source: java/net/deterlab/abac/GENIPrivCredential.java @ b89cfd8

abac0-leakabac0-meimei-idmei-rt0-nmei_rt0tvf-new-xml
Last change on this file since b89cfd8 was 675770e, checked in by Ted Faber <faber@…>, 12 years ago

Allow users to set validity periods.

  • Property mode set to 100644
File size: 9.8 KB
RevLine 
[dd5d4d9]1package net.deterlab.abac;
2
3import java.io.*;
4import java.math.*;
5import java.text.*;
6
7import java.util.*;
8import java.security.*;
9import java.security.cert.*;
10
11import javax.security.auth.x500.*;
12
13import javax.xml.parsers.*;
14import javax.xml.transform.*;
15import javax.xml.transform.dom.*;
16import javax.xml.transform.stream.*;
17
18import javax.xml.crypto.*;
19import javax.xml.crypto.dsig.*;
20import javax.xml.crypto.dsig.dom.*;
21import javax.xml.crypto.dsig.keyinfo.*;
22import javax.xml.crypto.dsig.spec.*;
23
24import org.xml.sax.*;
25import org.w3c.dom.*;
26
27import org.bouncycastle.asn1.*;
28import org.bouncycastle.asn1.x509.*;
29import org.bouncycastle.x509.*;
30import org.bouncycastle.x509.util.*;
31import org.bouncycastle.openssl.*;
32
33/**
34 * An ABAC credential formatted as an abac-type GENI credential.
35 * @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
36 * @version 1.4
37 */
38public class GENIPrivCredential extends GENICredential {
39    /**
40     * Create an empty Credential.
41     */
42    public GENIPrivCredential() {
[7f614c1]43        super();
[dd5d4d9]44        doc = null;
45    }
46    /**
47     * Create a credential from a head and tail role.  This credential has no
48     * underlying certificate, and cannot be exported or used in real proofs.
49     * make_cert can create a certificate for a credential initialized this
50     * way.
51     * @param head the Role at the head of the credential
52     * @param tail the Role at the tail of the credential
53     */
[7f614c1]54    public GENIPrivCredential(Role head, Role tail, Document d, Identity i,
55            Date e) {
[dd5d4d9]56        m_head = head;
57        m_tail = tail;
58        doc = null; 
59        id = null;
[7f614c1]60        m_expiration = e;
[dd5d4d9]61    }
[675770e]62    /**
63     * Create a certificate from this credential issued by the given identity
64     * valid for the given period; these credentials cannot be turned into
65     * certificates, so this will always throw an exception.
66     * @param i the Identity that will issue the certificate
67     * @param validity a long holding the number of seconds that the credential
68     * is valid for.
69     * @throws ABACException if xml creation fails
70     * @throws MissingIssuerException if the issuer is bad
71     * @throws BadSignatureException if the signature creation fails
72     */
73    public void make_cert(Identity i, long validity) 
74            throws ABACException {
75        throw new ABACException("Cannot generate a GENIPrivCredential");
76    }
77
[dd5d4d9]78
79    /**
[675770e]80     * Create a certificate from this credential issued by the given identity;
81     * these credentials cannot be turned into certificates, so this will
82     * always throw an exception.
[dd5d4d9]83     * @param i the Identity that will issue the certificate
84     * @throws ABACException if xml creation fails
85     * @throws MissingIssuerException if the issuer is bad
86     * @throws BadSignatureException if the signature creation fails
87     */
88    public void make_cert(Identity i) 
89            throws ABACException {
90        throw new ABACException("Cannot generate a GENIPrivCredential");
91    }
92
[484bb5a]93    /**
94     * Class that parses a GENI privilege credential into multiple
95     * GENIPrivCredential objects.
96     */
[dd5d4d9]97    static public class GENIPrivSpecialization 
98            extends CredentialFactorySpecialization {
99
[484bb5a]100        /**
101         * Extract an identity from a field holding a PEM-encoded x.509
102         * certificate (for example, owner_gid).
103         * @param n a Node that has the certificate in its Text Content
104         * @return the Identity
105         */
[dd5d4d9]106        protected Identity nodeToIdentity(Node n) {
107            String certStr = null;
108
109            if ( ( certStr = n.getTextContent()) == null ) return null;
110            try {
111                certStr = "-----BEGIN CERTIFICATE-----\n" + 
112                    certStr + 
113                "\n-----END CERTIFICATE-----";
114                return new Identity(new StringReader(certStr));
115            } 
116            catch (Exception e) {
117                return null;
118            }
119        }
[484bb5a]120
121        /**
122         * Parses the credential into multiple Objects based on the permissions
123         * imbued by the credential.
124         * @param d a Document, the parsed credential
125         * @param issuer an Identity that signed the credential
126         * @return an array of GENIPrivCredentials that represent the
127         * credential
128         */
[dd5d4d9]129        protected Credential[] make_creds(Document d, Identity issuer) 
130                throws ABACException {
131            Node root = null;
132            Node credential = null;
133            Node owner_gid = null;
134            Node target_gid = null;
135            Node privileges = null;
136            Node priv = null;
137            Identity owner = null;
138            Identity target = null;
139            ArrayList<GENIPrivCredential> rv = 
140                new ArrayList<GENIPrivCredential>();
141
142
143            if ( (root = getChildByName(d, "signed-credential")) == null)
144                throw new CertInvalidException("No signed-credential element");
145            if ( (credential = getChildByName(root, "credential")) == null )
146                throw new CertInvalidException("No credential element");
147            if ( (owner_gid = getChildByName(credential, "owner_gid")) == null )
148                throw new CertInvalidException("No owner_gid element");
149            if ((target_gid = getChildByName(credential,"target_gid")) == null )
150                throw new CertInvalidException("No target_gid element");
151            if ((privileges = getChildByName(credential,"privileges")) == null )
152                throw new CertInvalidException("No privileges element");
153
[2405adf]154            Date exp = getTime(d, "expires");
155
156            if ( exp.before(new Date()))
157                throw new CertInvalidException("Certificate Expired " + exp);
158
[dd5d4d9]159            if ( (owner = nodeToIdentity(owner_gid)) == null) 
160                throw new CertInvalidException("Bad owner_gid element");
161            if ( (target = nodeToIdentity(target_gid)) == null) 
162                throw new CertInvalidException("Bad target_gid element");
163
164            for (Node n = privileges.getFirstChild(); n != null; 
165                    n = n.getNextSibling()) {
166                if (n.getNodeType() != Node.ELEMENT_NODE ||
167                        !"privilege".equals(n.getNodeName()))
168                    throw new CertInvalidException(
169                            "Child of privileges not privilege?");
170                Node name = null;
171                Node can_delegate = null;
172                boolean cd = false;
173                String cds = null;
174                String pname = null;
175
176                if ( (name = getChildByName(n, "name")) == null)
177                    throw new CertInvalidException("No privilege name");
178
179                if ((can_delegate = getChildByName(n, "can_delegate")) == null)
180                    throw new CertInvalidException("No privilege delegate");
181
182                if ( (pname = name.getTextContent()) == null)
183                    throw new CertInvalidException("No privilege name text");
[6bf703b0]184                if ((cds = can_delegate.getTextContent()) == null)
[dd5d4d9]185                    throw new CertInvalidException("No delegate text");
186                cd = cds.equals("1") || cds.equals("true");
187
[484bb5a]188                /* First privilege includes the basic speaks for defintion
189                 * for this owner */
[dd5d4d9]190                if ( rv.isEmpty() ) {
191                    rv.add(new GENIPrivCredential(
192                                new Role(issuer.getKeyID() + ".speaks_for_" +
193                                    owner.getKeyID()),
[7f614c1]194                                new Role(owner.getKeyID()), d, issuer, exp));
[dd5d4d9]195                    rv.add(new GENIPrivCredential(
196                                new Role(issuer.getKeyID() + ".speaks_for_" +
197                                    owner.getKeyID()),
198                                new Role(owner.getKeyID() + ".speaks_for_" +
[7f614c1]199                                    owner.getKeyID()), d, issuer, exp));
[dd5d4d9]200                }
[484bb5a]201
202                /* The privilege itself */
[dd5d4d9]203                rv.add(new GENIPrivCredential(
204                            new Role(issuer.getKeyID() + "." + pname + "_" +
205                                target.getKeyID()),
206                            new Role(issuer.getKeyID() + ".speaks_for_" +
[7f614c1]207                                owner.getKeyID()), d, issuer, exp));
[dd5d4d9]208                if (cd ) {
[484bb5a]209                    /* The rules for delegation, if necessary */
[dd5d4d9]210                    rv.add(new GENIPrivCredential(
211                                new Role(issuer.getKeyID() + "." + pname + 
212                                    "_" + target.getKeyID()),
213                                new Role(issuer.getKeyID() + ".can_delegate_" 
214                                    + pname + "_" + target.getKeyID() + 
215                                    "." + pname + "_" + target.getKeyID()), 
[7f614c1]216                                d, issuer, exp));
[dd5d4d9]217                    rv.add(new GENIPrivCredential(
218                                new Role(issuer.getKeyID() + 
219                                    ".can_delegate_" + pname),
[7f614c1]220                                new Role(owner.getKeyID()), d, issuer, exp));
[dd5d4d9]221                }
222            }
223            return rv.toArray(new Credential[rv.size()]);
224        }
225
[484bb5a]226        /**
227         * Parse the credential into multiple GENIPrivCredentials that encode
228         * its semantics.
229         * @param is an InputStream containing the credentals
230         * @param ids a Collection of Identities to use in validation
231         * @return an array of GENIPrivCredentials that represent the
232         * credential
233         * @throws CertInvalidException if the stream is unparsable
234         * @throws MissingIssuerException if none of the Identities can
235         *                      validate the certificate
236         * @throws BadSignatureException if the signature check fails
237         */
[dd5d4d9]238        public Credential[] parseCredential(InputStream is, 
239                Collection<Identity> ids) throws ABACException {
240            try {
241                Document d = read_certificate(is);
242                XMLSignatureFactory fac = 
243                    XMLSignatureFactory.getInstance("DOM");
244                NodeList nl = d.getElementsByTagNameNS(XMLSignature.XMLNS, 
245                        "Signature");
246                DOMValidateContext valContext = null;
247                XMLSignature signature = null;
248                Identity lid = null;
249
250
251                if (nl.getLength() == 0) 
252                    throw new CertInvalidException(
253                            "Cannot find Signature element");
254
255                setIDAttrs(d);
256                valContext = new DOMValidateContext(new X509KeySelector(),
257                        nl.item(0));
258                if ( valContext == null )
259                    throw new ABACException("No validation context!?");
260
261                signature = fac.unmarshalXMLSignature(valContext);
262                if (signature == null) 
263                    throw new BadSignatureException(
264                            "Cannot unmarshal signature");
265
266                if (!signature.validate(valContext))
267                    throw new BadSignatureException("bad signature");
268
269                lid = getIdentity(nl.item(0));
270
271                if ( !ids.contains(lid) ) ids.add(lid);
272
[6bf703b0]273                return make_creds(d, lid);
[dd5d4d9]274            }
275            catch (ABACException ae) {
276                throw ae;
277            }
278            catch (Exception e) {
279                throw new BadSignatureException(e.getMessage(), e);
280            }
281        }
282
[484bb5a]283        /**
284         * One cannot create a GENIPrivCredential to encodes a single arbitrary
285         * head and tail, so this always fails.
286         * @param head a Role to encode
287         * @param tail a Role to encode
288         */
[dd5d4d9]289        public Credential generateCredential(Role head, Role tail) {
290            return null;
291        }
292    };
293
294    /**
[484bb5a]295     * Return a CredentialCredentialFactorySpecialization for
296     * GENIPrivCredentials.  Used by the CredentialFactory to parse these kind
297     * of credentials.
[dd5d4d9]298     * @return a CredentialFactorySpecialization for this kind of credential.
299     */
300    static public CredentialFactorySpecialization
301            getCredentialFactorySpecialization() {
302        return new GENIPrivSpecialization();
303    }
304}
Note: See TracBrowser for help on using the repository browser.