Context Navigation

source: java/net/deterlab/abac/Identity.java

Last change on this file was 461edba, checked in by Ted Faber <faber@…>, 10 years ago
Clean up javadoc for v8.
Property mode set to `100644`
File size: 15.1 KB

Rev	Line
[9725efb]	1	package net.deterlab.abac;
	2
	3	import java.io.*;
	4
	5	import java.util.*;
	6	import java.security.*;
	7	import java.security.cert.*;
[3a52bed]	8	import javax.security.auth.x500.*;
[9725efb]	9
[3a52bed]	10	import java.math.BigInteger;
[9725efb]	11
	12	import org.bouncycastle.asn1.*;
	13	import org.bouncycastle.asn1.util.*;
	14	import org.bouncycastle.asn1.x509.*;
	15	import org.bouncycastle.x509.*;
[238717d]	16	import org.bouncycastle.openssl.*;
	17
[9725efb]	18
[e36ea1d]	19	/**
	20	* An ABAC identity. An X509 Certificate-encoded public key. The key
	21	* identifier is used as the name of the Identity. This whole class is
	22	* something of a jabac extension.
	23	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
[a1a9a47]	24	* @version 1.5
[e36ea1d]	25	*/
[5cf72cc]	26	public class Identity implements Comparable {
[3f928b0]	27	/** Default validity period (in seconds) */
	28	static public long defaultValidity = 3600L * 24L * 365L;
[e36ea1d]	29	/** The underlying X509 certificate. */
	30	protected X509Certificate cert;
	31	/** The public key id used as this principal's name */
	32	protected String keyid;
	33	/** The common name in the certificate, used as a mnemonic */
	34	protected String cn;
	35	/** The keypair, if any, used to sign for this Identity */
	36	protected KeyPair kp;
[3f928b0]	37	/** The expiration for this Identity */
	38	protected Date expiration;
[9725efb]	39
[238717d]	40	/** Make sure BouncyCastle is loaded */
	41	static { Context.loadBouncyCastle(); }
	42
[1a7e6d3]	43	/**
[e36ea1d]	44	* Initialize from PEM cert in a reader. Use a PEMReader to get
	45	* the certificate, and call init(cert) on it.
	46	* @param r a Reader containing the certificate
[7ebf16d]	47	* @throws CertInvalidException if the stream is unparsable
	48	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	49	* certificate
[7ebf16d]	50	* @throws BadSignatureException if the signature check fails
	51	* @throws ABACException if an uncategorized error occurs
[1a7e6d3]	52	*/
[7ebf16d]	53	protected void init(Reader r) throws ABACException {
[42ca4b8]	54	PEMReader pr = new PEMReader(r);
	55	Object c = null;
	56
[7ebf16d]	57	try {
	58	while ( ( c= pr.readObject()) != null ){
	59
	60	if (c instanceof X509Certificate) {
	61	if ( cn == null )
	62	init((X509Certificate)c);
	63	else
	64	throw new CertInvalidException("Two certs in one");
	65	}
	66	else if (c instanceof KeyPair) setKeyPair((KeyPair)c);
	67	else
	68	throw new CertInvalidException(
	69	"Not an identity certificate");
[42ca4b8]	70	}
[7ebf16d]	71	}
	72	catch (IOException e) {
	73	throw new CertInvalidException(e.getMessage(), e);
[42ca4b8]	74	}
[f31432f]	75	// If there's nothing for the PEM reader to parse, the cert is invalid.
	76	if (cn == null)
[7ebf16d]	77	throw new CertInvalidException("Not an identity certificate");
[8a14e37]	78	}
	79
	80	/**
[e36ea1d]	81	* Initialize internals from cert. Confirm it is self signed, and then
	82	* the keyid and common name. There's some work to get this stuff, but
	83	* it's all an incantation of getting the right classes to get the right
	84	* data. Looks more complex than it is.
	85	* @param c an X509Certificate to init from
[7ebf16d]	86	* @throws CertInvalidException if the stream is unparsable
	87	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	88	* certificate
[7ebf16d]	89	* @throws BadSignatureException if the signature check fails
	90	* @throws ABACException if an uncategorized error occurs
[8a14e37]	91	*/
[7ebf16d]	92	protected void init(X509Certificate c) throws ABACException {
	93	cert = (X509Certificate) c;
	94	try {
[0595372]	95	cert.verify(cert.getPublicKey());
[7ebf16d]	96	}
	97	catch (SignatureException e) {
[fbdd2d1]	98	// XXX: the cert is not signed by the key we provided. Right now
	99	// we check each cert as if it were self-signed. Other signing
	100	// strategies are allowed here by default. We expect outside
	101	// sources to validate ID certs if they expect different chains of
[7ebf16d]	102	}
	103	catch (CertificateException e) {
	104	throw new CertInvalidException(e.getMessage(), e);
	105	}
[4bd50f4]	106	catch (InvalidKeyException e) {
	107	// XXX: the cert is not signed by the key we provided. Right now
	108	// we check each cert as if it were self-signed. Other signing
	109	// strategies are allowed here by default. We expect outside
	110	// sources to validate ID certs if they expect different chains of
	111	// trust.
	112	}
[7ebf16d]	113	catch (GeneralSecurityException e) {
	114	throw new ABACException(e.getMessage(), e);
	115	}
[081eabc]	116
	117	// So far so good. Check the validity (dates)
	118	try {
	119	cert.checkValidity();
	120	}
	121	catch (CertificateException e) {
	122	// Validity exceprions are derived from CertificateExceptions
	123	throw new CertInvalidException(e.getMessage(), e);
	124	}
	125
[7ebf16d]	126	// Cert is valid, fill in the CN and keyid
	127	keyid = Context.extractKeyID(cert.getPublicKey());
	128	cn = cert.getSubjectDN().getName();
	129	expiration = cert.getNotAfter();
	130	/// XXX: better parse
	131	if (cn.startsWith("CN=")) cn = cn.substring(3);
[9725efb]	132	}
	133
[1a7e6d3]	134	/**
[81c80b9]	135	* Construct from a string, used as a CN. Keys are generated. If signer
	136	* and signingKey are given, sign the certificate with them. If neither is
	137	* given, self sign it. If one is given and not the other, throw an
	138	* ABACException.
[e36ea1d]	139	* @param cn a String containing the menomnic name
[3f928b0]	140	* @param validity a long containing the validity period (in seconds)
[81c80b9]	141	* @param signer an X509Certificate that is signing the Identity
	142	* @param signingKey the key with which to sign
[7ebf16d]	143	* @throws CertInvalidException if the stream is unparsable
	144	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	145	* certificate
[7ebf16d]	146	* @throws BadSignatureException if the signature check fails
	147	* @throws ABACException if an uncategorized error occurs
[1a7e6d3]	148	*/
[81c80b9]	149	public Identity(String cn, long validity, X509Certificate signer,
	150	PrivateKey signingKey)
	151	throws ABACException {
	152
	153	if ( (signer != null && signingKey == null) \|\|
	154	(signer == null && signingKey != null) )
	155	throw new ABACException("Both signer and signingKey must be "+
	156	"given or neither");
	157
[3a52bed]	158	X509V1CertificateGenerator gen = new X509V1CertificateGenerator();
[7ebf16d]	159	try {
	160	kp = KeyPairGenerator.getInstance("RSA").genKeyPair();
	161	}
	162	catch (NoSuchAlgorithmException e) {
	163	throw new ABACException(e.getMessage(), e);
	164	}
	165	X509Certificate a = null;
[81c80b9]	166	X500Principal sp = (signer != null ) ?
	167	signer.getSubjectX500Principal() : new X500Principal("CN=" + cn);
	168	PrivateKey sk = (signingKey != null ) ? signingKey : kp.getPrivate();
[3a52bed]	169
[81c80b9]	170	gen.setIssuerDN(sp);
[3a52bed]	171	gen.setSubjectDN(new X500Principal("CN=" + cn));
[3f928b0]	172	gen.setNotAfter(new Date(System.currentTimeMillis() +
	173	1000L * validity));
[3a52bed]	174	gen.setNotBefore(new Date(System.currentTimeMillis()));
	175	gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
	176	gen.setPublicKey(kp.getPublic());
	177	gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
[7ebf16d]	178	try {
[81c80b9]	179	a = (X509Certificate) gen.generate(sk, "BC");
[7ebf16d]	180	}
	181	catch (CertificateEncodingException e) {
	182	throw new CertInvalidException(e.getMessage(), e);
	183	}
	184	catch (GeneralSecurityException e) {
	185	throw new ABACException(e.getMessage(), e);
	186	}
	187
[3a52bed]	188	init(a);
	189	}
[81c80b9]	190	/**
	191	* Construct from a string, used as a CN. Keys are generated.
	192	* @param cn a String containing the menomnic name
	193	* @param validity a long containing the validity period (in seconds)
	194	* @throws CertInvalidException if the stream is unparsable
	195	* @throws MissingIssuerException if none of the Identities can validate the
	196	* certificate
	197	* @throws BadSignatureException if the signature check fails
	198	* @throws ABACException if an uncategorized error occurs
	199	*/
	200	public Identity(String cn, long validity) throws ABACException {
	201	this(cn, validity, null, null);
	202	}
[3a52bed]	203
[3f928b0]	204	/**
	205	* Construct from a string, used as a CN. Keys are generated.
	206	* @param cn a String containing the menomnic name
[7ebf16d]	207	* @throws CertInvalidException if the stream is unparsable
	208	* @throws MissingIssuerException if none of the Identities can validate the
[3f928b0]	209	* certificate
[7ebf16d]	210	* @throws BadSignatureException if the signature check fails
	211	* @throws ABACException if an uncategorized error occurs
[3f928b0]	212	*/
[7ebf16d]	213	public Identity(String cn) throws ABACException {
[3f928b0]	214	this(cn, defaultValidity);
	215	}
[9725efb]	216
[1a7e6d3]	217	/**
[a7f73b5]	218	* Construct from a file containing a self-signed PEM certificate.
[e36ea1d]	219	* @param file the File to read
[7ebf16d]	220	* @throws CertInvalidException if the stream is unparsable
	221	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	222	* certificate
[7ebf16d]	223	* @throws BadSignatureException if the signature check fails
	224	* @throws ABACException if an uncategorized error occurs
	225	* @throws FileNotFoundException if the file is invalid
[1a7e6d3]	226	*/
[7ebf16d]	227	public Identity(File file) throws ABACException, FileNotFoundException {
	228	kp = null;
	229	init(new FileReader(file));
	230	}
[1a7e6d3]	231
	232	/**
[e36ea1d]	233	* Construct from a reader containing a self-signed PEM certificate.
	234	* @param r the Reader containing the certificate
[7ebf16d]	235	* @throws CertInvalidException if the stream is unparsable
	236	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	237	* certificate
[7ebf16d]	238	* @throws BadSignatureException if the signature check fails
	239	* @throws ABACException if an uncategorized error occurs
[1a7e6d3]	240	*/
[7ebf16d]	241	public Identity(Reader r) throws ABACException {
	242	kp = null;
	243	init(r);
	244	}
[1a7e6d3]	245
	246	/**
[e36ea1d]	247	* Construct from an InputStream containing a self-signed PEM certificate.
	248	* @param s the InputStream containing the certificate
[7ebf16d]	249	* @throws CertInvalidException if the stream is unparsable
	250	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	251	* certificate
[7ebf16d]	252	* @throws BadSignatureException if the signature check fails
	253	* @throws ABACException if an uncategorized error occurs
[1a7e6d3]	254	*/
[7ebf16d]	255	public Identity(InputStream s) throws ABACException {
	256	kp = null;
	257	init(new InputStreamReader(s));
	258	}
[1a7e6d3]	259
[8a14e37]	260	/**
[e36ea1d]	261	* Construct from an X509Certificate
	262	* @param cert an X509Certificate to init from
[7ebf16d]	263	* @throws CertInvalidException if the stream is unparsable
	264	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	265	* certificate
[7ebf16d]	266	* @throws BadSignatureException if the signature check fails
	267	* @throws ABACException if an uncategorized error occurs
[8a14e37]	268	*/
[4feb5be]	269	public Identity(X509Certificate cert) throws ABACException {
[7ebf16d]	270	kp = null;
	271	init(cert);
	272	}
[8a14e37]	273
[8a93b41]	274	/**
	275	* Write the PEM key to the given writer.
[e36ea1d]	276	* @param w the Writer
	277	* @return true if the Identity had a keypair and wrote the key
	278	* @throws IOException if writing fails
[8a93b41]	279	*/
	280	public boolean writePrivateKey(Writer w) throws IOException {
	281	if (kp != null ) {
	282	PEMWriter pw = new PEMWriter(w);
	283
	284	pw.writeObject(kp.getPrivate());
	285	pw.flush();
	286	return true;
	287	}
	288	else return false;
	289	}
	290
	291	/**
	292	* Write the PEM key to a file with the given name.
[461edba]	293	* @param fn a file name to write to
	294	* @return true if the Identity had a keypair and wrote the key
	295	* @throws IOException if writing fails (including bad file name)
[8a93b41]	296	*/
[461edba]	297	public boolean writePrivateKey(String fn) throws IOException {
[8a93b41]	298	return writePrivateKey(new FileWriter(fn));
	299	}
	300
	301	/**
	302	* Write the PEM key to the given file.
[e36ea1d]	303	* @param fn a String with the output file name
	304	* @return true if the Identity had a keypair and wrote the key
[461edba]	305	* @throws IOException if writing fails (including bad file name)
[8a93b41]	306	*/
[461edba]	307	public boolean writePrivateKey(File fn) throws IOException {
[8a93b41]	308	return writePrivateKey(new FileWriter(fn));
	309	}
	310
	311	/**
	312	* Write the PEM key to the given OutputStream.
[e36ea1d]	313	* @param s an OutputStream to write on
	314	* @return true if the Identity had a keypair and wrote the key
[461edba]	315	* @throws IOException if writing fails (including bad file name)
[8a93b41]	316	*/
[461edba]	317	public boolean writePrivateKey(OutputStream s) throws IOException {
[8a93b41]	318	return writePrivateKey(new OutputStreamWriter(s));
	319	}
	320
[1a7e6d3]	321
	322	/**
	323	* Write the PEM cert to the given writer.
[e36ea1d]	324	* @param w a Writer to write on
	325	* @throws IOException if writing fails
[1a7e6d3]	326	*/
	327	public void write(Writer w) throws IOException {
	328	PEMWriter pw = new PEMWriter(w);
	329
[0595372]	330	pw.writeObject(cert);
[5cf72cc]	331	pw.flush();
[1a7e6d3]	332	}
	333
	334	/**
	335	* Write the PEM cert to a file with the given name.
[461edba]	336	* @param fn a file name to write to
	337	* @throws IOException if writing fails (including bad file name)
[1a7e6d3]	338	*/
[461edba]	339	public void write(String fn) throws IOException {
[1a7e6d3]	340	write(new FileWriter(fn));
	341	}
	342
	343	/**
	344	* Write the PEM cert to the given file.
[e36ea1d]	345	* @param fn a String with the output file name
	346	* @throws IOException if writing fails
[1a7e6d3]	347	*/
[461edba]	348	public void write(File fn) throws IOException {
[1a7e6d3]	349	write(new FileWriter(fn));
	350	}
	351
	352	/**
	353	* Write the PEM cert to the given OutputStream.
[e36ea1d]	354	* @param s an OutputStream to write on
	355	* @throws IOException if writing fails
[1a7e6d3]	356	*/
[461edba]	357	public void write(OutputStream s) throws IOException {
[1a7e6d3]	358	write(new OutputStreamWriter(s));
	359	}
[9725efb]	360
[e9360e2]	361
[e36ea1d]	362	/**
	363	* Return the Identity's KeyID
	364	* @return the Identity's KeyID
	365	*/
[0595372]	366	public String getKeyID() { return keyid; }
[e36ea1d]	367	/**
	368	* Return the Identity's mnemonic name
	369	* @return the Identity's mnemonic name
	370	*/
[0595372]	371	public String getName() { return cn; }
[e36ea1d]	372	/**
	373	* Return the Identity's X509 Certificate
	374	* @return the Identity's X509 Certificate
	375	*/
	376	public X509Certificate getCertificate() { return cert; }
[3f928b0]	377
	378	/**
	379	* Return the expiration time of the Identity
	380	* @return a Date the expiration time of the Identity
	381	*/
	382	public Date getExpiration(){ return expiration; }
	383
[e36ea1d]	384	/**
	385	* Return a simple string rep of the Identity.
	386	* @return a simple string rep of the Identity.
	387	*/
[42ca4b8]	388	public String toString() {
[0595372]	389	String s = keyid + " (" + cn ;
[42ca4b8]	390
[ac131a1]	391	if (getKeyPair() != null ) s += " [keyed]";
[42ca4b8]	392	s += ")";
	393	return s;
	394	}
	395	/**
	396	* Associate a keypair with this Identity. If the ID has a certificate,
	397	* make sure that the keypair matches it. If not throw an
	398	* IllegalArgumentException.
[e36ea1d]	399	* @param k the KeyPair to connect
	400	* @throws IllegalArgumentException if the keypair does not
	401	* match the pubkey in the X509 certificate
[42ca4b8]	402	*/
	403	public void setKeyPair(KeyPair k) {
[0595372]	404	if (keyid != null) {
	405	String kid = Context.extractKeyID(k.getPublic());
[42ca4b8]	406
[0595372]	407	if ( kid != null && kid.equals(keyid)) kp = k;
[42ca4b8]	408	else
	409	throw new IllegalArgumentException(
	410	"Keypair does not match certificate");
	411	}
	412	else kp = k;
	413	}
[e36ea1d]	414
	415	/**
	416	* Return the keypair associated with this Identity (if any)
	417	* @return the keypair associated with this Identity (if any)
	418	*/
[42ca4b8]	419	public KeyPair getKeyPair() { return kp; }
[e36ea1d]	420
	421	/**
[a7f73b5]	422	* Return true if the two identites refer to teh same key. Two Identities
	423	* are equal if their key ID's match.
[e36ea1d]	424	* @return true if the two key ID's are equal.
	425	*/
[5cf72cc]	426	public boolean equals(Object o) {
	427	if ( o == null ) return false;
	428	else if ( ! (o instanceof Identity) ) return false;
	429	else return getKeyID().equals(((Identity)o).getKeyID());
	430	}
[0100d7b]	431
	432	/**
	433	* Return a hash code for the Identity - the hash of its KeyID()
	434	* @return an int, the hashCode
	435	*/
	436	public int hashCode() {
	437	if (keyid == null) return super.hashCode();
	438	return keyid.hashCode();
	439	}
	440
	441
[e36ea1d]	442	/**
[a7f73b5]	443	* Order 2 identities for sorting. They are ordered by their key ID's.
[e36ea1d]	444	* @param o an Object to compare
	445	* @return -1 if this Identity is before, 0 if they are the same, and 1
	446	* if this Identity is after the given object.
	447	*/
[5cf72cc]	448	public int compareTo(Object o) {
	449	if ( ! (o instanceof Identity) ) return 1;
	450	else return getKeyID().compareTo(((Identity)o).getKeyID());
	451	}
[1a7e6d3]	452
[9725efb]	453	};

Note: See TracBrowser for help on using the repository browser.

Download in other formats: