Context Navigation

source: java/net/deterlab/abac/GENIPrivCredential.java @ 6bf703b0

abac0-leakabac0-meimei-idmei-rt0-nmei_rt0tvf-new-xml

Last change on this file since 6bf703b0 was 6bf703b0, checked in by Ted Faber <faber@…>, 12 years ago
Add GENIProv parsing works
Property mode set to `100644`
File size: 7.4 KB

Line
1	package net.deterlab.abac;
2
3	import java.io.*;
4	import java.math.*;
5	import java.text.*;
6
7	import java.util.*;
8	import java.security.*;
9	import java.security.cert.*;
10
11	import javax.security.auth.x500.*;
12
13	import javax.xml.parsers.*;
14	import javax.xml.transform.*;
15	import javax.xml.transform.dom.*;
16	import javax.xml.transform.stream.*;
17
18	import javax.xml.crypto.*;
19	import javax.xml.crypto.dsig.*;
20	import javax.xml.crypto.dsig.dom.*;
21	import javax.xml.crypto.dsig.keyinfo.*;
22	import javax.xml.crypto.dsig.spec.*;
23
24	import org.xml.sax.*;
25	import org.w3c.dom.*;
26
27	import org.bouncycastle.asn1.*;
28	import org.bouncycastle.asn1.x509.*;
29	import org.bouncycastle.x509.*;
30	import org.bouncycastle.x509.util.*;
31	import org.bouncycastle.openssl.*;
32
33	/**
34	* An ABAC credential formatted as an abac-type GENI credential.
35	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
36	* @version 1.4
37	*/
38	public class GENIPrivCredential extends GENICredential {
39	/**
40	* Create an empty Credential.
41	*/
42	public GENIPrivCredential() {
43	m_head = m_tail = null;
44	doc = null;
45	id = null;
46	}
47	/**
48	* Create a credential from a head and tail role. This credential has no
49	* underlying certificate, and cannot be exported or used in real proofs.
50	* make_cert can create a certificate for a credential initialized this
51	* way.
52	* @param head the Role at the head of the credential
53	* @param tail the Role at the tail of the credential
54	*/
55	public GENIPrivCredential(Role head, Role tail, Document d, Identity i) {
56	m_head = head;
57	m_tail = tail;
58	doc = null;
59	id = null;
60	}
61
62	/**
63	* Create a certificate from this credential issued by the given identity.
64	* This is the signed XML ABAC credential.
65	* @param i the Identity that will issue the certificate
66	* @throws ABACException if xml creation fails
67	* @throws MissingIssuerException if the issuer is bad
68	* @throws BadSignatureException if the signature creation fails
69	*/
70	public void make_cert(Identity i)
71	throws ABACException {
72	throw new ABACException("Cannot generate a GENIPrivCredential");
73	}
74
75	static public class GENIPrivSpecialization
76	extends CredentialFactorySpecialization {
77
78	protected Identity nodeToIdentity(Node n) {
79	String certStr = null;
80
81	if ( ( certStr = n.getTextContent()) == null ) return null;
82	try {
83	certStr = "-----BEGIN CERTIFICATE-----\n" +
84	certStr +
85	"\n-----END CERTIFICATE-----";
86	return new Identity(new StringReader(certStr));
87	}
88	catch (Exception e) {
89	return null;
90	}
91	}
92	protected Credential[] make_creds(Document d, Identity issuer)
93	throws ABACException {
94	Node root = null;
95	Node credential = null;
96	Node owner_gid = null;
97	Node target_gid = null;
98	Node privileges = null;
99	Node priv = null;
100	Identity owner = null;
101	Identity target = null;
102	ArrayList<GENIPrivCredential> rv =
103	new ArrayList<GENIPrivCredential>();
104
105
106	if ( (root = getChildByName(d, "signed-credential")) == null)
107	throw new CertInvalidException("No signed-credential element");
108	if ( (credential = getChildByName(root, "credential")) == null )
109	throw new CertInvalidException("No credential element");
110	if ( (owner_gid = getChildByName(credential, "owner_gid")) == null )
111	throw new CertInvalidException("No owner_gid element");
112	if ((target_gid = getChildByName(credential,"target_gid")) == null )
113	throw new CertInvalidException("No target_gid element");
114	if ((privileges = getChildByName(credential,"privileges")) == null )
115	throw new CertInvalidException("No privileges element");
116
117	if ( (owner = nodeToIdentity(owner_gid)) == null)
118	throw new CertInvalidException("Bad owner_gid element");
119	if ( (target = nodeToIdentity(target_gid)) == null)
120	throw new CertInvalidException("Bad target_gid element");
121
122	for (Node n = privileges.getFirstChild(); n != null;
123	n = n.getNextSibling()) {
124	if (n.getNodeType() != Node.ELEMENT_NODE \|\|
125	!"privilege".equals(n.getNodeName()))
126	throw new CertInvalidException(
127	"Child of privileges not privilege?");
128	Node name = null;
129	Node can_delegate = null;
130	boolean cd = false;
131	String cds = null;
132	String pname = null;
133
134	if ( (name = getChildByName(n, "name")) == null)
135	throw new CertInvalidException("No privilege name");
136
137	if ((can_delegate = getChildByName(n, "can_delegate")) == null)
138	throw new CertInvalidException("No privilege delegate");
139
140	if ( (pname = name.getTextContent()) == null)
141	throw new CertInvalidException("No privilege name text");
142	if ((cds = can_delegate.getTextContent()) == null)
143	throw new CertInvalidException("No delegate text");
144	cd = cds.equals("1") \|\| cds.equals("true");
145
146	if ( rv.isEmpty() ) {
147	rv.add(new GENIPrivCredential(
148	new Role(issuer.getKeyID() + ".speaks_for_" +
149	owner.getKeyID()),
150	new Role(owner.getKeyID()), d, issuer));
151	rv.add(new GENIPrivCredential(
152	new Role(issuer.getKeyID() + ".speaks_for_" +
153	owner.getKeyID()),
154	new Role(owner.getKeyID() + ".speaks_for_" +
155	owner.getKeyID()), d, issuer));
156	}
157	rv.add(new GENIPrivCredential(
158	new Role(issuer.getKeyID() + "." + pname + "_" +
159	target.getKeyID()),
160	new Role(issuer.getKeyID() + ".speaks_for_" +
161	owner.getKeyID()), d, issuer));
162	if (cd ) {
163	rv.add(new GENIPrivCredential(
164	new Role(issuer.getKeyID() + "." + pname +
165	"_" + target.getKeyID()),
166	new Role(issuer.getKeyID() + ".can_delegate_"
167	+ pname + "_" + target.getKeyID() +
168	"." + pname + "_" + target.getKeyID()),
169	d, issuer));
170	rv.add(new GENIPrivCredential(
171	new Role(issuer.getKeyID() +
172	".can_delegate_" + pname),
173	new Role(owner.getKeyID()), d, issuer));
174	}
175	}
176	return rv.toArray(new Credential[rv.size()]);
177	}
178
179	public Credential[] parseCredential(InputStream is,
180	Collection<Identity> ids) throws ABACException {
181	try {
182	Document d = read_certificate(is);
183	XMLSignatureFactory fac =
184	XMLSignatureFactory.getInstance("DOM");
185	NodeList nl = d.getElementsByTagNameNS(XMLSignature.XMLNS,
186	"Signature");
187	DOMValidateContext valContext = null;
188	XMLSignature signature = null;
189	Identity lid = null;
190
191
192	if (nl.getLength() == 0)
193	throw new CertInvalidException(
194	"Cannot find Signature element");
195
196	setIDAttrs(d);
197	valContext = new DOMValidateContext(new X509KeySelector(),
198	nl.item(0));
199	if ( valContext == null )
200	throw new ABACException("No validation context!?");
201
202	signature = fac.unmarshalXMLSignature(valContext);
203	if (signature == null)
204	throw new BadSignatureException(
205	"Cannot unmarshal signature");
206
207	if (!signature.validate(valContext))
208	throw new BadSignatureException("bad signature");
209
210	lid = getIdentity(nl.item(0));
211
212	if ( !ids.contains(lid) ) ids.add(lid);
213
214	return make_creds(d, lid);
215	}
216	catch (ABACException ae) {
217	throw ae;
218	}
219	catch (Exception e) {
220	throw new BadSignatureException(e.getMessage(), e);
221	}
222	}
223
224	public Credential generateCredential(Role head, Role tail) {
225	return null;
226	}
227	};
228
229	/**
230	* Return a CredentialCredentialFactorySpecialization for GENICredentials.
231	* Used by the CredentialFactory to parse and generate these kind of
232	* credentials. It basically wraps constuctor calls.
233	* @return a CredentialFactorySpecialization for this kind of credential.
234	*/
235	static public CredentialFactorySpecialization
236	getCredentialFactorySpecialization() {
237	return new GENIPrivSpecialization();
238	}
239	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: