Context Navigation

source: java/net/deterlab/abac/GENIPrivCredential.java @ 79f516b

abac0-leakabac0-meitvf-new-xml

Last change on this file since 79f516b was 79f516b, checked in by Ted Faber <faber@…>, 11 years ago
Properly read nicknames from creds
Property mode set to `100644`
File size: 10.3 KB

Line
1	package net.deterlab.abac;
2
3	import java.io.*;
4	import java.math.*;
5	import java.text.*;
6
7	import java.util.*;
8	import java.security.*;
9	import java.security.cert.*;
10
11	import javax.security.auth.x500.*;
12
13	import javax.xml.parsers.*;
14	import javax.xml.transform.*;
15	import javax.xml.transform.dom.*;
16	import javax.xml.transform.stream.*;
17
18	import javax.xml.crypto.*;
19	import javax.xml.crypto.dsig.*;
20	import javax.xml.crypto.dsig.dom.*;
21	import javax.xml.crypto.dsig.keyinfo.*;
22	import javax.xml.crypto.dsig.spec.*;
23
24	import org.xml.sax.*;
25	import org.w3c.dom.*;
26
27	import org.bouncycastle.asn1.*;
28	import org.bouncycastle.asn1.x509.*;
29	import org.bouncycastle.x509.*;
30	import org.bouncycastle.x509.util.*;
31	import org.bouncycastle.openssl.*;
32
33	/**
34	* An ABAC credential formatted as an abac-type GENI credential.
35	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
36	* @version 1.4
37	*/
38	public class GENIPrivCredential extends GENICredential {
39	/**
40	* Create an empty Credential.
41	*/
42	public GENIPrivCredential() {
43	super();
44	doc = null;
45	}
46	/**
47	* Create a credential from a head and tail role. This credential has no
48	* underlying certificate, and cannot be exported or used in real proofs.
49	* make_cert can create a certificate for a credential initialized this
50	* way.
51	* @param head the Role at the head of the credential
52	* @param tail the Role at the tail of the credential
53	*/
54	public GENIPrivCredential(Role head, Role tail, Document d, Identity i,
55	Date e) {
56	m_head = head;
57	m_tail = tail;
58	doc = null;
59	id = null;
60	m_expiration = e;
61	}
62	/**
63	* Create a certificate from this credential issued by the given identity
64	* valid for the given period; these credentials cannot be turned into
65	* certificates, so this will always throw an exception.
66	* @param i the Identity that will issue the certificate
67	* @param validity a long holding the number of seconds that the credential
68	* is valid for.
69	* @throws ABACException if xml creation fails
70	* @throws MissingIssuerException if the issuer is bad
71	* @throws BadSignatureException if the signature creation fails
72	*/
73	public void make_cert(Identity i, long validity)
74	throws ABACException {
75	throw new ABACException("Cannot generate a GENIPrivCredential");
76	}
77
78
79	/**
80	* Create a certificate from this credential issued by the given identity;
81	* these credentials cannot be turned into certificates, so this will
82	* always throw an exception.
83	* @param i the Identity that will issue the certificate
84	* @throws ABACException if xml creation fails
85	* @throws MissingIssuerException if the issuer is bad
86	* @throws BadSignatureException if the signature creation fails
87	*/
88	public void make_cert(Identity i)
89	throws ABACException {
90	throw new ABACException("Cannot generate a GENIPrivCredential");
91	}
92
93	/**
94	* Class that parses a GENI privilege credential into multiple
95	* GENIPrivCredential objects.
96	*/
97	static class GENIPrivSpecialization
98	extends CredentialFactorySpecialization {
99
100	/**
101	* Extract an identity from a field holding a PEM-encoded x.509
102	* certificate (for example, owner_gid).
103	* @param n a Node that has the certificate in its Text Content
104	* @return the Identity
105	*/
106	protected Identity nodeToIdentity(Node n) {
107	String certStr = null;
108
109	if ( ( certStr = n.getTextContent()) == null ) return null;
110	try {
111	certStr = "-----BEGIN CERTIFICATE-----\n" +
112	certStr +
113	"\n-----END CERTIFICATE-----";
114	return new Identity(new StringReader(certStr));
115	}
116	catch (Exception e) {
117	return null;
118	}
119	}
120
121	/**
122	* Parses the credential into multiple Objects based on the permissions
123	* imbued by the credential.
124	* @param d a Document, the parsed credential
125	* @param issuer an Identity that signed the credential
126	* @return an array of GENIPrivCredentials that represent the
127	* credential
128	*/
129	protected Credential[] make_creds(Document d, Identity issuer)
130	throws ABACException {
131	Node root = null;
132	Node credential = null;
133	Node owner_gid = null;
134	Node target_gid = null;
135	Node privileges = null;
136	Node priv = null;
137	Identity owner = null;
138	Identity target = null;
139	ArrayList<GENIPrivCredential> rv =
140	new ArrayList<GENIPrivCredential>();
141
142
143	if ( (root = getChildByName(d, "signed-credential")) == null)
144	throw new CertInvalidException("No signed-credential element");
145	if ( (credential = getChildByName(root, "credential")) == null )
146	throw new CertInvalidException("No credential element");
147	if ( (owner_gid = getChildByName(credential, "owner_gid")) == null )
148	throw new CertInvalidException("No owner_gid element");
149	if ((target_gid = getChildByName(credential,"target_gid")) == null )
150	throw new CertInvalidException("No target_gid element");
151	if ((privileges = getChildByName(credential,"privileges")) == null )
152	throw new CertInvalidException("No privileges element");
153
154	Date exp = getTime(d, "expires");
155
156	if ( exp.before(new Date()))
157	throw new CertInvalidException("Certificate Expired " + exp);
158
159	if ( (owner = nodeToIdentity(owner_gid)) == null)
160	throw new CertInvalidException("Bad owner_gid element");
161	if ( (target = nodeToIdentity(target_gid)) == null)
162	throw new CertInvalidException("Bad target_gid element");
163
164	for (Node n = privileges.getFirstChild(); n != null;
165	n = n.getNextSibling()) {
166	/* Ignore non-elements and non-privilege elements */
167	if (n.getNodeType() != Node.ELEMENT_NODE \|\|
168	!"privilege".equals(n.getNodeName())) continue;
169	Node name = null;
170	Node can_delegate = null;
171	boolean cd = false;
172	String cds = null;
173	String pname = null;
174
175	if ( (name = getChildByName(n, "name")) == null)
176	throw new CertInvalidException("No privilege name");
177
178	if ((can_delegate = getChildByName(n, "can_delegate")) == null)
179	throw new CertInvalidException("No privilege delegate");
180
181	if ( (pname = name.getTextContent()) == null)
182	throw new CertInvalidException("No privilege name text");
183	if ((cds = can_delegate.getTextContent()) == null)
184	throw new CertInvalidException("No delegate text");
185	cd = cds.equals("1") \|\| cds.equals("true");
186
187	/* First privilege includes the basic speaks for defintion
188	* for this owner */
189	if ( rv.isEmpty() ) {
190	rv.add(new GENIPrivCredential(
191	new Role(issuer.getKeyID() + ".speaks_for_" +
192	owner.getKeyID()),
193	new Role(owner.getKeyID()), d, issuer, exp));
194	rv.add(new GENIPrivCredential(
195	new Role(issuer.getKeyID() + ".speaks_for_" +
196	owner.getKeyID()),
197	new Role(owner.getKeyID() + ".speaks_for_" +
198	owner.getKeyID()), d, issuer, exp));
199	}
200
201	/* The privilege itself */
202	rv.add(new GENIPrivCredential(
203	new Role(issuer.getKeyID() + "." + pname + "_" +
204	target.getKeyID()),
205	new Role(issuer.getKeyID() + ".speaks_for_" +
206	owner.getKeyID()), d, issuer, exp));
207	if (cd ) {
208	/* The rules for delegation, if necessary */
209	rv.add(new GENIPrivCredential(
210	new Role(issuer.getKeyID() + "." + pname +
211	"_" + target.getKeyID()),
212	new Role(issuer.getKeyID() + ".can_delegate_"
213	+ pname + "_" + target.getKeyID() +
214	"." + pname + "_" + target.getKeyID()),
215	d, issuer, exp));
216	rv.add(new GENIPrivCredential(
217	new Role(issuer.getKeyID() +
218	".can_delegate_" + pname),
219	new Role(owner.getKeyID()), d, issuer, exp));
220	}
221	}
222	return rv.toArray(new Credential[rv.size()]);
223	}
224
225	/**
226	* Parse the credential into multiple GENIPrivCredentials that encode
227	* its semantics.
228	* @param is an InputStream containing the credentals
229	* @param ids a Collection of Identities to use in validation
230	* @return an array of GENIPrivCredentials that represent the
231	* credential
232	* @throws CertInvalidException if the stream is unparsable
233	* @throws MissingIssuerException if none of the Identities can
234	* validate the certificate
235	* @throws BadSignatureException if the signature check fails
236	*/
237	public Credential[] parseCredential(InputStream is,
238	Collection<Identity> ids) throws ABACException {
239	try {
240	Document d = read_certificate(is);
241	XMLSignatureFactory fac =
242	XMLSignatureFactory.getInstance("DOM");
243	NodeList nl = d.getElementsByTagNameNS(XMLSignature.XMLNS,
244	"Signature");
245	DOMValidateContext valContext = null;
246	XMLSignature signature = null;
247	Identity lid = null;
248
249
250	if (nl.getLength() == 0)
251	throw new CertInvalidException(
252	"Cannot find Signature element");
253
254	setIDAttrs(d);
255	valContext = new DOMValidateContext(new X509KeySelector(),
256	nl.item(0));
257	if ( valContext == null )
258	throw new ABACException("No validation context!?");
259
260	signature = fac.unmarshalXMLSignature(valContext);
261	if (signature == null)
262	throw new BadSignatureException(
263	"Cannot unmarshal signature");
264
265	if (!signature.validate(valContext))
266	throw new BadSignatureException("bad signature");
267
268	lid = getIdentity(nl.item(0));
269
270	if ( !ids.contains(lid) ) ids.add(lid);
271
272	return make_creds(d, lid);
273	}
274	catch (ABACException ae) {
275	throw ae;
276	}
277	catch (Exception e) {
278	throw new BadSignatureException(e.getMessage(), e);
279	}
280	}
281
282	/**
283	* One cannot create a GENIPrivCredential to encodes a single arbitrary
284	* head and tail, so this always fails.
285	* @param head a Role to encode
286	* @param tail a Role to encode
287	* @param aliases a KeyIDMap with keyid aliases
288	* @return null
289	*/
290	public Credential generateCredential(Role head, Role tail,
291	KeyIDMap aliases) {
292	return null;
293	}
294	};
295
296	/**
297	* These credentials are parsed in the specialization, so load_roles is
298	* not used.
299	* @throws CertInvalidException never
300	*/
301	protected void load_roles() throws CertInvalidException { }
302
303
304	/**
305	* These credentials are never baked so make_rt0_content is
306	* not used.
307	* @return a Node, the place to attach signatures
308	* @throws ABACException never
309	*/
310	protected Node make_rt0_content(long validity) throws ABACException {
311	return null;
312	}
313
314	/**
315	* Return a CredentialCredentialFactorySpecialization for
316	* GENIPrivCredentials. Used by the CredentialFactory to parse these kind
317	* of credentials.
318	* @return a CredentialFactorySpecialization for this kind of credential.
319	*/
320	static public CredentialFactorySpecialization
321	getCredentialFactorySpecialization() {
322	return new GENIPrivSpecialization();
323	}
324	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: