to encode |
---|
| 270 | */ |
---|
[dd5d4d9] | 271 | public Credential generateCredential(Role head, Role tail) { |
---|
| 272 | return null; |
---|
| 273 | } |
---|
| 274 | }; |
---|
| 275 | |
---|
| 276 | /** |
---|
[484bb5a] | 277 | * Return a CredentialCredentialFactorySpecialization for |
---|
| 278 | * GENIPrivCredentials. Used by the CredentialFactory to parse these kind |
---|
| 279 | * of credentials. |
---|
[dd5d4d9] | 280 | * @return a CredentialFactorySpecialization for this kind of credential. |
---|
| 281 | */ |
---|
| 282 | static public CredentialFactorySpecialization |
---|
| 283 | getCredentialFactorySpecialization() { |
---|
| 284 | return new GENIPrivSpecialization(); |
---|
| 285 | } |
---|
| 286 | } |
---|