Context Navigation

source: java/net/deterlab/abac/GENIPrivCredential.java @ c1736fe

abac0-leakabac0-meitvf-new-xml

Last change on this file since c1736fe was c1736fe, checked in by Ted Faber <faber@…>, 11 years ago
Nicer class structure for GENI credentials
Property mode set to `100644`
File size: 10.2 KB

Rev	Line
[dd5d4d9]	1	package net.deterlab.abac;
	2
	3	import java.io.*;
	4	import java.math.*;
	5	import java.text.*;
	6
	7	import java.util.*;
	8	import java.security.*;
	9	import java.security.cert.*;
	10
	11	import javax.security.auth.x500.*;
	12
	13	import javax.xml.parsers.*;
	14	import javax.xml.transform.*;
	15	import javax.xml.transform.dom.*;
	16	import javax.xml.transform.stream.*;
	17
	18	import javax.xml.crypto.*;
	19	import javax.xml.crypto.dsig.*;
	20	import javax.xml.crypto.dsig.dom.*;
	21	import javax.xml.crypto.dsig.keyinfo.*;
	22	import javax.xml.crypto.dsig.spec.*;
	23
	24	import org.xml.sax.*;
	25	import org.w3c.dom.*;
	26
	27	import org.bouncycastle.asn1.*;
	28	import org.bouncycastle.asn1.x509.*;
	29	import org.bouncycastle.x509.*;
	30	import org.bouncycastle.x509.util.*;
	31	import org.bouncycastle.openssl.*;
	32
	33	/**
	34	* An ABAC credential formatted as an abac-type GENI credential.
	35	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
	36	* @version 1.4
	37	*/
	38	public class GENIPrivCredential extends GENICredential {
	39	/**
	40	* Create an empty Credential.
	41	*/
	42	public GENIPrivCredential() {
[7f614c1]	43	super();
[dd5d4d9]	44	doc = null;
	45	}
	46	/**
	47	* Create a credential from a head and tail role. This credential has no
	48	* underlying certificate, and cannot be exported or used in real proofs.
	49	* make_cert can create a certificate for a credential initialized this
	50	* way.
	51	* @param head the Role at the head of the credential
	52	* @param tail the Role at the tail of the credential
	53	*/
[7f614c1]	54	public GENIPrivCredential(Role head, Role tail, Document d, Identity i,
	55	Date e) {
[dd5d4d9]	56	m_head = head;
	57	m_tail = tail;
	58	doc = null;
	59	id = null;
[7f614c1]	60	m_expiration = e;
[dd5d4d9]	61	}
[675770e]	62	/**
	63	* Create a certificate from this credential issued by the given identity
	64	* valid for the given period; these credentials cannot be turned into
	65	* certificates, so this will always throw an exception.
	66	* @param i the Identity that will issue the certificate
	67	* @param validity a long holding the number of seconds that the credential
	68	* is valid for.
	69	* @throws ABACException if xml creation fails
	70	* @throws MissingIssuerException if the issuer is bad
	71	* @throws BadSignatureException if the signature creation fails
	72	*/
	73	public void make_cert(Identity i, long validity)
	74	throws ABACException {
	75	throw new ABACException("Cannot generate a GENIPrivCredential");
	76	}
	77
[dd5d4d9]	78
	79	/**
[675770e]	80	* Create a certificate from this credential issued by the given identity;
	81	* these credentials cannot be turned into certificates, so this will
	82	* always throw an exception.
[dd5d4d9]	83	* @param i the Identity that will issue the certificate
	84	* @throws ABACException if xml creation fails
	85	* @throws MissingIssuerException if the issuer is bad
	86	* @throws BadSignatureException if the signature creation fails
	87	*/
	88	public void make_cert(Identity i)
	89	throws ABACException {
	90	throw new ABACException("Cannot generate a GENIPrivCredential");
	91	}
	92
[484bb5a]	93	/**
	94	* Class that parses a GENI privilege credential into multiple
	95	* GENIPrivCredential objects.
	96	*/
[bd24a1a]	97	static class GENIPrivSpecialization
[dd5d4d9]	98	extends CredentialFactorySpecialization {
	99
[484bb5a]	100	/**
	101	* Extract an identity from a field holding a PEM-encoded x.509
	102	* certificate (for example, owner_gid).
	103	* @param n a Node that has the certificate in its Text Content
	104	* @return the Identity
	105	*/
[dd5d4d9]	106	protected Identity nodeToIdentity(Node n) {
	107	String certStr = null;
	108
	109	if ( ( certStr = n.getTextContent()) == null ) return null;
	110	try {
	111	certStr = "-----BEGIN CERTIFICATE-----\n" +
	112	certStr +
	113	"\n-----END CERTIFICATE-----";
	114	return new Identity(new StringReader(certStr));
	115	}
	116	catch (Exception e) {
	117	return null;
	118	}
	119	}
[484bb5a]	120
	121	/**
	122	* Parses the credential into multiple Objects based on the permissions
	123	* imbued by the credential.
	124	* @param d a Document, the parsed credential
	125	* @param issuer an Identity that signed the credential
	126	* @return an array of GENIPrivCredentials that represent the
	127	* credential
	128	*/
[dd5d4d9]	129	protected Credential[] make_creds(Document d, Identity issuer)
	130	throws ABACException {
	131	Node root = null;
	132	Node credential = null;
	133	Node owner_gid = null;
	134	Node target_gid = null;
	135	Node privileges = null;
	136	Node priv = null;
	137	Identity owner = null;
	138	Identity target = null;
	139	ArrayList<GENIPrivCredential> rv =
	140	new ArrayList<GENIPrivCredential>();
	141
	142
	143	if ( (root = getChildByName(d, "signed-credential")) == null)
	144	throw new CertInvalidException("No signed-credential element");
	145	if ( (credential = getChildByName(root, "credential")) == null )
	146	throw new CertInvalidException("No credential element");
	147	if ( (owner_gid = getChildByName(credential, "owner_gid")) == null )
	148	throw new CertInvalidException("No owner_gid element");
	149	if ((target_gid = getChildByName(credential,"target_gid")) == null )
	150	throw new CertInvalidException("No target_gid element");
	151	if ((privileges = getChildByName(credential,"privileges")) == null )
	152	throw new CertInvalidException("No privileges element");
	153
[2405adf]	154	Date exp = getTime(d, "expires");
	155
	156	if ( exp.before(new Date()))
	157	throw new CertInvalidException("Certificate Expired " + exp);
	158
[dd5d4d9]	159	if ( (owner = nodeToIdentity(owner_gid)) == null)
	160	throw new CertInvalidException("Bad owner_gid element");
	161	if ( (target = nodeToIdentity(target_gid)) == null)
	162	throw new CertInvalidException("Bad target_gid element");
	163
	164	for (Node n = privileges.getFirstChild(); n != null;
	165	n = n.getNextSibling()) {
[30ed647]	166	/* Ignore non-elements and non-privilege elements */
[dd5d4d9]	167	if (n.getNodeType() != Node.ELEMENT_NODE \|\|
[30ed647]	168	!"privilege".equals(n.getNodeName())) continue;
[dd5d4d9]	169	Node name = null;
	170	Node can_delegate = null;
	171	boolean cd = false;
	172	String cds = null;
	173	String pname = null;
	174
	175	if ( (name = getChildByName(n, "name")) == null)
	176	throw new CertInvalidException("No privilege name");
	177
	178	if ((can_delegate = getChildByName(n, "can_delegate")) == null)
	179	throw new CertInvalidException("No privilege delegate");
	180
	181	if ( (pname = name.getTextContent()) == null)
	182	throw new CertInvalidException("No privilege name text");
[6bf703b0]	183	if ((cds = can_delegate.getTextContent()) == null)
[dd5d4d9]	184	throw new CertInvalidException("No delegate text");
	185	cd = cds.equals("1") \|\| cds.equals("true");
	186
[484bb5a]	187	/* First privilege includes the basic speaks for defintion
	188	* for this owner */
[dd5d4d9]	189	if ( rv.isEmpty() ) {
	190	rv.add(new GENIPrivCredential(
	191	new Role(issuer.getKeyID() + ".speaks_for_" +
	192	owner.getKeyID()),
[7f614c1]	193	new Role(owner.getKeyID()), d, issuer, exp));
[dd5d4d9]	194	rv.add(new GENIPrivCredential(
	195	new Role(issuer.getKeyID() + ".speaks_for_" +
	196	owner.getKeyID()),
	197	new Role(owner.getKeyID() + ".speaks_for_" +
[7f614c1]	198	owner.getKeyID()), d, issuer, exp));
[dd5d4d9]	199	}
[484bb5a]	200
	201	/* The privilege itself */
[dd5d4d9]	202	rv.add(new GENIPrivCredential(
	203	new Role(issuer.getKeyID() + "." + pname + "_" +
	204	target.getKeyID()),
	205	new Role(issuer.getKeyID() + ".speaks_for_" +
[7f614c1]	206	owner.getKeyID()), d, issuer, exp));
[dd5d4d9]	207	if (cd ) {
[484bb5a]	208	/* The rules for delegation, if necessary */
[dd5d4d9]	209	rv.add(new GENIPrivCredential(
	210	new Role(issuer.getKeyID() + "." + pname +
	211	"_" + target.getKeyID()),
	212	new Role(issuer.getKeyID() + ".can_delegate_"
	213	+ pname + "_" + target.getKeyID() +
	214	"." + pname + "_" + target.getKeyID()),
[7f614c1]	215	d, issuer, exp));
[dd5d4d9]	216	rv.add(new GENIPrivCredential(
	217	new Role(issuer.getKeyID() +
	218	".can_delegate_" + pname),
[7f614c1]	219	new Role(owner.getKeyID()), d, issuer, exp));
[dd5d4d9]	220	}
	221	}
	222	return rv.toArray(new Credential[rv.size()]);
	223	}
	224
[484bb5a]	225	/**
	226	* Parse the credential into multiple GENIPrivCredentials that encode
	227	* its semantics.
	228	* @param is an InputStream containing the credentals
	229	* @param ids a Collection of Identities to use in validation
	230	* @return an array of GENIPrivCredentials that represent the
	231	* credential
	232	* @throws CertInvalidException if the stream is unparsable
	233	* @throws MissingIssuerException if none of the Identities can
	234	* validate the certificate
	235	* @throws BadSignatureException if the signature check fails
	236	*/
[dd5d4d9]	237	public Credential[] parseCredential(InputStream is,
	238	Collection<Identity> ids) throws ABACException {
	239	try {
	240	Document d = read_certificate(is);
	241	XMLSignatureFactory fac =
	242	XMLSignatureFactory.getInstance("DOM");
	243	NodeList nl = d.getElementsByTagNameNS(XMLSignature.XMLNS,
	244	"Signature");
	245	DOMValidateContext valContext = null;
	246	XMLSignature signature = null;
	247	Identity lid = null;
	248
	249
	250	if (nl.getLength() == 0)
	251	throw new CertInvalidException(
	252	"Cannot find Signature element");
	253
	254	setIDAttrs(d);
	255	valContext = new DOMValidateContext(new X509KeySelector(),
	256	nl.item(0));
	257	if ( valContext == null )
	258	throw new ABACException("No validation context!?");
	259
	260	signature = fac.unmarshalXMLSignature(valContext);
	261	if (signature == null)
	262	throw new BadSignatureException(
	263	"Cannot unmarshal signature");
	264
	265	if (!signature.validate(valContext))
	266	throw new BadSignatureException("bad signature");
	267
	268	lid = getIdentity(nl.item(0));
	269
	270	if ( !ids.contains(lid) ) ids.add(lid);
	271
[6bf703b0]	272	return make_creds(d, lid);
[dd5d4d9]	273	}
	274	catch (ABACException ae) {
	275	throw ae;
	276	}
	277	catch (Exception e) {
	278	throw new BadSignatureException(e.getMessage(), e);
	279	}
	280	}
	281
[484bb5a]	282	/**
	283	* One cannot create a GENIPrivCredential to encodes a single arbitrary
	284	* head and tail, so this always fails.
	285	* @param head a Role to encode
	286	* @param tail a Role to encode
	287	*/
[dd5d4d9]	288	public Credential generateCredential(Role head, Role tail) {
	289	return null;
	290	}
	291	};
	292
[c1736fe]	293	/**
	294	* These credentials are parsed in the specialization, so load_roles is
	295	* not used.
	296	* @throws CertInvalidException never
	297	*/
	298	protected void load_roles() throws CertInvalidException { }
	299
	300
	301	/**
	302	* These credentials are never baked so make_rt0_content is
	303	* not used.
	304	* @return a Node, the place to attach signatures
	305	* @throws ABACException never
	306	*/
	307	protected Node make_rt0_content(long validity) throws ABACException {
	308	return null;
	309	}
	310
[dd5d4d9]	311	/**
[484bb5a]	312	* Return a CredentialCredentialFactorySpecialization for
	313	* GENIPrivCredentials. Used by the CredentialFactory to parse these kind
	314	* of credentials.
[dd5d4d9]	315	* @return a CredentialFactorySpecialization for this kind of credential.
	316	*/
	317	static public CredentialFactorySpecialization
	318	getCredentialFactorySpecialization() {
	319	return new GENIPrivSpecialization();
	320	}
	321	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: