source: java/net/deterlab/abac/Identity.java @ 8200a9c

Last change on this file since 8200a9c was 461edba, checked in by Ted Faber <faber@…>, 10 years ago

Clean up javadoc for v8.

  • Property mode set to 100644
File size: 15.1 KB
RevLine 
[9725efb]1package net.deterlab.abac;
2
3import java.io.*;
4
5import java.util.*;
6import java.security.*;
7import java.security.cert.*;
[3a52bed]8import javax.security.auth.x500.*;
[9725efb]9
[3a52bed]10import java.math.BigInteger;
[9725efb]11
12import org.bouncycastle.asn1.*;
13import org.bouncycastle.asn1.util.*;
14import org.bouncycastle.asn1.x509.*;
15import org.bouncycastle.x509.*;
[238717d]16import org.bouncycastle.openssl.*;
17
[9725efb]18
[e36ea1d]19/**
20 * An ABAC identity.  An X509 Certificate-encoded public key.  The key
21 * identifier is used as the name of the Identity.  This whole class is
22 * something of a jabac extension.
23 * @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
[a1a9a47]24 * @version 1.5
[e36ea1d]25 */
[5cf72cc]26public class Identity implements Comparable {
[3f928b0]27    /** Default validity period (in seconds) */
28    static public long defaultValidity = 3600L * 24L * 365L;
[e36ea1d]29    /** The underlying X509 certificate. */
30    protected X509Certificate cert;
31    /** The public key id used as this principal's name */
32    protected String keyid;
33    /** The common name in the certificate, used as a mnemonic */
34    protected String cn;
35    /** The keypair, if any, used to sign for this Identity */
36    protected KeyPair kp;
[3f928b0]37    /** The expiration for this Identity */
38    protected Date expiration;
[9725efb]39
[238717d]40    /** Make sure BouncyCastle is loaded */
41    static { Context.loadBouncyCastle(); } 
42
[1a7e6d3]43    /**
[e36ea1d]44     * Initialize from PEM cert in a reader.  Use a PEMReader to get
45     * the certificate, and call init(cert) on it.
46     * @param r a Reader containing the certificate
[7ebf16d]47     * @throws CertInvalidException if the stream is unparsable
48     * @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]49     *                              certificate
[7ebf16d]50     * @throws BadSignatureException if the signature check fails
51     * @throws ABACException if an uncategorized error occurs
[1a7e6d3]52     */
[7ebf16d]53    protected void init(Reader r) throws ABACException {
[42ca4b8]54        PEMReader pr = new PEMReader(r);
55        Object c = null;
56
[7ebf16d]57        try {
58            while ( ( c= pr.readObject()) != null ){
59
60                if (c instanceof X509Certificate) {
61                    if ( cn == null ) 
62                        init((X509Certificate)c);
63                    else
64                        throw new CertInvalidException("Two certs in one");
65                }
66                else if (c instanceof KeyPair) setKeyPair((KeyPair)c);
67                else 
68                    throw new CertInvalidException(
69                            "Not an identity certificate");
[42ca4b8]70            }
[7ebf16d]71        }
72        catch (IOException e) {
73            throw new CertInvalidException(e.getMessage(), e);
[42ca4b8]74        }
[f31432f]75        // If there's nothing for the PEM reader to parse, the cert is invalid.
76        if (cn == null) 
[7ebf16d]77            throw new CertInvalidException("Not an identity certificate");
[8a14e37]78    }
79
80    /**
[e36ea1d]81     * Initialize internals from cert.  Confirm it is self signed,  and then
82     * the keyid and common name.  There's some work to get this stuff, but
83     * it's all an incantation of getting the right classes to get the right
84     * data.  Looks more complex than it is.
85     * @param c an X509Certificate to init from
[7ebf16d]86     * @throws CertInvalidException if the stream is unparsable
87     * @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]88     *                              certificate
[7ebf16d]89     * @throws BadSignatureException if the signature check fails
90     * @throws ABACException if an uncategorized error occurs
[8a14e37]91     */
[7ebf16d]92    protected void init(X509Certificate c) throws ABACException {
93        cert = (X509Certificate) c;
94        try {
[0595372]95            cert.verify(cert.getPublicKey());
[7ebf16d]96        }
97        catch (SignatureException e) {
[fbdd2d1]98            // XXX: the cert is not signed by the key we provided.  Right now
99            // we check each cert as if it were self-signed. Other signing
100            // strategies are allowed here by default.  We expect outside
101            // sources to validate ID certs if they expect different chains of
[7ebf16d]102        }
103        catch (CertificateException e) {
104            throw new CertInvalidException(e.getMessage(), e);
105        }
[4bd50f4]106        catch (InvalidKeyException e) {
107            // XXX: the cert is not signed by the key we provided.  Right now
108            // we check each cert as if it were self-signed. Other signing
109            // strategies are allowed here by default.  We expect outside
110            // sources to validate ID certs if they expect different chains of
111            // trust.
112        }
[7ebf16d]113        catch (GeneralSecurityException e) {
114            throw new ABACException(e.getMessage(), e);
115        }
[081eabc]116
117        // So far so good.  Check the validity (dates)
118        try {
119            cert.checkValidity();
120        }
121        catch (CertificateException e) {
122            // Validity exceprions are derived from CertificateExceptions
123            throw new CertInvalidException(e.getMessage(), e);
124        }
125
[7ebf16d]126        // Cert is valid, fill in the CN and keyid
127        keyid = Context.extractKeyID(cert.getPublicKey());
128        cn = cert.getSubjectDN().getName();
129        expiration = cert.getNotAfter();
130        /// XXX: better parse
131        if (cn.startsWith("CN=")) cn = cn.substring(3);
[9725efb]132    }
133
[1a7e6d3]134    /**
[81c80b9]135     * Construct from a string, used as a CN.  Keys are generated.  If signer
136     * and signingKey are given, sign the certificate with them.  If neither is
137     * given, self sign it.  If one is given and not the other, throw an
138     * ABACException.
[e36ea1d]139     * @param cn a String containing the menomnic name
[3f928b0]140     * @param validity a long containing the validity period (in seconds)
[81c80b9]141     * @param signer an X509Certificate that is signing the Identity
142     * @param signingKey the key with which to sign
[7ebf16d]143     * @throws CertInvalidException if the stream is unparsable
144     * @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]145     *                              certificate
[7ebf16d]146     * @throws BadSignatureException if the signature check fails
147     * @throws ABACException if an uncategorized error occurs
[1a7e6d3]148     */
[81c80b9]149    public Identity(String cn, long validity, X509Certificate signer, 
150            PrivateKey signingKey) 
151            throws ABACException {
152
153        if ( (signer != null && signingKey == null) || 
154                (signer == null && signingKey != null) )
155            throw new ABACException("Both signer and signingKey must be "+ 
156                    "given or neither");
157
[3a52bed]158        X509V1CertificateGenerator gen = new X509V1CertificateGenerator();
[7ebf16d]159        try {
160            kp = KeyPairGenerator.getInstance("RSA").genKeyPair();
161        }
162        catch (NoSuchAlgorithmException e) {
163            throw new ABACException(e.getMessage(), e);
164        }
165        X509Certificate a = null;
[81c80b9]166        X500Principal sp = (signer != null ) ?
167            signer.getSubjectX500Principal() : new X500Principal("CN=" + cn);
168        PrivateKey sk = (signingKey != null ) ? signingKey : kp.getPrivate();
[3a52bed]169
[81c80b9]170        gen.setIssuerDN(sp);
[3a52bed]171        gen.setSubjectDN(new X500Principal("CN=" + cn));
[3f928b0]172        gen.setNotAfter(new Date(System.currentTimeMillis() +
173                1000L * validity));
[3a52bed]174        gen.setNotBefore(new Date(System.currentTimeMillis()));
175        gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
176        gen.setPublicKey(kp.getPublic());
177        gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
[7ebf16d]178        try {
[81c80b9]179            a = (X509Certificate) gen.generate(sk, "BC");
[7ebf16d]180        }
181        catch (CertificateEncodingException e) {
182            throw new CertInvalidException(e.getMessage(), e);
183        }
184        catch (GeneralSecurityException e) {
185            throw new ABACException(e.getMessage(), e);
186        }
187
[3a52bed]188        init(a);
189    }
[81c80b9]190    /**
191     * Construct from a string, used as a CN.  Keys are generated.
192     * @param cn a String containing the menomnic name
193     * @param validity a long containing the validity period (in seconds)
194     * @throws CertInvalidException if the stream is unparsable
195     * @throws MissingIssuerException if none of the Identities can validate the
196     *                              certificate
197     * @throws BadSignatureException if the signature check fails
198     * @throws ABACException if an uncategorized error occurs
199     */
200    public Identity(String cn, long validity) throws ABACException {
201        this(cn, validity, null, null);
202    }
[3a52bed]203
[3f928b0]204    /**
205     * Construct from a string, used as a CN.  Keys are generated.
206     * @param cn a String containing the menomnic name
[7ebf16d]207     * @throws CertInvalidException if the stream is unparsable
208     * @throws MissingIssuerException if none of the Identities can validate the
[3f928b0]209     *                              certificate
[7ebf16d]210     * @throws BadSignatureException if the signature check fails
211     * @throws ABACException if an uncategorized error occurs
[3f928b0]212     */
[7ebf16d]213    public Identity(String cn) throws ABACException { 
[3f928b0]214        this(cn, defaultValidity);
215    }
[9725efb]216
[1a7e6d3]217    /**
[a7f73b5]218     * Construct from a file containing a self-signed PEM certificate.
[e36ea1d]219     * @param file the File to read
[7ebf16d]220     * @throws CertInvalidException if the stream is unparsable
221     * @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]222     *                              certificate
[7ebf16d]223     * @throws BadSignatureException if the signature check fails
224     * @throws ABACException if an uncategorized error occurs
225     * @throws FileNotFoundException if the file is invalid
[1a7e6d3]226     */
[7ebf16d]227    public Identity(File file) throws ABACException, FileNotFoundException { 
228        kp = null;
229        init(new FileReader(file));
230    }
[1a7e6d3]231
232    /**
[e36ea1d]233     * Construct from a reader containing a self-signed PEM certificate.
234     * @param r the Reader containing the certificate
[7ebf16d]235     * @throws CertInvalidException if the stream is unparsable
236     * @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]237     *                              certificate
[7ebf16d]238     * @throws BadSignatureException if the signature check fails
239     * @throws ABACException if an uncategorized error occurs
[1a7e6d3]240     */
[7ebf16d]241    public Identity(Reader r) throws ABACException {
242        kp = null;
243        init(r);
244    }
[1a7e6d3]245
246    /**
[e36ea1d]247     * Construct from an InputStream containing a self-signed PEM certificate.
248     * @param s the InputStream containing the certificate
[7ebf16d]249     * @throws CertInvalidException if the stream is unparsable
250     * @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]251     *                              certificate
[7ebf16d]252     * @throws BadSignatureException if the signature check fails
253     * @throws ABACException if an uncategorized error occurs
[1a7e6d3]254     */
[7ebf16d]255    public Identity(InputStream s) throws ABACException {
256        kp = null;
257        init(new InputStreamReader(s));
258    }
[1a7e6d3]259
[8a14e37]260    /**
[e36ea1d]261     * Construct from an X509Certificate
262     * @param cert an X509Certificate to init from
[7ebf16d]263     * @throws CertInvalidException if the stream is unparsable
264     * @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]265     *                              certificate
[7ebf16d]266     * @throws BadSignatureException if the signature check fails
267     * @throws ABACException if an uncategorized error occurs
[8a14e37]268     */
[4feb5be]269    public Identity(X509Certificate cert) throws ABACException {
[7ebf16d]270        kp = null;
271        init(cert);
272    }
[8a14e37]273
[8a93b41]274    /**
275     * Write the PEM key to the given writer.
[e36ea1d]276     * @param w the Writer
277     * @return true if the Identity had a keypair and wrote the key
278     * @throws IOException if writing fails
[8a93b41]279     */
280    public boolean writePrivateKey(Writer w) throws IOException {
281        if (kp != null ) {
282            PEMWriter pw = new PEMWriter(w);
283
284            pw.writeObject(kp.getPrivate());
285            pw.flush();
286            return true;
287        }
288        else return false;
289    }
290
291    /**
292     * Write the PEM key to a file with the given name.
[461edba]293     * @param fn a file name to write to
294     * @return true if the Identity had a keypair and wrote the key
295     * @throws IOException if writing fails (including bad file name)
[8a93b41]296     */
[461edba]297    public boolean writePrivateKey(String fn) throws IOException {
[8a93b41]298        return writePrivateKey(new FileWriter(fn));
299    }
300
301    /**
302     * Write the PEM key to the given file.
[e36ea1d]303     * @param fn a String with the output file name
304     * @return true if the Identity had a keypair and wrote the key
[461edba]305     * @throws IOException if writing fails (including bad file name)
[8a93b41]306     */
[461edba]307    public boolean writePrivateKey(File fn) throws IOException {
[8a93b41]308        return writePrivateKey(new FileWriter(fn));
309    }
310
311    /**
312     * Write the PEM key to the given OutputStream.
[e36ea1d]313     * @param s an OutputStream to write on
314     * @return true if the Identity had a keypair and wrote the key
[461edba]315     * @throws IOException if writing fails (including bad file name)
[8a93b41]316     */
[461edba]317    public boolean writePrivateKey(OutputStream s) throws IOException {
[8a93b41]318        return writePrivateKey(new OutputStreamWriter(s));
319    }
320
[1a7e6d3]321
322    /**
323     * Write the PEM cert to the given writer.
[e36ea1d]324     * @param w a Writer to write on
325     * @throws IOException if writing fails
[1a7e6d3]326     */
327    public void write(Writer w) throws IOException {
328        PEMWriter pw = new PEMWriter(w);
329
[0595372]330        pw.writeObject(cert);
[5cf72cc]331        pw.flush();
[1a7e6d3]332    }
333
334    /**
335     * Write the PEM cert to a file with the given name.
[461edba]336     * @param fn a file name to write to
337     * @throws IOException if writing fails (including bad file name)
[1a7e6d3]338     */
[461edba]339    public void write(String fn) throws IOException {
[1a7e6d3]340        write(new FileWriter(fn));
341    }
342
343    /**
344     * Write the PEM cert to the given file.
[e36ea1d]345     * @param fn a String with the output file name
346     * @throws IOException if writing fails
[1a7e6d3]347     */
[461edba]348    public void write(File fn) throws IOException {
[1a7e6d3]349        write(new FileWriter(fn));
350    }
351
352    /**
353     * Write the PEM cert to the given OutputStream.
[e36ea1d]354     * @param s an OutputStream to write on
355     * @throws IOException if writing fails
[1a7e6d3]356     */
[461edba]357    public void write(OutputStream s) throws IOException {
[1a7e6d3]358        write(new OutputStreamWriter(s));
359    }
[9725efb]360
[e9360e2]361
[e36ea1d]362    /**
363     * Return the Identity's KeyID
364     * @return the Identity's KeyID
365     */
[0595372]366    public String getKeyID() { return keyid; }
[e36ea1d]367    /**
368     * Return the Identity's mnemonic name
369     * @return the Identity's mnemonic name
370     */
[0595372]371    public String getName() { return cn; }
[e36ea1d]372    /**
373     * Return the Identity's X509 Certificate
374     * @return the Identity's X509 Certificate
375     */
376    public X509Certificate getCertificate() { return cert; }
[3f928b0]377
378    /**
379     * Return the expiration time of the Identity
380     * @return a Date the expiration time of the Identity
381     */
382    public Date getExpiration(){ return expiration; }
383
[e36ea1d]384    /**
385     * Return a simple string rep of the Identity.
386     * @return a simple string rep of the Identity.
387     */
[42ca4b8]388    public String toString() { 
[0595372]389        String s = keyid + " (" + cn ;
[42ca4b8]390
[ac131a1]391        if (getKeyPair() != null ) s += " [keyed]";
[42ca4b8]392        s += ")";
393        return s;
394    }
395    /**
396     * Associate a keypair with this Identity.  If the ID has a certificate,
397     * make sure that the keypair matches it.  If not throw an
398     * IllegalArgumentException.
[e36ea1d]399     * @param k the KeyPair to connect
400     * @throws IllegalArgumentException if the keypair does not
401     *                              match the pubkey in the X509 certificate
[42ca4b8]402     */
403    public void setKeyPair(KeyPair k) {
[0595372]404        if (keyid != null) {
405            String kid = Context.extractKeyID(k.getPublic());
[42ca4b8]406
[0595372]407            if ( kid != null && kid.equals(keyid)) kp = k;
[42ca4b8]408            else 
409                throw new IllegalArgumentException(
410                        "Keypair does not match certificate");
411        }
412        else kp = k;
413    }
[e36ea1d]414
415    /**
416     * Return the keypair associated with this Identity (if any)
417     * @return the keypair associated with this Identity (if any)
418     */
[42ca4b8]419    public KeyPair getKeyPair() { return kp; }
[e36ea1d]420
421    /**
[a7f73b5]422     * Return true if the two identites refer to teh same key.  Two Identities
423     * are equal if their key ID's match.
[e36ea1d]424     * @return true if the two key ID's are equal.
425     */
[5cf72cc]426    public boolean equals(Object o) { 
427        if ( o == null ) return false;
428        else if ( ! (o instanceof Identity) ) return false;
429        else return getKeyID().equals(((Identity)o).getKeyID());
430    }
[0100d7b]431
432    /**
433     * Return a hash code for the Identity - the hash of its KeyID()
434     * @return an int, the hashCode
435     */
436    public int hashCode() {
437        if (keyid == null) return super.hashCode();
438        return keyid.hashCode();
439    }
440
441
[e36ea1d]442    /**
[a7f73b5]443     * Order 2 identities for sorting.  They are ordered by their key ID's.
[e36ea1d]444     * @param o an Object to compare
445     * @return -1 if this Identity is before, 0 if they are the same, and 1
446     *              if this Identity is after the given object.
447     */
[5cf72cc]448    public int compareTo(Object o) { 
449        if ( ! (o instanceof Identity) ) return 1;
450        else return getKeyID().compareTo(((Identity)o).getKeyID());
451    }
[1a7e6d3]452
[9725efb]453};
Note: See TracBrowser for help on using the repository browser.