Context Navigation

source: java/net/deterlab/abac/GENIPrivCredential.java @ 484bb5a

abac0-leakabac0-meimei-idmei-rt0-nmei_rt0tvf-new-xml

Last change on this file since 484bb5a was 484bb5a, checked in by Ted Faber <faber@…>, 12 years ago
Comments
Property mode set to `100644`
File size: 8.8 KB

Line
1	package net.deterlab.abac;
2
3	import java.io.*;
4	import java.math.*;
5	import java.text.*;
6
7	import java.util.*;
8	import java.security.*;
9	import java.security.cert.*;
10
11	import javax.security.auth.x500.*;
12
13	import javax.xml.parsers.*;
14	import javax.xml.transform.*;
15	import javax.xml.transform.dom.*;
16	import javax.xml.transform.stream.*;
17
18	import javax.xml.crypto.*;
19	import javax.xml.crypto.dsig.*;
20	import javax.xml.crypto.dsig.dom.*;
21	import javax.xml.crypto.dsig.keyinfo.*;
22	import javax.xml.crypto.dsig.spec.*;
23
24	import org.xml.sax.*;
25	import org.w3c.dom.*;
26
27	import org.bouncycastle.asn1.*;
28	import org.bouncycastle.asn1.x509.*;
29	import org.bouncycastle.x509.*;
30	import org.bouncycastle.x509.util.*;
31	import org.bouncycastle.openssl.*;
32
33	/**
34	* An ABAC credential formatted as an abac-type GENI credential.
35	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
36	* @version 1.4
37	*/
38	public class GENIPrivCredential extends GENICredential {
39	/**
40	* Create an empty Credential.
41	*/
42	public GENIPrivCredential() {
43	m_head = m_tail = null;
44	doc = null;
45	id = null;
46	}
47	/**
48	* Create a credential from a head and tail role. This credential has no
49	* underlying certificate, and cannot be exported or used in real proofs.
50	* make_cert can create a certificate for a credential initialized this
51	* way.
52	* @param head the Role at the head of the credential
53	* @param tail the Role at the tail of the credential
54	*/
55	public GENIPrivCredential(Role head, Role tail, Document d, Identity i) {
56	m_head = head;
57	m_tail = tail;
58	doc = null;
59	id = null;
60	}
61
62	/**
63	* Create a certificate from this credential issued by the given identity.
64	* This is the signed XML ABAC credential.
65	* @param i the Identity that will issue the certificate
66	* @throws ABACException if xml creation fails
67	* @throws MissingIssuerException if the issuer is bad
68	* @throws BadSignatureException if the signature creation fails
69	*/
70	public void make_cert(Identity i)
71	throws ABACException {
72	throw new ABACException("Cannot generate a GENIPrivCredential");
73	}
74
75	/**
76	* Class that parses a GENI privilege credential into multiple
77	* GENIPrivCredential objects.
78	*/
79	static public class GENIPrivSpecialization
80	extends CredentialFactorySpecialization {
81
82	/**
83	* Extract an identity from a field holding a PEM-encoded x.509
84	* certificate (for example, owner_gid).
85	* @param n a Node that has the certificate in its Text Content
86	* @return the Identity
87	*/
88	protected Identity nodeToIdentity(Node n) {
89	String certStr = null;
90
91	if ( ( certStr = n.getTextContent()) == null ) return null;
92	try {
93	certStr = "-----BEGIN CERTIFICATE-----\n" +
94	certStr +
95	"\n-----END CERTIFICATE-----";
96	return new Identity(new StringReader(certStr));
97	}
98	catch (Exception e) {
99	return null;
100	}
101	}
102
103	/**
104	* Parses the credential into multiple Objects based on the permissions
105	* imbued by the credential.
106	* @param d a Document, the parsed credential
107	* @param issuer an Identity that signed the credential
108	* @return an array of GENIPrivCredentials that represent the
109	* credential
110	*/
111	protected Credential[] make_creds(Document d, Identity issuer)
112	throws ABACException {
113	Node root = null;
114	Node credential = null;
115	Node owner_gid = null;
116	Node target_gid = null;
117	Node privileges = null;
118	Node priv = null;
119	Identity owner = null;
120	Identity target = null;
121	ArrayList<GENIPrivCredential> rv =
122	new ArrayList<GENIPrivCredential>();
123
124
125	if ( (root = getChildByName(d, "signed-credential")) == null)
126	throw new CertInvalidException("No signed-credential element");
127	if ( (credential = getChildByName(root, "credential")) == null )
128	throw new CertInvalidException("No credential element");
129	if ( (owner_gid = getChildByName(credential, "owner_gid")) == null )
130	throw new CertInvalidException("No owner_gid element");
131	if ((target_gid = getChildByName(credential,"target_gid")) == null )
132	throw new CertInvalidException("No target_gid element");
133	if ((privileges = getChildByName(credential,"privileges")) == null )
134	throw new CertInvalidException("No privileges element");
135
136	if ( (owner = nodeToIdentity(owner_gid)) == null)
137	throw new CertInvalidException("Bad owner_gid element");
138	if ( (target = nodeToIdentity(target_gid)) == null)
139	throw new CertInvalidException("Bad target_gid element");
140
141	for (Node n = privileges.getFirstChild(); n != null;
142	n = n.getNextSibling()) {
143	if (n.getNodeType() != Node.ELEMENT_NODE \|\|
144	!"privilege".equals(n.getNodeName()))
145	throw new CertInvalidException(
146	"Child of privileges not privilege?");
147	Node name = null;
148	Node can_delegate = null;
149	boolean cd = false;
150	String cds = null;
151	String pname = null;
152
153	if ( (name = getChildByName(n, "name")) == null)
154	throw new CertInvalidException("No privilege name");
155
156	if ((can_delegate = getChildByName(n, "can_delegate")) == null)
157	throw new CertInvalidException("No privilege delegate");
158
159	if ( (pname = name.getTextContent()) == null)
160	throw new CertInvalidException("No privilege name text");
161	if ((cds = can_delegate.getTextContent()) == null)
162	throw new CertInvalidException("No delegate text");
163	cd = cds.equals("1") \|\| cds.equals("true");
164
165	/* First privilege includes the basic speaks for defintion
166	* for this owner */
167	if ( rv.isEmpty() ) {
168	rv.add(new GENIPrivCredential(
169	new Role(issuer.getKeyID() + ".speaks_for_" +
170	owner.getKeyID()),
171	new Role(owner.getKeyID()), d, issuer));
172	rv.add(new GENIPrivCredential(
173	new Role(issuer.getKeyID() + ".speaks_for_" +
174	owner.getKeyID()),
175	new Role(owner.getKeyID() + ".speaks_for_" +
176	owner.getKeyID()), d, issuer));
177	}
178
179	/* The privilege itself */
180	rv.add(new GENIPrivCredential(
181	new Role(issuer.getKeyID() + "." + pname + "_" +
182	target.getKeyID()),
183	new Role(issuer.getKeyID() + ".speaks_for_" +
184	owner.getKeyID()), d, issuer));
185	if (cd ) {
186	/* The rules for delegation, if necessary */
187	rv.add(new GENIPrivCredential(
188	new Role(issuer.getKeyID() + "." + pname +
189	"_" + target.getKeyID()),
190	new Role(issuer.getKeyID() + ".can_delegate_"
191	+ pname + "_" + target.getKeyID() +
192	"." + pname + "_" + target.getKeyID()),
193	d, issuer));
194	rv.add(new GENIPrivCredential(
195	new Role(issuer.getKeyID() +
196	".can_delegate_" + pname),
197	new Role(owner.getKeyID()), d, issuer));
198	}
199	}
200	return rv.toArray(new Credential[rv.size()]);
201	}
202
203	/**
204	* Parse the credential into multiple GENIPrivCredentials that encode
205	* its semantics.
206	* @param is an InputStream containing the credentals
207	* @param ids a Collection of Identities to use in validation
208	* @return an array of GENIPrivCredentials that represent the
209	* credential
210	* @throws CertInvalidException if the stream is unparsable
211	* @throws MissingIssuerException if none of the Identities can
212	* validate the certificate
213	* @throws BadSignatureException if the signature check fails
214	*/
215	public Credential[] parseCredential(InputStream is,
216	Collection<Identity> ids) throws ABACException {
217	try {
218	Document d = read_certificate(is);
219	XMLSignatureFactory fac =
220	XMLSignatureFactory.getInstance("DOM");
221	NodeList nl = d.getElementsByTagNameNS(XMLSignature.XMLNS,
222	"Signature");
223	DOMValidateContext valContext = null;
224	XMLSignature signature = null;
225	Identity lid = null;
226
227
228	if (nl.getLength() == 0)
229	throw new CertInvalidException(
230	"Cannot find Signature element");
231
232	setIDAttrs(d);
233	valContext = new DOMValidateContext(new X509KeySelector(),
234	nl.item(0));
235	if ( valContext == null )
236	throw new ABACException("No validation context!?");
237
238	signature = fac.unmarshalXMLSignature(valContext);
239	if (signature == null)
240	throw new BadSignatureException(
241	"Cannot unmarshal signature");
242
243	if (!signature.validate(valContext))
244	throw new BadSignatureException("bad signature");
245
246	lid = getIdentity(nl.item(0));
247
248	if ( !ids.contains(lid) ) ids.add(lid);
249
250	return make_creds(d, lid);
251	}
252	catch (ABACException ae) {
253	throw ae;
254	}
255	catch (Exception e) {
256	throw new BadSignatureException(e.getMessage(), e);
257	}
258	}
259
260	/**
261	* One cannot create a GENIPrivCredential to encodes a single arbitrary
262	* head and tail, so this always fails.
263	* @param head a Role to encode
264	* @param tail a Role to encode
265	*/
266	public Credential generateCredential(Role head, Role tail) {
267	return null;
268	}
269	};
270
271	/**
272	* Return a CredentialCredentialFactorySpecialization for
273	* GENIPrivCredentials. Used by the CredentialFactory to parse these kind
274	* of credentials.
275	* @return a CredentialFactorySpecialization for this kind of credential.
276	*/
277	static public CredentialFactorySpecialization
278	getCredentialFactorySpecialization() {
279	return new GENIPrivSpecialization();
280	}
281	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: